def RevokeCredsInWellKnownFile(brief):
"""Revoke the credentials in ADC's well-known file."""
# pylint:disable=protected-access, refactor as per TODO above
credentials_filename = client._get_well_known_file()
if not os.path.isfile(credentials_filename):
if not brief:
log.status.write(
'\nApplication Default Credentials have not been\n'
'set up by a tool, so nothing was revoked.\n')
return
# We only want to get the credentials from the well-known file, because
# no other credentials can be revoked.
# pylint:disable=protected-access, refactor as per TODO above
creds = client._get_application_default_credential_from_file(
credentials_filename)
if creds.serialization_data['type'] != 'authorized_user':
if not brief:
log.status.write(
'\nThe credentials set up for Application Default Credentials\n'
'through the Google Cloud SDK are service account credentials,\n'
'so they were not revoked.\n')
else:
c_store.RevokeCredentials(creds)
if not brief:
log.status.write(
'\nThe credentials set up for Application Default Credentials\n'
'through the Google Cloud SDK have been revoked.\n')
os.remove(credentials_filename)
if not brief:
log.status.write(
'\nThe file storing the Application Default Credentials\n'
'has been removed.\n')
def Run(self, args):
"""Revoke Application Default Credentials."""
cred_file = config.ADCFilePath()
if not os.path.isfile(cred_file):
log.status.Print(
'Application Default Credentials have not been set up, '
'nothing to revoke.')
return
creds = client.GoogleCredentials.from_stream(cred_file)
if creds.serialization_data['type'] != 'authorized_user':
raise c_exc.BadFileException(
'The given credential file is a service account credential, and '
'cannot be revoked.')
console_io.PromptContinue(
'You are about to revoke the credentials stored in: [{file}]'.
format(file=cred_file),
throw_if_unattended=True,
cancel_on_no=True)
c_store.RevokeCredentials(creds)
os.remove(cred_file)
log.status.Print('Credentials revoked.')
def Run(self, args):
"""Revoke Application Default Credentials."""
cred_file = config.ADCFilePath()
if not os.path.isfile(cred_file):
log.status.Print(
'Application Default Credentials have not been set up, '
'nothing to revoke.')
return
creds, _ = c_creds.GetGoogleAuthDefault().load_credentials_from_file(
cred_file)
if not (c_creds.IsUserAccountCredentials(creds)
or c_creds.IsExternalAccountCredentials(creds)
or c_creds.IsExternalAccountUserCredentials(creds)):
raise c_exc.BadFileException(
'The given credential file is a service account credential, and '
'cannot be revoked.')
if isinstance(creds, google_auth_creds.Credentials):
creds = c_google_auth.Credentials.FromGoogleAuthUserCredentials(
creds)
console_io.PromptContinue(
'You are about to revoke the credentials stored in: [{file}]'.
format(file=cred_file),
throw_if_unattended=True,
cancel_on_no=True)
try:
c_store.RevokeCredentials(creds)
os.remove(cred_file)
log.status.Print('Credentials revoked.')
except c_store.RevokeError:
os.remove(cred_file)
log.warning(
'The credentials stored in: [{file}] are not revocable from the '
'server but have been deleted from the file system.'.format(
file=cred_file))
