o @@sdZddlmZddlmZddlmZddlZddlZddlZddlm Z ddl m Z ddl m Z dd l m Z dd l mZdd l mZdd lmZdd lmZddlmZddlZdZdZdZdZdZdZdZeeeegZdZGddde j Z Gddde Z!Gddde Z"ddZ#dd Z$Gd!d"d"e%ej&e'Z(Gd#d$d$e(Z)Gd%d&d&e(Z*Gd'd(d(e(Z+Gd)d*d*e(Z,Gd+d,d,e(Z-Gd-d.d.e(Z.dz#A library to support auth commands.)absolute_import)division)unicode_literalsN) check_browser)config) exceptions)log) properties)yaml) console_io)creds)fileszH764086051850-6qr4p6gpi6hn506pt8ejuq83di341hur.apps.googleusercontent.comzd-FL95Q19q7MQmFpd7hHD0Tyz.https://www.googleapis.com/auth/cloud-platformz0https://www.googleapis.com/auth/sqlservice.loginz%https://www.googleapis.com/auth/drivez.https://www.googleapis.com/auth/userinfo.emailopenid installedc@eZdZdZdS)Errorz A base exception for this class.N__name__ __module__ __qualname____doc__rr=/tmp/google-cloud-sdk/lib/googlecloudsdk/api_lib/auth/util.pyr;rc@r)InvalidClientSecretsErrorz:An error for when we fail to load the client secrets file.Nrrrrrr@rrc@r)BadCredentialFileExceptionz,Raised when credentials file cannot be read.NrrrrrrErrc Cs|zt|}Wn(ty}ztd||d}~wtjy/}ztd||d}~wwt|tss  zFlowRunner.Runr0) rrrrr?r:abcabstractmethodr4r>rrrrr/xs   r/c@eZdZdZddZdS) OobFlowRunnerzA flow runner to run OobFlow.cC.ddlm}|jj|j|jtjjj dSNrr;autogenerate_code_verifier) r=r<OobFlowfrom_client_configr2r1r VALUESauthdisable_code_verifierGetBoolr6rArrrr4 zOobFlowRunner._CreateFlowNrrrrr4rrrrrE rEc@rD)NoBrowserFlowRunnerz#A flow runner to run NoBrowserFlow.cCrFrG) r=r< NoBrowserFlowrKr2r1r rLrMrNrOrPrrrr4rQzNoBrowserFlowRunner._CreateFlowNrRrrrrrTrSrTc@rD)"RemoteLoginWithAuthProxyFlowRunnerz2A flow runner to run RemoteLoginWithAuthProxyFlow.cCs2ddlm}|jj|j|jtjjj |j dS)Nrr;)rIr9) r=r<RemoteLoginWithAuthProxyFlowrKr2r1r rLrMrNrOr3rPrrrr4s z.RemoteLoginWithAuthProxyFlowRunner._CreateFlowNrRrrrrrVrSrVc@rD)NoBrowserHelperRunnerz)A flow runner to run NoBrowserHelperFlow.cCsNddlm}z|jj|j|jtjjj dWS|j y&t dw)Nrr;rHzCannot start a local server to handle authorization redirection. Please run this command on a machine where gcloud can start a local server.)r=r<NoBrowserHelperFlowrKr2r1r rLrMrNrOLocalServerCreationErrorrr)rPrrrr4s  z!NoBrowserHelperRunner._CreateFlowNrRrrrrrXrSrXc@eZdZdZdZddZdS) BrowserFlowWithOobFallbackRunnerz?A flow runner to try normal web flow and fall back to oob flow.zXThere was a problem with web authentication. Try running again with --no-launch-browser.c Cddlm}z|jj|j|jtjjj dWS|j yF}z!t |t d|jj|j|jtjjj dWYd}~Sd}~ww)Nrr;rHz"Defaulting to URL copy/paste mode.)r=r< FullWebFlowrKr2r1r rLrMrNrOrZrwarningrJr6rAr$rrrr4*   z,BrowserFlowWithOobFallbackRunner._CreateFlowNrrrrr?r4rrrrr\ r\c@r[)&BrowserFlowWithNoBrowserFallbackRunnerzEA flow runner to try normal web flow and fall back to NoBrowser flow.zQThere was a problem with web authentication. Try running again with --no-browser.c Cr])Nrr;rHz Defaulting to --no-browser mode.)r=r<r^rKr2r1r rLrMrNrOrZrr_rUr`rrrr4raz2BrowserFlowWithNoBrowserFallbackRunner._CreateFlowNrbrrrrrdrcrdcCs>|rt| }t|WdS1swYtS)zECreates a client config from a client id file or gcloud's properties.N)r FileReaderjsonload+_CreateGoogleAuthClientConfigFromProperties)client_id_filefrrr_CreateGoogleAuthClientConfig s   rkcCsPtjjjjdd}t}tjjjjdd}tjjjjdd}d||||diS)z1Creates a client config from gcloud's properties.T)requiredr) client_id client_secretauth_uri token_uri) r rLrM auth_hostr+r GetDefaultTokenUrirmrn)rorprmrnrrrrhsrhcCs|ddtjtfvS)Nrrm)rCLOUDSDK_CLIENT_ID%DEFAULT_CREDENTIALS_DEFAULT_CLIENT_ID)r8rrr_IsGoogleOwnedClientID$s ruFcCsPddlm}ddlm} ddlm} |rt||st|}|s"i}tj dd} |r6t ||j d i|} nR|rM| s?| dt ||j d d|i|} n;|r\t|||j d i|} n,| s}|rpt|spt ||j d i|} nt|||j d i|} n t||j d i|} | rt| | jrdd lm} | j| St| |jr| Sd Sd S) a/Launches a 3LO oauth2 flow to get google-auth credentials. Args: scopes: [str], The list of scopes to authorize. client_id_file: str, The path to a file containing the client id and secret to use for the flow. If None, the default client id for the Cloud SDK is used. client_config: Optional[Mapping], the client secrets and urls that should be used for the OAuth flow. no_launch_browser: bool, True if users specify --no-launch-browser flag to use the remote login with auth proxy flow. no_browser: bool, True if users specify --no-browser flag to ask another gcloud instance to help with authorization. remote_bootstrap: str, The auth parameters specified by --remote-bootstrap flag. Once used, it means the command is to help authorize another gcloud (i.e. gcloud without access to browser). query_params: Optional[Mapping], extra params to pass to the flow during `Run`. These params end up getting used as query params for authorization_url. auth_proxy_redirect_uri: str, The uri where OAuth service will redirect the user to once the authentication is complete for a remote login with auth proxy flow. Returns: core.credentials.google_auth_credentials.Credentials, The credentials obtained from the flow. r) external_account_authorized_user) credentialsr;T)attempt_launch_browserzbCannot launch browser. Please run this command on a machine where gcloud can launch a web browser.partial_auth_url)google_auth_credentialsNr) google.authrv google.oauth2rwr=r<!AssertClientSecretIsInstalledTyperkrShouldLaunchBrowserrTr>WebBrowserInaccessiblerXrVrurdr CredentialsrzFromGoogleAuthUserCredentials)r7rir8no_launch_browser no_browserremote_bootstrap query_paramsauth_proxy_redirect_urirvoauth2_credentialsrAcan_launch_browser user_creds c_google_authrrr#DoInstalledAppBrowserFlowGoogleAuth)sv #       rcCsd}z tt|}Wn!tjytd|dtjy-td|d|wt|dkr;td|t|d}|t krRtd t d |d |d S) zDAssert that the file is a valid json file for installed application.zTo obtain a valid client ID file, create a Desktop App following the steps outlined in https://support.google.com/cloud/answer/6158849?hl=en#zippy=%2Cnative-applications%2Cdesktop-apps.zCannot read file: "z".zClient ID file z is not a valid JSON file. zNExpected a JSON object with a single property for an "installed" application. rzOnly client IDs of type 'z%' are allowed, but encountered type 'z'. N) rfloadsr ReadFileContentsrrJSONDecodeErrorlentupleCLIENT_SECRET_INSTALLED_TYPE)riactionable_messageobj client_typerrrr}s:  r}cCsdtjjj}||kr dStd|||}tj |d}|r0t tjjj|t j ddSdS)aKPrompt the user to update the universe domain if there is conflict. If the given universe domain is different from the core/universe_domain property, prompt the user to update the core/universe_domain property. Args: new_universe_domain: str, The given new universe domain. account: str, The account name to use. Nz WARNING: This account [{0}] is from the universe domain [{1}], which does not match the current core/universe property [{2}]. Do you want to set property [core/universe_domain] to [{1}]? [Y/N] )messagez(Updated property [core/universe_domain].)r rLcoreuniverse_domainr+textwrapdedentrr PromptContinuePersistPropertyrstatusPrint)new_universe_domainaccountcurrent_universe_domainrshould_update_universe_domainrrrHandleUniverseDomainConflicts    rr0)NNFFNNN)5r __future__rrrrBrfrgooglecloudsdk.command_lib.utilrr'rrrr r googlecloudsdk.core.consoler r=r googlecloudsdk.core.utilr sixrt)DEFAULT_CREDENTIALS_DEFAULT_CLIENT_SECRETCLOUD_PLATFORM_SCOPESQL_LOGIN_SCOPEGOOGLE_DRIVE_SCOPEUSER_EMAIL_SCOPEOPENIDDEFAULT_SCOPESrrrrr%r.with_metaclassABCMetaobjectr/rErTrVrXr\rdrkrhrurr}rrrrrsn            #    X