Duplicity

Backup to Google Drive w/o service account

Bug #1621194 reported by Tornhoof
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Duplicity
Fix Released
Medium
Unassigned
Duplicity 0.7.11

Bug Description

Duplicity version: 0.7.10
Python: Python 2.7.12+
OS: Debian SID
Target: Google Drive with PyDriveBackend.py

This is not a bug, but rather an enhancement (request).

Goal: Getting Duplicity backup to google drive working without a service account

Motivation:
Using Google Drive without a service account might be useful, because then we actually see our backups in google's drive app or webpage. None of the code I can find in pydrivebackend.py is capable of handling user accounts

Let's assume we want to run the backup headless, so we need to authenticate google drive without manual input.

Result:
With google drive you have an client_secret and a storage file for the oauth response, which includes the refresh token.

I saw parts of the following code in previous versions or forks PyDriveBackend.py, so I'm not really the author of it, nor do I really know much about Python, I patched my own PyDriveBackend.py after each Duplicity release.

This is added after the other google auth code (line 68) and before the BackendException:

elif ('GOOGLE_SECRETS_FILE' in os.environ and 'GOOGLE_CREDENTIALS_FILE' in os.environ):
    gauth = GoogleAuth()
    gauth.LoadClientConfigFile(os.environ['GOOGLE_SECRETS_FILE'])
    gauth.LoadCredentialsFile(os.environ['GOOGLE_CREDENTIALS_FILE'])
    if gauth.credentials is None:
       gauth.CommandLineAuth()
    elif gauth.access_token_expired:
       gauth.Refresh()
    else:
       gauth.Authorize()
    gauth.SaveCredentialsFile(os.environ['GOOGLE_CREDENTIALS_FILE'])

What's done here?
1. We load two configuration settings, similar to the other code, one is the secrets file generated by google drive, one is a credentials file which is generated in CommandLineAuth()
2. if the credentials do not exist, we use that CommandLineAuth() method
3. If the token is expired we use the refresh token from the credentials file to refresh it
4. Otherwise we use the credentials to authorize ourself
5. We update the credential file

With the above method, it is now possible to use google drive without a service account and use the oauth refresh api to refresh the token if necessary.

You probably need to adopt the environment names to your liking.

Regards,
Torni

Kenneth Loafman (kenneth-loafman)
Changed in duplicity:
importance: Undecided → Medium
milestone: none → 0.7.11
status: New → Fix Committed
Kenneth Loafman (kenneth-loafman)
Changed in duplicity:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.