lSrSSKrSSKrSSKrSSKrSSKrSSKrSSKJr SSKJr SSKJ r SSKJ r SSKJ r Sr S r S r"S S \R5rS r"SS\5rg)z/oauth2client Service account credentials class.N)_helpers)client)crypt) transport)util notasecret_private_key_pkcs12a  This library only implements PKCS#12 support via the pyOpenSSL library. Either install pyOpenSSL, or please convert the .p12 file to .pem format: $ cat key.p12 | \ > openssl pkcs12 -nodes -nocerts -passin pass:notasecret | \ > openssl rsa > key.pem c.^\rSrSrSrSr\"S/5\RR-r Sr Sr Sr SSSS\ R\ R4U4SjjrSU4Sjjr\SS j5r\SS j5r\SS j5r\SS\ R\ R4S j5r\SS\ R\ R4S j5r\SS\ R\ R4Sj5rSrSr\S5r\S5r\S5rSrSr Sr!Sr"Sr#U=r$$)ServiceAccountCredentials+aIService Account credential for OAuth 2.0 signed JWT grants. Supports * JSON keyfile (typically contains a PKCS8 key stored as PEM text) * ``.p12`` key (stores PKCS12 key and certificate) Makes an assertion to server using a signed JWT assertion in exchange for an access token. This credential does not require a flow to instantiate because it represents a two legged flow, and therefore has all of the required information to generate and refresh its own access tokens. Args: service_account_email: string, The email associated with the service account. signer: ``crypt.Signer``, A signer which can be used to sign content. scopes: List or string, (Optional) Scopes to use when acquiring an access token. private_key_id: string, (Optional) Private key identifier. Typically only used with a JSON keyfile. Can be sent in the header of a JWT token assertion. client_id: string, (Optional) Client ID for the project that owns the service account. user_agent: string, (Optional) User agent to use when sending request. token_uri: string, URI for token endpoint. For convenience defaults to Google's endpoints but any OAuth 2.0 provider can be used. revoke_uri: string, URI for revoke endpoint. For convenience defaults to Google's endpoints but any OAuth 2.0 provider can be used. kwargs: dict, Extra key-value pairs (both strings) to send in the payload body when making an assertion. _signerNc  >[[U] SXgUS9 XlX l[ R "U5UlX@lXPl X`l Xl g)N) user_agent token_uri revoke_uri) superr __init___service_account_emailrrscopes_to_string_scopes_private_key_id client_id _user_agent_kwargs) selfservice_account_emailsignerscopesprivate_key_idrrrrkwargs __class__s /lib/third_party/oauth2client/service_account.pyr"ServiceAccountCredentials.__init__`sW '7 Z! 8 #'<# ,,V4 -"% c>Uc [R"UR5nUR[5nUb[R "U5U['[ [U]#XS9$)aUtility function that creates JSON repr. of a credentials object. Over-ride is needed since PKCS#12 keys will not in general be JSON serializable. Args: strip: array, An array of names of members to exclude from the JSON. to_serialize: dict, (Optional) The properties for this object that will be serialized. This allows callers to modify before serializing. Returns: string, a JSON representation of this instance, suitable to pass to from_json(). ) to_serialize) copy__dict__get _PKCS12_KEYbase64 b64encoderr _to_json)rstripr( pkcs12_valr#s r$r/"ServiceAccountCredentials._to_jsonwse"  99T]]3L!%%k2  !(.(8(8(DL %.> ?. .r&c URS5nU[R:wa[SUS[R5eUSnUSnUSnUSn U(d URS[R 5nU(d URS [R 5n[RRU5n U"XjUUXUS 9n X{l U $) aqHelper for factory constructors from JSON keyfile. Args: keyfile_dict: dict-like object, The parsed dictionary-like object containing the contents of the JSON keyfile. scopes: List or string, Scopes to use when acquiring an access token. token_uri: string, URI for OAuth 2.0 provider token endpoint. If unset and not present in keyfile_dict, defaults to Google's endpoints. revoke_uri: string, URI for OAuth 2.0 provider revoke endpoint. If unset and not present in keyfile_dict, defaults to Google's endpoints. Returns: ServiceAccountCredentials, a credentials object created from the keyfile contents. Raises: ValueError, if the credential type is not :data:`SERVICE_ACCOUNT`. KeyError, if one of the expected keys is not present in the keyfile. typezUnexpected credentials typeExpected client_email private_keyr!rrr)r r!rrr) r+rSERVICE_ACCOUNT ValueError oauth2clientGOOGLE_TOKEN_URIGOOGLE_REVOKE_URIrSigner from_string_private_key_pkcs8_pem) cls keyfile_dictr rr creds_typerprivate_key_pkcs8_pemr!rr credentialss r$_from_parsed_json_keyfile3ServiceAccountCredentials._from_parsed_json_keyfiles4"%%f- // /:J')?)?A A!-^ < ,] ;%&67 - $(()5)F)FHI%)),*6*H*HJJ))*?@/)7$-%/1 .C*r&c[US5n[R"U5nSSS5 URWUUUS9$!,(df  N =f)aFactory constructor from JSON keyfile by name. Args: filename: string, The location of the keyfile. scopes: List or string, (Optional) Scopes to use when acquiring an access token. token_uri: string, URI for OAuth 2.0 provider token endpoint. If unset and not present in the key file, defaults to Google's endpoints. revoke_uri: string, URI for OAuth 2.0 provider revoke endpoint. If unset and not present in the key file, defaults to Google's endpoints. Returns: ServiceAccountCredentials, a credentials object created from the keyfile. Raises: ValueError, if the credential type is not :data:`SERVICE_ACCOUNT`. KeyError, if one of the expected keys is not present in the keyfile. rNrr)openjsonloadrE)r@filenamer rrfile_objclient_credentialss r$from_json_keyfile_name0ServiceAccountCredentials.from_json_keyfile_namesR4(C H!%8!4 !,,-?7@8B-D D! s > A c$URXUUS9$)anFactory constructor from parsed JSON keyfile. Args: keyfile_dict: dict-like object, The parsed dictionary-like object containing the contents of the JSON keyfile. scopes: List or string, (Optional) Scopes to use when acquiring an access token. token_uri: string, URI for OAuth 2.0 provider token endpoint. If unset and not present in keyfile_dict, defaults to Google's endpoints. revoke_uri: string, URI for OAuth 2.0 provider revoke endpoint. If unset and not present in keyfile_dict, defaults to Google's endpoints. Returns: ServiceAccountCredentials, a credentials object created from the keyfile. Raises: ValueError, if the credential type is not :data:`SERVICE_ACCOUNT`. KeyError, if one of the expected keys is not present in the keyfile. rI)rE)r@rAr rrs r$from_json_keyfile_dict0ServiceAccountCredentials.from_json_keyfile_dicts&4,,\7@8B-D Dr&cUc[n[R[RLa[ [ 5e[RR UU5nU"XUXVS9nX(lX8lU$)aFactory constructor from JSON keyfile. Args: service_account_email: string, The email associated with the service account. private_key_pkcs12: string, The contents of a PKCS#12 keyfile. private_key_password: string, (Optional) Password for PKCS#12 private key. Defaults to ``notasecret``. scopes: List or string, (Optional) Scopes to use when acquiring an access token. token_uri: string, URI for token endpoint. For convenience defaults to Google's endpoints but any OAuth 2.0 provider can be used. revoke_uri: string, URI for revoke endpoint. For convenience defaults to Google's endpoints but any OAuth 2.0 provider can be used. Returns: ServiceAccountCredentials, a credentials object created from the keyfile. Raises: NotImplementedError if pyOpenSSL is not installed / not the active crypto library. )r rr) _PASSWORD_DEFAULTrr= OpenSSLSignerNotImplementedError _PKCS12_ERRORr>r _private_key_password) r@rprivate_key_pkcs12private_key_passwordr rrrrDs r$_from_p12_keyfile_contents4ServiceAccountCredentials._from_p12_keyfile_contentssm> '#4 <@/$-F *<',@)r&c [US5nUR5nSSS5 URUWX4XVS9$!,(df  N =f)aFactory constructor from JSON keyfile. Args: service_account_email: string, The email associated with the service account. filename: string, The location of the PKCS#12 keyfile. private_key_password: string, (Optional) Password for PKCS#12 private key. Defaults to ``notasecret``. scopes: List or string, (Optional) Scopes to use when acquiring an access token. token_uri: string, URI for token endpoint. For convenience defaults to Google's endpoints but any OAuth 2.0 provider can be used. revoke_uri: string, URI for revoke endpoint. For convenience defaults to Google's endpoints but any OAuth 2.0 provider can be used. Returns: ServiceAccountCredentials, a credentials object created from the keyfile. Raises: NotImplementedError if pyOpenSSL is not installed / not the active crypto library. rbNr\r rr)rJreadr]) r@rrMr\r rrrNr[s r$from_p12_keyfile*ServiceAccountCredentials.from_p12_keyfile+sN>(D !X!) "-- !#5!5.8 8" !s 8 Ac DUR5nURXX4XVS9$)aFactory constructor from JSON keyfile. Args: service_account_email: string, The email associated with the service account. file_buffer: stream, A buffer that implements ``read()`` and contains the PKCS#12 key contents. private_key_password: string, (Optional) Password for PKCS#12 private key. Defaults to ``notasecret``. scopes: List or string, (Optional) Scopes to use when acquiring an access token. token_uri: string, URI for token endpoint. For convenience defaults to Google's endpoints but any OAuth 2.0 provider can be used. revoke_uri: string, URI for revoke endpoint. For convenience defaults to Google's endpoints but any OAuth 2.0 provider can be used. Returns: ServiceAccountCredentials, a credentials object created from the keyfile. Raises: NotImplementedError if pyOpenSSL is not installed / not the active crypto library. ra)rbr])r@r file_bufferr\r rrr[s r$from_p12_keyfile_buffer1ServiceAccountCredentials.from_p12_keyfile_bufferQs4>)--/-- !!5.8 8r&c,[[R"55nURURUXR-UR S.nUR UR5 [R"URUURS9$)z8Generate the assertion that will be used in the request.)audscopeiatexpisskey_id) inttimerrMAX_TOKEN_LIFETIME_SECSrupdaterrmake_signed_jwtrr)rnowpayloads r$_generate_assertion-ServiceAccountCredentials._generate_assertionvsw$))+>>\\555..   t||$$$T\\7,0,@,@B Br&cPURURRU54$)aCryptographically sign a blob (of bytes). Implements abstract method :meth:`oauth2client.client.AssertionCredentials.sign_blob`. Args: blob: bytes, Message to be signed. Returns: tuple, A pair of the private key ID used to sign the blob and the signed contents. )rrsign)rblobs r$ sign_blob#ServiceAccountCredentials.sign_blobs$##T\\%6%6t%<<r- b64decoder?r rZrrrrdatetimestrptimer EXPIRY_FORMATr)r@ json_datarCr1passwordrrDrs r$ from_json#ServiceAccountCredentials.from_jsons)T** 8#7#7 #BCI $]];/   $-.F$G !\\--.CDF  ))*5J !89H\\--jCF . /  Y'$%67 , /   "  ! ,1F .  !.8 +  08 -' 2 #,^#<  )+ 6 !*> OO(,(C(C%%)%=%="'+'A'A$ r&c[UR5nURU5 UR"URUR 4UR URURURS.UD6nURUl URUl URUl URUl URUlU$)aCreate credentials that specify additional claims. Args: claims: dict, key-value pairs for claims. Returns: ServiceAccountCredentials, a copy of the current service account credentials with updated claims to use when obtaining access tokens. r)rrrtr#rrrrrrrrr?r rZ)rclaims new_kwargsrs r$create_with_claims,ServiceAccountCredentials.create_with_claimss$,,' &! ; ; $ .'+||/3/C/C*...+/+;+; . #- . >> OO(,(C(C%%)%=%="'+'A'A$ r&c(URSU05$)aCreate credentials that act as domain-wide delegation of authority. Use the ``sub`` parameter as the subject to delegate on behalf of that user. For example:: >>> account_sub = 'foo@email.com' >>> delegate_creds = creds.create_delegated(account_sub) Args: sub: string, An email address that this service account will act on behalf of (via domain-wide delegation). Returns: ServiceAccountCredentials, a copy of the current service account updated to act on behalf of ``sub``. sub)r)rrs r$create_delegated*ServiceAccountCredentials.create_delegated s&&&s|44r&)rrrrrrrrNN)rNN)%__name__ __module__ __qualname____firstlineno____doc__rs frozensetrAssertionCredentialsNON_SERIALIZED_MEMBERSr?r rZr:r;r<rr/ classmethodrErPrSr]rcrgrxr}propertyrrrrrrr__static_attributes__ __classcell__r#s@r$r r +s$L#; 9+##:: ;K"   $ '88(::..2=A//b57:>DD>9;:>DD:9=R-9-J-J.:.L.L ((T.22#/#@#@$0$B$B#8#8J59"*6*G*G+7+I+I"8"8H B =++  44l  655r&r cr[R"SSS5nX- nURS-UR-$)NiiQ)rdaysseconds)utc_timeepoch time_deltas r$_datetime_to_secsr!s:   dAq )E!J ??U "Z%7%7 77r&c^\rSrSrSrSrSSSS\R\RS4U4Sjjr Sr SSjr Sr S r \R\R4S jrS rS rSS jrSrU=r$)_JWTAccessCredentialsi)zSelf signed JWT credentials. Makes an assertion to server using a self signed JWT from service account credentials. These credentials do NOT use OAuth 2.0 and instead authenticate directly. r Nc H>U c0n [[U] "UU4UUUUUS.U D6 g)N)r!rrrr)rrr) rrrr r!rrrradditional_claimsr#s r$r_JWTAccessCredentials.__init__3sG  $ "  #T3 !  !*!! !  !r&c2[R"X5 U$)aiAuthorize an httplib2.Http instance with a JWT assertion. Unless specified, the 'aud' of the assertion will be the base uri of the request. Args: http: An instance of ``httplib2.Http`` or something that acts like it. Returns: A modified instance of http that was passed in. Example:: h = httplib2.Http() h = credentials.authorize(h) )rwrap_http_for_jwt_accessrhttps r$ authorize_JWTAccessCredentials.authorizeIs **46 r&c"Uc\URbUR(aURS5 [R"URUR 5S9$UR U5up4[R"X0RS9$)zCreate a signed jwt. Args: http: unused additional_claims: dict, additional claims to add to the payload of the JWT. Returns: An AccessTokenInfo with the signed jwt N)r expires_in)raccess_token_expiredrefreshrAccessTokenInfo _expires_in _create_token_MAX_TOKEN_LIFETIME_SECS)rrrtoken unused_expirys r$get_access_token&_JWTAccessCredentials.get_access_token[s  $  (D,E,E T")),,9I9I9KM M$(#5#56G#H E)) -J-JL Lr&cg)z*Cannot revoke JWTAccessCredentials tokens.Nrs r$revoke_JWTAccessCredentials.revokeps r&cg)NTrrs r$r,_JWTAccessCredentials.create_scoped_requiredtsr&c Z[URUR4UURURUR UUS.UR D6nURbURUlURbURUlURbURUl U$)N)r r!rrrr) r rrrrrrr?r rZ)rr rrrs r$r#_JWTAccessCredentials.create_scopedxs+4+F+F+/<<;28:>:N:N59^^6:6F6F5>6@;.2\\;  & & 2,0,G,GF )  # # /)-)A)AF &  % % 1+/+E+EF ( r&c&URS5 gr)_refreshrs r$r_JWTAccessCredentials.refreshs dr&c>UR5uUlUlgr)rrr)r http_requests r$r_JWTAccessCredentials._refreshs/3/A/A/C,4,r&c[R"5n[R"URS9nX#-n[ U5[ U5UR UR S.nURUR5 UbURU5 [R"URUURS9nURS5U4$)N)r)rlrmrnrroascii)r_UTCNOWr timedeltarrrrtrrrurrdecode)rrrvlifetimeexpiryrwjwts r$r#_JWTAccessCredentials._create_tokensnn%%d.K.KL$S)$V,....   t||$  ( NN, -##DLL'+/+?+?Azz'"F**r&)rrrr)rrrrrrr:r;r<rrrrrrrrrrrrs@r$rr)s~ $;  $ '88(::#'!,$L* /;.K.K!-!?!?(D++r&r)rr-r)rrKrrr:rrrrrrVr,rYrr rrrr&r$rsh6  !"!#  s5 ; ;s5l8x+5x+r&