o l@sdZddlZddlZddlZddlZddlZddlZddlmZddlmZddlm Z ddlm Z ddlm Z dZ d Z d ZGd d d ejZd dZGdddeZdS)z/oauth2client Service account credentials class.N)_helpers)client)crypt) transport)util notasecret_private_key_pkcs12a  This library only implements PKCS#12 support via the pyOpenSSL library. Either install pyOpenSSL, or please convert the .p12 file to .pem format: $ cat key.p12 | \ > openssl pkcs12 -nodes -nocerts -passin pass:notasecret | \ > openssl rsa > key.pem cs<eZdZdZdZ edgejjBZ dZ dZ dZ dddde j e jffdd Zd(fdd Ze d)d d Ze  d*d d Ze  d*ddZedde j e jfddZedde j e jfddZedde j e jfddZddZddZeddZeddZeddZd d!Zd"d#Zd$d%Z d&d'Z!Z"S)+ServiceAccountCredentialsaService Account credential for OAuth 2.0 signed JWT grants. Supports * JSON keyfile (typically contains a PKCS8 key stored as PEM text) * ``.p12`` key (stores PKCS12 key and certificate) Makes an assertion to server using a signed JWT assertion in exchange for an access token. This credential does not require a flow to instantiate because it represents a two legged flow, and therefore has all of the required information to generate and refresh its own access tokens. Args: service_account_email: string, The email associated with the service account. signer: ``crypt.Signer``, A signer which can be used to sign content. scopes: List or string, (Optional) Scopes to use when acquiring an access token. private_key_id: string, (Optional) Private key identifier. Typically only used with a JSON keyfile. Can be sent in the header of a JWT token assertion. client_id: string, (Optional) Client ID for the project that owns the service account. user_agent: string, (Optional) User agent to use when sending request. token_uri: string, URI for token endpoint. For convenience defaults to Google's endpoints but any OAuth 2.0 provider can be used. revoke_uri: string, URI for revoke endpoint. For convenience defaults to Google's endpoints but any OAuth 2.0 provider can be used. kwargs: dict, Extra key-value pairs (both strings) to send in the payload body when making an assertion. _signerNc  sLtt|jd|||d||_||_t||_||_||_ ||_ | |_ dS)N) user_agent token_uri revoke_uri) superr __init___service_account_emailr rscopes_to_string_scopes_private_key_id client_id _user_agent_kwargs) selfservice_account_emailsignerscopesprivate_key_idrr rrkwargs __class__E/tmp/google-cloud-sdk/lib/third_party/oauth2client/service_account.pyr`s   z"ServiceAccountCredentials.__init__csH|dur t|j}|t}|durt||t<tt|j||dS)acUtility function that creates JSON repr. of a credentials object. Over-ride is needed since PKCS#12 keys will not in general be JSON serializable. Args: strip: array, An array of names of members to exclude from the JSON. to_serialize: dict, (Optional) The properties for this object that will be serialized. This allows callers to modify before serializing. Returns: string, a JSON representation of this instance, suitable to pass to from_json(). N) to_serialize) copy__dict__get _PKCS12_KEYbase64 b64encoderr _to_json)rstripr# pkcs12_valrr!r"r*ws   z"ServiceAccountCredentials._to_jsonc Cs|d}|tjkrtd|dtj|d}|d}|d}|d} |s+|dtj}|s4|d tj}tj |} ||| ||| ||d } || _ | S) a Helper for factory constructors from JSON keyfile. Args: keyfile_dict: dict-like object, The parsed dictionary-like object containing the contents of the JSON keyfile. scopes: List or string, Scopes to use when acquiring an access token. token_uri: string, URI for OAuth 2.0 provider token endpoint. If unset and not present in keyfile_dict, defaults to Google's endpoints. revoke_uri: string, URI for OAuth 2.0 provider revoke endpoint. If unset and not present in keyfile_dict, defaults to Google's endpoints. Returns: ServiceAccountCredentials, a credentials object created from the keyfile contents. Raises: ValueError, if the credential type is not :data:`SERVICE_ACCOUNT`. KeyError, if one of the expected keys is not present in the keyfile. typezUnexpected credentials typeExpected client_email private_keyrrrr)rrrrr) r&rSERVICE_ACCOUNT ValueError oauth2clientGOOGLE_TOKEN_URIGOOGLE_REVOKE_URIrSigner from_string_private_key_pkcs8_pem) cls keyfile_dictrrr creds_typerprivate_key_pkcs8_pemrrr credentialsr!r!r"_from_parsed_json_keyfiles2   z3ServiceAccountCredentials._from_parsed_json_keyfilecCsFt|d }t|}Wdn1swY|j||||dS)aFactory constructor from JSON keyfile by name. Args: filename: string, The location of the keyfile. scopes: List or string, (Optional) Scopes to use when acquiring an access token. token_uri: string, URI for OAuth 2.0 provider token endpoint. If unset and not present in the key file, defaults to Google's endpoints. revoke_uri: string, URI for OAuth 2.0 provider revoke endpoint. If unset and not present in the key file, defaults to Google's endpoints. Returns: ServiceAccountCredentials, a credentials object created from the keyfile. Raises: ValueError, if the credential type is not :data:`SERVICE_ACCOUNT`. KeyError, if one of the expected keys is not present in the keyfile. rNrr)openjsonloadr>)r9filenamerrrfile_objclient_credentialsr!r!r"from_json_keyfile_names  z0ServiceAccountCredentials.from_json_keyfile_namecCs|j||||dS)aFactory constructor from parsed JSON keyfile. Args: keyfile_dict: dict-like object, The parsed dictionary-like object containing the contents of the JSON keyfile. scopes: List or string, (Optional) Scopes to use when acquiring an access token. token_uri: string, URI for OAuth 2.0 provider token endpoint. If unset and not present in keyfile_dict, defaults to Google's endpoints. revoke_uri: string, URI for OAuth 2.0 provider revoke endpoint. If unset and not present in keyfile_dict, defaults to Google's endpoints. Returns: ServiceAccountCredentials, a credentials object created from the keyfile. Raises: ValueError, if the credential type is not :data:`SERVICE_ACCOUNT`. KeyError, if one of the expected keys is not present in the keyfile. r@)r>)r9r:rrrr!r!r"from_json_keyfile_dictsz0ServiceAccountCredentials.from_json_keyfile_dictc CsP|durt}tjtjurtttj||}||||||d}||_||_|S)axFactory constructor from JSON keyfile. Args: service_account_email: string, The email associated with the service account. private_key_pkcs12: string, The contents of a PKCS#12 keyfile. private_key_password: string, (Optional) Password for PKCS#12 private key. Defaults to ``notasecret``. scopes: List or string, (Optional) Scopes to use when acquiring an access token. token_uri: string, URI for token endpoint. For convenience defaults to Google's endpoints but any OAuth 2.0 provider can be used. revoke_uri: string, URI for revoke endpoint. For convenience defaults to Google's endpoints but any OAuth 2.0 provider can be used. Returns: ServiceAccountCredentials, a credentials object created from the keyfile. Raises: NotImplementedError if pyOpenSSL is not installed / not the active crypto library. N)rrr) _PASSWORD_DEFAULTrr6 OpenSSLSignerNotImplementedError _PKCS12_ERRORr7r_private_key_password) r9rprivate_key_pkcs12private_key_passwordrrrrr=r!r!r"_from_p12_keyfile_contentss z4ServiceAccountCredentials._from_p12_keyfile_contentsc CsHt|d }|}Wdn1swY|j||||||dS)apFactory constructor from JSON keyfile. Args: service_account_email: string, The email associated with the service account. filename: string, The location of the PKCS#12 keyfile. private_key_password: string, (Optional) Password for PKCS#12 private key. Defaults to ``notasecret``. scopes: List or string, (Optional) Scopes to use when acquiring an access token. token_uri: string, URI for token endpoint. For convenience defaults to Google's endpoints but any OAuth 2.0 provider can be used. revoke_uri: string, URI for revoke endpoint. For convenience defaults to Google's endpoints but any OAuth 2.0 provider can be used. Returns: ServiceAccountCredentials, a credentials object created from the keyfile. Raises: NotImplementedError if pyOpenSSL is not installed / not the active crypto library. rbNrOrrr)rAreadrP) r9rrDrOrrrrErNr!r!r"from_p12_keyfile+s  z*ServiceAccountCredentials.from_p12_keyfilecCs|}|j||||||dS)aFactory constructor from JSON keyfile. Args: service_account_email: string, The email associated with the service account. file_buffer: stream, A buffer that implements ``read()`` and contains the PKCS#12 key contents. private_key_password: string, (Optional) Password for PKCS#12 private key. Defaults to ``notasecret``. scopes: List or string, (Optional) Scopes to use when acquiring an access token. token_uri: string, URI for token endpoint. For convenience defaults to Google's endpoints but any OAuth 2.0 provider can be used. revoke_uri: string, URI for revoke endpoint. For convenience defaults to Google's endpoints but any OAuth 2.0 provider can be used. Returns: ServiceAccountCredentials, a credentials object created from the keyfile. Raises: NotImplementedError if pyOpenSSL is not installed / not the active crypto library. rR)rSrP)r9r file_bufferrOrrrrNr!r!r"from_p12_keyfile_bufferQs z1ServiceAccountCredentials.from_p12_keyfile_buffercCsHtt}|j|j|||j|jd}||jtj |j ||j dS)z8Generate the assertion that will be used in the request.)audscopeiatexpisskey_id) inttimerrMAX_TOKEN_LIFETIME_SECSrupdaterrmake_signed_jwtr r)rnowpayloadr!r!r"_generate_assertionvs   z-ServiceAccountCredentials._generate_assertioncCs|j|j|fS)aUCryptographically sign a blob (of bytes). Implements abstract method :meth:`oauth2client.client.AssertionCredentials.sign_blob`. Args: blob: bytes, Message to be signed. Returns: tuple, A pair of the private key ID used to sign the blob and the signed contents. )rr sign)rblobr!r!r" sign_blobs z#ServiceAccountCredentials.sign_blobcCs|jS)zGet the email for the current service account. Returns: string, The email associated with the service account. )rrr!r!r"rsz/ServiceAccountCredentials.service_account_emailcCsd|j|j|j|jdS)Nservice_account)r-r/rr0r)rrr8rrir!r!r"serialization_datas z,ServiceAccountCredentials.serialization_datacCst|ts tt|}d}|t}d}|dur%|d}tj |}nt |}|d}tj ||}||d|f|d|d|d|dd |d }|durV||_ |dur]||_|durd||_|d |_|d |_|d |_|d|_|dd}|durtj|tj|_|S)aMDeserialize a JSON-serialized instance. Inverse to :meth:`to_json`. Args: json_data: dict or string, Serialized JSON (as a string or an already parsed dictionary) representing a credential. Returns: ServiceAccountCredentials from the serialized data. Nr8rMrrrrrrrrr rinvalid access_tokenrr token_expiry) isinstancedictrBloadsr _from_bytesr&r'rr6r7r( b64decoder8rrMrmrnrrdatetimestrptimer EXPIRY_FORMATro)r9 json_datar<r,passwordrr=ror!r!r" from_jsonsL         z#ServiceAccountCredentials.from_jsoncCs|j SN)rrir!r!r"create_scoped_requiredsz0ServiceAccountCredentials.create_scoped_requiredcCsV|j|j|jf||j|j|jd|j}|j|_|j|_|j |_ |j |_ |j |_ |S)Nrl) r rr rrrrrrr8rrM)rrresultr!r!r" create_scopeds z'ServiceAccountCredentials.create_scopedcCsjt|j}|||j|j|jf|j|j|j|j d|}|j |_ |j |_ |j |_ |j |_ |j|_|S)a<Create credentials that specify additional claims. Args: claims: dict, key-value pairs for claims. Returns: ServiceAccountCredentials, a copy of the current service account credentials with updated claims to use when obtaining access tokens. rl)rqrrar rr rrrrrrr8rrM)rclaims new_kwargsr}r!r!r"create_with_claimss$ z,ServiceAccountCredentials.create_with_claimscCs|d|iS)aYCreate credentials that act as domain-wide delegation of authority. Use the ``sub`` parameter as the subject to delegate on behalf of that user. For example:: >>> account_sub = 'foo@email.com' >>> delegate_creds = creds.create_delegated(account_sub) Args: sub: string, An email address that this service account will act on behalf of (via domain-wide delegation). Returns: ServiceAccountCredentials, a copy of the current service account updated to act on behalf of ``sub``. sub)r)rrr!r!r"create_delegated sz*ServiceAccountCredentials.create_delegatedr{NN)r NN)#__name__ __module__ __qualname____doc__r` frozensetrAssertionCredentialsNON_SERIALIZED_MEMBERSr8rrMr3r4r5rr* classmethodr>rGrHrPrTrVrerhpropertyrrkrzr|r~rr __classcell__r!r!rr"r +st& 1   * % $   6r cCs&tddd}||}|jd|jS)NiiQ)rudaysseconds)utc_timeepoch time_deltar!r!r"_datetime_to_secs!srcseZdZdZdZ ddddejejdffdd ZddZ ddd Z d d Z d d Z ejejfddZ ddZddZdddZZS)_JWTAccessCredentialszSelf signed JWT credentials. Makes an assertion to server using a self signed JWT from service account credentials. These credentials do NOT use OAuth 2.0 and instead authenticate directly. r Nc s6| duri} tt|j||f|||||d| dS)N)rrr rr)rrr) rrrrrrr rradditional_claimsrr!r"r3s   z_JWTAccessCredentials.__init__cCst|||S)aAuthorize an httplib2.Http instance with a JWT assertion. Unless specified, the 'aud' of the assertion will be the base uri of the request. Args: http: An instance of ``httplib2.Http`` or something that acts like it. Returns: A modified instance of http that was passed in. Example:: h = httplib2.Http() h = credentials.authorize(h) )rwrap_http_for_jwt_accessrhttpr!r!r" authorizeIs z_JWTAccessCredentials.authorizecCsT|dur|jdus |jr|dtj|j|dS||\}}tj||jdS)zCreate a signed jwt. Args: http: unused additional_claims: dict, additional claims to add to the payload of the JWT. Returns: An AccessTokenInfo with the signed jwt N)rn expires_in)rnaccess_token_expiredrefreshrAccessTokenInfo _expires_in _create_token_MAX_TOKEN_LIFETIME_SECS)rrrtoken unused_expiryr!r!r"get_access_token[s   z&_JWTAccessCredentials.get_access_tokencCdS)z*Cannot revoke JWTAccessCredentials tokens.Nr!rr!r!r"revokepz_JWTAccessCredentials.revokecCr)NTr!rir!r!r"r|trz,_JWTAccessCredentials.create_scoped_requiredc Csft|j|jf||j|j|j||d|j}|jdur|j|_|jdur(|j|_|j dur1|j |_ |S)N)rrrr rr) r rr rrrrr8rrM)rrrrr}r!r!r"r~xs&   z#_JWTAccessCredentials.create_scopedcCs|ddSr{)_refreshrr!r!r"rsz_JWTAccessCredentials.refreshcCs|\|_|_dSr{)rrnro)r http_requestr!r!r"rsz_JWTAccessCredentials._refreshcCsxt}tj|jd}||}t|t||j|jd}||j|dur+||t j |j ||j d}| d|fS)N)r)rYrZr[rr\ascii)r_UTCNOWru timedeltarrrrarrrbr rdecode)rrrclifetimeexpiryrdjwtr!r!r"rs   z#_JWTAccessCredentials._create_tokenrr{)rrrrrr3r4r5rrrrr|r~rrrrr!r!rr"r)s,  r)rr(r$rurBr_r3rrrrrrIr'rLrr rrr!r!r!r"s*      y