@LdZddlmZddlmZddlmZddlZddlZddlZddlm Z ddl m Z ddl m Z dd l m Z dd l mZdd l mZdd lmZdd lmZddlmZddlZdZdZdZdZdZdZdZeeeegZdZGdde j@Z Gdde Z!Gdde Z"dZ#dZ$Gdd ejJejLe'Z(Gd!d"e(Z)Gd#d$e(Z*Gd%d&e(Z+Gd'd(e(Z,Gd)d*e(Z-Gd+d,e(Z.d3d-Z/d.Z0d/Z1 d4d0Z2d1Z3d2Z4y)5z#A library to support auth commands.)absolute_import)division)unicode_literalsN) check_browser)config) exceptions)log) properties)yaml) console_io)creds)fileszH764086051850-6qr4p6gpi6hn506pt8ejuq83di341hur.apps.googleusercontent.comzd-FL95Q19q7MQmFpd7hHD0Tyz.https://www.googleapis.com/auth/cloud-platformz0https://www.googleapis.com/auth/sqlservice.loginz%https://www.googleapis.com/auth/drivez.https://www.googleapis.com/auth/userinfo.emailopenid installedceZdZdZy)Errorz A base exception for this class.N__name__ __module__ __qualname____doc__'lib/googlecloudsdk/api_lib/auth/util.pyrr;s(rrceZdZdZy)InvalidClientSecretsErrorz:An error for when we fail to load the client secrets file.Nrrrrrr@sBrrceZdZdZy)BadCredentialFileExceptionz,Raised when credentials file cannot be read.NrrrrrrEs4rrc@ tj|}t |tstdj ||S#t$r }tdj ||d}~wtj $r }tdj ||d}~wwxYw)aReturns the JSON content of a credentials config file. This function is useful when the content of a file need to be inspected first before determining how to handle it (how to initialize the underlying credentials). Only UTF-8 JSON files are supported. Args: filename (str): The filepath to the ADC file representing credentials. Returns: Optional(Mapping): The JSON content. Raises: BadCredentialFileException: If JSON parsing of the file fails. z"File {0} is not utf-8 encoded: {1}Nz!Could not read json file {0}: {1}zCould not read json file {0})r load_pathUnicodeDecodeErrorrformatYAMLParseError isinstancedict)filenamecontentes rGetCredentialsConfigFromFiler)Js"nnX&G GT " $&--h7 99 . B $,33Ha@ BB   $%H%O%O!& s#A B A''B=BBcddlm}|j|r.tj|j j ytj|y)z2Prints help messages when auth flow throws errors.r) context_awareN)googlecloudsdk.corer+IsContextAwareAccessDeniedErrorr errorContextAwareAccessErrorGet)excdefault_help_msgr+s r_HandleFlowErrorr3ms=02237IIm33779:IIrcFeZdZdZdZddZejdZdZ y) FlowRunnerzBase auth flow runner class. Attributes: _scopes: [str], The list of scopes to authorize. _client_config: The client configuration in the Google client secrets format. z,There was a problem with web authentication.NcX||_||_||_|j|_yN)_scopes_client_config _redirect_uri _CreateFlow_flow)selfscopes client_config redirect_uris r__init__zFlowRunner.__init__s)DL'D%D!!#DJrcyr7r)r=s rr;zFlowRunner._CreateFlowsrc ddlm} |jjdi|S#|j$r}t ||j d}~wwxYw)Nrflowr)googlecloudsdk.core.credentialsrEr<Runrr3_FLOW_ERROR_HELP_MSG)r=kwargsc_flowr(s rrGzFlowRunner.RunsI> TZZ^^ %f %% << q$334  s$AA  Ar7) rrrrrHrAabcabstractmethodr;rGrrrr5r5xs4H$    rr5ceZdZdZdZy) OobFlowRunnerzA flow runner to run OobFlow.cddlm}|jj|j|j t jjjj SNrrDautogenerate_code_verifier) rFrEOobFlowfrom_client_configr9r8r VALUESauthdisable_code_verifierGetBoolr=rJs rr;zOobFlowRunner._CreateFlowsQ> >> , ,  '1'8'8'='=  wwy$) - **rNrrrrr;rrrrNrNs %*rrNceZdZdZdZy)NoBrowserFlowRunnerz#A flow runner to run NoBrowserFlow.cddlm}|jj|j|j t jjjj SrP) rFrE NoBrowserFlowrTr9r8r rUrVrWrXrYs rr;zNoBrowserFlowRunner._CreateFlowsS>    2 2  '1'8'8'='=  wwy$) 3 **rNrZrrrr\r\s +*rr\ceZdZdZdZy)"RemoteLoginWithAuthProxyFlowRunnerz2A flow runner to run RemoteLoginWithAuthProxyFlow.cddlm}|jj|j|j t jjjj |jS)NrrD)rRr@) rFrERemoteLoginWithAuthProxyFlowrTr9r8r rUrVrWrXr:rYs rr;z.RemoteLoginWithAuthProxyFlowRunner._CreateFlows]>  . . A A  '1'8'8'='=  wwy$)'' B ))rNrZrrrr`r`s : )rr`ceZdZdZdZy)NoBrowserHelperRunnerz)A flow runner to run NoBrowserHelperFlow.c(ddlm} |jj|j|j t jjjj S#|j$rtjdwxYw)NrrDrQzCannot start a local server to handle authorization redirection. Please run this command on a machine where gcloud can start a local server.)rFrENoBrowserHelperFlowrTr9r8r rUrVrWrXLocalServerCreationErrorr r.rYs rr;z!NoBrowserHelperRunner._CreateFlows>   ' ' : :    ,,)3):):)?)? &+;,,  * *  ii34  s A"A++&BNrZrrrrdrds 1 rrdceZdZdZdZdZy) BrowserFlowWithOobFallbackRunnerz?A flow runner to try normal web flow and fall back to oob flow.zXThere was a problem with web authentication. Try running again with --no-launch-browser.c(ddlm} |jj|j|j t jjjj S#|j$r}tj|tjd|jj|j|j t jjjj cYd}~Sd}~wwxYw)NrrDrQz"Defaulting to URL copy/paste mode.)rFrE FullWebFlowrTr9r8r rUrVrWrXrgr warningrSr=rJr(s rr;z,BrowserFlowWithOobFallbackRunner._CreateFlows> ,    2 2    ,,)3):):)?)? &+3,,  * *, kk!n kk67 ^^ . .    ,,)3):):)?)? &+/,,,A"A++D:B D D DNrrrrrHr;rrrririsGH,rriceZdZdZdZdZy)&BrowserFlowWithNoBrowserFallbackRunnerzEA flow runner to try normal web flow and fall back to NoBrowser flow.zQThere was a problem with web authentication. Try running again with --no-browser.c(ddlm} |jj|j|j t jjjj S#|j$r}tj|tjd|jj|j|j t jjjj cYd}~Sd}~wwxYw)NrrDrQz Defaulting to --no-browser mode.)rFrErkrTr9r8r rUrVrWrXrgr rlr^rms rr;z2BrowserFlowWithNoBrowserFallbackRunner._CreateFlows> ,    2 2    ,,)3):):)?)? &+3,,  * *, kk!n kk45  ! ! 4 4    ,,)3):):)?)? &+5,,,rnNrorrrrqrqsMA,rrqc|r4tj|5}tj|cdddSt S#1swYt SxYw)zECreates a client config from a client id file or gcloud's properties.N)r FileReaderjsonload+_CreateGoogleAuthClientConfigFromProperties)client_id_filefs r_CreateGoogleAuthClientConfigrz s@   . )Q YYq\ * ) 4 66 * 4 66s AActtjjjj d}t j }tjjjj d}tjjjj d}d||||diS)z1Creates a client config from gcloud's properties.T)requiredr) client_id client_secretauth_uri token_uri) r rUrV auth_hostr0r GetDefaultTokenUrir}r~)rrr}r~s rrwrws    # # - - 1 14 1 @(&&()$$..22D2A)##((66::D:I- (  rc>|ddtjtfvS)Nrr})rCLOUDSDK_CLIENT_ID%DEFAULT_CREDENTIALS_DEFAULT_CLIENT_ID)r?s r_IsGoogleOwnedClientIDr$s*  $[ 1'')N O PQrcddlm}ddlm} ddlm} |r t ||s t|}|si}tjd} |rt||jd i|} n|r2| s| jdt||jd d|i|} n|rt|||jd i|} nf| sH|r(t|st||jd i|} n:t|||jd i|} nt!||jd i|} | rPt#| | j$r!dd lm} | j$j)| St#| |j$r| Sy y ) a/Launches a 3LO oauth2 flow to get google-auth credentials. Args: scopes: [str], The list of scopes to authorize. client_id_file: str, The path to a file containing the client id and secret to use for the flow. If None, the default client id for the Cloud SDK is used. client_config: Optional[Mapping], the client secrets and urls that should be used for the OAuth flow. no_launch_browser: bool, True if users specify --no-launch-browser flag to use the remote login with auth proxy flow. no_browser: bool, True if users specify --no-browser flag to ask another gcloud instance to help with authorization. remote_bootstrap: str, The auth parameters specified by --remote-bootstrap flag. Once used, it means the command is to help authorize another gcloud (i.e. gcloud without access to browser). query_params: Optional[Mapping], extra params to pass to the flow during `Run`. These params end up getting used as query params for authorization_url. auth_proxy_redirect_uri: str, The uri where OAuth service will redirect the user to once the authentication is complete for a remote login with auth proxy flow. Returns: core.credentials.google_auth_credentials.Credentials, The credentials obtained from the flow. r) external_account_authorized_user) credentialsrDT)attempt_launch_browserzbCannot launch browser. Please run this command on a machine where gcloud can launch a web browser.partial_auth_url)google_auth_credentialsNr) google.authr google.oauth2rrFrE!AssertClientSecretIsInstalledTyperzrShouldLaunchBrowserr\rGWebBrowserInaccessiblerdr`rrqr$ CredentialsrFromGoogleAuthUserCredentials)r>rxr?no_launch_browser no_browserremote_bootstrap query_paramsauth_proxy_redirect_uriroauth2_credentialsrJcan_launch_browser user_creds c_google_auths r#DoInstalledAppBrowserFlowGoogleAuthr)sF;=<%n5 1.AM L$88!#?$V];??O,OJ   ) ) 3 44B&v}=AA;);-9;J 3 6 c J 4]CA&v}=AA j 5 -!8 j#7 "s3%13J*0<<=[  & & D DZ PP*>JJK Lrcd} tjtj|}t|dk7rt d|t|d}|tk7rt d td |d |y #tj$rt d|dtj $rt d|d|wxYw) zDAssert that the file is a valid json file for installed application.zTo obtain a valid client ID file, create a Desktop App following the steps outlined in https://support.google.com/cloud/answer/6158849?hl=en#zippy=%2Cnative-applications%2Cdesktop-apps.zCannot read file: "z".zClient ID file z is not a valid JSON file. zNExpected a JSON object with a single property for an "installed" application. rzOnly client IDs of type 'z%' are allowed, but encountered type 'z'. N) ruloadsrReadFileContentsrrJSONDecodeErrorlentupleCLIENT_SECRET_INSTALLED_TYPE)rxactionable_messageobj client_types rrrsl  **U++N; ctjjjj }||k(ryt j dj|||}tj|}|rXtjtjjj|tjjdyy)aKPrompt the user to update the universe domain if there is conflict. If the given universe domain is different from the core/universe_domain property, prompt the user to update the core/universe_domain property. Args: new_universe_domain: str, The given new universe domain. account: str, The account name to use. Nz WARNING: This account [{0}] is from the universe domain [{1}], which does not match the current core/universe property [{2}]. Do you want to set property [core/universe_domain] to [{1}]? [Y/N] )messagez(Updated property [core/universe_domain].)r rUcoreuniverse_domainr0textwrapdedentr"r PromptContinuePersistPropertyr statusPrint)new_universe_domainaccountcurrent_universe_domainrshould_update_universe_domains rHandleUniverseDomainConflictrs'--22BBFFH 33 OO  VG02I J  #-";";G"L"..0CJJ?@ #rr7)NNFFNNN)5r __future__rrrrKrurgooglecloudsdk.command_lib.utilrr,rrr r r googlecloudsdk.core.consoler rFr googlecloudsdk.core.utilrsixr)DEFAULT_CREDENTIALS_DEFAULT_CLIENT_SECRETCLOUD_PLATFORM_SCOPESQL_LOGIN_SCOPEGOOGLE_DRIVE_SCOPEUSER_EMAIL_SCOPEOPENIDDEFAULT_SCOPESrrrrr)r3with_metaclassABCMetaobjectr5rNr\r`rdrirqrzrwrrrrrrrrs[ *'' 9&*#*$21* )s%,F)GD<C    +J     F  ###CKK8 @ *J * ** * ) ) J (,z,4,Z,47"Q 8<6::?389=59@DUp:Ar