feat: Pluggable auth support #995
Update pluggable.py
- Loading branch information
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -13,23 +13,22 @@ | |
| # limitations under the License. | ||
|
|
||
| """Pluggable Credentials. | ||
| Pluggable Credentials are initialized using external_account arguments which | ||
| are typically loaded from third-party executables. Unlike other | ||
| credentials that can be initialized with a list of explicit arguments, secrets | ||
| or credentials, external account clients use the environment and hints/guidelines | ||
| provided by the external_account JSON file to retrieve credentials and exchange | ||
| them for Google access tokens. | ||
|
|
||
| Example credential_source for pluggable credential:: | ||
|
|
||
| { | ||
| "executable": { | ||
| "command": "/path/to/get/credentials.sh --arg1=value1 --arg2=value2", | ||
| "timeout_millis": 5000, | ||
| "output_file": "/path/to/generated/cached/credentials" | ||
| } | ||
| } | ||
| """ | ||
|
|
||
| try: | ||
|
|
@@ -47,10 +46,9 @@ | |
| from google.auth import exceptions | ||
| from google.auth import external_account | ||
|
|
||
| # The max supported executable spec version. | ||
| EXECUTABLE_SUPPORTED_MAX_VERSION = 1 | ||
|
|
||
| class Credentials(external_account.Credentials): | ||
| """External account credentials sourced from executables.""" | ||
|
|
||
|
|
@@ -78,7 +76,7 @@ def __init__( | |
| provide instructions on how to retrieve external credential to be | ||
| exchanged for Google access tokens. | ||
|
|
||
| Example credential_source for pluggable credential: | ||
|
|
||
| { | ||
| "executable": { | ||
|
|
@@ -126,40 +124,36 @@ def __init__( | |
| default_scopes=default_scopes, | ||
| workforce_pool_user_project=workforce_pool_user_project, | ||
| ) | ||
| if workforce_pool_user_project is not None: | ||
| raise ValueError( | ||
| "Pluggable auth doesn't support Workforce poolyet." | ||
| ) | ||
| if not isinstance(credential_source, Mapping): | ||
| self._credential_source_executable = None | ||
| raise ValueError( | ||
| "Missing credential_source. The credential_source is not a dict." | ||
| ) | ||
| self._credential_source_executable = credential_source.get("executable") | ||
| if not self._credential_source_executable: | ||
| raise ValueError( | ||
| "Missing credential_source. An 'executable' must be provided." | ||
| ) | ||
| self._credential_source_executable_command = self._credential_source_executable.get( | ||
| "command" | ||
| ) | ||
| self._credential_source_executable_timeout_millis = self._credential_source_executable.get( | ||
| "timeout_millis" | ||
| ) | ||
| self._credential_source_executable_output_file = self._credential_source_executable.get( | ||
| "output_file" | ||
| ) | ||
|
|
||
| if not self._credential_source_executable_command: | ||
| raise ValueError("Missing command. Executable command must be provided.") | ||
renkelvin marked this conversation as resolved.
Outdated
Show resolved
Hide resolved
|
||
| if not self._credential_source_executable_timeout_millis: | ||
renkelvin marked this conversation as resolved.
Outdated
Show resolved
Hide resolved
|
||
| self._credential_source_executable_timeout_millis = 30 * 1000 | ||
| elif self._credential_source_executable_timeout_millis < 0 or self._credential_source_executable_timeout_millis > 120: | ||
| raise ValueError("Timeout must be between 0 and 120 seconds.") | ||
|
|
||
| @_helpers.copy_docstring(external_account.Credentials) | ||
| def retrieve_subject_token(self, request): | ||
|
|
@@ -171,20 +165,21 @@ def retrieve_subject_token(self, request): | |
| "Executables need to be explicitly allowed (set GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES to '1') to run." | ||
| ) | ||
|
|
||
| # Check output file. | ||
| if self._credential_source_executable_output_file is not None: | ||
| try: | ||
| with open( | ||
| self._credential_source_executable_output_file | ||
| ) as output_file: | ||
| response = json.load(output_file) | ||
| # If the cached response is expired, _parse_subject_token will raise an error which will be ignored and we will call the executable again. | ||
| subject_token = self._parse_subject_token(response) | ||
renkelvin marked this conversation as resolved.
Outdated
Show resolved
Hide resolved
|
||
| except: | ||
| pass | ||
lsirac marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| else: | ||
| return subject_token | ||
|
|
||
| # Inject env vars. | ||
renkelvin marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| original_audience = os.getenv("GOOGLE_EXTERNAL_ACCOUNT_AUDIENCE") | ||
| os.environ["GOOGLE_EXTERNAL_ACCOUNT_AUDIENCE"] = self._audience | ||
| original_subject_token_type = os.getenv("GOOGLE_EXTERNAL_ACCOUNT_TOKEN_TYPE") | ||
|
|
@@ -199,7 +194,7 @@ def retrieve_subject_token(self, request): | |
| if self._service_account_impersonation_url is not None: | ||
| os.environ[ | ||
| "GOOGLE_EXTERNAL_ACCOUNT_IMPERSONATED_EMAIL" | ||
| ] = self.service_account_email() | ||
| original_credential_source_executable_output_file = os.getenv( | ||
| "GOOGLE_EXTERNAL_ACCOUNT_OUTPUT_FILE" | ||
| ) | ||
|
|
@@ -215,7 +210,7 @@ def retrieve_subject_token(self, request): | |
| stderr=subprocess.STDOUT, | ||
| ) | ||
|
|
||
| # Reset env vars. | ||
| if original_audience is not None: | ||
| os.environ["GOOGLE_EXTERNAL_ACCOUNT_AUDIENCE"] = original_audience | ||
| else: | ||
|
|
@@ -302,21 +297,23 @@ def from_file(cls, filename, **kwargs): | |
| return cls.from_info(data, **kwargs) | ||
|
|
||
| def _parse_subject_token(self, response): | ||
lsirac marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| if response["version"] > EXECUTABLE_SUPPORTED_MAX_VERSION: | ||
|
Contributor
There was a problem hiding this comment. Not too familiar with Python but what happens if there is no "version" field here?
Contributor
There was a problem hiding this comment. I am not very familiar with python either. I came across this syntax to get a default value if the version is not present. May this can be used to simplify your code in the places where you are checking for presence first? @renkelvin: We did this intentionally to distinguish whether it's a format issue or a content issue, so we can inform the customer to fix the output accordingly.
lsirac marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| raise exceptions.RefreshError( | ||
| "Executable returned unsupported version {}.".format( | ||
| response["version"] | ||
| ) | ||
| ) | ||
| if not response["success"] or not response["success"]: | ||
renkelvin marked this conversation as resolved.
Outdated
Show resolved
Hide resolved
|
||
| if not response["code"] or not response["message"]: | ||
| raise ValueError("Code and message are required in the response.") | ||
| raise exceptions.RefreshError( | ||
| "Executable returned unsuccessful response: code: {}, message: {}.".format(response["code"], response["message"]) | ||
| ) | ||
| if response["expiration_time"] < time.time(): | ||
| raise exceptions.RefreshError( | ||
| "The token returned by the executable is expired." | ||
| ) | ||
| if ( | ||
| response["token_type"] == "urn:ietf:params:oauth:token-type:jwt" | ||
| or response["token_type"] == "urn:ietf:params:oauth:token-type:id_token" | ||
| ): # OIDC | ||
|
|
||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.