# Copyright 2015 The Chromium Authors. All rights reserved. # Use of this source code is governed by a BSD-style license that can be # found in the LICENSE file. """Google OAuth2 related functions.""" from __future__ import annotations import collections import datetime import functools import httplib2 import json import logging import os from typing import Optional from dataclasses import dataclass import subprocess2 # TODO: Should fix these warnings. # pylint: disable=line-too-long # This is what most GAE apps require for authentication. OAUTH_SCOPE_EMAIL = 'https://www.googleapis.com/auth/userinfo.email' # Gerrit and Git on *.googlesource.com require this scope. OAUTH_SCOPE_GERRIT = 'https://www.googleapis.com/auth/gerritcodereview' # Deprecated. Use OAUTH_SCOPE_EMAIL instead. OAUTH_SCOPES = OAUTH_SCOPE_EMAIL @dataclass class ReAuthContext: """Provides contextual information for ReAuth.""" host: str # Hostname (e.g. chromium-review.googlesource.com) project: str # Project on host (e.g. chromium/src) def to_git_cred_attrs(self) -> bytes: """Returns bytes to be used as the input of `git-credentials-luci` in exchange for a ReAuth token. """ assert self.project return f""" capability[]=authtype protocol=https host={self.host} path={self.project} """.lstrip().encode('utf-8') # Mockable datetime.datetime.utcnow for testing. def datetime_now(): return datetime.datetime.utcnow() # OAuth access token or ID token with its expiration time (UTC datetime or None # if unknown). class Token(collections.namedtuple('Token', [ 'token', 'expires_at', ])): def needs_refresh(self): """True if this token should be refreshed.""" if self.expires_at is not None: # Allow 30s of clock skew between client and backend. return datetime_now() + datetime.timedelta( seconds=30) >= self.expires_at # Token without expiration time never expires. return False class LoginRequiredError(Exception): """Interaction with the user is required to authenticate.""" def __init__(self, scopes=OAUTH_SCOPE_EMAIL): self.scopes = scopes msg = ('You are not logged in. Please login first by running:\n' ' %s' % self.login_command) super(LoginRequiredError, self).__init__(msg) @property def login_command(self) -> str: return 'luci-auth login -scopes "%s"' % self.scopes class GitLoginRequiredError(Exception): """Interaction with the user is required to authenticate. This is for git-credential-luci, not luci-auth. """ def __init__(self): msg = ( 'You are not logged in to Gerrit. Please login first by running:\n' ' %s' % self.login_command) super(GitLoginRequiredError, self).__init__(msg) @property def login_command(self) -> str: return 'git credential-luci login' class GitReAuthRequiredError(Exception): """Interaction with the user is required to ReAuth. This is for git-credential-luci, not luci-auth. """ def __init__(self): msg = ('You have not done ReAuth. Please run and try again:\n' ' %s' % self.reauth_command) super(GitReAuthRequiredError, self).__init__(msg) @property def reauth_command(self) -> str: return 'git credential-luci reauth' class GitUnknownError(Exception): """Unknown error from git-credential-luci.""" def __init__(self): msg = ('Unknown error from git-credential-luci. Try logging in? Run:\n' ' %s' % self.login_command) super(GitLoginRequiredError, self).__init__(msg) @property def login_command(self) -> str: return 'git credential-luci login' def has_luci_context_local_auth(): """Returns whether LUCI_CONTEXT should be used for ambient authentication.""" ctx_path = os.environ.get('LUCI_CONTEXT') if not ctx_path: return False try: with open(ctx_path) as f: loaded = json.load(f) except (OSError, IOError, ValueError): return False return loaded.get('local_auth', {}).get('default_account_id') is not None class Authenticator(object): """Object that knows how to refresh access tokens or id tokens when needed. Args: scopes: space separated oauth scopes. It's used to generate access tokens. Defaults to OAUTH_SCOPE_EMAIL. audience: An audience in ID tokens to claim which clients should accept it. """ def __init__(self, scopes=OAUTH_SCOPE_EMAIL, audience=None): self._access_token = None self._scopes = scopes self._id_token = None self._audience = audience def has_cached_credentials(self): """Returns True if credentials can be obtained. If returns False, get_access_token() or get_id_token() later will probably ask for interactive login by raising LoginRequiredError. If returns True, get_access_token() or get_id_token() won't ask for interactive login. """ return bool(self._get_luci_auth_token()) def get_access_token(self): """Returns AccessToken, refreshing it if necessary. Raises: LoginRequiredError if user interaction is required. """ if self._access_token and not self._access_token.needs_refresh(): return self._access_token # Token expired or missing. Maybe some other process already updated it, # reload from the cache. self._access_token = self._get_luci_auth_token() if self._access_token and not self._access_token.needs_refresh(): return self._access_token # Nope, still expired. Needs user interaction. logging.debug('Failed to create access token') raise LoginRequiredError(self._scopes) def get_id_token(self): """Returns id token, refreshing it if necessary. Returns: A Token object. Raises: LoginRequiredError if user interaction is required. """ if self._id_token and not self._id_token.needs_refresh(): return self._id_token self._id_token = self._get_luci_auth_token(use_id_token=True) if self._id_token and not self._id_token.needs_refresh(): return self._id_token # Nope, still expired. Needs user interaction. logging.debug('Failed to create id token') raise LoginRequiredError() def authorize(self, http, use_id_token=False): """Monkey patches authentication logic of httplib2.Http instance. The modified http.request method will add authentication headers to each request. Args: http: An instance of httplib2.Http. Returns: A modified instance of http that was passed in. """ # Adapted from oauth2client.OAuth2Credentials.authorize. request_orig = http.request @functools.wraps(request_orig) def new_request(uri, method='GET', body=None, headers=None, redirections=httplib2.DEFAULT_MAX_REDIRECTS, connection_type=None): headers = (headers or {}).copy() auth_token = self.get_access_token( ) if not use_id_token else self.get_id_token() headers['Authorization'] = 'Bearer %s' % auth_token.token return request_orig(uri, method, body, headers, redirections, connection_type) http.request = new_request return http ## Private methods. def _get_luci_auth_token(self, use_id_token=False): logging.debug('Running luci-auth token') if use_id_token: args = ['-use-id-token'] + ['-audience', self._audience ] if self._audience else [] else: args = ['-scopes', self._scopes] try: out, err = subprocess2.check_call_out(['luci-auth', 'token'] + args + ['-json-output', '-'], stdout=subprocess2.PIPE, stderr=subprocess2.PIPE) logging.debug('luci-auth token stderr:\n%s', err) token_info = json.loads(out) return Token( token_info['token'], datetime.datetime.utcfromtimestamp(token_info['expiry'])) except subprocess2.CalledProcessError as e: # subprocess2.CalledProcessError.__str__ nicely formats # stdout/stderr. logging.error('luci-auth token failed: %s', e) return None class GerritAuthenticator(object): """Object that knows how to refresh access tokens for Gerrit. Unlike Authenticator, this is specifically for authenticating Gerrit requests. """ # Exitcodes for `git-credential-luci`. # See: https://chromium.googlesource.com/infra/luci/luci-go/+/main/client/cmd/git-credential-luci/main.go _GCL_EXITCODE_SUCCESS = 0 _GCL_EXITCODE_UNCLASSIFIED = 1 _GCL_EXITCODE_LOGIN_REQUIRED = 2 _GCL_EXITCODE_REAUTH_REQUIRED = 3 def __init__(self): self._access_token: Optional[str] = None def get_access_token(self) -> str: """Returns AccessToken, refreshing it if necessary. This token can't satisfy ReAuth requirements. Use `get_authorization_header` method instead. Raises: GitLoginRequiredError: if user login is required. """ logging.debug('Running git-credential-luci') env = os.environ.copy() env['LUCI_ENABLE_REAUTH'] = '0' out_bytes = self._call_helper(['git-credential-luci', 'get'], stdin=subprocess2.DEVNULL, stdout=subprocess2.PIPE, stderr=subprocess2.PIPE, env=env) out = self._parse_creds_helper_out(out_bytes) if password := out.get("password", None): return password logging.error('git-credential-luci did not return a token') raise GitUnknownError() def get_authorization_header(self, context: ReAuthContext) -> str: """Returns an HTTP Authorization header to authenticate requests. This method supports ReAuth, but it may be missing ReAuth credentials (i.e. RAPT token), if ReAuth isn't required based on the context, or if ReAuth support is disabled. Raises: GitLoginRequiredError: if user login is required. GitReAuthRequiredError: if ReAuth is required. """ logging.debug('Running git-credential-luci (with reauth)') creds_attrs = context.to_git_cred_attrs() logging.debug('git-credential-luci stdin:\n%s', creds_attrs) out_bytes = self._call_helper(['git-credential-luci', 'get'], stdin=creds_attrs, stdout=subprocess2.PIPE, stderr=subprocess2.PIPE) if header := self._extract_authorization_header(out_bytes): return header logging.error('git-credential-luci did not return a token') raise GitUnknownError() def _extract_authorization_header(self, out_bytes: bytes) -> Optional[str]: out = self._parse_creds_helper_out(out_bytes) # Check for ReAuth token and return it's available. authtype = out.get("authtype", None) credential = out.get("credential", None) if authtype and credential: return f"{authtype} {credential}" # If the helper returns non-reauth token, it means ReAuth isn't required and # the access token already satisfies the request. if password := out.get("password", None): return f"Bearer {password}" # If the helper also didn't return an access token, something is wrong. logging.error( 'git-credential-luci did not return a token or a ReAuth token') return None def _parse_creds_helper_out(self, out_bytes: str) -> Dict[str, str]: """Parse credential helper's output to a dictionary. Note, this function doesn't handle arrays (e.g. key[]=value). """ result = {} for line in out_bytes.decode().splitlines(): if '=' in line: key, value = line.split('=', 1) result[key] = value.strip() return result def _call_helper(self, args, **kwargs) -> bytes: """Calls the helper executable and propagate errors based on exit code. Returns output as bytes if successful. Raises: GitLoginRequiredError GitReAuthRequiredError GitUnknownError """ stdout_stderr, exitcode = subprocess2.communicate(args, **kwargs) stdout, stderr = stdout_stderr logging.debug('git-credential-luci stderr:\n%s', stderr) if exitcode == self._GCL_EXITCODE_SUCCESS: return stdout if exitcode == self._GCL_EXITCODE_LOGIN_REQUIRED: raise GitLoginRequiredError() if exitcode == self._GCL_EXITCODE_REAUTH_REQUIRED: raise GitReAuthRequiredError() err = subprocess2.CalledProcessError(exitcode, args, kwargs.get('cwd'), stdout, stderr) logging.error('git-credential-luci failed: %s', err) raise err