OLD | NEW |
1 # Copyright 2016 The LUCI Authors. All rights reserved. | 1 # Copyright 2016 The LUCI Authors. All rights reserved. |
2 # Use of this source code is governed under the Apache License, Version 2.0 | 2 # Use of this source code is governed under the Apache License, Version 2.0 |
3 # that can be found in the LICENSE file. | 3 # that can be found in the LICENSE file. |
4 | 4 |
5 import collections | 5 import collections |
6 import logging | 6 import logging |
7 import threading | 7 import threading |
8 import time | 8 import time |
9 | 9 |
10 from utils import auth_server | 10 from utils import auth_server |
322 account_id, service_account, tok.expiry - time.time()) | 322 account_id, service_account, tok.expiry - time.time()) |
323 return tok | 323 return tok |
324 | 324 |
325 def _grab_bot_oauth_token(self, auth_params): | 325 def _grab_bot_oauth_token(self, auth_params): |
326 # Piggyback on the bot own credentials. This works only for bots that use | 326 # Piggyback on the bot own credentials. This works only for bots that use |
327 # OAuth for authentication (e.g. GCE bots). Also it totally ignores scopes. | 327 # OAuth for authentication (e.g. GCE bots). Also it totally ignores scopes. |
328 # It relies on bot_main to keep the bot OAuth token sufficiently fresh. | 328 # It relies on bot_main to keep the bot OAuth token sufficiently fresh. |
329 # See remote_client.AUTH_HEADERS_EXPIRATION_SEC. | 329 # See remote_client.AUTH_HEADERS_EXPIRATION_SEC. |
330 bot_auth_hdr = auth_params.swarming_http_headers.get('Authorization') or '' | 330 bot_auth_hdr = auth_params.swarming_http_headers.get('Authorization') or '' |
331 if not bot_auth_hdr.startswith('Bearer '): | 331 if not bot_auth_hdr.startswith('Bearer '): |
332 raise auth_server.TokenError(2, 'The bot is not using OAuth', fatal=True) | 332 raise auth_server.TokenError(2, 'The bot is not using OAuth') |
333 tok = bot_auth_hdr[len('Bearer '):] | 333 tok = bot_auth_hdr[len('Bearer '):] |
334 | 334 |
335 # Default to some safe small expiration in case bot_main doesn't report it | 335 # Default to some safe small expiration in case bot_main doesn't report it |
336 # to us. This may happen if get_authentication_header bot hook is not | 336 # to us. This may happen if get_authentication_header bot hook is not |
337 # reporting expiration time. | 337 # reporting expiration time. |
338 exp = auth_params.swarming_http_headers_exp or (time.time() + 4*60) | 338 exp = auth_params.swarming_http_headers_exp or (time.time() + 4*60) |
339 | 339 |
340 # TODO(vadimsh): For GCE bots specifically we can pass a list of OAuth | 340 # TODO(vadimsh): For GCE bots specifically we can pass a list of OAuth |
341 # scopes granted to the GCE token and verify it contains all the requested | 341 # scopes granted to the GCE token and verify it contains all the requested |
342 # scopes. | 342 # scopes. |
343 return auth_server.AccessToken(tok, exp) | 343 return auth_server.AccessToken(tok, exp) |
344 | 344 |
345 def _grab_oauth_token_via_rpc(self, _rpc_client, _account_id, _scopes): | 345 def _grab_oauth_token_via_rpc(self, _rpc_client, _account_id, _scopes): |
346 # TODO(vadimsh): Send a request to /swarming/api/v1/bot/oauth_token using | 346 # TODO(vadimsh): Send a request to /swarming/api/v1/bot/oauth_token using |
347 # given RPC client. | 347 # given RPC client. |
348 raise auth_server.TokenError(3, 'Not implemented yet') | 348 raise auth_server.TokenError(3, 'Not implemented yet') |
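Review bot: The `raise auth_server.TokenError(2, 'The bot is not using OAuth')` on new line 332 drops `fatal=True`, and nothing nearby records why a missing `Bearer ` header is now treated as recoverable. TokenError is defined outside this page, so the following is inferred: if callers retry non-fatal errors, a bot permanently configured without OAuth would keep re-requesting tokens for the whole task instead of failing once with a clear cause. A comment above the raise would pin the intent, for example `# Not fatal: bot_main may refresh swarming_http_headers later, so a retry can succeed.`, if that is the actual reason. Separately, `_grab_bot_oauth_token` returns whatever follows `Bearer ` without checking that it is non-empty, so a guard such as `if not tok: raise auth_server.TokenError(2, 'Empty bot OAuth token')` before building the `AccessToken` would keep a blank credential from being handed to the task.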