Added code that allows authorization with service_account_key.

Author: seukyaso

setup.py

@@ -3,15 +3,17 @@
 packages = find_packages('.', include=['yandexcloud*', 'yandex*'])
 
 setup(name='yandexcloud',
-      version='0.5',
+      version='0.6',
       description='The Yandex.Cloud official SDK',
       url='https://github.com/yandex-cloud/python-sdk',
       author='Yandex LLC',
       author_email='FIXME',
       license='MIT',
       install_requires=[
+          'cryptography',
           'grpcio',
           'googleapis-common-protos',
+          'pyjwt',
           'six',
       ],
       tests_require=['pytest'],

tests/conftest.py

@@ -0,0 +1,18 @@
+import pytest
+
+
+@pytest.fixture()
+def token():
+    return "AAAA00000000000000000000000000000000000"
+
+
+@pytest.fixture()
+def service_account_key():
+    return {
+        "id": "ajeboa0du6edu6m43c3t",
+        "service_account_id": "ajeq7dsmihqple6761c5",
+        "created_at": "2018-10-31T09:30:52Z",
+        "key_algorithm": "RSA_4096",
+        "public_key": "-----BEGIN PUBLIC KEY-----\nMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA0q4HXY6/7jzA3iwofyTq\nxJ+VPR2fQGrhd+nEi32lemw8XEqVpr4wvzaJHdW2921Z7nsEKJPJq9ZCaDpnkdpS\npGPnJCUtJSYQvjs5yrYbEB00LGGi4pERDNWbsX+MyyMl+0Mqd3G3wiu/T8k31T5F\ngmOK1KPnlDQ6JjZ+OQWkBojBTGGkaCsYKuDwuKfsHZQCqhTt8pLIN7ZiiXWRIB4Q\n4GfBuBWUfhgncbNCj+PBEBvy1auFnI0CHQ8T9cHqnh9UQIi0qsxVslICv4Z5iX4y\nYCrRfSw3UJOqQ+mkttSNBjnJC7TpC4uQyc98XC+kLzP1i8/nNv967K9eWA6MVsHF\nZqAkFJYcUn6Bx/f3FDiIcW0tR5P/FgDtVTvQAAdUW+l02P27JOqRyD9oDX/y889/\nc1TGbXlhmaWCqjIVoUnUBlnlHAB7v8X4aqlCu9vwP0DUaXdI/Yxf7VcG6B7wFFZN\noM2k6X1J3LSMdrFTXSLbduv/n0mMLUurUx1D0YIIrk2Kv1N63YNiVtPWdFkGHQs6\nshVgrpiTBUm0VBME7EYKwKQUK7pZ0gn6/IeZpgel0aPCQtaF9FIffLi8KJaMVbJi\nNGgvr4HTejzn/jabWuLc3rN62AexNYUqnRMfmfNPXyArJ0A54tl2u/TKoPmw0w5t\nYAwgJ+mSGlylBJbZy2CBp2sCAwEAAQ==\n-----END PUBLIC KEY-----\n",
+        "private_key": "-----BEGIN PRIVATE KEY-----\nMIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDSrgddjr/uPMDe\nLCh/JOrEn5U9HZ9AauF36cSLfaV6bDxcSpWmvjC/Nokd1bb3bVnuewQok8mr1kJo\nOmeR2lKkY+ckJS0lJhC+OznKthsQHTQsYaLikREM1Zuxf4zLIyX7Qyp3cbfCK79P\nyTfVPkWCY4rUo+eUNDomNn45BaQGiMFMYaRoKxgq4PC4p+wdlAKqFO3yksg3tmKJ\ndZEgHhDgZ8G4FZR+GCdxs0KP48EQG/LVq4WcjQIdDxP1weqeH1RAiLSqzFWyUgK/\nhnmJfjJgKtF9LDdQk6pD6aS21I0GOckLtOkLi5DJz3xcL6QvM/WLz+c2/3rsr15Y\nDoxWwcVmoCQUlhxSfoHH9/cUOIhxbS1Hk/8WAO1VO9AAB1Rb6XTY/bsk6pHIP2gN\nf/Lzz39zVMZteWGZpYKqMhWhSdQGWeUcAHu/xfhqqUK72/A/QNRpd0j9jF/tVwbo\nHvAUVk2gzaTpfUnctIx2sVNdItt26/+fSYwtS6tTHUPRggiuTYq/U3rdg2JW09Z0\nWQYdCzqyFWCumJMFSbRUEwTsRgrApBQrulnSCfr8h5mmB6XRo8JC1oX0Uh98uLwo\nloxVsmI0aC+vgdN6POf+Npta4tzes3rYB7E1hSqdEx+Z809fICsnQDni2Xa79Mqg\n+bDTDm1gDCAn6ZIaXKUEltnLYIGnawIDAQABAoICACXvsmHVZ5gllnErMGucoS2g\nssXbhKab2Fe4X2zixh5iSQgxYfsxeiOkVVJq/lRVe4Em45vO6NypazHLeoTX9FOn\nraJjk1qCHTe0AHcRDZR8Pb3UIvl7N7/A4xU2K4sUnC0/bfEuJ/Gt4Pgj+orKeMe+\n1uvtS7DzKplg7J+l9WA71drEJk+fmu11rcMCcdDtqwEnXaV1atolXF72LZjD8TQH\nWumj8SY3gTrHFbBFSal17ucsyJVlCsFiyqxRK8cnSwuH0kiDHNdMTzRfqZjpgXax\nnyFUCe3XeSxbcQ5+/ZnmY95YyDINAphkZTdQWNcrGwb++9p6bI8cEPf4PqsMn1fE\ngCvhjTpfVLhTbjvA6QH1Za6j4BQxR3+zUw1yzCsuma00r9m1H0/4aQwBhRN6bbKs\nf2OwPmwSMtqzrklqODmLSQbXyPIkb6xoky6zRNJdq3uwBORILgOvzNiM4jUrBjue\nfUmlblu7n2Qw2POJRjrNGEUasYUhZCk9UAlGl8ThTqMo5r2pfT0p0MuQrCzsg4ch\nylM7vzqKhrGdHlIEBr//AJ2C/NHqZjiX2h3H9gfoFiNCx0meOtjDmen9z6vCtiOs\n7JcAHO30z5KuRd59nPO3GuWeXe6SlWWymgv9DiNAQXx163lyBpYvXI8F8KzgKvM+\nbtQzUXpr/Q2/KOcSgl9hAoIBAQD9Vo4PZQ9FOzJSxXPOHeMbpP3lizHoPwmDbRjT\nCu5d8+a9IuHmsINm5bzShPJQauZMsaJvyfHd6Q1RlieJ6l/qObSHrN9LNwVYZxJ8\nTZiyufk4FrgPX0K6rzNUHxCG/2R5A/qfg32BgQ8+h+rK0ZSPVGnVUMRpofTPubBE\nP9lzy/3pcqvJjljI2BtbFYYanB4WWrtDCEZOcLU6Nny7ll/N5Y1ZFFcrL1eiB2kh\nFvFp1ScgAtjTWoxEPIPJK0hVUkMnWnbMMCpJ+WXg+2blDEY2H8BTk47EyN7P/Y3G\nFhujduNLCJbwCuGn8wchCgvSFuy56UcbLpdu8e1R/TEpL5vxAoIBAQDU5LqS7TyS\n0p7tOXQuLgNuPXezuu8yC/eIg9wfUWPEMNaFS6er75AKOqzykFMHnNimPnuxMNLI\nmXwb2bd6J9PfRJ6eqsf60E1iDD+F9KiKSd+btGxh5soc8wVjTWbghW47DfWkAZGX\nw0dWZTh2PY41HupU6lizrBMPnx2xFQz4CgU3DjDlhSVDSbkJ64Wt0RDKICe+OQWe\nlhKmC8fjo9IO5W/QRIcOmqO+1W3nUko84CDVlh+mJ2Hxi2N3+xUT9XJee0id81u2\nVO6tH20+zDTfsu8RFJXBL2Mx2WJ4MTV3ASxvBbUMG5sAOlFb4SL6p6ODzZwOwlDZ\ny/T3tQHr+IUbAoIBAAp9vSBSFRHO48SdvK/6eN86M/F/lC+D/Mbei7qhp0FoylNm\n0GgXQznNpcYqD0bZRnRCnvF2MXf5IL4SM8z4UcSHYzyDIjQhMS16Bz/yjrJIFVQH\nTNQGI+NLQhrntm2Awg5o5cYZUec9Cv6R7l071KUi38cfsyKUvGilzfDlnAG5nug+\nAXM1W+PlXyykdYtAj9ZpJ3wdKZwx+q9QdlXmYk1KhlH8D6gQK9bf67CdHJ4/X4Fp\n3MTT6R8iSmrYSgSOhY1pp6XJENdDZr6sapRtr7KqGfLcF3t6vg9q9qYPYFGiqMMA\ntg92w+WKoO7zVY37uQ3x5SnxAgBsMGHG1HRaLmECggEBAIEuVYQIDkRtJ2B9B2Fq\nLEy9YaAeozv0BPzCPlSGl4oZtGHnuVNcJ0P9vKnnJ2qsIs4lhfrLzGtKrwNbRbkK\n58ZHphRTPsuTkBEZq4YGIirfjp61iTqSxztvv2o1MmK0tGGDI/Wjugujw+rJuswM\np/jVzI1AMhi8JkjJXUPxqQ/tTKLOqp7q/uRonK5HSrNg89YiUttbUGydVa2J4n3g\nDvtY/1MZ8fXLoeaPLYQ6668qtOHFmWjB5u2hjfbk1TJqMj7ggfzOCW2G9dj5A9oi\nIUdIFUaA/ineLku2Q8j42x9eB+9KQESbj59Aw9ODtizwggjdP3+5K0QtPXT9UbA0\n+dcCggEAfpDfGOMurnFZxh7AYU3HfFLR0LIDqc4JX/SA8WlsbFUfM8ujaHhKoR+5\nnWWTouuOy8lJlXVnqUfKvG4Ty0+2QvcTFE50h167AewsHmDqJ4oELJ6kCbMEUzpk\nzILaeiCJlbldkfi4ztA7hT8Dfv+yKmi9GA2pyoMbdsVwG4xPDkA/R0jj7H5kkrh1\nAv/K+T674XEr0ReHxEIxRFFQ0K/lyOxRIdxGssb30SNS3VvKTFtvFDKTm0uP7MYD\ndSc0bk6fmeN0bR/Og2/S1ZEkQNxUFBPx92e9T4g/bi/2rIOdl4xcpwjW1By2UkNG\nawxDbYxnTunk1YxP7KA0/bDnu/OZlQ==\n-----END PRIVATE KEY-----\n"
+    }

tests/test_service_account_auth.py

@@ -0,0 +1,47 @@
+import pytest
+import jwt
+import time
+
+from yandexcloud._auth_fabric import get_auth_token_request_func
+
+
+def test_both_params_error(token, service_account_key):
+    with pytest.raises(RuntimeError) as e:
+        get_auth_token_request_func(token=token, service_account_key=service_account_key)
+
+    assert str(e.value) == "Conflicting API credentials properties 'token' and 'service-account-key' are set."
+
+
+@pytest.mark.parametrize("key, error_msg", [
+    ("id", "Invalid Service Account Key: missing key object id."),
+    ("service_account_id", "Invalid Service Account Key: missing service account id."),
+    ("private_key", "Invalid Service Account Key: missing private key."),
+])
+def test_service_account_no_id(service_account_key, key, error_msg):
+    service_account_key.pop(key)
+
+    with pytest.raises(RuntimeError) as e:
+        get_auth_token_request_func(service_account_key=service_account_key)
+
+    assert str(e.value) == error_msg
+
+
+def test_oauth_token(token):
+    request_func = get_auth_token_request_func(token=token)
+    request = request_func()
+    assert token == request.yandex_passport_oauth_token
+
+
+def test_service_account_key(service_account_key):
+    request_func = get_auth_token_request_func(service_account_key=service_account_key)
+    request = request_func()
+    now = int(time.time())
+    headers = jwt.get_unverified_header(request.jwt)
+    parsed = jwt.decode(request.jwt, secret=service_account_key["public_key"], algorithms=['PS256'], verify=False)
+    assert headers["typ"] == "JWT"
+    assert headers["alg"] == "PS256"
+    assert headers["kid"] == service_account_key["id"]
+
+    assert parsed["iss"] == service_account_key["service_account_id"]
+    assert parsed["aud"] == "https://iam.api.cloud.yandex.net/iam/v1/tokens"
+    assert now - 60 <= int(parsed["iat"]) <= now

yandexcloud/_auth_fabric.py

@@ -0,0 +1,72 @@
+import time
+from datetime import datetime
+
+# jwt package depends on cryptography
+import cryptography
+import jwt
+
+
+from yandex.cloud.iam.v1.iam_token_service_pb2 import CreateIamTokenRequest
+
+
+def __validate_service_account_key(sa_key):
+    obj_id = sa_key.get("id")
+    sa_id = sa_key.get("service_account_id")
+    private_key = sa_key.get("private_key")
+
+    if not obj_id:
+        raise RuntimeError("Invalid Service Account Key: missing key object id.")
+
+    if not sa_id:
+        raise RuntimeError("Invalid Service Account Key: missing service account id.")
+
+    if not private_key:
+        raise RuntimeError("Invalid Service Account Key: missing private key.")
+
+
+def get_auth_token_request_func(token=None, service_account_key=None):
+    if token and service_account_key:
+        raise RuntimeError("Conflicting API credentials properties 'token' and 'service-account-key' are set.")
+
+    if token:
+        return TokenAuth(token=token).get_token_request
+
+    __validate_service_account_key(service_account_key)
+    return ServiceAccountAuth(service_account_key).get_token_request
+
+
+class TokenAuth:
+    def __init__(self, token):
+        self.__oauth_token = token
+
+    def get_token_request(self):
+        return CreateIamTokenRequest(yandex_passport_oauth_token=self.__oauth_token)
+
+
+class ServiceAccountAuth:
+    __SECONDS_IN_HOUR = 60. * 60.
+
+    def __init__(self, sa_key):
+        self.__sa_key = sa_key
+
+    def get_token_request(self):
+        return CreateIamTokenRequest(jwt=self.__prepare_request())
+
+    def __prepare_request(self):
+        now = time.time()
+        now_utc = datetime.utcfromtimestamp(now)
+        exp_utc = datetime.utcfromtimestamp(now + self.__SECONDS_IN_HOUR)
+        payload = {
+            "iss": self.__sa_key["service_account_id"],
+            "aud": "https://iam.api.cloud.yandex.net/iam/v1/tokens",
+            "iat": now_utc,
+            "exp": exp_utc,
+        }
+
+        headers = {
+            "typ": "JWT",
+            "alg": "PS256",
+            "kid": self.__sa_key["id"],
+        }
+
+        return jwt.encode(payload, self.__sa_key["private_key"], algorithm="PS256", headers=headers)

yandexcloud/_auth_plugin.py

@@ -1,20 +1,16 @@
+import grpc
 
-import threading
-from concurrent import futures
 from datetime import datetime
-
-import grpc
 from six.moves.urllib.parse import urlparse
 
-from yandex.cloud.iam.v1.iam_token_service_pb2 import CreateIamTokenRequest
 from yandex.cloud.iam.v1.iam_token_service_pb2_grpc import IamTokenServiceStub
 
 TIMEOUT_SECONDS = 20
 
 
 class Credentials(grpc.AuthMetadataPlugin):
-    def __init__(self, oauth_token, lazy_channel):
-        self._oauth_token = oauth_token
+    def __init__(self, token_request_func, lazy_channel):
+        self.__token_request_func = token_request_func
         self._lazy_channel = lazy_channel
         self._channel = None
         self._cached_iam_token = None
@@ -28,17 +24,15 @@ def __call__(self, context, callback):
 
     def _call(self, context, callback):
         u = urlparse(context.service_url)
-        if u.path == '/yandex.cloud.iam.v1.IamTokenService' or \
-            u.path == '/yandex.cloud.endpoint.ApiEndpointService':
+        if u.path == '/yandex.cloud.iam.v1.IamTokenService' or u.path == '/yandex.cloud.endpoint.ApiEndpointService':
             callback(None, None)
             return
 
         if not self._channel:
             self._channel = self._lazy_channel()
 
         if self._cached_iam_token is None or not self._fresh():
-            token_future = IamTokenServiceStub(self._channel).Create.future(CreateIamTokenRequest(
-                yandex_passport_oauth_token=self._oauth_token))
+            token_future = IamTokenServiceStub(self._channel).Create.future(self.__token_request_func())
             token_future.add_done_callback(self.create_done_callback(callback))
             return
 

yandexcloud/_channels.py

@@ -5,27 +5,19 @@
 from yandex.cloud.endpoint.api_endpoint_service_pb2 import ListApiEndpointsRequest
 
 from yandexcloud import _auth_plugin
-
-
-def _fill_defaults(opts):
-    opts['root_certificates'] = opts.get('root_certificates')
-    opts['private_key'] = opts.get('private_key')
-    opts['certificate_chain'] = opts.get('certificate_chain')
-    opts['endpoint'] = opts.get('endpoint', 'api.cloud.yandex.net')
+from yandexcloud._auth_fabric import get_auth_token_request_func
 
 
 class Channels(object):
     def __init__(self, **kwargs):
-        opts = {x: y for x, y in kwargs.items()}
-        _fill_defaults(opts)
-
         self._channel_creds = grpc.ssl_channel_credentials(
-            root_certificates=opts['root_certificates'],
-            private_key=opts['private_key'],
-            certificate_chain=opts['certificate_chain'],
+            root_certificates=kwargs.get('root_certificates'),
+            private_key=kwargs.get('private_key'),
+            certificate_chain=kwargs.get('certificate_chain'),
         )
-        self._endpoint = opts['endpoint']
-        self._token = opts['token']
+        self._endpoint = kwargs.get('endpoint', 'api.cloud.yandex.net')
+        self._token_request_func = get_auth_token_request_func(token=kwargs.get("token"),
+                                                               service_account_key=kwargs.get("service_account_key"))
 
         self._unauthenticated_channel = None
         self._channels = None
@@ -40,7 +32,7 @@ def channel(self, endpoint):
             endpoints = resp.endpoints
 
             plugin = _auth_plugin.Credentials(
-                self._token, lambda: self._channels["iam"])
+                self._token_request_func, lambda: self._channels["iam"])
             call_creds = grpc.metadata_call_credentials(plugin)
             creds = grpc.composite_channel_credentials(
                 self._channel_creds, call_creds)