| 1 | +# Copyright 2020 Google LLC |
| 2 | +# |
| 3 | +# Licensed under the Apache License, Version 2.0 (the "License"); |
| 4 | +# you may not use this file except in compliance with the License. |
| 5 | +# You may obtain a copy of the License at |
| 6 | +# |
| 7 | +# http://www.apache.org/licenses/LICENSE-2.0 |
| 8 | +# |
| 9 | +# Unless required by applicable law or agreed to in writing, software |
| 10 | +# distributed under the License is distributed on an "AS IS" BASIS, |
| 11 | +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 12 | +# See the License for the specific language governing permissions and |
| 13 | +# limitations under the License. |
| 14 | + |
| 15 | +""" |
| 16 | +Authenticate requests coming from other App Engine instances. |
| 17 | +""" |
| 18 | + |
| 19 | +# [START gae_python_app_identity_incoming] |
| 20 | +from google.oauth2 import id_token |
| 21 | +from google.auth.transport import requests |
| 22 | + |
| 23 | +import logging |
| 24 | +import webapp2 |
| 25 | + |
| 26 | + |
| 27 | +def get_app_id(request): |
| 28 | + # Requests from App Engine Standard for Python 2.7 will include a |
| 29 | + # trustworthy X-Appengine-Inbound-Appid. Other requests won't have |
| 30 | + # that header, as the App Engine runtime will strip it out |
| 31 | + incoming_app_id = request.headers.get( |
| 32 | + 'X-Appengine-Inbound-Appid', None) |
| 33 | + if incoming_app_id is not None: |
| 34 | + return incoming_app_id |
| 35 | + |
| 36 | + # Other App Engine apps can get an ID token for the App Engine default |
| 37 | + # service account, which will identify the application ID. They will |
| 38 | + # have to include at token in an Authorization header to be recognized |
| 39 | + # by this method. |
| 40 | + auth_header = request.headers.get('Authorization', None) |
| 41 | + if auth_header is None: |
| 42 | + return None |
| 43 | + |
| 44 | + # The auth_header must be in the form Authorization: Bearer token. |
| 45 | + bearer, token = auth_header.split() |
| 46 | + if bearer.lower() != 'bearer': |
| 47 | + return None |
| 48 | + |
| 49 | + try: |
| 50 | + info = id_token.verify_oauth2_token(token, requests.Request()) |
| 51 | + service_account_email = info['email'] |
| 52 | + incoming_app_id, domain = service_account_email.split('@') |
| 53 | + if domain != 'appspot.gserviceaccount.com': # Not App Engine svc acct |
| 54 | + return None |
| 55 | + else: |
| 56 | + return incoming_app_id |
| 57 | + except Exception as e: |
| 58 | + # report or log if desired, as here: |
| 59 | + logging.warning('Request has bad OAuth2 id token: {}'.format(e)) |
| 60 | + return None |
| 61 | + |
| 62 | + |
| 63 | +class MainPage(webapp2.RequestHandler): |
| 64 | + allowed_app_ids = [ |
| 65 | + 'other-app-id', |
| 66 | + 'other-app-id-2' |
| 67 | + ] |
| 68 | + |
| 69 | + def get(self): |
| 70 | + incoming_app_id = get_app_id(self.request) |
| 71 | + |
| 72 | + if incoming_app_id is None: |
| 73 | + self.abort(403) |
| 74 | + |
| 75 | + if incoming_app_id not in self.allowed_app_ids: |
| 76 | + self.abort(403) |
| 77 | + |
| 78 | + self.response.write('This is a protected page.') |
| 79 | + |
| 80 | + |
| 81 | +app = webapp2.WSGIApplication([ |
| 82 | + ('/', MainPage) |
| 83 | +], debug=True) |
| 84 | +# [END gae_python_app_identity_incoming] |
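Review bot: The `verify_oauth2_token` call in `get_app_id` passes no `audience`, so any Google-signed ID token for one of the allowed default service accounts is accepted regardless of which service it was minted for; in google-auth the `audience` argument defaults to `None` and is then not checked, so a token the caller obtained for some other endpoint can be replayed against this one. Pass the value callers are expected to put in the token's `aud` claim, e.g. `info = id_token.verify_oauth2_token(token, requests.Request(), audience=EXPECTED_AUDIENCE)`, with `EXPECTED_AUDIENCE` a module constant and the comment above the `Authorization` lookup telling callers to request their token with that audience. Separately, `bearer, token = auth_header.split()` sits outside the `try`, so an `Authorization` header with anything other than exactly two whitespace-separated fields raises `ValueError` out of the handler, and with `debug=True` on the `WSGIApplication` the traceback is returned to the client; replace it with `parts = auth_header.split()` / `if len(parts) != 2: return None` / `bearer, token = parts`, and drop `debug=True` before this is deployed. It would also help to state in the `allowed_app_ids` comment that the entries are project IDs (the local part of `PROJECT@appspot.gserviceaccount.com`), since that is what both the header path and the token path return.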