Source code for airflow.providers.google.common.auth_backend.google_openid
## Licensed to the Apache Software Foundation (ASF) under one# or more contributor license agreements. See the NOTICE file# distributed with this work for additional information# regarding copyright ownership. The ASF licenses this file# to you under the Apache License, Version 2.0 (the# "License"); you may not use this file except in compliance# with the License. You may obtain a copy of the License at## http://www.apache.org/licenses/LICENSE-2.0## Unless required by applicable law or agreed to in writing,# software distributed under the License is distributed on an# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY# KIND, either express or implied. See the License for the# specific language governing permissions and limitations# under the License."""Authentication backend that use Google credentials for authorization."""importloggingfromfunctoolsimportwrapsfromtypingimportCallable,Optional,TypeVar,castimportgoogleimportgoogle.auth.transport.requestsimportgoogle.oauth2.id_tokenfromflaskimportResponse,_request_ctx_stack,current_app,requestasflask_request# type: ignorefromgoogle.authimportexceptionsfromgoogle.auth.transport.requestsimportAuthorizedSessionfromgoogle.oauth2importservice_accountfromairflow.configurationimportconffromairflow.providers.google.common.utils.id_token_credentialsimportget_default_id_token_credentials
[docs]defcreate_client_session():"""Create a HTTP authorized client."""service_account_path=conf.get("api","google_key_path")ifservice_account_path:id_token_credentials=service_account.IDTokenCredentials.from_service_account_file(service_account_path)else:id_token_credentials=get_default_id_token_credentials(target_audience=AUDIENCE)returnAuthorizedSession(credentials=id_token_credentials)
def_get_id_token_from_request(request)->Optional[str]:authorization_header=request.headers.get("Authorization")ifnotauthorization_header:returnNoneauthorization_header_parts=authorization_header.split(" ",2)iflen(authorization_header_parts)!=2orauthorization_header_parts[0].lower()!="bearer":returnNoneid_token=authorization_header_parts[1]returnid_tokendef_verify_id_token(id_token:str)->Optional[str]:try:request_adapter=google.auth.transport.requests.Request()id_info=google.oauth2.id_token.verify_token(id_token,request_adapter,AUDIENCE)exceptexceptions.GoogleAuthError:returnNone# This check is part of google-auth v1.19.0 (2020-07-09), In order not to create strong version# requirements to too new version, we check it in our code too.# One day, we may delete this code and set minimum version in requirements.ifid_info.get("iss")notin_GOOGLE_ISSUERS:returnNoneifnotid_info.get("email_verified",False):returnNonereturnid_info.get("email")def_lookup_user(user_email:str):security_manager=current_app.appbuilder.smuser=security_manager.find_user(email=user_email)ifnotuser:returnNoneifnotuser.is_active:returnNonereturnuserdef_set_current_user(user):ctx=_request_ctx_stack.topctx.user=user
[docs]defrequires_authentication(function:T):"""Decorator for functions that require authentication."""@wraps(function)defdecorated(*args,**kwargs):access_token=_get_id_token_from_request(flask_request)ifnotaccess_token:log.debug("Missing ID Token")returnResponse("Forbidden",403)userid=_verify_id_token(access_token)ifnotuserid:log.debug("Invalid ID Token")returnResponse("Forbidden",403)log.debug("Looking for user with e-mail: %s",userid)user=_lookup_user(userid)ifnotuser:returnResponse("Forbidden",403)log.debug("Found user: %s",user)_set_current_user(user)returnfunction(*args,**kwargs)returncast(T,decorated)