a

�z�g�u�@s�dZd
dl
mZ
d
dlZd
dlZd
dlZd
dlZd
dlZd
dlZd
dl	Z	d
dl
Z
d
dlZd
dlZd
dlm
Z

d
dlmZ
d
dlZd
dlmZ
d
dlmZ
d
dlmZ
d
d	lmZ
zd
dlZd
ZWnPe�
y
Z
z6ej�dd�Ze�d
�
s�e�d�
s�e�
dZWYdZ[n
dZ[00zd
dlmZ
Wn e�
yB


d
dlmZ
Yn0zd
dlm Z 
d
Z!WnJe�
y�


dZ!zd
dlm"Z"
Wn e�
y�


d
dlm"Z"
Yn0Yn0zd
dl#Z#e#j$Z$Wne�
y�


dZ$Yn0gd�
Z%e�&�a'dd�Z(gZ)d6dd�
Z*d7dd�
Z+d8dd�
Z,dd�Z-d9dd�
Z.Gd d!�d!ej/�Z0Gd"d#�d#ej1j2�Z3d:d$d%�
Z4d;d&d'�
Z5Gd(d)�d)e6�Z7d<d*d+�
Z8d,d-�Z9e*d=d.d/�
�
Z:e*d0d1��
Z;e*d2d3��
Z<e*d>d4d5�
�
Z=dS)?z,Common credentials classes and constructors.�)
�print_functionN)
�service_account)
�tools)
�http_client)
�urllib)
�
exceptions)
�utilT�SERVER_SOFTWARE�ZDevelopmentzGoogle App EngineF)
�gce)
�multiprocess_file_storage)
�multistore_file)�CredentialsFromFile�GaeAssertionCredentials�GceAssertionCredentials�GetCredentials�GetUserinfo�!ServiceAccountCredentialsFromFilec


Cs|adS�
N)
�cache_file_lock)
�lock�r�D/opt/gsutil/third_party/apitools/apitools/base/py/credentials_lib.py�SetCredentialsCacheFileLock_srcCs0|
d
urtt
�
}
nt|
tt
�
�}
t
�|
|�
|S)aPRegister a new method for fetching credentials.

    This new method should be a function with signature:
      client_info, **kwds -> Credentials or None
    This method can be used as a decorator, unless position needs to
    be supplied.

    Note that method must *always* accept arbitrary keyword arguments.

    Args:
      method: New credential-fetching method.
      position: (default: None) Where in the list of methods to
        add this; if None, we append. In all but rare cases,
        this should be either 0 or None.
    Returns:
      method, for use as a decorator.

    N)�len�_CREDENTIALS_METHODS�min�insert)�method�positionrrr�_RegisterCredentialsMethodjs




r c	
Ks�t�
|
�
}
||d
�t|
�
�
|p$d|d�}
tD]$}||
f
i|	�
�
}|du
r.|
Sq.|pbtj�d�
}t||
|d�}|du
r~|St	�
d�
�
dS)zDAttempt to get credentials, using an oauth dance as the last resort.�
 z%s-generated/0.1)�	client_id�
client_secret�scope�
user_agentNz~/.apitools.token)
�oauth2client_argsz"Could not create valid credentials)r�NormalizeScopes�join�sortedr�os�path�
expanduserrr�CredentialsError)
�package_name�scopesr"r#r%�credentials_filename�api_key�clientr&�kwds�client_infor�credentialsrrrr�s&




�






�
�

rcCs�tj
�|�
}tjd
kr@tjj||
d�}|du
r<|du
r<||_|St	|�
�}t
�|�
}Wd�
n1sh0


Y
|�d�
}|tj
jkr�t�d|f
�
�
tj|d|d|d|d	|
|d
�}|SdS)z=Use the credentials in filename to create a token for scopes.�1.5.2�
r/N�typez'Invalid service account credentials: %sr"�client_email�private_key_id�private_key)Zservice_account_id�service_account_emailr:Zprivate_key_pkcs8_textr/r%)r*r+r,�oauth2client�__version__r�ServiceAccountCredentialsZfrom_json_keyfile_namer%�open�json�load�getr2�SERVICE_ACCOUNTrr-Z_ServiceAccountCredentials)�filenamer/r%r5�keyfileZservice_account_infoZaccount_typerrrr�s2

��




(




�




�rcCs�tj
�|
�
}
t�|�
}tjd
krDtjj	||
|d�}|du
r@||_
|St|
d��(}tjj
||��||d�Wd�
S1s|0


Y
dS)z4Create a new credential from the named .p12 keyfile.r6r7N�rb�
r%)r*r+r,rr'r=r>rr?Zfrom_p12_keyfiler%r@r2ZSignedJwtAssertionCredentials�read)�service_account_nameZprivate_key_filenamer/r%r5�key_filerrr�$ServiceAccountCredentialsFromP12File�s




��





�rLc	
Cs�|
rtj
�d
d�}ntj
�dd�}d|d|}ddi
}tjj||d	�}tj�tj�i�
�
}z|�|�
}Wn8tj	j
y�
}
zt�d
|j
�
�
WYd}~n
d}~00|S)z4Request the given url from the GCE metadata service.�GCE_METADATA_IPz169.254.169.254�GCE_METADATA_ROOTzmetadata.google.internalzhttp://z/computeMetadata/v1/zMetadata-Flavor�Google)
�headersz$Could not reach metadata service: %sN)r*�environrCr�request�Request�build_opener�ProxyHandlerr@�error�URLErrorr�CommunicationError�reason)	�relative_urlZuse_metadata_ip�base_url�urlrPrR�opener�response�
errr�_GceMetadataRequest�s 

�






�r`cs�eZ
dZd
Zd�f
dd�	Zedd��
Zdd	�Zd
d�Zdd
�Z	dd�Z
dd�Zdd�Zdd�Z
�f
dd�Zedd��
Zedd��
Z�ZS)rz(Assertion credentials for GCE instances.N�defaultcs�tj
|d
d�|_d}|�d�
}|r.|�||
�}|p:|�|
�
}
|rP|sP|�||
�
t���4
t�	d�

t
t|�jfd|
i
|�
�

Wd�
n1s�0


Y
dS)aA
Initializes the credentials instance.

        Args:
          scopes: The scopes to get. If None, whatever scopes that are
              available to the instance are used.
          service_account_name: The service account to retrieve the scopes
              from.
          **kwds: Additional keyword args.

        �utf-8�
�encodingN�cache_filename�ignorer$)
�six�ensure_text�._GceAssertionCredentials__service_account_namerC�_CheckCacheFileForMatch�_ScopesFromMetadataServer�_WriteCacheFile�warnings�catch_warnings�simplefilter�superr�__init__)�selfr/rJr3Z
cached_scopesre�
�	__class__rrrq�s 

�




�




z GceAssertionCredentials.__init__c
Os,z||
i|�
�
WStj
y&


YdS0dSr�r�Error��cls�argsr3rrr�Get
s


zGceAssertionCredentials.GetcCs�|rtt
|�
�
nd
|jd�}t|
�
}zN|��}|s8Wd
St�|�
}|d|dkrp|dd
|dfvrp|dWSWnty�


�Yn


Yn0d
S)a	
Checks the cache file to see if it matches the given credentials.

        Args:
          cache_filename: Cache filename to check.
          scopes: Scopes for the desired credentials.

        Returns:
          List of scopes (if cache matches) or None.
        N�r/�
svc_acct_namer|r/)r)�listri�_MultiProcessCacheFile�
LockedReadrA�loads�KeyboardInterrupt)rrrer/�creds�
cache_fileZcached_creds_strZcached_credsrrrrj
s 
�











z/GceAssertionCredentials._CheckCacheFileForMatchcCsbtd
d�|D�
�
}||j
d�}t�|�
}t|
�
}z|�|�

WntyR


�Yn


Yn0dS)aB
Writes the credential metadata to the cache file.

        This does not save the credentials themselves (CredentialStore class
        optionally handles that after this class is initialized).

        Args:
          cache_filename: Cache filename to check.
          scopes: Scopes for the desired credentials.
        c
Ssg|]}
t�
|
�
�qSr)rgrh��.0r$rrr�
<listcomp>C
�z;GceAssertionCredentials._WriteCacheFile.<locals>.<listcomp>r{N)r)rirA�dumpsr~�LockedWriter�)rrrer/r�Z	creds_strr�rrrrl8
s

�






z'GceAssertionCredentials._WriteCacheFilecCsvt�
�st�d
�
�
|�|j�
s.t�d|j�
�
|
rjt�|
�
}|��}||krrt�dt	t
||�
�
f
�
�
n|��}
|
S)z5Returns instance scopes based on GCE metadata server.�0GCE credentials requested outside a GCE instancez@GCE credentials requested but service account %s does not exist.z)Instance did not have access to scopes %s)r�	DetectGcer�ResourceUnavailableError�GetServiceAccountrir'�GetInstanceScopesr-r)r})rrr/Zscope_lsZinstance_scopesrrrrkP
s*

�


��






��
z1GceAssertionCredentials._ScopesFromMetadataServercCs&d
}t|�
}dd�|�
�D�
}|
|vS)Nzinstance/service-accountsc
Ssg|]}
t�
|
�
�d�
�qS)
z/

)rg�
ensure_str�rstrip)r��linerrrr�g
s
�z=GceAssertionCredentials.GetServiceAccount.<locals>.<listcomp>)r`�	readlines)rrZaccountrZr^Zresponse_linesrrrr�d
s



�z)GceAssertionCredentials.GetServiceAccountc
Cs,d
�|j
�
}
t|
�
}t�dd�|��D�
�
S)Nz$instance/service-accounts/{0}/scopesc
ss|]}
t�
|
�
��V
qdSr)rgr��stripr�rrr�	<genexpr>o
s
�z<GceAssertionCredentials.GetInstanceScopes.<locals>.<genexpr>)�formatrir`rr'r�)rrrZr^rrrr�k
s

�


�z)GceAssertionCredentials.GetInstanceScopescCstj
j�||
�
d
S)a7
Refresh self.access_token.

        This function replaces AppAssertionCredentials._refresh, which
        does not use the credential store and is therefore poorly
        suited for multi-threaded scenarios.

        Args:
          do_request: A function matching httplib2.Http.request's signature.

        N)r=r2�OAuth2Credentials�_refresh)rrZ
do_requestrrrr�s
sz GceAssertionCredentials._refreshcCs�d
�|j
�
}zt|�
}Wn.tjyF


d|_|jr@|j�|�

�Yn0t�	|�
��
}zt�|�
}Wn t
y�


t�d|�
�
Yn0|d|_d|vr�t|d�
}tj|d�
tjjtjjd�
jdd	�
|_nd|_d
|_|jr�|j�|�

dS)z�Refresh self.access_token by querying the metadata server.

        If self.store is initialized, store acquired credentials there.
        z#instance/service-accounts/{0}/tokenTz$Could not parse response as JSON: %s�access_token�
expires_in)
�seconds)
�tzN)
�tzinfoF)r�rir`rrX�invalid�store�
locked_putrgr�rIrAr��
ValueErrorr-r��int�datetime�	timedelta�now�timezone�utc�replace�token_expiry)rrZunused_http_requestrZr^�contentZcredential_infor�rrr�_do_refresh_request�
s8
�











�





��


z+GceAssertionCredentials._do_refresh_requestc

stt
j|���Sr)rpr�AppAssertionCredentials�to_json�
rrrsrrr��
szGceAssertionCredentials.to_jsoncCs�t�
|
�
}i}d
|�dg�vr.|dd
|d
<d}d|vrD|dg
}tfd|i
|�
�
}d|vrh|d|_d|vr�tj�|dtjj	�|_
d|vr�|d|_|S)Nre�kwargsr$r/r�r�r�)rAr�rCrr�r��strptimer=r2�
EXPIRY_FORMATr�r�)rx�	json_data�datar�Z
scope_listr5rrr�	from_json�
s"













�


z!GceAssertionCredentials.from_jsonc

Cstd
�
�
dS)Nz6Cannot serialize credentials for GCE service accounts.�
�NotImplementedErrorr�rrr�serialization_data�
s
�z*GceAssertionCredentials.serialization_data)Nra)�__name__�
__module__�__qualname__�__doc__rq�classmethodrzrjrlrkr�r�r�r�r�r��propertyr��
__classcell__rrrsrr�s &

!


rcsHeZ
dZd
Z�f
dd�Zedd��
Zedd��
Zdd	�Zd
d�Z	�Z
S)rz1Assertion credentials for Google App Engine apps.cs<t�
�st�d
�
�
tt�|
�
�
|_tt|�j	di|�
�

dS)Nr�)
N)
r�	DetectGaerr�r}r'�_scopesrprrq)rrr/r3rsrrrq�
s


�
z GaeAssertionCredentials.__init__c
Os,z||
i|�
�
WStj
y&


YdS0dSrrurwrrrrz�
s


zGaeAssertionCredentials.GetcCst�
|
�
}t|d
�
S)Nr�)rAr�r)rxr�r�rrrr��
s

z!GaeAssertionCredentials.from_jsonc
Cs`d
dlm
}
z|�|j�
\}}
Wn4|jyT
}
zt�t|�
�
�
WYd}~n
d}~00||_dS)z�Refresh self.access_token.

        Args:
          _: (ignored) A function matching httplib2.Http.request's signature.
        r
)
�app_identityN)	Zgoogle.appengine.apir��get_access_tokenr�rvrr-�strr�)rr�
_r��tokenr_rrrr��
s



$
z GaeAssertionCredentials._refreshcCstd
�
�
dS)au
Cryptographically sign a blob (of bytes).

        This method is provided to support a common interface, but
        the actual key used for a Google Compute Engine service account
        is not available, so it can't be used to sign content.

        Args:
            blob: bytes, Message to be signed.

        Raises:
            NotImplementedError, always.
        z1Compute Engine service accounts cannot sign blobsNr�)rr�blobrrr�	sign_blob�
s

�z!GaeAssertionCredentials.sign_blob)r�r�r�r�rqr�rzr�r�r�r�rrrsrr�
s



rc
Cs\tj
tjg
d
�
}
|
j|d�
\}}ttd�r2tj|_ttd�rDtj|_ttd�rXtj	|_
|S)z4Retrieves command line flags based on gflags module.)
�parents�
ry�auth_host_name�auth_host_port�auth_local_webserver)�argparse�ArgumentParserrZ	argparserZparse_known_args�hasattr�FLAGSr�r�r�Znoauth_local_webserver)ry�parser�flagsr�rrr�_GetRunFlowFlagss









r�cCsL
|
d
}|
d}t|t
j�s&d�|�
}|
d||}trHt�||�}nt�||�}t	t
d�rddt
_|��}|dus||j
�
rHtd�

td	�
D]�}z6tjjfi|
�
�
}	t|d
�
}
t�|	||
�}W
�
qHWq�tjjtf�
y
}
ztd|f
�

WYd}~q�d}~0tj�
yD
}
z(td|f
�

t�d
|�
�
WYd}~q�d}~00q�|S)zRead credentials from a file.r%r$�
:r"r�FNz$Generating new OAuth credentials ...�r�zInvalid authorization: %szCommunication error: %sz,Communication error creating credentials: %s)�
isinstancerg�string_typesr(�_NEW_FILESTORErZMultiprocessFileStorager
Z(get_credential_storage_custom_string_keyr�r�r�rCr��print�ranger=r2�OAuth2WebServerFlowr�rZrun_flow�FlowExchangeError�
SystemExit�httplib2�
HttpLib2Errorrr-)r+r4r&r%Z	scope_keyZstorage_keyZcredential_storer5r��flowr�r_rrrrs>






�
�











"



�rc@s\eZ
dZd
ZdZdZe��Zdd�Z	e
jdd��
Ze
jdd	��
Z
d
d�Zdd
�Zdd�ZdS)r~aOSimple multithreading and multiprocessing safe cache file.

    Notes on behavior:
    * the fasteners.InterProcessLock object cannot reliably prevent threads
      from double-acquiring a lock. A threading lock is used in addition to
      the InterProcessLock. The threading lock is always acquired first and
      released last.
    * The interprocess lock will not deadlock. If a process can not acquire
      the interprocess lock within `_lock_timeout` the call will return as
      a cache miss or unsuccessful cache write.
    * App Engine environments cannot be process locked because (1) the runtime
      does not provide monotonic time and (2) different processes may or may
      not share the same machine. Because of this, process locks are disabled
      and locking is only guaranteed to protect against multithreaded access.
    �
rbcCs>d|_|
|_
tr,|j|_t�d
�|
�
�
|_n|j	|_d|_dS)Nz{0}.lock)
�_file�	_filename�_FASTENERS_AVAILABLE�_ProcessLockAcquired�_process_lock_getter�	fastenersZInterProcessLockr��
_process_lock�_DummyLockAcquired)rrrErrrrqSs





�
z_MultiProcessCacheFile.__init__c
cs>z(|jj
|jd
�
}
|
V
W|
r:|j��
n|
r8|j��
0dS)z/Context manager for process locks with timeout.)
�timeoutN)r��acquire�
_lock_timeout�release)rrZ	is_lockedrrrr�^s


�
z+_MultiProcessCacheFile._ProcessLockAcquiredc


cs
d
V
dS)z<Lock context manager for environments without process locks.TNrr�rrrr�hsz)_MultiProcessCacheFile._DummyLockAcquiredc

Cs�d
}
|j��
|�
�s$Wd
�
d
S|���n}|sNWd
�
Wd
�
d
St|jd��"}|��j|jd�
}
Wd
�
n1s�0


Y
Wd
�
n1s�0


Y
Wd
�
n1s�0


Y
|
S)a
Acquire an interprocess lock and dump cache contents.

        This method safely acquires the locks then reads a string
        from the cache file. If the file does not exist and cannot
        be created, it will return None. If the locks cannot be
        acquired, this will also return None.

        Returns:
          cache data - string if present, None on failure.
        NrGrc)�_thread_lock�_EnsureFileExistsr�r@r�rI�decode�	_encoding)rr�
file_contents�acquired_plock�
frrrrms








l
z!_MultiProcessCacheFile.LockedReadc
Cs�t|
t
j�r|
j|jd
�
}
|j��
|��s:Wd�
dS|���t}|sdWd�
Wd�
dSt|j	d��}|�
|
�

Wd�
n1s�0


Y
Wd�
Wd�
dS1s�0


Y
Wd�
n1s�0


Y
dS)a�
Acquire an interprocess lock and write a string.

        This method safely acquires the locks then writes a string
        to the cache file. If the string is written successfully
        the function will return True, if the write fails for any
        reason it will return False.

        Args:
          cache_data: string or bytes to write.

        Returns:
          bool: success
        rcNF�wbT)r�rg�	text_type�encoder�r�r�r�r@r��write)rrZ
cache_datar�r�rrrr��s








(
z"_MultiProcessCacheFile.LockedWritec
	Csntj
�|j�
sjt�d
�
}
zDzt|jd���
Wn tyN


YWt�|
�

dS0Wt�|
�

nt�|
�

0dS)z8Touches a file; returns False on error, True on success.�za+bFT)r*r+�existsr��umaskr@�close�OSError)rrZ	old_umaskrrrr��s






�
z(_MultiProcessCacheFile._EnsureFileExistsN)r�r�r�r�r�r��	threading�Lockr�rq�
contextlib�contextmanagerr�r�rr�r�rrrrr~>s




	

r~cCs\|
p
t�
�}
t|�
}|
�|�
\}}|jtjkrN|�|
�

t|�
}|
�|�
\}}t�	|pXd
�
S)a�
Get the userinfo associated with the given credentials.

    This is dependent on the token having either the userinfo.email or
    userinfo.profile scope for the given token.

    Args:
      credentials: (oauth2client.client.Credentials) incoming credentials
      http: (httplib2.Http, optional) http instance to use

    Returns:
      The email address for this token, or None if the required scopes
      aren't available.
    z{})
r��Http�_GetUserinfoUrlrR�statusr�BAD_REQUEST�refreshrAr�)r5�httpr\r^r�rrrr�s






rc
Cs$d
}
d|ji
}d�
|
tj�|�
f�
S)Nz'https://oauth2.googleapis.com/tokeninfor��
?)r�r(r�parse�	urlencode)r5Zurl_root�
query_argsrrrr
�s



r
cKsZ|d
��}|d}|r&t
|||d�S|
r.|r6|r@|
s@t�d�
�
|
du
rVt|
|||�SdS)z1Returns ServiceAccountCredentials from give file.r$r%rHz:Service account name or keyfile provided without the otherN)�splitrrr-rL)r4rJZservice_account_keyfileZservice_account_json_keyfile�unused_kwdsr/r%rrr�_GetServiceAccountCredentials�s$


�
�
�
�

�r

c
Ks|d
�d�
}t
j|d�
S�Nr$r!r7)r
rrz�r4r
r/rrr�_GetGaeServiceAccount�s
r
c
Ks|d
�d�
}t
j|d�
Sr
)r
rrzr
rrr�_GetGceServiceAccount�s
r
c	Ks�|d
��}|
rdSt
jj}t�B
z|��}Wn$t
jjyR


YWd�
dS0Wd�
n1sh0


Y
d}|dur�dSt||�r�||vr�|�|�
SdS)zReturns ADC with right scopes.r$Nz.https://www.googleapis.com/auth/cloud-platform)	r
r=r2�GoogleCredentialsr� _implicit_credentials_from_files�"ApplicationDefaultCredentialsErrorr��
create_scoped)r4Z$skip_application_default_credentialsr
r/�gcr5�cprrr�!_GetApplicationDefaultCredentials�s






2





r
)
N)NNNN)
N)
F)
N)
N)
N)NNN)
F)>r��
__future__rr�r�r�rAr*r�rmr�r=�oauth2client.clientrrrg�	six.movesrr�apitools.base.pyrrr�r��ImportErrorZimport_errorrQrCZ
server_env�
startswithZoauth2client.contribrrr�r
Zgflagsr��__all__r�rrrr rrrLr`r�rr2�AssertionCredentialsrr�r�objectr~rr
r

r
r
r
rrrr�<module>s�





















�





















�

 
a6

(n

�



�