def Run(self, args):
"""Create service account credentials."""
try:
private_key = open(args.key_file).read()
except IOError as e:
raise c_exc.BadFileException(e)
password = None
if args.password_file:
try:
password = open(args.password_file).read().strip()
except IOError as e:
raise c_exc.UnknownArgumentException('--password-file', e)
if args.prompt_for_password:
password = getpass.getpass('Password: '******'CLOUDSDK_PYTHON_SITEPACKAGES'):
raise c_exc.ToolException(
('PyOpenSSL is not available. If you have already installed '
'PyOpenSSL, you will need to enable site packages by '
'setting the environment variable CLOUDSDK_PYTHON_SITEPACKAGES to '
'1. If that does not work, See '
'https://developers.google.com/cloud/sdk/crypto for details.'))
else:
raise c_exc.ToolException(
('PyOpenSSL is not available. See '
'https://developers.google.com/cloud/sdk/crypto for details.'))
if password:
cred = client.SignedJwtAssertionCredentials(
service_account_name=args.account,
private_key=private_key,
scope=config.CLOUDSDK_SCOPES,
private_key_password=password,
user_agent=config.CLOUDSDK_USER_AGENT)
else:
cred = client.SignedJwtAssertionCredentials(
service_account_name=args.account,
private_key=private_key,
scope=config.CLOUDSDK_SCOPES,
user_agent=config.CLOUDSDK_USER_AGENT)
c_store.Store(cred, args.account)
properties.PersistProperty(properties.VALUES.core.account, args.account)
project = args.project
if project:
properties.PersistProperty(properties.VALUES.core.project, project)
return cred
def connect_to_service(email, key_file, auth_scope):
credentials = client.SignedJwtAssertionCredentials(
email, read_binary_file(key_file), scope=auth_scope)
http = httplib2.Http()
http = credentials.authorize(http)
return build('androidpublisher', 'v2', http=http)
def _CreateOauthServiceAccountCreds(email, private_key_path, scopes):
"""Create credentials with a normal service account.
Args:
email: email address as the account.
private_key_path: Path to the service account P12 key.
scopes: string, multiple scopes should be saperated by space.
Api scopes to request for the oauth token.
Returns:
An oauth2client.OAuth2Credentials instance.
Raises:
errors.AuthentcationError: if failed to authenticate.
"""
try:
with open(private_key_path) as f:
private_key = f.read()
credentials = oauth2_client.SignedJwtAssertionCredentials(
email, private_key, scopes)
except EnvironmentError as e:
raise errors.AuthentcationError(
"Could not authenticate using private key file %s, error message: %s",
private_key_path, str(e))
return credentials
def get_for_service_account(client_email, private_key_path, scope=None):
"""Gets the credentials for a service account.
.. note::
You should not need to use this function directly.
Instead, use the helper methods provided in
:func:`gcloud.datastore.__init__.get_connection`
and
:func:`gcloud.datastore.__init__.get_dataset`
which use this method under the hood.
:type client_email: string
:param client_email: The e-mail attached to the service account.
:type private_key_path: string
:param private_key_path: The path to a private key file (this file was
given to you when you created the service
account).
:type scope: string or tuple of strings
:param scope: The scope against which to authenticate. (Different services
require different scopes, check the documentation for which
scope is required for the different levels of access to any
particular API.)
:rtype: :class:`oauth2client.client.SignedJwtAssertionCredentials`
:returns: A new SignedJwtAssertionCredentials instance with the
needed service account settings.
"""
return client.SignedJwtAssertionCredentials(
service_account_name=client_email,
private_key=open(private_key_path, 'rb').read(),
scope=scope)
def setup_auth(args):
"""Set up and authentication httplib.
Args:
args: ArgumentParser with additional command-line flags to pass to
the OAuth authentication flow.
Returns:
An http client library with authentication enabled.
"""
# Perform OAuth 2.0 authorization.
if args.service_account:
# Service accounts will follow the following authenication.
client_email = args.service_account
with open(args.service_account_secrets_file) as f:
private_key = json.loads(f.read())['private_key']
credentials = client.SignedJwtAssertionCredentials(client_email,
private_key,
scope=SCOPES)
else:
flow = flow_from_clientsecrets(args.client_secrets_file, scope=SCOPES)
storage = oauth_file.Storage(OAUTH2_STORAGE)
credentials = storage.get()
if credentials is None or credentials.invalid:
credentials = tools.run_flow(flow, storage, args)
http = httplib2.Http()
return credentials.authorize(http)
def ServiceAccountHttp(*args, **kwargs):
"""Returns the Credentials of the service account.
Just prior to the first request, the Http object makes a request to
https://accounts.google.com/o/oauth2/token to get an oauth token. The Http
object is cached in memcache to reduce the number of extraneous requests.
Arguments:
args, kwargs: Arguments passed through to httplib2.Http().
Raises:
KeyError: The service account credentials were not found.
"""
http = memcache.get(SERVICE_ACCOUNT_KEY)
if not http:
account_details = stored_object.Get(SERVICE_ACCOUNT_KEY)
if not account_details:
raise KeyError('Service account credentials not found.')
client.logger.setLevel(logging.WARNING)
credentials = client.SignedJwtAssertionCredentials(
service_account_name=account_details['client_email'],
private_key=account_details['private_key'],
scope=EMAIL_SCOPE)
http = httplib2.Http(*args, **kwargs)
credentials.authorize(http)
memcache.add(SERVICE_ACCOUNT_KEY, http,
time=60 * 50) # Less than 1 hour.
return http
def get_api_credentials(scope, service_account=True):
""" Build API client based on oAuth2 authentication """
STORAGE = file.Storage('oAuth2.json') #local storage of oAuth tokens
credentials = STORAGE.get()
if credentials is None or credentials.invalid: #check if new oAuth flow is needed
if service_account: #server 2 server flow
with open('service_account.json') as f:
account = json.loads(f.read())
email = account['client_email']
key = account['private_key']
credentials = client.SignedJwtAssertionCredentials(email,
key,
scope=scope)
STORAGE.put(credentials)
else: #normal oAuth2 flow
CLIENT_SECRETS = os.path.join(os.path.dirname(__file__),
'client_secrets.json')
FLOW = client.flow_from_clientsecrets(CLIENT_SECRETS, scope=scope)
PARSER = argparse.ArgumentParser(
description=__doc__,
formatter_class=argparse.RawDescriptionHelpFormatter,
parents=[tools.argparser])
FLAGS = PARSER.parse_args(sys.argv[1:])
credentials = tools.run_flow(FLOW, STORAGE, FLAGS)
return credentials
def get_for_service_account_p12(client_email, private_key_path, scope=None):
"""Gets the credentials for a service account.
.. note::
This method is not used by default, instead :func:`get_credentials`
is used. This method is intended to be used when the environments is
known explicitly and detecting the environment implicitly would be
superfluous.
:type client_email: string
:param client_email: The e-mail attached to the service account.
:type private_key_path: string
:param private_key_path: The path to a private key file (this file was
given to you when you created the service
account). This file must be in P12 format.
:type scope: string or tuple of strings
:param scope: The scope against which to authenticate. (Different services
require different scopes, check the documentation for which
scope is required for the different levels of access to any
particular API.)
:rtype: :class:`oauth2client.client.SignedJwtAssertionCredentials`
:returns: A new SignedJwtAssertionCredentials instance with the
needed service account settings.
"""
return client.SignedJwtAssertionCredentials(
service_account_name=client_email,
private_key=open(private_key_path, 'rb').read(),
scope=scope)
def service_account(filepath, scope, sub=None):
with open(filepath, "r") as f:
sa_details = json.load(f)
sa_details["service_account_name"] = sa_details["client_email"] #snafu fix
sa_details["scope"] = scope
if sub: sa_details["sub"] = sub
return oauth2.SignedJwtAssertionCredentials(**sa_details)
def test_signed_jwt_for_p12(self):
from oauth2client import client
scopes = []
ACCOUNT_NAME = 'dummy_service_account_name'
credentials = client.SignedJwtAssertionCredentials(
ACCOUNT_NAME, b'dummy_private_key_text', scopes)
self._run_test_with_credentials(credentials, ACCOUNT_NAME)
def LoadCredentialsFromPem():
logging.info('Loading credentials from uploaded private key.')
credentials = client.SignedJwtAssertionCredentials(
config.SERVICE_ACCOUNT,
_GetPrivateKey(config.PRIVATE_KEY_FILENAME),
API_SCOPES,
sub=config.SERVICE_ACCOUNT_ADMIN)
_StoreCredentials(credentials)
return credentials
def main():
# Load the key in PKCS 12 format that you downloaded from the Google APIs
# Console when you created your Service account.
f = file('key.p12', 'rb')
key = f.read()
f.close()
# Create an httplib2.Http object to handle our HTTP requests and authorize it
# with the Credentials. Note that the first parameter, service_account_name,
# is the Email address created for the Service account. It must be the email
# address associated with the key that was created.
credentials = client.SignedJwtAssertionCredentials(
SERVICE_ACCOUNT_EMAIL,
key,
scope='https://www.googleapis.com/auth/androidpublisher')
http = httplib2.Http()
http = credentials.authorize(http)
service = build('androidpublisher', 'v2', http=http)
# Process flags and read their values.
flags = argparser.parse_args()
package_name = flags.package_name
try:
edit_request = service.edits().insert(body={},
packageName=package_name)
result = edit_request.execute()
edit_id = result['id']
apk_response = service.edits().apks().upload(
editId=edit_id, packageName=package_name,
media_body=apk_file).execute()
print 'Version code %d has been uploaded' % apk_response['versionCode']
track_response = service.edits().tracks().update(
editId=edit_id,
track=TRACK,
packageName=package_name,
body={
u'versionCodes': [apk_response['versionCode']]
}).execute()
print 'Track %s is set for version code(s) %s' % (
track_response['track'], str(track_response['versionCodes']))
commit_request = service.edits().commit(
editId=edit_id, packageName=package_name).execute()
print 'Edit "%s" has been committed' % (commit_request['id'])
except client.AccessTokenRefreshError:
print(
'The credentials have been revoked or expired, please re-run the '
'application to re-authorize')
def ServiceAccountCredentials():
"""Returns the Credentials of the service account if available."""
account_details = stored_object.Get(SERVICE_ACCOUNT_KEY)
if not account_details:
logging.error('Service account credentials not found.')
return None
return client.SignedJwtAssertionCredentials(
service_account_name=account_details['client_email'],
private_key=account_details['private_key'],
scope=EMAIL_SCOPE)
def test_signature_non_bytes(self):
from oauth2client import client
scopes = []
ACCOUNT_NAME = 'dummy_service_account_name'
SIGNATURE_STRING = u'dummy_signature'
credentials = client.SignedJwtAssertionCredentials(
ACCOUNT_NAME, b'dummy_private_key_text', scopes)
self._run_test_with_credentials(credentials,
ACCOUNT_NAME,
signature_string=SIGNATURE_STRING)
def run_p12():
with open(P12_KEY_PATH, 'rb') as file_object:
private_key_contents = file_object.read()
credentials = client.SignedJwtAssertionCredentials(
service_account_name=P12_KEY_EMAIL,
private_key=private_key_contents,
scope=SCOPE,
)
_check_user_info(credentials, P12_KEY_EMAIL)
def authenticate_using_service_account(
service_account_email, impersonation_user_email, p12_file):
"""Authorizes an Http instance using service account credentials"""
with open(p12_file) as f:
private_key = f.read()
credentials = client.SignedJwtAssertionCredentials(
service_account_email, private_key,
'https://www.googleapis.com/auth/dfareporting',
sub=impersonation_user_email)
return credentials.authorize(httplib2.Http())
def create_service_credentials(private_key_file=None,
client_email=None,
client_secret_file=CLIENT_SECRET_FILE):
"""Create credentials from service account information.
See Also:
https://developers.google.com/api-client-library/python/auth/service-accounts
Args:
client_secret_file (str): path to json file with just the client_email when
providing the `private_key_file` separately, or this file can have both the
`client_email` and `private_key` contained in it. Defaults to .gdrive_private
client_email (str): service email account
private_key_file (str): path to the p12 private key, defaults to same name of file
used for regular authentication
Returns:
`~oauth2client.client.OAuth2Credentials`: google credentials object
"""
if private_key_file is not None:
with open(os.path.expanduser(private_key_file)) as f:
private_key = f.read()
else:
private_key = None
if client_email is None:
with open(os.path.expanduser(client_secret_file)) as client_file:
client_data = json.load(client_file)
if 'installed' in client_data:
# handle regular json format where key is separate
client_email = client_data['installed']['client_id']
if private_key is None:
raise RuntimeError('You must have the private key file \
with the regular json file. Try creating a new \
public/private key pair and downloading as json.'
)
else:
# handle newer case where json file has everything in it
client_email = client_data['client_email']
private_key = client_data['private_key']
if client_email is None or private_key is None:
raise RuntimeError(
'Client email and/or private key not provided by inputs.')
credentials = client.SignedJwtAssertionCredentials(client_email,
private_key, SCOPES)
return credentials
def GetService():
"""Builds the adexchangebuyer service used for the REST API."""
http = httplib2.Http()
credentials = client.SignedJwtAssertionCredentials(SERVICE_ACCOUNT_EMAIL,
open(KEY_FILE).read(),
scope=SCOPE)
http = credentials.authorize(http)
service = build('adexchangebuyer', VERSION, http=http)
return service
def testGetCredentialsFromEnvJwt(self):
self.mox.StubOutWithMock(os, 'getenv')
self.mox.StubOutWithMock(client, 'SignedJwtAssertionCredentials')
credentials = self.mox.CreateMockAnything()
os.getenv('DATASTORE_SERVICE_ACCOUNT').AndReturn('*****@*****.**')
os.getenv('DATASTORE_PRIVATE_KEY_FILE').AndReturn(
self.certificate.name)
client.SignedJwtAssertionCredentials(
'*****@*****.**', 'not-a-secret-key',
connection.SCOPE).AndReturn(credentials)
self.mox.ReplayAll()
self.assertIs(credentials, helper.get_credentials_from_env())
self.mox.VerifyAll()
def test_signed_jwt_for_p12(self):
from oauth2client import client
from gcloud._testing import _Monkey
from gcloud.storage import connection as MUT
scopes = []
credentials = client.SignedJwtAssertionCredentials(
'dummy_service_account_name', 'dummy_private_key_text', scopes)
crypto = _Crypto()
rsa = _RSA()
with _Monkey(MUT, crypto=crypto, RSA=rsa):
result = self._callFUT(credentials)
self.assertEqual(result, 'imported:__PEM__')
def upload(package, service, apk, track):
# Load the service key and email from the Google Developer Service Account json file
service_settings = json.load(service)
# Create an httplib2.Http object to handle our HTTP requests and authorize it
# with the Credentials. Note that the first parameter, service_account_name,
# is the Email address created for the Service account. It must be the email
# address associated with the key that was created.
credentials = client.SignedJwtAssertionCredentials(
service_settings['client_email'],
service_settings['private_key'],
scope='https://www.googleapis.com/auth/androidpublisher')
http = httplib2.Http()
http = credentials.authorize(http)
service = build('androidpublisher', 'v2', http=http)
try:
edit_request = service.edits().insert(body={}, packageName=package)
result = edit_request.execute()
edit_id = result['id']
apk_response = service.edits().apks().upload(
editId=edit_id, packageName=package,
media_body=apk.name).execute()
print 'Version code %d has been uploaded' % apk_response['versionCode']
track_response = service.edits().tracks().update(
editId=edit_id,
track=track,
packageName=package,
body={
u'versionCodes': [apk_response['versionCode']]
}).execute()
print 'Track %s is set for version code(s) %s' % (
track_response['track'], str(track_response['versionCodes']))
commit_request = service.edits().commit(editId=edit_id,
packageName=package).execute()
print 'Edit "%s" has been committed' % (commit_request['id'])
except client.AccessTokenRefreshError, e:
print(
'The credentials have been revoked or expired, please re-run the '
'application to re-authorize')
raise e
def getServiceAccountsAccessToken(user):
client_secrets = get_clientSecrets()
private_key = get_service_private_key()
scope = "https://mail.google.com/"
jwt_client = client.SignedJwtAssertionCredentials(
service_account_name=client_secrets['web']['client_email'],
private_key=private_key,
scope=scope,
prn=user)
jwt = json.loads(get_JWT(jwt_client._generate_assertion()))
access_token = jwt["access_token"]
return access_token
def ServiceAccountHttp():
"""Returns the Credentials of the service account if available."""
account_details = stored_object.Get(SERVICE_ACCOUNT_KEY)
if not account_details:
raise KeyError('Service account credentials not found.')
credentials = client.SignedJwtAssertionCredentials(
service_account_name=account_details['client_email'],
private_key=account_details['private_key'],
scope=EMAIL_SCOPE)
http = httplib2.Http()
credentials.authorize(http)
return http
def main():
f = file('key.p12', 'rb')
key = f.read()
f.close()
# Authenticate and construct service.
credentials = client.SignedJwtAssertionCredentials(
SERVICE_ACCOUNT_EMAIL,
key,
scope='https://www.googleapis.com/auth/androidpublisher')
http = httplib2.Http()
http = credentials.authorize(http)
service = build('androidpublisher', 'v2', http=http)
# Process flags and read their values.
flags = argparser.parse_args()
package_name = flags.package_name
apk_file = flags.apk_file
try:
edit_request = service.edits().insert(body={}, packageName=package_name)
result = edit_request.execute()
edit_id = result['id']
apk_response = service.edits().apks().upload(
editId=edit_id,
packageName=package_name,
media_body=apk_file).execute()
print 'Version code %d has been uploaded' % apk_response['versionCode']
track_response = service.edits().tracks().update(
editId=edit_id,
track=TRACK,
packageName=package_name,
body={u'versionCodes': [apk_response['versionCode']]}).execute()
print 'Track %s is set for version code(s) %s' % (
track_response['track'], str(track_response['versionCodes']))
commit_request = service.edits().commit(
editId=edit_id, packageName=package_name).execute()
print 'Edit "%s" has been committed' % (commit_request['id'])
except client.AccessTokenRefreshError:
print ('The credentials have been revoked or expired, please re-run the '
'application to re-authorize')
def CredentialsFromP12Key(private_key, account, password=None):
"""Creates creadentials object from given private key and account name."""
log.warning('.p12 service account keys are not recomended unless it is '
'necessary for backwards compatability. Please switch to '
'a newer .json service account key for this account.')
if not client.HAS_CRYPTO:
if not os.environ.get('CLOUDSDK_PYTHON_SITEPACKAGES'):
raise UnsupportedCredentialsType((
'PyOpenSSL is not available. If you have already installed '
'PyOpenSSL, you will need to enable site packages by '
'setting the environment variable CLOUDSDK_PYTHON_SITEPACKAGES '
'to 1. If that does not work, see '
'https://developers.google.com/cloud/sdk/crypto for details '
'or consider using .json private key instead.'))
else:
raise UnsupportedCredentialsType(
('PyOpenSSL is not available. See '
'https://developers.google.com/cloud/sdk/crypto for details '
'or consider using .json private key instead.'))
if password:
cred = client.SignedJwtAssertionCredentials(
service_account_name=account,
private_key=private_key,
scope=config.CLOUDSDK_SCOPES,
private_key_password=password,
user_agent=config.CLOUDSDK_USER_AGENT)
else: # Gets default password.
cred = client.SignedJwtAssertionCredentials(
service_account_name=account,
private_key=private_key,
scope=config.CLOUDSDK_SCOPES,
user_agent=config.CLOUDSDK_USER_AGENT)
return cred
def main():
# Create credentials using the Service email and P12 file.
oauth_credentials = client.SignedJwtAssertionCredentials(
SERVICE_ACCOUNT_EMAIL, open(KEY_FILE).read(), scope=SCOPE)
# Use the credentials to authorize an Http object
http = oauth_credentials.authorize(httplib2.Http())
# Use the http object to create a client for the API service.
buyer_service = build('adexchangebuyer', VERSION, http=http)
# Call the Accounts resource on the service to retrieve a list of
# Accounts for the service account.
request = buyer_service.accounts().list()
pprint.pprint(request.execute())
def __init__(self,
app_id,
email=None,
key_path=None,
require_indexes=False,
verbose=False,
service_name='datastore_v3',
trusted=False,
consistency_policy=None,
root_path=None,
use_atexit=True,
auto_id_policy=datastore_stub_util.SEQUENTIAL):
datastore_stub_util.BaseDatastore.__init__(self, require_indexes,
consistency_policy,
use_atexit,
auto_id_policy)
apiproxy_stub.APIProxyStub.__init__(self, service_name)
datastore_stub_util.DatastoreStub.__init__(self, weakref.proxy(self),
app_id, trusted, root_path)
self.__email = email
self.__key_path = key_path
self.__verbose = verbose
self.__id_map_sequential = {}
self.__id_map_scattered = {}
self.__id_counter_tables = {
datastore_stub_util.SEQUENTIAL: ('IdSeq', self.__id_map_sequential),
datastore_stub_util.SCATTERED: ('ScatteredIdCounters',
self.__id_map_scattered),
}
self.__id_lock = threading.Lock()
if self.__email and self.__key_path:
credentials = client.SignedJwtAssertionCredentials(
email, open(key_path).read(), googledatastore.connection.SCOPE)
self.__connection = googledatastore.connection.Datastore(app_id, credentials)
else:
self.__connection = googledatastore.connection.Datastore(app_id)
self.__connection.text_factory = lambda x: unicode(x, 'utf-8', 'ignore')
self.__connection_lock = threading.RLock()
self.__namespaces = set()
self.__query_history = {}
def ServiceAccountHttp(scope=EMAIL_SCOPE, timeout=None):
"""Returns the Credentials of the service account if available."""
account_details = stored_object.Get(SERVICE_ACCOUNT_KEY)
if not account_details:
raise KeyError('Service account credentials not found.')
assert scope, "ServiceAccountHttp scope must not be None."
client.logger.setLevel(logging.WARNING)
credentials = client.SignedJwtAssertionCredentials(
service_account_name=account_details['client_email'],
private_key=account_details['private_key'],
scope=scope)
http = httplib2.Http(timeout=timeout)
credentials.authorize(http)
return http
def test_get_signed_query_params(self):
from oauth2client import client
EXPIRATION = 1000
SIGNATURE = 'abc'
scopes = []
ACCOUNT_NAME = 'dummy_service_account_name'
creds = client.SignedJwtAssertionCredentials(
ACCOUNT_NAME, b'dummy_private_key_text', scopes)
with patch.multiple('gcloudoem.datastore.credentials',
SHA256=DEFAULT,
RSA=DEFAULT,
PKCS1_v1_5=DEFAULT,
crypt=DEFAULT) as mocks:
credentials._get_signed_query_params(creds, EXPIRATION, SIGNATURE)
self.assertEqual(mocks['PKCS1_v1_5'].mock_calls, [call.new()])
def main():
# Load the key in PKCS 12 format that you downloaded from the Google APIs
# Console when you created your Service account.
key_path = os.path.join(expanduser("~"), "src", "583631bdd16d.p12")
f = file(key_path, 'rb')
key = f.read()
f.close()
# Create an httplib2.Http object to handle our HTTP requests and authorize it
# with the Credentials. Note that the first parameter, service_account_name,
# is the Email address created for the Service account. It must be the email
# address associated with the key that was created.
credentials = client.SignedJwtAssertionCredentials(
SERVICE_ACCOUNT_EMAIL,
key,
scope='https://www.googleapis.com/auth/androidpublisher')
http = httplib2.Http()
http = credentials.authorize(http)
service = build('androidpublisher', 'v2', http=http)
edit_request = service.edits().insert(body={}, packageName=PACKAGE)
result = edit_request.execute()
edit_id = result['id']
# Process flags and read their values.
flags = argparser.parse_args()
task = flags.task
try:
if task == 'uploadImages':
# Upload screenshots
uploadImages(service, edit_id)
elif task == 'listImages':
# List all the images and their URLs.
# This task can be used as a non-destructive test to check the API is working
listImages(service, edit_id)
elif task == 'listApks':
# List all the APKs and their hashes.
# This task can be used as a non-destructive test to check the API is working
listApks(service, edit_id)
else:
raise ValueError('Unrecognized task name')
except client.AccessTokenRefreshError:
print(
'The credentials have been revoked or expired, please re-run the '
'application to re-authorize')
