iaptoolkit 0.0.3__tar.gz → 0.0.4__tar.gz
- {iaptoolkit-0.0.3 → iaptoolkit-0.0.4}/PKG-INFO +1 -1
- {iaptoolkit-0.0.3 → iaptoolkit-0.0.4}/pyproject.toml +1 -1
- {iaptoolkit-0.0.3 → iaptoolkit-0.0.4}/src/iaptoolkit/exceptions.py +2 -2
- {iaptoolkit-0.0.3 → iaptoolkit-0.0.4}/src/iaptoolkit/headers.py +7 -6
- {iaptoolkit-0.0.3 → iaptoolkit-0.0.4}/src/iaptoolkit/tokens/__init__.py +2 -5
- {iaptoolkit-0.0.3 → iaptoolkit-0.0.4}/src/iaptoolkit/tokens/service_account.py +9 -6
- {iaptoolkit-0.0.3 → iaptoolkit-0.0.4}/LICENSE +0 -0
- {iaptoolkit-0.0.3 → iaptoolkit-0.0.4}/README.md +0 -0
- {iaptoolkit-0.0.3 → iaptoolkit-0.0.4}/src/iaptoolkit/__init__.py +0 -0
- {iaptoolkit-0.0.3 → iaptoolkit-0.0.4}/src/iaptoolkit/constants.py +0 -0
- {iaptoolkit-0.0.3 → iaptoolkit-0.0.4}/src/iaptoolkit/tokens/structs.py +0 -0
- {iaptoolkit-0.0.3 → iaptoolkit-0.0.4}/src/iaptoolkit/tokens/token_datastore.py +0 -0
- {iaptoolkit-0.0.3 → iaptoolkit-0.0.4}/src/iaptoolkit/utils/__init__.py +0 -0
- {iaptoolkit-0.0.3 → iaptoolkit-0.0.4}/src/iaptoolkit/utils/urls.py +0 -0
- {iaptoolkit-0.0.3 → iaptoolkit-0.0.4}/src/iaptoolkit/vars.py +0 -0
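--- a/src/iaptoolkit/exceptions.py
+++ b/src/iaptoolkit/exceptions.py
@@ -24,7 +24,7 @@ class TokenStorageException(TokenException):
 
 
 class ServiceAccountTokenException(TokenException):
     def __init__(
-        self, message: str, google_exception: t.Union[DefaultCredentialsError, RefreshError]
+        self, message: str, google_exception: t.Union[DefaultCredentialsError, RefreshError] | None
     ):
         self.google_exception = google_exception
         credentials_env_var_value = os.environ.get(GOOGLE_CREDENTIALS_FILE_PATH)
@@ -40,7 +40,7 @@ class ServiceAccountTokenException(TokenException):
 
     @property
     def retryable(self):
-        return self.google_exception._retryable
+        return self.google_exception and self.google_exception._retryable
 
 
 class ServiceAccountNoDefaultCredentials(ServiceAccountTokenException):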
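Review bot: `retryable` at new line 43 of exceptions.py now evaluates to `None` rather than `False` whenever `google_exception` is `None`, so any caller that compares the property to a bool or serialises it into a log or retry decision sees a different type than before; `return bool(self.google_exception is not None and self.google_exception._retryable)` with a `-> bool` annotation keeps the property boolean. The property also still reads the private `_retryable` attribute of the google-auth exception; if those exception classes expose a public `retryable` property (recent `google.auth.exceptions.GoogleAuthError` appears to), prefer it so a library upgrade cannot silently change retry behaviour. Separately, `t.Union[...] | None` at line 27 combines `typing.Union` with PEP 604 syntax, which is only evaluated at runtime on Python 3.10+ unless the module has `from __future__ import annotations`; the module header is outside this hunk, so this is worth checking against the python requirement declared in pyproject.toml.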
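--- a/src/iaptoolkit/headers.py
+++ b/src/iaptoolkit/headers.py
@@ -4,11 +4,11 @@ from kvcommon import logger
 
 from iaptoolkit.constants import GOOGLE_IAP_AUTH_HEADER
 from iaptoolkit.constants import GOOGLE_IAP_AUTH_HEADER_PROXY
-from iaptoolkit.tokens import get_token_for_google_service_account
+from iaptoolkit.tokens import get_token_for_google_service_account
 from iaptoolkit.tokens.structs import ResultAddTokenHeader
 from iaptoolkit.utils.urls import is_url_safe_for_token
 from iaptoolkit.vars import IAPTOOLKIT_USE_AUTH_HEADER
-
+from iaptoolkit.vars import GOOGLE_IAP_CLIENT_ID
 
 LOG = logger.get_logger("iaptk")
 
@@ -39,7 +39,7 @@ def sanitize_request_headers(headers: dict) -> dict:
     return log_safe_headers
 
 
-def add_token_to_request_headers(request_headers: dict, use_oauth2: bool) -> bool:
+def add_token_to_request_headers(request_headers: dict, use_oauth2: bool, iap_client_id: str) -> bool:
     """
     Adds Bearer token to headers dict. Modifies dict in-place.
     Returns True if added token is a fresh one, or False if token is from cache
@@ -47,7 +47,7 @@ def add_token_to_request_headers(request_headers: dict, use_oauth2: bool) -> boo
     # TODO: Make this less google-specific, or move it to a google-specific implementation
     # TODO: oauth2
 
-    token_refresh_struct =
+    token_refresh_struct = get_token_for_google_service_account(iap_client_id=iap_client_id)
     id_token: str = token_refresh_struct.id_token
     auth_header_str = "Bearer {}".format(id_token)
 
@@ -73,7 +73,8 @@ def check_url_and_add_token_header(
     url: str,
     request_headers: dict,
     use_oauth2: bool = False,
-    valid_domains: t.
+    valid_domains: t.List[str] | None = None,
+    iap_client_id: str = GOOGLE_IAP_CLIENT_ID
 ) -> ResultAddTokenHeader:
     """Prevent inadvertently sending private tokens to arbitrary locations.
     Returns:
@@ -85,7 +86,7 @@ def check_url_and_add_token_header(
 
     # Verify that the url's domain is one we allow before adding a token
     if is_url_safe_for_token(url_parts, valid_domains):
-        token_is_fresh = add_token_to_request_headers(request_headers, use_oauth2)
+        token_is_fresh = add_token_to_request_headers(request_headers, use_oauth2, iap_client_id=iap_client_id)
         return ResultAddTokenHeader(token_added=True, token_is_fresh=token_is_fresh)
     else:
         LOG.warn(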
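Review bot: The docstring of `add_token_to_request_headers` (new lines 43–45 of headers.py) was not updated for the new required `iap_client_id` parameter, and the parameter has no default while `check_url_and_add_token_header` at line 77 defaults it to `GOOGLE_IAP_CLIENT_ID`, so any external caller still passing only `(request_headers, use_oauth2)` now fails with a `TypeError`. Either give it the same default or document it with a line such as `iap_client_id: OAuth client ID of the IAP-protected resource the ID token is minted for; must be non-empty`. At line 76 `valid_domains` now defaults to `None`, but what `is_url_safe_for_token` does with `None` is not visible in this hunk; since the docstring promises not to send private tokens to arbitrary locations, the `Returns:` section should state whether `None` falls back to a configured allow-list or rejects every URL, because the safe default for a bearer-token header is to fail closed. Both functions continue outside the hunks shown.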
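--- a/src/iaptoolkit/tokens/__init__.py
+++ b/src/iaptoolkit/tokens/__init__.py
@@ -3,7 +3,6 @@ from kvcommon import logger
 from iaptoolkit.exceptions import ServiceAccountTokenException
 from iaptoolkit.exceptions import TokenStorageException
 from iaptoolkit.exceptions import TokenException
-from iaptoolkit.vars import GOOGLE_IAP_CLIENT_ID
 
 from .structs import TokenStruct
 from .structs import TokenRefreshStruct
@@ -15,12 +14,10 @@ from .service_account import GoogleServiceAccount
 
 LOG = logger.get_logger("iaptk")
 
-google_sa_token_client = GoogleServiceAccount(GOOGLE_IAP_CLIENT_ID)
 
-
-def get_token_for_google_service_account(iap_client_id: str = GOOGLE_IAP_CLIENT_ID):
+def get_token_for_google_service_account(iap_client_id):
     try:
-        return GoogleServiceAccount(
+        return GoogleServiceAccount(iap_client_id).get_token()
     except ServiceAccountTokenException as ex:
         LOG.debug(ex)
         raise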
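Review bot: The rewritten signature at new line 18 of tokens/__init__.py drops the type annotation the old version had and still carries no docstring; `def get_token_for_google_service_account(iap_client_id: str) -> TokenRefreshStruct:` keeps the contract visible (`TokenRefreshStruct` is already imported at line 8, but confirm it is what `GoogleServiceAccount.get_token()` returns, since headers.py reads `.id_token` off the result). A short docstring should also state that `ServiceAccountTokenException` is re-raised after being logged at debug level, and that a fresh `GoogleServiceAccount` is now constructed on every call now that the module-level `google_sa_token_client` singleton is gone. If any token cache lived on that instance rather than in the token datastore, each call would now refresh; that depends on service_account.py, which is outside this hunk.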
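--- a/src/iaptoolkit/tokens/service_account.py
+++ b/src/iaptoolkit/tokens/service_account.py
@@ -16,7 +16,6 @@ from iaptoolkit.exceptions import ServiceAccountTokenFailedRefresh
 from iaptoolkit.exceptions import ServiceAccountNoDefaultCredentials
 from iaptoolkit.exceptions import TokenStorageException
 
-from iaptoolkit.vars import GOOGLE_IAP_CLIENT_ID
 # from iaptoolkit.vars import GOOGLE_CLIENT_ID
 # from iaptoolkit.vars import GOOGLE_CLIENT_SECRET
 
@@ -29,8 +28,8 @@ MAX_RECURSE = 3
 
 
 class ServiceAccount(object):
-    """Base class for interacting with service accounts and OIDC tokens for IAP
-
+    """Base class for interacting with service accounts and OIDC tokens for IAP"""
+
     # TODO: This is a static namespace for SA functions. Turn it into a per-iap-client-id client
     # TODO: Move Google-specific logic to GoogleServiceAccount
 
@@ -166,9 +165,13 @@ class ServiceAccount(object):
 
 
 class GoogleServiceAccount(ServiceAccount):
-    """For interacting with Google service accounts and OIDC tokens for Google IAP
-
-    def __init__(self, iap_client_id: str
+    """For interacting with Google service accounts and OIDC tokens for Google IAP"""
+
+    def __init__(self, iap_client_id: str) -> None:
+        if not iap_client_id or not isinstance(iap_client_id, str):
+            raise ServiceAccountTokenException(
+                "Invalid iap_client_id for GoogleServiceAccount", google_exception=None
+            )
         self._iap_client_id = iap_client_id
         super().__init__()
 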
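Review bot: The new guard in `GoogleServiceAccount.__init__` (new lines 171–174 of service_account.py) raises a message that does not say which condition failed, so an empty value (for example an unset `GOOGLE_IAP_CLIENT_ID` reaching it through the defaults in headers.py, depending on how vars.py defines it) and a wrong type are indistinguishable in logs; `f"Invalid iap_client_id for GoogleServiceAccount: expected non-empty str, got {type(iap_client_id).__name__}"` reports the type without echoing the value. The guard is a good fail-closed check, since an empty audience would otherwise be handed to the token request; a one-line docstring on `__init__` such as `Raises ServiceAccountTokenException if iap_client_id is not a non-empty str.` would make that contract visible to callers. Note that `ServiceAccountTokenException.retryable` evaluates to a falsy non-bool for the `google_exception=None` case, which is consistent with treating this as a configuration error. The rest of the class lies outside the hunks shown.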
|