+dZddlmZddlmZddlmZddlZddlZddlmZddlm Z ddlm Z dd lm Z dd l m Z dd l mZd Zd ZdZdZdZdZdZdZddZ ddZdZdZdZ ddZy)aA module that provides functions for handling rapt authentication. Reauth is a process of obtaining additional authentication (such as password, security token, etc.) while refreshing OAuth 2.0 credentials for a user. Credentials that use the Reauth flow must have the reauth scope, ``https://www.googleapis.com/auth/accounts.reauth``. This module provides a high-level function for executing the Reauth process, :func:`refresh_access_token`, and lower-level helpers for doing the individual steps of the reauth process. Those steps are: 1. Obtaining a list of challenges from the reauth server. 2. Running through each challenge and sending the result back to the reauth server. 3. Refreshing the access token using the returned rapt token. )absolute_import)division)print_functionN) challenges)errors)_helpers)_reauth_client) http_client)rangez/https://www.googleapis.com/auth/accounts.reauth invalid_grant invalid_rapt rapt_required AUTHENTICATEDCHALLENGE_REQUIREDCHALLENGE_PENDINGc |dD]}|ddk7r tjj|dd}|s\tjdj |ddj ttjj|js'tjdj |d|j|}|sytj||d |d ||cSy) aLGet the next challenge from msg and run it. Args: msg: Reauth API response body (either from the initial request to https://reauth.googleapis.com/v2/sessions:start or from sending the previous challenge response to https://reauth.googleapis.com/v2/sessions/id:continue) http_request: callable to run http requests. Accepts uri, method, body and headers. Returns a tuple: (response, content) access_token: reauth access token Returns: rapt token. Raises: errors.ReauthError if reauth failed rstatusREADY challengeTypeNz4Unsupported challenge type {0}. Supported types: {1},z%Challenge {0} is not locally eligible sessionId challengeId) rAVAILABLE_CHALLENGESgetrReauthFailErrorformatjoinlistkeysis_locally_eligibleobtain_challenge_inputr send_challenge_result)msg http_request access_token challengec client_inputs Hplatform/gsutil/third_party/google-reauth-python/google_reauth/reauth.py_run_next_challenger*=s & X ' )   + + / //*D 2((F /2j&E&E&J&J&L!MNP  $$((7 /235 5// : 33    m $    ''2 cd}td|D]}|s=tj|ttj j ||}|dtk(r|dcS|dtk(s3|dtk(s'tjdj|dtjstjt!|||}tj")aGiven an http request method and reauth access token, get rapt token. Args: http_request: callable to run http requests. Accepts uri, method, body and headers. Returns a tuple: (response, content) access_token: reauth access token requested_scopes: scopes required by the client application rounds_num: max number of attempts to get a rapt after the next challenge, before failing the reauth. This defines total number of challenges + number of additional retries if the chalenge input wasn't accepted. Returns: rapt token. Raises: errors.ReauthError if reauth failed NrrencodedProofOfReauthTokenzChallenge status {0})r r get_challengesrrrr_AUTHENTICATED_CHALLENGE_REQUIRED_CHALLENGE_PENDINGrReauthAPIErrorrris_interactiveReauthUnattendedErrorr*r)r$r%requested_scopes rounds_numr#_s r) _obtain_raptr8is" C 1j ! //Z4499;< "C x=N *23 3H !44H !33''&--c(m<> >&&(..0 0!#|\B)".  ""r+c tjjdtj|||||t ddi\}} t j|}|jtj k7r)tjt#||jd|vrtjdt%||d|}|S#ttf$r.tjdjt|wxYw) aNGiven an http request method and refresh_token, get rapt token. Args: http_request: callable to run http requests. Accepts uri, method, body and headers. Returns a tuple: (response, content) client_id: client id to get access token for reauth scope. client_secret: client secret for the client_id refresh_token: refresh token to refresh access token token_uri: uri to refresh access token scopes: scopes required by the client application Returns: rapt token. Raises: errors.ReauthError if reauth failed zReauthentication required. z Content-Typez!application/x-www-form-urlencoded)r$ client_id client_secret refresh_token token_uriscopesheadersInvalid response {0}r%z&Access token missing from the response)r5)sysstderrwriter refresh_grant _REAUTH_SCOPEjsonloads TypeError ValueErrorrReauthAccessTokenRefreshErrorr_substr_for_error_messagerr OK_get_refresh_error_messager8) r$r:r;r<r=r>responsecontent rapt_tokens r)get_rapt_tokenrQs"JJ34'44!##!DEGHgO**W% +..(22 &w /B BW$22 46 6!J % z "O22 " ) )*CG*L MO OOs C =D c tj|}|j dt k(xr2|j dt k(xs|j dtk(S#ttf$rYywxYw)zChecks if the rapt refresh is required. Args: content: refresh response content Returns: True if rapt refresh is required. Ferror error_subtype)rFrGrHrIr_REAUTH_NEEDED_ERROR!_REAUTH_NEEDED_ERROR_INVALID_RAPT"_REAUTH_NEEDED_ERROR_RAPT_REQUIREDrOs r)_rapt_refresh_requiredrYsx**W%  G 44 M _ %)J J L _ %)K KN z "sA##A54A5c:d}d|vr|d}d|vr |d|dzz }|S)zConstructs an error from the http response. Args: response: http response content: parsed response content Returns: error message to show zInvalid response.rSerror_descriptionz: )rO error_msgs r)rMrMs>$I'G$ ' ) (; << r@r%r<N expires_inid_token)r rDrr rLrYrQrFrGrHrIrHttpAccessTokenRefreshErrorrrKrMr) r$r:r;r<r=rcr>r?rNrOr%rdres r)refresh_access_tokenrgsm.'44!## Hg+..( #7 +! D!/ < <)#++#!! Hg**W% +..(00 &w /B B>*LKK6M\40J{{:t,H , z8 KK z "00 " ) )*CG*L M OO s 9DAE))N)NNN)__doc__ __future__rrrrFrA google_reauthrrrr six.movesr r rErUrVrWr/r0r1r*r8rQrYrMrKrgr\r+r)rms('% $ "(!B &$2!%4" *()X*#\&*1hN&$E48HLr+