def Load(account=None, scopes=None, prevent_refresh=False): """Get the credentials associated with the provided account. Args: account: str, The account address for the credentials being fetched. If None, the account stored in the core.account property is used. scopes: tuple, Custom auth scopes to request. By default CLOUDSDK_SCOPES are requested. prevent_refresh: bool, If True, do not refresh the access token even if it is out of date. (For use with operations that do not require a current access token, such as credential revocation.) Returns: oauth2client.client.Credentials, The specified credentials. Raises: NoActiveAccountException: If account is not provided and there is no active account. NoCredentialsForAccountException: If there are no valid credentials available for the provided or active account. c_gce.CannotConnectToMetadataServerException: If the metadata server cannot be reached. TokenRefreshError: If the credentials fail to refresh. TokenRefreshReauthError: If the credentials fail to refresh due to reauth. """ # If a credential file is set, just use that and ignore the active account # and whatever is in the credential store. cred_file_override = properties.VALUES.auth.credential_file_override.Get() if cred_file_override: log.info('Using alternate credentials from file: [%s]', cred_file_override) try: cred = client.GoogleCredentials.from_stream(cred_file_override) except client.Error as e: raise InvalidCredentialFileException(cred_file_override, e) if cred.create_scoped_required(): if scopes is None: scopes = config.CLOUDSDK_SCOPES cred = cred.create_scoped(scopes) # Set token_uri after scopes since token_uri needs to be explicitly # preserved when scopes are applied. token_uri_override = properties.VALUES.auth.token_host.Get() if token_uri_override: cred_type = creds.CredentialType.FromCredentials(cred) if cred_type in (creds.CredentialType.SERVICE_ACCOUNT, creds.CredentialType.P12_SERVICE_ACCOUNT): cred.token_uri = token_uri_override return cred if not account: account = properties.VALUES.core.account.Get() if not account: raise NoActiveAccountException() devshell_creds = c_devshell.LoadDevshellCredentials() if devshell_creds and (devshell_creds.devshell_response.user_email == account): return devshell_creds if account in c_gce.Metadata().Accounts(): return AcquireFromGCE(account) store = creds.GetCredentialStore() cred = store.Load(account) if not cred: raise NoCredentialsForAccountException(account) # cred.token_expiry is in UTC time. if (not prevent_refresh and (not cred.token_expiry or cred.token_expiry < cred.token_expiry.utcnow())): Refresh(cred) return cred
def _GetGCEZone(): if properties.VALUES.core.check_gce_metadata.GetBool(): return c_gce.Metadata().Zone() return None
def Run(self, args): """Run the authentication command.""" scopes = config.CLOUDSDK_SCOPES # Add REAUTH scope in case the user has 2fact activated. # This scope is only used here and when refreshing the access token. scopes += (config.REAUTH_SCOPE, ) if args.enable_gdrive_access: scopes += (auth_util.GOOGLE_DRIVE_SCOPE, ) if c_devshell.IsDevshellEnvironment(): if c_devshell.HasDevshellAuth(): message = textwrap.dedent(""" You are already authenticated with gcloud when running inside the Cloud Shell and so do not need to run this command. Do you wish to proceed anyway? """) answer = console_io.PromptContinue(message=message) if not answer: return None elif c_gce.Metadata().connected: message = textwrap.dedent(""" You are running on a Google Compute Engine virtual machine. It is recommended that you use service accounts for authentication. You can run: $ gcloud config set account `ACCOUNT` to switch accounts if necessary. Your credentials may be visible to others with access to this virtual machine. Are you sure you want to authenticate with your personal account? """) answer = console_io.PromptContinue(message=message) if not answer: return None account = args.account if account and not args.force: try: creds = c_store.Load(account=account, scopes=scopes) except c_store.Error: creds = None if creds: # Account already has valid creds, just switch to it. return self.LoginAs(account, creds, args.project, args.activate, args.brief) # No valid creds, do the web flow. launch_browser = check_browser.ShouldLaunchBrowser(args.launch_browser) creds = auth_util.DoInstalledAppBrowserFlow(launch_browser, scopes) web_flow_account = creds.id_token['email'] if account and account.lower() != web_flow_account.lower(): raise auth_exceptions.WrongAccountError( 'You attempted to log in as account [{account}] but the received ' 'credentials were for account [{web_flow_account}].\n\n' 'Please check that your browser is logged in as account [{account}] ' 'and that you are using the correct browser profile.'.format( account=account, web_flow_account=web_flow_account)) account = web_flow_account # We got new creds, and they are for the correct user. c_store.Store(creds, account, scopes) return self.LoginAs(account, creds, args.project, args.activate, args.brief)
def main(): """Launches gsutil.""" args = [] project, account = bootstrapping.GetActiveProjectAndAccount() pass_credentials = ( properties.VALUES.core.pass_credentials_to_gsutil.GetBool() and not properties.VALUES.auth.disable_credentials.GetBool()) _MaybeAddBotoOption(args, 'GSUtil', 'default_project_id', project) if pass_credentials: # Allow gsutil to only check for the '1' string value, as is done # with regard to the 'CLOUDSDK_WRAPPER' environment variable. encoding.SetEncodedValue( os.environ, 'CLOUDSDK_CORE_PASS_CREDENTIALS_TO_GSUTIL', '1') if account in c_gce.Metadata().Accounts(): # Tell gsutil that it should obtain credentials from the GCE metadata # server for the instance's configured service account. _MaybeAddBotoOption(args, 'GoogleCompute', 'service_account', 'default') # For auth'n debugging purposes, allow gsutil to reason about whether the # configured service account was set in a boto file or passed from here. encoding.SetEncodedValue( os.environ, 'CLOUDSDK_PASSED_GCE_SERVICE_ACCOUNT_TO_GSUTIL', '1') else: legacy_config_path = config.Paths().LegacyCredentialsGSUtilPath(account) # We construct a BOTO_PATH that tacks the config containing our # credentials options onto the end of the list of config paths. We ensure # the other credential options are loaded first so that ours will take # precedence and overwrite them. boto_config = encoding.GetEncodedValue(os.environ, 'BOTO_CONFIG', '') boto_path = encoding.GetEncodedValue(os.environ, 'BOTO_PATH', '') if boto_config: boto_path = os.pathsep.join([boto_config, legacy_config_path]) elif boto_path: boto_path = os.pathsep.join([boto_path, legacy_config_path]) else: path_parts = ['/etc/boto.cfg', os.path.expanduser(os.path.join('~', '.boto')), legacy_config_path] boto_path = os.pathsep.join(path_parts) encoding.SetEncodedValue(os.environ, 'BOTO_CONFIG', None) encoding.SetEncodedValue(os.environ, 'BOTO_PATH', boto_path) # Tell gsutil whether gcloud analytics collection is enabled. encoding.SetEncodedValue( os.environ, 'GA_CID', metrics.GetCIDIfMetricsEnabled()) # Set proxy settings. Note that if these proxy settings are configured in a # boto config file, the options here will be loaded afterward, overriding # them. proxy_params = properties.VALUES.proxy proxy_address = proxy_params.address.Get() if proxy_address: _MaybeAddBotoOption(args, 'Boto', 'proxy', proxy_address) _MaybeAddBotoOption(args, 'Boto', 'proxy_port', proxy_params.port.Get()) _MaybeAddBotoOption(args, 'Boto', 'proxy_rdns', proxy_params.rdns.GetBool()) _MaybeAddBotoOption(args, 'Boto', 'proxy_user', proxy_params.username.Get()) _MaybeAddBotoOption(args, 'Boto', 'proxy_pass', proxy_params.password.Get()) # Set SSL-related settings. disable_ssl = properties.VALUES.auth.disable_ssl_validation.GetBool() _MaybeAddBotoOption(args, 'Boto', 'https_validate_certificates', None if disable_ssl is None else not disable_ssl) _MaybeAddBotoOption(args, 'Boto', 'ca_certificates_file', properties.VALUES.core.custom_ca_certs_file.Get()) # Sync device certificate settings for mTLS. context_config = context_aware.Config() _MaybeAddBotoOption(args, 'Credentials', 'use_client_certificate', context_config.use_client_certificate) if context_config.use_client_certificate: # Don't need to pass mTLS data if gsutil shouldn't be using it. _MaybeAddBotoOption(args, 'Credentials', 'cert_provider_command', context_config.cert_provider_command) # Note that the original args to gsutil will be appended after the args we've # supplied here. bootstrapping.ExecutePythonTool('platform/gsutil', 'gsutil', *args)
def GetAccounts(self): return set(c_gce.Metadata().Accounts())
def GetProject(self): if properties.VALUES.core.check_gce_metadata.GetBool(): return c_gce.Metadata().Project() return None
def GetAccount(self): if properties.VALUES.core.check_gce_metadata.GetBool(): return c_gce.Metadata().DefaultAccount() return None
def GetCredentials(self, account): if account in c_gce.Metadata().Accounts(): return AcquireFromGCE(account) return None
def Load(account=None, scopes=None): """Get the credentials associated with the provided account. Args: account: str, The account address for the credentials being fetched. If None, the account stored in the core.account property is used. scopes: tuple, Custom auth scopes to request. By default CLOUDSDK_SCOPES are requested. Returns: oauth2client.client.Credentials, The specified credentials. Raises: NoActiveAccountException: If account is not provided and there is no active account. NoCredentialsForAccountException: If there are no valid credentials available for the provided or active account. c_gce.CannotConnectToMetadataServerException: If the metadata server cannot be reached. TokenRefreshError: If the credentials fail to refresh. """ # If a credential file is set, just use that and ignore the active account # and whatever is in the credential store. cred_file_override = properties.VALUES.auth.credential_file_override.Get() if cred_file_override: log.info('Using alternate credentials from file: [%s]', cred_file_override) try: cred = client.GoogleCredentials.from_stream(cred_file_override) if cred.create_scoped_required(): if scopes is None: scopes = config.CLOUDSDK_SCOPES cred = cred.create_scoped(scopes) return cred except client.Error as e: raise InvalidCredentialFileException(cred_file_override, e) if not account: account = properties.VALUES.core.account.Get() if not account: raise NoActiveAccountException() devshell_creds = c_devshell.LoadDevshellCredentials() if devshell_creds and (devshell_creds.devshell_response.user_email == account): return devshell_creds if account in c_gce.Metadata().Accounts(): return AcquireFromGCE(account) store = _StorageForAccount(account) if not store: raise NoCredentialsForAccountException(account) cred = store.get() if not cred: raise NoCredentialsForAccountException(account) # cred.token_expiry is in UTC time. if not cred.token_expiry or cred.token_expiry < cred.token_expiry.utcnow(): Refresh(cred) return cred
def SetUp(self): self.metadata = gce.Metadata() self.metadata.connected = True
def main(): """Launches gsutil.""" project, account = bootstrapping.GetActiveProjectAndAccount() pass_credentials = ( properties.VALUES.core.pass_credentials_to_gsutil.GetBool() and not properties.VALUES.auth.disable_credentials.GetBool()) if pass_credentials and account not in c_gce.Metadata().Accounts(): gsutil_path = config.Paths().LegacyCredentialsGSUtilPath(account) # Allow gsutil to only check for the '1' string value, as is done # with regard to the 'CLOUDSDK_WRAPPER' environment variable. os.environ['CLOUDSDK_CORE_PASS_CREDENTIALS_TO_GSUTIL'] = '1' boto_config = os.environ.get('BOTO_CONFIG', '') boto_path = os.environ.get('BOTO_PATH', '') # We construct a BOTO_PATH that tacks the refresh token config # on the end. if boto_config: boto_path = os.pathsep.join([boto_config, gsutil_path]) elif boto_path: boto_path = os.pathsep.join([boto_path, gsutil_path]) else: path_parts = [ '/etc/boto.cfg', os.path.expanduser(os.path.join('~', '.boto')), gsutil_path ] boto_path = os.pathsep.join(path_parts) if 'BOTO_CONFIG' in os.environ: del os.environ['BOTO_CONFIG'] os.environ['BOTO_PATH'] = boto_path # Tell gsutil whether gcloud analytics collection is enabled. os.environ['GA_CID'] = metrics.GetCIDIfMetricsEnabled() args = [] _MaybeAddBotoOption(args, 'GSUtil', 'default_project_id', project) if pass_credentials and account in c_gce.Metadata().Accounts(): # Tell gsutil to look for GCE service accounts. _MaybeAddBotoOption(args, 'GoogleCompute', 'service_account', 'default') proxy_params = properties.VALUES.proxy proxy_address = proxy_params.address.Get() if proxy_address: _MaybeAddBotoOption(args, 'Boto', 'proxy', proxy_address) _MaybeAddBotoOption(args, 'Boto', 'proxy_port', proxy_params.port.Get()) _MaybeAddBotoOption(args, 'Boto', 'proxy_rdns', proxy_params.rdns.GetBool()) _MaybeAddBotoOption(args, 'Boto', 'proxy_user', proxy_params.username.Get()) _MaybeAddBotoOption(args, 'Boto', 'proxy_pass', proxy_params.password.Get()) disable_ssl = properties.VALUES.auth.disable_ssl_validation.GetBool() _MaybeAddBotoOption(args, 'Boto', 'https_validate_certificates', None if disable_ssl is None else not disable_ssl) _MaybeAddBotoOption(args, 'Boto', 'ca_certificates_file', properties.VALUES.core.custom_ca_certs_file.Get()) bootstrapping.ExecutePythonTool('platform/gsutil', 'gsutil', *args)