nSrSSKrSSKrSSKrSSKrSSKrSSKrSSKJr SSKJr SSKJ r SSKJ r Sr Sr S r "S S \R5rS r"S S\5rg)z/oauth2client Service account credentials class.N)_helpers)client)crypt) transport notasecret_private_key_pkcs12a  This library only implements PKCS#12 support via the pyOpenSSL library. Either install pyOpenSSL, or please convert the .p12 file to .pem format: $ cat key.p12 | \ > openssl pkcs12 -nodes -nocerts -passin pass:notasecret | \ > openssl rsa > key.pem c.^\rSrSrSrSr\"S/5\RR-r Sr Sr Sr SSSS\ R\ R4U4SjjrSU4Sjjr\SS j5r\SS j5r\SS j5r\SS\ R\ R4S j5r\SS\ R\ R4S j5r\SS\ R\ R4Sj5rSrSr\S5r\S5r\S5rSrSr Sr!Sr"Sr#U=r$$)ServiceAccountCredentials+aIService Account credential for OAuth 2.0 signed JWT grants. Supports * JSON keyfile (typically contains a PKCS8 key stored as PEM text) * ``.p12`` key (stores PKCS12 key and certificate) Makes an assertion to server using a signed JWT assertion in exchange for an access token. This credential does not require a flow to instantiate because it represents a two legged flow, and therefore has all of the required information to generate and refresh its own access tokens. Args: service_account_email: string, The email associated with the service account. signer: ``crypt.Signer``, A signer which can be used to sign content. scopes: List or string, (Optional) Scopes to use when acquiring an access token. private_key_id: string, (Optional) Private key identifier. Typically only used with a JSON keyfile. Can be sent in the header of a JWT token assertion. client_id: string, (Optional) Client ID for the project that owns the service account. user_agent: string, (Optional) User agent to use when sending request. token_uri: string, URI for token endpoint. For convenience defaults to Google's endpoints but any OAuth 2.0 provider can be used. revoke_uri: string, URI for revoke endpoint. For convenience defaults to Google's endpoints but any OAuth 2.0 provider can be used. kwargs: dict, Extra key-value pairs (both strings) to send in the payload body when making an assertion. _signerNc  >[[U] SXgUS9 XlX l[ R "U5UlX@lXPl X`l Xl g)N) user_agent token_uri revoke_uri) superr __init___service_account_emailr rscopes_to_string_scopes_private_key_id client_id _user_agent_kwargs) selfservice_account_emailsignerscopesprivate_key_idrrrrkwargs __class__s ;platform/bq/third_party/oauth2client_4_0/service_account.pyr"ServiceAccountCredentials.__init__`sW '7 Z! 8 #'<# 008 -"% c>Uc [R"UR5nUR[5nUb[R "U5U['[ [U]#XS9$)aUtility function that creates JSON repr. of a credentials object. Over-ride is needed since PKCS#12 keys will not in general be JSON serializable. Args: strip: array, An array of names of members to exclude from the JSON. to_serialize: dict, (Optional) The properties for this object that will be serialized. This allows callers to modify before serializing. Returns: string, a JSON representation of this instance, suitable to pass to from_json(). ) to_serialize) copy__dict__get _PKCS12_KEYbase64 b64encoderr _to_json)rstripr' pkcs12_valr"s r#r."ServiceAccountCredentials._to_jsonwse"  99T]]3L!%%k2  !(.(8(8(DL %.> ?. .r%c URS5nU[R:wa[SUS[R5eUSnUSnUSnUSn U(d URS[R 5nU(d URS [R 5n[RRU5n U"XjUUXUS 9n X{l U $) aqHelper for factory constructors from JSON keyfile. Args: keyfile_dict: dict-like object, The parsed dictionary-like object containing the contents of the JSON keyfile. scopes: List or string, Scopes to use when acquiring an access token. token_uri: string, URI for OAuth 2.0 provider token endpoint. If unset and not present in keyfile_dict, defaults to Google's endpoints. revoke_uri: string, URI for OAuth 2.0 provider revoke endpoint. If unset and not present in keyfile_dict, defaults to Google's endpoints. Returns: ServiceAccountCredentials, a credentials object created from the keyfile contents. Raises: ValueError, if the credential type is not :data:`SERVICE_ACCOUNT`. KeyError, if one of the expected keys is not present in the keyfile. typezUnexpected credentials typeExpected client_email private_keyr rrr)rr rrr) r*rSERVICE_ACCOUNT ValueErroroauth2client_4_0GOOGLE_TOKEN_URIGOOGLE_REVOKE_URIrSigner from_string_private_key_pkcs8_pem) cls keyfile_dictrrr creds_typerprivate_key_pkcs8_pemr rr credentialss r#_from_parsed_json_keyfile3ServiceAccountCredentials._from_parsed_json_keyfiles4"%%f- // /:J')?)?A A!-^ < ,] ;%&67 - $(()9)J)JLI%)),*:*L*LNJ))*?@/)7$-%/1 .C*r%c[US5n[R"U5nSSS5 URWUUUS9$!,(df  N =f)aFactory constructor from JSON keyfile by name. Args: filename: string, The location of the keyfile. scopes: List or string, (Optional) Scopes to use when acquiring an access token. token_uri: string, URI for OAuth 2.0 provider token endpoint. If unset and not present in the key file, defaults to Google's endpoints. revoke_uri: string, URI for OAuth 2.0 provider revoke endpoint. If unset and not present in the key file, defaults to Google's endpoints. Returns: ServiceAccountCredentials, a credentials object created from the keyfile. Raises: ValueError, if the credential type is not :data:`SERVICE_ACCOUNT`. KeyError, if one of the expected keys is not present in the keyfile. rNrr)openjsonloadrD)r?filenamerrrfile_objclient_credentialss r#from_json_keyfile_name0ServiceAccountCredentials.from_json_keyfile_namesR4(C H!%8!4 !,,-?7@8B-D D! s > A c$URXUUS9$)anFactory constructor from parsed JSON keyfile. Args: keyfile_dict: dict-like object, The parsed dictionary-like object containing the contents of the JSON keyfile. scopes: List or string, (Optional) Scopes to use when acquiring an access token. token_uri: string, URI for OAuth 2.0 provider token endpoint. If unset and not present in keyfile_dict, defaults to Google's endpoints. revoke_uri: string, URI for OAuth 2.0 provider revoke endpoint. If unset and not present in keyfile_dict, defaults to Google's endpoints. Returns: ServiceAccountCredentials, a credentials object created from the keyfile. Raises: ValueError, if the credential type is not :data:`SERVICE_ACCOUNT`. KeyError, if one of the expected keys is not present in the keyfile. rH)rD)r?r@rrrs r#from_json_keyfile_dict0ServiceAccountCredentials.from_json_keyfile_dicts&4,,\7@8B-D Dr%cUc[n[R[RLa[ [ 5e[RR UU5nU"XUXVS9nX(lX8lU$)aFactory constructor from JSON keyfile. Args: service_account_email: string, The email associated with the service account. private_key_pkcs12: string, The contents of a PKCS#12 keyfile. private_key_password: string, (Optional) Password for PKCS#12 private key. Defaults to ``notasecret``. scopes: List or string, (Optional) Scopes to use when acquiring an access token. token_uri: string, URI for token endpoint. For convenience defaults to Google's endpoints but any OAuth 2.0 provider can be used. revoke_uri: string, URI for revoke endpoint. For convenience defaults to Google's endpoints but any OAuth 2.0 provider can be used. Returns: ServiceAccountCredentials, a credentials object created from the keyfile. Raises: NotImplementedError if pyOpenSSL is not installed / not the active crypto library. )rrr) _PASSWORD_DEFAULTrr< OpenSSLSignerNotImplementedError _PKCS12_ERRORr=r_private_key_password) r?rprivate_key_pkcs12private_key_passwordrrrrrCs r#_from_p12_keyfile_contents4ServiceAccountCredentials._from_p12_keyfile_contentssm> '#4 <@/$-F *<',@)r%c [US5nUR5nSSS5 URUWX4XVS9$!,(df  N =f)aFactory constructor from JSON keyfile. Args: service_account_email: string, The email associated with the service account. filename: string, The location of the PKCS#12 keyfile. private_key_password: string, (Optional) Password for PKCS#12 private key. Defaults to ``notasecret``. scopes: List or string, (Optional) Scopes to use when acquiring an access token. token_uri: string, URI for token endpoint. For convenience defaults to Google's endpoints but any OAuth 2.0 provider can be used. revoke_uri: string, URI for revoke endpoint. For convenience defaults to Google's endpoints but any OAuth 2.0 provider can be used. Returns: ServiceAccountCredentials, a credentials object created from the keyfile. Raises: NotImplementedError if pyOpenSSL is not installed / not the active crypto library. rbNr[rrr)rIreadr\) r?rrLr[rrrrMrZs r#from_p12_keyfile*ServiceAccountCredentials.from_p12_keyfile+sN>(D !X!) "-- !#5!5.8 8" !s 8 Ac DUR5nURXX4XVS9$)aFactory constructor from JSON keyfile. Args: service_account_email: string, The email associated with the service account. file_buffer: stream, A buffer that implements ``read()`` and contains the PKCS#12 key contents. private_key_password: string, (Optional) Password for PKCS#12 private key. Defaults to ``notasecret``. scopes: List or string, (Optional) Scopes to use when acquiring an access token. token_uri: string, URI for token endpoint. For convenience defaults to Google's endpoints but any OAuth 2.0 provider can be used. revoke_uri: string, URI for revoke endpoint. For convenience defaults to Google's endpoints but any OAuth 2.0 provider can be used. Returns: ServiceAccountCredentials, a credentials object created from the keyfile. Raises: NotImplementedError if pyOpenSSL is not installed / not the active crypto library. r`)rar\)r?r file_bufferr[rrrrZs r#from_p12_keyfile_buffer1ServiceAccountCredentials.from_p12_keyfile_bufferQs4>)--/-- !!5.8 8r%c4[[R"55n[RURUXR -UR S.nURUR5 [R"URUURS9$)z8Generate the assertion that will be used in the request.)audscopeiatexpisskey_id) inttimer9r:rMAX_TOKEN_LIFETIME_SECSrupdaterrmake_signed_jwtr r)rnowpayloads r#_generate_assertion-ServiceAccountCredentials._generate_assertionvsy$))+#44\\555..   t||$$$T\\7,0,@,@B Br%cPURURRU54$)aCryptographically sign a blob (of bytes). Implements abstract method :meth:`oauth2client_4_0.client.AssertionCredentials.sign_blob`. Args: blob: bytes, Message to be signed. Returns: tuple, A pair of the private key ID used to sign the blob and the signed contents. )rr sign)rblobs r# sign_blob#ServiceAccountCredentials.sign_blobs$##T\\%6%6t%<<rrs r#serialization_data,ServiceAccountCredentials.serialization_datas3& 77"2266   r%c[U[5(d*[R"[R "U55nSnUR [5nSnUc%USn[RRU5nO:[R"U5nUSn[RRX45nU"USU4USUSUSUSS .US D6nUbX&l UbX6lUbXFlUS UlUS UlUS UlUSUlUR SS5nUb3[(R(R+U[,R.5UlU$)aDeserialize a JSON-serialized instance. Inverse to :meth:`to_json`. Args: json_data: dict or string, Serialized JSON (as a string or an already parsed dictionary) representing a credential. Returns: ServiceAccountCredentials from the serialized data. Nr>rYrrrrrrr rrrinvalid access_tokenrr token_expiry) isinstancedictrJloadsr _from_bytesr*r+rr<r=r, b64decoder>rrYrrrrdatetimestrptimer EXPIRY_FORMATr)r? json_datarBr0passwordrrCrs r# from_json#ServiceAccountCredentials.from_jsons)T** 8#7#7 #BCI $]];/   $-.F$G !\\--.CDF  ))*5J !89H\\--jCF . /  Y'$%67 , /   "  ! ,1F .  !.8 +  08 -' 2 #,^#<  )+ 6 !*rrY)rrresults r# create_scoped'ServiceAccountCredentials.create_scopeds ; ; $ 0'-/3/C/C*...+/+;+; 0 #',, 0 >> OO(,(C(C%%)%=%="'+'A'A$ r%c[UR5nURU5 UR"URUR 4UR URURURS.UD6nURUl URUl URUl URUl URUlU$)aCreate credentials that specify additional claims. Args: claims: dict, key-value pairs for claims. Returns: ServiceAccountCredentials, a copy of the current service account credentials with updated claims to use when obtaining access tokens. r)rrrsr"rr rrrrrrr>rrY)rclaims new_kwargsrs r#create_with_claims,ServiceAccountCredentials.create_with_claimss$,,' &! ; ; $ .'+||/3/C/C*...+/+;+; . #- . >> OO(,(C(C%%)%=%="'+'A'A$ r%c(URSU05$)aCreate credentials that act as domain-wide delegation of authority. Use the ``sub`` parameter as the subject to delegate on behalf of that user. For example:: >>> account_sub = 'foo@email.com' >>> delegate_creds = creds.create_delegated(account_sub) Args: sub: string, An email address that this service account will act on behalf of (via domain-wide delegation). Returns: ServiceAccountCredentials, a copy of the current service account updated to act on behalf of ``sub``. sub)r)rrs r#create_delegated*ServiceAccountCredentials.create_delegated s&&&s|44r%)rrrrr rrrNN)rNN)%__name__ __module__ __qualname____firstlineno____doc__rr frozensetrAssertionCredentialsNON_SERIALIZED_MEMBERSr>rrYr9r:r;rr. classmethodrDrOrRr\rbrfrwr|propertyrrrrrrr__static_attributes__ __classcell__r"s@r#r r +s$L#; 9+##:: ;K"   $ +<<,>>..2=A//b57:>DD>9;:>DD:9=R-=-N-N.>.P.P ((T.22#3#D#D$4$F$F#8#8J59"*:*K*K+;+M+M"8"8H B =++  44l  655r%r cr[R"SSS5nX- nURS-UR-$)NiiQ)rdaysseconds)utc_timeepoch time_deltas r#_datetime_to_secsr!s:   dAq )E!J ??U "Z%7%7 77r%c^\rSrSrSrSrSSSS\R\RS4U4Sjjr Sr SSjr Sr S r \R\R4S jrS rS rSS jrSrU=r$)_JWTAccessCredentialsi)zSelf signed JWT credentials. Makes an assertion to server using a self signed JWT from service account credentials. These credentials do NOT use OAuth 2.0 and instead authenticate directly. r Nc H>U c0n [[U] "UU4UUUUUS.U D6 g)N)r rrrr)rrr) rrrrr rrrradditional_claimsr"s r#r_JWTAccessCredentials.__init__3sG  $ "  #T3 !  !*!! !  !r%c2[R"X5 U$)aiAuthorize an httplib2.Http instance with a JWT assertion. Unless specified, the 'aud' of the assertion will be the base uri of the request. Args: http: An instance of ``httplib2.Http`` or something that acts like it. Returns: A modified instance of http that was passed in. Example:: h = httplib2.Http() h = credentials.authorize(h) )rwrap_http_for_jwt_accessrhttps r# authorize_JWTAccessCredentials.authorizeIs **46 r%c"Uc\URbUR(aURS5 [R"URUR 5S9$UR U5up4[R"X0RS9$)zCreate a signed jwt. Args: http: unused additional_claims: dict, additional claims to add to the payload of the JWT. Returns: An AccessTokenInfo with the signed jwt N)r expires_in)raccess_token_expiredrefreshrAccessTokenInfo _expires_in _create_token_MAX_TOKEN_LIFETIME_SECS)rrrtoken unused_expirys r#get_access_token&_JWTAccessCredentials.get_access_token[s  $  (D,E,E T")),,9I9I9KM M$(#5#56G#H E)) -J-JL Lr%cg)z*Cannot revoke JWTAccessCredentials tokens.Nrs r#revoke_JWTAccessCredentials.revokeps r%cg)NTrrs r#r,_JWTAccessCredentials.create_scoped_requiredtsr%c Z[URUR4UURURUR UUS.UR D6nURbURUlURbURUlURbURUl U$)N)rr rrrr) r rr rrrrr>rrY)rrrrrs r#r#_JWTAccessCredentials.create_scopedxs+4+F+F+/<<;28:>:N:N59^^6:6F6F5>6@;.2\\;  & & 2,0,G,GF )  # # /)-)A)AF &  % % 1+/+E+EF ( r%c&URS5 g)zRefreshes the access_token. The HTTP object is unused since no request needs to be made to get a new token, it can just be generated locally. Args: http: unused HTTP object N)_refreshrs r#r_JWTAccessCredentials.refreshs dr%c>UR5uUlUlg)z@Refreshes the access_token. Args: http: unused HTTP object N)rrrrs r#r_JWTAccessCredentials._refreshs 04/A/A/C,4,r%c[R"5n[R"URS9nX#-n[ U5[ U5UR UR S.nURUR5 UbURU5 [R"URUURS9nURS5U4$)N)r)rkrlrmrrnascii)r_UTCNOWr timedeltarrrrsrrrtr rdecode)rrrulifetimeexpiryrvjwts r#r#_JWTAccessCredentials._create_tokensnn%%d.K.KL$S)$V,....   t||$  ( NN, -##DLL'+/+?+?Azz'"F**r%)rrrr)rrrrrrr9r:r;rrrrrrrrrrrrs@r#rr)s~ $;  $ +<<,>>#'!,$L* /?.O.O!1!C!C( D++r%r)rr,r(rrJrqr9rrrrrUr+rXrr rrrr%r#rse 6  %#"&!#  s5 ; ;s5l8E+5E+r%