예제 #1
def _GetOauth2UserAccountCredentials():
    """Builds reauth-capable OAuth2 credentials for the configured user account.

    The credentials are built around the refresh token stored under
    'Credentials' / 'gs_oauth2_refresh_token' in the config. No access token or
    expiry is supplied here.

    Client id and secret are looked up in the 'OAuth2' config section. The value
    passed as the third argument to config.get (presumably its default -- confirm)
    is the OAUTH2_CLIENT_ID / OAUTH2_CLIENT_SECRET environment variable, or
    gsutil's own client id / secret when that variable is unset.

    Returns:
      An Oauth2WithReauthCredentials object, or None when
      _HasOauth2UserAccountCreds() reports that no such credentials exist.
    """
    if not _HasOauth2UserAccountCreds():
        return None

    token_uri = _GetProviderTokenUri()
    default_id, default_secret = system_util.GetGsutilClientIdAndSecret()

    env_client_id = os.environ.get('OAUTH2_CLIENT_ID', default_id)
    client_id = config.get('OAuth2', 'client_id', env_client_id)

    env_client_secret = os.environ.get('OAUTH2_CLIENT_SECRET', default_secret)
    client_secret = config.get('OAuth2', 'client_secret', env_client_secret)

    # These scopes are not necessarily the ones the refresh token was issued
    # for. They are only used to obtain the RAPT in the reauth flow, where they
    # determine which challenges should be used.
    scopes_for_reauth_challenge = [
        constants.Scopes.CLOUD_PLATFORM,
        constants.Scopes.REAUTH,
    ]

    refresh_token = config.get('Credentials', 'gs_oauth2_refresh_token')

    # The object built below holds the client secret and the refresh token, so
    # it should be kept out of logs and error output.
    return reauth_creds.Oauth2WithReauthCredentials(
        None,  # access_token
        client_id,
        client_secret,
        refresh_token,
        None,  # token_expiry
        token_uri,
        None,  # user_agent
        scopes=scopes_for_reauth_challenge)
 def GetCredentials(self):
     """Builds a credentials object around this client's current access token.

     The access token comes from self.GetAccessToken(). Its token string and
     expiry are combined with this client's id, secret, refresh token and token
     URI.

     Returns:
       An Oauth2WithReauthCredentials object. It carries the client secret and
       the refresh token as well as the access token, so callers should treat
       the whole object as secret material.
     """
     token = self.GetAccessToken()
     return reauth_creds.Oauth2WithReauthCredentials(
         token.token,
         self.client_id,
         self.client_secret,
         self.refresh_token,
         token.expiry,
         self.token_uri,
         None,  # user_agent
     )
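    def FetchAccessToken(self, rapt_token=None):
        """Fetches an access token from the provider's token endpoint.

        Builds a credentials object from this client's id, secret, refresh token
        and token URI, refreshes it over the object returned by
        CreateHttpRequest(), and wraps the refreshed values in an AccessToken.

        Args:
          rapt_token: (str) The RAPT to be passed when refreshing the access token.

        Returns:
          The fetched AccessToken.

        Raises:
          GsAccessTokenRefreshError: The refresh failed and the error text
            contains 'Invalid response 403' (treated as rate limiting).
          GsInvalidRefreshTokenError: The refresh failed and the error text
            contains 'invalid_grant'.
          oauth2client.client.AccessTokenRefreshError: Any other refresh failure,
            re-raised unchanged.
        """
        try:
            http = self.CreateHttpRequest()
            credentials = reauth_creds.Oauth2WithReauthCredentials(
                None,  # access_token
                self.client_id,
                self.client_secret,
                self.refresh_token,
                None,  # token_expiry
                self.token_uri,
                None,  # user_agent
                scopes=RAPT_SCOPES,
                rapt_token=rapt_token)
            credentials.refresh(http)
            return AccessToken(credentials.access_token,
                               credentials.token_expiry,
                               datetime_strategy=self.datetime_strategy,
                               rapt_token=credentials.rapt_token)
        except oauth2client.client.AccessTokenRefreshError as e:
            # Exceptions have no implicit `.message` attribute on Python 3. If
            # the exception class does not define one, reading it directly would
            # raise AttributeError here and hide the real refresh failure, so
            # fall back to the exception's string form.
            message = getattr(e, 'message', None) or str(e)
            if 'Invalid response 403' in message:
                # This is the most we can do at the moment to accurately detect
                # rate limiting errors since they come back as 403s with no
                # further information.
                # NOTE(review): only the message text is inspected, so a 403
                # returned for any other reason is classified the same way.
                raise GsAccessTokenRefreshError(e)
            elif 'invalid_grant' in message:
                # The log text names the likely causes (revoked or mistyped
                # token) without including the refresh token itself.
                LOG.info("""
Attempted to retrieve an access token from an invalid refresh token. Two common
cases in which you will see this error are:
1. Your refresh token was revoked.
2. Your refresh token was typed incorrectly.
""")
                raise GsInvalidRefreshTokenError(e)
            else:
                raise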