# Copyright 2022 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. """Authentication server for VPC-SC Live Demo.""" import io import json import os from base64 import b64decode from zipfile import ZipFile import google.auth import requests import session from flask import Flask, Response, redirect, request, send_file from flask.logging import create_logger # pylint: disable=ungrouped-imports from google.auth.transport import requests as reqs from google.oauth2 import id_token from utilities import access_secret_version app = Flask(__name__) logger = create_logger(app) credentials, project_id = google.auth.default() def get_redirect_url(): """Get the redirect URL, depending on prod vs dev deployment.""" debug_port = os.getenv("DEBUG_PORT") if os.getenv("PROD") == "true": return "https://auth.dialogflow-demo.app/callback" return f"http://localhost:{debug_port}/callback" @app.route("/callback") def callback(): """Callback route, redirects to the user-provided return_to URL.""" args = request.args.to_dict() state = json.loads(b64decode(args["state"])) redirect_path = state["return_to"] session_id = state["session_id"] data = { "code": args["code"], "client_id": os.getenv("CLIENT_ID"), "client_secret": access_secret_version( project_id, "application-client-secret", "latest" )["response"], "redirect_uri": get_redirect_url(), "grant_type": "authorization_code", } resp = requests.post( "https://oauth2.googleapis.com/token", data=data, timeout=10, ).json() info = id_token.verify_oauth2_token(resp["id_token"], reqs.Request()) session.create( { "id_token": resp["id_token"], "access_token": resp["access_token"], "refresh_token": resp["refresh_token"], "email": info["email"], "expiration": info["exp"], "origin": redirect_path, }, session_id=session_id, public_pem=state["public_pem"], ) if session_id is None: logger.critical("Could not create session") return Response(status=403) response = redirect(redirect_path) return response @app.route("/login", methods=["GET"]) def login_get(): """login_get Handles requests made to the path /login. This may occur due to a user following a link, or other website pages redirecting here. The request may include a query parameter called return_to, which will lead to the user being directed to that path following a successful login. This path is relative to the application's root URL and special characters must be url-encoded. Example: GET /login?return_to=/ """ state = request.args["state"] # Link to redirect to Google auth service, including required query parameters. sign_in_url = "https://accounts.google.com/o/oauth2/v2/auth?" # Client apps and their callbacks must be registered and supplied here sign_in_url += f"redirect_uri={get_redirect_url()}&" sign_in_url += f'client_id={os.getenv("CLIENT_ID")}&' # Asking for user email and any previously granted scopes openid%20email sign_in_url += "scope=openid%20" sign_in_url += "email%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcloud-platform&" sign_in_url += "include_granted_scopes=true&" # The next two parameters are essential to get a refresh token sign_in_url += "prompt=consent&" sign_in_url += "access_type=offline&" # Asking for a code that can then be exchanged for user information sign_in_url += "response_type=code&" # Remember this info and echo it back to me so I'll know what to do next sign_in_url += f"state={state}&" return redirect(sign_in_url) @app.route("/auth", methods=["GET"]) def auth(): """Rout for getting authentication information, when session_id is valid.""" # pylint: disable=unexpected-keyword-arg session_id = request.args.get("session_id") session_data = session.read(session_id) if "error" in session_data: return session_data["error"] zip_file_stream = io.BytesIO() with ZipFile(zip_file_stream, "w") as zip_file: for ( curr_stream_name, curr_stream, ) in session_data.items(): zip_file.writestr( os.path.basename(curr_stream_name), curr_stream.getvalue() ) zip_file_stream.seek(0) return send_file( zip_file_stream, as_attachment=True, attachment_filename="encrypted_session.zip", ) if __name__ == "__main__": # pragma: no cover port = int(os.environ.get("PORT", 5000)) app.run(debug=False, host="0.0.0.0", port=port)