openpilot_comma/tools/lib/auth.py

#!/usr/bin/env python3
"""
Usage::

  usage: auth.py [-h] [{google,apple,github,jwt}] [jwt]

  Login to your comma account

  positional arguments:
    {google,apple,github,jwt}
    jwt

  optional arguments:
    -h, --help            show this help message and exit


Examples::

  ./auth.py  # Log in with google account
  ./auth.py github  # Log in with GitHub Account
  ./auth.py jwt ey......hw  # Log in with a JWT from https://jwt.comma.ai, for use in CI
"""

import argparse
import sys
import pprint
import webbrowser
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Any, Dict
from urllib.parse import parse_qs, urlencode

from openpilot.tools.lib.api import APIError, CommaApi, UnauthorizedError
from openpilot.tools.lib.auth_config import set_token, get_token

PORT = 3000


class ClientRedirectServer(HTTPServer):
  query_params: Dict[str, Any] = {}


class ClientRedirectHandler(BaseHTTPRequestHandler):
  def do_GET(self):
    if not self.path.startswith('/auth'):
      self.send_response(204)
      return

    query = self.path.split('?', 1)[-1]
    query_parsed = parse_qs(query, keep_blank_values=True)
    self.server.query_params = query_parsed

    self.send_response(200)
    self.send_header('Content-type', 'text/plain')
    self.end_headers()
    self.wfile.write(b'Return to the CLI to continue')

  def log_message(self, *args):  # pylint: disable=redefined-builtin
    pass  # this prevent http server from dumping messages to stdout


def auth_redirect_link(method):
  provider_id = {
    'google': 'g',
    'apple': 'a',
    'github': 'h',
  }[method]

  params = {
    'redirect_uri': f"https://api.comma.ai/v2/auth/{provider_id}/redirect/",
    'state': f'service,localhost:{PORT}',
  }

  if method == 'google':
    params.update({
      'type': 'web_server',
      'client_id': '45471411055-ornt4svd2miog6dnopve7qtmh5mnu6id.apps.googleusercontent.com',
      'response_type': 'code',
      'scope': 'https://www.googleapis.com/auth/userinfo.email',
      'prompt': 'select_account',
    })
    return 'https://accounts.google.com/o/oauth2/auth?' + urlencode(params)
  elif method == 'github':
    params.update({
      'client_id': '28c4ecb54bb7272cb5a4',
      'scope': 'read:user',
    })
    return 'https://github.com/login/oauth/authorize?' + urlencode(params)
  elif method == 'apple':
    params.update({
      'client_id': 'ai.comma.login',
      'response_type': 'code',
      'response_mode': 'form_post',
      'scope': 'name email',
    })
    return 'https://appleid.apple.com/auth/authorize?' + urlencode(params)
  else:
    raise NotImplementedError(f"no redirect implemented for method {method}")


def login(method):
  oauth_uri = auth_redirect_link(method)

  web_server = ClientRedirectServer(('localhost', PORT), ClientRedirectHandler)
  print(f'To sign in, use your browser and navigate to {oauth_uri}')
  webbrowser.open(oauth_uri, new=2)

  while True:
    web_server.handle_request()
    if 'code' in web_server.query_params:
      break
    elif 'error' in web_server.query_params:
      print('Authentication Error: "{}". Description: "{}" '.format(
        web_server.query_params['error'],
        web_server.query_params.get('error_description')), file=sys.stderr)
      break

  try:
    auth_resp = CommaApi().post('v2/auth/', data={'code': web_server.query_params['code'], 'provider': web_server.query_params['provider']})
    set_token(auth_resp['access_token'])
  except APIError as e:
    print(f'Authentication Error: {e}', file=sys.stderr)


if __name__ == '__main__':
  parser = argparse.ArgumentParser(description='Login to your comma account')
  parser.add_argument('method', default='google', const='google', nargs='?', choices=['google', 'apple', 'github', 'jwt'])
  parser.add_argument('jwt', nargs='?')

  args = parser.parse_args()
  if args.method == 'jwt':
    if args.jwt is None:
      print("method JWT selected, but no JWT was provided")
      exit(1)

    set_token(args.jwt)
  else:
    login(args.method)

  try:
    me = CommaApi(token=get_token()).get('/v1/me')
    print("Authenticated!")
    pprint.pprint(me)
  except UnauthorizedError:
    print("Got invalid JWT")
    exit(1)
Tools: Storage API (#1161) * filereader * support URLs in filereader, logreader * unused * use route files api; add auth file * Implement browser auth * Update readme, fix up cache paths * Add tests, clear token on 401 * Factor out URLFile * space old-commit-hash: c4af05868ba82d4295e3f508e8477f2f6f898834 5 years ago			`#!/usr/bin/env python3`
tools/lib/auth.py: support github/apple login (#22766) * tools/lib/auth.py: support github/apple login * print some info about logged in user * add docstring old-commit-hash: 252f3c1c871909611d162596e163fd7e6b8541bb 4 years ago			`"""`
			`Usage::`

			`usage: auth.py [-h] [{google,apple,github,jwt}] [jwt]`

			`Login to your comma account`

			`positional arguments:`
			`{google,apple,github,jwt}`
			`jwt`

			`optional arguments:`
			`-h, --help show this help message and exit`


			`Examples::`

			`./auth.py # Log in with google account`
			`./auth.py github # Log in with GitHub Account`
			`./auth.py jwt ey......hw # Log in with a JWT from https://jwt.comma.ai, for use in CI`
			`"""`

			`import argparse`
Tools: Storage API (#1161) * filereader * support URLs in filereader, logreader * unused * use route files api; add auth file * Implement browser auth * Update readme, fix up cache paths * Add tests, clear token on 401 * Factor out URLFile * space old-commit-hash: c4af05868ba82d4295e3f508e8477f2f6f898834 5 years ago			`import sys`
tools/lib/auth.py: support github/apple login (#22766) * tools/lib/auth.py: support github/apple login * print some info about logged in user * add docstring old-commit-hash: 252f3c1c871909611d162596e163fd7e6b8541bb 4 years ago			`import pprint`
Tools: Storage API (#1161) * filereader * support URLs in filereader, logreader * unused * use route files api; add auth file * Implement browser auth * Update readme, fix up cache paths * Add tests, clear token on 401 * Factor out URLFile * space old-commit-hash: c4af05868ba82d4295e3f508e8477f2f6f898834 5 years ago			`import webbrowser`
tools/lib/auth.py: support github/apple login (#22766) * tools/lib/auth.py: support github/apple login * print some info about logged in user * add docstring old-commit-hash: 252f3c1c871909611d162596e163fd7e6b8541bb 4 years ago			`from http.server import BaseHTTPRequestHandler, HTTPServer`
			`from typing import Any, Dict`
			`from urllib.parse import parse_qs, urlencode`

add openpilot prefix to imports (#29498) * add openpilot prefix to imports * more * more * fix docs * fix linter * bump submodules * fix patched tests * update dynamic imports * debug * Revert "debug" This reverts commit db5e13b9911cc74438bee123bc3430da6c31b24b. * fix pm test old-commit-hash: a9626f95b69af19306143fc4def02fb5769405d2 2 years ago			`from openpilot.tools.lib.api import APIError, CommaApi, UnauthorizedError`
			`from openpilot.tools.lib.auth_config import set_token, get_token`
Tools: Storage API (#1161) * filereader * support URLs in filereader, logreader * unused * use route files api; add auth file * Implement browser auth * Update readme, fix up cache paths * Add tests, clear token on 401 * Factor out URLFile * space old-commit-hash: c4af05868ba82d4295e3f508e8477f2f6f898834 5 years ago
tools/lib/auth.py update oauth redirect url old-commit-hash: 0252072729b188d5a725e8a2b979ca4d44f92773 4 years ago			`PORT = 3000`

tools/lib/auth.py: support github/apple login (#22766) * tools/lib/auth.py: support github/apple login * print some info about logged in user * add docstring old-commit-hash: 252f3c1c871909611d162596e163fd7e6b8541bb 4 years ago
Tools: Storage API (#1161) * filereader * support URLs in filereader, logreader * unused * use route files api; add auth file * Implement browser auth * Update readme, fix up cache paths * Add tests, clear token on 401 * Factor out URLFile * space old-commit-hash: c4af05868ba82d4295e3f508e8477f2f6f898834 5 years ago			`class ClientRedirectServer(HTTPServer):`
Run mypy commit hook (#1591) * run mypy commit hook * fix mypy errors old-commit-hash: 3d08dcc3b27936cb14c0eae63605be9a6c077380 5 years ago			`query_params: Dict[str, Any] = {}`
Tools: Storage API (#1161) * filereader * support URLs in filereader, logreader * unused * use route files api; add auth file * Implement browser auth * Update readme, fix up cache paths * Add tests, clear token on 401 * Factor out URLFile * space old-commit-hash: c4af05868ba82d4295e3f508e8477f2f6f898834 5 years ago
tools/lib/auth.py: support github/apple login (#22766) * tools/lib/auth.py: support github/apple login * print some info about logged in user * add docstring old-commit-hash: 252f3c1c871909611d162596e163fd7e6b8541bb 4 years ago
Tools: Storage API (#1161) * filereader * support URLs in filereader, logreader * unused * use route files api; add auth file * Implement browser auth * Update readme, fix up cache paths * Add tests, clear token on 401 * Factor out URLFile * space old-commit-hash: c4af05868ba82d4295e3f508e8477f2f6f898834 5 years ago			`class ClientRedirectHandler(BaseHTTPRequestHandler):`
			`def do_GET(self):`
tools/lib/auth.py: support github/apple login (#22766) * tools/lib/auth.py: support github/apple login * print some info about logged in user * add docstring old-commit-hash: 252f3c1c871909611d162596e163fd7e6b8541bb 4 years ago			`if not self.path.startswith('/auth'):`
Tools: Storage API (#1161) * filereader * support URLs in filereader, logreader * unused * use route files api; add auth file * Implement browser auth * Update readme, fix up cache paths * Add tests, clear token on 401 * Factor out URLFile * space old-commit-hash: c4af05868ba82d4295e3f508e8477f2f6f898834 5 years ago			`self.send_response(204)`
			`return`

			`query = self.path.split('?', 1)[-1]`
Mypy fixes for --check-untyped-defs (#24372) more type fixes old-commit-hash: 17e33978cdd9322918e9d5d388f7fa47aa30e9b7 3 years ago			`query_parsed = parse_qs(query, keep_blank_values=True)`
			`self.server.query_params = query_parsed`
Tools: Storage API (#1161) * filereader * support URLs in filereader, logreader * unused * use route files api; add auth file * Implement browser auth * Update readme, fix up cache paths * Add tests, clear token on 401 * Factor out URLFile * space old-commit-hash: c4af05868ba82d4295e3f508e8477f2f6f898834 5 years ago
			`self.send_response(200)`
			`self.send_header('Content-type', 'text/plain')`
			`self.end_headers()`
			`self.wfile.write(b'Return to the CLI to continue')`

Ruff: enable flake8-builtins (#29315) * enable flake8-builtins * replace any with contains * fix typo in pack * fix type * format is from the parent module, has to be enabled * item_id * fix item_id * disable for id since that's what the remote server returns old-commit-hash: 8793cbff40662a92bff16d75b51479c80517305a 2 years ago			`def log_message(self, *args): # pylint: disable=redefined-builtin`
Tools: Storage API (#1161) * filereader * support URLs in filereader, logreader * unused * use route files api; add auth file * Implement browser auth * Update readme, fix up cache paths * Add tests, clear token on 401 * Factor out URLFile * space old-commit-hash: c4af05868ba82d4295e3f508e8477f2f6f898834 5 years ago			`pass # this prevent http server from dumping messages to stdout`

tools/lib/auth.py: support github/apple login (#22766) * tools/lib/auth.py: support github/apple login * print some info about logged in user * add docstring old-commit-hash: 252f3c1c871909611d162596e163fd7e6b8541bb 4 years ago
			`def auth_redirect_link(method):`
			`provider_id = {`
			`'google': 'g',`
			`'apple': 'a',`
			`'github': 'h',`
			`}[method]`

Tools: Storage API (#1161) * filereader * support URLs in filereader, logreader * unused * use route files api; add auth file * Implement browser auth * Update readme, fix up cache paths * Add tests, clear token on 401 * Factor out URLFile * space old-commit-hash: c4af05868ba82d4295e3f508e8477f2f6f898834 5 years ago			`params = {`
tools/lib/auth.py: support github/apple login (#22766) * tools/lib/auth.py: support github/apple login * print some info about logged in user * add docstring old-commit-hash: 252f3c1c871909611d162596e163fd7e6b8541bb 4 years ago			`'redirect_uri': f"https://api.comma.ai/v2/auth/{provider_id}/redirect/",`
			`'state': f'service,localhost:{PORT}',`
Tools: Storage API (#1161) * filereader * support URLs in filereader, logreader * unused * use route files api; add auth file * Implement browser auth * Update readme, fix up cache paths * Add tests, clear token on 401 * Factor out URLFile * space old-commit-hash: c4af05868ba82d4295e3f508e8477f2f6f898834 5 years ago			`}`

tools/lib/auth.py: support github/apple login (#22766) * tools/lib/auth.py: support github/apple login * print some info about logged in user * add docstring old-commit-hash: 252f3c1c871909611d162596e163fd7e6b8541bb 4 years ago			`if method == 'google':`
			`params.update({`
			`'type': 'web_server',`
			`'client_id': '45471411055-ornt4svd2miog6dnopve7qtmh5mnu6id.apps.googleusercontent.com',`
			`'response_type': 'code',`
			`'scope': 'https://www.googleapis.com/auth/userinfo.email',`
			`'prompt': 'select_account',`
			`})`
			`return 'https://accounts.google.com/o/oauth2/auth?' + urlencode(params)`
			`elif method == 'github':`
			`params.update({`
			`'client_id': '28c4ecb54bb7272cb5a4',`
			`'scope': 'read:user',`
			`})`
			`return 'https://github.com/login/oauth/authorize?' + urlencode(params)`
			`elif method == 'apple':`
pylint: enforce indentation (W0311) (#24039) * pylint: enforce indentation (W0311) * few more old-commit-hash: 8af20af66ddaa6bc06d7f72f9134aa9afeed3ed8 3 years ago			`params.update({`
			`'client_id': 'ai.comma.login',`
			`'response_type': 'code',`
			`'response_mode': 'form_post',`
			`'scope': 'name email',`
			`})`
			`return 'https://appleid.apple.com/auth/authorize?' + urlencode(params)`
tools/lib/auth.py: support github/apple login (#22766) * tools/lib/auth.py: support github/apple login * print some info about logged in user * add docstring old-commit-hash: 252f3c1c871909611d162596e163fd7e6b8541bb 4 years ago			`else:`
			`raise NotImplementedError(f"no redirect implemented for method {method}")`
Tools: Storage API (#1161) * filereader * support URLs in filereader, logreader * unused * use route files api; add auth file * Implement browser auth * Update readme, fix up cache paths * Add tests, clear token on 401 * Factor out URLFile * space old-commit-hash: c4af05868ba82d4295e3f508e8477f2f6f898834 5 years ago
tools/lib/auth.py: support github/apple login (#22766) * tools/lib/auth.py: support github/apple login * print some info about logged in user * add docstring old-commit-hash: 252f3c1c871909611d162596e163fd7e6b8541bb 4 years ago
			`def login(method):`
			`oauth_uri = auth_redirect_link(method)`
Tools: Storage API (#1161) * filereader * support URLs in filereader, logreader * unused * use route files api; add auth file * Implement browser auth * Update readme, fix up cache paths * Add tests, clear token on 401 * Factor out URLFile * space old-commit-hash: c4af05868ba82d4295e3f508e8477f2f6f898834 5 years ago
tools/lib/auth.py update oauth redirect url old-commit-hash: 0252072729b188d5a725e8a2b979ca4d44f92773 4 years ago			`web_server = ClientRedirectServer(('localhost', PORT), ClientRedirectHandler)`
tools: Print auth url to console old-commit-hash: 327a255a1ab7fd4b50898ebbeadf27235d6331e6 5 years ago			`print(f'To sign in, use your browser and navigate to {oauth_uri}')`
Tools: Storage API (#1161) * filereader * support URLs in filereader, logreader * unused * use route files api; add auth file * Implement browser auth * Update readme, fix up cache paths * Add tests, clear token on 401 * Factor out URLFile * space old-commit-hash: c4af05868ba82d4295e3f508e8477f2f6f898834 5 years ago			`webbrowser.open(oauth_uri, new=2)`

			`while True:`
			`web_server.handle_request()`
			`if 'code' in web_server.query_params:`
			`break`
			`elif 'error' in web_server.query_params:`
Pyupgrade 3.6: Update syntax with Python 3.6+ features (#23305) Updated Python code with Python 3.6+ features: - utf-8 encoding is now the default (PEP 3120) - Replace list comprehensions by Generator Expressions (PEP 289) - Replace yield loop by yield from (PEP 380) - Remove the (object) subclass when defining a class - Replace the IOError alias by OSError (PEP 3151) - Define sets with curly braces {} instead of set() - Remove "r" parameter from open function, which is default Co-Authored-By: Adeeb Shihadeh <8762862+adeebshihadeh@users.noreply.github.com> Co-Authored-By: GregorKikelj <96022003+GregorKikelj@users.noreply.github.com> Co-authored-by: Adeeb Shihadeh <8762862+adeebshihadeh@users.noreply.github.com> Co-authored-by: GregorKikelj <96022003+GregorKikelj@users.noreply.github.com> old-commit-hash: 332f568a8241fba9459cb70c76840b9670e6993a 3 years ago			`print('Authentication Error: "{}". Description: "{}" '.format(`
Tools: Storage API (#1161) * filereader * support URLs in filereader, logreader * unused * use route files api; add auth file * Implement browser auth * Update readme, fix up cache paths * Add tests, clear token on 401 * Factor out URLFile * space old-commit-hash: c4af05868ba82d4295e3f508e8477f2f6f898834 5 years ago			`web_server.query_params['error'],`
			`web_server.query_params.get('error_description')), file=sys.stderr)`
			`break`

			`try:`
tools/lib/auth.py: support github/apple login (#22766) * tools/lib/auth.py: support github/apple login * print some info about logged in user * add docstring old-commit-hash: 252f3c1c871909611d162596e163fd7e6b8541bb 4 years ago			`auth_resp = CommaApi().post('v2/auth/', data={'code': web_server.query_params['code'], 'provider': web_server.query_params['provider']})`
Tools: Storage API (#1161) * filereader * support URLs in filereader, logreader * unused * use route files api; add auth file * Implement browser auth * Update readme, fix up cache paths * Add tests, clear token on 401 * Factor out URLFile * space old-commit-hash: c4af05868ba82d4295e3f508e8477f2f6f898834 5 years ago			`set_token(auth_resp['access_token'])`
			`except APIError as e:`
			`print(f'Authentication Error: {e}', file=sys.stderr)`

tools/lib/auth.py: support github/apple login (#22766) * tools/lib/auth.py: support github/apple login * print some info about logged in user * add docstring old-commit-hash: 252f3c1c871909611d162596e163fd7e6b8541bb 4 years ago
Tools: Storage API (#1161) * filereader * support URLs in filereader, logreader * unused * use route files api; add auth file * Implement browser auth * Update readme, fix up cache paths * Add tests, clear token on 401 * Factor out URLFile * space old-commit-hash: c4af05868ba82d4295e3f508e8477f2f6f898834 5 years ago			`if __name__ == '__main__':`
tools/lib/auth.py: support github/apple login (#22766) * tools/lib/auth.py: support github/apple login * print some info about logged in user * add docstring old-commit-hash: 252f3c1c871909611d162596e163fd7e6b8541bb 4 years ago			`parser = argparse.ArgumentParser(description='Login to your comma account')`
			`parser.add_argument('method', default='google', const='google', nargs='?', choices=['google', 'apple', 'github', 'jwt'])`
			`parser.add_argument('jwt', nargs='?')`

			`args = parser.parse_args()`
			`if args.method == 'jwt':`
			`if args.jwt is None:`
			`print("method JWT selected, but no JWT was provided")`
			`exit(1)`

			`set_token(args.jwt)`
			`else:`
			`login(args.method)`

			`try:`
			`me = CommaApi(token=get_token()).get('/v1/me')`
			`print("Authenticated!")`
			`pprint.pprint(me)`
			`except UnauthorizedError:`
			`print("Got invalid JWT")`
			`exit(1)`