1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
|
# Copyright 2015 Google Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Helper functions for commonly used utilities."""
import base64
import calendar
import datetime
from email.message import Message
import hashlib
import json
import logging
import sys
from typing import Any, Dict, Mapping, Optional, Union
import urllib
from google.auth import exceptions
# _BASE_LOGGER_NAME is the base logger for all google-based loggers.
_BASE_LOGGER_NAME = "google"
# _LOGGING_INITIALIZED ensures that base logger is only configured once
# (unless already configured by the end-user).
_LOGGING_INITIALIZED = False
# The smallest MDS cache used by this library stores tokens until 4 minutes from
# expiry.
REFRESH_THRESHOLD = datetime.timedelta(minutes=3, seconds=45)
# TODO(https://github.com/googleapis/google-auth-library-python/issues/1684): Audit and update the list below.
_SENSITIVE_FIELDS = {
"accessToken",
"access_token",
"id_token",
"client_id",
"refresh_token",
"client_secret",
}
def copy_docstring(source_class):
"""Decorator that copies a method's docstring from another class.
Args:
source_class (type): The class that has the documented method.
Returns:
Callable: A decorator that will copy the docstring of the same
named method in the source class to the decorated method.
"""
def decorator(method):
"""Decorator implementation.
Args:
method (Callable): The method to copy the docstring to.
Returns:
Callable: the same method passed in with an updated docstring.
Raises:
google.auth.exceptions.InvalidOperation: if the method already has a docstring.
"""
if method.__doc__:
raise exceptions.InvalidOperation("Method already has a docstring.")
source_method = getattr(source_class, method.__name__)
method.__doc__ = source_method.__doc__
return method
return decorator
def parse_content_type(header_value):
"""Parse a 'content-type' header value to get just the plain media-type (without parameters).
This is done using the class Message from email.message as suggested in PEP 594
(because the cgi is now deprecated and will be removed in python 3.13,
see https://peps.python.org/pep-0594/#cgi).
Args:
header_value (str): The value of a 'content-type' header as a string.
Returns:
str: A string with just the lowercase media-type from the parsed 'content-type' header.
If the provided content-type is not parsable, returns 'text/plain',
the default value for textual files.
"""
m = Message()
m["content-type"] = header_value
return (
m.get_content_type()
) # Despite the name, actually returns just the media-type
def utcnow():
"""Returns the current UTC datetime.
Returns:
datetime: The current time in UTC.
"""
# We used datetime.utcnow() before, since it's deprecated from python 3.12,
# we are using datetime.now(timezone.utc) now. "utcnow()" is offset-native
# (no timezone info), but "now()" is offset-aware (with timezone info).
# This will cause datetime comparison problem. For backward compatibility,
# we need to remove the timezone info.
now = datetime.datetime.now(datetime.timezone.utc)
now = now.replace(tzinfo=None)
return now
def datetime_to_secs(value):
"""Convert a datetime object to the number of seconds since the UNIX epoch.
Args:
value (datetime): The datetime to convert.
Returns:
int: The number of seconds since the UNIX epoch.
"""
return calendar.timegm(value.utctimetuple())
def to_bytes(value, encoding="utf-8"):
"""Converts a string value to bytes, if necessary.
Args:
value (Union[str, bytes]): The value to be converted.
encoding (str): The encoding to use to convert unicode to bytes.
Defaults to "utf-8".
Returns:
bytes: The original value converted to bytes (if unicode) or as
passed in if it started out as bytes.
Raises:
google.auth.exceptions.InvalidValue: If the value could not be converted to bytes.
"""
result = value.encode(encoding) if isinstance(value, str) else value
if isinstance(result, bytes):
return result
else:
raise exceptions.InvalidValue(
"{0!r} could not be converted to bytes".format(value)
)
def from_bytes(value):
"""Converts bytes to a string value, if necessary.
Args:
value (Union[str, bytes]): The value to be converted.
Returns:
str: The original value converted to unicode (if bytes) or as passed in
if it started out as unicode.
Raises:
google.auth.exceptions.InvalidValue: If the value could not be converted to unicode.
"""
result = value.decode("utf-8") if isinstance(value, bytes) else value
if isinstance(result, str):
return result
else:
raise exceptions.InvalidValue(
"{0!r} could not be converted to unicode".format(value)
)
def update_query(url, params, remove=None):
"""Updates a URL's query parameters.
Replaces any current values if they are already present in the URL.
Args:
url (str): The URL to update.
params (Mapping[str, str]): A mapping of query parameter
keys to values.
remove (Sequence[str]): Parameters to remove from the query string.
Returns:
str: The URL with updated query parameters.
Examples:
>>> url = 'http://example.com?a=1'
>>> update_query(url, {'a': '2'})
http://example.com?a=2
>>> update_query(url, {'b': '3'})
http://example.com?a=1&b=3
>> update_query(url, {'b': '3'}, remove=['a'])
http://example.com?b=3
"""
if remove is None:
remove = []
# Split the URL into parts.
parts = urllib.parse.urlparse(url)
# Parse the query string.
query_params = urllib.parse.parse_qs(parts.query)
# Update the query parameters with the new parameters.
query_params.update(params)
# Remove any values specified in remove.
query_params = {
key: value for key, value in query_params.items() if key not in remove
}
# Re-encoded the query string.
new_query = urllib.parse.urlencode(query_params, doseq=True)
# Unsplit the url.
new_parts = parts._replace(query=new_query)
return urllib.parse.urlunparse(new_parts)
def scopes_to_string(scopes):
"""Converts scope value to a string suitable for sending to OAuth 2.0
authorization servers.
Args:
scopes (Sequence[str]): The sequence of scopes to convert.
Returns:
str: The scopes formatted as a single string.
"""
return " ".join(scopes)
def string_to_scopes(scopes):
"""Converts stringifed scopes value to a list.
Args:
scopes (Union[Sequence, str]): The string of space-separated scopes
to convert.
Returns:
Sequence(str): The separated scopes.
"""
if not scopes:
return []
return scopes.split(" ")
def padded_urlsafe_b64decode(value):
"""Decodes base64 strings lacking padding characters.
Google infrastructure tends to omit the base64 padding characters.
Args:
value (Union[str, bytes]): The encoded value.
Returns:
bytes: The decoded value
"""
b64string = to_bytes(value)
padded = b64string + b"=" * (-len(b64string) % 4)
return base64.urlsafe_b64decode(padded)
def unpadded_urlsafe_b64encode(value):
"""Encodes base64 strings removing any padding characters.
`rfc 7515`_ defines Base64url to NOT include any padding
characters, but the stdlib doesn't do that by default.
_rfc7515: https://tools.ietf.org/html/rfc7515#page-6
Args:
value (Union[str|bytes]): The bytes-like value to encode
Returns:
Union[str|bytes]: The encoded value
"""
return base64.urlsafe_b64encode(value).rstrip(b"=")
def is_python_3():
"""Check if the Python interpreter is Python 2 or 3.
Returns:
bool: True if the Python interpreter is Python 3 and False otherwise.
"""
return sys.version_info > (3, 0)
def _hash_sensitive_info(data: Union[dict, list]) -> Union[dict, list, str]:
"""
Hashes sensitive information within a dictionary.
Args:
data: The dictionary containing data to be processed.
Returns:
A new dictionary with sensitive values replaced by their SHA512 hashes.
If the input is a list, returns a list with each element recursively processed.
If the input is neither a dict nor a list, returns the type of the input as a string.
"""
if isinstance(data, dict):
hashed_data: Dict[Any, Union[Optional[str], dict, list]] = {}
for key, value in data.items():
if key in _SENSITIVE_FIELDS and not isinstance(value, (dict, list)):
hashed_data[key] = _hash_value(value, key)
elif isinstance(value, (dict, list)):
hashed_data[key] = _hash_sensitive_info(value)
else:
hashed_data[key] = value
return hashed_data
elif isinstance(data, list):
hashed_list = []
for val in data:
hashed_list.append(_hash_sensitive_info(val))
return hashed_list
else:
# TODO(https://github.com/googleapis/google-auth-library-python/issues/1701):
# Investigate and hash sensitive info before logging when the data type is
# not a dict or a list.
return str(type(data))
def _hash_value(value, field_name: str) -> Optional[str]:
"""Hashes a value and returns a formatted hash string."""
if value is None:
return None
encoded_value = str(value).encode("utf-8")
hash_object = hashlib.sha512()
hash_object.update(encoded_value)
hex_digest = hash_object.hexdigest()
return f"hashed_{field_name}-{hex_digest}"
def _logger_configured(logger: logging.Logger) -> bool:
"""Determines whether `logger` has non-default configuration
Args:
logger: The logger to check.
Returns:
bool: Whether the logger has any non-default configuration.
"""
return (
logger.handlers != [] or logger.level != logging.NOTSET or not logger.propagate
)
def is_logging_enabled(logger: logging.Logger) -> bool:
"""
Checks if debug logging is enabled for the given logger.
Args:
logger: The logging.Logger instance to check.
Returns:
True if debug logging is enabled, False otherwise.
"""
# NOTE: Log propagation to the root logger is disabled unless
# the base logger i.e. logging.getLogger("google") is
# explicitly configured by the end user. Ideally this
# needs to happen in the client layer (already does for GAPICs).
# However, this is implemented here to avoid logging
# (if a root logger is configured) when a version of google-auth
# which supports logging is used with:
# - an older version of a GAPIC which does not support logging.
# - Apiary client which does not support logging.
global _LOGGING_INITIALIZED
if not _LOGGING_INITIALIZED:
base_logger = logging.getLogger(_BASE_LOGGER_NAME)
if not _logger_configured(base_logger):
base_logger.propagate = False
_LOGGING_INITIALIZED = True
return logger.isEnabledFor(logging.DEBUG)
def request_log(
logger: logging.Logger,
method: str,
url: str,
body: Optional[bytes],
headers: Optional[Mapping[str, str]],
) -> None:
"""
Logs an HTTP request at the DEBUG level if logging is enabled.
Args:
logger: The logging.Logger instance to use.
method: The HTTP method (e.g., "GET", "POST").
url: The URL of the request.
body: The request body (can be None).
headers: The request headers (can be None).
"""
if is_logging_enabled(logger):
content_type = (
headers["Content-Type"] if headers and "Content-Type" in headers else ""
)
json_body = _parse_request_body(body, content_type=content_type)
logged_body = _hash_sensitive_info(json_body)
logger.debug(
"Making request...",
extra={
"httpRequest": {
"method": method,
"url": url,
"body": logged_body,
"headers": headers,
}
},
)
def _parse_request_body(body: Optional[bytes], content_type: str = "") -> Any:
"""
Parses a request body, handling bytes and string types, and different content types.
Args:
body (Optional[bytes]): The request body.
content_type (str): The content type of the request body, e.g., "application/json",
"application/x-www-form-urlencoded", or "text/plain". If empty, attempts
to parse as JSON.
Returns:
Parsed body (dict, str, or None).
- JSON: Decodes if content_type is "application/json" or None (fallback).
- URL-encoded: Parses if content_type is "application/x-www-form-urlencoded".
- Plain text: Returns string if content_type is "text/plain".
- None: Returns if body is None, UTF-8 decode fails, or content_type is unknown.
"""
if body is None:
return None
try:
body_str = body.decode("utf-8")
except (UnicodeDecodeError, AttributeError):
return None
content_type = content_type.lower()
if not content_type or "application/json" in content_type:
try:
return json.loads(body_str)
except (json.JSONDecodeError, TypeError):
return body_str
if "application/x-www-form-urlencoded" in content_type:
parsed_query = urllib.parse.parse_qs(body_str)
result = {k: v[0] for k, v in parsed_query.items()}
return result
if "text/plain" in content_type:
return body_str
return None
def _parse_response(response: Any) -> Any:
"""
Parses a response, attempting to decode JSON.
Args:
response: The response object to parse. This can be any type, but
it is expected to have a `json()` method if it contains JSON.
Returns:
The parsed response. If the response contains valid JSON, the
decoded JSON object (e.g., a dictionary or list) is returned.
If the response does not have a `json()` method or if the JSON
decoding fails, None is returned.
"""
try:
json_response = response.json()
return json_response
except Exception:
# TODO(https://github.com/googleapis/google-auth-library-python/issues/1744):
# Parse and return response payload as json based on different content types.
return None
def _response_log_base(logger: logging.Logger, parsed_response: Any) -> None:
"""
Logs a parsed HTTP response at the DEBUG level.
This internal helper function takes a parsed response and logs it
using the provided logger. It also applies a hashing function to
potentially sensitive information before logging.
Args:
logger: The logging.Logger instance to use for logging.
parsed_response: The parsed HTTP response object (e.g., a dictionary,
list, or the original response if parsing failed).
"""
logged_response = _hash_sensitive_info(parsed_response)
logger.debug("Response received...", extra={"httpResponse": logged_response})
def response_log(logger: logging.Logger, response: Any) -> None:
"""
Logs an HTTP response at the DEBUG level if logging is enabled.
Args:
logger: The logging.Logger instance to use.
response: The HTTP response object to log.
"""
if is_logging_enabled(logger):
json_response = _parse_response(response)
_response_log_base(logger, json_response)
|
