Viewing: iamcredentials_api.py
# -*- coding: utf-8 -*-
# Copyright 2019 Google Inc. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""JSON gsutil Cloud API implementation for Google Cloud Storage."""
from __future__ import absolute_import
from __future__ import print_function
from __future__ import division
from __future__ import unicode_literals
import json
import logging
import traceback
from apitools.base.py import exceptions as apitools_exceptions
from boto import config
from gslib.cloud_api import AccessDeniedException
from gslib.cloud_api import BadRequestException
from gslib.cloud_api import NotFoundException
from gslib.cloud_api import PreconditionException
from gslib.cloud_api import ServiceException
from gslib.no_op_credentials import NoOpCredentials
from gslib.third_party.iamcredentials_apitools import iamcredentials_v1_client as apitools_client
from gslib.third_party.iamcredentials_apitools import iamcredentials_v1_messages as apitools_messages
from gslib.utils import system_util
from gslib.utils.boto_util import GetCertsFile
from gslib.utils.boto_util import GetMaxRetryDelay
from gslib.utils.boto_util import GetNewHttp
from gslib.utils.boto_util import GetNumRetries
TRANSLATABLE_APITOOLS_EXCEPTIONS = (apitools_exceptions.HttpError)
if system_util.InvokedViaCloudSdk():
_INSUFFICIENT_OAUTH2_SCOPE_MESSAGE = (
'Insufficient OAuth2 scope to perform this operation. '
'Please re-run `gcloud auth login`')
else:
_INSUFFICIENT_OAUTH2_SCOPE_MESSAGE = (
'Insufficient OAuth2 scope to perform this operation. '
'Please re-run `gsutil config`')
class IamcredentailsApi(object):
"""Wraps calls to the Cloud IAM Credentials v1 interface via apitools."""
def __init__(self, logger=None, credentials=None, debug=0):
"""Performs necessary setup for interacting with Google Cloud IAM
Credentials.
Args:
logger: logging.logger for outputting log messages.
credentials: Credentials to be used for interacting with Cloud IAM
debug: Debug level for the API implementation (0..3).
"""
super(IamcredentailsApi, self).__init__()
self.logger = logger
self.credentials = credentials
self.certs_file = GetCertsFile()
self.http = GetNewHttp()
self.http_base = 'https://'
# The original config option had a typo; supporting it as a fall-back
# for legacy reasons.
legacy_typo = 'gs_iamcredentails_host'
self.host_base = config.get(
'Credentials', 'gs_iamcredentials_host',
config.get('Credentials', legacy_typo, 'iamcredentials.googleapis.com'))
gs_iamcred_port = config.get('Credentials', 'gs_iamcredentails_port', None)
self.host_port = (':' + gs_iamcred_port) if gs_iamcred_port else ''
self.url_base = (self.http_base + self.host_base + self.host_port)
log_request = (debug >= 3)
log_response = (debug >= 3)
self.api_client = apitools_client.IamcredentialsV1(
url=self.url_base,
http=self.http,
log_request=log_request,
log_response=log_response,
credentials=self.credentials)
self.num_retries = GetNumRetries()
self.api_client.num_retries = self.num_retries
self.max_retry_wait = GetMaxRetryDelay()
self.api_client.max_retry_wait = self.max_retry_wait
if isinstance(self.credentials, NoOpCredentials):
# This API key is not secret and is used to identify gsutil during
# anonymous requests.
self.api_client.AddGlobalParam(
'key', u'AIzaSyDnacJHrKma0048b13sh8cgxNUwulubmJM')
def SignBlob(self, service_account_id, message):
"""Sign the blob using iamcredentials.SignBlob API."""
name = 'projects/-/serviceAccounts/%s' % service_account_id
sign_blob_request = apitools_messages.SignBlobRequest(payload=message)
request = (
apitools_messages.IamcredentialsProjectsServiceAccountsSignBlobRequest(
name=name, signBlobRequest=sign_blob_request))
try:
return self.api_client.projects_serviceAccounts.SignBlob(request)
except TRANSLATABLE_APITOOLS_EXCEPTIONS as e:
self._TranslateExceptionAndRaise(e, service_account_id)
def GenerateAccessToken(self, service_account_id, scopes):
"""Generates an access token for the given service account."""
name = 'projects/-/serviceAccounts/%s' % service_account_id
generate_access_token_request = apitools_messages.GenerateAccessTokenRequest(
scope=scopes)
request = (apitools_messages.
IamcredentialsProjectsServiceAccountsGenerateAccessTokenRequest(
name=name,
generateAccessTokenRequest=generate_access_token_request))
try:
return self.api_client.projects_serviceAccounts.GenerateAccessToken(
request)
except TRANSLATABLE_APITOOLS_EXCEPTIONS as e:
self._TranslateExceptionAndRaise(e, service_account_id)
def _TranslateExceptionAndRaise(self, e, service_account_id=None):
"""Translates an HTTP exception and raises the translated or original value.
Args:
e: Any Exception.
service_account_id: Optional service account in request that caused the exception.
Raises:
Translated CloudApi exception, or the original exception if it was not
translatable.
"""
if self.logger.isEnabledFor(logging.DEBUG):
self.logger.debug('TranslateExceptionAndRaise: %s',
traceback.format_exc())
translated_exception = self._TranslateApitoolsException(
e, service_account_id=service_account_id)
if translated_exception:
raise translated_exception
else:
raise
def _TranslateApitoolsException(self, e, service_account_id=None):
"""Translates apitools exceptions into their gsutil equivalents.
Args:
e: Any exception in TRANSLATABLE_APITOOLS_EXCEPTIONS.
service_account_id: Optional service account ID that caused the exception.
Returns:
CloudStorageApiServiceException for translatable exceptions, None
otherwise.
"""
if isinstance(e, apitools_exceptions.HttpError):
message = self._GetMessageFromHttpError(e)
if e.status_code == 400:
# It is possible that the Project ID is incorrect. Unfortunately the
# JSON API does not give us much information about what part of the
# request was bad.
return BadRequestException(message or 'Bad Request',
status=e.status_code)
elif e.status_code == 401:
if 'Login Required' in str(e):
return AccessDeniedException(message or
'Access denied: login required.',
status=e.status_code)
elif 'insufficient_scope' in str(e):
# If the service includes insufficient scope error detail in the
# response body, this check can be removed.
return AccessDeniedException(
_INSUFFICIENT_OAUTH2_SCOPE_MESSAGE,
status=e.status_code,
body=self._GetAcceptableScopesFromHttpError(e))
elif e.status_code == 403:
# Messaging for when the the originating credentials don't have access
# to impersonate a service account.
if 'The caller does not have permission' in str(e):
return AccessDeniedException(
'Service account impersonation failed. Please go to the Google '
'Cloud Platform Console (https://cloud.google.com/console), '
'select IAM & admin, then Service Accounts, and grant your '
'originating account the Service Account Token Creator role on '
'the target service account.')
# The server's errors message when IAM Credentials API aren't enabled
# are pretty great so we just display them.
if 'IAM Service Account Credentials API has not been used' in str(e):
return AccessDeniedException(message)
if 'The account for the specified project has been disabled' in str(e):
return AccessDeniedException(message or 'Account disabled.',
status=e.status_code)
elif 'Daily Limit for Unauthenticated Use Exceeded' in str(e):
return AccessDeniedException(message or
'Access denied: quota exceeded. '
'Is your project ID valid?',
status=e.status_code)
elif 'User Rate Limit Exceeded' in str(e):
return AccessDeniedException(
'Rate limit exceeded. Please retry this '
'request later.',
status=e.status_code)
elif 'Access Not Configured' in str(e):
return AccessDeniedException(
'Access Not Configured. Please go to the Google Cloud Platform '
'Console (https://cloud.google.com/console#/project) for your '
'project, select APIs & services, and enable the Google Cloud '
'IAM Credentials API.',
status=e.status_code)
elif 'insufficient_scope' in str(e):
# If the service includes insufficient scope error detail in the
# response body, this check can be removed.
return AccessDeniedException(
_INSUFFICIENT_OAUTH2_SCOPE_MESSAGE,
status=e.status_code,
body=self._GetAcceptableScopesFromHttpError(e))
else:
return AccessDeniedException(message or e.message or
service_account_id,
status=e.status_code)
elif e.status_code == 404:
return NotFoundException(message or e.message, status=e.status_code)
elif e.status_code == 409 and service_account_id:
return ServiceException('The key %s already exists.' %
service_account_id,
status=e.status_code)
elif e.status_code == 412:
return PreconditionException(message, status=e.status_code)
return ServiceException(message, status=e.status_code)
def _GetMessageFromHttpError(self, http_error):
if isinstance(http_error, apitools_exceptions.HttpError):
if getattr(http_error, 'content', None):
try:
json_obj = json.loads(http_error.content)
if 'error' in json_obj and 'message' in json_obj['error']:
return json_obj['error']['message']
except Exception: # pylint: disable=broad-except
# If we couldn't decode anything, just leave the message as None.
pass
def _GetAcceptableScopesFromHttpError(self, http_error):
try:
www_authenticate = http_error.response['www-authenticate']
# In the event of a scope error, the www-authenticate field of the HTTP
# response should contain text of the form
#
# 'Bearer realm="https://oauth2.googleapis.com/",
# error=insufficient_scope,
# scope="${space separated list of acceptable scopes}"'
#
# Here we use a quick string search to find the scope list, just looking
# for a substring with the form 'scope="${scopes}"'.
scope_idx = www_authenticate.find('scope="')
if scope_idx >= 0:
scopes = www_authenticate[scope_idx:].split('"')[1]
return 'Acceptable scopes: %s' % scopes
except Exception: # pylint: disable=broad-except
# Return None if we have any trouble parsing out the acceptable scopes.
pass
Back to File Manager