Example #1
def MaybeConvertToGoogleAuthCredentials(credentials, use_google_auth):
    """Returns google-auth credentials when a conversion is applicable.

    The input is returned unchanged unless all of the following hold:
      1. use_google_auth is True;
      2. credentials is of type oauth2client;
      3. The input credentials are not built from a P12 service account key.
         This legacy service account key is not supported by google-auth, and
         gcloud plans to deprecate P12 service account key support. The
         authentication logic for credentials of this type stays on
         oauth2client for now and will be removed in the deprecation.

    Args:
      credentials: oauth2client.client.Credentials or
        google.auth.credentials.Credentials
      use_google_auth: bool, True if the calling command indicates to use
        google-auth library for authentication.

    Returns:
      google.auth.credentials.Credentials or oauth2client.client.Credentials
    """
    # Guard clauses, evaluated in this order so the credential type is only
    # inspected for oauth2client objects.
    if not use_google_auth:
        return credentials
    if not isinstance(credentials, client.OAuth2Credentials):
        return credentials
    if (CredentialType.FromCredentials(credentials)
            == CredentialType.P12_SERVICE_ACCOUNT):
        return credentials

    # pylint: disable=g-import-not-at-top
    # Imported here to work around the circular dependency between the util
    # and the creds modules.
    from googlecloudsdk.api_lib.iamcredentials import util

    # Devshell and impersonation credentials have dedicated google-auth
    # counterparts and bypass the generic helper below.
    if isinstance(credentials, c_devshell.DevshellCredentials):
        devshell_cls = c_devshell.DevShellCredentialsGoogleAuth
        return devshell_cls.from_devshell_credentials(credentials)
    if isinstance(credentials, util.ImpersonationCredentials):
        impersonation_cls = util.ImpersonationCredentialsGoogleAuth
        return impersonation_cls.from_impersonation_credentials(credentials)

    converted = oauth2client_helper.convert(credentials)
    # The helper drops the token expiry, so restore it from the source object.
    # NOTE(review): when 'token_expiry' is absent this stores None, which
    # google-auth presumably treats as "no known expiry" -- confirm callers
    # still refresh when the token is rejected.
    converted.expiry = getattr(credentials, 'token_expiry', None)

    loses_token_and_scopes = isinstance(
        converted,
        (google_auth_service_account.Credentials, compute_engine.Credentials))
    if not loses_token_and_scopes:
        return converted

    # Access token and scopes are lost in the conversions of service account
    # and GCE credentials. The copied access token is a live bearer secret, so
    # the returned object is as sensitive as the input.
    converted.token = getattr(credentials, 'access_token', None)
    # An empty or missing scope set falls back to config.CLOUDSDK_SCOPES.
    # NOTE(review): the result can then carry scopes the source object did not
    # declare -- confirm this default is intended for every caller.
    source_scopes = getattr(credentials, 'scopes', []) or config.CLOUDSDK_SCOPES
    # client.OAuth2Credentials converts scopes into a set. google-auth requires
    # scopes to be of a Sequence type. This writes a private attribute of the
    # google-auth object.
    converted._scopes = list(source_scopes)  # pylint: disable=protected-access
    return converted
def test_convert_success():
    """convert() uses the converter mapped to the credentials' class.

    _CLASS_CONVERSION_MAP is patched so that FakeCredentials maps to a mock
    converter; the test checks that the mock receives the credentials object
    and that its return value is handed back unchanged.
    """
    fake_converter = mock.Mock(spec=["__call__"])
    source_credentials = FakeCredentials()

    # Patch only for the duration of the call so the real map is restored.
    with mock.patch.object(
            _oauth2client, "_CLASS_CONVERSION_MAP",
            {FakeCredentials: fake_converter}):
        converted = _oauth2client.convert(source_credentials)

    fake_converter.assert_called_once_with(source_credentials)
    assert converted == fake_converter.return_value
Example #3
def MaybeConvertToGoogleAuthCredentials(credentials, use_google_auth):
    """Returns google-auth credentials when a conversion is applicable.

    The input is returned unchanged unless all of the following hold:
      1. use_google_auth is True;
      2. credentials is of type oauth2client;
      3. The input credentials are not built from a P12 service account key.
         This legacy service account key is not supported by google-auth, and
         gcloud plans to deprecate P12 service account key support. The
         authentication logic for credentials of this type stays on
         oauth2client for now and will be removed in the deprecation.

    Args:
      credentials: oauth2client.client.Credentials or
        google.auth.credentials.Credentials
      use_google_auth: bool, True if the calling command indicates to use
        google-auth library for authentication.

    Returns:
      google.auth.credentials.Credentials or oauth2client.client.Credentials
    """
    # One combined guard; the short-circuit order matches the three conditions
    # listed in the docstring.
    if (not use_google_auth
            or not IsOauth2ClientCredentials(credentials)
            or CredentialType.FromCredentials(credentials)
            == CredentialType.P12_SERVICE_ACCOUNT):
        return credentials

    # Devshell credentials have a dedicated google-auth counterpart and bypass
    # the generic helper below.
    if isinstance(credentials, c_devshell.DevshellCredentials):
        devshell_cls = c_devshell.DevShellCredentialsGoogleAuth
        return devshell_cls.from_devshell_credentials(credentials)

    converted = oauth2client_helper.convert(credentials)
    # The helper drops the token expiry, so restore it from the source object.
    # NOTE(review): when 'token_expiry' is absent this stores None, which
    # google-auth presumably treats as "no known expiry" -- confirm callers
    # still refresh when the token is rejected.
    converted.expiry = getattr(credentials, 'token_expiry', None)
    # Import only when necessary to decrease the startup time. Move it to
    # global once google-auth is ready to replace oauth2client.
    # pylint: disable=g-import-not-at-top
    from google.oauth2 import service_account as google_auth_service_account
    # pylint: enable=g-import-not-at-top

    loses_token_and_scopes = isinstance(
        converted,
        (google_auth_service_account.Credentials,
         google_auth_compute_engine.Credentials))
    if not loses_token_and_scopes:
        return converted

    # Access token and scopes are lost in the conversions of service account
    # and GCE credentials. The copied access token is a live bearer secret, so
    # the returned object is as sensitive as the input.
    converted.token = getattr(credentials, 'access_token', None)
    # An empty or missing scope set falls back to config.CLOUDSDK_SCOPES.
    # NOTE(review): the result can then carry scopes the source object did not
    # declare -- confirm this default is intended for every caller.
    source_scopes = getattr(credentials, 'scopes', []) or config.CLOUDSDK_SCOPES
    # client.OAuth2Credentials converts scopes into a set. google-auth requires
    # scopes to be of a Sequence type. This writes a private attribute of the
    # google-auth object.
    converted._scopes = list(source_scopes)  # pylint: disable=protected-access
    return converted
Example #4
def ConvertToGoogleAuthCredentials(credentials):
  """Converts credentials of oauth2client to credentials of google-auth.

  This conversion will be used in the phase 1 of the 'GUAC on gcloud' project.
  More details in go/gcloud-guac.

  Args:
    credentials: oauth2client.client.Credentials, Credentials of the
      oauth2client library.

  Returns:
    google.auth.credentials.Credentials, Credentials of the google-auth library.
  """
  # pylint: disable=g-import-not-at-top
  # Imported here to work around the circular dependency between the util and
  # the store modules.
  from googlecloudsdk.api_lib.iamcredentials import util

  # Devshell and impersonation credentials have dedicated google-auth
  # counterparts and bypass the generic helper below.
  if isinstance(credentials, c_devshell.DevshellCredentials):
    devshell_cls = c_devshell.DevShellCredentialsGoogleAuth
    return devshell_cls.from_devshell_credentials(credentials)
  if isinstance(credentials, util.ImpersonationCredentials):
    impersonation_cls = util.ImpersonationCredentialsGoogleAuth
    return impersonation_cls.from_impersonation_credentials(credentials)

  converted = oauth2client_helper.convert(credentials)
  # The helper drops the token expiry, so restore it from the source object.
  # NOTE(review): when 'token_expiry' is absent this stores None, which
  # google-auth presumably treats as "no known expiry" -- confirm callers
  # still refresh when the token is rejected.
  converted.expiry = getattr(credentials, 'token_expiry', None)

  loses_token_and_scopes = isinstance(
      converted,
      (google_auth_service_account.Credentials, compute_engine.Credentials))
  if not loses_token_and_scopes:
    return converted

  # Access token and scopes are lost in the conversions of service account
  # and GCE credentials. The copied access token is a live bearer secret, so
  # the returned object is as sensitive as the input.
  converted.token = getattr(credentials, 'access_token', None)
  # An empty or missing scope set falls back to config.CLOUDSDK_SCOPES.
  # NOTE(review): the result can then carry scopes the source object did not
  # declare -- confirm this default is intended for every caller.
  source_scopes = getattr(credentials, 'scopes', []) or config.CLOUDSDK_SCOPES
  # client.OAuth2Credentials converts scopes into a set. google-auth requires
  # scopes to be of a Sequence type. This writes a private attribute of the
  # google-auth object.
  converted._scopes = list(source_scopes)  # pylint: disable=protected-access
  return converted
def test_convert_not_found():
    """convert() raises ValueError for an object that is not a credentials class.

    The test expects unsupported input to be rejected with an error whose
    message matches "Unable to convert", rather than passed through.
    """
    unsupported = "a string is not a real credentials class"

    with pytest.raises(ValueError) as raised:
        _oauth2client.convert(unsupported)

    assert raised.match("Unable to convert")