Google Git
Sign in
pigweed / third_party / gerrit / git-repo / bb0ee8057165a9d54e1e1ab9addb15a2a57ccfc1^! / .
commitbb0ee8057165a9d54e1e1ab9addb15a2a57ccfc1[log] [tgz]
authorShawn O. Pearce <sop@google.com>Wed Oct 22 13:02:56 2008 -0700
committerShawn O. Pearce <sop@google.com>Wed Oct 22 13:10:29 2008 -0700
tree65fd7bcf7757f03a6ff52bc71be36128bcc64197
parent02dbb6d120e44ec22cc7051251984cfd618e74ce [diff]
Change RPC client to only use Google Accounts for authentication

Hosted domain account (such as "@google.com" itself) don't work on the
Google App Engine service unless the user specifically creates their
own Google Account (https://www.google.com/accounts/NewAccount) with
the same email address.

When both such accounts exist we must *only* use the Google Account in
our auth request, as that is all Google App Engine will honor when we
send it the session cookie.

However, Google has internal servers that may also be running Gerrit
based applications.  In those case we must use the hosted auth login
for @google.com user accounts, as the internal servers honor only the
hosted account and not the public Google Account database.

In the future we may need to add other domains to the "HOSTED" list
if other Gerrit instances are setup on hosted domains and locked to
only those domain's user accounts, similar to how a server that is
internal to Google would be setup.  Since this is currently not a
likely occurrence I'm not worrying about making it configurable at
this juncture.

Signed-off-by: Shawn O. Pearce <sop@google.com>

diff --git a/codereview/__init__.py b/codereview/__init__.py
index e47bc94..4ac92e8 100644
--- a/codereview/__init__.py
+++ b/codereview/__init__.py

@@ -1 +1 @@
-__version__ = 'v1.0'
+__version__ = 'v1.0-14-gc4f226bc'

diff --git a/codereview/proto_client.py b/codereview/proto_client.py
index e11beff..a51fcd0 100755
--- a/codereview/proto_client.py
+++ b/codereview/proto_client.py

@@ -167,6 +167,10 @@
     Returns:
       The authentication token returned by ClientLogin.
     """
+    account_type = 'GOOGLE'
+    if self.host.endswith('.google.com'):
+      account_type = 'HOSTED'
+
     req = self._CreateRequest(
         url="https://www.google.com/accounts/ClientLogin",
         data=urllib.urlencode({
@@ -174,7 +178,7 @@
             "Passwd": password,
             "service": "ah",
             "source": "gerrit-codereview-client",
-            "accountType": "HOSTED_OR_GOOGLE",
+            "accountType": account_type,
         })
     )
     try:
@@ -214,7 +218,6 @@
         response.info()["location"] != continue_location):
       raise urllib2.HTTPError(req.get_full_url(), response.code, response.msg,
                               response.headers, response.fp)
-    self.authenticated = True
 
   def _GetXsrfToken(self):
     """Fetches /proto/_token for use in X-XSRF-Token HTTP header.
@@ -253,10 +256,18 @@
     authentication cookie, it returns a 401 response and directs us to
     authenticate ourselves with ClientLogin.
     """
-    for i in range(3):
-      credentials = self.auth_function()
-      auth_token = self._GetAuthToken(credentials[0], credentials[1])
+    attempts = 0
+    while True:
+      attempts += 1
+      try:
+        cred = self.auth_function()
+        auth_token = self._GetAuthToken(cred[0], cred[1])
+      except ClientLoginError:
+        if attempts < 3:
+          continue
+        raise
       self._GetAuthCookie(auth_token)
+      self.authenticated = True
       if self.cookie_file is not None:
         self.cookie_jar.save()
       return