Exemple #1
  def testMaybeConvertToGoogleAuthCredsInputGoogleAuthCreds(self):
    """Re-converting a google-auth credential still yields a google-auth one."""
    first_pass = creds.MaybeConvertToGoogleAuthCredentials(
        self.fake_cred, True)
    self.assertIsInstance(first_pass, google_auth_credentials.Credentials)

    # Feed the already-converted credential back through the converter.
    second_pass = creds.MaybeConvertToGoogleAuthCredentials(first_pass, True)
    self.assertIsInstance(second_pass, google_auth_credentials.Credentials)

    # NOTE(review): the field comparison targets the object produced by the
    # first conversion, not `second_pass`. As written it shows that the token,
    # secret and refresh-token fields of the first object are intact after the
    # second call; it does not check the fields of the returned object.
    # Confirm whether `second_pass` should be compared as well.
    expected_fields = {
        'token': 'access-token',
        'expiry': datetime.datetime(2017, 1, 8, 0, 0, 0),
        '_scopes': config.CLOUDSDK_SCOPES,
        'client_id': 'client_id',
        'client_secret': 'client_secret',
        'refresh_token': 'fake-token',
        'token_uri': 'token_uri',
    }
    self.AssertCredentialsEqual(first_pass, expected_fields)
Exemple #2
  def testConvertDevShellCredsToGoogleAuthCreds(self):
    """A loaded devshell credential converts to its google-auth counterpart."""
    devshell_cred = c_store.Load()
    self.assertIsInstance(devshell_cred, devshell.DevshellCredentials)

    converted = creds.MaybeConvertToGoogleAuthCredentials(devshell_cred, True)
    self.assertIsInstance(converted, devshell.DevShellCredentialsGoogleAuth)

    # Token material and expiry must carry over unchanged.
    self.assertEqual(converted.token, devshell_cred.access_token)
    self.assertEqual(converted.id_tokenb64, devshell_cred.id_tokenb64)
    # NOTE(review): `id_token` is compared against the source's `id_tokenb64`,
    # not against an `id_token` attribute of the source - presumably both
    # google-auth attributes expose the same encoded value; confirm.
    self.assertEqual(converted.id_token, devshell_cred.id_tokenb64)
    self.assertEqual(converted.expiry, devshell_cred.token_expiry)
Exemple #3
  def testMaybeConvertUserCredsToGoogleAuthCreds(self):
    """An oauth2client user credential converts to a google-auth credential."""
    # Precondition: the fixture is an oauth2client credential.
    self.assertIsInstance(self.fake_cred, client.OAuth2Credentials)

    converted = creds.MaybeConvertToGoogleAuthCredentials(
        self.fake_cred, True)
    self.assertIsInstance(converted, google_auth_credentials.Credentials)

    # The access token, client secret and refresh token are expected to survive
    # the conversion under the google-auth attribute names. Scopes are not
    # part of this comparison.
    expected_fields = {
        'token': 'access-token',
        'expiry': datetime.datetime(2017, 1, 8, 0, 0, 0),
        'client_id': 'client_id',
        'client_secret': 'client_secret',
        'refresh_token': 'fake-token',
        'token_uri': 'token_uri',
    }
    self.AssertCredentialsEqual(converted, expected_fields)
Exemple #4
  def testMaybeConvertToGoogleAuthCredsNotUseGoogleAuth(self):
    """With use_google_auth=False the oauth2client credential is kept."""
    self.assertIsInstance(self.fake_cred, client.OAuth2Credentials)

    unconverted = creds.MaybeConvertToGoogleAuthCredentials(
        self.fake_cred, False)

    # The result must still be an oauth2client credential, with the
    # oauth2client attribute names (access_token, token_expiry, scopes).
    self.assertIsInstance(unconverted, client.OAuth2Credentials)
    expected_fields = {
        'access_token': 'access-token',
        'token_expiry': datetime.datetime(2017, 1, 8, 0, 0, 0),
        'scopes': config.CLOUDSDK_SCOPES,
        'client_id': 'client_id',
        'client_secret': 'client_secret',
        'refresh_token': 'fake-token',
        'token_uri': 'token_uri',
    }
    self.AssertCredentialsEqual(unconverted, expected_fields)
Exemple #5
  def testMaybeConvertGceCredsToGoogleAuthCreds(self):
    """A GCE oauth2client credential converts to compute_engine.Credentials."""
    # Build the oauth2client GCE credential by hand and pin its token state.
    gce_cred = oauth2client_gce.AppAssertionCredentials('*****@*****.**')
    gce_cred.access_token = 'access-token'
    gce_cred.token_expiry = datetime.datetime(2017, 1, 8, 0, 0, 0)
    gce_cred.scopes = set(config.CLOUDSDK_SCOPES)

    converted = creds.MaybeConvertToGoogleAuthCredentials(gce_cred, True)

    self.assertIsInstance(converted, compute_engine.Credentials)
    # Only the token, expiry, scopes and service account identity are compared.
    expected_fields = {
        'token': 'access-token',
        'expiry': datetime.datetime(2017, 1, 8, 0, 0, 0),
        '_scopes': config.CLOUDSDK_SCOPES,
        'service_account_email': '*****@*****.**',
    }
    self.AssertCredentialsEqual(converted, expected_fields)
Exemple #6
  def testMaybeConvertADCToGoogleAuthCreds(self):
    """A credential loaded from the ADC file converts to google-auth."""
    # Point the credential loader at the test's ADC file.
    properties.VALUES.auth.credential_file_override.Set(self.adc_file)
    adc_cred = c_store.Load()

    # Pin the token state so the comparison below is deterministic.
    adc_cred.access_token = 'access-token'
    adc_cred.token_expiry = datetime.datetime(2017, 1, 8, 0, 0, 0)
    adc_cred.scopes = set(config.CLOUDSDK_SCOPES)
    self.assertIsInstance(adc_cred, client.GoogleCredentials)

    converted = creds.MaybeConvertToGoogleAuthCredentials(adc_cred, True)

    self.assertIsInstance(converted, google_auth_credentials.Credentials)
    # client_id, client_secret and refresh_token are not set in this method;
    # presumably they come from the file behind self.adc_file - confirm
    # against the fixture.
    expected_fields = {
        'token': 'access-token',
        'expiry': datetime.datetime(2017, 1, 8, 0, 0, 0),
        '_scopes': config.CLOUDSDK_SCOPES,
        'client_id': 'foo.apps.googleusercontent.com',
        'client_secret': 'file-secret',
        'refresh_token': 'file-token',
    }
    self.AssertCredentialsEqual(converted, expected_fields)
Exemple #7
  def testMaybeConvertServiceAccountCredsToGoogleAuthCreds(self):
    """A service account credential loaded from file converts to google-auth."""
    # Point the credential loader at the test's service account key file.
    properties.VALUES.auth.credential_file_override.Set(self.json_file)
    sa_cred = c_store.Load()

    # Pin the token state so the comparison below is deterministic.
    sa_cred.access_token = 'access-token'
    sa_cred.token_expiry = datetime.datetime(2017, 1, 8, 0, 0, 0)
    sa_cred.scopes = set(config.CLOUDSDK_SCOPES)
    self.assertIsInstance(sa_cred, service_account.ServiceAccountCredentials)

    converted = creds.MaybeConvertToGoogleAuthCredentials(sa_cred, True)

    self.assertIsInstance(converted, google_auth_service_account.Credentials)
    # The comparison covers identity, scopes and the token endpoint only;
    # private key material is not part of the expected fields here.
    expected_fields = {
        'token': 'access-token',
        'expiry': datetime.datetime(2017, 1, 8, 0, 0, 0),
        '_scopes': config.CLOUDSDK_SCOPES,
        'service_account_email': '*****@*****.**',
        '_token_uri': 'https://www.googleapis.com/oauth2/v4/token',
    }
    self.AssertCredentialsEqual(converted, expected_fields)
Exemple #8
  def testMaybeConvertP12ServiceAccountCredsToGoogleAuthCreds(self):
    """A P12-keyed service account credential is returned unconverted."""
    p12_cred = service_account.ServiceAccountCredentials(
        'service_account_email', None, config.CLOUDSDK_SCOPES,
        'private_key_id', 'client_id', None, 'token_uri')
    p12_cred.access_token = 'access-token'
    p12_cred.token_expiry = datetime.datetime(2017, 1, 8, 0, 0, 0)
    # Setting the PKCS#12 key attribute is what marks this fixture as P12.
    p12_cred._private_key_pkcs12 = '_private_key_pkcs12'

    result = creds.MaybeConvertToGoogleAuthCredentials(p12_cred, True)

    # Even with use_google_auth=True the oauth2client type is expected back,
    # with its key id and PKCS#12 key fields untouched.
    self.assertIsInstance(result, service_account.ServiceAccountCredentials)
    expected_fields = {
        'access_token': 'access-token',
        'token_expiry': datetime.datetime(2017, 1, 8, 0, 0, 0),
        'client_id': 'client_id',
        '_private_key_id': 'private_key_id',
        '_private_key_pkcs12': '_private_key_pkcs12',
        'token_uri': 'token_uri',
    }
    self.AssertCredentialsEqual(result, expected_fields)
Exemple #9
def Load(account=None,
         scopes=None,
         prevent_refresh=False,
         allow_account_impersonation=True,
         use_google_auth=False):
    """Return the credentials for the given (or active) account.

    Credentials are loaded even when they have been disabled via properties.
    Call this only when the caller strictly needs a credential object (for
    example to print a token), not when it merely needs one logically (for
    example to issue an http request).

    The credential data comes either from the stored credential file (the last
    gcloud auth command) or from the credential cache (the last refresh). For
    cached credentials the token_response field is None, because the full
    server response of the cached request was not stored.

    When service account impersonation is configured and allowed, the result
    is an access token for the impersonated service account. On that path
    `account` and `prevent_refresh` are not consulted; only `scopes` is passed
    on to the impersonation provider.

    Args:
      account: str, The account address for the credentials being fetched. If
        None, the account stored in the core.account property is used.
      scopes: tuple, Custom auth scopes to request. By default CLOUDSDK_SCOPES
        are requested.
      prevent_refresh: bool, If True, do not refresh the access token even if
        it is out of date. (For use with operations that do not require a
        current access token, such as credential revocation.)
      allow_account_impersonation: bool, True to allow use of impersonated
        service account credentials (if that is configured). If False, the
        active user credentials will always be loaded.
      use_google_auth: bool, True to load credentials of google-auth if it is
        supported in the current authentication scenario. False to load
        credentials of oauth2client.

    Returns:
      oauth2client.client.Credentials or google.auth.credentials.Credentials,
      depending on use_google_auth and on whether google-auth is supported in
      the current authentication scenario. google-auth is not supported in
      exactly two scenarios:
      1) Property auth/disable_google_auth is set to True;
      2) P12 service account key is being used.

    Raises:
      NoActiveAccountException: If account is not provided and there is no
        active account.
      NoCredentialsForAccountException: If there are no valid credentials
        available for the provided or active account.
      c_gce.CannotConnectToMetadataServerException: If the metadata server
        cannot be reached.
      TokenRefreshError: If the credentials fail to refresh.
      TokenRefreshReauthError: If the credentials fail to refresh due to
        reauth.
      AccountImpersonationError: If impersonation is requested but an
        impersonation provider is not configured.
    """
    # The auth/disable_google_auth property overrides the caller's request.
    google_auth_allowed = (
        not properties.VALUES.auth.disable_google_auth.GetBool())
    use_google_auth = use_google_auth and google_auth_allowed

    target_service_account = (
        properties.VALUES.auth.impersonate_service_account.Get())
    impersonating = allow_account_impersonation and target_service_account

    if not impersonating:
        cred = _Load(account, scopes, prevent_refresh)
    else:
        # Fail closed: a configured impersonation target without a provider
        # raises instead of falling back to the caller's own credentials.
        if not IMPERSONATION_TOKEN_PROVIDER:
            raise AccountImpersonationError(
                'gcloud is configured to impersonate service account [{}] but '
                'impersonation support is not available.'.format(
                    target_service_account))
        # Make the change of effective identity visible in the command output.
        log.warning(
            'This command is using service account impersonation. All API calls will '
            'be executed as [{}].'.format(target_service_account))
        requested_scopes = scopes or config.CLOUDSDK_SCOPES
        cred = IMPERSONATION_TOKEN_PROVIDER.GetElevationAccessToken(
            target_service_account, requested_scopes)

    return creds.MaybeConvertToGoogleAuthCredentials(cred, use_google_auth)