Implementation for reauth credentials (google#2)

Author: dariakashcha

.coveragerc

@@ -9,3 +9,4 @@ exclude_lines =
     pragma: NO COVER
     # Ignore debug-only repr
     def __repr__
+    pass

google_reauth/_helpers.py

@@ -0,0 +1,44 @@
+# Copyright 2017 Google Inc. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import getpass
+import sys
+
+
+def get_user_password(text):
+    """Get password from user.
+
+    Override this function with a different logic if you are using this library
+    outside a CLI.
+
+    Args:
+        text: message for the password prompt.
+
+    Returns: password string.
+    """
+    return getpass.getpass(text)
+
+
+def is_interactive():
+    """Check if we are in an interractive environment.
+
+    If the rapt token needs refreshing, the user needs to answer the
+    challenges.
+    If the user is not in an interractive environment, the challenges can not
+    be answered and we just wait for timeout for no reason.
+
+    Returns: True if is interactive environment, False otherwise.
+    """
+
+    return sys.stdin.isatty()

google_reauth/_reauth_client.py

@@ -0,0 +1,148 @@
+# Copyright 2018 Google Inc. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""Client for interacting with the Reauth HTTP API.
+
+This module provides the ability to do the following with the API:
+
+1. Get a list of challenges needed to obtain additional authorization.
+2. Send the result of the challenge to obtain a rapt token.
+3. A modified version of the standard OAuth2.0 refresh grant that takes a rapt
+   token.
+"""
+
+import json
+
+from six.moves import urllib
+
+from google_reauth import errors
+
+_REAUTH_API = 'https://reauth.googleapis.com/v2/sessions'
+
+
+def _handle_errors(msg):
+    """Raise an exception if msg has errors.
+
+    Args:
+        msg: parsed json from http response.
+
+    Returns: input response.
+    Raises: ReauthAPIError
+    """
+    if 'error' in msg:
+        raise errors.ReauthAPIError(msg['error']['message'])
+    return msg
+
+
+def _endpoint_request(http_request, path, body, access_token):
+    _, content = http_request(
+        uri='{0}{1}'.format(_REAUTH_API, path),
+        method='POST',
+        body=json.dumps(body),
+        headers={'Authorization': 'Bearer {0}'.format(access_token)}
+    )
+    response = json.loads(content)
+    _handle_errors(response)
+    return response
+
+
+def get_challenges(
+        http_request, supported_challenge_types, access_token,
+        requested_scopes=None):
+    """Does initial request to reauth API to get the challenges.
+
+    Args:
+        http_request (Callable): callable to run http requests. Accepts uri,
+            method, body and headers. Returns a tuple: (response, content)
+        supported_challenge_types (Sequence[str]): list of challenge names
+            supported by the manager.
+        access_token (str): Access token with reauth scopes.
+        requested_scopes (list[str]): Authorized scopes for the credentials.
+
+    Returns:
+        dict: The response from the reauth API.
+    """
+    body = {'supportedChallengeTypes': supported_challenge_types}
+    if requested_scopes:
+        body['oauthScopesForDomainPolicyLookup'] = requested_scopes
+
+    return _endpoint_request(
+        http_request, ':start', body, access_token)
+
+
+def send_challenge_result(
+        http_request, session_id, challenge_id, client_input, access_token):
+    """Attempt to refresh access token by sending next challenge result.
+
+    Args:
+        http_request (Callable): callable to run http requests. Accepts uri,
+            method, body and headers. Returns a tuple: (response, content)
+        session_id (str): session id returned by the initial reauth call.
+        challenge_id (str): challenge id returned by the initial reauth call.
+        client_input: dict with a challenge-specific client input. For example:
+            ``{'credential': password}`` for password challenge.
+        access_token (str): Access token with reauth scopes.
+
+    Returns:
+        dict: The response from the reauth API.
+    """
+    body = {
+        'sessionId': session_id,
+        'challengeId': challenge_id,
+        'action': 'RESPOND',
+        'proposalResponse': client_input,
+    }
+
+    return _endpoint_request(
+        http_request, '/{0}:continue'.format(session_id), body, access_token)
+
+
+def refresh_grant(
+        http_request, client_id, client_secret, refresh_token,
+        token_uri, scopes=None, rapt=None, headers={}):
+    """Implements the OAuth 2.0 Refresh Grant with the addition of the reauth
+    token.
+
+    Args:
+        http_request (Callable): callable to run http requests. Accepts uri,
+            method, body and headers. Returns a tuple: (response, content)
+        client_id (str): client id to get access token for reauth scope.
+        client_secret (str): client secret for the client_id
+        refresh_token (str): refresh token to refresh access token
+        token_uri (str): uri to refresh access token
+        scopes (str): scopes required by the client application as a
+            comma-joined list.
+        rapt (str): RAPT token
+        headers (dict): headers for http request
+
+    Returns:
+        Tuple[str, dict]: http response and parsed response content.
+    """
+    parameters = {
+        'grant_type': 'refresh_token',
+        'client_id': client_id,
+        'client_secret': client_secret,
+        'refresh_token': refresh_token,
+        'scope': scopes,
+        'rapt': rapt,
+    }
+
+    body = urllib.parse.urlencode(parameters)
+
+    response, content = http_request(
+        uri=token_uri,
+        method='POST',
+        body=body,
+        headers=headers)
+    return response, content

google_reauth/challenges.py

@@ -0,0 +1,132 @@
+# Copyright 2017 Google Inc. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import abc
+import base64
+import sys
+
+import pyu2f.convenience.authenticator
+import pyu2f.errors
+import pyu2f.model
+import six
+
+from google_reauth import _helpers
+
+
+REAUTH_ORIGIN = 'https://accounts.google.com'
+
+
+@six.add_metaclass(abc.ABCMeta)
+class ReauthChallenge(object):
+    """Base class for reauth challenges."""
+
+    @property
+    @abc.abstractmethod
+    def name(self):
+        """Returns the name of the challenge."""
+        pass
+
+    @property
+    @abc.abstractmethod
+    def is_locally_eligible(self):
+        """Returns true if a challenge is supported locally on this machine."""
+        pass
+
+    @abc.abstractmethod
+    def obtain_challenge_input(self, metadata):
+        """Performs logic required to obtain credentials and returns it.
+
+        Args:
+            metadata: challenge metadata returned in the 'challenges' field in
+                the initial reauth request. Includes the 'challengeType' field
+                and other challenge-specific fields.
+
+        Returns:
+            response that will be send to the reauth service as the content of
+            the 'proposalResponse' field in the request body. Usually a dict
+            with the keys specific to the challenge. For example,
+            {'credential': password} for password challenge.
+        """
+        pass
+
+
+class PasswordChallenge(ReauthChallenge):
+    """Challenge that asks for user's password."""
+
+    @property
+    def name(self):
+        return 'PASSWORD'
+
+    @property
+    def is_locally_eligible(self):
+        return True
+
+    def obtain_challenge_input(self, unused_metadata):
+        passwd = _helpers.get_user_password('Please enter your password:')
+        if not passwd:
+            passwd = ' '  # avoid the server crashing in case of no password :D
+        return {'credential': passwd}
+
+
+class SecurityKeyChallenge(ReauthChallenge):
+    """Challenge that asks for user's security key touch."""
+
+    @property
+    def name(self):
+        return 'SECURITY_KEY'
+
+    @property
+    def is_locally_eligible(self):
+        return True
+
+    def obtain_challenge_input(self, metadata):
+        sk = metadata['securityKey']
+        challenges = sk['challenges']
+        app_id = sk['applicationId']
+
+        challenge_data = []
+        for c in challenges:
+            kh = c['keyHandle'].encode('ascii')
+            key = pyu2f.model.RegisteredKey(
+                bytearray(base64.urlsafe_b64decode(kh)))
+            challenge = c['challenge'].encode('ascii')
+            challenge = base64.urlsafe_b64decode(challenge)
+            challenge_data.append({'key': key, 'challenge': challenge})
+
+        try:
+            api = pyu2f.convenience.authenticator.CreateCompositeAuthenticator(
+                REAUTH_ORIGIN)
+            response = api.Authenticate(app_id, challenge_data,
+                                        print_callback=sys.stderr.write)
+            return {'securityKey': response}
+        except pyu2f.errors.U2FError as e:
+            if e.code == pyu2f.errors.U2FError.DEVICE_INELIGIBLE:
+                sys.stderr.write('Ineligible security key.\n')
+            elif e.code == pyu2f.errors.U2FError.TIMEOUT:
+                sys.stderr.write(
+                    'Timed out while waiting for security key touch.\n')
+            else:
+                raise e
+        except pyu2f.errors.NoDeviceFoundError:
+            sys.stderr.write('No security key found.\n')
+        return None
+
+
+AVAILABLE_CHALLENGES = {
+    challenge.name: challenge
+    for challenge in [
+        SecurityKeyChallenge(),
+        PasswordChallenge()
+    ]
+}

google_reauth/errors.py

@@ -0,0 +1,62 @@
+# Copyright 2017 Google Inc. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""A module that provides rapt authentication errors."""
+
+
+class ReauthError(Exception):
+    """Base exception for reauthentication."""
+    pass
+
+
+class HttpAccessTokenRefreshError(Exception):
+    """Error (with HTTP status) trying to refresh an expired access token."""
+    def __init__(self, message, status=None):
+        super(HttpAccessTokenRefreshError, self).__init__(message)
+        self.status = status
+
+
+class ReauthUnattendedError(ReauthError):
+    """An exception for when reauth cannot be answered."""
+
+    def __init__(self):
+        super(ReauthUnattendedError, self).__init__(
+            'Reauthentication challenge could not be answered because you are '
+            'not in an interactive session.')
+
+
+class ReauthFailError(ReauthError):
+    """An exception for when reauth failed."""
+
+    def __init__(self, message=None):
+        super(ReauthFailError, self).__init__(
+            'Reauthentication challenge failed. {0}'.format(message))
+
+
+class ReauthAPIError(ReauthError):
+    """An exception for when reauth API returned something we can't handle."""
+
+    def __init__(self, api_error):
+        super(ReauthAPIError, self).__init__(
+            'Reauthentication challenge failed due to API error: {0}.'.format(
+                api_error))
+
+
+class ReauthAccessTokenRefreshError(ReauthError):
+    """An exception for when we can't get an access token for reauth."""
+
+    def __init__(self, message=None, status=None):
+        super(ReauthAccessTokenRefreshError, self).__init__(
+            'Failed to get an access token for reauthentication. {0}'.format(
+                message))
+        self.status = status