Run Rietveld using the AppEngine SDK

modules/rietveld/files/wrapper.py

 #!/usr/bin/env python
 
 from ConfigParser import SafeConfigParser
 import hashlib
 import hmac
 import json
 import os
 import re
 import sys
 import urllib
 
 OAUTH2_AUTHURL = 'https://accounts.google.com/o/oauth2/auth'
 OAUTH2_TOKENURL = 'https://accounts.google.com/o/oauth2/token'
 OAUTH2_DATAURL = 'https://www.googleapis.com/plus/v1/people/me'
 OAUTH2_SCOPE = 'email'
+
+OAUTH2_TOKEN_EXPIRATION = 5 * 60
 
 def setup_paths(engine_dir):
   sys.path.append(engine_dir)
 
   import wrapper_util
   paths = wrapper_util.Paths(engine_dir)
   script_name = os.path.basename(__file__)
   sys.path[0:0] = paths.script_paths(script_name)
   return script_name, paths.script_file(script_name)
 
@@ skipping 54 matching lines @@
       url += '?' + urllib.urlencode(data)
       data = None
     else:
       data = urllib.urlencode(data)
     response = urllib.urlopen(url, data)
     try:
       return json.loads(response.read())
     finally:
       response.close()
 
+  token_cache = {}
   def get_user_info(access_token):
-    get_params = {
-      'access_token': access_token,
-    }
-    data = request('GET', OAUTH2_DATAURL, get_params)
-    emails = [e for e in data.get('emails') if e['type'] == 'account']
-    if not emails:
-      return None, None
-
-    email = emails[0]['value']
-    return email, email in admins
+    email, is_admin, expiration = token_cache.get(access_token, (None, None, 0))
+    now = time.mktime(time.gmtime())
+    if now > expiration:
+      get_params = {
+        'access_token': access_token,
+      }
+      data = request('GET', OAUTH2_DATAURL, get_params)
+      emails = [e for e in data.get('emails') if e['type'] == 'account']
+      if not emails:
+        return None, None
+
+      email = emails[0]['value']
+      is_admin = email in admins
+
+      for token, (_, _, expiration) in token_cache.items():
+        if now > expiration:
+          del token_cache[token]
+      token_cache[access_token] = (email, is_admin, now + OAUTH2_TOKEN_EXPIRATION)
+    return email, is_admin
 
   def get(self):
     def error(text):
       self.response.status = 200
       self.response.headers['Content-Type'] = 'text/plain'
       self.response.write(text.encode('utf-8'))
 
     def redirect(url):
       self.response.status = 302
       self.response.status_message = 'Found'
@@ skipping 46 matching lines @@
       error('Authorization failed: ' + self.request.get('error'))
     else:
       code = self.request.get('code')
       if code:
         login_step2(code, self.request.get('state') or base_url)
       else:
         login_step1(continue_url or base_url)
 
   login.Handler.get = get
 
-  from google.appengine.api.user_service_stub import UserServiceStub
-  from google.appengine.api import user_service_pb
+  from google.appengine.api import user_service_stub, user_service_pb
   from google.appengine.runtime import apiproxy_errors
   def _Dynamic_GetOAuthUser(self, request, response, request_id):
     environ = self.request_data.get_request_environ(request_id)
     match = re.search(r'^OAuth (\S+)', environ.get('HTTP_AUTHORIZATION', ''))
     if not match:
       raise apiproxy_errors.ApplicationError(
           user_service_pb.UserServiceError.OAUTH_INVALID_REQUEST)
 
     email, is_admin = get_user_info(match.group(1))
     if not email:
       raise apiproxy_errors.ApplicationError(
           user_service_pb.UserServiceError.OAUTH_INVALID_TOKEN)
 
+    # User ID is based on email address, see appengine.tools.devappserver2.login
+    user_id_digest = hashlib.md5(email.lower()).digest()
+    user_id = '1' + ''.join(['%02d' % ord(x) for x in user_id_digest])[:20]

[Sebastian Noack, 2015/06/04 21:51:43]

WTF this algorithm, but I suppose we have to use it.

[Wladimir Palant, 2015/06/04 23:19:54]

Luckily, it doesn't seem to matter - Rietveld works only with email addresses,
it doesn't care about user IDs. Otherwise this would be a security hole I think,
generating a collision with user IDs shouldn't be hard.

+
     response.set_email(email)
-    response.set_user_id(0)
-    response.set_auth_domain(environ.get('HTTP_HOST'))
+    response.set_user_id(user_id)
+    response.set_auth_domain(user_service_stub._DEFAULT_AUTH_DOMAIN)
     response.set_is_admin(is_admin)
     response.set_client_id(client_id)
     response.add_scopes(OAUTH2_SCOPE)
 
-  UserServiceStub._Dynamic_GetOAuthUser = _Dynamic_GetOAuthUser
+  user_service_stub.UserServiceStub._Dynamic_GetOAuthUser = _Dynamic_GetOAuthUser
 
 
 if __name__ == '__main__':
   engine_dir = '/opt/google_appengine'
   storage_path = '/var/lib/rietveld'
 
   script_name, script_file = setup_paths(engine_dir)
   adjust_server_id()
   fix_request_scheme()
 
   if script_name == 'dev_appserver.py':
     config = read_config(os.path.join(storage_path, 'config.ini'))
 
     set_storage_path(storage_path)
     replace_runtime()
     protect_cookies(config.get('main', 'cookie_secret'))
     enable_oauth2(
       config.get('oauth2', 'client_id'),
       config.get('oauth2', 'client_secret'),
       config.get('main', 'admins').split()
     )
 
   execfile(script_file)