def test__load_credentials_from_file_invalid_type(tmpdir):
jsonfile = tmpdir.join('invalid.json')
jsonfile.write(json.dumps({'type': 'not-a-real-type'}))
with pytest.raises(exceptions.DefaultCredentialsError) as excinfo:
_default._load_credentials_from_file(str(jsonfile))
assert excinfo.match(r'does not have a valid type')
def test__load_credentials_from_file_invalid_json(tmpdir):
jsonfile = tmpdir.join('invalid.json')
jsonfile.write('{')
with pytest.raises(exceptions.DefaultCredentialsError) as excinfo:
_default._load_credentials_from_file(str(jsonfile))
assert excinfo.match(r'not a valid json file')
def test__load_credentials_from_file_service_account_bad_format(tmpdir):
filename = tmpdir.join('serivce_account_bad.json')
filename.write(json.dumps({'type': 'service_account'}))
with pytest.raises(exceptions.DefaultCredentialsError) as excinfo:
_default._load_credentials_from_file(str(filename))
assert excinfo.match(r'Failed to load service account')
assert excinfo.match(r'missing fields')
def test__load_credentials_from_file_authorized_user_bad_format(tmpdir):
filename = tmpdir.join('authorized_user_bad.json')
filename.write(json.dumps({'type': 'authorized_user'}))
with pytest.raises(exceptions.DefaultCredentialsError) as excinfo:
_default._load_credentials_from_file(str(filename))
assert excinfo.match(r'Failed to load authorized user')
assert excinfo.match(r'missing fields')
def build_service(api, version, credentials_path=None, user_email=None, scopes=None):
"""Build and returns a service object.
Allows delegation of GSuite permissions to the service account when the `user_email` argument is passed.
Args:
api (str): The Admin SDK API to use.
version (str): The Admin SDK API version to use.
credentials_path (str, optional): The path to the service account credentials.
user_email (str): The email of the user. Needs permissions to access the Admin APIs.
scopes (list, optional): A list of scopes to authenticate the request with.
Returns:
Google Service object.
"""
if credentials_path is not None:
logger.info("Getting credentials from file '%s' ...", credentials_path)
credentials, _ = _load_credentials_from_file(credentials_path)
else:
logger.info("Getting default application credentials ...")
credentials, _ = google.auth.default()
if user_email is not None: # make delegated credentials
credentials = _make_delegated_credentials(
credentials,
user_email,
scopes)
return discovery.build(api, version, credentials=credentials)
def __init__(self, config, callback_handler):
self.config = config
self._callback_handler = callback_handler
if 'gcp_cred' not in config:
LOGGER.info('No gcp_cred credential specified in config')
self._pubber = None
self._storage = None
self._firestore = None
return
cred_file = self.config['gcp_cred']
LOGGER.info('Loading gcp credentials from %s', cred_file)
# Normal execution assumes default credentials.
# pylint: disable=protected-access
(self._credentials,
self._project) = google_auth._load_credentials_from_file(cred_file)
self._client_name = self._parse_creds(cred_file)
self._pubber = pubsub_v1.PublisherClient(credentials=self._credentials)
LOGGER.info('Initialized gcp pub/sub %s:%s', self._project,
self._client_name)
self._firestore = self._initialize_firestore(cred_file)
self._storage = storage.Client(project=self._project,
credentials=self._credentials)
self._report_bucket_name = self.REPORT_BUCKET_FORMAT % self._project
self._ensure_report_bucket()
self._config_callbacks = {}
LOGGER.info('Connection initialized at %s', get_timestamp())
def test__load_credentials_from_file_authorized_user_cloud_sdk():
with pytest.warns(UserWarning, match="Cloud SDK"):
credentials, project_id = _default._load_credentials_from_file(
AUTHORIZED_USER_CLOUD_SDK_FILE
)
assert isinstance(credentials, google.oauth2.credentials.Credentials)
assert project_id is None
def credentials_from_file(
cred_file: str,
scopes: List[str] = [k.CLOUD_PLATFORM_SCOPE_URL, k.COMPUTE_SCOPE_URL]
) -> CredentialsData:
"""gets cloud credentials from service account file
Args:
cred_file: service account credentials file to read
scopes: list of scopes for credentials
Returns:
CredentialsData
"""
with open(cred_file, 'r') as f:
info = json.load(f)
cred_type = info.get('type')
# first we try reading as service account file
if cred_type == _SERVICE_ACCOUNT_TYPE:
creds = service_account.Credentials.from_service_account_file(
cred_file, scopes=scopes)
project_id = info.get('project_id')
elif cred_type == _AUTHORIZED_USER_TYPE:
creds, project_id = _load_credentials_from_file(cred_file)
else:
logging.error('invalid credentials file format: {}'.format(cred_type))
return CredentialsData(None, None)
creds.refresh(google.auth.transport.requests.Request())
return CredentialsData(credentials=creds, project_id=project_id)
def __init__(self, config):
self.config = config
if 'gcp_cred' not in config:
LOGGER.info('No gcp_cred credential specified in config')
self.pubber = None
return
cred_file = self.config['gcp_cred']
LOGGER.info('Loading gcp credentials from %s', cred_file)
# Normal execution assumes default credentials. pylint: disable=protected-access
(self.credentials, self.project) = google_auth._load_credentials_from_file(cred_file)
self.client_name = self._parse_creds(cred_file)
self.pubber = pubsub_v1.PublisherClient(credentials=self.credentials)
LOGGER.info('Initialized gcp pub/sub %s:%s', self.project, self.client_name)
self.firestore = self._initialize_firestore(cred_file)
def init_app(self, app):
# defaults for the configuration
app.config.setdefault("NDB_PROJECT", None)
app.config.setdefault("NDB_NAMESPACE", None)
app.config.setdefault("NDB_GOOGLE_APPLICATION_CREDENTIALS", None)
app.config.setdefault("NDB_LOCAL_EMULATOR", False)
app.config.setdefault("NDB_DATASTORE_DATASET", "")
app.config.setdefault("NDB_DATASTORE_EMULATOR_HOST", "")
app.config.setdefault("NDB_DATASTORE_EMULATOR_HOST_PATH", "")
app.config.setdefault("NDB_DATASTORE_HOST", "")
app.config.setdefault("NDB_DATASTORE_PROJECT_ID",
app.config["NDB_PROJECT"])
if not self.client:
# setup the client
project = app.config["NDB_PROJECT"]
namespace = app.config["NDB_NAMESPACE"]
credentials_file = app.config["NDB_GOOGLE_APPLICATION_CREDENTIALS"]
if credentials_file:
# call google auth helper to initialise credentials
credentials, project_id = _load_credentials_from_file(
credentials_file)
else:
# default credentials, OR load from env, through underlying
# lib
credentials = None
# if local emulator, set the environ as required by underlying
# google cloud ndb and related libraries
if app.config["NDB_LOCAL_EMULATOR"]:
os.environ["DATASTORE_DATASET"] = app.config[
"NDB_DATASTORE_DATASET"]
os.environ["DATASTORE_EMULATOR_HOST"] = app.config[
"NDB_DATASTORE_EMULATOR_HOST"]
os.environ["DATASTORE_EMULATOR_HOST_PATH"] = app.config[
"NDB_DATASTORE_EMULATOR_HOST_PATH"]
os.environ["DATASTORE_HOST"] = app.config["NDB_DATASTORE_HOST"]
os.environ["DATASTORE_PROJECT_ID"] = app.config[
"NDB_DATASTORE_PROJECT_ID"]
credentials = None
self.client = ndb.Client(project=project,
namespace=namespace,
credentials=credentials)
app.wsgi_app = ndb_wsgi_middleware(app.wsgi_app, client=self.client)
def client():
credentials, project = _load_credentials_from_file(FIRESTORE_CREDS)
yield firestore.Client(project=project, credentials=credentials)
def test__load_credentials_from_file_service_account():
credentials, project_id = _default._load_credentials_from_file(
SERVICE_ACCOUNT_FILE)
assert isinstance(credentials, service_account.Credentials)
assert project_id == SERVICE_ACCOUNT_FILE_DATA['project_id']
def test__load_credentials_from_file_authorized_user():
credentials, project_id = _default._load_credentials_from_file(
AUTHORIZED_USER_FILE)
assert isinstance(credentials, google.oauth2.credentials.Credentials)
assert project_id is None
def test__load_credentials_from_missing_file():
with pytest.raises(exceptions.DefaultCredentialsError) as excinfo:
_default._load_credentials_from_file("")
assert excinfo.match(r"not found")
import aiohttp
import google.oauth2.credentials
import uvloop
from google.auth._default import _load_credentials_from_file
from .datastore import DemoUser as User, GoogleSheetData, NonExpireableData
from .datastore import GcdConnector, Roles
from .googleauth import ServiceAccount
from .settings import BaseEnviron, AppEnviron, load_env
if BaseEnviron.SERVICE_ACCOUNT_SECRETS_PATH is None:
load_env(AppEnviron.ENV)
#request = google.auth.transport.requests.Request()
loop = uvloop.new_event_loop()
asyncio.set_event_loop(loop)
ROOT_ACCOUNT = ServiceAccount(*_load_credentials_from_file(BaseEnviron.SERVICE_ACCOUNT_SECRETS_PATH))
with open(BaseEnviron.WEBAPP_SECRETS_PATH) as fp:
s = fp.read()
BaseEnviron.WEBAPP_CLIENT_ID = json.loads(s)['web']['client_id']
(GCD_CREDENTIALS,) = ROOT_ACCOUNT.sub_credentials(aiogcd.connector.connector.DEFAULT_SCOPES)
VANILLA_SESSION = aiohttp.ClientSession()
ANONYMOUS = User(name="anonymous", gid="", role=Roles.SIGNED_OUT, token="", project_id=ROOT_ACCOUNT.project_name,
email='*****@*****.**')
GCD_CONNECTOR = GcdConnector(ROOT_ACCOUNT.project_name, GCD_CREDENTIALS)
User.set_connector(GCD_CONNECTOR)
GoogleSheetData.set_connector(GCD_CONNECTOR)
NonExpireableData.set_connector(GCD_CONNECTOR)
