| OLD | NEW |
| 1 # Copyright 2016 The LUCI Authors. All rights reserved. | 1 # Copyright 2016 The LUCI Authors. All rights reserved. |
| 2 # Use of this source code is governed under the Apache License, Version 2.0 | 2 # Use of this source code is governed under the Apache License, Version 2.0 |
| 3 # that can be found in the LICENSE file. | 3 # that can be found in the LICENSE file. |
| 4 | 4 |
| 5 import collections | 5 import collections |
| 6 import logging | 6 import logging |
| 7 import threading | 7 import threading |
| 8 import time | 8 import time |
| 9 | 9 |
| 10 from utils import auth_server | 10 from utils import auth_server |
| (...skipping 311 matching lines...) |
| 322 account_id, service_account, tok.expiry - time.time()) | 322 account_id, service_account, tok.expiry - time.time()) |
| 323 return tok | 323 return tok |
| 324 | 324 |
| 325 def _grab_bot_oauth_token(self, auth_params): | 325 def _grab_bot_oauth_token(self, auth_params): |
| 326 # Piggyback on the bot own credentials. This works only for bots that use | 326 # Piggyback on the bot own credentials. This works only for bots that use |
| 327 # OAuth for authentication (e.g. GCE bots). Also it totally ignores scopes. | 327 # OAuth for authentication (e.g. GCE bots). Also it totally ignores scopes. |
| 328 # It relies on bot_main to keep the bot OAuth token sufficiently fresh. | 328 # It relies on bot_main to keep the bot OAuth token sufficiently fresh. |
| 329 # See remote_client.AUTH_HEADERS_EXPIRATION_SEC. | 329 # See remote_client.AUTH_HEADERS_EXPIRATION_SEC. |
| 330 bot_auth_hdr = auth_params.swarming_http_headers.get('Authorization') or '' | 330 bot_auth_hdr = auth_params.swarming_http_headers.get('Authorization') or '' |
| 331 if not bot_auth_hdr.startswith('Bearer '): | 331 if not bot_auth_hdr.startswith('Bearer '): |
| 332 raise auth_server.TokenError(2, 'The bot is not using OAuth', fatal=True) | 332 raise auth_server.TokenError(2, 'The bot is not using OAuth') |
| 333 tok = bot_auth_hdr[len('Bearer '):] | 333 tok = bot_auth_hdr[len('Bearer '):] |
| 334 | 334 |
| 335 # Default to some safe small expiration in case bot_main doesn't report it | 335 # Default to some safe small expiration in case bot_main doesn't report it |
| 336 # to us. This may happen if get_authentication_header bot hook is not | 336 # to us. This may happen if get_authentication_header bot hook is not |
| 337 # reporting expiration time. | 337 # reporting expiration time. |
| 338 exp = auth_params.swarming_http_headers_exp or (time.time() + 4*60) | 338 exp = auth_params.swarming_http_headers_exp or (time.time() + 4*60) |
| 339 | 339 |
| 340 # TODO(vadimsh): For GCE bots specifically we can pass a list of OAuth | 340 # TODO(vadimsh): For GCE bots specifically we can pass a list of OAuth |
| 341 # scopes granted to the GCE token and verify it contains all the requested | 341 # scopes granted to the GCE token and verify it contains all the requested |
| 342 # scopes. | 342 # scopes. |
| 343 return auth_server.AccessToken(tok, exp) | 343 return auth_server.AccessToken(tok, exp) |
| 344 | 344 |
| 345 def _grab_oauth_token_via_rpc(self, _rpc_client, _account_id, _scopes): | 345 def _grab_oauth_token_via_rpc(self, _rpc_client, _account_id, _scopes): |
| 346 # TODO(vadimsh): Send a request to /swarming/api/v1/bot/oauth_token using | 346 # TODO(vadimsh): Send a request to /swarming/api/v1/bot/oauth_token using |
| 347 # given RPC client. | 347 # given RPC client. |
| 348 raise auth_server.TokenError(3, 'Not implemented yet') | 348 raise auth_server.TokenError(3, 'Not implemented yet') |
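Review bot: The raise on new line 332 of `_grab_bot_oauth_token` drops `fatal=True` with no comment on why a missing Bearer header is now a retryable condition. Assuming `fatal` defaults to False in `auth_server.TokenError`, callers will see the error as transient and may keep retrying on a bot that is permanently configured without OAuth. If the reason is that the bot's headers can change between refreshes, a comment such as `# Not fatal: bot_main may supply OAuth headers on a later refresh.` above the raise would record that intent. Separately, a header that is exactly `Bearer ` passes the `startswith` check and yields an empty `tok`, which is then wrapped in an `AccessToken` and handed to the task. Adding `if not tok: raise auth_server.TokenError(2, 'The bot is not using OAuth')` after new line 333 would reject it.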
| OLD | NEW |