Adds SSO auth to gsutil

third_party/gsutil/plugins/sso_auth.py

Index: third_party/gsutil/plugins/sso_auth.py
diff --git a/third_party/gsutil/plugins/sso_auth.py b/third_party/gsutil/plugins/sso_auth.py
new file mode 100644
index 0000000000000000000000000000000000000000..500cf85fa8f4847c90e186e546927175c60cd5db
--- /dev/null
+++ b/third_party/gsutil/plugins/sso_auth.py
@@ -0,0 +1,59 @@
+import json

[Vadim Sh., 2013/12/03 01:33:41]

nit: Copyright (or license header, don't know...).

Also module level doc string.

[Ryan Tseng, 2013/12/03 22:57:11]

Done.

+import getpass
+import os
+import re
+import urllib2
+import subprocess
+
+from boto.auth_handler import AuthHandler
+from boto.auth_handler import NotReadyToAuthenticate
+
+CMD = ['stubby', '--proto2', 'call', 'blade:sso', 'CorpLogin.Exchange']

[Vadim Sh., 2013/12/03 01:33:41]

nit: newline after CMD

[Ryan Tseng, 2013/12/03 22:57:11]

Done.

+STUBBY_CMD = """target: {
+  scope: GAIA_USER
+  name: "%s"
+}
+target_credential: {
+  type: OAUTH2_TOKEN
+  oauth2_attributes: {
+    scope: 'https://www.googleapis.com/auth/devstorage.read_only'
+  }
+}"""
+
+
+class SSOAuth(AuthHandler):
+  """SSO based auth handler."""
+
+  capability = ['google-oauth2', 's3']

[Vadim Sh., 2013/12/03 01:33:41]

Is 's3' necessary here?..

[Ryan Tseng, 2013/12/03 22:57:11]

Actually it is, for some reason this doesn't get activated unless 's3' is in
there.

+
+  def __init__(self, path, config, provider):
+    if provider.name == 'google' and self.has_prodaccess():
+      # If we don't have a loas token, then bypass this auth handler.
+      if subprocess.call('loas_check',
+                         stdout=subprocess.PIPE,
+                         stderr=subprocess.PIPE):
+        raise NotReadyToAuthenticate()
+      pass

[Vadim Sh., 2013/12/03 01:33:41]

nit: remove 'pass', it looks odd..

[Ryan Tseng, 2013/12/03 22:57:11]

Done.

+    else:
+      raise NotReadyToAuthenticate()
+
+  def GetAccessToken(self):

[Vadim Sh., 2013/12/03 01:33:41]

How often is this called? Does it make sense to cache it in some global variable
to reuse between requests?

I think oauth2 plugin implements in-memory cache for this.

[Ryan Tseng, 2013/12/03 22:57:11]

Implemented some simple in-memory + filesystem cache

+    username = '%s@google.com' % getpass.getuser()
+    proc = subprocess.Popen(CMD, stdin=subprocess.PIPE, stdout=subprocess.PIPE)
+    out, err = proc.communicate(STUBBY_CMD % username)
+    token_match = re.search(r'oauth2_token: "(.*)"$', out)

[Vadim Sh., 2013/12/03 01:33:41]

Check process exit code before parsing its output? I assume stubby returns != 0
in case of error.

[Ryan Tseng, 2013/12/03 22:57:11]

Done.

+    if token_match:
+      return token_match.group(1)
+    return None

[Vadim Sh., 2013/12/03 01:33:41]

Raise some exception instead of returning None. It's better to fail early.

Otherwise 'Authorization' header will be 'OAuth None', and request will blow up
later with 403.

[Ryan Tseng, 2013/12/03 22:57:11]

Done.

+
+  def add_auth(self, http_request):
+    http_request.headers['Authorization'] = (
+        'OAuth %s' % self.GetAccessToken())

[Vadim Sh., 2013/12/03 01:33:41]

nit: is new line required? looks like it can fit on same line...

[Ryan Tseng, 2013/12/03 22:57:11]

Done.

+
+  @staticmethod
+  def has_prodaccess():
+    for path in os.environ["PATH"].split(os.pathsep):

[Vadim Sh., 2013/12/03 01:33:41]

nit: single quote 'PATH'

[Ryan Tseng, 2013/12/03 22:57:11]

Done.

+      exe_file = os.path.join(path, 'prodaccess')
+      if os.path.exists(exe_file) and os.access(exe_file, os.X_OK):
+        return True
+    return False