| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| |
|
| | """A module that provides functions for handling rapt authentication. |
| | |
| | Reauth is a process of obtaining additional authentication (such as password, |
| | security token, etc.) while refreshing OAuth 2.0 credentials for a user. |
| | |
| | Credentials that use the Reauth flow must have the reauth scope, |
| | ``https://www.googleapis.com/auth/accounts.reauth``. |
| | |
| | This module provides a high-level function for executing the Reauth process, |
| | :func:`refresh_grant`, and lower-level helpers for doing the individual |
| | steps of the reauth process. |
| | |
| | Those steps are: |
| | |
| | 1. Obtaining a list of challenges from the reauth server. |
| | 2. Running through each challenge and sending the result back to the reauth |
| | server. |
| | 3. Refreshing the access token using the returned rapt token. |
| | """ |
| |
|
| | import sys |
| |
|
| | from six.moves import range |
| |
|
| | from google.auth import exceptions |
| | from google.oauth2 import _client |
| | from google.oauth2 import challenges |
| |
|
| |
|
| | _REAUTH_SCOPE = "https://www.googleapis.com/auth/accounts.reauth" |
| | _REAUTH_API = "https://reauth.googleapis.com/v2/sessions" |
| |
|
| | _REAUTH_NEEDED_ERROR = "invalid_grant" |
| | _REAUTH_NEEDED_ERROR_INVALID_RAPT = "invalid_rapt" |
| | _REAUTH_NEEDED_ERROR_RAPT_REQUIRED = "rapt_required" |
| |
|
| | _AUTHENTICATED = "AUTHENTICATED" |
| | _CHALLENGE_REQUIRED = "CHALLENGE_REQUIRED" |
| | _CHALLENGE_PENDING = "CHALLENGE_PENDING" |
| |
|
| |
|
| | |
| | |
| | RUN_CHALLENGE_RETRY_LIMIT = 5 |
| |
|
| |
|
| | def is_interactive(): |
| | """Check if we are in an interractive environment. |
| | |
| | Override this function with a different logic if you are using this library |
| | outside a CLI. |
| | |
| | If the rapt token needs refreshing, the user needs to answer the challenges. |
| | If the user is not in an interractive environment, the challenges can not |
| | be answered and we just wait for timeout for no reason. |
| | |
| | Returns: |
| | bool: True if is interactive environment, False otherwise. |
| | """ |
| |
|
| | return sys.stdin.isatty() |
| |
|
| |
|
| | def _get_challenges( |
| | request, supported_challenge_types, access_token, requested_scopes=None |
| | ): |
| | """Does initial request to reauth API to get the challenges. |
| | |
| | Args: |
| | request (google.auth.transport.Request): A callable used to make |
| | HTTP requests. |
| | supported_challenge_types (Sequence[str]): list of challenge names |
| | supported by the manager. |
| | access_token (str): Access token with reauth scopes. |
| | requested_scopes (Optional(Sequence[str])): Authorized scopes for the credentials. |
| | |
| | Returns: |
| | dict: The response from the reauth API. |
| | """ |
| | body = {"supportedChallengeTypes": supported_challenge_types} |
| | if requested_scopes: |
| | body["oauthScopesForDomainPolicyLookup"] = requested_scopes |
| |
|
| | return _client._token_endpoint_request( |
| | request, _REAUTH_API + ":start", body, access_token=access_token, use_json=True |
| | ) |
| |
|
| |
|
| | def _send_challenge_result( |
| | request, session_id, challenge_id, client_input, access_token |
| | ): |
| | """Attempt to refresh access token by sending next challenge result. |
| | |
| | Args: |
| | request (google.auth.transport.Request): A callable used to make |
| | HTTP requests. |
| | session_id (str): session id returned by the initial reauth call. |
| | challenge_id (str): challenge id returned by the initial reauth call. |
| | client_input: dict with a challenge-specific client input. For example: |
| | ``{'credential': password}`` for password challenge. |
| | access_token (str): Access token with reauth scopes. |
| | |
| | Returns: |
| | dict: The response from the reauth API. |
| | """ |
| | body = { |
| | "sessionId": session_id, |
| | "challengeId": challenge_id, |
| | "action": "RESPOND", |
| | "proposalResponse": client_input, |
| | } |
| |
|
| | return _client._token_endpoint_request( |
| | request, |
| | _REAUTH_API + "/{}:continue".format(session_id), |
| | body, |
| | access_token=access_token, |
| | use_json=True, |
| | ) |
| |
|
| |
|
| | def _run_next_challenge(msg, request, access_token): |
| | """Get the next challenge from msg and run it. |
| | |
| | Args: |
| | msg (dict): Reauth API response body (either from the initial request to |
| | https://reauth.googleapis.com/v2/sessions:start or from sending the |
| | previous challenge response to |
| | https://reauth.googleapis.com/v2/sessions/id:continue) |
| | request (google.auth.transport.Request): A callable used to make |
| | HTTP requests. |
| | access_token (str): reauth access token |
| | |
| | Returns: |
| | dict: The response from the reauth API. |
| | |
| | Raises: |
| | google.auth.exceptions.ReauthError: if reauth failed. |
| | """ |
| | for challenge in msg["challenges"]: |
| | if challenge["status"] != "READY": |
| | |
| | continue |
| | c = challenges.AVAILABLE_CHALLENGES.get(challenge["challengeType"], None) |
| | if not c: |
| | raise exceptions.ReauthFailError( |
| | "Unsupported challenge type {0}. Supported types: {1}".format( |
| | challenge["challengeType"], |
| | ",".join(list(challenges.AVAILABLE_CHALLENGES.keys())), |
| | ) |
| | ) |
| | if not c.is_locally_eligible: |
| | raise exceptions.ReauthFailError( |
| | "Challenge {0} is not locally eligible".format( |
| | challenge["challengeType"] |
| | ) |
| | ) |
| | client_input = c.obtain_challenge_input(challenge) |
| | if not client_input: |
| | return None |
| | return _send_challenge_result( |
| | request, |
| | msg["sessionId"], |
| | challenge["challengeId"], |
| | client_input, |
| | access_token, |
| | ) |
| | return None |
| |
|
| |
|
| | def _obtain_rapt(request, access_token, requested_scopes): |
| | """Given an http request method and reauth access token, get rapt token. |
| | |
| | Args: |
| | request (google.auth.transport.Request): A callable used to make |
| | HTTP requests. |
| | access_token (str): reauth access token |
| | requested_scopes (Sequence[str]): scopes required by the client application |
| | |
| | Returns: |
| | str: The rapt token. |
| | |
| | Raises: |
| | google.auth.exceptions.ReauthError: if reauth failed |
| | """ |
| | msg = _get_challenges( |
| | request, |
| | list(challenges.AVAILABLE_CHALLENGES.keys()), |
| | access_token, |
| | requested_scopes, |
| | ) |
| |
|
| | if msg["status"] == _AUTHENTICATED: |
| | return msg["encodedProofOfReauthToken"] |
| |
|
| | for _ in range(0, RUN_CHALLENGE_RETRY_LIMIT): |
| | if not ( |
| | msg["status"] == _CHALLENGE_REQUIRED or msg["status"] == _CHALLENGE_PENDING |
| | ): |
| | raise exceptions.ReauthFailError( |
| | "Reauthentication challenge failed due to API error: {}".format( |
| | msg["status"] |
| | ) |
| | ) |
| |
|
| | if not is_interactive(): |
| | raise exceptions.ReauthFailError( |
| | "Reauthentication challenge could not be answered because you are not" |
| | " in an interactive session." |
| | ) |
| |
|
| | msg = _run_next_challenge(msg, request, access_token) |
| |
|
| | if not msg: |
| | raise exceptions.ReauthFailError("Failed to obtain rapt token.") |
| | if msg["status"] == _AUTHENTICATED: |
| | return msg["encodedProofOfReauthToken"] |
| |
|
| | |
| | raise exceptions.ReauthFailError("Failed to obtain rapt token.") |
| |
|
| |
|
| | def get_rapt_token( |
| | request, client_id, client_secret, refresh_token, token_uri, scopes=None |
| | ): |
| | """Given an http request method and refresh_token, get rapt token. |
| | |
| | Args: |
| | request (google.auth.transport.Request): A callable used to make |
| | HTTP requests. |
| | client_id (str): client id to get access token for reauth scope. |
| | client_secret (str): client secret for the client_id |
| | refresh_token (str): refresh token to refresh access token |
| | token_uri (str): uri to refresh access token |
| | scopes (Optional(Sequence[str])): scopes required by the client application |
| | |
| | Returns: |
| | str: The rapt token. |
| | Raises: |
| | google.auth.exceptions.RefreshError: If reauth failed. |
| | """ |
| | sys.stderr.write("Reauthentication required.\n") |
| |
|
| | |
| | access_token, _, _, _ = _client.refresh_grant( |
| | request=request, |
| | client_id=client_id, |
| | client_secret=client_secret, |
| | refresh_token=refresh_token, |
| | token_uri=token_uri, |
| | scopes=[_REAUTH_SCOPE], |
| | ) |
| |
|
| | |
| | rapt_token = _obtain_rapt(request, access_token, requested_scopes=scopes) |
| |
|
| | return rapt_token |
| |
|
| |
|
| | def refresh_grant( |
| | request, |
| | token_uri, |
| | refresh_token, |
| | client_id, |
| | client_secret, |
| | scopes=None, |
| | rapt_token=None, |
| | enable_reauth_refresh=False, |
| | ): |
| | """Implements the reauthentication flow. |
| | |
| | Args: |
| | request (google.auth.transport.Request): A callable used to make |
| | HTTP requests. |
| | token_uri (str): The OAuth 2.0 authorizations server's token endpoint |
| | URI. |
| | refresh_token (str): The refresh token to use to get a new access |
| | token. |
| | client_id (str): The OAuth 2.0 application's client ID. |
| | client_secret (str): The Oauth 2.0 appliaction's client secret. |
| | scopes (Optional(Sequence[str])): Scopes to request. If present, all |
| | scopes must be authorized for the refresh token. Useful if refresh |
| | token has a wild card scope (e.g. |
| | 'https://www.googleapis.com/auth/any-api'). |
| | rapt_token (Optional(str)): The rapt token for reauth. |
| | enable_reauth_refresh (Optional[bool]): Whether reauth refresh flow |
| | should be used. The default value is False. This option is for |
| | gcloud only, other users should use the default value. |
| | |
| | Returns: |
| | Tuple[str, Optional[str], Optional[datetime], Mapping[str, str], str]: The |
| | access token, new refresh token, expiration, the additional data |
| | returned by the token endpoint, and the rapt token. |
| | |
| | Raises: |
| | google.auth.exceptions.RefreshError: If the token endpoint returned |
| | an error. |
| | """ |
| | body = { |
| | "grant_type": _client._REFRESH_GRANT_TYPE, |
| | "client_id": client_id, |
| | "client_secret": client_secret, |
| | "refresh_token": refresh_token, |
| | } |
| | if scopes: |
| | body["scope"] = " ".join(scopes) |
| | if rapt_token: |
| | body["rapt"] = rapt_token |
| |
|
| | response_status_ok, response_data, retryable_error = _client._token_endpoint_request_no_throw( |
| | request, token_uri, body |
| | ) |
| | if ( |
| | not response_status_ok |
| | and response_data.get("error") == _REAUTH_NEEDED_ERROR |
| | and ( |
| | response_data.get("error_subtype") == _REAUTH_NEEDED_ERROR_INVALID_RAPT |
| | or response_data.get("error_subtype") == _REAUTH_NEEDED_ERROR_RAPT_REQUIRED |
| | ) |
| | ): |
| | if not enable_reauth_refresh: |
| | raise exceptions.RefreshError( |
| | "Reauthentication is needed. Please run `gcloud auth application-default login` to reauthenticate." |
| | ) |
| |
|
| | rapt_token = get_rapt_token( |
| | request, client_id, client_secret, refresh_token, token_uri, scopes=scopes |
| | ) |
| | body["rapt"] = rapt_token |
| | ( |
| | response_status_ok, |
| | response_data, |
| | retryable_error, |
| | ) = _client._token_endpoint_request_no_throw(request, token_uri, body) |
| |
|
| | if not response_status_ok: |
| | _client._handle_error_response(response_data, retryable_error) |
| | return _client._handle_refresh_grant_response(response_data, refresh_token) + ( |
| | rapt_token, |
| | ) |
| |
|
