ndZddlZddlZddlZddlZddlZddlZddlmZddlmZddlm Z ddlm Z dZ dZ d Z Gd d ejZd ZGd deZy)z/oauth2client Service account credentials class.N)_helpers)client)crypt) transport notasecret_private_key_pkcs12a  This library only implements PKCS#12 support via the pyOpenSSL library. Either install pyOpenSSL, or please convert the .p12 file to .pem format: $ cat key.p12 | \ > openssl pkcs12 -nodes -nocerts -passin pass:notasecret | \ > openssl rsa > key.pem ceZdZdZdZ edgejjzZ dZ dZ dZ dddde je jffd Zdfd Ze ddZe dd Ze dd Zedde je jfd Zedde je jfd Zedde je jfd ZdZdZedZedZedZdZdZdZ dZ!xZ"S)ServiceAccountCredentialsaService Account credential for OAuth 2.0 signed JWT grants. Supports * JSON keyfile (typically contains a PKCS8 key stored as PEM text) * ``.p12`` key (stores PKCS12 key and certificate) Makes an assertion to server using a signed JWT assertion in exchange for an access token. This credential does not require a flow to instantiate because it represents a two legged flow, and therefore has all of the required information to generate and refresh its own access tokens. Args: service_account_email: string, The email associated with the service account. signer: ``crypt.Signer``, A signer which can be used to sign content. scopes: List or string, (Optional) Scopes to use when acquiring an access token. private_key_id: string, (Optional) Private key identifier. Typically only used with a JSON keyfile. Can be sent in the header of a JWT token assertion. client_id: string, (Optional) Client ID for the project that owns the service account. user_agent: string, (Optional) User agent to use when sending request. token_uri: string, URI for token endpoint. For convenience defaults to Google's endpoints but any OAuth 2.0 provider can be used. revoke_uri: string, URI for revoke endpoint. For convenience defaults to Google's endpoints but any OAuth 2.0 provider can be used. kwargs: dict, Extra key-value pairs (both strings) to send in the payload body when making an assertion. _signerNc  tt| d|||||_||_t j ||_||_||_ ||_ | |_ y)N) user_agent token_uri revoke_uri) superr __init___service_account_emailr rscopes_to_string_scopes_private_key_id client_id _user_agent_kwargs) selfservice_account_emailsignerscopesprivate_key_idrrrrkwargs __class__s ;platform/bq/third_party/oauth2client_4_0/service_account.pyrz"ServiceAccountCredentials.__init__`se '7 Z9! 8 #'<# 008 -"% c|tj|j}|jt}|t j ||t<t t|#||S)acUtility function that creates JSON repr. of a credentials object. Over-ride is needed since PKCS#12 keys will not in general be JSON serializable. Args: strip: array, An array of names of members to exclude from the JSON. to_serialize: dict, (Optional) The properties for this object that will be serialized. This allows callers to modify before serializing. Returns: string, a JSON representation of this instance, suitable to pass to from_json(). ) to_serialize) copy__dict__get _PKCS12_KEYbase64 b64encoderr _to_json)rstripr% pkcs12_valr!s r"r,z"ServiceAccountCredentials._to_jsonwsg"  99T]]3L!%%k2  !(.(8(8(DL %.>  ?. .r#c |jd}|tjk7rtd|dtj|d}|d}|d}|d} |s |jdtj }|s |jd tj }tjj|} ||| ||| || } || _ | S) a Helper for factory constructors from JSON keyfile. Args: keyfile_dict: dict-like object, The parsed dictionary-like object containing the contents of the JSON keyfile. scopes: List or string, Scopes to use when acquiring an access token. token_uri: string, URI for OAuth 2.0 provider token endpoint. If unset and not present in keyfile_dict, defaults to Google's endpoints. revoke_uri: string, URI for OAuth 2.0 provider revoke endpoint. If unset and not present in keyfile_dict, defaults to Google's endpoints. Returns: ServiceAccountCredentials, a credentials object created from the keyfile contents. Raises: ValueError, if the credential type is not :data:`SERVICE_ACCOUNT`. KeyError, if one of the expected keys is not present in the keyfile. typezUnexpected credentials typeExpected client_email private_keyrrrr)rrrrr) r(rSERVICE_ACCOUNT ValueErroroauth2client_4_0GOOGLE_TOKEN_URIGOOGLE_REVOKE_URIrSigner from_string_private_key_pkcs8_pem) cls keyfile_dictrrr creds_typerprivate_key_pkcs8_pemrrr credentialss r"_from_parsed_json_keyfilez3ServiceAccountCredentials._from_parsed_json_keyfiles4"%%f- // /:J')?)?A A!-^ < ,] ;%&67 - $(()9)J)JLI%)),*:*L*LNJ))*?@/)7$-%/1 .C *r#ct|d5}tj|}ddd|j|||S#1swYxYw)aFactory constructor from JSON keyfile by name. Args: filename: string, The location of the keyfile. scopes: List or string, (Optional) Scopes to use when acquiring an access token. token_uri: string, URI for OAuth 2.0 provider token endpoint. If unset and not present in the key file, defaults to Google's endpoints. revoke_uri: string, URI for OAuth 2.0 provider revoke endpoint. If unset and not present in the key file, defaults to Google's endpoints. Returns: ServiceAccountCredentials, a credentials object created from the keyfile. Raises: ValueError, if the credential type is not :data:`SERVICE_ACCOUNT`. KeyError, if one of the expected keys is not present in the keyfile. rNrr)openjsonloadrA)r<filenamerrrfile_objclient_credentialss r"from_json_keyfile_namez0ServiceAccountCredentials.from_json_keyfile_namesR4(C H!%8!4 !,,-?7@8B-D D! s AA c,|j||||S)aFactory constructor from parsed JSON keyfile. Args: keyfile_dict: dict-like object, The parsed dictionary-like object containing the contents of the JSON keyfile. scopes: List or string, (Optional) Scopes to use when acquiring an access token. token_uri: string, URI for OAuth 2.0 provider token endpoint. If unset and not present in keyfile_dict, defaults to Google's endpoints. revoke_uri: string, URI for OAuth 2.0 provider revoke endpoint. If unset and not present in keyfile_dict, defaults to Google's endpoints. Returns: ServiceAccountCredentials, a credentials object created from the keyfile. Raises: ValueError, if the credential type is not :data:`SERVICE_ACCOUNT`. KeyError, if one of the expected keys is not present in the keyfile. rD)rA)r<r=rrrs r"from_json_keyfile_dictz0ServiceAccountCredentials.from_json_keyfile_dicts(4,,\67@8B-D Dr#c|t}tjtjurt t tjj ||}||||||}||_||_|S)axFactory constructor from JSON keyfile. Args: service_account_email: string, The email associated with the service account. private_key_pkcs12: string, The contents of a PKCS#12 keyfile. private_key_password: string, (Optional) Password for PKCS#12 private key. Defaults to ``notasecret``. scopes: List or string, (Optional) Scopes to use when acquiring an access token. token_uri: string, URI for token endpoint. For convenience defaults to Google's endpoints but any OAuth 2.0 provider can be used. revoke_uri: string, URI for revoke endpoint. For convenience defaults to Google's endpoints but any OAuth 2.0 provider can be used. Returns: ServiceAccountCredentials, a credentials object created from the keyfile. Raises: NotImplementedError if pyOpenSSL is not installed / not the active crypto library. )rrr) _PASSWORD_DEFAULTrr9 OpenSSLSignerNotImplementedError _PKCS12_ERRORr:r_private_key_password) r<rprivate_key_pkcs12private_key_passwordrrrrr@s r"_from_p12_keyfile_contentsz4ServiceAccountCredentials._from_p12_keyfile_contentssu> '#4 <@/$-*F *< ',@ )r#ct|d5}|j}ddd|j|||||S#1swY xYw)apFactory constructor from JSON keyfile. Args: service_account_email: string, The email associated with the service account. filename: string, The location of the PKCS#12 keyfile. private_key_password: string, (Optional) Password for PKCS#12 private key. Defaults to ``notasecret``. scopes: List or string, (Optional) Scopes to use when acquiring an access token. token_uri: string, URI for token endpoint. For convenience defaults to Google's endpoints but any OAuth 2.0 provider can be used. revoke_uri: string, URI for revoke endpoint. For convenience defaults to Google's endpoints but any OAuth 2.0 provider can be used. Returns: ServiceAccountCredentials, a credentials object created from the keyfile. Raises: NotImplementedError if pyOpenSSL is not installed / not the active crypto library. rbNrUrrr)rEreadrV) r<rrHrUrrrrIrTs r"from_p12_keyfilez*ServiceAccountCredentials.from_p12_keyfile+sR>(D !X!) "-- !#5!5fJ.8 8" !s =AcP|j}|j||||||S)aFactory constructor from JSON keyfile. Args: service_account_email: string, The email associated with the service account. file_buffer: stream, A buffer that implements ``read()`` and contains the PKCS#12 key contents. private_key_password: string, (Optional) Password for PKCS#12 private key. Defaults to ``notasecret``. scopes: List or string, (Optional) Scopes to use when acquiring an access token. token_uri: string, URI for token endpoint. For convenience defaults to Google's endpoints but any OAuth 2.0 provider can be used. revoke_uri: string, URI for revoke endpoint. For convenience defaults to Google's endpoints but any OAuth 2.0 provider can be used. Returns: ServiceAccountCredentials, a credentials object created from the keyfile. Raises: NotImplementedError if pyOpenSSL is not installed / not the active crypto library. rY)rZrV)r<r file_bufferrUrrrrTs r"from_p12_keyfile_bufferz1ServiceAccountCredentials.from_p12_keyfile_bufferQs;>)--/-- !#5!5fJ.8 8r#c8ttj}tj|j|||j z|j d}|j|jtj|j||jS)z8Generate the assertion that will be used in the request.)audscopeiatexpisskey_id) inttimer6r7rMAX_TOKEN_LIFETIME_SECSrupdaterrmake_signed_jwtr r)rnowpayloads r"_generate_assertionz-ServiceAccountCredentials._generate_assertionvs{$))+#44\\555..   t||$$$T\\7,0,@,@B Br#cP|j|jj|fS)aYCryptographically sign a blob (of bytes). Implements abstract method :meth:`oauth2client_4_0.client.AssertionCredentials.sign_blob`. Args: blob: bytes, Message to be signed. Returns: tuple, A pair of the private key ID used to sign the blob and the signed contents. )rr sign)rblobs r" sign_blobz#ServiceAccountCredentials.sign_blobs$##T\\%6%6t%<<> OO(,(C(C%%)%=%="'+'A'A$ r#ct|j}|j||j|j|j f|j |j|j|jd|}|j|_ |j|_ |j|_ |j|_ |j|_|S)a<Create credentials that specify additional claims. Args: claims: dict, key-value pairs for claims. Returns: ServiceAccountCredentials, a copy of the current service account credentials with updated claims to use when obtaining access tokens. ry)r~rrjr!rr rrrrrrr;rrS)rclaims new_kwargsrs r"create_with_claimsz,ServiceAccountCredentials.create_with_claimss$,,' &! ; ; $ .'+||/3/C/C*...+/+;+; . #- . >> OO(,(C(C%%)%=%="'+'A'A$ r#c(|jd|iS)aYCreate credentials that act as domain-wide delegation of authority. Use the ``sub`` parameter as the subject to delegate on behalf of that user. For example:: >>> account_sub = 'foo@email.com' >>> delegate_creds = creds.create_delegated(account_sub) Args: sub: string, An email address that this service account will act on behalf of (via domain-wide delegation). Returns: ServiceAccountCredentials, a copy of the current service account updated to act on behalf of ``sub``. sub)r)rrs r"create_delegatedz*ServiceAccountCredentials.create_delegated s&&&s|44r#rNN)r NN)#__name__ __module__ __qualname____doc__ri frozensetrAssertionCredentialsNON_SERIALIZED_MEMBERSr;rrSr6r7r8rr, classmethodrArKrMrVr[r^rnrrpropertyrrwrrrrr __classcell__r!s@r"r r +s$L#; 9+##:: ;K"   $ +<<,>>..2=A//b57:>DD>9;:>DD:9=R-=-N-N.>.P.P ((T.22#3#D#D$4$F$F#8#8J59"*:*K*K+;+M+M"8"8H B =++  44l  65r#r crtjddd}||z }|jdz|jzS)NiiQ)rdaysseconds)utc_timeepoch time_deltas r"_datetime_to_secsr!s<   dAq )EE!J ??U "Z%7%7 77r#ceZdZdZdZ ddddej ejdffd ZdZ d dZ dZ dZ ej ejfd Z d Zd Zdd ZxZS)_JWTAccessCredentialszSelf signed JWT credentials. Makes an assertion to server using a self signed JWT from service account credentials. These credentials do NOT use OAuth 2.0 and instead authenticate directly. r Nc D| i} tt| ||f|||||d| y)N)rrrrr)rrr) rrrrrrrrradditional_claimsr!s r"rz_JWTAccessCredentials.__init__3sG  $ "  #T3 !  !*!! !  !r#c2tj|||S)aAuthorize an httplib2.Http instance with a JWT assertion. Unless specified, the 'aud' of the assertion will be the base uri of the request. Args: http: An instance of ``httplib2.Http`` or something that acts like it. Returns: A modified instance of http that was passed in. Example:: h = httplib2.Http() h = credentials.authorize(h) )rwrap_http_for_jwt_accessrhttps r" authorizez_JWTAccessCredentials.authorizeIs **46 r#c |X|j |jr|jdtj|j|j S|j |\}}tj||jS)zCreate a signed jwt. Args: http: unused additional_claims: dict, additional claims to add to the payload of the JWT. Returns: An AccessTokenInfo with the signed jwt N)r{ expires_in)r{access_token_expiredrefreshrAccessTokenInfo _expires_in _create_token_MAX_TOKEN_LIFETIME_SECS)rrrtoken unused_expirys r"get_access_tokenz&_JWTAccessCredentials.get_access_token[s  $  (D,E,E T")),,9I9I9KM M$(#5#56G#H E=)) T-J-JL Lr#cy)z*Cannot revoke JWTAccessCredentials tokens.Nrs r"revokez_JWTAccessCredentials.revokeps r#cy)NTrrts r"rz,_JWTAccessCredentials.create_scoped_requiredtsr#c Tt|j|jf||j|j|j ||d|j }|j|j|_|j|j|_|j|j|_ |S)N)rrrrrr) r rr rrrrr;rrS)rrrrrs r"rz#_JWTAccessCredentials.create_scopedxs+4+F+F+/<<;28:>:N:N59^^6:6F6F5>6@;.2\\;  & & 2,0,G,GF )  # # /)-)A)AF &  % % 1+/+E+EF ( r#c&|jdy)zRefreshes the access_token. The HTTP object is unused since no request needs to be made to get a new token, it can just be generated locally. Args: http: unused HTTP object N)_refreshrs r"rz_JWTAccessCredentials.refreshs dr#c>|j\|_|_y)zXRefreshes the access_token. Args: http: unused HTTP object N)rr{r|rs r"rz_JWTAccessCredentials._refreshs 04/A/A/C,4,r#ctj}tj|j}||z}t |t ||j |j d}|j|j||j|tj|j||j}|jd|fS)N)r)rbrcrdrreascii)r_UTCNOWr timedeltarrrrjrrrkr rdecode)rrrllifetimeexpiryrmjwts r"rz#_JWTAccessCredentials._create_tokensnn%%d.K.KLx$S)$V,....   t||$  ( NN, -##DLL'+/+?+?Azz'"F**r#rr)rrrrrr6r7r8rrrrrrrrrrrs@r"rr)sy $;  $ +<<,>>#'!,$L* /?.O.O!1!C!C( D+r#r)rr*r&rrFrhr6rrrrrOr)rRrr rrrr#r"rse 6  %#"&!#  s5 ; ;s5l8E+5E+r#