Ejemplo n.º 1
  def testWebFlowError(self):
    """A FlowError raised by the web flow propagates and is reported on stderr.

    Also pins the keyword arguments handed to the mocked web flow: browser
    launch enabled, the test's scopes, and the default ADC client id and
    client secret taken from auth_util.
    """
    flow_failure = store.FlowError('flowerror')
    self.mock_webflow.side_effect = flow_failure

    # The failure must reach the caller rather than being swallowed, and the
    # user must be told that authentication did not succeed.
    with self.assertRaisesRegex(store.FlowError, 'flowerror'):
      self.Login()
    self.AssertErrContains('There was a problem with web authentication.')

    # assert_called_once_with also fails if the flow was invoked a second
    # time, so a silent retry with different parameters would be caught here.
    expected_kwargs = {
        'launch_browser': True,
        'scopes': self.scopes,
        'client_id': auth_util.DEFAULT_CREDENTIALS_DEFAULT_CLIENT_ID,
        'client_secret': auth_util.DEFAULT_CREDENTIALS_DEFAULT_CLIENT_SECRET,
    }
    self.mock_webflow.assert_called_once_with(**expected_kwargs)
Ejemplo n.º 2
    def testWebFlowError(self):
        """A failed web flow raises, warns the user, and leaves config alone.

        With no stored credentials, Login falls through to the (mocked) web
        flow, which raises FlowError. The test then checks that the active
        account and project properties still hold 'junk' / 'junkproj'.
        """
        account = '*****@*****.**'
        self.mock_load.return_value = None  # Nothing cached: forces the flow.
        self.mock_flow.side_effect = store.FlowError('flowerror')

        with self.assertRaisesRegex(store.FlowError, 'flowerror'):
            self.Login(account=account)
        self.AssertErrContains('There was a problem with web authentication.')

        # One credential lookup, then one browser flow, both with the
        # expected scopes.
        self.mock_load.assert_called_once_with(
            account=account, scopes=self.expected_scopes)
        self.assert_mock_flow_called_with(
            launch_browser=True, scopes=self.expected_scopes)

        # A failed login must not switch the active account or project.
        # NOTE(review): 'junk' / 'junkproj' are presumably seeded by the test
        # fixture -- confirm in setUp.
        active_account = properties.VALUES.core.account.Get()
        self.assertEqual('junk', active_account)
        active_project = properties.VALUES.core.project.Get()
        self.assertEqual('junkproj', active_project)
Ejemplo n.º 3
    def testWebFlowError_ContextAwareAccessDenied(self):
        """An 'access_denied' flow error is reported as a policy block.

        The mocked flow raises FlowError('access_denied: Account restricted').
        The error must propagate unchanged, stderr must carry the
        organization-policy message, and the active account and project
        properties must still hold 'junk' / 'junkproj'.
        """
        account = '*****@*****.**'
        denial = 'access_denied: Account restricted'
        self.mock_load.return_value = None  # Nothing cached: forces the flow.
        self.mock_flow.side_effect = store.FlowError(denial)

        with self.assertRaisesRegex(store.FlowError, denial):
            self.Login(account=account)
        # The user-facing text names the cause (organization policy) instead
        # of the generic web-authentication failure message.
        self.AssertErrContains(
            'Access was blocked due to an organization policy')

        self.mock_load.assert_called_once_with(
            account=account, scopes=self.expected_scopes)
        self.assert_mock_flow_called_with(
            launch_browser=True, scopes=self.expected_scopes)

        # A denied login must not switch the active account or project.
        # NOTE(review): 'junk' / 'junkproj' are presumably seeded by the test
        # fixture -- confirm in setUp.
        active_account = properties.VALUES.core.account.Get()
        self.assertEqual('junk', active_account)
        active_project = properties.VALUES.core.project.Get()
        self.assertEqual('junkproj', active_project)
Ejemplo n.º 4
    def Run(self, args):
        """Obtain user credentials via the browser flow and dump them as ADC.

        Args:
            args: Parsed command arguments. This method reads scopes,
                client_id_file, launch_browser, no_browser, remote_bootstrap
                and disable_quota_project, and calls
                IsSpecified('client_id_file').

        Returns:
            The credentials returned by the browser flow, or None when the
            flow returns a falsy value (nothing is dumped in that case).

        Raises:
            c_store.FlowError: The auth/access_token_file property is set.
            c_exc.InvalidArgumentException: --client-id-file is combined with
                --no-launch-browser.
        """
        # TODO(b/203102970): Remove this condition check after the bug is resolved
        token_file = properties.VALUES.auth.access_token_file.Get()
        if token_file:
            raise c_store.FlowError(
                'auth/access_token_file or --access-token-file was set which is not '
                'compatible with this command. Please unset the property and rerun '
                'this command.')

        # On a GCE VM the user is warned that personal credentials may be
        # visible to anyone else with access to the machine, and must confirm.
        # NOTE(review): throw_if_unattended / cancel_on_no presumably abort
        # instead of proceeding silently -- confirm in console_io.
        on_gce = c_gce.Metadata().connected
        if on_gce:
            gce_warning = textwrap.dedent("""
          You are running on a Google Compute Engine virtual machine.
          The service credentials associated with this virtual machine
          will automatically be used by Application Default
          Credentials, so it is not necessary to use this command.

          If you decide to proceed anyway, your user credentials may be visible
          to others with access to this virtual machine. Are you sure you want
          to authenticate with your personal account?
          """)
            console_io.PromptContinue(
                message=gce_warning,
                throw_if_unattended=True,
                cancel_on_no=True)

        command_auth_util.PromptIfADCEnvVarIsSet()

        if args.client_id_file and not args.launch_browser:
            raise c_exc.InvalidArgumentException(
                '--no-launch-browser',
                '`--no-launch-browser` flow no longer works with the '
                '`--client-id-file`. Please replace `--no-launch-browser` with '
                '`--no-browser`.')

        # This reauth scope is only used here and when refreshing the access token.
        requested_scopes = args.scopes or auth_util.DEFAULT_SCOPES
        scopes = requested_scopes + [config.REAUTH_SCOPE]

        # The default ADC client id/secret are written to the auth properties
        # unconditionally, i.e. also when --client-id-file was given.
        default_client_id = auth_util.DEFAULT_CREDENTIALS_DEFAULT_CLIENT_ID
        properties.VALUES.auth.client_id.Set(default_client_id)
        default_client_secret = (
            auth_util.DEFAULT_CREDENTIALS_DEFAULT_CLIENT_SECRET)
        properties.VALUES.auth.client_secret.Set(default_client_secret)

        credentials = auth_util.DoInstalledAppBrowserFlowGoogleAuth(
            scopes,
            client_id_file=args.client_id_file,
            no_launch_browser=not args.launch_browser,
            no_browser=args.no_browser,
            remote_bootstrap=args.remote_bootstrap)
        if not credentials:
            return

        # Impersonation is taken from the auth/impersonate_service_account
        # property, not from this command's arguments.
        target_principal = None
        delegates = None
        impersonation_setting = (
            properties.VALUES.auth.impersonate_service_account.Get())
        if impersonation_setting:
            target_principal, delegates = c_store.ParseImpersonationAccounts(
                impersonation_setting)

        # NOTE(review): the Dump* helpers presumably persist the credentials
        # as the ADC file; that file should then be handled as a secret --
        # confirm its location and permissions in command_auth_util.
        if target_principal:
            # TODO(b/184049366): Supports quota project with impersonated creds.
            command_auth_util.DumpImpersonatedServiceAccountToADC(
                credentials,
                target_principal=target_principal,
                delegates=delegates)
        elif args.IsSpecified('client_id_file'):
            command_auth_util.DumpADC(
                credentials, quota_project_disabled=False)
        elif args.disable_quota_project:
            command_auth_util.DumpADC(
                credentials, quota_project_disabled=True)
        else:
            command_auth_util.DumpADCOptionalQuotaProject(credentials)
        return credentials