def MaybeConvertToGoogleAuthCredentials(credentials, use_google_auth):
    """Returns a google-auth equivalent of oauth2client credentials if eligible.

    The input is handed back unchanged unless all of the following hold:
      1. use_google_auth is True;
      2. credentials is an oauth2client object (client.OAuth2Credentials);
      3. credentials was not built from a P12 service account key.

    P12 keys are a legacy format that google-auth does not support, and gcloud
    plans to deprecate them. Until that happens, authentication for credentials
    of this type stays on oauth2client.

    Args:
      credentials: oauth2client.client.Credentials or
        google.auth.credentials.Credentials
      use_google_auth: bool, True if the calling command indicates to use
        google-auth library for authentication.

    Returns:
      google.auth.credentials.Credentials or oauth2client.client.Credentials
    """
    # Guard clauses, evaluated in this order: opt-in flag, library type, P12.
    if not use_google_auth:
        return credentials
    if not isinstance(credentials, client.OAuth2Credentials):
        return credentials
    if (CredentialType.FromCredentials(credentials)
            == CredentialType.P12_SERVICE_ACCOUNT):
        return credentials

    # pylint: disable=g-import-not-at-top
    # Imported here to work around the circular dependency between the util
    # module and the creds module.
    from googlecloudsdk.api_lib.iamcredentials import util

    # Devshell and impersonation credentials have dedicated google-auth
    # counterparts with their own constructors.
    if isinstance(credentials, c_devshell.DevshellCredentials):
        devshell_cls = c_devshell.DevShellCredentialsGoogleAuth
        return devshell_cls.from_devshell_credentials(credentials)
    if isinstance(credentials, util.ImpersonationCredentials):
        impersonation_cls = util.ImpersonationCredentialsGoogleAuth
        return impersonation_cls.from_impersonation_credentials(credentials)

    converted = oauth2client_helper.convert(credentials)

    # The token expiry is lost in the conversion, so carry it over by hand.
    # NOTE(review): when the source has no token_expiry this stores None;
    # google-auth reports credentials without an expiry as not expired, so
    # confirm callers still refresh a stale token in that case.
    converted.expiry = getattr(credentials, 'token_expiry', None)

    token_losing_types = (google_auth_service_account.Credentials,
                          compute_engine.Credentials)
    if isinstance(converted, token_losing_types):
        # Access token and scopes are lost in the conversions of service
        # account and GCE credentials. The access token is a bearer secret:
        # keep it out of logs and error messages.
        converted.token = getattr(credentials, 'access_token', None)

        # NOTE(review): a missing or empty scope set falls back to
        # config.CLOUDSDK_SCOPES, so the result may carry more scopes than the
        # source declared - confirm that default is intended for all callers.
        source_scopes = getattr(credentials, 'scopes', [])
        if not source_scopes:
            source_scopes = config.CLOUDSDK_SCOPES

        # client.OAuth2Credentials converts scopes into a set. google-auth
        # requires scopes to be of a Sequence type.
        converted._scopes = list(source_scopes)  # pylint: disable=protected-access

    return converted
def test_convert_success():
    """convert() calls the converter mapped to the input's class.

    The test asserts that the mapped converter is called exactly once with
    the credentials object and that convert() returns the converter's result.
    """
    fake_converter = mock.Mock(spec=["__call__"])
    source_creds = FakeCredentials()

    # Replace the conversion map with a single FakeCredentials entry for the
    # duration of the call; the patch is undone when the block exits.
    with mock.patch.object(
        _oauth2client,
        "_CLASS_CONVERSION_MAP",
        {FakeCredentials: fake_converter},
    ):
        converted = _oauth2client.convert(source_creds)

    fake_converter.assert_called_once_with(source_creds)
    assert converted == fake_converter.return_value
def MaybeConvertToGoogleAuthCredentials(credentials, use_google_auth):
    """Returns a google-auth equivalent of oauth2client credentials if eligible.

    The input is handed back unchanged unless all of the following hold:
      1. use_google_auth is True;
      2. credentials is of type oauth2client;
      3. credentials was not built from a P12 service account key.

    P12 keys are a legacy format that google-auth does not support, and gcloud
    plans to deprecate them. Until that happens, authentication for credentials
    of this type stays on oauth2client.

    Args:
      credentials: oauth2client.client.Credentials or
        google.auth.credentials.Credentials
      use_google_auth: bool, True if the calling command indicates to use
        google-auth library for authentication.

    Returns:
      google.auth.credentials.Credentials or oauth2client.client.Credentials
    """
    # Conversion is opt-in and applies to oauth2client credentials only. The
    # type check is skipped entirely when the flag is off.
    if not (use_google_auth and IsOauth2ClientCredentials(credentials)):
        return credentials

    # P12-backed service account credentials stay on oauth2client.
    source_type = CredentialType.FromCredentials(credentials)
    if source_type == CredentialType.P12_SERVICE_ACCOUNT:
        return credentials

    # Devshell credentials have a dedicated google-auth counterpart.
    if isinstance(credentials, c_devshell.DevshellCredentials):
        devshell_cls = c_devshell.DevShellCredentialsGoogleAuth
        return devshell_cls.from_devshell_credentials(credentials)

    converted = oauth2client_helper.convert(credentials)

    # The token expiry is lost in the conversion, so carry it over by hand.
    # NOTE(review): when the source has no token_expiry this stores None;
    # google-auth reports credentials without an expiry as not expired, so
    # confirm callers still refresh a stale token in that case.
    converted.expiry = getattr(credentials, 'token_expiry', None)

    # Import only when necessary to decrease the startup time. Move it to
    # global once google-auth is ready to replace oauth2client.
    # pylint: disable=g-import-not-at-top
    from google.oauth2 import service_account as google_auth_service_account
    # pylint: enable=g-import-not-at-top

    token_losing_types = (google_auth_service_account.Credentials,
                          google_auth_compute_engine.Credentials)
    if isinstance(converted, token_losing_types):
        # Access token and scopes are lost in the conversions of service
        # account and GCE credentials. The access token is a bearer secret:
        # keep it out of logs and error messages.
        converted.token = getattr(credentials, 'access_token', None)

        # NOTE(review): a missing or empty scope set falls back to
        # config.CLOUDSDK_SCOPES, so the result may carry more scopes than the
        # source declared - confirm that default is intended for all callers.
        source_scopes = (getattr(credentials, 'scopes', [])
                         or config.CLOUDSDK_SCOPES)

        # client.OAuth2Credentials converts scopes into a set. google-auth
        # requires scopes to be of a Sequence type.
        converted._scopes = list(source_scopes)  # pylint: disable=protected-access

    return converted
def ConvertToGoogleAuthCredentials(credentials):
    """Converts oauth2client credentials to google-auth credentials.

    This conversion will be used in the phase 1 of the 'GUAC on gcloud'
    project. More details in go/gcloud-guac.

    NOTE(review): this function performs no eligibility check of its own (no
    opt-in flag, no P12 test). How oauth2client_helper.convert treats an
    unsupported input is not visible here - confirm callers filter first.

    Args:
      credentials: oauth2client.client.Credentials, Credentials of the
        oauth2client library.

    Returns:
      google.auth.credentials.Credentials, Credentials of the google-auth
      library.
    """
    # pylint: disable=g-import-not-at-top
    # Imported here to work around the circular dependency between the util
    # module and the store module.
    from googlecloudsdk.api_lib.iamcredentials import util

    # Devshell and impersonation credentials have dedicated google-auth
    # counterparts with their own constructors.
    if isinstance(credentials, c_devshell.DevshellCredentials):
        devshell_cls = c_devshell.DevShellCredentialsGoogleAuth
        return devshell_cls.from_devshell_credentials(credentials)
    if isinstance(credentials, util.ImpersonationCredentials):
        impersonation_cls = util.ImpersonationCredentialsGoogleAuth
        return impersonation_cls.from_impersonation_credentials(credentials)

    converted = oauth2client_helper.convert(credentials)

    # The token expiry is lost in the conversion, so carry it over by hand.
    # NOTE(review): when the source has no token_expiry this stores None;
    # google-auth reports credentials without an expiry as not expired, so
    # confirm callers still refresh a stale token in that case.
    converted.expiry = getattr(credentials, 'token_expiry', None)

    token_losing_types = (google_auth_service_account.Credentials,
                          compute_engine.Credentials)
    if isinstance(converted, token_losing_types):
        # Access token and scopes are lost in the conversions of service
        # account and GCE credentials. The access token is a bearer secret:
        # keep it out of logs and error messages.
        converted.token = getattr(credentials, 'access_token', None)

        # NOTE(review): a missing or empty scope set falls back to
        # config.CLOUDSDK_SCOPES, so the result may carry more scopes than the
        # source declared - confirm that default is intended for all callers.
        source_scopes = (getattr(credentials, 'scopes', [])
                         or config.CLOUDSDK_SCOPES)

        # client.OAuth2Credentials converts scopes into a set. google-auth
        # requires scopes to be of a Sequence type.
        converted._scopes = list(source_scopes)  # pylint: disable=protected-access

    return converted
def test_convert_not_found():
    """convert() raises ValueError for an input that is not credentials.

    The error message is expected to match "Unable to convert". Raising here,
    rather than returning the object unchanged, keeps an unsupported value
    from being used downstream as if it were credentials.
    """
    unsupported_input = "a string is not a real credentials class"

    with pytest.raises(ValueError) as raised:
        _oauth2client.convert(unsupported_input)

    assert raised.match("Unable to convert")