Add IAM signer #108

Merged
merged 2 commits into from
Feb 16, 2017

theacodes
Contributor

/cc @matthewg

@theacodes
Contributor Author

FYI to @elibixby as well.

The IAM API signs bytes using Google-managed keys. Because of this
it's possible that the key used to sign bytes will change. In some
cases this change can occur between successive calls to :attr:`key_id`
and :meth:`sign`. This could result in a signature that was signed


- https://www.googleapis.com/auth/iam
- https://www.googleapis.com/auth/cloud-platform
service_account_email (str): The service account email to use to

- https://www.googleapis.com/auth/cloud-platform
service_account_email (str): The service account email to use to
sign bytes. Often, this can be the same as the service account
email in the given credentials.

method = 'POST'
url = (
'https://iam.googleapis.com/v1/projects/-/serviceAccounts/{}'
':signBlob?alt=json').format(self._service_account_email)
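
Review bot: In the `url = (...)` expression, `self._service_account_email` is interpolated into the URL path with `.format()` and no escaping, so a value containing `/`, `?` or `#` would change which resource the signing request addresses. Percent-encode the email before formatting it in (for example `urllib.parse.quote(email, safe='')`), or validate it when the signer is constructed.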

':signBlob?alt=json').format(self._service_account_email)
headers = {}
body = json.dumps({
'bytesToSign': base64.b64encode(message).decode('utf-8')

response.data))

data = json.loads(response.data.decode('utf-8'))
return data

.. note::
This makes an API request to the IAM API.
"""
response = self._make_signing_request('')
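
Review bot: `self._make_signing_request('')` passes a text string, while the request body shown in the earlier hunk is built with `base64.b64encode(message)`, which on Python 3 accepts only bytes-like input. Pass `b''` here, or convert `message` to bytes at the top of `_make_signing_request`, so every caller is covered.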



def make_credentials():
class CredentialsImpl(google.auth.credentials.Credentials):

return CredentialsImpl()


class TestSigner(object):

assert returned_signature == signature

def test_sign_bytes_failure(self):
request = make_request(401)

response = self._request(
url=url, method=method, body=body, headers=headers)

if response.status != http_client.OK:

@theacodes
Contributor Author

theacodes commented Feb 16, 2017 via email

@lukesneeringer

Is there any risk of that changing? Cards on table: I usually do status < 400 for this kind of check, since it seems more future-proof.

If you are pretty sure that everything returned from the IAM API will always be 200 for a success case, though, then this is good to go.

@theacodes
Contributor Author

> If you are pretty sure that everything returned from the IAM API will always be 200 for a success case, though, then this is good to go.

I feel like any change in that behavior should necessitate a change in our code. I also don't think they'll mess with it.
