DSrSSKrSSKrSSKrSSKrSSKrSSKrSSKJr SSKJ r SSKJ r SSK J r SSK Jr SSKrSSKrSSKrSSKJr SS KJr SS KJr SS KJr SS KJr S r\R6"\5rSrSr\c Sr Sr!Sr"Sr#Sr$Sr%OH\R@r \RBr!\RDr"\RLr#\RNr$\RJr%Sr("SS\ RR5r*Sr+Sr,"SS\RZ5r."SS\ R^5r0"SS\ R^5r1"SS\Rd5r3"SS\ RR5r4Sr5S r6"S!S"\75r8"S#S$\85r9\Rt"S%5S'S&j5r;g!\a SrGN:f=f)(zgUtilities for Google App Engine Utilities for making it easier to use OAuth 2.0 on Google App Engine. N) app_identity)memcache)users)db)login_required)client) clientsecrets)util)xsrfutil)_appengine_ndbz$jcgregorio@google.com (Joe Gregorio)zoauth2client#nsxsrf_secret_keycL[R"USS9RSS5$)z~Escape text to make it safe to display. Args: s: string, The text to escape. Returns: The escaped text as a string. )quote'z')cgiescapereplace)ss 1lib/third_party/oauth2client/contrib/appengine.py _safe_htmlrHs" ::aq ! ) )#w 77c:\rSrSrSr\R "5rSrg)SiteXsrfSecretKeyTzyStorage for the sites XSRF secret key. There will only be one instance stored of this model, the one used for the site. N) __name__ __module__ __qualname____firstlineno____doc__rStringPropertysecret__static_attributes__rrrrrTs    FrrcL[R"S5RS5$)z!Returns a random XSRF secret key.hex)osurandomencoderrr_generate_new_xsrf_secret_keyr+]s ::b>  ''rc:[R"[[S9nU(dm[R SS9nUR (d[5UlUR5 UR n[R"[U[S9 [U5$)zReturn the secret key for use for XSRF protection. If the Site entity does not have a secret key, this method will also create one and persist it. Returns: The secret key. ) namespacesite)key_name) rgetXSRF_MEMCACHE_IDOAUTH2CLIENT_NAMESPACEr get_or_insertr#r+putaddstr)r#models rr r bso\\*6L MF !///@||8:EL IIK %v5 7 v;rc^\rSrSrSr\R "S5U4Sj5r\S5r Sr \ S5r Sr S rS r\ S 5rS rU=r$) AppAssertionCredentialsyaCredentials object for App Engine Assertion Grants This object will allow an App Engine application to identify itself to Google and other OAuth 2.0 servers that can verify assertions. It can be used for the purpose of accessing data stored under an account assigned to the App Engine application itself. This credential does not require a flow to instantiate because it represents a two legged flow, and therefore has all of the required information to generate and refresh its own access tokens. c >[R"U5UlX lUR SS5UlSUl[[U]'S5 g)ayConstructor for AppAssertionCredentials Args: scope: string or iterable of strings, scope(s) of the credentials being requested. **kwargs: optional keyword args, including: service_account_id: service account id of the application. If None or unspecified, the default service account for the app is used. service_account_idN) r scopes_to_stringscope_kwargsr0r=_service_account_emailsuperr9__init__)selfr?kwargs __class__s rrC AppAssertionCredentials.__init__sJ**51  "(**-A4"H&*# %t5d;rcJ[R"U5n[US5$)Nr?)jsonloadsr9)cls json_datadatas r from_json!AppAssertionCredentials.from_jsonszz)$&tG}55rcURR5n[R"X RS9up4X0l g![R a$n[ R"[U55eSnAff=f)aRefreshes the access_token. Since the underlying App Engine app_identity implementation does its own caching we can skip all the storage hoops and just to a refresh using the API. Args: http_request: callable, a callable that matches the method signature of httplib2.Http.request, used to make the refresh request. Raises: AccessTokenRefreshError: When the refresh fails. )r=N) r?splitrget_access_tokenr=ErrorrAccessTokenRefreshErrorr6 access_token)rD http_requestscopestoken_es r_refresh AppAssertionCredentials._refreshsj 9ZZ%%'F%66+B+BDJU"!! 900Q8 8 9s:AA;A66A;c[S5e)Nz3Cannot serialize credentials for Google App Engine.)NotImplementedErrorrDs rserialization_data*AppAssertionCredentials.serialization_datas!#;< >>rc.[R"U5$)aCryptographically sign a blob (of bytes). Implements abstract method :meth:`oauth2client.client.AssertionCredentials.sign_blob`. Args: blob: bytes, Message to be signed. Returns: tuple, A pair of the private key ID used to sign the blob and the signed contents. )r sign_blob)rDblobs rrj!AppAssertionCredentials.sign_blobs%%d++rchURc[R"5UlUR$)zGet the email for the current service account. Returns: string, The email associated with the Google App Engine service account. )rArget_service_account_namer_s rservice_account_email-AppAssertionCredentials.service_account_emails0  & & .557  '***r)r@rArUr?r=)rrrr r!r positionalrC classmethodrNr[propertyr`rdrgrjror$ __classcell__rFs@rr9r9ysu  __Q<<(66".<<? , + +rr9c\^\rSrSrSr\R rU4SjrSr U4Sjr Sr Sr U=r $) FlowPropertyzyApp Engine datastore Property for Flow. Utility property that allows easy storage and retrieval of an oauth2client.Flow c~>[[U] U5n[R"[ R "U55$rc)rBrwget_value_for_datastorerBlobpickledumps)rDmodel_instanceflowrFs rrz$FlowProperty.get_value_for_datastores/\4@ wwv||D)**rc6Ucg[R"U5$rc)r|rJrDvalues rmake_value_from_datastore&FlowProperty.make_value_from_datastores =||E""rc>UbO[U[R5(d0[R"SR UR U55e[[U]'U5$)NzDProperty {0} must be convertible to a FlowThreeLegged instance ({1})) isinstancerFlowr BadValueErrorformatnamerBrwvalidaterDrrFs rrFlowProperty.validatesW  Zv{{%C%C""66[RS[[U55-5 [[ U]U5nUcSnOUR5n[R"U5$)Nzget: Got type ) loggerinfor6typerBrrzto_jsonrr{)rDr~credrFs rrz+CredentialsProperty.get_value_for_datastore sW $s4+?'@@A($G  <D<<>Dwwt}rc[RS[[U55-5 Ucg[ U5S:Xag[ R RU5nU$![a SnU$f=f)Nzmake: Got type r) rrr6rlenr Credentials new_from_json ValueError)rDr credentialss rr-CredentialsProperty.make_value_from_datastoresr %DK(889 = u:?  ,,::5AK K sA!! A10A1c&>[[U] U5n[R S[ [ U55-5 UbO[U[R5(d0[R"SRURU55eU$)Nzvalidate: Got type z@Property {0} must be convertible to a Credentials instance ({1}))rBrrrrr6rrrrrrrrrs rrCredentialsProperty.validate"sy)49%@ )CU ,<<=  Zv7I7I%J%J""228&E2JL L rr) rrrr r!rrrrzrrr$rtrus@rrrs)""I rrc^\rSrSrSr\R "S5SU4Sjj5rSrSr Sr \ R"SS 9S 5r \ R"SS 9S 5r\ R"SS 9S 5rS rU=r$)StorageByKeyNamei,zStore and retrieve a credential to and from the App Engine datastore. This Storage helper presumes the Credentials have been stored as a CredentialsProperty or CredentialsNDBProperty on a datastore model class, and that entities are stored by key_name. c>[[U] 5 UcUc [S5eUR 5nXlX lX0lX@lg)aConstructor for Storage. Args: model: db.Model or ndb.Model, model class key_name: string, key name for the entity that has the credentials property_name: string, name of the property that is a CredentialsProperty or CredentialsNDBProperty. cache: memcache, a write-through cache to put in front of the datastore. If the model you are using is an NDB model, using a cache will be redundant since the model uses an instance cache and memcache for you. user: users.User object, optional. Can be used to grab user ID as a key_name if no key name is specified. Nz1StorageByKeyName called with no key name or user.) rBrrCruser_id_model _key_name_property_name_cache)rDr7r/ property_namecacheuserrFs rrCStorageByKeyName.__init__4sP .0  | "566||~H !+ rc*[UR[5(aQ[b [ UR[5(ag[ UR[ R 5(ag[SRUR55e)zDetermine whether the model of the instance is an NDB model. Returns: Boolean indicating whether or not the model is an NDB or DB model. TFz(Model class not an NDB or DB model: {0}.) rrr _NDB_MODEL issubclassrModel TypeErrorrr_s r_is_ndbStorageByKeyName._is_ndbQsg dkk4 ( (%*T[[**M*MDKK22 6 = =dkk JL LrcUR5(a%URRUR5$URR UR5$)zRetrieve entity from datastore. Uses a different model method for db or ndb models. Returns: Instance of the model corresponding to the current storage object and stored using the key name of the storage object. )rr get_by_idrget_by_key_namer_s r _get_entityStorageByKeyName._get_entitycsA <<>>;;((8 8;;..t~~> >rc<UR5(a/[URUR5R 5 g[ R RURR5UR5n[ R"U5 g)zDelete entity from datastore. Attempts to delete using the key_name stored on the object, whether or not the given key is in the datastore. N) r_NDB_KEYrrdeleterKey from_pathkind)rD entity_keys r_delete_entityStorageByKeyName._delete_entityqs] <<>> T[[$.. 1 8 8 :))$++*:*:*>2D$00>>tD  %%'F!%f.A.AB ;;KKOODNNK4G4G4IJ 7; <<  ! !$ 'rc&URRUR5n[X RU5 UR 5 UR (a5UR RURUR55 gg)zeWrite a Credentials to the datastore. Args: credentials: Credentials, the credentials to store. N) rr3rsetattrrr4rrr)rDrrs r locked_putStorageByKeyName.locked_puts`**4>>:++[9 ;; KKOODNNK,?,?,A B rcUR(a%URRUR5 UR5 g)z!Delete Credential from datastore.N)rrrrr_s r locked_deleteStorageByKeyName.locked_deletes- ;; KK  t~~ . r)rrrrNN)rrrr r!r rqrCrrrrnon_transactionalrrrr$rtrus@rrr,s __Q8L$ ? "./,. C/ C./rrc&\rSrSrSr\"5rSrg)CredentialsModelizXStorage for OAuth 2.0 Credentials Storage of the model is keyed by the user.user_id(). rN)rrrr r!rrr$rrrrrs&'KrrcURRn[R"[ 5UR 5[ U5S9nUS-U-$)ahComposes the value for the 'state' parameter. Packs the current request URI and an XSRF token into an opaque string that can be passed to the authentication server via the 'state' parameter. Args: request_handler: webapp.RequestHandler, The request. user: google.appengine.api.users.User, The current user. Returns: The state value as a string.  action_id:)requesturlr generate_tokenr rr6)request_handlerrurirXs r_build_state_valuersH  ! ! % %C  # #O$5t||~.1#h 8E 9u rcURSS5up#[R"[5X1R 5US9(aU$g)a.Parse the value of the 'state' parameter. Parses the value and validates the XSRF token in the state parameter. Args: state: string, The value of the state parameter. user: google.appengine.api.users.User, The current user. Returns: The redirect URI, or None if XSRF token is not valid. rrrN)rsplitr validate_tokenr r)staterrrXs r_parse_state_valuers<c1%JC0%),. rc \rSrSrSrSrSr\"\\5rSr Sr \"\ \ 5r \ R"S5\R\R \R"SSS S\\S 4 S j5rS rS rSrSrSrSrSr\S5rSrSrSrg)OAuth2Decoratoria(Utility for making OAuth 2.0 easier. Instantiate and then use with oauth_required or oauth_aware as decorators on webapp.RequestHandler methods. :: decorator = OAuth2Decorator( client_id='837...ent.com', client_secret='Qh...wwI', scope='https://www.googleapis.com/auth/plus') class MainHandler(webapp.RequestHandler): @decorator.oauth_required def get(self): http = decorator.http() # http is authorized with the user's Credentials and can be # used in API calls c$XRlgrc)_tlsr)rDrs rset_credentialsOAuth2Decorator.set_credentialss + rc0[URSS5$)zA thread local Credentials object. Returns: A client.Credentials object, or None if credentials hasn't been set in this thread yet, which may happen when calling has_credentials inside oauth_aware. rNrrr_s rget_credentialsOAuth2Decorator.get_credentialsstyy-66rc$XRlgrc)rr)rDrs rset_flowOAuth2Decorator.set_flows  rc0[URSS5$)zA thread local Flow object. Returns: A credentials.Flow object, or None if the flow hasn't been set in this thread yet, which happens in _create_flow() since Flows are created lazily. rNrr_s rget_flowOAuth2Decorator.get_flowstyy&$//rrNz/oauth2callbackrc 4[R"5UlSUlSUlXlX l[R"U5Ul X@l XPl X`l Xpl XlXlSUlXlXlXlXlXlg)a Constructor for OAuth2Decorator Args: client_id: string, client identifier. client_secret: string client secret. scope: string or iterable of strings, scope(s) of the credentials being requested. auth_uri: string, URI for authorization endpoint. For convenience defaults to Google's endpoints but any OAuth 2.0 provider can be used. token_uri: string, URI for token endpoint. For convenience defaults to Google's endpoints but any OAuth 2.0 provider can be used. revoke_uri: string, URI for revoke endpoint. For convenience defaults to Google's endpoints but any OAuth 2.0 provider can be used. user_agent: string, User agent of your application, default to None. message: Message to display if there are problems with the OAuth 2.0 configuration. The message may contain HTML and will be presented on the web interface for any method that uses the decorator. callback_path: string, The absolute path to use as the callback URI. Note that this must match up with the URI given when registering the application in the APIs Console. token_response_param: string. If provided, the full JSON response to the access token request will be encoded and included in this query parameter in the callback URI. This is useful with providers (e.g. wordpress.com) that include extra fields that the client may want. _storage_class: "Protected" keyword argument not typically provided to this constructor. A storage class to aid in storing a Credentials object for a user in the datastore. Defaults to StorageByKeyName. _credentials_class: "Protected" keyword argument not typically provided to this constructor. A db or ndb Model class to hold credentials. Defaults to CredentialsModel. _credentials_property_name: "Protected" keyword argument not typically provided to this constructor. A string indicating the name of the field on the _credentials_class where a Credentials object will be stored. Defaults to 'credentials'. **kwargs: dict, Keyword arguments are passed along as kwargs to the OAuth2WebServerFlow constructor. NF) threadinglocalrrr _client_id_client_secretr r>_scope _auth_uri _token_uri _revoke_uri _user_agentr@_message _in_error_callback_path_token_response_param_storage_class_credentials_class_credentials_property_name)rD client_id client_secretr?auth_uri token_uri revoke_uri user_agentmessage callback_pathtoken_response_paramr r r rEs rrCOAuth2Decorator.__init__s|OO%  #+++E2 !#%%  +%9","4*D'rcURRRS5 URRR[UR55 URRRS5 g)Nz z)responseoutwriterr)rDrs r_display_error_message&OAuth2Decorator._display_error_message_sZ  $$**>:  $$**:dmm+DE  $$**+;TR(aTRU5 g[R"5nU(d:UR [R "UR R55 gTRU5 [X5TRRS'TRTRSTRUS9R5TlTR#5(dUR TR%55$T"U/UQ70UD6nSTlU$![&R(a) UR TR%55sSTl$f=f!STlf=fNrr)rrrget_current_userredirectcreate_login_urlrr _create_flowrrparamsr r r r0rhas_credentials authorize_urlrrTrargsrErrespmethodrDs r check_oauth3OAuth2Decorator.oauth_required..check_oauthosX~~++O<))+D(()?)?#++//*12   o .);)'DII  W %#22''//d 3 <TR(aTRU5 g[R"5nU(d:UR [R "UR R55 gTRU5 [UU5TRRS'TRTRSTRUS9R5TlT"U/UQ70UD6nSTlU$!STlf=fr)rrrr!r"r#rrr$rrr%r r r r0rr(s r setup_oauth0OAuth2Decorator.oauth_aware..setup_oauths~~++O<))+D(()?)?#++//*12   o .(:?;?)ADII  W %#22''//d 3 <> Dr)rDr+r7s`` r oauth_awareOAuth2Decorator.oauth_awares 2rcbURSL=(a URR(+$)zTrue if for the logged in user there are valid access Credentials. Must only be called from with a webapp.RequestHandler subclassed method that had been decorated with either @oauth_required or @oauth_aware. N)rinvalidr_s rr&OAuth2Decorator.has_credentialss) t+LD4D4D4L4L0LLrcLURR5n[U5$)zReturns the URL to start the OAuth dance. Must only be called from with a webapp.RequestHandler subclassed method that had been decorated with either @oauth_required or @oauth_aware. )rstep1_get_authorize_urlr6)rDrs rr'OAuth2Decorator.authorize_urls ii//13xrc`URR[R"U0UD65$)aUReturns an authorized http instance. Must only be called from within an @oauth_required decorated method, or from within an @oauth_aware decorated method where has_credentials() returns True. Args: *args: Positional arguments passed to httplib2.Http constructor. **kwargs: Positional arguments passed to httplib2.Http constructor. )r authorizehttplib2Http)rDr)rEs rhttpOAuth2Decorator.https)))(--*H*HIIrcUR$)zThe absolute path where the callback will occur. Note this is the absolute path, not the absolute URI, that will be calculated by the decorator at runtime. See callback_handler() for how this should be used. Returns: The callback path as a string. )rr_s rrOAuth2Decorator.callback_paths"""rcD^Um"U4SjS[R5nU$)aNRequestHandler for the OAuth 2.0 redirect callback. Usage:: app = webapp.WSGIApplication([ ('/index', MyIndexHandler), ..., (decorator.callback_path, decorator.callback_handler()) ]) Returns: A webapp.RequestHandler that handles the redirect back from the server during the OAuth 2.0 dance. c0>\rSrSrSr\U4Sj5rSrg)7OAuth2Decorator.callback_handler..OAuth2Handleri z4Handler for the redirect_uri of the OAuth 2.0 dance.c>URRS5nU(aZURRSU5nURRR SR [ U555 g[R"5nTRU5 TRRURR5nTRTRSTRUS9R!U5 [#[%URRS55U5nUc&URRR S5 gTR&(aSUR((aB[*R,"UR(5n[.R0"UTR&U5nUR3U5 g)Nerrorerror_descriptionz%The authorization request failed: {0}r rz The authorization request failed)rr0rrrrrrr!r$rstep2_exchanger%r r r r4rr6r token_responserIr}r _add_query_parameterr")rDrMerrormsgrrr1 resp_json decorators rr0;OAuth2Decorator.callback_handler..OAuth2Handler.get sn ((1#||//0CUKHMM%%++?FF&x023!113D**40"+.."?"? ++#-K,,!44d!<<!-#$'3{#3#5DLL,,W56$>L#+ ))//>@!77'66$(JJ{/I/I$J '+'@'@()*I*I%(' MM,/rrN)rrrr r!rr0r$)rTsr OAuth2HandlerrK s F  0 0rrV)webappRequestHandler)rDrVrTs @rcallback_handler OAuth2Decorator.callback_handlers% " 0F11" 0Hrcd[R"URUR54/5$)aWSGI application for handling the OAuth 2.0 redirect callback. If you need finer grained control use `callback_handler` which returns just the webapp.RequestHandler. Returns: A webapp.WSGIApplication that handles the redirect back from the server during the OAuth 2.0 dance. )rWWSGIApplicationrrYr_s rcallback_application$OAuth2Decorator.callback_application/s3%%   !6!6!8 9'   r)rrrrr r rr@rrrr rr rrrr) rrrr r!rrrsrrrrr rq oauth2clientGOOGLE_AUTH_URIGOOGLE_TOKEN_URIGOOGLE_REVOKE_URIrrrCrr.r$r9r&r'rErrYr]r$rrrrrs*,7?OaJAn OAuth2Decorator that builds from a clientsecrets file. Uses a clientsecrets file as the source for all the information when constructing an OAuth2Decorator. :: decorator = OAuth2DecoratorFromClientSecrets( os.path.join(os.path.dirname(__file__), 'client_secrets.json') scope='https://www.googleapis.com/auth/plus') class MainHandler(webapp.RequestHandler): @decorator.oauth_required def get(self): http = decorator.http() # http is authorized with the user's Credentials and can be # used in API calls c >[R"UUS9upgU[R[R4;a[R"S5e[ U5nUR USUSUS.5 URS5n U bXS'[[U]*"USUS U40UD6 UbX0l gS Ul g) aConstructor Args: filename: string, File name of client secrets. scope: string or iterable of strings, scope(s) of the credentials being requested. message: string, A friendly string to display to the user if the clientsecrets file is missing or invalid. The message may contain HTML and will be presented on the web interface for any method that uses the decorator. cache: An optional cache service client that implements get() and set() methods. See clientsecrets.loadfile() for details. **kwargs: dict, Keyword arguments are passed along as kwargs to the OAuth2WebServerFlow constructor. )rz4OAuth2Decorator doesn't support this OAuth 2.0 flow.rr)rrrrNr rz0Please configure your application for OAuth 2.0.) r loadfileTYPE_WEBTYPE_INSTALLEDInvalidClientSecretsErrordictupdater0rBrdrCr) rDfilenamer?rrrE client_type client_infoconstructor_kwargsrrFs rrC)OAuth2DecoratorFromClientSecrets.__init__Ss$$1#9#9(@E$G }55,;;= =99FH H"&\!!#J/$[1#  !__\2  !/9| , .>  $k/&B  )' )  #MNDMr)rr) rrrr r!r rqrCr$rtrus@rrdrd>s'( __Q'O'Orrdr;c[XX#S9$)aCreates an OAuth2Decorator populated from a clientsecrets file. Args: filename: string, File name of client secrets. scope: string or list of strings, scope(s) of the credentials being requested. message: string, A friendly string to display to the user if the clientsecrets file is missing or invalid. The message may contain HTML and will be presented on the web interface for any method that uses the decorator. cache: An optional cache service client that implements get() and set() methods. See clientsecrets.loadfile() for details. Returns: An OAuth2Decorator )rr)rd)rmr?rrs r"oauth2decorator_from_clientsecretsrs~s$ ,H4; JJrr)rs   -)&#;&)3 4   8 $*$!OHJ(<<+BB$44O%%H))J)>> 8!!( .c+f99c+L2;;B)"++)X|v~~|~(rxx(&(a fa H =O=O@;?JJgNsFFF