auth.py 29.4 KB
Newer Older
1
# Copyright 2015 The Chromium Authors. All rights reserved.
2 3 4
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

5
"""Google OAuth2 related functions."""
6

7
import BaseHTTPServer
8
import collections
9 10
import datetime
import functools
11
import hashlib
12 13
import json
import logging
14
import optparse
15 16 17 18
import os
import socket
import sys
import threading
19
import time
20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51
import urllib
import urlparse
import webbrowser

from third_party import httplib2
from third_party.oauth2client import client
from third_party.oauth2client import multistore_file


# depot_tools/.
DEPOT_TOOLS_DIR = os.path.dirname(os.path.abspath(__file__))


# Google OAuth2 clients always have a secret, even if the client is an installed
# application/utility such as this. Of course, in such cases the "secret" is
# actually publicly known; security depends entirely on the secrecy of refresh
# tokens, which effectively become bearer tokens. An attacker can impersonate
# service's identity in OAuth2 flow. But that's generally fine as long as a list
# of allowed redirect_uri's associated with client_id is limited to 'localhost'
# or 'urn:ietf:wg:oauth:2.0:oob'. In that case attacker needs some process
# running on user's machine to successfully complete the flow and grab refresh
# token. When you have a malicious code running on your machine, you're screwed
# anyway.
# This particular set is managed by API Console project "chrome-infra-auth".
OAUTH_CLIENT_ID = (
    '446450136466-2hr92jrq8e6i4tnsa56b52vacp7t3936.apps.googleusercontent.com')
OAUTH_CLIENT_SECRET = 'uBfbay2KCy9t4QveJ-dOqHtp'

# List of space separated OAuth scopes for generated tokens. GAE apps usually
# use userinfo.email scope for authentication.
OAUTH_SCOPES = 'https://www.googleapis.com/auth/userinfo.email'

52 53 54 55 56
# Additional OAuth scopes.
ADDITIONAL_SCOPES = {
  'code.google.com': 'https://www.googleapis.com/auth/projecthosting',
}

57 58 59 60 61 62
# Path to a file with cached OAuth2 credentials used by default relative to the
# home dir (see _get_token_cache_path). It should be a safe location accessible
# only to a current user: knowing content of this file is roughly equivalent to
# knowing account password. Single file can hold multiple independent tokens
# identified by token_cache_key (see Authenticator).
OAUTH_TOKENS_CACHE = '.depot_tools_oauth2_tokens'
63 64 65 66 67 68 69 70 71


# Authentication configuration extracted from command line options.
# See doc string for 'make_auth_config' for meaning of fields.
AuthConfig = collections.namedtuple('AuthConfig', [
    'use_oauth2', # deprecated, will be always True
    'save_cookies', # deprecated, will be removed
    'use_local_webserver',
    'webserver_port',
72
    'refresh_token_json',
73 74 75
])


76 77 78 79 80 81 82
# OAuth access token with its expiration time (UTC datetime or None if unknown).
AccessToken = collections.namedtuple('AccessToken', [
    'token',
    'expires_at',
])


83 84 85 86 87 88 89 90
# Refresh token passed via --auth-refresh-token-json.
RefreshToken = collections.namedtuple('RefreshToken', [
    'client_id',
    'client_secret',
    'refresh_token',
])


91 92 93 94 95 96 97 98 99 100 101 102 103 104 105
class AuthenticationError(Exception):
  """Raised on errors related to authentication."""


class LoginRequiredError(AuthenticationError):
  """Interaction with the user is required to authenticate."""

  def __init__(self, token_cache_key):
    # HACK(vadimsh): It is assumed here that the token cache key is a hostname.
    msg = (
        'You are not logged in. Please login first by running:\n'
        '  depot-tools-auth login %s' % token_cache_key)
    super(LoginRequiredError, self).__init__(msg)


106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202
class LuciContextAuthError(Exception):
  """Raised on errors related to unsuccessful attempts to load LUCI_CONTEXT"""


def get_luci_context_access_token():
  """Returns a valid AccessToken from the local LUCI context auth server.

  Adapted from
  https://chromium.googlesource.com/infra/luci/luci-py/+/master/client/libs/luci_context/luci_context.py
  See the link above for more details.

  Returns:
    AccessToken if LUCI_CONTEXT is present and attempt to load it is successful.
    None if LUCI_CONTEXT is absent.

  Raises:
    LuciContextAuthError if the attempt to load LUCI_CONTEXT
        and request its access token is unsuccessful.
  """
  return _get_luci_context_access_token(os.environ, datetime.datetime.utcnow())


def _get_luci_context_access_token(env, now):
  ctx_path = env.get('LUCI_CONTEXT')
  if not ctx_path:
    return None
  ctx_path = ctx_path.decode(sys.getfilesystemencoding())
  logging.debug('Loading LUCI_CONTEXT: %r', ctx_path)

  def authErr(msg, *args):
    error_msg = msg % args
    ex = sys.exc_info()[1]
    if not ex:
      logging.error(error_msg)
      raise LuciContextAuthError(error_msg)
    logging.exception(error_msg)
    raise LuciContextAuthError('%s: %s' % (error_msg, ex))

  try:
    loaded = _load_luci_context(ctx_path)
  except (OSError, IOError, ValueError):
    authErr('Failed to open, read or decode LUCI_CONTEXT')
  try:
    local_auth = loaded.get('local_auth')
  except AttributeError:
    authErr('LUCI_CONTEXT not in proper format')
  # failed to grab local_auth from LUCI context
  if not local_auth:
    logging.debug('local_auth: no local auth found')
    return None
  try:
    account_id = local_auth.get('default_account_id')
    secret = local_auth.get('secret')
    rpc_port = int(local_auth.get('rpc_port'))
  except (AttributeError, ValueError):
    authErr('local_auth: unexpected local auth format')

  if not secret:
    authErr('local_auth: no secret returned')
  # if account_id not specified, LUCI_CONTEXT should not be picked up
  if not account_id:
    return None

  logging.debug('local_auth: requesting an access token for account "%s"',
      account_id)
  http = httplib2.Http()
  host = '127.0.0.1:%d' % rpc_port
  resp, content = http.request(
      uri='http://%s/rpc/LuciLocalAuthService.GetOAuthToken' % host,
      method='POST',
      body=json.dumps({
        'account_id': account_id,
        'scopes': OAUTH_SCOPES.split(' '),
        'secret': secret,
      }),
      headers={'Content-Type': 'application/json'})
  if resp.status != 200:
    err = ('local_auth: Failed to grab access token from '
           'LUCI context server with status %d: %r')
    authErr(err, resp.status, content)
  try:
    token = json.loads(content)
    error_code = token.get('error_code')
    error_message = token.get('error_message')
    access_token = token.get('access_token')
    expiry = token.get('expiry')
  except (AttributeError, ValueError):
    authErr('local_auth: Unexpected access token response format')
  if error_code:
    authErr('local_auth: Error %d in retrieving access token: %s',
        error_code, error_message)
  if not access_token:
    authErr('local_auth: No access token returned from LUCI context server')
  expiry_dt = None
  if expiry:
    try:
      expiry_dt = datetime.datetime.utcfromtimestamp(expiry)
203 204 205 206
      logging.debug(
        'local_auth: got an access token for '
        'account "%s" that expires in %d sec',
        account_id, (expiry_dt - now).total_seconds())
207 208
    except (TypeError, ValueError):
      authErr('Invalid expiry in returned token')
209 210 211 212 213
  else:
    logging.debug(
        'local auth: got an access token for '
        'account "%s" that does not expire',
        account_id)
214 215 216 217 218 219 220 221 222 223 224
  access_token = AccessToken(access_token, expiry_dt)
  if _needs_refresh(access_token, now=now):
    authErr('local_auth: the returned access token needs to be refreshed')
  return access_token


def _load_luci_context(ctx_path):
  with open(ctx_path) as f:
    return json.load(f)


225 226 227 228
def make_auth_config(
    use_oauth2=None,
    save_cookies=None,
    use_local_webserver=None,
229 230
    webserver_port=None,
    refresh_token_json=None):
231 232 233 234 235 236 237 238
  """Returns new instance of AuthConfig.

  If some config option is None, it will be set to a reasonable default value.
  This function also acts as an authoritative place for default values of
  corresponding command line options.
  """
  default = lambda val, d: val if val is not None else d
  return AuthConfig(
239
      default(use_oauth2, True),
240
      default(save_cookies, True),
241
      default(use_local_webserver, not _is_headless()),
242 243
      default(webserver_port, 8090),
      default(refresh_token_json, ''))
244 245


246
def add_auth_options(parser, default_config=None):
247
  """Appends OAuth related options to OptionParser."""
248
  default_config = default_config or make_auth_config()
249
  parser.auth_group = optparse.OptionGroup(parser, 'Auth options')
250 251 252 253
  parser.add_option_group(parser.auth_group)

  # OAuth2 vs password switch.
  auth_default = 'use OAuth2' if default_config.use_oauth2 else 'use password'
254 255 256 257 258
  parser.auth_group.add_option(
      '--oauth2',
      action='store_true',
      dest='use_oauth2',
      default=default_config.use_oauth2,
259
      help='Use OAuth 2.0 instead of a password. [default: %s]' % auth_default)
260 261 262 263 264
  parser.auth_group.add_option(
      '--no-oauth2',
      action='store_false',
      dest='use_oauth2',
      default=default_config.use_oauth2,
265 266 267
      help='Use password instead of OAuth 2.0. [default: %s]' % auth_default)

  # Password related options, deprecated.
268 269 270 271 272 273
  parser.auth_group.add_option(
      '--no-cookies',
      action='store_false',
      dest='save_cookies',
      default=default_config.save_cookies,
      help='Do not save authentication cookies to local disk.')
274 275

  # OAuth2 related options.
276 277 278 279 280 281 282 283 284 285 286 287
  parser.auth_group.add_option(
      '--auth-no-local-webserver',
      action='store_false',
      dest='use_local_webserver',
      default=default_config.use_local_webserver,
      help='Do not run a local web server when performing OAuth2 login flow.')
  parser.auth_group.add_option(
      '--auth-host-port',
      type=int,
      default=default_config.webserver_port,
      help='Port a local web server should listen on. Used only if '
          '--auth-no-local-webserver is not set. [default: %default]')
288 289 290 291
  parser.auth_group.add_option(
      '--auth-refresh-token-json',
      default=default_config.refresh_token_json,
      help='Path to a JSON file with role account refresh token to use.')
292 293 294 295 296 297 298 299 300 301 302


def extract_auth_config_from_options(options):
  """Given OptionParser parsed options, extracts AuthConfig from it.

  OptionParser should be populated with auth options by 'add_auth_options'.
  """
  return make_auth_config(
      use_oauth2=options.use_oauth2,
      save_cookies=False if options.use_oauth2 else options.save_cookies,
      use_local_webserver=options.use_local_webserver,
303 304
      webserver_port=options.auth_host_port,
      refresh_token_json=options.auth_refresh_token_json)
305 306 307


def auth_config_to_command_options(auth_config):
308 309 310 311
  """AuthConfig -> list of strings with command line options.

  Omits options that are set to default values.
  """
312 313
  if not auth_config:
    return []
314 315 316 317 318 319 320 321 322 323 324 325
  defaults = make_auth_config()
  opts = []
  if auth_config.use_oauth2 != defaults.use_oauth2:
    opts.append('--oauth2' if auth_config.use_oauth2 else '--no-oauth2')
  if auth_config.save_cookies != auth_config.save_cookies:
    if not auth_config.save_cookies:
      opts.append('--no-cookies')
  if auth_config.use_local_webserver != defaults.use_local_webserver:
    if not auth_config.use_local_webserver:
      opts.append('--auth-no-local-webserver')
  if auth_config.webserver_port != defaults.webserver_port:
    opts.extend(['--auth-host-port', str(auth_config.webserver_port)])
326 327 328
  if auth_config.refresh_token_json != defaults.refresh_token_json:
    opts.extend([
        '--auth-refresh-token-json', str(auth_config.refresh_token_json)])
329
  return opts
330 331 332 333 334 335 336 337 338 339 340 341


def get_authenticator_for_host(hostname, config):
  """Returns Authenticator instance to access given host.

  Args:
    hostname: a naked hostname or http(s)://<hostname>[/] URL. Used to derive
        a cache key for token cache.
    config: AuthConfig instance.

  Returns:
    Authenticator object.
342 343 344

  Raises:
    AuthenticationError if hostname is invalid.
345 346 347 348 349
  """
  hostname = hostname.lower().rstrip('/')
  # Append some scheme, otherwise urlparse puts hostname into parsed.path.
  if '://' not in hostname:
    hostname = 'https://' + hostname
350
  scopes = OAUTH_SCOPES
351
  parsed = urlparse.urlparse(hostname)
352 353 354
  if parsed.netloc in ADDITIONAL_SCOPES:
    scopes = "%s %s" % (scopes, ADDITIONAL_SCOPES[parsed.netloc])

355 356 357
  if parsed.path or parsed.params or parsed.query or parsed.fragment:
    raise AuthenticationError(
        'Expecting a hostname or root host URL, got %s instead' % hostname)
358
  return Authenticator(parsed.netloc, config, scopes)
359 360 361 362 363 364 365 366 367 368 369


class Authenticator(object):
  """Object that knows how to refresh access tokens when needed.

  Args:
    token_cache_key: string key of a section of the token cache file to use
        to keep the tokens. See hostname_to_token_cache_key.
    config: AuthConfig object that holds authentication configuration.
  """

370
  def __init__(self, token_cache_key, config, scopes):
371 372 373 374 375 376
    assert isinstance(config, AuthConfig)
    assert config.use_oauth2
    self._access_token = None
    self._config = config
    self._lock = threading.Lock()
    self._token_cache_key = token_cache_key
377
    self._external_token = None
378
    self._scopes = scopes
379 380
    if config.refresh_token_json:
      self._external_token = _read_refresh_token_json(config.refresh_token_json)
381
    logging.debug('Using auth config %r', config)
382 383 384 385 386 387 388

  def login(self):
    """Performs interactive login flow if necessary.

    Raises:
      AuthenticationError on error or if interrupted.
    """
389 390 391
    if self._external_token:
      raise AuthenticationError(
          'Can\'t run login flow when using --auth-refresh-token-json.')
392 393 394 395 396 397
    return self.get_access_token(
        force_refresh=True, allow_user_interaction=True)

  def logout(self):
    """Revokes the refresh token and deletes it from the cache.

398
    Returns True if had some credentials cached.
399 400 401 402 403
    """
    with self._lock:
      self._access_token = None
      storage = self._get_storage()
      credentials = storage.get()
404 405 406 407 408 409
      had_creds = bool(credentials)
      if credentials and credentials.refresh_token and credentials.revoke_uri:
        try:
          credentials.revoke(httplib2.Http())
        except client.TokenRevokeError as e:
          logging.warning('Failed to revoke refresh token: %s', e)
410
      storage.delete()
411
    return had_creds
412 413 414 415 416 417 418 419 420 421 422 423 424 425 426

  def has_cached_credentials(self):
    """Returns True if long term credentials (refresh token) are in cache.

    Doesn't make network calls.

    If returns False, get_access_token() later will ask for interactive login by
    raising LoginRequiredError.

    If returns True, most probably get_access_token() won't ask for interactive
    login, though it is not guaranteed, since cached token can be already
    revoked and there's no way to figure this out without actually trying to use
    it.
    """
    with self._lock:
427
      return bool(self._get_cached_credentials())
428

429 430
  def get_access_token(self, force_refresh=False, allow_user_interaction=False,
                       use_local_auth=True):
431 432 433 434 435
    """Returns AccessToken, refreshing it if necessary.

    Args:
      force_refresh: forcefully refresh access token even if it is not expired.
      allow_user_interaction: True to enable blocking for user input if needed.
436
      use_local_auth: default to local auth if needed.
437 438 439 440 441 442

    Raises:
      AuthenticationError on error or if authentication flow was interrupted.
      LoginRequiredError if user interaction is required, but
          allow_user_interaction is False.
    """
443 444 445 446 447 448 449 450 451 452 453 454 455 456 457
    def get_loc_auth_tkn():
      exi = sys.exc_info()
      if not use_local_auth:
        logging.error('Failed to create access token')
        raise
      try:
        self._access_token = get_luci_context_access_token()
        if not self._access_token:
          logging.error('Failed to create access token')
          raise
        return self._access_token
      except LuciContextAuthError:
        logging.exception('Failed to use local auth')
        raise exi[0], exi[1], exi[2]

458 459
    with self._lock:
      if force_refresh:
460
        logging.debug('Forcing access token refresh')
461 462 463 464 465
        try:
          self._access_token = self._create_access_token(allow_user_interaction)
          return self._access_token
        except LoginRequiredError:
          return get_loc_auth_tkn()
466 467 468 469 470 471 472 473 474 475 476

      # Load from on-disk cache on a first access.
      if not self._access_token:
        self._access_token = self._load_access_token()

      # Refresh if expired or missing.
      if not self._access_token or _needs_refresh(self._access_token):
        # Maybe some other process already updated it, reload from the cache.
        self._access_token = self._load_access_token()
        # Nope, still expired, need to run the refresh flow.
        if not self._access_token or _needs_refresh(self._access_token):
477 478 479 480 481
          try:
            self._access_token = self._create_access_token(
                allow_user_interaction)
          except LoginRequiredError:
            get_loc_auth_tkn()
482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517

      return self._access_token

  def get_token_info(self):
    """Returns a result of /oauth2/v2/tokeninfo call with token info."""
    access_token = self.get_access_token()
    resp, content = httplib2.Http().request(
        uri='https://www.googleapis.com/oauth2/v2/tokeninfo?%s' % (
            urllib.urlencode({'access_token': access_token.token})))
    if resp.status == 200:
      return json.loads(content)
    raise AuthenticationError('Failed to fetch the token info: %r' % content)

  def authorize(self, http):
    """Monkey patches authentication logic of httplib2.Http instance.

    The modified http.request method will add authentication headers to each
    request and will refresh access_tokens when a 401 is received on a
    request.

    Args:
       http: An instance of httplib2.Http.

    Returns:
       A modified instance of http that was passed in.
    """
    # Adapted from oauth2client.OAuth2Credentials.authorize.

    request_orig = http.request

    @functools.wraps(request_orig)
    def new_request(
        uri, method='GET', body=None, headers=None,
        redirections=httplib2.DEFAULT_MAX_REDIRECTS,
        connection_type=None):
      headers = (headers or {}).copy()
518
      headers['Authorization'] = 'Bearer %s' % self.get_access_token().token
519 520 521 522 523
      resp, content = request_orig(
          uri, method, body, headers, redirections, connection_type)
      if resp.status in client.REFRESH_STATUS_CODES:
        logging.info('Refreshing due to a %s', resp.status)
        access_token = self.get_access_token(force_refresh=True)
524
        headers['Authorization'] = 'Bearer %s' % access_token.token
525 526 527 528 529 530 531 532 533 534 535 536
        return request_orig(
            uri, method, body, headers, redirections, connection_type)
      else:
        return (resp, content)

    http.request = new_request
    return http

  ## Private methods.

  def _get_storage(self):
    """Returns oauth2client.Storage with cached tokens."""
537 538 539 540 541 542
    # Do not mix cache keys for different externally provided tokens.
    if self._external_token:
      token_hash = hashlib.sha1(self._external_token.refresh_token).hexdigest()
      cache_key = '%s:refresh_tok:%s' % (self._token_cache_key, token_hash)
    else:
      cache_key = self._token_cache_key
543 544
    path = _get_token_cache_path()
    logging.debug('Using token storage %r (cache key %r)', path, cache_key)
545
    return multistore_file.get_credential_storage_custom_string_key(
546
        path, cache_key)
547 548 549 550 551 552

  def _get_cached_credentials(self):
    """Returns oauth2client.Credentials loaded from storage."""
    storage = self._get_storage()
    credentials = storage.get()

553 554 555 556 557
    if not credentials:
      logging.debug('No cached token')
    else:
      _log_credentials_info('cached token', credentials)

558 559 560 561 562 563 564 565 566 567 568
    # Is using --auth-refresh-token-json?
    if self._external_token:
      # Cached credentials are valid and match external token -> use them. It is
      # important to reuse credentials from the storage because they contain
      # cached access token.
      valid = (
          credentials and not credentials.invalid and
          credentials.refresh_token == self._external_token.refresh_token and
          credentials.client_id == self._external_token.client_id and
          credentials.client_secret == self._external_token.client_secret)
      if valid:
569
        logging.debug('Cached credentials match external refresh token')
570 571 572 573
        return credentials
      # Construct new credentials from externally provided refresh token,
      # associate them with cache storage (so that access_token will be placed
      # in the cache later too).
574
      logging.debug('Putting external refresh token into the cache')
575 576 577 578 579 580 581 582 583 584 585 586 587 588 589
      credentials = client.OAuth2Credentials(
          access_token=None,
          client_id=self._external_token.client_id,
          client_secret=self._external_token.client_secret,
          refresh_token=self._external_token.refresh_token,
          token_expiry=None,
          token_uri='https://accounts.google.com/o/oauth2/token',
          user_agent=None,
          revoke_uri=None)
      credentials.set_store(storage)
      storage.put(credentials)
      return credentials

    # Not using external refresh token -> return whatever is cached.
    return credentials if (credentials and not credentials.invalid) else None
590 591 592

  def _load_access_token(self):
    """Returns cached AccessToken if it is not expired yet."""
593
    logging.debug('Reloading access token from cache')
594 595
    creds = self._get_cached_credentials()
    if not creds or not creds.access_token or creds.access_token_expired:
596
      logging.debug('Access token is missing or expired')
597
      return None
598
    return AccessToken(str(creds.access_token), creds.token_expiry)
599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618

  def _create_access_token(self, allow_user_interaction=False):
    """Mints and caches a new access token, launching OAuth2 dance if necessary.

    Uses cached refresh token, if present. In that case user interaction is not
    required and function will finish quietly. Otherwise it will launch 3-legged
    OAuth2 flow, that needs user interaction.

    Args:
      allow_user_interaction: if True, allow interaction with the user (e.g.
          reading standard input, or launching a browser).

    Returns:
      AccessToken.

    Raises:
      AuthenticationError on error or if authentication flow was interrupted.
      LoginRequiredError if user interaction is required, but
          allow_user_interaction is False.
    """
619 620 621
    logging.debug(
        'Making new access token (allow_user_interaction=%r)',
        allow_user_interaction)
622
    credentials = self._get_cached_credentials()
623 624 625 626 627

    # 3-legged flow with (perhaps cached) refresh token.
    refreshed = False
    if credentials and not credentials.invalid:
      try:
628
        logging.debug('Attempting to refresh access_token')
629
        credentials.refresh(httplib2.Http())
630
        _log_credentials_info('refreshed token', credentials)
631 632 633
        refreshed = True
      except client.Error as err:
        logging.warning(
634
            'OAuth error during access token refresh (%s). '
635 636 637 638
            'Attempting a full authentication flow.', err)

    # Refresh token is missing or invalid, go through the full flow.
    if not refreshed:
639 640 641 642
      # Can't refresh externally provided token.
      if self._external_token:
        raise AuthenticationError(
            'Token provided via --auth-refresh-token-json is no longer valid.')
643
      if not allow_user_interaction:
644
        logging.debug('Requesting user to login')
645
        raise LoginRequiredError(self._token_cache_key)
646
      logging.debug('Launching OAuth browser flow')
647
      credentials = _run_oauth_dance(self._config, self._scopes)
648
      _log_credentials_info('new token', credentials)
649 650 651 652

    logging.info(
        'OAuth access_token refreshed. Expires in %s.',
        credentials.token_expiry - datetime.datetime.utcnow())
653
    storage = self._get_storage()
654 655
    credentials.set_store(storage)
    storage.put(credentials)
656
    return AccessToken(str(credentials.access_token), credentials.token_expiry)
657 658 659 660 661


## Private functions.


662 663 664 665 666 667 668 669 670 671 672 673 674 675
def _get_token_cache_path():
  # On non Win just use HOME.
  if sys.platform != 'win32':
    return os.path.join(os.path.expanduser('~'), OAUTH_TOKENS_CACHE)
  # Prefer USERPROFILE over HOME, since HOME is overridden in
  # git-..._bin/cmd/git.cmd to point to depot_tools. depot-tools-auth.py script
  # (and all other scripts) doesn't use this override and thus uses another
  # value for HOME. git.cmd doesn't touch USERPROFILE though, and usually
  # USERPROFILE == HOME on Windows.
  if 'USERPROFILE' in os.environ:
    return os.path.join(os.environ['USERPROFILE'], OAUTH_TOKENS_CACHE)
  return os.path.join(os.path.expanduser('~'), OAUTH_TOKENS_CACHE)


676 677 678 679 680
def _is_headless():
  """True if machine doesn't seem to have a display."""
  return sys.platform == 'linux2' and not os.environ.get('DISPLAY')


681 682 683 684 685 686 687 688 689 690 691 692 693 694 695 696 697
def _read_refresh_token_json(path):
  """Returns RefreshToken by reading it from the JSON file."""
  try:
    with open(path, 'r') as f:
      data = json.load(f)
      return RefreshToken(
          client_id=str(data.get('client_id', OAUTH_CLIENT_ID)),
          client_secret=str(data.get('client_secret', OAUTH_CLIENT_SECRET)),
          refresh_token=str(data['refresh_token']))
  except (IOError, ValueError) as e:
    raise AuthenticationError(
        'Failed to read refresh token from %s: %s' % (path, e))
  except KeyError as e:
    raise AuthenticationError(
        'Failed to read refresh token from %s: missing key %s' % (path, e))


698
def _needs_refresh(access_token, now=None):
699 700
  """True if AccessToken should be refreshed."""
  if access_token.expires_at is not None:
701
    now = now or datetime.datetime.utcnow()
702
    # Allow 5 min of clock skew between client and backend.
703
    now += datetime.timedelta(seconds=300)
704 705 706 707 708
    return now >= access_token.expires_at
  # Token without expiration time never expires.
  return False


709 710 711 712 713 714 715 716 717 718 719 720
def _log_credentials_info(title, credentials):
  """Dumps (non sensitive) part of client.Credentials object to debug log."""
  if credentials:
    logging.debug('%s info: %r', title, {
        'access_token_expired': credentials.access_token_expired,
        'has_access_token': bool(credentials.access_token),
        'invalid': credentials.invalid,
        'utcnow': datetime.datetime.utcnow(),
        'token_expiry': credentials.token_expiry,
    })


721
def _run_oauth_dance(config, scopes):
722 723 724 725 726 727 728 729 730 731 732
  """Perform full 3-legged OAuth2 flow with the browser.

  Returns:
    oauth2client.Credentials.

  Raises:
    AuthenticationError on errors.
  """
  flow = client.OAuth2WebServerFlow(
      OAUTH_CLIENT_ID,
      OAUTH_CLIENT_SECRET,
733
      scopes,
734 735 736 737 738 739 740 741 742 743 744 745 746 747 748 749 750 751 752 753 754 755 756 757 758 759 760 761 762 763 764 765 766 767 768 769 770 771 772 773 774 775 776 777 778 779 780 781 782 783 784 785 786 787 788 789 790 791 792 793 794 795 796 797 798 799 800 801 802 803 804 805 806 807 808 809 810 811 812 813 814 815 816 817 818 819 820 821 822 823 824 825 826 827 828 829 830 831 832 833
      approval_prompt='force')

  use_local_webserver = config.use_local_webserver
  port = config.webserver_port
  if config.use_local_webserver:
    success = False
    try:
      httpd = _ClientRedirectServer(('localhost', port), _ClientRedirectHandler)
    except socket.error:
      pass
    else:
      success = True
    use_local_webserver = success
    if not success:
      print(
        'Failed to start a local webserver listening on port %d.\n'
        'Please check your firewall settings and locally running programs that '
        'may be blocking or using those ports.\n\n'
        'Falling back to --auth-no-local-webserver and continuing with '
        'authentication.\n' % port)

  if use_local_webserver:
    oauth_callback = 'http://localhost:%s/' % port
  else:
    oauth_callback = client.OOB_CALLBACK_URN
  flow.redirect_uri = oauth_callback
  authorize_url = flow.step1_get_authorize_url()

  if use_local_webserver:
    webbrowser.open(authorize_url, new=1, autoraise=True)
    print(
      'Your browser has been opened to visit:\n\n'
      '    %s\n\n'
      'If your browser is on a different machine then exit and re-run this '
      'application with the command-line parameter\n\n'
      '  --auth-no-local-webserver\n' % authorize_url)
  else:
    print(
      'Go to the following link in your browser:\n\n'
      '    %s\n' % authorize_url)

  try:
    code = None
    if use_local_webserver:
      httpd.handle_request()
      if 'error' in httpd.query_params:
        raise AuthenticationError(
            'Authentication request was rejected: %s' %
            httpd.query_params['error'])
      if 'code' not in httpd.query_params:
        raise AuthenticationError(
            'Failed to find "code" in the query parameters of the redirect.\n'
            'Try running with --auth-no-local-webserver.')
      code = httpd.query_params['code']
    else:
      code = raw_input('Enter verification code: ').strip()
  except KeyboardInterrupt:
    raise AuthenticationError('Authentication was canceled.')

  try:
    return flow.step2_exchange(code)
  except client.FlowExchangeError as e:
    raise AuthenticationError('Authentication has failed: %s' % e)


class _ClientRedirectServer(BaseHTTPServer.HTTPServer):
  """A server to handle OAuth 2.0 redirects back to localhost.

  Waits for a single request and parses the query parameters
  into query_params and then stops serving.
  """
  query_params = {}


class _ClientRedirectHandler(BaseHTTPServer.BaseHTTPRequestHandler):
  """A handler for OAuth 2.0 redirects back to localhost.

  Waits for a single request and parses the query parameters
  into the servers query_params and then stops serving.
  """

  def do_GET(self):
    """Handle a GET request.

    Parses the query parameters and prints a message
    if the flow has completed. Note that we can't detect
    if an error occurred.
    """
    self.send_response(200)
    self.send_header('Content-type', 'text/html')
    self.end_headers()
    query = self.path.split('?', 1)[-1]
    query = dict(urlparse.parse_qsl(query))
    self.server.query_params = query
    self.wfile.write('<html><head><title>Authentication Status</title></head>')
    self.wfile.write('<body><p>The authentication flow has completed.</p>')
    self.wfile.write('</body></html>')

  def log_message(self, _format, *args):
    """Do not log messages to stdout while running as command line program."""