Run Rietveld using the AppEngine SDK

modules/rietveld/files/wrapper.py

 #!/usr/bin/env python
 
+from ConfigParser import SafeConfigParser
 import hashlib
 import hmac
 import json
 import os
 import re
 import sys
 import urllib
+
+OAUTH2_AUTHURL = 'https://accounts.google.com/o/oauth2/auth'
+OAUTH2_TOKENURL = 'https://accounts.google.com/o/oauth2/token'
+OAUTH2_DATAURL = 'https://www.googleapis.com/plus/v1/people/me'
+OAUTH2_SCOPE = 'email'
+
+OAUTH2_TOKEN_EXPIRATION = 5 * 60
 
 def setup_paths(engine_dir):
   sys.path.append(engine_dir)
 
   import wrapper_util
   paths = wrapper_util.Paths(engine_dir)
   script_name = os.path.basename(__file__)
   sys.path[0:0] = paths.script_paths(script_name)

[Sebastian Noack, 2015/06/02 21:32:06]

Nit: sys.path.insert(0, ..)

[Wladimir Palant, 2015/06/03 15:42:35]

The App Engine is inserting tons of paths here, not just one. This code matches
what its own wrappers are doing.

[Sebastian Noack, 2015/06/03 15:58:49]

Sorry, just realized that you insert multiple items not only one here. So yeah,
this is the way to do it.

   return script_name, paths.script_file(script_name)
 
 def adjust_server_id():
   from google.appengine.tools.devappserver2 import http_runtime_constants
   http_runtime_constants.SERVER_SOFTWARE = 'Production/2.0'
 
 def fix_request_scheme():
   from google.appengine.runtime.wsgi import WsgiRequest
   orig_init = WsgiRequest.__init__
   def __init__(self, *args):
     orig_init(self, *args)
     self._environ['wsgi.url_scheme'] = self._environ.get('HTTP_X_FORWARDED_PROTO', 'http')
     self._environ['HTTPS'] = 'on' if self._environ['wsgi.url_scheme'] == 'https' else 'off'
   WsgiRequest.__init__ = __init__
 
+def read_config(path):
+  config = SafeConfigParser()
+  config.read(path)
+  return config
+
 def set_storage_path(storage_path):
   sys.argv.extend(['--storage_path', storage_path])
 
 def replace_runtime():
   from google.appengine.tools.devappserver2 import python_runtime
   runtime_path = os.path.join(os.path.dirname(os.path.abspath(__file__)), '_python_runtime.py')
   python_runtime._RUNTIME_PATH = runtime_path
   python_runtime._RUNTIME_ARGS = [sys.executable, runtime_path]
 
-def protect_cookies(secret_path):
+def protect_cookies(cookie_secret):
   from google.appengine.tools.devappserver2 import login
 
-  with open(secret_path) as file:
-    cookie_secret = file.read().strip()
-
-  def calculate_signature(str):

[Sebastian Noack, 2015/06/02 21:32:06]

Nit: Please don't override built-in symbols like "str".

[Wladimir Palant, 2015/06/03 15:42:35]

Interesting that you seem to be fine with overriding "file" but not with
overriding "str" :)

[Sebastian Noack, 2015/06/03 15:58:49]

I just waited for the day, you notice that. ;P The reason is that "file" is
deprecated and in fact gone in Python 3. So since you should never use the
global "file" anyway, it's fine to use it as local variable name.

-    return hmac.new(cookie_secret, str, hashlib.sha256).hexdigest()
+  def calculate_signature(message):
+    return hmac.new(cookie_secret, message, hashlib.sha256).hexdigest()
 
   def _get_user_info_from_dict(cookie_dict, cookie_name=login._COOKIE_NAME):
     cookie_value = cookie_dict.get(cookie_name, '')
 
     email, admin, user_id, signature = (cookie_value.split(':') + ['', '', '', ''])[:4]
     if '@' not in email or signature != calculate_signature(':'.join([email, admin, user_id])):
       return '', False, ''
     return email, (admin == 'True'), user_id
   login._get_user_info_from_dict = _get_user_info_from_dict
 
   orig_create_cookie_data = login._create_cookie_data
   def _create_cookie_data(email, admin):
     result = orig_create_cookie_data(email, admin)
     result += ':' + calculate_signature(result)
     return result
   login._create_cookie_data = _create_cookie_data
 
-def enable_oauth2():
+def enable_oauth2(client_id, client_secret, admins):
   from google.appengine.tools.devappserver2 import login
 
+  def request(method, url, data):
+    if method != 'POST':
+      url += '?' + urllib.urlencode(data)
+      data = None
+    else:
+      data = urllib.urlencode(data)
+    response = urllib.urlopen(url, data)
+    try:
+      return json.loads(response.read())
+    finally:
+      response.close()
+
+  token_cache = {}
+  def get_user_info(access_token):
+    email, is_admin, expiration = token_cache.get(access_token, (None, None, 0))
+    now = time.mktime(time.gmtime())
+    if now > expiration:
+      get_params = {
+        'access_token': access_token,
+      }
+      data = request('GET', OAUTH2_DATAURL, get_params)
+      emails = [e for e in data.get('emails') if e['type'] == 'account']
+      if not emails:
+        return None, None
+
+      email = emails[0]['value']
+      is_admin = email in admins
+
+      for token, (_, _, expiration) in token_cache.items():
+        if now > expiration:
+          del token_cache[token]
+      token_cache[access_token] = (email, is_admin, now + OAUTH2_TOKEN_EXPIRATION)
+    return email, is_admin
+
   def get(self):
-    action = self.request.get(login.ACTION_PARAM)
-    continue_url = self.request.get(login.CONTINUE_PARAM)
-    continue_url = re.sub(r'^http:', 'https:', continue_url)
-
-    base_url = 'https://%s/' % self.request.environ['HTTP_HOST']
-
-    client_id = '513968628653-95pc63l111it9srihkktkjuvv82ub17s.apps.googleusercontent.com'
-    client_secret = 'G6mHhxjv48gwNSshSyXmNCLi'
-
     def error(text):
       self.response.status = 200
       self.response.headers['Content-Type'] = 'text/plain'
       self.response.write(text.encode('utf-8'))
 
     def redirect(url):
       self.response.status = 302
       self.response.status_message = 'Found'
       self.response.headers['Location'] = url.encode('utf-8')
 
+    def logout(continue_url):
+      self.response.headers['Set-Cookie'] = login._clear_user_info_cookie()
+      redirect(continue_url)
+
+    def login_step1(continue_url):
+      # See https://stackoverflow.com/questions/10271110/python-oauth2-login-with-google
+      authorize_params = {
+        'response_type': 'code',
+        'client_id': client_id,
+        'redirect_uri': base_url + login.LOGIN_URL_RELATIVE,
+        'scope': OAUTH2_SCOPE,
+        'state': continue_url,
+      }
+      redirect(OAUTH2_AUTHURL + '?' + urllib.urlencode(authorize_params))
+
+    def login_step2(code, continue_url):
+      token_params = {
+        'code': code,
+        'client_id': client_id,
+        'client_secret': client_secret,
+        'redirect_uri': base_url + login.LOGIN_URL_RELATIVE,
+        'grant_type':'authorization_code',
+      }
+      data = request('POST', OAUTH2_TOKENURL, token_params)
+      token = data.get('access_token')
+      if not token:
+        error('No token in response: ' + str(data))
+        return
+
+      email, is_admin = get_user_info(token)
+      if not email:
+        error('No email address in response: ' + str(data))
+        return
+      self.response.headers['Set-Cookie'] = login._set_user_info_cookie(email, is_admin)
+      redirect(continue_url)
+
+    action = self.request.get(login.ACTION_PARAM)
+    continue_url = self.request.get(login.CONTINUE_PARAM)
+    continue_url = re.sub(r'^http:', 'https:', continue_url)
+    base_url = 'https://%s/' % self.request.environ['HTTP_HOST']
+
     if action.lower() == login.LOGOUT_ACTION.lower():
-      self.response.headers['Set-Cookie'] = login._clear_user_info_cookie()
-      redirect(continue_url or base_url)

[Sebastian Noack, 2015/06/02 21:32:06]

It seems inconsistent that you return after error(), but use if/else when
calling redirect().

[Wladimir Palant, 2015/06/03 15:42:35]

Not really, the three branches here represent the functions implemented: logout,
finalize login, start login. Using returns here would make the logic confusing.
I've split up the logic into functions to make that more obvious.

[Sebastian Noack, 2015/06/03 15:58:49]

Fair enough.

+      logout(continue_url or base_url)
+    elif self.request.get('error'):
+      error('Authorization failed: ' + self.request.get('error'))
     else:
-      # See https://stackoverflow.com/questions/10271110/python-oauth2-login-with-google
-      if self.request.get('error'):
-        error('Authorization failed: ' + self.request.get('error'))
-        return
-
       code = self.request.get('code')
       if code:
-        # User is back and authorized
-        token_params = {
-          'code': code,
-          'client_id': client_id,
-          'client_secret': client_secret,
-          'redirect_uri': base_url + login.LOGIN_URL_RELATIVE,
-          'grant_type':'authorization_code',
-        }
-        data = urllib.urlopen('https://accounts.google.com/o/oauth2/token', urllib.urlencode(token_params)).read()

[Sebastian Noack, 2015/06/02 21:41:06]

Please close the file-like object returned by urlopen().

[Wladimir Palant, 2015/06/03 15:42:35]

Done.

-        token = json.loads(data).get('access_token')
-        if not token:
-          error('No token in response: ' + data)
-          return
-
-        get_params = {
-          'access_token': token,
-        }
-        data = urllib.urlopen('https://www.googleapis.com/plus/v1/people/me?' + urllib.urlencode(get_params)).read()
-        emails = filter(lambda e: e["type"] == "account", json.loads(data).get('emails'))

[Sebastian Noack, 2015/06/02 21:32:06]

I'd rather use a list comprehension here.

[Wladimir Palant, 2015/06/03 15:42:35]

Done.

-        if not emails:
-          error('No email address in response: ' + data)
-          return
-
-        self.response.headers['Set-Cookie'] = login._set_user_info_cookie(emails[0]["value"], False)
-        redirect(self.request.get('state') or base_url)
+        login_step2(code, self.request.get('state') or base_url)
       else:
-        # User needs to authorize first
-        authorize_params = {
-          'response_type': 'code',
-          'client_id': client_id,
-          'redirect_uri': base_url + login.LOGIN_URL_RELATIVE,
-          'scope': 'email',
-          'state': continue_url,
-        }
-        redirect('https://accounts.google.com/o/oauth2/auth?' + urllib.urlencode(authorize_params))

[Sebastian Noack, 2015/06/02 21:32:06]

How about a global for 'https://accounts.google.com/o/oauth2/'?

[Wladimir Palant, 2015/06/03 15:42:35]

Done.

+        login_step1(continue_url or base_url)
 
   login.Handler.get = get
+
+  from google.appengine.api import user_service_stub, user_service_pb
+  from google.appengine.runtime import apiproxy_errors
+  def _Dynamic_GetOAuthUser(self, request, response, request_id):
+    environ = self.request_data.get_request_environ(request_id)
+    match = re.search(r'^OAuth (\S+)', environ.get('HTTP_AUTHORIZATION', ''))
+    if not match:
+      raise apiproxy_errors.ApplicationError(
+          user_service_pb.UserServiceError.OAUTH_INVALID_REQUEST)
+
+    email, is_admin = get_user_info(match.group(1))
+    if not email:
+      raise apiproxy_errors.ApplicationError(
+          user_service_pb.UserServiceError.OAUTH_INVALID_TOKEN)
+
+    # User ID is based on email address, see appengine.tools.devappserver2.login
+    user_id_digest = hashlib.md5(email.lower()).digest()
+    user_id = '1' + ''.join(['%02d' % ord(x) for x in user_id_digest])[:20]

[Sebastian Noack, 2015/06/04 21:51:43]

WTF this algorithm, but I suppose we have to use it.

[Wladimir Palant, 2015/06/04 23:19:54]

Luckily, it doesn't seem to matter - Rietveld works only with email addresses,
it doesn't care about user IDs. Otherwise this would be a security hole I think,
generating a collision with user IDs shouldn't be hard.

+
+    response.set_email(email)
+    response.set_user_id(user_id)
+    response.set_auth_domain(user_service_stub._DEFAULT_AUTH_DOMAIN)
+    response.set_is_admin(is_admin)
+    response.set_client_id(client_id)
+    response.add_scopes(OAUTH2_SCOPE)
+
+  user_service_stub.UserServiceStub._Dynamic_GetOAuthUser = _Dynamic_GetOAuthUser
 
 
 if __name__ == '__main__':
   engine_dir = '/opt/google_appengine'
   storage_path = '/var/lib/rietveld'
 
   script_name, script_file = setup_paths(engine_dir)
   adjust_server_id()
   fix_request_scheme()
 
   if script_name == 'dev_appserver.py':
+    config = read_config(os.path.join(storage_path, 'config.ini'))
+
     set_storage_path(storage_path)
     replace_runtime()
-    protect_cookies(os.path.join(storage_path, 'cookie_secret'))
-    enable_oauth2()
+    protect_cookies(config.get('main', 'cookie_secret'))
+    enable_oauth2(
+      config.get('oauth2', 'client_id'),
+      config.get('oauth2', 'client_secret'),
+      config.get('main', 'admins').split()
+    )
 
   execfile(script_file)