From 256d2bf0afb202c7f7c46316fd7d2f0ff9a93736 Mon Sep 17 00:00:00 2001
From: Jon Wayne Parrott <jonwayne@google.com>
Date: Tue, 13 Dec 2016 16:12:02 -0800
Subject: [PATCH] Add app_engine.Signer (#97)

---
 google/auth/app_engine.py | 31 +++++++++++++++++++++++++++----
 google/auth/crypt.py      |  2 +-
 2 files changed, 28 insertions(+), 5 deletions(-)

diff --git a/google/auth/app_engine.py b/google/auth/app_engine.py
index 608651d84..846bcec08 100644
--- a/google/auth/app_engine.py
+++ b/google/auth/app_engine.py
@@ -12,10 +12,10 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-"""Google App Engine standard environment credentials.
+"""Google App Engine standard environment support.
 
-This module provides authentication for application running on App Engine in
-the standard environment using the `App Identity API`_.
+This module provides authentication and signing for applications running on App
+Engine in the standard environment using the `App Identity API`_.
 
 
 .. _App Identity API:
@@ -33,6 +33,29 @@
     app_identity = None
 
 
+class Signer(object):
+    """Signs messages using the App Engine app identity service.
+
+    This can be used in place of :class:`google.auth.crypt.Signer` when
+    running in the App Engine standard environment.
+    """
+    def __init__(self):
+        self.key_id = None
+
+    @staticmethod
+    def sign(message):
+        """Signs a message.
+
+        Args:
+            message (Union[str, bytes]): The message to be signed.
+
+        Returns:
+            bytes: The signature of the message.
+        """
+        message = _helpers.to_bytes(message)
+        return app_identity.sign_blob(message)
+
+
 def get_project_id():
     """Gets the project ID for the current App Engine application.
 
@@ -109,7 +132,7 @@ def with_scopes(self, scopes):
 
     @_helpers.copy_docstring(credentials.Signing)
     def sign_bytes(self, message):
-        return app_identity.sign_blob(message)
+        return Signer().sign(message)
 
     @property
     @_helpers.copy_docstring(credentials.Signing)
diff --git a/google/auth/crypt.py b/google/auth/crypt.py
index 8d5ac7c74..618afe594 100644
--- a/google/auth/crypt.py
+++ b/google/auth/crypt.py
@@ -186,7 +186,7 @@ def sign(self, message):
             message (Union[str, bytes]): The message to be signed.
 
         Returns:
-            bytes: The signature of the message for the given key.
+            bytes: The signature of the message.
         """
         message = _helpers.to_bytes(message)
         return rsa.pkcs1.sign(message, self._key, 'SHA-256')