def DumpADCOptionalQuotaProject(credentials):
"""Dumps the given credentials to ADC file with an optional quota project.
Loads quota project from gcloud's context and writes it to application default
credentials file if the credentials has the "serviceusage.services.use"
permission on the quota project..
Args:
credentials: a credentials from oauth2client or google-auth libraries, the
credentials to dump.
"""
adc_path = c_creds.ADC(credentials).DumpADCToFile()
LogADCIsWritten(adc_path)
quota_project = c_creds.GetQuotaProject(credentials,
force_resource_quota=True)
if not quota_project:
LogQuotaProjectNotFound()
elif AdcHasGivenPermissionOnProject(quota_project,
permissions=[SERVICEUSAGE_PERMISSION]):
c_creds.ADC(credentials).DumpExtendedADCToFile(
quota_project=quota_project)
LogQuotaProjectAdded(quota_project)
else:
LogMissingPermissionOnQuotaProject(quota_project)
def Run(self, args):
"""Run the authentication command."""
if c_gce.Metadata().connected:
message = textwrap.dedent("""
You are running on a Google Compute Engine virtual machine.
The service credentials associated with this virtual machine
will automatically be used by Application Default
Credentials, so it is not necessary to use this command.
If you decide to proceed anyway, your user credentials may be visible
to others with access to this virtual machine. Are you sure you want
to authenticate with your personal account?
""")
console_io.PromptContinue(message=message,
throw_if_unattended=True,
cancel_on_no=True)
command_auth_util.PromptIfADCEnvVarIsSet()
scopes = args.scopes or auth_util.DEFAULT_SCOPES
# This reauth scope is only used here and when refreshing the access token.
scopes += [config.REAUTH_SCOPE]
launch_browser = check_browser.ShouldLaunchBrowser(args.launch_browser)
if args.client_id_file:
creds = auth_util.DoInstalledAppBrowserFlow(
launch_browser=launch_browser,
scopes=scopes,
client_id_file=args.client_id_file)
else:
creds = auth_util.DoInstalledAppBrowserFlow(
launch_browser=launch_browser,
scopes=scopes,
client_id=auth_util.DEFAULT_CREDENTIALS_DEFAULT_CLIENT_ID,
client_secret=auth_util.
DEFAULT_CREDENTIALS_DEFAULT_CLIENT_SECRET)
if args.IsSpecified('client_id_file'):
full_path = c_creds.ADC(creds).DumpADCToFile()
else:
full_path = c_creds.ADC(creds).DumpExtendedADCToFile()
log.status.Print(
'\nCredentials saved to file: [{f}]'.format(f=full_path))
log.status.Print(
'\nThese credentials will be used by any library that requests '
'Application Default Credentials (ADC).')
quota_project = command_auth_util.GetQuotaProjectFromADC()
if quota_project:
log.status.Print(
"\nQuota project '{}' was added to ADC which can be used by Google "
'client libraries for billing and quota. To just '
'update the quota project in ADC, '
'run $gcloud auth application-default set-quota-project.'.
format(quota_project))
return creds
def WriteGcloudCredentialsToADC(creds, add_quota_project=False):
"""Writes gclouds's credential from auth login to ADC json."""
if not c_creds.IsUserAccountCredentials(creds):
log.warning('Credentials cannot be written to application default '
'credentials because it is not a user credential.')
return
PromptIfADCEnvVarIsSet()
if add_quota_project:
c_creds.ADC(creds).DumpExtendedADCToFile()
else:
c_creds.ADC(creds).DumpADCToFile()
def testSetQuotaProject_ExistingServiceCreds(self):
creds.ADC(creds.FromJson(_GetJsonServiceADC())).DumpADCToFile()
with self.AssertRaisesExceptionMatches(
exceptions.BadFileException,
'The application default credentials are not user credentials'
):
self.RunSetQuotaProject()
def AddQuotaProjectToADC(quota_project):
"""Adds the quota project to the existing ADC file.
Quota project is only added to ADC when the credentials have the
"serviceusage.services.use" permission on the project.
Args:
quota_project: str, The project id of a valid GCP project to add to ADC.
Raises:
MissingPermissionOnQuotaProjectError: If the credentials do not have the
"serviceusage.services.use" permission.
"""
AssertADCExists()
if not ADCIsUserAccount():
raise c_exc.BadFileException(
'The application default credentials are not user credentials, quota '
'project cannot be added.')
if not AdcHasGivenPermissionOnProject(
quota_project, permissions=[SERVICEUSAGE_PERMISSION]):
raise MissingPermissionOnQuotaProjectError(
'Cannot add the project "{}" to application default credentials (ADC) '
'as a quota project because the account in ADC does not have the '
'"{}" permission on this project.'.format(quota_project,
SERVICEUSAGE_PERMISSION))
credentials = client.GoogleCredentials.from_stream(config.ADCFilePath())
adc_path = c_creds.ADC(credentials).DumpExtendedADCToFile(
quota_project=quota_project)
LogADCIsWritten(adc_path)
LogQuotaProjectAdded(quota_project)
def WriteGcloudCredentialsToADC(creds, add_quota_project=False):
"""Writes gclouds's credential from auth login to ADC json."""
if c_creds.IsOauth2ClientCredentials(creds):
cred_type = c_creds.CredentialType.FromCredentials(creds).key
else:
cred_type = c_creds.CredentialTypeGoogleAuth.FromCredentials(creds).key
if cred_type != c_creds.USER_ACCOUNT_CREDS_NAME:
log.warning('Credentials cannot be written to application default '
'credentials because it is not a user credential.')
return
PromptIfADCEnvVarIsSet()
if add_quota_project:
c_creds.ADC(creds).DumpExtendedADCToFile()
else:
c_creds.ADC(creds).DumpADCToFile()
def testDumpADCRequiredQuotaProject_NotUserAccount(self):
self.StartPatch('oauth2client.crypt.Signer', autospec=True)
creds.ADC(self.MakeServiceAccountCredentials()).DumpADCToFile()
with self.AssertRaisesExceptionMatches(
c_exc.BadFileException,
'The application default credentials are not user credentials'
):
auth_util.AddQuotaProjectToADC(self.fake_project)
def testSetQuotaProject_ExistingUserCreds_NoPermission(self):
creds.ADC(creds.FromJson(_GetJsonUserADC())).DumpADCToFile()
self.adc_permission_checking.return_value = False
with self.AssertRaisesExceptionMatches(
auth_util.MissingPermissionOnQuotaProjectError,
'ADC does not have the "serviceusage.services.use" permission'
):
self.RunSetQuotaProject()
def WriteGcloudCredentialsToADC(creds):
"""Writes gclouds's credential from auth login to ADC json."""
if c_creds.CredentialType.FromCredentials(
creds) != c_creds.CredentialType.USER_ACCOUNT:
log.warning('Credentials cannot be written to application default '
'credentials because it is not a user credential.')
return
PromptIfADCEnvVarIsSet()
c_creds.ADC(creds).DumpExtendedADCToFile()
def WriteGcloudCredentialsToADC(creds, add_quota_project=False):
"""Writes gclouds's credential from auth login to ADC json."""
# TODO(b/190114370): We will also support writing service account creds.
if (not c_creds.IsUserAccountCredentials(creds) and
not c_creds.IsExternalAccountCredentials(creds)):
log.warning('Credentials cannot be written to application default '
'credentials because it is not a user or external account '
'credential.')
return
# Quota project ID should not be added to non-user credentials.
if c_creds.IsExternalAccountCredentials(creds) and add_quota_project:
raise AddQuotaProjectError(
'The application default credentials are external account credentials, '
'quota project cannot be added.')
PromptIfADCEnvVarIsSet()
if add_quota_project:
c_creds.ADC(creds).DumpExtendedADCToFile()
else:
c_creds.ADC(creds).DumpADCToFile()
def DumpADC(credentials, quota_project_disabled=False):
"""Dumps the given credentials to ADC file.
Args:
credentials: a credentials from oauth2client or google-auth libraries, the
credentials to dump.
quota_project_disabled: bool, If quota project is explicitly disabled.
"""
adc_path = c_creds.ADC(credentials).DumpADCToFile()
LogADCIsWritten(adc_path)
if quota_project_disabled:
LogQuotaProjectDisabled()
def WriteTemplate(self):
"""Write the credential file."""
# General credentials used by bq and gsutil.
if self.credentials_type != creds.CredentialType.P12_SERVICE_ACCOUNT:
creds.ADC(self.credentials).DumpADCToFile(file_path=self._adc_path)
if self.credentials_type == creds.CredentialType.USER_ACCOUNT:
# We create a small .boto file for gsutil, to be put in BOTO_PATH.
# Our client_id and client_secret should accompany our refresh token;
# if a user loaded any other .boto files that specified a different
# id and secret, those would override our id and secret, causing any
# attempts to obtain an access token with our refresh token to fail.
self._WriteFileContents(
self._gsutil_path, '\n'.join([
'[OAuth2]',
'client_id = {cid}',
'client_secret = {secret}',
'',
'[Credentials]',
'gs_oauth2_refresh_token = {token}',
]).format(cid=config.CLOUDSDK_CLIENT_ID,
secret=config.CLOUDSDK_CLIENT_NOTSOSECRET,
token=self.credentials.refresh_token))
elif self.credentials_type == creds.CredentialType.SERVICE_ACCOUNT:
self._WriteFileContents(
self._gsutil_path, '\n'.join([
'[Credentials]',
'gs_service_key_file = {key_file}',
]).format(key_file=self._adc_path))
else:
raise creds.CredentialFileSaveError(
'Unsupported credentials type {0}'.format(
type(self.credentials)))
else: # P12 service account
cred = self.credentials
key = cred._private_key_pkcs12 # pylint: disable=protected-access
password = cred._private_key_password # pylint: disable=protected-access
files.WriteBinaryFileContents(self._p12_key_path,
key,
private=True)
# the .boto file gets some different fields
self._WriteFileContents(
self._gsutil_path, '\n'.join([
'[Credentials]',
'gs_service_client_id = {account}',
'gs_service_key_file = {key_file}',
'gs_service_key_file_password = {key_password}',
]).format(account=self.credentials.service_account_email,
key_file=self._p12_key_path,
key_password=password))
def Run(self, args):
cred_file = config.ADCFilePath()
if not os.path.isfile(cred_file):
raise c_exc.BadFileException(
'Application default credentials have not been set up. '
'Run $gcloud auth application-default login to set it up before '
'running this command.')
creds = client.GoogleCredentials.from_stream(cred_file)
if creds.serialization_data['type'] != 'authorized_user':
raise c_exc.BadFileException(
'The credentials are not user credentials, quota project '
'cannot be inserted.')
c_creds.ADC(creds).DumpExtendedADCToFile(
quota_project=args.quota_project_id)
log.status.Print("Updated the quota project in application default "
"credentials (ADC) to '{}'.".format(
args.quota_project_id))
def testDumpExtendedADCToFile_QuotaProjectNotFound(self):
self.StartObjectPatch(creds, 'GetQuotaProject', return_value=None)
adc = creds.ADC(self.user_creds)
adc.DumpExtendedADCToFile()
self.AssertFileEquals(self.USER_CREDENTIALS_JSON, self.adc_file_path)
self.AssertErrContains('Cannot find a project')
def testDumpExtendedADCToFile_ServiceCreds(self):
adc = creds.ADC(self.service_creds)
with self.AssertRaisesExceptionRegexp(creds.CredentialFileSaveError,
'The credential is not .*'):
adc.DumpExtendedADCToFile(quota_project='my project')
def testDumpExtendedADCToFile_UserCreds(self):
adc = creds.ADC(self.user_creds)
adc.DumpExtendedADCToFile(quota_project='my project')
self.AssertFileEquals(self.EXTENDED_USER_CREDENTIALS_JSON,
self.adc_file_path)
def testDumpADCToFile_ServiceCreds(self):
adc = creds.ADC(self.service_creds)
adc.DumpADCToFile()
self.AssertFileEquals(self.SERVICE_ACCOUNT_CREDENTIALS_JSON,
self.adc_file_path)
def testDumpADCToFile_UserCreds(self): adc = creds.ADC(self.user_creds) adc.DumpADCToFile() self.AssertFileEquals(self.USER_CREDENTIALS_JSON, self.adc_file_path)
def testGetQuotaProjectFromADC_NoQuotaProject(self):
creds.ADC(creds.FromJson(self.USER_CREDENTIALS_JSON)).DumpADCToFile()
self.assertIsNone(auth_util.GetQuotaProjectFromADC())
def testGetQuotaProjectFromADC_GoogleAuthNoQuotaProject(self):
creds.ADC(self.MakeUserAccountCredentialsGoogleAuth()).DumpADCToFile()
self.assertIsNone(auth_util.GetQuotaProjectFromADC())
def DumpImpersonatedServiceAccountToADC(credentials, target_principal,
delegates):
adc_path = c_creds.ADC(credentials, target_principal,
delegates).DumpADCToFile()
LogADCIsWritten(adc_path)
def testSetQuotaProject_ExistingUserCreds(self):
creds.ADC(creds.FromJson(_GetJsonUserADC())).DumpADCToFile()
self.RunSetQuotaProject()
self.AssertFileEquals(_GetJsonUserExtendedADC(), self.adc_file_path)
self.AssertErrContains('Quota project "fake-project" was added to ADC')
def testGetQuotaProjectFromADC_QuotaProjectExists(self):
creds.ADC(creds.FromJson(
self.USER_CREDENTIALS_JSON)).DumpExtendedADCToFile()
self.assertEqual(auth_util.GetQuotaProjectFromADC(), 'my project')
def testDumpADCToFile_P12ServiceAccount(self):
with self.AssertRaisesExceptionMatches(creds.ADCError,
'Cannot convert credentials'):
adc = creds.ADC(self.p12_service_creds)
adc.DumpADCToFile()
def testDumpADCRequiredQuotaProject_NotUserAccount(self):
creds.ADC(self.MakeServiceAccountCredentials()).DumpADCToFile()
with self.AssertRaisesExceptionMatches(
c_exc.BadFileException,
'The application default credentials are not user credentials'):
auth_util.AddQuotaProjectToADC(self.fake_project)
def testGetQuotaProjectFromADC_GoogleAuthQuotaProjectExists(self):
creds.ADC(self.MakeUserAccountCredentialsGoogleAuth()
).DumpExtendedADCToFile()
self.assertEqual(auth_util.GetQuotaProjectFromADC(), 'my project')
