OLD | NEW |
(Empty) | |
| 1 # Copyright (C) 2010 Google Inc. |
| 2 # |
| 3 # Licensed under the Apache License, Version 2.0 (the "License"); |
| 4 # you may not use this file except in compliance with the License. |
| 5 # You may obtain a copy of the License at |
| 6 # |
| 7 # http://www.apache.org/licenses/LICENSE-2.0 |
| 8 # |
| 9 # Unless required by applicable law or agreed to in writing, software |
| 10 # distributed under the License is distributed on an "AS IS" BASIS, |
| 11 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 12 # See the License for the specific language governing permissions and |
| 13 # limitations under the License. |
| 14 |
| 15 """Utilities for Google App Engine |
| 16 |
| 17 Utilities for making it easier to use OAuth 2.0 on Google App Engine. |
| 18 """ |
| 19 |
| 20 __author__ = 'jcgregorio@google.com (Joe Gregorio)' |
| 21 |
| 22 import base64 |
| 23 import cgi |
| 24 import httplib2 |
| 25 import logging |
| 26 import os |
| 27 import pickle |
| 28 import threading |
| 29 import time |
| 30 |
| 31 from google.appengine.api import app_identity |
| 32 from google.appengine.api import memcache |
| 33 from google.appengine.api import users |
| 34 from google.appengine.ext import db |
| 35 from google.appengine.ext import webapp |
| 36 from google.appengine.ext.webapp.util import login_required |
| 37 from google.appengine.ext.webapp.util import run_wsgi_app |
| 38 from oauth2client import GOOGLE_AUTH_URI |
| 39 from oauth2client import GOOGLE_REVOKE_URI |
| 40 from oauth2client import GOOGLE_TOKEN_URI |
| 41 from oauth2client import clientsecrets |
| 42 from oauth2client import util |
| 43 from oauth2client import xsrfutil |
| 44 from oauth2client.anyjson import simplejson |
| 45 from oauth2client.client import AccessTokenRefreshError |
| 46 from oauth2client.client import AssertionCredentials |
| 47 from oauth2client.client import Credentials |
| 48 from oauth2client.client import Flow |
| 49 from oauth2client.client import OAuth2WebServerFlow |
| 50 from oauth2client.client import Storage |
| 51 |
| 52 # TODO(dhermes): Resolve import issue. |
| 53 # This is a temporary fix for a Google internal issue. |
| 54 try: |
| 55 from google.appengine.ext import ndb |
| 56 except ImportError: |
| 57 ndb = None |
| 58 |
| 59 |
| 60 logger = logging.getLogger(__name__) |
| 61 |
| 62 OAUTH2CLIENT_NAMESPACE = 'oauth2client#ns' |
| 63 |
| 64 XSRF_MEMCACHE_ID = 'xsrf_secret_key' |
| 65 |
| 66 |
| 67 def _safe_html(s): |
| 68 """Escape text to make it safe to display. |
| 69 |
| 70 Args: |
| 71 s: string, The text to escape. |
| 72 |
| 73 Returns: |
| 74 The escaped text as a string. |
| 75 """ |
| 76 return cgi.escape(s, quote=1).replace("'", ''') |
| 77 |
| 78 |
| 79 class InvalidClientSecretsError(Exception): |
| 80 """The client_secrets.json file is malformed or missing required fields.""" |
| 81 |
| 82 |
| 83 class InvalidXsrfTokenError(Exception): |
| 84 """The XSRF token is invalid or expired.""" |
| 85 |
| 86 |
| 87 class SiteXsrfSecretKey(db.Model): |
| 88 """Storage for the sites XSRF secret key. |
| 89 |
| 90 There will only be one instance stored of this model, the one used for the |
| 91 site. |
| 92 """ |
| 93 secret = db.StringProperty() |
| 94 |
| 95 if ndb is not None: |
| 96 class SiteXsrfSecretKeyNDB(ndb.Model): |
| 97 """NDB Model for storage for the sites XSRF secret key. |
| 98 |
| 99 Since this model uses the same kind as SiteXsrfSecretKey, it can be used |
| 100 interchangeably. This simply provides an NDB model for interacting with the |
| 101 same data the DB model interacts with. |
| 102 |
| 103 There should only be one instance stored of this model, the one used for the |
| 104 site. |
| 105 """ |
| 106 secret = ndb.StringProperty() |
| 107 |
| 108 @classmethod |
| 109 def _get_kind(cls): |
| 110 """Return the kind name for this class.""" |
| 111 return 'SiteXsrfSecretKey' |
| 112 |
| 113 |
| 114 def _generate_new_xsrf_secret_key(): |
| 115 """Returns a random XSRF secret key. |
| 116 """ |
| 117 return os.urandom(16).encode("hex") |
| 118 |
| 119 |
| 120 def xsrf_secret_key(): |
| 121 """Return the secret key for use for XSRF protection. |
| 122 |
| 123 If the Site entity does not have a secret key, this method will also create |
| 124 one and persist it. |
| 125 |
| 126 Returns: |
| 127 The secret key. |
| 128 """ |
| 129 secret = memcache.get(XSRF_MEMCACHE_ID, namespace=OAUTH2CLIENT_NAMESPACE) |
| 130 if not secret: |
| 131 # Load the one and only instance of SiteXsrfSecretKey. |
| 132 model = SiteXsrfSecretKey.get_or_insert(key_name='site') |
| 133 if not model.secret: |
| 134 model.secret = _generate_new_xsrf_secret_key() |
| 135 model.put() |
| 136 secret = model.secret |
| 137 memcache.add(XSRF_MEMCACHE_ID, secret, namespace=OAUTH2CLIENT_NAMESPACE) |
| 138 |
| 139 return str(secret) |
| 140 |
| 141 |
| 142 class AppAssertionCredentials(AssertionCredentials): |
| 143 """Credentials object for App Engine Assertion Grants |
| 144 |
| 145 This object will allow an App Engine application to identify itself to Google |
| 146 and other OAuth 2.0 servers that can verify assertions. It can be used for the |
| 147 purpose of accessing data stored under an account assigned to the App Engine |
| 148 application itself. |
| 149 |
| 150 This credential does not require a flow to instantiate because it represents |
| 151 a two legged flow, and therefore has all of the required information to |
| 152 generate and refresh its own access tokens. |
| 153 """ |
| 154 |
| 155 @util.positional(2) |
| 156 def __init__(self, scope, **kwargs): |
| 157 """Constructor for AppAssertionCredentials |
| 158 |
| 159 Args: |
| 160 scope: string or iterable of strings, scope(s) of the credentials being |
| 161 requested. |
| 162 """ |
| 163 self.scope = util.scopes_to_string(scope) |
| 164 |
| 165 # Assertion type is no longer used, but still in the parent class signature. |
| 166 super(AppAssertionCredentials, self).__init__(None) |
| 167 |
| 168 @classmethod |
| 169 def from_json(cls, json): |
| 170 data = simplejson.loads(json) |
| 171 return AppAssertionCredentials(data['scope']) |
| 172 |
| 173 def _refresh(self, http_request): |
| 174 """Refreshes the access_token. |
| 175 |
| 176 Since the underlying App Engine app_identity implementation does its own |
| 177 caching we can skip all the storage hoops and just to a refresh using the |
| 178 API. |
| 179 |
| 180 Args: |
| 181 http_request: callable, a callable that matches the method signature of |
| 182 httplib2.Http.request, used to make the refresh request. |
| 183 |
| 184 Raises: |
| 185 AccessTokenRefreshError: When the refresh fails. |
| 186 """ |
| 187 try: |
| 188 scopes = self.scope.split() |
| 189 (token, _) = app_identity.get_access_token(scopes) |
| 190 except app_identity.Error, e: |
| 191 raise AccessTokenRefreshError(str(e)) |
| 192 self.access_token = token |
| 193 |
| 194 |
| 195 class FlowProperty(db.Property): |
| 196 """App Engine datastore Property for Flow. |
| 197 |
| 198 Utility property that allows easy storage and retrieval of an |
| 199 oauth2client.Flow""" |
| 200 |
| 201 # Tell what the user type is. |
| 202 data_type = Flow |
| 203 |
| 204 # For writing to datastore. |
| 205 def get_value_for_datastore(self, model_instance): |
| 206 flow = super(FlowProperty, |
| 207 self).get_value_for_datastore(model_instance) |
| 208 return db.Blob(pickle.dumps(flow)) |
| 209 |
| 210 # For reading from datastore. |
| 211 def make_value_from_datastore(self, value): |
| 212 if value is None: |
| 213 return None |
| 214 return pickle.loads(value) |
| 215 |
| 216 def validate(self, value): |
| 217 if value is not None and not isinstance(value, Flow): |
| 218 raise db.BadValueError('Property %s must be convertible ' |
| 219 'to a FlowThreeLegged instance (%s)' % |
| 220 (self.name, value)) |
| 221 return super(FlowProperty, self).validate(value) |
| 222 |
| 223 def empty(self, value): |
| 224 return not value |
| 225 |
| 226 |
| 227 if ndb is not None: |
| 228 class FlowNDBProperty(ndb.PickleProperty): |
| 229 """App Engine NDB datastore Property for Flow. |
| 230 |
| 231 Serves the same purpose as the DB FlowProperty, but for NDB models. Since |
| 232 PickleProperty inherits from BlobProperty, the underlying representation of |
| 233 the data in the datastore will be the same as in the DB case. |
| 234 |
| 235 Utility property that allows easy storage and retrieval of an |
| 236 oauth2client.Flow |
| 237 """ |
| 238 |
| 239 def _validate(self, value): |
| 240 """Validates a value as a proper Flow object. |
| 241 |
| 242 Args: |
| 243 value: A value to be set on the property. |
| 244 |
| 245 Raises: |
| 246 TypeError if the value is not an instance of Flow. |
| 247 """ |
| 248 logger.info('validate: Got type %s', type(value)) |
| 249 if value is not None and not isinstance(value, Flow): |
| 250 raise TypeError('Property %s must be convertible to a flow ' |
| 251 'instance; received: %s.' % (self._name, value)) |
| 252 |
| 253 |
| 254 class CredentialsProperty(db.Property): |
| 255 """App Engine datastore Property for Credentials. |
| 256 |
| 257 Utility property that allows easy storage and retrieval of |
| 258 oath2client.Credentials |
| 259 """ |
| 260 |
| 261 # Tell what the user type is. |
| 262 data_type = Credentials |
| 263 |
| 264 # For writing to datastore. |
| 265 def get_value_for_datastore(self, model_instance): |
| 266 logger.info("get: Got type " + str(type(model_instance))) |
| 267 cred = super(CredentialsProperty, |
| 268 self).get_value_for_datastore(model_instance) |
| 269 if cred is None: |
| 270 cred = '' |
| 271 else: |
| 272 cred = cred.to_json() |
| 273 return db.Blob(cred) |
| 274 |
| 275 # For reading from datastore. |
| 276 def make_value_from_datastore(self, value): |
| 277 logger.info("make: Got type " + str(type(value))) |
| 278 if value is None: |
| 279 return None |
| 280 if len(value) == 0: |
| 281 return None |
| 282 try: |
| 283 credentials = Credentials.new_from_json(value) |
| 284 except ValueError: |
| 285 credentials = None |
| 286 return credentials |
| 287 |
| 288 def validate(self, value): |
| 289 value = super(CredentialsProperty, self).validate(value) |
| 290 logger.info("validate: Got type " + str(type(value))) |
| 291 if value is not None and not isinstance(value, Credentials): |
| 292 raise db.BadValueError('Property %s must be convertible ' |
| 293 'to a Credentials instance (%s)' % |
| 294 (self.name, value)) |
| 295 #if value is not None and not isinstance(value, Credentials): |
| 296 # return None |
| 297 return value |
| 298 |
| 299 |
| 300 if ndb is not None: |
| 301 # TODO(dhermes): Turn this into a JsonProperty and overhaul the Credentials |
| 302 # and subclass mechanics to use new_from_dict, to_dict, |
| 303 # from_dict, etc. |
| 304 class CredentialsNDBProperty(ndb.BlobProperty): |
| 305 """App Engine NDB datastore Property for Credentials. |
| 306 |
| 307 Serves the same purpose as the DB CredentialsProperty, but for NDB models. |
| 308 Since CredentialsProperty stores data as a blob and this inherits from |
| 309 BlobProperty, the data in the datastore will be the same as in the DB case. |
| 310 |
| 311 Utility property that allows easy storage and retrieval of Credentials and |
| 312 subclasses. |
| 313 """ |
| 314 def _validate(self, value): |
| 315 """Validates a value as a proper credentials object. |
| 316 |
| 317 Args: |
| 318 value: A value to be set on the property. |
| 319 |
| 320 Raises: |
| 321 TypeError if the value is not an instance of Credentials. |
| 322 """ |
| 323 logger.info('validate: Got type %s', type(value)) |
| 324 if value is not None and not isinstance(value, Credentials): |
| 325 raise TypeError('Property %s must be convertible to a credentials ' |
| 326 'instance; received: %s.' % (self._name, value)) |
| 327 |
| 328 def _to_base_type(self, value): |
| 329 """Converts our validated value to a JSON serialized string. |
| 330 |
| 331 Args: |
| 332 value: A value to be set in the datastore. |
| 333 |
| 334 Returns: |
| 335 A JSON serialized version of the credential, else '' if value is None. |
| 336 """ |
| 337 if value is None: |
| 338 return '' |
| 339 else: |
| 340 return value.to_json() |
| 341 |
| 342 def _from_base_type(self, value): |
| 343 """Converts our stored JSON string back to the desired type. |
| 344 |
| 345 Args: |
| 346 value: A value from the datastore to be converted to the desired type. |
| 347 |
| 348 Returns: |
| 349 A deserialized Credentials (or subclass) object, else None if the |
| 350 value can't be parsed. |
| 351 """ |
| 352 if not value: |
| 353 return None |
| 354 try: |
| 355 # Uses the from_json method of the implied class of value |
| 356 credentials = Credentials.new_from_json(value) |
| 357 except ValueError: |
| 358 credentials = None |
| 359 return credentials |
| 360 |
| 361 |
| 362 class StorageByKeyName(Storage): |
| 363 """Store and retrieve a credential to and from the App Engine datastore. |
| 364 |
| 365 This Storage helper presumes the Credentials have been stored as a |
| 366 CredentialsProperty or CredentialsNDBProperty on a datastore model class, and |
| 367 that entities are stored by key_name. |
| 368 """ |
| 369 |
| 370 @util.positional(4) |
| 371 def __init__(self, model, key_name, property_name, cache=None, user=None): |
| 372 """Constructor for Storage. |
| 373 |
| 374 Args: |
| 375 model: db.Model or ndb.Model, model class |
| 376 key_name: string, key name for the entity that has the credentials |
| 377 property_name: string, name of the property that is a CredentialsProperty |
| 378 or CredentialsNDBProperty. |
| 379 cache: memcache, a write-through cache to put in front of the datastore. |
| 380 If the model you are using is an NDB model, using a cache will be |
| 381 redundant since the model uses an instance cache and memcache for you. |
| 382 user: users.User object, optional. Can be used to grab user ID as a |
| 383 key_name if no key name is specified. |
| 384 """ |
| 385 if key_name is None: |
| 386 if user is None: |
| 387 raise ValueError('StorageByKeyName called with no key name or user.') |
| 388 key_name = user.user_id() |
| 389 |
| 390 self._model = model |
| 391 self._key_name = key_name |
| 392 self._property_name = property_name |
| 393 self._cache = cache |
| 394 |
| 395 def _is_ndb(self): |
| 396 """Determine whether the model of the instance is an NDB model. |
| 397 |
| 398 Returns: |
| 399 Boolean indicating whether or not the model is an NDB or DB model. |
| 400 """ |
| 401 # issubclass will fail if one of the arguments is not a class, only need |
| 402 # worry about new-style classes since ndb and db models are new-style |
| 403 if isinstance(self._model, type): |
| 404 if ndb is not None and issubclass(self._model, ndb.Model): |
| 405 return True |
| 406 elif issubclass(self._model, db.Model): |
| 407 return False |
| 408 |
| 409 raise TypeError('Model class not an NDB or DB model: %s.' % (self._model,)) |
| 410 |
| 411 def _get_entity(self): |
| 412 """Retrieve entity from datastore. |
| 413 |
| 414 Uses a different model method for db or ndb models. |
| 415 |
| 416 Returns: |
| 417 Instance of the model corresponding to the current storage object |
| 418 and stored using the key name of the storage object. |
| 419 """ |
| 420 if self._is_ndb(): |
| 421 return self._model.get_by_id(self._key_name) |
| 422 else: |
| 423 return self._model.get_by_key_name(self._key_name) |
| 424 |
| 425 def _delete_entity(self): |
| 426 """Delete entity from datastore. |
| 427 |
| 428 Attempts to delete using the key_name stored on the object, whether or not |
| 429 the given key is in the datastore. |
| 430 """ |
| 431 if self._is_ndb(): |
| 432 ndb.Key(self._model, self._key_name).delete() |
| 433 else: |
| 434 entity_key = db.Key.from_path(self._model.kind(), self._key_name) |
| 435 db.delete(entity_key) |
| 436 |
| 437 def locked_get(self): |
| 438 """Retrieve Credential from datastore. |
| 439 |
| 440 Returns: |
| 441 oauth2client.Credentials |
| 442 """ |
| 443 credentials = None |
| 444 if self._cache: |
| 445 json = self._cache.get(self._key_name) |
| 446 if json: |
| 447 credentials = Credentials.new_from_json(json) |
| 448 if credentials is None: |
| 449 entity = self._get_entity() |
| 450 if entity is not None: |
| 451 credentials = getattr(entity, self._property_name) |
| 452 if self._cache: |
| 453 self._cache.set(self._key_name, credentials.to_json()) |
| 454 |
| 455 if credentials and hasattr(credentials, 'set_store'): |
| 456 credentials.set_store(self) |
| 457 return credentials |
| 458 |
| 459 def locked_put(self, credentials): |
| 460 """Write a Credentials to the datastore. |
| 461 |
| 462 Args: |
| 463 credentials: Credentials, the credentials to store. |
| 464 """ |
| 465 entity = self._model.get_or_insert(self._key_name) |
| 466 setattr(entity, self._property_name, credentials) |
| 467 entity.put() |
| 468 if self._cache: |
| 469 self._cache.set(self._key_name, credentials.to_json()) |
| 470 |
| 471 def locked_delete(self): |
| 472 """Delete Credential from datastore.""" |
| 473 |
| 474 if self._cache: |
| 475 self._cache.delete(self._key_name) |
| 476 |
| 477 self._delete_entity() |
| 478 |
| 479 |
| 480 class CredentialsModel(db.Model): |
| 481 """Storage for OAuth 2.0 Credentials |
| 482 |
| 483 Storage of the model is keyed by the user.user_id(). |
| 484 """ |
| 485 credentials = CredentialsProperty() |
| 486 |
| 487 |
| 488 if ndb is not None: |
| 489 class CredentialsNDBModel(ndb.Model): |
| 490 """NDB Model for storage of OAuth 2.0 Credentials |
| 491 |
| 492 Since this model uses the same kind as CredentialsModel and has a property |
| 493 which can serialize and deserialize Credentials correctly, it can be used |
| 494 interchangeably with a CredentialsModel to access, insert and delete the |
| 495 same entities. This simply provides an NDB model for interacting with the |
| 496 same data the DB model interacts with. |
| 497 |
| 498 Storage of the model is keyed by the user.user_id(). |
| 499 """ |
| 500 credentials = CredentialsNDBProperty() |
| 501 |
| 502 @classmethod |
| 503 def _get_kind(cls): |
| 504 """Return the kind name for this class.""" |
| 505 return 'CredentialsModel' |
| 506 |
| 507 |
| 508 def _build_state_value(request_handler, user): |
| 509 """Composes the value for the 'state' parameter. |
| 510 |
| 511 Packs the current request URI and an XSRF token into an opaque string that |
| 512 can be passed to the authentication server via the 'state' parameter. |
| 513 |
| 514 Args: |
| 515 request_handler: webapp.RequestHandler, The request. |
| 516 user: google.appengine.api.users.User, The current user. |
| 517 |
| 518 Returns: |
| 519 The state value as a string. |
| 520 """ |
| 521 uri = request_handler.request.url |
| 522 token = xsrfutil.generate_token(xsrf_secret_key(), user.user_id(), |
| 523 action_id=str(uri)) |
| 524 return uri + ':' + token |
| 525 |
| 526 |
| 527 def _parse_state_value(state, user): |
| 528 """Parse the value of the 'state' parameter. |
| 529 |
| 530 Parses the value and validates the XSRF token in the state parameter. |
| 531 |
| 532 Args: |
| 533 state: string, The value of the state parameter. |
| 534 user: google.appengine.api.users.User, The current user. |
| 535 |
| 536 Raises: |
| 537 InvalidXsrfTokenError: if the XSRF token is invalid. |
| 538 |
| 539 Returns: |
| 540 The redirect URI. |
| 541 """ |
| 542 uri, token = state.rsplit(':', 1) |
| 543 if not xsrfutil.validate_token(xsrf_secret_key(), token, user.user_id(), |
| 544 action_id=uri): |
| 545 raise InvalidXsrfTokenError() |
| 546 |
| 547 return uri |
| 548 |
| 549 |
| 550 class OAuth2Decorator(object): |
| 551 """Utility for making OAuth 2.0 easier. |
| 552 |
| 553 Instantiate and then use with oauth_required or oauth_aware |
| 554 as decorators on webapp.RequestHandler methods. |
| 555 |
| 556 Example: |
| 557 |
| 558 decorator = OAuth2Decorator( |
| 559 client_id='837...ent.com', |
| 560 client_secret='Qh...wwI', |
| 561 scope='https://www.googleapis.com/auth/plus') |
| 562 |
| 563 |
| 564 class MainHandler(webapp.RequestHandler): |
| 565 |
| 566 @decorator.oauth_required |
| 567 def get(self): |
| 568 http = decorator.http() |
| 569 # http is authorized with the user's Credentials and can be used |
| 570 # in API calls |
| 571 |
| 572 """ |
| 573 |
| 574 def set_credentials(self, credentials): |
| 575 self._tls.credentials = credentials |
| 576 |
| 577 def get_credentials(self): |
| 578 """A thread local Credentials object. |
| 579 |
| 580 Returns: |
| 581 A client.Credentials object, or None if credentials hasn't been set in |
| 582 this thread yet, which may happen when calling has_credentials inside |
| 583 oauth_aware. |
| 584 """ |
| 585 return getattr(self._tls, 'credentials', None) |
| 586 |
| 587 credentials = property(get_credentials, set_credentials) |
| 588 |
| 589 def set_flow(self, flow): |
| 590 self._tls.flow = flow |
| 591 |
| 592 def get_flow(self): |
| 593 """A thread local Flow object. |
| 594 |
| 595 Returns: |
| 596 A credentials.Flow object, or None if the flow hasn't been set in this |
| 597 thread yet, which happens in _create_flow() since Flows are created |
| 598 lazily. |
| 599 """ |
| 600 return getattr(self._tls, 'flow', None) |
| 601 |
| 602 flow = property(get_flow, set_flow) |
| 603 |
| 604 |
| 605 @util.positional(4) |
| 606 def __init__(self, client_id, client_secret, scope, |
| 607 auth_uri=GOOGLE_AUTH_URI, |
| 608 token_uri=GOOGLE_TOKEN_URI, |
| 609 revoke_uri=GOOGLE_REVOKE_URI, |
| 610 user_agent=None, |
| 611 message=None, |
| 612 callback_path='/oauth2callback', |
| 613 token_response_param=None, |
| 614 _storage_class=StorageByKeyName, |
| 615 _credentials_class=CredentialsModel, |
| 616 _credentials_property_name='credentials', |
| 617 **kwargs): |
| 618 |
| 619 """Constructor for OAuth2Decorator |
| 620 |
| 621 Args: |
| 622 client_id: string, client identifier. |
| 623 client_secret: string client secret. |
| 624 scope: string or iterable of strings, scope(s) of the credentials being |
| 625 requested. |
| 626 auth_uri: string, URI for authorization endpoint. For convenience |
| 627 defaults to Google's endpoints but any OAuth 2.0 provider can be used. |
| 628 token_uri: string, URI for token endpoint. For convenience |
| 629 defaults to Google's endpoints but any OAuth 2.0 provider can be used. |
| 630 revoke_uri: string, URI for revoke endpoint. For convenience |
| 631 defaults to Google's endpoints but any OAuth 2.0 provider can be used. |
| 632 user_agent: string, User agent of your application, default to None. |
| 633 message: Message to display if there are problems with the OAuth 2.0 |
| 634 configuration. The message may contain HTML and will be presented on the |
| 635 web interface for any method that uses the decorator. |
| 636 callback_path: string, The absolute path to use as the callback URI. Note |
| 637 that this must match up with the URI given when registering the |
| 638 application in the APIs Console. |
| 639 token_response_param: string. If provided, the full JSON response |
| 640 to the access token request will be encoded and included in this query |
| 641 parameter in the callback URI. This is useful with providers (e.g. |
| 642 wordpress.com) that include extra fields that the client may want. |
| 643 _storage_class: "Protected" keyword argument not typically provided to |
| 644 this constructor. A storage class to aid in storing a Credentials object |
| 645 for a user in the datastore. Defaults to StorageByKeyName. |
| 646 _credentials_class: "Protected" keyword argument not typically provided to |
| 647 this constructor. A db or ndb Model class to hold credentials. Defaults |
| 648 to CredentialsModel. |
| 649 _credentials_property_name: "Protected" keyword argument not typically |
| 650 provided to this constructor. A string indicating the name of the field |
| 651 on the _credentials_class where a Credentials object will be stored. |
| 652 Defaults to 'credentials'. |
| 653 **kwargs: dict, Keyword arguments are be passed along as kwargs to the |
| 654 OAuth2WebServerFlow constructor. |
| 655 """ |
| 656 self._tls = threading.local() |
| 657 self.flow = None |
| 658 self.credentials = None |
| 659 self._client_id = client_id |
| 660 self._client_secret = client_secret |
| 661 self._scope = util.scopes_to_string(scope) |
| 662 self._auth_uri = auth_uri |
| 663 self._token_uri = token_uri |
| 664 self._revoke_uri = revoke_uri |
| 665 self._user_agent = user_agent |
| 666 self._kwargs = kwargs |
| 667 self._message = message |
| 668 self._in_error = False |
| 669 self._callback_path = callback_path |
| 670 self._token_response_param = token_response_param |
| 671 self._storage_class = _storage_class |
| 672 self._credentials_class = _credentials_class |
| 673 self._credentials_property_name = _credentials_property_name |
| 674 |
| 675 def _display_error_message(self, request_handler): |
| 676 request_handler.response.out.write('<html><body>') |
| 677 request_handler.response.out.write(_safe_html(self._message)) |
| 678 request_handler.response.out.write('</body></html>') |
| 679 |
| 680 def oauth_required(self, method): |
| 681 """Decorator that starts the OAuth 2.0 dance. |
| 682 |
| 683 Starts the OAuth dance for the logged in user if they haven't already |
| 684 granted access for this application. |
| 685 |
| 686 Args: |
| 687 method: callable, to be decorated method of a webapp.RequestHandler |
| 688 instance. |
| 689 """ |
| 690 |
| 691 def check_oauth(request_handler, *args, **kwargs): |
| 692 if self._in_error: |
| 693 self._display_error_message(request_handler) |
| 694 return |
| 695 |
| 696 user = users.get_current_user() |
| 697 # Don't use @login_decorator as this could be used in a POST request. |
| 698 if not user: |
| 699 request_handler.redirect(users.create_login_url( |
| 700 request_handler.request.uri)) |
| 701 return |
| 702 |
| 703 self._create_flow(request_handler) |
| 704 |
| 705 # Store the request URI in 'state' so we can use it later |
| 706 self.flow.params['state'] = _build_state_value(request_handler, user) |
| 707 self.credentials = self._storage_class( |
| 708 self._credentials_class, None, |
| 709 self._credentials_property_name, user=user).get() |
| 710 |
| 711 if not self.has_credentials(): |
| 712 return request_handler.redirect(self.authorize_url()) |
| 713 try: |
| 714 resp = method(request_handler, *args, **kwargs) |
| 715 except AccessTokenRefreshError: |
| 716 return request_handler.redirect(self.authorize_url()) |
| 717 finally: |
| 718 self.credentials = None |
| 719 return resp |
| 720 |
| 721 return check_oauth |
| 722 |
| 723 def _create_flow(self, request_handler): |
| 724 """Create the Flow object. |
| 725 |
| 726 The Flow is calculated lazily since we don't know where this app is |
| 727 running until it receives a request, at which point redirect_uri can be |
| 728 calculated and then the Flow object can be constructed. |
| 729 |
| 730 Args: |
| 731 request_handler: webapp.RequestHandler, the request handler. |
| 732 """ |
| 733 if self.flow is None: |
| 734 redirect_uri = request_handler.request.relative_url( |
| 735 self._callback_path) # Usually /oauth2callback |
| 736 self.flow = OAuth2WebServerFlow(self._client_id, self._client_secret, |
| 737 self._scope, redirect_uri=redirect_uri, |
| 738 user_agent=self._user_agent, |
| 739 auth_uri=self._auth_uri, |
| 740 token_uri=self._token_uri, |
| 741 revoke_uri=self._revoke_uri, |
| 742 **self._kwargs) |
| 743 |
| 744 def oauth_aware(self, method): |
| 745 """Decorator that sets up for OAuth 2.0 dance, but doesn't do it. |
| 746 |
| 747 Does all the setup for the OAuth dance, but doesn't initiate it. |
| 748 This decorator is useful if you want to create a page that knows |
| 749 whether or not the user has granted access to this application. |
| 750 From within a method decorated with @oauth_aware the has_credentials() |
| 751 and authorize_url() methods can be called. |
| 752 |
| 753 Args: |
| 754 method: callable, to be decorated method of a webapp.RequestHandler |
| 755 instance. |
| 756 """ |
| 757 |
| 758 def setup_oauth(request_handler, *args, **kwargs): |
| 759 if self._in_error: |
| 760 self._display_error_message(request_handler) |
| 761 return |
| 762 |
| 763 user = users.get_current_user() |
| 764 # Don't use @login_decorator as this could be used in a POST request. |
| 765 if not user: |
| 766 request_handler.redirect(users.create_login_url( |
| 767 request_handler.request.uri)) |
| 768 return |
| 769 |
| 770 self._create_flow(request_handler) |
| 771 |
| 772 self.flow.params['state'] = _build_state_value(request_handler, user) |
| 773 self.credentials = self._storage_class( |
| 774 self._credentials_class, None, |
| 775 self._credentials_property_name, user=user).get() |
| 776 try: |
| 777 resp = method(request_handler, *args, **kwargs) |
| 778 finally: |
| 779 self.credentials = None |
| 780 return resp |
| 781 return setup_oauth |
| 782 |
| 783 |
| 784 def has_credentials(self): |
| 785 """True if for the logged in user there are valid access Credentials. |
| 786 |
| 787 Must only be called from with a webapp.RequestHandler subclassed method |
| 788 that had been decorated with either @oauth_required or @oauth_aware. |
| 789 """ |
| 790 return self.credentials is not None and not self.credentials.invalid |
| 791 |
| 792 def authorize_url(self): |
| 793 """Returns the URL to start the OAuth dance. |
| 794 |
| 795 Must only be called from with a webapp.RequestHandler subclassed method |
| 796 that had been decorated with either @oauth_required or @oauth_aware. |
| 797 """ |
| 798 url = self.flow.step1_get_authorize_url() |
| 799 return str(url) |
| 800 |
| 801 def http(self): |
| 802 """Returns an authorized http instance. |
| 803 |
| 804 Must only be called from within an @oauth_required decorated method, or |
| 805 from within an @oauth_aware decorated method where has_credentials() |
| 806 returns True. |
| 807 """ |
| 808 return self.credentials.authorize(httplib2.Http()) |
| 809 |
| 810 @property |
| 811 def callback_path(self): |
| 812 """The absolute path where the callback will occur. |
| 813 |
| 814 Note this is the absolute path, not the absolute URI, that will be |
| 815 calculated by the decorator at runtime. See callback_handler() for how this |
| 816 should be used. |
| 817 |
| 818 Returns: |
| 819 The callback path as a string. |
| 820 """ |
| 821 return self._callback_path |
| 822 |
| 823 |
| 824 def callback_handler(self): |
| 825 """RequestHandler for the OAuth 2.0 redirect callback. |
| 826 |
| 827 Usage: |
| 828 app = webapp.WSGIApplication([ |
| 829 ('/index', MyIndexHandler), |
| 830 ..., |
| 831 (decorator.callback_path, decorator.callback_handler()) |
| 832 ]) |
| 833 |
| 834 Returns: |
| 835 A webapp.RequestHandler that handles the redirect back from the |
| 836 server during the OAuth 2.0 dance. |
| 837 """ |
| 838 decorator = self |
| 839 |
| 840 class OAuth2Handler(webapp.RequestHandler): |
| 841 """Handler for the redirect_uri of the OAuth 2.0 dance.""" |
| 842 |
| 843 @login_required |
| 844 def get(self): |
| 845 error = self.request.get('error') |
| 846 if error: |
| 847 errormsg = self.request.get('error_description', error) |
| 848 self.response.out.write( |
| 849 'The authorization request failed: %s' % _safe_html(errormsg)) |
| 850 else: |
| 851 user = users.get_current_user() |
| 852 decorator._create_flow(self) |
| 853 credentials = decorator.flow.step2_exchange(self.request.params) |
| 854 decorator._storage_class( |
| 855 decorator._credentials_class, None, |
| 856 decorator._credentials_property_name, user=user).put(credentials) |
| 857 redirect_uri = _parse_state_value(str(self.request.get('state')), |
| 858 user) |
| 859 |
| 860 if decorator._token_response_param and credentials.token_response: |
| 861 resp_json = simplejson.dumps(credentials.token_response) |
| 862 redirect_uri = util._add_query_parameter( |
| 863 redirect_uri, decorator._token_response_param, resp_json) |
| 864 |
| 865 self.redirect(redirect_uri) |
| 866 |
| 867 return OAuth2Handler |
| 868 |
| 869 def callback_application(self): |
| 870 """WSGI application for handling the OAuth 2.0 redirect callback. |
| 871 |
| 872 If you need finer grained control use `callback_handler` which returns just |
| 873 the webapp.RequestHandler. |
| 874 |
| 875 Returns: |
| 876 A webapp.WSGIApplication that handles the redirect back from the |
| 877 server during the OAuth 2.0 dance. |
| 878 """ |
| 879 return webapp.WSGIApplication([ |
| 880 (self.callback_path, self.callback_handler()) |
| 881 ]) |
| 882 |
| 883 |
| 884 class OAuth2DecoratorFromClientSecrets(OAuth2Decorator): |
| 885 """An OAuth2Decorator that builds from a clientsecrets file. |
| 886 |
| 887 Uses a clientsecrets file as the source for all the information when |
| 888 constructing an OAuth2Decorator. |
| 889 |
| 890 Example: |
| 891 |
| 892 decorator = OAuth2DecoratorFromClientSecrets( |
| 893 os.path.join(os.path.dirname(__file__), 'client_secrets.json') |
| 894 scope='https://www.googleapis.com/auth/plus') |
| 895 |
| 896 |
| 897 class MainHandler(webapp.RequestHandler): |
| 898 |
| 899 @decorator.oauth_required |
| 900 def get(self): |
| 901 http = decorator.http() |
| 902 # http is authorized with the user's Credentials and can be used |
| 903 # in API calls |
| 904 """ |
| 905 |
| 906 @util.positional(3) |
| 907 def __init__(self, filename, scope, message=None, cache=None): |
| 908 """Constructor |
| 909 |
| 910 Args: |
| 911 filename: string, File name of client secrets. |
| 912 scope: string or iterable of strings, scope(s) of the credentials being |
| 913 requested. |
| 914 message: string, A friendly string to display to the user if the |
| 915 clientsecrets file is missing or invalid. The message may contain HTML |
| 916 and will be presented on the web interface for any method that uses the |
| 917 decorator. |
| 918 cache: An optional cache service client that implements get() and set() |
| 919 methods. See clientsecrets.loadfile() for details. |
| 920 """ |
| 921 client_type, client_info = clientsecrets.loadfile(filename, cache=cache) |
| 922 if client_type not in [ |
| 923 clientsecrets.TYPE_WEB, clientsecrets.TYPE_INSTALLED]: |
| 924 raise InvalidClientSecretsError( |
| 925 'OAuth2Decorator doesn\'t support this OAuth 2.0 flow.') |
| 926 constructor_kwargs = { |
| 927 'auth_uri': client_info['auth_uri'], |
| 928 'token_uri': client_info['token_uri'], |
| 929 'message': message, |
| 930 } |
| 931 revoke_uri = client_info.get('revoke_uri') |
| 932 if revoke_uri is not None: |
| 933 constructor_kwargs['revoke_uri'] = revoke_uri |
| 934 super(OAuth2DecoratorFromClientSecrets, self).__init__( |
| 935 client_info['client_id'], client_info['client_secret'], |
| 936 scope, **constructor_kwargs) |
| 937 if message is not None: |
| 938 self._message = message |
| 939 else: |
| 940 self._message = 'Please configure your application for OAuth 2.0.' |
| 941 |
| 942 |
| 943 @util.positional(2) |
| 944 def oauth2decorator_from_clientsecrets(filename, scope, |
| 945 message=None, cache=None): |
| 946 """Creates an OAuth2Decorator populated from a clientsecrets file. |
| 947 |
| 948 Args: |
| 949 filename: string, File name of client secrets. |
| 950 scope: string or list of strings, scope(s) of the credentials being |
| 951 requested. |
| 952 message: string, A friendly string to display to the user if the |
| 953 clientsecrets file is missing or invalid. The message may contain HTML and |
| 954 will be presented on the web interface for any method that uses the |
| 955 decorator. |
| 956 cache: An optional cache service client that implements get() and set() |
| 957 methods. See clientsecrets.loadfile() for details. |
| 958 |
| 959 Returns: An OAuth2Decorator |
| 960 |
| 961 """ |
| 962 return OAuth2DecoratorFromClientSecrets(filename, scope, |
| 963 message=message, cache=cache) |
OLD | NEW |