Z,BdZddlmZddlmZddlmZddlZddlmZddl m Z ddl m Z dd l m Z dd l m Zdd lmZdd lmZdd lmZddlmZddlmZddlmZddlmZddlmZddlmZddlmZ ddl!m"Z"e jFGdde jHZ%dZ&y)zJA command to install Application Default Credentials using a user account.)absolute_import)division)unicode_literalsN)util)actions) arg_parsers)base) exceptions) auth_util)flags)workforce_login_config)config)log) properties) console_io)creds)gce)store)filesc.eZdZdZddiZedZdZy)Logina Acquire new user credentials to use for Application Default Credentials. Obtains user access credentials via a web flow and puts them in the well-known location for Application Default Credentials (ADC). This command is useful when you are developing code that would normally use a service account but need to run the code in a local development environment where it's easier to provide user credentials. The credentials will apply to all API calls that make use of the Application Default Credentials client library. Do not set the `GOOGLE_APPLICATION_CREDENTIALS` environment variable if you want to use the credentials generated by this command in your local development. This command tries to find a quota project from gcloud's context and write it to ADC so that Google client libraries can use it for billing and quota. Alternatively, you can use the `--client-id-file` flag. In this case, the project owning the client ID will be used for billing and quota. You can create the client ID file at https://console.cloud.google.com/apis/credentials. This command has no effect on the user account(s) set up by the `gcloud auth login` command. Any credentials previously generated by `gcloud auth application-default login` will be overwritten. EXAMPLESa9 If you want your local application to temporarily use your own user credentials for API access, run: $ {command} If you'd like to login by passing in a file containing your own client id, run: $ {command} --client-id-file=clientid.json c |jdd|jdtjdddjd j t j  |jd d tjtjjj |jdddtj|tj|d|j j#dy)z3Set args for gcloud auth application-default login.z--client-id-filezA file containing your own client id to use to login. If --client-id-file is specified, the quota project will not be written to ADC.)help--scopes) min_lengthSCOPEaThe names of the scopes to authorize for. By default {0} scopes are used. The list of possible scopes can be found at: [](https://developers.google.com/identity/protocols/googlescopes). To add scopes for applications outside of Google Cloud Platform, such as Google Drive, [create an OAuth Client ID](https://support.google.com/cloud/answer/6158849) and provide it by using the --client-id-file flag. z, )typemetavarrz--login-configzPath to the login configuration file (workforce pool, generated by the Cloud Console or `gcloud iam workforce-pools create-login-config`))ractionaccount?aUser account used for authorization. When the account specified has valid credentials in the local credential store these credentials will be re-used. Otherwise new ones will be fetched and replace any stored credential. This caching behavior is only available for user credentials.)nargsrT)for_adcnoneN) add_argumentrArgListformatjoinr DEFAULT_SCOPESr StorePropertyrVALUESauthlogin_config_filer AddQuotaProjectFlagsAddRemoteLoginFlags display_info AddFormat)parsers -lib/surface/auth/application_default/login.pyArgsz Login.ArgsSs     A .,  )223 4 6 <$$Z%6%6%;%;%M%MN P   M   v& fd3 !!&)ctjjjj rt j dtjjr-tjd}tj|ddtj|j r"|j"st%j&dd|j(rP|j*sDt-|j(r/t/j0dj3|j(y|j*xst4j6}t9|j" |j: |j< }|j<r5d |j<vr't5j>t@jBfd d i|ytEjF}|rZ|j rt%jHd |j*rt%jHdtEjJ|dfi|}ntjjjLjOt4jPtjjjRjOt4jTt4jV|vr3t%j&ddj3t4jVt5j>|f|j dd|}|sy|j(rGtY|dr;tjZ|j(|}|j]|j(}d\}} tjjj^j } | rt j`| \}} |sf|jcdrtjd|d|S|jfrtjd|d|Stjh||Stjj||| |S)zRun the authentication command.zauth/access_token_file or --access-token-file was set which is not compatible with this command. Please unset the property and rerun this command.a You are running on a Google Compute Engine virtual machine. The service credentials associated with this virtual machine will automatically be used by Application Default Credentials, so it is not necessary to use this command. If you decide to proceed anyway, your user credentials may be visible to others with access to this virtual machine. Are you sure you want to authenticate with your personal account? T)messagethrow_if_unattended cancel_on_noz--no-launch-browserz`--no-launch-browser` flow no longer works with the `--client-id-file`. Please replace `--no-launch-browser` with `--no-browser`.zx Valid credentials already exist for {}. To force refresh the existing credentials, omit the "ACCOUNT" positional field.N)no_launch_browser no_browserremote_bootstrap provider_nameauth_proxy_redirect_uriz8https://sdk.cloud.google/applicationdefaultauthcode.htmlzI--client-id-file is not currently supported for third party login flows. z@--scopes is not currently supported for third party login flows.rzO{} scope is required but not requested. Please include it in the --scopes flag.z#DoInstalledAppBrowserFlowGoogleAuthr CLOUDSDK_EXTERNAL_ACCOUNT_SCOPESworkforce_login_config_utilGetWorkforceLoginConfigConflictingArgumentsExceptionDoWorkforceHeadfulLogin client_idSet%DEFAULT_CREDENTIALS_DEFAULT_CLIENT_ID client_secret)DEFAULT_CREDENTIALS_DEFAULT_CLIENT_SECRETCLOUD_PLATFORM_SCOPEhasattrExtractAndValidateAccountrBimpersonate_service_accountParseImpersonationAccounts IsSpecifiedDumpADCdisable_quota_projectDumpADCOptionalQuotaProject#DumpImpersonatedServiceAccountToADC) selfargsr9rU flow_paramsr/r_target_impersonation_principalrEimpersonation_service_accountss r5Runz Login.Run~s//335       ~~!! ! gt$H,,. 4#6#6  * *    ||DKK #DLL 1  J VDLL !  [[ 4I44F"111||#..K D4I4I!I33  1 1I   4KKM  11   11 NP P)AA   e&&**  9 9;**..  = =?  ' 'v 5,,  $fY%C%CD  ;; ,,L   e   ||~6  5 5dllE Ja  .e0:-"I::>>@#&  , ,-K L%y )  * +!!%F L  % %!!%E L 55e< L ;; 9 Lr7N)__name__ __module__ __qualname____doc__ detailed_help staticmethodr6rur7r5rr*s32  -(*(*Tr7rc tj}tj|} t j |}t jj|}|t jjk(r|j|k7ryy#tj$rYywxYw#t j$rYyt j$rYywxYw)zISkip login if the existing ADC was provisioned for the requested account.FT) r ADCFilePathrReadFileContentsError creds_moduleFromJsonGoogleAuthUnknownCredentialsTypeInvalidCredentialsErrorCredentialTypeGoogleAuthFromCredentials USER_ACCOUNTr")r" file_pathdata credential cred_types r5rVrVs""$I  ! !) ,D006J 33CCJO),77DDDW$      , ,   - - s()BB'B$#B$'C<CC)'ry __future__rrrrMgooglecloudsdk.api_lib.authrr googlecloudsdk.callioperrr r rSgooglecloudsdk.command_lib.authrPr r r\googlecloudsdk.corerrrgooglecloudsdk.core.consolergooglecloudsdk.core.credentialsrrrrJrrHgooglecloudsdk.core.utilrUniverseCompatibleCommandrrVr|r7r5rsu Q&'9+/(7J1a&#*2A8<*RDLLRRjr7