This repository has been archived by the owner on Jan 18, 2025. It is now read-only.

Update GCE AppAssertionCredentials #476

Closed
wants to merge 39 commits into from

elibixby
Contributor

This provides several much-needed updates to GCE App Assertion Credentials:

  1. Properly populates token expiry
  2. Retrieves credentials scopes from the metadata server
  3. Allows credentials to use custom service accounts by providing an optional email field
  4. Implements serialization/deserialization for this email field
  5. Provides a project_id property using metadata server in preparation for a pull request addressing "Allow GCE credentials to sign blobs" (#471)

* Now tracks Token Expire times
* Adds project_id property in preparation for googleapis#471 PR
* Allows usage of custom service accounts from GCE in accordance with
  the [beta capabilities](https://cloud.google.com/compute/docs/authentication#createcutomserviceaccount)
* Now properly knows scopes of the service account
# used by this class.
self.scope = util.scopes_to_string(scope)

self.scopes = None
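
Review bot: `self.scopes = None` next to `self.scope` gives the class two attributes one letter apart, and a caller that reads `scopes` before a refresh cannot tell `None` apart from "this account has no scopes". Keep a single attribute, or make `scopes` a property that fetches on first access, and document which one callers should rely on for authorization decisions.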


@elibixby
Contributor Author

I am still in the process of adding tests for this PR. Do Not Merge.

* consolidates requests for email field
* provides an "expiresAt" field

Will revert to v1 endpoint if GCE eng team says that there are plans to
deprecate 0.1

Additionally made scopes an `@property` to avoid false readings of no
scopes
'instance/service-accounts/default/')
META = _METADATA_ROOT + 'token'
_DEFAULT_EMAIL_METADATA = _METADATA_ROOT + 'email'
_METADATA_ROOT = 'http://metadata.google.internal/0.1/meta-data'
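
Review bot: as shown, `_METADATA_ROOT` is assigned after `META` and `_DEFAULT_EMAIL_METADATA` concatenate onto it, and the value `'http://metadata.google.internal/0.1/meta-data'` has no trailing slash, so `_METADATA_ROOT + 'token'` would produce `.../meta-datatoken`. Define the root first, end it with `/` (or join the path segments explicitly), and add a comment saying why the `0.1` endpoint is pinned, since the commit message already anticipates reverting to v1.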


* added a service_account_info property with more detailed information
  and to share code between service_account_email and _refresh_scopes

@property
def serialization_data(self):
return self.service_account_info
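
Review bot: `serialization_data` returns `self.service_account_info` directly, so everything that property holds becomes the serialized form and the caller receives the same object the credentials use internally. Return a copy restricted to the fields deserialization needs (the description mentions only the email field) and add a docstring listing them.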


@coveralls

Coverage Status

Coverage decreased (-0.02%) to 97.544% when pulling ae03714 on elibixby:master into 3ca2ca7 on google:master.

@coveralls

Coverage Status

Coverage decreased (-0.02%) to 97.544% when pulling eed5f04 on elibixby:master into 3ca2ca7 on google:master.

@coveralls

Coverage Status

Coverage increased (+0.01%) to 97.577% when pulling d2f1bbb on elibixby:master into 3ca2ca7 on google:master.

return False
self.access_token, self.token_expiry = _get_access_token(
http_request,
self._service_account_info['email']
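
Review bot: `self._service_account_info['email']` is indexed without a guard in the refresh path, so a missing or not-yet-populated entry surfaces as a `KeyError` instead of a credentials error. Check for the key (or go through the public `service_account_info` property) before calling `_get_access_token`, and validate a caller-supplied email before passing it on.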


@nathanielmanistaatgoogle
Contributor

Be prepared at the end of the review to squash commits.

@elibixby
Contributor Author

elibixby commented Apr 1, 2016

https://github.com/blog/2141-squash-your-commits

Is this option available to you now? Or do I still have to manually squash?

@nathanielmanistaatgoogle
Contributor

A repository setting to require all pull requests to be one commit each probably is available to us, but I'm not sure that we'd want to enable it for all changes. Some are still appropriate to be done in multiple commits.

@@ -16,60 +16,117 @@

Utilities for making it easier to use OAuth 2.0 on Google Compute Engine.
"""


elibixby added 2 commits April 4, 2016 16:52
* Remove deserialization arg from constructor
@elibixby
Contributor Author

elibixby commented Apr 5, 2016

@nathanielmanistaatgoogle Fixes pushed


__author__ = '[email protected] (Joe Gregorio)'

logger = logging.getLogger(__name__)

# URI Template for the endpoint that returns access_tokens.
_METADATA_ROOT = ('http://metadata.google.internal/computeMetadata/v1/'
'instance/service-accounts/default/')
META = _METADATA_ROOT + 'token'
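
Review bot: `_METADATA_ROOT` ends in `service-accounts/default/`, which hard-codes the default account while this PR adds support for custom service account emails. Stop the root at `service-accounts/` and append the account segment where the request is built; `META` would also be clearer under a descriptive private name, in line with `_DEFAULT_EMAIL_METADATA`.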


@elibixby
Contributor Author

elibixby commented Apr 5, 2016

@nathanielmanistaatgoogle More fixes.

@elibixby
Contributor Author

@nathanielmanistaatgoogle @dhermes Bump.

@elibixby
Contributor Author

After discussion with @jonparrott I'm going to break this into 3 smaller PRs:

  • add a metadata module that takes care of caching paths
  • Move gce.AppAssertionCredentials to use the metadata module
  • Add credentials.scopes and support for custom emails
