def _Load(account, scopes, prevent_refresh):
    """Helper for Load(): resolve a credential from the override file or account.

    If the auth/credential_file_override property is set, the credential is
    read from that file and returned; the active account and the credential
    store are not consulted on that path. Otherwise the account is looked up
    in the static credential providers and then in the credential store.

    Args:
      account: str, The account to load. When falsy, the core/account property
        is used instead.
      scopes: tuple, Scopes applied to an override-file credential that
        requires scoping. config.CLOUDSDK_SCOPES is used when None.
      prevent_refresh: bool, If True, a stored credential is returned without
        being refreshed, even when its expiry is missing or in the past.

    Returns:
      The credential object for the override file or the account.

    Raises:
      InvalidCredentialFileException: If the override file cannot be loaded.
      NoActiveAccountException: If no account is given and none is configured.
      NoCredentialsForAccountException: If the store has nothing for account.
    """
    override_path = properties.VALUES.auth.credential_file_override.Get()
    if override_path:
        # Only the path is logged here, never the contents of the file.
        log.info('Using alternate credentials from file: [%s]', override_path)
        try:
            file_cred = client.GoogleCredentials.from_stream(override_path)
        except client.Error as e:
            raise InvalidCredentialFileException(override_path, e)

        if file_cred.create_scoped_required():
            requested = config.CLOUDSDK_SCOPES if scopes is None else scopes
            file_cred = file_cred.create_scoped(requested)

        # token_uri is set after scoping because it has to be explicitly
        # preserved when scopes are applied.
        # NOTE(review): auth/token_host replaces the endpoint that the
        # service-account credential sends its token request to, so the
        # property should come from trusted configuration only. Other
        # credential types keep the token_uri they were loaded with.
        token_host = properties.VALUES.auth.token_host.Get()
        if token_host:
            kind = creds.CredentialType.FromCredentials(file_cred)
            if kind in (creds.CredentialType.SERVICE_ACCOUNT,
                        creds.CredentialType.P12_SERVICE_ACCOUNT):
                file_cred.token_uri = token_host

        # The override credential is never written to the credential store,
        # but access tokens are still cached between invocations.
        return creds.MaybeAttachAccessTokenCacheStore(file_cred)

    account = account or properties.VALUES.core.account.Get()
    if not account:
        raise NoActiveAccountException(
            named_configs.ActiveConfig(False).file_path)

    static_cred = STATIC_CREDENTIAL_PROVIDERS.GetCredentials(account)
    if static_cred is not None:
        return static_cred

    stored_cred = creds.GetCredentialStore().Load(account)
    if not stored_cred:
        raise NoCredentialsForAccountException(account)

    if not prevent_refresh:
        # token_expiry is in UTC time; utcnow() is reached through the expiry
        # value itself, so both sides of the comparison are naive UTC
        # (assumes token_expiry is a datetime; confirm against the store).
        expiry = stored_cred.token_expiry
        if not expiry or expiry < expiry.utcnow():
            Refresh(stored_cred)
    return stored_cred
def testAttachAccessTokenCacheStore(self):
    """Check that a cached access token is attached to a fresh credential.

    A service-account credential is built with no access token and a
    token_response holding an id_token. After an access token is stored in
    the cache under the credential's service_account_email, the credential
    returned by MaybeAttachAccessTokenCacheStore must expose that token and
    must have token_response cleared, so the earlier id_token is not carried
    over onto the returned credential.
    """
    token_cache = creds.AccessTokenCache(config.Paths().access_token_db_path)

    sa_cred = creds.FromJson(self.SERVICE_ACCOUNT_CREDENTIALS_JSON)
    sa_cred.token_response = json.loads("""{"id_token": "woweee"}""")
    self.assertIsNone(sa_cred.access_token)

    # The cache entry is keyed by the service account e-mail and expires one
    # hour from now (naive UTC).
    cache_key = sa_cred.service_account_email
    expires_at = datetime.datetime.utcnow() + datetime.timedelta(seconds=3600)
    token_cache.Store(
        cache_key,
        access_token='token1',
        token_expiry=expires_at,
        rapt_token=None,
        id_token=None)

    # Storing into the cache alone must not change the credential object.
    self.assertIsNone(sa_cred.access_token)

    attached = creds.MaybeAttachAccessTokenCacheStore(sa_cred)
    self.assertIsNone(attached.token_response)
    self.assertEqual('token1', attached.access_token)
def Load(account=None, scopes=None, prevent_refresh=False):
    """Get the credentials associated with the provided account.

    Credentials are loaded even when they have been disabled via properties.
    Call this only when the caller's functionality absolutely requires
    credentials (like printing out a token), not when it merely logically
    requires them (like for an http request).

    Two properties change what is returned. When auth/credential_file_override
    is set, the credential comes from that file and the account argument, the
    active account and the credential store are all ignored. When
    auth/token_host is also set, it replaces token_uri on service-account
    credentials loaded from that file.

    Args:
      account: str, The account address for the credentials being fetched. If
        None, the account stored in the core.account property is used.
      scopes: tuple, Custom auth scopes to request. By default CLOUDSDK_SCOPES
        are requested.
      prevent_refresh: bool, If True, do not refresh the access token even if
        it is out of date. (For use with operations that do not require a
        current access token, such as credential revocation.)

    Returns:
      oauth2client.client.Credentials, The specified credentials.

    Raises:
      InvalidCredentialFileException: If the credential override file cannot
        be loaded.
      NoActiveAccountException: If account is not provided and there is no
        active account.
      NoCredentialsForAccountException: If there are no valid credentials
        available for the provided or active account.
      c_gce.CannotConnectToMetadataServerException: If the metadata server
        cannot be reached.
      TokenRefreshError: If the credentials fail to refresh.
      TokenRefreshReauthError: If the credentials fail to refresh due to
        reauth.
    """
    override_file = properties.VALUES.auth.credential_file_override.Get()
    if not override_file:
        # No override file: resolve by account, static providers first and
        # the credential store second.
        account = account or properties.VALUES.core.account.Get()
        if not account:
            raise NoActiveAccountException()

        provided = STATIC_CREDENTIAL_PROVIDERS.GetCredentials(account)
        if provided is not None:
            return provided

        loaded = creds.GetCredentialStore().Load(account)
        if not loaded:
            raise NoCredentialsForAccountException(account)

        # token_expiry is in UTC time. A missing expiry is treated the same
        # as an expired one unless the caller asked to prevent the refresh.
        if not prevent_refresh:
            expires = loaded.token_expiry
            if not expires or expires < expires.utcnow():
                Refresh(loaded)
        return loaded

    # Override file set: use it and ignore the active account and the store.
    # Only the path is logged, never the contents of the file.
    log.info('Using alternate credentials from file: [%s]', override_file)
    try:
        override_cred = client.GoogleCredentials.from_stream(override_file)
    except client.Error as e:
        raise InvalidCredentialFileException(override_file, e)

    if override_cred.create_scoped_required():
        wanted_scopes = config.CLOUDSDK_SCOPES if scopes is None else scopes
        override_cred = override_cred.create_scoped(wanted_scopes)

    # token_uri is set after scoping because it has to be explicitly
    # preserved when scopes are applied.
    # NOTE(review): this changes where the service-account credential sends
    # its token request, so auth/token_host should be set from trusted
    # configuration only.
    host_override = properties.VALUES.auth.token_host.Get()
    if host_override:
        cred_kind = creds.CredentialType.FromCredentials(override_cred)
        if cred_kind in (creds.CredentialType.SERVICE_ACCOUNT,
                         creds.CredentialType.P12_SERVICE_ACCOUNT):
            override_cred.token_uri = host_override

    # The override credential is not stored in the credential store, but
    # access tokens are still cached between invocations.
    return creds.MaybeAttachAccessTokenCacheStore(override_cred)