Run Rietveld using the AppEngine SDK

modules/rietveld/files/wrapper.py

Index: modules/rietveld/files/wrapper.py
===================================================================
new file mode 100644
--- /dev/null
+++ b/modules/rietveld/files/wrapper.py
@@ -0,0 +1,154 @@
+#!/usr/bin/env python
+
+import hashlib
+import hmac
+import json
+import os
+import re
+import sys
+import urllib
+
+def setup_paths(engine_dir):
+  sys.path.append(engine_dir)
+
+  import wrapper_util
+  paths = wrapper_util.Paths(engine_dir)
+  script_name = os.path.basename(__file__)
+  sys.path[0:0] = paths.script_paths(script_name)

[Sebastian Noack, 2015/06/02 21:32:06]

Nit: sys.path.insert(0, ..)

[Wladimir Palant, 2015/06/03 15:42:35]

The App Engine is inserting tons of paths here, not just one. This code matches
what its own wrappers are doing.

[Sebastian Noack, 2015/06/03 15:58:49]

Sorry, just realized that you insert multiple items not only one here. So yeah,
this is the way to do it.

+  return script_name, paths.script_file(script_name)
+
+def adjust_server_id():
+  from google.appengine.tools.devappserver2 import http_runtime_constants
+  http_runtime_constants.SERVER_SOFTWARE = 'Production/2.0'
+
+def fix_request_scheme():
+  from google.appengine.runtime.wsgi import WsgiRequest
+  orig_init = WsgiRequest.__init__
+  def __init__(self, *args):
+    orig_init(self, *args)
+    self._environ['wsgi.url_scheme'] = self._environ.get('HTTP_X_FORWARDED_PROTO', 'http')
+    self._environ['HTTPS'] = 'on' if self._environ['wsgi.url_scheme'] == 'https' else 'off'
+  WsgiRequest.__init__ = __init__
+
+def set_storage_path(storage_path):
+  sys.argv.extend(['--storage_path', storage_path])
+
+def replace_runtime():
+  from google.appengine.tools.devappserver2 import python_runtime
+  runtime_path = os.path.join(os.path.dirname(os.path.abspath(__file__)), '_python_runtime.py')
+  python_runtime._RUNTIME_PATH = runtime_path
+  python_runtime._RUNTIME_ARGS = [sys.executable, runtime_path]
+
+def protect_cookies(secret_path):
+  from google.appengine.tools.devappserver2 import login
+
+  with open(secret_path) as file:
+    cookie_secret = file.read().strip()
+
+  def calculate_signature(str):

[Sebastian Noack, 2015/06/02 21:32:06]

Nit: Please don't override built-in symbols like "str".

[Wladimir Palant, 2015/06/03 15:42:35]

Interesting that you seem to be fine with overriding "file" but not with
overriding "str" :)

[Sebastian Noack, 2015/06/03 15:58:49]

I just waited for the day, you notice that. ;P The reason is that "file" is
deprecated and in fact gone in Python 3. So since you should never use the
global "file" anyway, it's fine to use it as local variable name.

+    return hmac.new(cookie_secret, str, hashlib.sha256).hexdigest()
+
+  def _get_user_info_from_dict(cookie_dict, cookie_name=login._COOKIE_NAME):
+    cookie_value = cookie_dict.get(cookie_name, '')
+
+    email, admin, user_id, signature = (cookie_value.split(':') + ['', '', '', ''])[:4]
+    if '@' not in email or signature != calculate_signature(':'.join([email, admin, user_id])):
+      return '', False, ''
+    return email, (admin == 'True'), user_id
+  login._get_user_info_from_dict = _get_user_info_from_dict
+
+  orig_create_cookie_data = login._create_cookie_data
+  def _create_cookie_data(email, admin):
+    result = orig_create_cookie_data(email, admin)
+    result += ':' + calculate_signature(result)
+    return result
+  login._create_cookie_data = _create_cookie_data
+
+def enable_oauth2():
+  from google.appengine.tools.devappserver2 import login
+
+  def get(self):
+    action = self.request.get(login.ACTION_PARAM)
+    continue_url = self.request.get(login.CONTINUE_PARAM)
+    continue_url = re.sub(r'^http:', 'https:', continue_url)
+
+    base_url = 'https://%s/' % self.request.environ['HTTP_HOST']
+
+    client_id = '513968628653-95pc63l111it9srihkktkjuvv82ub17s.apps.googleusercontent.com'
+    client_secret = 'G6mHhxjv48gwNSshSyXmNCLi'
+
+    def error(text):
+      self.response.status = 200
+      self.response.headers['Content-Type'] = 'text/plain'
+      self.response.write(text.encode('utf-8'))
+
+    def redirect(url):
+      self.response.status = 302
+      self.response.status_message = 'Found'
+      self.response.headers['Location'] = url.encode('utf-8')
+
+    if action.lower() == login.LOGOUT_ACTION.lower():
+      self.response.headers['Set-Cookie'] = login._clear_user_info_cookie()
+      redirect(continue_url or base_url)

[Sebastian Noack, 2015/06/02 21:32:06]

It seems inconsistent that you return after error(), but use if/else when
calling redirect().

[Wladimir Palant, 2015/06/03 15:42:35]

Not really, the three branches here represent the functions implemented: logout,
finalize login, start login. Using returns here would make the logic confusing.
I've split up the logic into functions to make that more obvious.

[Sebastian Noack, 2015/06/03 15:58:49]

Fair enough.

+    else:
+      # See https://stackoverflow.com/questions/10271110/python-oauth2-login-with-google
+      if self.request.get('error'):
+        error('Authorization failed: ' + self.request.get('error'))
+        return
+
+      code = self.request.get('code')
+      if code:
+        # User is back and authorized
+        token_params = {
+          'code': code,
+          'client_id': client_id,
+          'client_secret': client_secret,
+          'redirect_uri': base_url + login.LOGIN_URL_RELATIVE,
+          'grant_type':'authorization_code',
+        }
+        data = urllib.urlopen('https://accounts.google.com/o/oauth2/token', urllib.urlencode(token_params)).read()

[Sebastian Noack, 2015/06/02 21:41:06]

Please close the file-like object returned by urlopen().

[Wladimir Palant, 2015/06/03 15:42:35]

Done.

+        token = json.loads(data).get('access_token')
+        if not token:
+          error('No token in response: ' + data)
+          return
+
+        get_params = {
+          'access_token': token,
+        }
+        data = urllib.urlopen('https://www.googleapis.com/plus/v1/people/me?' + urllib.urlencode(get_params)).read()
+        emails = filter(lambda e: e["type"] == "account", json.loads(data).get('emails'))

[Sebastian Noack, 2015/06/02 21:32:06]

I'd rather use a list comprehension here.

[Wladimir Palant, 2015/06/03 15:42:35]

Done.

+        if not emails:
+          error('No email address in response: ' + data)
+          return
+
+        self.response.headers['Set-Cookie'] = login._set_user_info_cookie(emails[0]["value"], False)
+        redirect(self.request.get('state') or base_url)
+      else:
+        # User needs to authorize first
+        authorize_params = {
+          'response_type': 'code',
+          'client_id': client_id,
+          'redirect_uri': base_url + login.LOGIN_URL_RELATIVE,
+          'scope': 'email',
+          'state': continue_url,
+        }
+        redirect('https://accounts.google.com/o/oauth2/auth?' + urllib.urlencode(authorize_params))

[Sebastian Noack, 2015/06/02 21:32:06]

How about a global for 'https://accounts.google.com/o/oauth2/'?

[Wladimir Palant, 2015/06/03 15:42:35]

Done.

+
+  login.Handler.get = get
+
+
+if __name__ == '__main__':
+  engine_dir = '/opt/google_appengine'
+  storage_path = '/var/lib/rietveld'
+
+  script_name, script_file = setup_paths(engine_dir)
+  adjust_server_id()
+  fix_request_scheme()
+
+  if script_name == 'dev_appserver.py':
+    set_storage_path(storage_path)
+    replace_runtime()
+    protect_cookies(os.path.join(storage_path, 'cookie_secret'))
+    enable_oauth2()
+
+  execfile(script_file)