My GAE applications works with Google's Fusion Tables thru Google API. Currently I request authorization each time I should add some data to Fusion Tables:
class TestHandler(webapp2.RequestHandler):
def get(self):
credentials = AppAssertionCredentials(scope='https://www.googleapis.com/auth/fusiontables')
http = credentials.authorize(httplib2.Http(memcache))
service = build('fusiontables', 'v1', http=http)
# addition of the data happens here
But do I really need to do it? Probably I should store authorization data (http?) somewhere? Like memcache? And then re-use it? Then how long the auth data is valid for? Or, is it already done by Google APIs Client Library for Python I use?
Related
I have a private HTTP Google Cloud Function which I'd like to call from an AppEngine app in another project.
Ideally, the AppEngine Service Account would have roles/cloudfunctions.invoker on my Cloud Function, I'd turn off all other invokers, and I wouldn't have to worry about auth at all inside of the CF. I'm struggling to get the AppEngine identity passed along.
Google's docs show how to do this from one Cloud Function to another, but AppEngine instead uses its own identity library to simplify getting access tokens. AppEngine docs outline:
Identity for other AppEngine apps in the same project
Identity for Google APIs
Something seemingly unrelated: verifying a payload's signature
Any way to include the AppEngine identity such that Google's native Cloud Function invoker role will the request through?
For this situation you will need to do the authentication programmatically by yourself.
First you need to add the app engine service account to the Cloud Functions permission.
After that, you need to follow the steps for this situation. Basically you will need to create a JWT, to authorize it and then to include the JWT in your request.
Here you can find a code example for creating and authorising a JWT.
I have reproduced your situation in python. I used the code from the link I have sent to you, and then after I had my JWT alright, I made a request like this :
#app.route('/')
def index():
data = {'headers': request.headers,
'service_name': os.environ.get('GAE_SERVICE', '(running locally)'),
'environment': os.environ}
return render_template('index.html', data=data)
#app.route('/request')
def send_request():
import requests
receiving_function_url = 'YOUR-CLOUD-FUNCT-URL'
r=requests.get("http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token?audience="+receiving_function_url,
headers={'Metadata-Flavor': 'Google'})
response = make_iap_request('YOUR-CLOUD-FUNCTION-URL', 'YOUR-CLOUD-FUNCTION-URL')
print(response)
return response
if __name__ == '__main__':
app.run('127.0.0.1', port=8080, debug=True)
The dependencies you need, in requirements.txt:
flask
PyJWT==1.7.1
cryptography==2.7
google-auth==1.6.3
gunicorn==19.9.0
requests==2.22.0
requests_toolbelt==0.9.1
In this repository you can find more code examples on how to do IAP(Identity Aware Proxy) requests.
I am using the app.yaml's login: admin in handlers to restrict access to my app only to selected Google accounts (which I can edit in IAM). I'm using the python27 standard environment on GAE.
I would like to use the JSON API my app exposes from another server app (not hosted on GAE). Using a service account looks like a straightforward solution, but I am unable to get the scopes or the request itself right, so the endpoint would see an authenticated Google user.
The service-user currently has Project/Viewer role in the IAM. I tried a few more like AppEngine/Viewer, AppEngine/Admin. I also tried some more scopes.
My test code:
"""Try do do an API request to a deployed app
with the current service account.
https://google-auth.readthedocs.io/en/latest/user-guide.html
"""
import sys
from google.auth.transport.requests import AuthorizedSession
from google.oauth2 import service_account
def main():
if len(sys.argv) < 2:
sys.exit("use: %s url" % sys.argv[0])
credentials = service_account.Credentials.from_service_account_file(
'service-user.json')
scoped_credentials = credentials.with_scopes(
['https://www.googleapis.com/auth/cloud-platform.read-only'])
authed_http = AuthorizedSession(scoped_credentials)
response = authed_http.request('GET', sys.argv[1])
print response.status_code, response.reason
print response.text.encode('utf-8')
if __name__ == '__main__':
main()
There is no error, the request behaves like unauthenticated. I checked the headers on the server, and while requesting from the browser there are several session cookies, the AuthorizedSession request contains single Authorization: Bearer .. header.
Normally the roles you would need is App Engine Admin; it's designed for this purpose. It should also work with the viewer/editor/owner primitive roles. That being said, to make sure it's not a "role" issue, simply give it the project owner role and also the explicit App Engine Admin role and try again. This will eliminate any role-based issue.
Let me know if that works for you.
I am using AppEngine Cloud Endpoints with the Javascript client and Google+ Sign In, I am using endpoints.get_current_user(). Is there a way to check if the user is an AppEngine admin? Similar to users.is_current_user_admin() in users API.
Thanks
See Google Endpoints API + Chrome Extension returns None for endpoints.get_current_user().user_id() for a long description of the difference between ID tokens and Bearer tokens when performing auth.
If you aren't using an Android application, you can freely use Bearer tokens and not have to worry about some of the limitations of ID tokens.
Right next get_current_user(), the oauth library provides the oauth.is_current_user_admin() method. Exactly as get_current_user(), this method calls _maybe_call_get_oauth_user and then checks a simple environment variable.
As mentioned in the other answer:
The oauth.get_current_user() call is only expensive IF it makes
the RPC. The _maybe_call_get_oauth_user method stores the value from
the last call, so calling oauth.get_current_user() a second time
will incur no network/speed overhead other than the few nanoseconds to
lookup a value from a Python dict.
So if you are only using Bearer tokens, you could do the following
from google.appengine.api import oauth
from google.appengine.ext import endpoints
...
endpoints_user = endpoints.get_current_user()
if endpoints_user is None:
raise endpoints.UnauthorizedException(...)
is_admin = oauth.is_current_user_admin(known_scope)
if not is_admin:
# Throw a 403 FORBIDDEN
raise endpoints.ForbiddenException(...)
I am implementing Cloud Endpoints with a Python app that uses custom authentication (GAE Sessions) instead of Google Accounts. I need to authenticate the requests coming from the Javascript client, so I would like to have access to the cookie information.
Reading this other question leads me to believe that it is possible, but perhaps not documented. I'm not familiar with the Java side of App Engine, so I'm not quite sure how to translate that snippet into Python. Here is an example of one of my methods:
class EndpointsAPI(remote.Service):
#endpoints.method(Query_In, Donations_Out, path='get/donations',
http_method='GET', name='get.donations')
def get_donations(self, req):
#Authenticate request via cookie
where Query_In and Donations_Out are both ProtoRPC messages (messages.Message). The parameter req in the function is just an instance of Query_In and I didn't find any properties related to HTTP data, however I could be wrong.
First, I would encourage you to try to use OAuth 2.0 from your client as is done in the Tic Tac Toe sample.
Cookies are sent to the server in the Cookie Header and these values are typically set in the WSGI environment with the keys 'HTTP_...' where ... corresponds to the header name:
http = {key: value for key, value in os.environ.iteritems()
if key.lower().startswith('http')}
For cookies, os.getenv('HTTP_COOKIE') will give you the header value you seek. Unfortunately, this doesn't get passed along through Google's API Infrastructure by default.
UPDATE: This has been enabled for Python applications as of version 1.8.0. To send cookies through, specify the following:
from google.appengine.ext.endpoints import api_config
AUTH_CONFIG = api_config.ApiAuth(allow_cookie_auth=True)
#endpoints.api(name='myapi', version='v1', auth=AUTH_CONFIG, ...)
class MyApi(remote.service):
...
This is a (not necessarily comprehensive list) of headers that make it through:
HTTP_AUTHORIZATION
HTTP_REFERER
HTTP_X_APPENGINE_COUNTRY
HTTP_X_APPENGINE_CITYLATLONG
HTTP_ORIGIN
HTTP_ACCEPT_CHARSET
HTTP_ORIGINALMETHOD
HTTP_X_APPENGINE_REGION
HTTP_X_ORIGIN
HTTP_X_REFERER
HTTP_X_JAVASCRIPT_USER_AGENT
HTTP_METHOD
HTTP_HOST
HTTP_CONTENT_TYPE
HTTP_CONTENT_LENGTH
HTTP_X_APPENGINE_PEER
HTTP_ACCEPT
HTTP_USER_AGENT
HTTP_X_APPENGINE_CITY
HTTP_X_CLIENTDETAILS
HTTP_ACCEPT_LANGUAGE
For the Java people who land here. You need to add the following annotation in order to use cookies in endpoints:
#Api(auth = #ApiAuth(allowCookieAuth = AnnotationBoolean.TRUE))
source
(Without that it will work on the local dev server but not on the real GAE instance.)
I have run through the google example of using Authsub to retrieve Google feed data (http://code.google.com/appengine/articles/python/retrieving_gdata_feeds.html)
If I understand correctly, it is possible for a malicious hacker to call the 'next_url' (which google auth service calls with your token) and inject their own token?
Meaning that they could cause the Web apps to write to the Hackers google doc account instead of the authenticated user!
Does anyone know how to secure this url so that only google auth service can call it?
Below is the code I am referring to:
def get(self):
next_url = atom.url.Url('http', settings.HOST_NAME, path='/step1')
# Initialize a client to talk to Google Data API services.
client = gdata.service.GDataService()
gdata.alt.appengine.run_on_appengine(client)
# Generate the AuthSub URL and write a page that includes the link
self.response.out.write("""<html><body>
Request token for the Google Documents Scope
</body></html>""" % client.GenerateAuthSubURL(next_url,
('http://docs.google.com/feeds/',), secure=False, session=True))