Factor metadata interface into a separate module

docs/source/oauth2client.contrib.metadata.rst

@@ -0,0 +1,7 @@
+oauth2client.contrib.metadata module
+====================================
+
+.. automodule:: oauth2client.contrib.metadata
+    :members:
+    :undoc-members:
+    :show-inheritance:

docs/source/oauth2client.contrib.rst

@@ -21,6 +21,7 @@ Submodules
    oauth2client.contrib.gce
    oauth2client.contrib.keyring_storage
    oauth2client.contrib.locked_file
+   oauth2client.contrib.metadata
    oauth2client.contrib.multistore_file
    oauth2client.contrib.xsrfutil
 

oauth2client/contrib/gce.py

@@ -21,25 +21,17 @@
 import logging
 import warnings
 
-import httplib2
-from six.moves import http_client
-from six.moves import urllib
 
 from oauth2client._helpers import _from_bytes
 from oauth2client import util
-from oauth2client.client import HttpAccessTokenRefreshError
 from oauth2client.client import AssertionCredentials
+from oauth2client.contrib import metadata
 
 
 __author__ = '[email protected] (Joe Gregorio)'
 
 logger = logging.getLogger(__name__)
 
-# URI Template for the endpoint that returns access_tokens.
-_METADATA_ROOT = ('http://metadata.google.internal/computeMetadata/v1/'
-                  'instance/service-accounts/default/')
-META = _METADATA_ROOT + 'token'
-_DEFAULT_EMAIL_METADATA = _METADATA_ROOT + 'email'
 _SCOPES_WARNING = """\
 You have requested explicit scopes to be used with a GCE service account.
 Using this argument will have no effect on the actual scopes for tokens
@@ -48,30 +40,6 @@
 """
 
 
-def _get_service_account_email(http_request=None):
-    """Get the GCE service account email from the current environment.
-
-    Args:
-        http_request: callable, (Optional) a callable that matches the method
-                      signature of httplib2.Http.request, used to make
-                      the request to the metadata service.
-
-    Returns:
-        tuple, A pair where the first entry is an optional response (from a
-        failed request) and the second is service account email found (as
-        a string).
-    """
-    if http_request is None:
-        http_request = httplib2.Http().request
-    response, content = http_request(
-        _DEFAULT_EMAIL_METADATA, headers={'Metadata-Flavor': 'Google'})
-    if response.status == http_client.OK:
-        content = _from_bytes(content)
-        return None, content
-    else:
-        return response, content
-
-
 class AppAssertionCredentials(AssertionCredentials):
     """Credentials object for Compute Engine Assertion Grants
 
@@ -105,6 +73,8 @@ def __init__(self, scope='', **kwargs):
         # Assertion type is no longer used, but still in the
         # parent class signature.
         super(AppAssertionCredentials, self).__init__(None)
+
+        # Cache until Metadata Server supports Cache-Control Header
         self._service_account_email = None
 
     @classmethod
@@ -125,21 +95,8 @@ def _refresh(self, http_request):
         Raises:
             HttpAccessTokenRefreshError: When the refresh fails.
         """
-        response, content = http_request(
-            META, headers={'Metadata-Flavor': 'Google'})
-        content = _from_bytes(content)
-        if response.status == http_client.OK:
-            try:
-                token_content = json.loads(content)
-            except Exception as e:
-                raise HttpAccessTokenRefreshError(str(e),
-                                                  status=response.status)
-            self.access_token = token_content['access_token']
-        else:
-            if response.status == http_client.NOT_FOUND:
-                content += (' This can occur if a VM was created'
-                            ' with no service account or scopes.')
-            raise HttpAccessTokenRefreshError(content, status=response.status)
+        self.access_token, self.token_expiry = metadata.get_token(
+            http_request=http_request)
 
     @property
     def serialization_data(self):
@@ -184,11 +141,5 @@ def service_account_email(self):
             Compute Engine metadata service.
         """
         if self._service_account_email is None:
-            failure, email = _get_service_account_email()
-            if failure is None:
-                self._service_account_email = email
-            else:
-                raise AttributeError('Failed to retrieve the email from the '
-                                     'Google Compute Engine metadata service',
-                                     failure, email)
+            self._service_account_email = metadata.get_service_account_info()['email']
         return self._service_account_email

oauth2client/contrib/metadata.py

@@ -0,0 +1,93 @@
+# Copyright 2016 Google Inc. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""Thin wrapper class for talking to the GCE Metadata Server."""
+import datetime
+import httplib2
+import json
+
+from six.moves import http_client
+
+from oauth2client._helpers import _from_bytes
+from oauth2client.client import _UTCNOW
+from oauth2client.client import HttpAccessTokenRefreshError
+
+METADATA_ROOT = 'http://metadata.google.internal/computeMetadata/v1/'
+METADATA_HEADERS = {'Metadata-Flavor': 'Google'}
+
+
+def get(path, recursive=True, http_request=None, root=METADATA_ROOT):
+    if path is None:
+        path = []
+
+    if not http_request:
+        http_request = httplib2.Http().request
+
+    r_string = '/?recursive=true' if recursive else ''
+    full_path = root + '/'.join(path) + r_string
+    response, content = http_request(
+        full_path,
+        headers=METADATA_HEADERS
+    )
+    if response.status == http_client.OK:
+        decoded = _from_bytes(content)
+        if response['content-type'] == 'application/json':
+            return json.loads(decoded)
+        else:
+            return decoded
+    else:
+        msg = (
+            'Failed to retrieve {path} from the Google Compute Engine'
+            'metadata service. Response:\n{error}'
+        ).format(path=full_path, error=response)
+        raise httplib2.HttpLib2Error(msg)
+
+
+def get_service_account_info(service_account='default', http_request=None):
+    """ Get information about a service account from the metadata server.
+    :param service_account: a service account email. Left blank information for
+    the default service account of current compute engine instance will be looked up.
+    :param http_request: callable, a callable that matches the method
+    signature of httplib2.Http.request, used to make
+    the refresh request.
+    :return: A dictionary with information about the specified service account.
+    """
+    return get(
+        ['instance', 'service-accounts', service_account],
+        recursive=True,
+        http_request=http_request
+    )
+
+
+def get_token(service_account='default', http_request=None):
+    """Fetch an OAuth access token from the metadata server
+    :param service_account: a service account email. Left blank information for
+    the default service account of current compute engine instance will be looked up.
+    :param http_request: callable, a callable that matches the method
+    signature of httplib2.Http.request, used to make
+    the refresh request.
+    :return:
+    """
+    try:
+        token_json = get(
+            ['instance', 'service-accounts', service_account, 'token'],
+            recursive=False,
+            http_request=http_request
+        )
+    except httplib2.HttpLib2Error as failed_fetch:
+        raise HttpAccessTokenRefreshError(str(failed_fetch))
+
+    token_expiry = _UTCNOW() + datetime.timedelta(
+        seconds=token_json['expires_in'])
+    return token_json['access_token'], token_expiry