1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
|
# Copyright 2017 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Tools for using the Google `Cloud Identity and Access Management (IAM)
API`_'s auth-related functionality.
.. _Cloud Identity and Access Management (IAM) API:
https://cloud.google.com/iam/docs/
"""
import base64
import http.client as http_client
import json
from google.auth import _helpers
from google.auth import crypt
from google.auth import exceptions
_IAM_API_ROOT_URI = "https://iamcredentials.googleapis.com/v1"
_SIGN_BLOB_URI = _IAM_API_ROOT_URI + "/projects/-/serviceAccounts/{}:signBlob?alt=json"
class Signer(crypt.Signer):
"""Signs messages using the IAM `signBlob API`_.
This is useful when you need to sign bytes but do not have access to the
credential's private key file.
.. _signBlob API:
https://cloud.google.com/iam/reference/rest/v1/projects.serviceAccounts
/signBlob
"""
def __init__(self, request, credentials, service_account_email):
"""
Args:
request (google.auth.transport.Request): The object used to make
HTTP requests.
credentials (google.auth.credentials.Credentials): The credentials
that will be used to authenticate the request to the IAM API.
The credentials must have of one the following scopes:
- https://www.googleapis.com/auth/iam
- https://www.googleapis.com/auth/cloud-platform
service_account_email (str): The service account email identifying
which service account to use to sign bytes. Often, this can
be the same as the service account email in the given
credentials.
"""
self._request = request
self._credentials = credentials
self._service_account_email = service_account_email
def _make_signing_request(self, message):
"""Makes a request to the API signBlob API."""
message = _helpers.to_bytes(message)
method = "POST"
url = _SIGN_BLOB_URI.format(self._service_account_email)
headers = {"Content-Type": "application/json"}
body = json.dumps(
{"payload": base64.b64encode(message).decode("utf-8")}
).encode("utf-8")
self._credentials.before_request(self._request, method, url, headers)
response = self._request(url=url, method=method, body=body, headers=headers)
if response.status != http_client.OK:
raise exceptions.TransportError(
"Error calling the IAM signBlob API: {}".format(response.data)
)
return json.loads(response.data.decode("utf-8"))
@property
def key_id(self):
"""Optional[str]: The key ID used to identify this private key.
.. warning::
This is always ``None``. The key ID used by IAM can not
be reliably determined ahead of time.
"""
return None
@_helpers.copy_docstring(crypt.Signer)
def sign(self, message):
response = self._make_signing_request(message)
return base64.b64decode(response["signedBlob"])
|