Handle authentication errors and token expiration (#83695)

Fixes #70019
3 months ago · 9b0d2decb2
parent 5ab5f23487
commit 9b0d2decb2
2 changed files with 22 additions and 8 deletions
--- a/changelogs/fragments/galaxy-reauth-error-handling.yml
+++ b/changelogs/fragments/galaxy-reauth-error-handling.yml
@ -0,0 +1,2 @@
+minor_changes:
+- ansible-galaxy - Handle authentication errors and token expiration
--- a/lib/ansible/galaxy/token.py
+++ b/lib/ansible/galaxy/token.py
@ -21,11 +21,14 @@
 from __future__ import annotations

 import base64
-import os
 import json
+import os
+import time
 from stat import S_IRUSR, S_IWUSR
+from urllib.error import HTTPError

 from ansible import constants as C
+from ansible.galaxy.api import GalaxyError
 from ansible.galaxy.user_agent import user_agent
 from ansible.module_utils.common.text.converters import to_bytes, to_native, to_text
 from ansible.module_utils.common.yaml import yaml_dump, yaml_load
@ -57,12 +60,16 @@ class KeycloakToken(object):
        self.client_id = client_id
        if self.client_id is None:
            self.client_id = 'cloud-services'
+        self._expiration = None

    def _form_payload(self):
        return 'grant_type=refresh_token&client_id=%s&refresh_token=%s' % (self.client_id,
                                                                           self.access_token)

    def get(self):
+        if self._expiration and time.time() >= self._expiration:
+            self._token = None
+
        if self._token:
            return self._token

@ -76,15 +83,20 @@ class KeycloakToken(object):
        #         or 'azp' (Authorized party - the party to which the ID Token was issued)
        payload = self._form_payload()

+        try:
            resp = open_url(to_native(self.auth_url),
                            data=payload,
                            validate_certs=self.validate_certs,
                            method='POST',
                            http_agent=user_agent())
+        except HTTPError as e:
+            raise GalaxyError(e, 'Unable to get access token')

-        # TODO: handle auth errors
+        data = json.load(resp)

-        data = json.loads(to_text(resp.read(), errors='surrogate_or_strict'))
+        # So that we have a buffer, expire the token in ~2/3 the given value
+        expires_in = data['expires_in'] // 3 * 2
+        self._expiration = time.time() + expires_in

        # - extract 'access_token'
        self._token = data.get('access_token')