mirror of
https://github.com/GAM-team/GAM.git
synced 2025-07-08 05:33:34 +00:00
upgrade googleapiclient and oauth2client versions
This commit is contained in:
Jay Lee
@ -1,7 +1,6 @@
|
||||
#!/usr/bin/python2.4
|
||||
# -*- coding: utf-8 -*-
|
||||
#
|
||||
# Copyright (C) 2011 Google Inc.
|
||||
# Copyright 2014 Google Inc. All rights reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
@ -14,14 +13,13 @@
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
"""Crypto-related routines for oauth2client."""
|
||||
|
||||
import base64
|
||||
import hashlib
|
||||
import json
|
||||
import logging
|
||||
import time
|
||||
|
||||
from anyjson import simplejson
|
||||
|
||||
|
||||
CLOCK_SKEW_SECS = 300 # 5 minutes in seconds
|
||||
AUTH_TOKEN_LIFETIME_SECS = 300 # 5 minutes in seconds
|
||||
@ -38,7 +36,6 @@ class AppIdentityError(Exception):
|
||||
try:
|
||||
from OpenSSL import crypto
|
||||
|
||||
|
||||
class OpenSSLVerifier(object):
|
||||
"""Verifies the signature on a message."""
|
||||
|
||||
@ -125,10 +122,11 @@ try:
|
||||
Raises:
|
||||
OpenSSL.crypto.Error if the key can't be parsed.
|
||||
"""
|
||||
if key.startswith('-----BEGIN '):
|
||||
pkey = crypto.load_privatekey(crypto.FILETYPE_PEM, key)
|
||||
parsed_pem_key = _parse_pem_key(key)
|
||||
if parsed_pem_key:
|
||||
pkey = crypto.load_privatekey(crypto.FILETYPE_PEM, parsed_pem_key)
|
||||
else:
|
||||
pkey = crypto.load_pkcs12(key, password).get_privatekey()
|
||||
pkey = crypto.load_pkcs12(key, password.encode('utf8')).get_privatekey()
|
||||
return OpenSSLSigner(pkey)
|
||||
|
||||
except ImportError:
|
||||
@ -140,6 +138,7 @@ try:
|
||||
from Crypto.PublicKey import RSA
|
||||
from Crypto.Hash import SHA256
|
||||
from Crypto.Signature import PKCS1_v1_5
|
||||
from Crypto.Util.asn1 import DerSequence
|
||||
|
||||
|
||||
class PyCryptoVerifier(object):
|
||||
@ -181,14 +180,15 @@ try:
|
||||
|
||||
Returns:
|
||||
Verifier instance.
|
||||
|
||||
Raises:
|
||||
NotImplementedError if is_x509_cert is true.
|
||||
"""
|
||||
if is_x509_cert:
|
||||
raise NotImplementedError(
|
||||
'X509 certs are not supported by the PyCrypto library. '
|
||||
'Try using PyOpenSSL if native code is an option.')
|
||||
pemLines = key_pem.replace(' ', '').split()
|
||||
certDer = _urlsafe_b64decode(''.join(pemLines[1:-1]))
|
||||
certSeq = DerSequence()
|
||||
certSeq.decode(certDer)
|
||||
tbsSeq = DerSequence()
|
||||
tbsSeq.decode(certSeq[0])
|
||||
pubkey = RSA.importKey(tbsSeq[6])
|
||||
else:
|
||||
pubkey = RSA.importKey(key_pem)
|
||||
return PyCryptoVerifier(pubkey)
|
||||
@ -230,11 +230,12 @@ try:
|
||||
Raises:
|
||||
NotImplementedError if they key isn't in PEM format.
|
||||
"""
|
||||
if key.startswith('-----BEGIN '):
|
||||
pkey = RSA.importKey(key)
|
||||
parsed_pem_key = _parse_pem_key(key)
|
||||
if parsed_pem_key:
|
||||
pkey = RSA.importKey(parsed_pem_key)
|
||||
else:
|
||||
raise NotImplementedError(
|
||||
'PKCS12 format is not supported by the PyCrpto library. '
|
||||
'PKCS12 format is not supported by the PyCrypto library. '
|
||||
'Try converting to a "PEM" '
|
||||
'(openssl pkcs12 -in xxxxx.p12 -nodes -nocerts > privatekey.pem) '
|
||||
'or using PyOpenSSL if native code is an option.')
|
||||
@ -256,6 +257,23 @@ else:
|
||||
'PyOpenSSL, or PyCrypto 2.6 or later')
|
||||
|
||||
|
||||
def _parse_pem_key(raw_key_input):
|
||||
"""Identify and extract PEM keys.
|
||||
|
||||
Determines whether the given key is in the format of PEM key, and extracts
|
||||
the relevant part of the key if it is.
|
||||
|
||||
Args:
|
||||
raw_key_input: The contents of a private key file (either PEM or PKCS12).
|
||||
|
||||
Returns:
|
||||
string, The actual key if the contents are from a PEM file, or else None.
|
||||
"""
|
||||
offset = raw_key_input.find('-----BEGIN ')
|
||||
if offset != -1:
|
||||
return raw_key_input[offset:]
|
||||
|
||||
|
||||
def _urlsafe_b64encode(raw_bytes):
|
||||
return base64.urlsafe_b64encode(raw_bytes).rstrip('=')
|
||||
|
||||
@ -268,7 +286,7 @@ def _urlsafe_b64decode(b64string):
|
||||
|
||||
|
||||
def _json_encode(data):
|
||||
return simplejson.dumps(data, separators = (',', ':'))
|
||||
return json.dumps(data, separators=(',', ':'))
|
||||
|
||||
|
||||
def make_signed_jwt(signer, payload):
|
||||
@ -286,8 +304,8 @@ def make_signed_jwt(signer, payload):
|
||||
header = {'typ': 'JWT', 'alg': 'RS256'}
|
||||
|
||||
segments = [
|
||||
_urlsafe_b64encode(_json_encode(header)),
|
||||
_urlsafe_b64encode(_json_encode(payload)),
|
||||
_urlsafe_b64encode(_json_encode(header)),
|
||||
_urlsafe_b64encode(_json_encode(payload)),
|
||||
]
|
||||
signing_input = '.'.join(segments)
|
||||
|
||||
@ -318,9 +336,8 @@ def verify_signed_jwt_with_certs(jwt, certs, audience):
|
||||
"""
|
||||
segments = jwt.split('.')
|
||||
|
||||
if (len(segments) != 3):
|
||||
raise AppIdentityError(
|
||||
'Wrong number of segments in token: %s' % jwt)
|
||||
if len(segments) != 3:
|
||||
raise AppIdentityError('Wrong number of segments in token: %s' % jwt)
|
||||
signed = '%s.%s' % (segments[0], segments[1])
|
||||
|
||||
signature = _urlsafe_b64decode(segments[2])
|
||||
@ -328,15 +345,15 @@ def verify_signed_jwt_with_certs(jwt, certs, audience):
|
||||
# Parse token.
|
||||
json_body = _urlsafe_b64decode(segments[1])
|
||||
try:
|
||||
parsed = simplejson.loads(json_body)
|
||||
parsed = json.loads(json_body)
|
||||
except:
|
||||
raise AppIdentityError('Can\'t parse token: %s' % json_body)
|
||||
|
||||
# Check signature.
|
||||
verified = False
|
||||
for (keyname, pem) in certs.items():
|
||||
for _, pem in certs.items():
|
||||
verifier = Verifier.from_string(pem, True)
|
||||
if (verifier.verify(signed, signature)):
|
||||
if verifier.verify(signed, signature):
|
||||
verified = True
|
||||
break
|
||||
if not verified:
|
||||
@ -354,16 +371,15 @@ def verify_signed_jwt_with_certs(jwt, certs, audience):
|
||||
if exp is None:
|
||||
raise AppIdentityError('No exp field in token: %s' % json_body)
|
||||
if exp >= now + MAX_TOKEN_LIFETIME_SECS:
|
||||
raise AppIdentityError(
|
||||
'exp field too far in future: %s' % json_body)
|
||||
raise AppIdentityError('exp field too far in future: %s' % json_body)
|
||||
latest = exp + CLOCK_SKEW_SECS
|
||||
|
||||
if now < earliest:
|
||||
raise AppIdentityError('Token used too early, %d < %d: %s' %
|
||||
(now, earliest, json_body))
|
||||
(now, earliest, json_body))
|
||||
if now > latest:
|
||||
raise AppIdentityError('Token used too late, %d > %d: %s' %
|
||||
(now, latest, json_body))
|
||||
(now, latest, json_body))
|
||||
|
||||
# Check audience.
|
||||
if audience is not None:
|
||||
@ -372,6 +388,6 @@ def verify_signed_jwt_with_certs(jwt, certs, audience):
|
||||
raise AppIdentityError('No aud field in token: %s' % json_body)
|
||||
if aud != audience:
|
||||
raise AppIdentityError('Wrong recipient, %s != %s: %s' %
|
||||
(aud, audience, json_body))
|
||||
(aud, audience, json_body))
|
||||
|
||||
return parsed
|
||||
|
||||
Reference in New Issue
Block a user