auth: Keep audit log of all generated delegation tokens.

appengine/auth_service/config.py

 # Copyright 2015 The LUCI Authors. All rights reserved.
 # Use of this source code is governed under the Apache License, Version 2.0
 # that can be found in the LICENSE file.
 
 """Adapter between config service client and the rest of auth_service.
 
 Basically a cron job that each minute refetches config files from config service
 and modifies auth service datastore state if anything changed.
 
 Following files are fetched:
   imports.cfg - configuration for group importer cron job.
   ip_whitelist.cfg - IP whitelists.
   oauth.cfg - OAuth client_id whitelist.
 
 Configs are ASCII serialized protocol buffer messages. The schema is defined in
 proto/config.proto.
 
 Storing infrequently changing configuration in the config service (implemented
 on top of source control) allows to use code review workflow for configuration
 changes as well as removes a need to write some UI for them.
 """
 
 import collections
 import logging
-import os
 import posixpath
 
 from google import protobuf
 from google.appengine.ext import ndb
 
 from components import config
 from components import datastore_utils
 from components import gitiles
 from components import utils
 from components.auth import ipaddr
 from components.auth import model
 from components.config import validation
 from components.config import validation_context
 
 from proto import config_pb2
 import importer
 
 
 # Config file revision number and where it came from.
 Revision = collections.namedtuple('Revision', ['revision', 'url'])
 
 
+class CannotLoadConfigError(Exception):
+  """Raised when fetching configs if they are missing or invalid."""
+
+
 def is_remote_configured():
   """True if config service backend URL is defined.
 
   If config service backend URL is not set auth_service will use datastore
   as source of truth for configuration (with some simple web UI to change it).
 
   If config service backend URL is set, UI for config management will be read
   only and all config changes must be performed through the config service.
   """
   return bool(get_remote_url())
@@ skipping 39 matching lines @@
 
   Called as a cron job.
   """
   if not is_remote_configured():
     logging.info('Config remote is not configured')
     return
 
   # Grab and validate all new configs in parallel.
   try:
     configs = _fetch_configs(_CONFIG_SCHEMAS)
-  except config.CannotLoadConfigError as exc:
+  except CannotLoadConfigError as exc:
     logging.error('Failed to fetch configs\n%s', exc)
     return
 
   # Figure out what needs to be updated.
   dirty = {}
   dirty_in_authdb = {}
   for path, (new_rev, conf) in sorted(configs.iteritems()):
     assert path in _CONFIG_SCHEMAS, path
     cur_rev = get_config_revision(path)
     if cur_rev != new_rev or force:
@@ skipping 409 matching lines @@
     config.get_self_config_async(
         p, dest_type=_CONFIG_SCHEMAS[p]['proto_class'], store_last_good=False)
     for p in paths
   ]
   configs_url = _get_configs_url()
   ndb.Future.wait_all(futures)
   out = {}
   for path, future in zip(paths, futures):
     rev, conf = future.get_result()
     if conf is None:
-      raise config.CannotLoadConfigError('Config %s is missing' % path)
+      raise CannotLoadConfigError('Config %s is missing' % path)
     try:
       validation.validate(config.self_config_set(), path, conf)
     except ValueError as exc:
-      raise config.CannotLoadConfigError(
+      raise CannotLoadConfigError(
           'Config %s at rev %s failed to pass validation: %s' %
           (path, rev, exc))
     out[path] = (Revision(rev, _gitiles_url(configs_url, rev, path)), conf)
   return out
 
 
 def _gitiles_url(configs_url, rev, path):
   """URL to a directory in gitiles -> URL to a file at concrete revision."""
   try:
     location = gitiles.Location.parse(configs_url)
     return str(gitiles.Location(
         hostname=location.hostname,
         project=location.project,
         treeish=rev,
         path=posixpath.join(location.path, path)))
   except ValueError:
     # Not a gitiles URL, return as is.
     return configs_url