# Copyright 2016 Google Inc. All rights reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. import logging import httplib2 import six from six.moves import http_client from oauth2client._helpers import _to_bytes _LOGGER = logging.getLogger(__name__) # Properties present in file-like streams / buffers. _STREAM_PROPERTIES = ('read', 'seek', 'tell') # Google Data client libraries may need to set this to [401, 403]. REFRESH_STATUS_CODES = (http_client.UNAUTHORIZED,) class MemoryCache(object): """httplib2 Cache implementation which only caches locally.""" def __init__(self): self.cache = {} def get(self, key): return self.cache.get(key) def set(self, key, value): self.cache[key] = value def delete(self, key): self.cache.pop(key, None) def get_cached_http(): """Return an HTTP object which caches results returned. This is intended to be used in methods like oauth2client.client.verify_id_token(), which calls to the same URI to retrieve certs. Returns: httplib2.Http, an HTTP object with a MemoryCache """ return _CACHED_HTTP def get_http_object(): """Return a new HTTP object. Returns: httplib2.Http, an HTTP object. """ return httplib2.Http() def _initialize_headers(headers): """Creates a copy of the headers. Args: headers: dict, request headers to copy. Returns: dict, the copied headers or a new dictionary if the headers were None. """ return {} if headers is None else dict(headers) def _apply_user_agent(headers, user_agent): """Adds a user-agent to the headers. Args: headers: dict, request headers to add / modify user agent within. user_agent: str, the user agent to add. Returns: dict, the original headers passed in, but modified if the user agent is not None. """ if user_agent is not None: if 'user-agent' in headers: headers['user-agent'] = (user_agent + ' ' + headers['user-agent']) else: headers['user-agent'] = user_agent return headers def clean_headers(headers): """Forces header keys and values to be strings, i.e not unicode. The httplib module just concats the header keys and values in a way that may make the message header a unicode string, which, if it then tries to contatenate to a binary request body may result in a unicode decode error. Args: headers: dict, A dictionary of headers. Returns: The same dictionary but with all the keys converted to strings. """ clean = {} try: for k, v in six.iteritems(headers): if not isinstance(k, six.binary_type): k = str(k) if not isinstance(v, six.binary_type): v = str(v) clean[_to_bytes(k)] = _to_bytes(v) except UnicodeEncodeError: from oauth2client.client import NonAsciiHeaderError raise NonAsciiHeaderError(k, ': ', v) return clean def wrap_http_for_auth(credentials, http): """Prepares an HTTP object's request method for auth. Wraps HTTP requests with logic to catch auth failures (typically identified via a 401 status code). In the event of failure, tries to refresh the token used and then retry the original request. Args: credentials: Credentials, the credentials used to identify the authenticated user. http: httplib2.Http, an http object to be used to make auth requests. """ orig_request_method = http.request # The closure that will replace 'httplib2.Http.request'. def new_request(uri, method='GET', body=None, headers=None, redirections=httplib2.DEFAULT_MAX_REDIRECTS, connection_type=None): if not credentials.access_token: _LOGGER.info('Attempting refresh to obtain ' 'initial access_token') credentials._refresh(orig_request_method) # Clone and modify the request headers to add the appropriate # Authorization header. headers = _initialize_headers(headers) credentials.apply(headers) _apply_user_agent(headers, credentials.user_agent) body_stream_position = None # Check if the body is a file-like stream. if all(getattr(body, stream_prop, None) for stream_prop in _STREAM_PROPERTIES): body_stream_position = body.tell() resp, content = orig_request_method(uri, method, body, clean_headers(headers), redirections, connection_type) # A stored token may expire between the time it is retrieved and # the time the request is made, so we may need to try twice. max_refresh_attempts = 2 for refresh_attempt in range(max_refresh_attempts): if resp.status not in REFRESH_STATUS_CODES: break _LOGGER.info('Refreshing due to a %s (attempt %s/%s)', resp.status, refresh_attempt + 1, max_refresh_attempts) credentials._refresh(orig_request_method) credentials.apply(headers) if body_stream_position is not None: body.seek(body_stream_position) resp, content = orig_request_method(uri, method, body, clean_headers(headers), redirections, connection_type) return resp, content # Replace the request method with our own closure. http.request = new_request # Set credentials as a property of the request method. setattr(http.request, 'credentials', credentials) def wrap_http_for_jwt_access(credentials, http): """Prepares an HTTP object's request method for JWT access. Wraps HTTP requests with logic to catch auth failures (typically identified via a 401 status code). In the event of failure, tries to refresh the token used and then retry the original request. Args: credentials: _JWTAccessCredentials, the credentials used to identify a service account that uses JWT access tokens. http: httplib2.Http, an http object to be used to make auth requests. """ orig_request_method = http.request wrap_http_for_auth(credentials, http) # The new value of ``http.request`` set by ``wrap_http_for_auth``. authenticated_request_method = http.request # The closure that will replace 'httplib2.Http.request'. def new_request(uri, method='GET', body=None, headers=None, redirections=httplib2.DEFAULT_MAX_REDIRECTS, connection_type=None): if 'aud' in credentials._kwargs: # Preemptively refresh token, this is not done for OAuth2 if (credentials.access_token is None or credentials.access_token_expired): credentials.refresh(None) return authenticated_request_method(uri, method, body, headers, redirections, connection_type) else: # If we don't have an 'aud' (audience) claim, # create a 1-time token with the uri root as the audience headers = _initialize_headers(headers) _apply_user_agent(headers, credentials.user_agent) uri_root = uri.split('?', 1)[0] token, unused_expiry = credentials._create_token({'aud': uri_root}) headers['Authorization'] = 'Bearer ' + token return orig_request_method(uri, method, body, clean_headers(headers), redirections, connection_type) # Replace the request method with our own closure. http.request = new_request _CACHED_HTTP = httplib2.Http(MemoryCache())