diff options
| author | Jason Gunthorpe <jgg@mellanox.com> | 2020-06-19 16:43:45 -0300 |
|---|---|---|
| committer | Jason Gunthorpe <jgg@nvidia.com> | 2020-06-22 20:24:18 -0300 |
| commit | c353c00ef8d1897079a8c32f7913ea5d33331de2 (patch) | |
| tree | da832695e56fac58468eccc7710eb21797c72cf8 /cloud_mdir_sync/gmail.py | |
| parent | c607f4a3cbd9cc4c9611db12bfe175b52de514e1 (diff) | |
| download | cloud_mdir_sync-c353c00ef8d1897079a8c32f7913ea5d33331de2.tar.gz cloud_mdir_sync-c353c00ef8d1897079a8c32f7913ea5d33331de2.tar.bz2 cloud_mdir_sync-c353c00ef8d1897079a8c32f7913ea5d33331de2.zip | |
OAUTH: Make some sense of the scopes
With the ability to run as a broker for IMAP/SMTP we can limit the scopes
requested based on the configuration. Add a fake _CMS_ protocol that
refers to the scopes required to operate internally.
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Diffstat (limited to 'cloud_mdir_sync/gmail.py')
| -rw-r--r-- | cloud_mdir_sync/gmail.py | 35 |
1 files changed, 24 insertions, 11 deletions
diff --git a/cloud_mdir_sync/gmail.py b/cloud_mdir_sync/gmail.py index 20e7502..98c76cb 100644 --- a/cloud_mdir_sync/gmail.py +++ b/cloud_mdir_sync/gmail.py @@ -86,11 +86,13 @@ class GmailAPI(oauth.Account): self.session = aiohttp.ClientSession(connector=connector, raise_for_status=False) - self.scopes = [ - "https://www.googleapis.com/auth/gmail.modify", - ] + self.scopes = [] + if "_CMS_" in self.protocols: + self.scopes.append("https://www.googleapis.com/auth/gmail.modify") if "SMTP" in self.protocols or "IMAP" in self.protocols: self.scopes.append("https://mail.google.com/") + if not self.scopes: + self.scopes.append("openid") self.redirect_url = cfg.web_app.url + "oauth2/gmail" self.api_token = cfg.msgdb.get_authenticator(self.domain_id) @@ -140,7 +142,10 @@ class GmailAPI(oauth.Account): client_secret=self.client_secret, scopes=self.scopes, refresh_token=self.api_token["refresh_token"]) - except oauthlib.oauth2.OAuth2Error: + except (oauthlib.oauth2.OAuth2Error, Warning): + self.cfg.logger.exception( + f"OAUTH initial exchange failed for {self.domain_id}, sleeping for retry" + ) self.api_token = None return False return self._set_token(api_token) @@ -163,13 +168,20 @@ class GmailAPI(oauth.Account): q = await self.cfg.web_app.auth_redir(url, state, self.redirect_url) - api_token = await self.oauth.fetch_token( - self.session, - 'https://oauth2.googleapis.com/token', - include_client_id=True, - client_secret=self.client_secret, - scopes=self.scopes, - code=q["code"]) + try: + api_token = await self.oauth.fetch_token( + self.session, + 'https://oauth2.googleapis.com/token', + include_client_id=True, + client_secret=self.client_secret, + scopes=self.scopes, + code=q["code"]) + except (oauthlib.oauth2.OAuth2Error, Warning): + self.cfg.logger.exception( + f"OAUTH initial exchange failed for {self.domain_id}, sleeping for retry" + ) + await asyncio.sleep(1) + continue if self._set_token(api_token): return @@ -338,6 +350,7 @@ class GMailMailbox(mailbox.Mailbox): self.gmail = gmail self.gmail_messages = {} self.max_fetches = asyncio.Semaphore(10) + gmail.protocols.add("_CMS_") gmail.mailboxes.append(self) def __repr__(self): |