コード例 #1
0
  def testWebFlowError(self):
    """When an error occurs in the web flow."""
    self.mock_webflow.side_effect = store.FlowError('flowerror')

    with self.assertRaisesRegex(store.FlowError, 'flowerror'):
      self.Login()
    self.AssertErrContains('There was a problem with web authentication.')

    self.mock_webflow.assert_called_once_with(
        launch_browser=True,
        scopes=self.scopes,
        client_id=auth_util.DEFAULT_CREDENTIALS_DEFAULT_CLIENT_ID,
        client_secret=auth_util.DEFAULT_CREDENTIALS_DEFAULT_CLIENT_SECRET)
コード例 #2
0
ファイル: login_test.py プロジェクト: bopopescu/gcloud_cli
    def testWebFlowError(self):
        """When an error occurs in the web flow."""
        self.mock_load.return_value = None  # No creds to start.
        self.mock_flow.side_effect = store.FlowError('flowerror')

        with self.assertRaisesRegex(store.FlowError, 'flowerror'):
            self.Login(account='*****@*****.**')
        self.AssertErrContains('There was a problem with web authentication.')

        self.mock_load.assert_called_once_with(account='*****@*****.**',
                                               scopes=self.expected_scopes)
        self.assert_mock_flow_called_with(launch_browser=True,
                                          scopes=self.expected_scopes)
        self.assertEqual('junk', properties.VALUES.core.account.Get())
        self.assertEqual('junkproj', properties.VALUES.core.project.Get())
コード例 #3
0
    def testWebFlowError_ContextAwareAccessDenied(self):
        """When login was denied because of context aware access policies."""
        self.mock_load.return_value = None  # No creds to start.
        self.mock_flow.side_effect = store.FlowError(
            'access_denied: Account restricted')

        with self.assertRaisesRegex(store.FlowError,
                                    'access_denied: Account restricted'):
            self.Login(account='*****@*****.**')
        self.AssertErrContains(
            'Access was blocked due to an organization policy')

        self.mock_load.assert_called_once_with(account='*****@*****.**',
                                               scopes=self.expected_scopes)
        self.assert_mock_flow_called_with(launch_browser=True,
                                          scopes=self.expected_scopes)
        self.assertEqual('junk', properties.VALUES.core.account.Get())
        self.assertEqual('junkproj', properties.VALUES.core.project.Get())
コード例 #4
0
    def Run(self, args):
        """Run the authentication command."""
        # TODO(b/203102970): Remove this condition check after the bug is resolved
        if properties.VALUES.auth.access_token_file.Get():
            raise c_store.FlowError(
                'auth/access_token_file or --access-token-file was set which is not '
                'compatible with this command. Please unset the property and rerun '
                'this command.')

        if c_gce.Metadata().connected:
            message = textwrap.dedent("""
          You are running on a Google Compute Engine virtual machine.
          The service credentials associated with this virtual machine
          will automatically be used by Application Default
          Credentials, so it is not necessary to use this command.

          If you decide to proceed anyway, your user credentials may be visible
          to others with access to this virtual machine. Are you sure you want
          to authenticate with your personal account?
          """)
            console_io.PromptContinue(message=message,
                                      throw_if_unattended=True,
                                      cancel_on_no=True)

        command_auth_util.PromptIfADCEnvVarIsSet()
        if args.client_id_file and not args.launch_browser:
            raise c_exc.InvalidArgumentException(
                '--no-launch-browser',
                '`--no-launch-browser` flow no longer works with the '
                '`--client-id-file`. Please replace `--no-launch-browser` with '
                '`--no-browser`.')
        # This reauth scope is only used here and when refreshing the access token.
        scopes = (args.scopes
                  or auth_util.DEFAULT_SCOPES) + [config.REAUTH_SCOPE]
        properties.VALUES.auth.client_id.Set(
            auth_util.DEFAULT_CREDENTIALS_DEFAULT_CLIENT_ID)
        properties.VALUES.auth.client_secret.Set(
            auth_util.DEFAULT_CREDENTIALS_DEFAULT_CLIENT_SECRET)
        creds = auth_util.DoInstalledAppBrowserFlowGoogleAuth(
            scopes,
            client_id_file=args.client_id_file,
            no_launch_browser=not args.launch_browser,
            no_browser=args.no_browser,
            remote_bootstrap=args.remote_bootstrap)
        if not creds:
            return

        target_impersonation_principal, delegates = None, None
        impersonation_service_accounts = properties.VALUES.auth.impersonate_service_account.Get(
        )
        if impersonation_service_accounts:
            (target_impersonation_principal,
             delegates) = c_store.ParseImpersonationAccounts(
                 impersonation_service_accounts)
        if not target_impersonation_principal:
            if args.IsSpecified('client_id_file'):
                command_auth_util.DumpADC(creds, quota_project_disabled=False)
            elif args.disable_quota_project:
                command_auth_util.DumpADC(creds, quota_project_disabled=True)
            else:
                command_auth_util.DumpADCOptionalQuotaProject(creds)
        else:
            # TODO(b/184049366): Supports quota project with impersonated creds.
            command_auth_util.DumpImpersonatedServiceAccountToADC(
                creds,
                target_principal=target_impersonation_principal,
                delegates=delegates)
        return creds