def Run(self, args): """Create service account credentials.""" try: private_key = open(args.key_file).read() except IOError as e: raise c_exc.BadFileException(e) password = None if args.password_file: try: password = open(args.password_file).read().strip() except IOError as e: raise c_exc.UnknownArgumentException('--password-file', e) if args.prompt_for_password: password = getpass.getpass('Password: '******'CLOUDSDK_PYTHON_SITEPACKAGES'): raise c_exc.ToolException( ('PyOpenSSL is not available. If you have already installed ' 'PyOpenSSL, you will need to enable site packages by ' 'setting the environment variable CLOUDSDK_PYTHON_SITEPACKAGES to ' '1. If that does not work, See ' 'https://developers.google.com/cloud/sdk/crypto for details.')) else: raise c_exc.ToolException( ('PyOpenSSL is not available. See ' 'https://developers.google.com/cloud/sdk/crypto for details.')) if password: cred = client.SignedJwtAssertionCredentials( service_account_name=args.account, private_key=private_key, scope=config.CLOUDSDK_SCOPES, private_key_password=password, user_agent=config.CLOUDSDK_USER_AGENT) else: cred = client.SignedJwtAssertionCredentials( service_account_name=args.account, private_key=private_key, scope=config.CLOUDSDK_SCOPES, user_agent=config.CLOUDSDK_USER_AGENT) c_store.Store(cred, args.account) properties.PersistProperty(properties.VALUES.core.account, args.account) project = args.project if project: properties.PersistProperty(properties.VALUES.core.project, project) return cred
def connect_to_service(email, key_file, auth_scope): credentials = client.SignedJwtAssertionCredentials( email, read_binary_file(key_file), scope=auth_scope) http = httplib2.Http() http = credentials.authorize(http) return build('androidpublisher', 'v2', http=http)
def _CreateOauthServiceAccountCreds(email, private_key_path, scopes): """Create credentials with a normal service account. Args: email: email address as the account. private_key_path: Path to the service account P12 key. scopes: string, multiple scopes should be saperated by space. Api scopes to request for the oauth token. Returns: An oauth2client.OAuth2Credentials instance. Raises: errors.AuthentcationError: if failed to authenticate. """ try: with open(private_key_path) as f: private_key = f.read() credentials = oauth2_client.SignedJwtAssertionCredentials( email, private_key, scopes) except EnvironmentError as e: raise errors.AuthentcationError( "Could not authenticate using private key file %s, error message: %s", private_key_path, str(e)) return credentials
def get_for_service_account(client_email, private_key_path, scope=None): """Gets the credentials for a service account. .. note:: You should not need to use this function directly. Instead, use the helper methods provided in :func:`gcloud.datastore.__init__.get_connection` and :func:`gcloud.datastore.__init__.get_dataset` which use this method under the hood. :type client_email: string :param client_email: The e-mail attached to the service account. :type private_key_path: string :param private_key_path: The path to a private key file (this file was given to you when you created the service account). :type scope: string or tuple of strings :param scope: The scope against which to authenticate. (Different services require different scopes, check the documentation for which scope is required for the different levels of access to any particular API.) :rtype: :class:`oauth2client.client.SignedJwtAssertionCredentials` :returns: A new SignedJwtAssertionCredentials instance with the needed service account settings. """ return client.SignedJwtAssertionCredentials( service_account_name=client_email, private_key=open(private_key_path, 'rb').read(), scope=scope)
def setup_auth(args): """Set up and authentication httplib. Args: args: ArgumentParser with additional command-line flags to pass to the OAuth authentication flow. Returns: An http client library with authentication enabled. """ # Perform OAuth 2.0 authorization. if args.service_account: # Service accounts will follow the following authenication. client_email = args.service_account with open(args.service_account_secrets_file) as f: private_key = json.loads(f.read())['private_key'] credentials = client.SignedJwtAssertionCredentials(client_email, private_key, scope=SCOPES) else: flow = flow_from_clientsecrets(args.client_secrets_file, scope=SCOPES) storage = oauth_file.Storage(OAUTH2_STORAGE) credentials = storage.get() if credentials is None or credentials.invalid: credentials = tools.run_flow(flow, storage, args) http = httplib2.Http() return credentials.authorize(http)
def ServiceAccountHttp(*args, **kwargs): """Returns the Credentials of the service account. Just prior to the first request, the Http object makes a request to https://accounts.google.com/o/oauth2/token to get an oauth token. The Http object is cached in memcache to reduce the number of extraneous requests. Arguments: args, kwargs: Arguments passed through to httplib2.Http(). Raises: KeyError: The service account credentials were not found. """ http = memcache.get(SERVICE_ACCOUNT_KEY) if not http: account_details = stored_object.Get(SERVICE_ACCOUNT_KEY) if not account_details: raise KeyError('Service account credentials not found.') client.logger.setLevel(logging.WARNING) credentials = client.SignedJwtAssertionCredentials( service_account_name=account_details['client_email'], private_key=account_details['private_key'], scope=EMAIL_SCOPE) http = httplib2.Http(*args, **kwargs) credentials.authorize(http) memcache.add(SERVICE_ACCOUNT_KEY, http, time=60 * 50) # Less than 1 hour. return http
def get_api_credentials(scope, service_account=True): """ Build API client based on oAuth2 authentication """ STORAGE = file.Storage('oAuth2.json') #local storage of oAuth tokens credentials = STORAGE.get() if credentials is None or credentials.invalid: #check if new oAuth flow is needed if service_account: #server 2 server flow with open('service_account.json') as f: account = json.loads(f.read()) email = account['client_email'] key = account['private_key'] credentials = client.SignedJwtAssertionCredentials(email, key, scope=scope) STORAGE.put(credentials) else: #normal oAuth2 flow CLIENT_SECRETS = os.path.join(os.path.dirname(__file__), 'client_secrets.json') FLOW = client.flow_from_clientsecrets(CLIENT_SECRETS, scope=scope) PARSER = argparse.ArgumentParser( description=__doc__, formatter_class=argparse.RawDescriptionHelpFormatter, parents=[tools.argparser]) FLAGS = PARSER.parse_args(sys.argv[1:]) credentials = tools.run_flow(FLOW, STORAGE, FLAGS) return credentials
def get_for_service_account_p12(client_email, private_key_path, scope=None): """Gets the credentials for a service account. .. note:: This method is not used by default, instead :func:`get_credentials` is used. This method is intended to be used when the environments is known explicitly and detecting the environment implicitly would be superfluous. :type client_email: string :param client_email: The e-mail attached to the service account. :type private_key_path: string :param private_key_path: The path to a private key file (this file was given to you when you created the service account). This file must be in P12 format. :type scope: string or tuple of strings :param scope: The scope against which to authenticate. (Different services require different scopes, check the documentation for which scope is required for the different levels of access to any particular API.) :rtype: :class:`oauth2client.client.SignedJwtAssertionCredentials` :returns: A new SignedJwtAssertionCredentials instance with the needed service account settings. """ return client.SignedJwtAssertionCredentials( service_account_name=client_email, private_key=open(private_key_path, 'rb').read(), scope=scope)
def service_account(filepath, scope, sub=None): with open(filepath, "r") as f: sa_details = json.load(f) sa_details["service_account_name"] = sa_details["client_email"] #snafu fix sa_details["scope"] = scope if sub: sa_details["sub"] = sub return oauth2.SignedJwtAssertionCredentials(**sa_details)
def test_signed_jwt_for_p12(self): from oauth2client import client scopes = [] ACCOUNT_NAME = 'dummy_service_account_name' credentials = client.SignedJwtAssertionCredentials( ACCOUNT_NAME, b'dummy_private_key_text', scopes) self._run_test_with_credentials(credentials, ACCOUNT_NAME)
def LoadCredentialsFromPem(): logging.info('Loading credentials from uploaded private key.') credentials = client.SignedJwtAssertionCredentials( config.SERVICE_ACCOUNT, _GetPrivateKey(config.PRIVATE_KEY_FILENAME), API_SCOPES, sub=config.SERVICE_ACCOUNT_ADMIN) _StoreCredentials(credentials) return credentials
def main(): # Load the key in PKCS 12 format that you downloaded from the Google APIs # Console when you created your Service account. f = file('key.p12', 'rb') key = f.read() f.close() # Create an httplib2.Http object to handle our HTTP requests and authorize it # with the Credentials. Note that the first parameter, service_account_name, # is the Email address created for the Service account. It must be the email # address associated with the key that was created. credentials = client.SignedJwtAssertionCredentials( SERVICE_ACCOUNT_EMAIL, key, scope='https://www.googleapis.com/auth/androidpublisher') http = httplib2.Http() http = credentials.authorize(http) service = build('androidpublisher', 'v2', http=http) # Process flags and read their values. flags = argparser.parse_args() package_name = flags.package_name try: edit_request = service.edits().insert(body={}, packageName=package_name) result = edit_request.execute() edit_id = result['id'] apk_response = service.edits().apks().upload( editId=edit_id, packageName=package_name, media_body=apk_file).execute() print 'Version code %d has been uploaded' % apk_response['versionCode'] track_response = service.edits().tracks().update( editId=edit_id, track=TRACK, packageName=package_name, body={ u'versionCodes': [apk_response['versionCode']] }).execute() print 'Track %s is set for version code(s) %s' % ( track_response['track'], str(track_response['versionCodes'])) commit_request = service.edits().commit( editId=edit_id, packageName=package_name).execute() print 'Edit "%s" has been committed' % (commit_request['id']) except client.AccessTokenRefreshError: print( 'The credentials have been revoked or expired, please re-run the ' 'application to re-authorize')
def ServiceAccountCredentials(): """Returns the Credentials of the service account if available.""" account_details = stored_object.Get(SERVICE_ACCOUNT_KEY) if not account_details: logging.error('Service account credentials not found.') return None return client.SignedJwtAssertionCredentials( service_account_name=account_details['client_email'], private_key=account_details['private_key'], scope=EMAIL_SCOPE)
def test_signature_non_bytes(self): from oauth2client import client scopes = [] ACCOUNT_NAME = 'dummy_service_account_name' SIGNATURE_STRING = u'dummy_signature' credentials = client.SignedJwtAssertionCredentials( ACCOUNT_NAME, b'dummy_private_key_text', scopes) self._run_test_with_credentials(credentials, ACCOUNT_NAME, signature_string=SIGNATURE_STRING)
def run_p12(): with open(P12_KEY_PATH, 'rb') as file_object: private_key_contents = file_object.read() credentials = client.SignedJwtAssertionCredentials( service_account_name=P12_KEY_EMAIL, private_key=private_key_contents, scope=SCOPE, ) _check_user_info(credentials, P12_KEY_EMAIL)
def authenticate_using_service_account( service_account_email, impersonation_user_email, p12_file): """Authorizes an Http instance using service account credentials""" with open(p12_file) as f: private_key = f.read() credentials = client.SignedJwtAssertionCredentials( service_account_email, private_key, 'https://www.googleapis.com/auth/dfareporting', sub=impersonation_user_email) return credentials.authorize(httplib2.Http())
def create_service_credentials(private_key_file=None, client_email=None, client_secret_file=CLIENT_SECRET_FILE): """Create credentials from service account information. See Also: https://developers.google.com/api-client-library/python/auth/service-accounts Args: client_secret_file (str): path to json file with just the client_email when providing the `private_key_file` separately, or this file can have both the `client_email` and `private_key` contained in it. Defaults to .gdrive_private client_email (str): service email account private_key_file (str): path to the p12 private key, defaults to same name of file used for regular authentication Returns: `~oauth2client.client.OAuth2Credentials`: google credentials object """ if private_key_file is not None: with open(os.path.expanduser(private_key_file)) as f: private_key = f.read() else: private_key = None if client_email is None: with open(os.path.expanduser(client_secret_file)) as client_file: client_data = json.load(client_file) if 'installed' in client_data: # handle regular json format where key is separate client_email = client_data['installed']['client_id'] if private_key is None: raise RuntimeError('You must have the private key file \ with the regular json file. Try creating a new \ public/private key pair and downloading as json.' ) else: # handle newer case where json file has everything in it client_email = client_data['client_email'] private_key = client_data['private_key'] if client_email is None or private_key is None: raise RuntimeError( 'Client email and/or private key not provided by inputs.') credentials = client.SignedJwtAssertionCredentials(client_email, private_key, SCOPES) return credentials
def GetService(): """Builds the adexchangebuyer service used for the REST API.""" http = httplib2.Http() credentials = client.SignedJwtAssertionCredentials(SERVICE_ACCOUNT_EMAIL, open(KEY_FILE).read(), scope=SCOPE) http = credentials.authorize(http) service = build('adexchangebuyer', VERSION, http=http) return service
def testGetCredentialsFromEnvJwt(self): self.mox.StubOutWithMock(os, 'getenv') self.mox.StubOutWithMock(client, 'SignedJwtAssertionCredentials') credentials = self.mox.CreateMockAnything() os.getenv('DATASTORE_SERVICE_ACCOUNT').AndReturn('*****@*****.**') os.getenv('DATASTORE_PRIVATE_KEY_FILE').AndReturn( self.certificate.name) client.SignedJwtAssertionCredentials( '*****@*****.**', 'not-a-secret-key', connection.SCOPE).AndReturn(credentials) self.mox.ReplayAll() self.assertIs(credentials, helper.get_credentials_from_env()) self.mox.VerifyAll()
def test_signed_jwt_for_p12(self): from oauth2client import client from gcloud._testing import _Monkey from gcloud.storage import connection as MUT scopes = [] credentials = client.SignedJwtAssertionCredentials( 'dummy_service_account_name', 'dummy_private_key_text', scopes) crypto = _Crypto() rsa = _RSA() with _Monkey(MUT, crypto=crypto, RSA=rsa): result = self._callFUT(credentials) self.assertEqual(result, 'imported:__PEM__')
def upload(package, service, apk, track): # Load the service key and email from the Google Developer Service Account json file service_settings = json.load(service) # Create an httplib2.Http object to handle our HTTP requests and authorize it # with the Credentials. Note that the first parameter, service_account_name, # is the Email address created for the Service account. It must be the email # address associated with the key that was created. credentials = client.SignedJwtAssertionCredentials( service_settings['client_email'], service_settings['private_key'], scope='https://www.googleapis.com/auth/androidpublisher') http = httplib2.Http() http = credentials.authorize(http) service = build('androidpublisher', 'v2', http=http) try: edit_request = service.edits().insert(body={}, packageName=package) result = edit_request.execute() edit_id = result['id'] apk_response = service.edits().apks().upload( editId=edit_id, packageName=package, media_body=apk.name).execute() print 'Version code %d has been uploaded' % apk_response['versionCode'] track_response = service.edits().tracks().update( editId=edit_id, track=track, packageName=package, body={ u'versionCodes': [apk_response['versionCode']] }).execute() print 'Track %s is set for version code(s) %s' % ( track_response['track'], str(track_response['versionCodes'])) commit_request = service.edits().commit(editId=edit_id, packageName=package).execute() print 'Edit "%s" has been committed' % (commit_request['id']) except client.AccessTokenRefreshError, e: print( 'The credentials have been revoked or expired, please re-run the ' 'application to re-authorize') raise e
def getServiceAccountsAccessToken(user): client_secrets = get_clientSecrets() private_key = get_service_private_key() scope = "https://mail.google.com/" jwt_client = client.SignedJwtAssertionCredentials( service_account_name=client_secrets['web']['client_email'], private_key=private_key, scope=scope, prn=user) jwt = json.loads(get_JWT(jwt_client._generate_assertion())) access_token = jwt["access_token"] return access_token
def ServiceAccountHttp(): """Returns the Credentials of the service account if available.""" account_details = stored_object.Get(SERVICE_ACCOUNT_KEY) if not account_details: raise KeyError('Service account credentials not found.') credentials = client.SignedJwtAssertionCredentials( service_account_name=account_details['client_email'], private_key=account_details['private_key'], scope=EMAIL_SCOPE) http = httplib2.Http() credentials.authorize(http) return http
def main(): f = file('key.p12', 'rb') key = f.read() f.close() # Authenticate and construct service. credentials = client.SignedJwtAssertionCredentials( SERVICE_ACCOUNT_EMAIL, key, scope='https://www.googleapis.com/auth/androidpublisher') http = httplib2.Http() http = credentials.authorize(http) service = build('androidpublisher', 'v2', http=http) # Process flags and read their values. flags = argparser.parse_args() package_name = flags.package_name apk_file = flags.apk_file try: edit_request = service.edits().insert(body={}, packageName=package_name) result = edit_request.execute() edit_id = result['id'] apk_response = service.edits().apks().upload( editId=edit_id, packageName=package_name, media_body=apk_file).execute() print 'Version code %d has been uploaded' % apk_response['versionCode'] track_response = service.edits().tracks().update( editId=edit_id, track=TRACK, packageName=package_name, body={u'versionCodes': [apk_response['versionCode']]}).execute() print 'Track %s is set for version code(s) %s' % ( track_response['track'], str(track_response['versionCodes'])) commit_request = service.edits().commit( editId=edit_id, packageName=package_name).execute() print 'Edit "%s" has been committed' % (commit_request['id']) except client.AccessTokenRefreshError: print ('The credentials have been revoked or expired, please re-run the ' 'application to re-authorize')
def CredentialsFromP12Key(private_key, account, password=None): """Creates creadentials object from given private key and account name.""" log.warning('.p12 service account keys are not recomended unless it is ' 'necessary for backwards compatability. Please switch to ' 'a newer .json service account key for this account.') if not client.HAS_CRYPTO: if not os.environ.get('CLOUDSDK_PYTHON_SITEPACKAGES'): raise UnsupportedCredentialsType(( 'PyOpenSSL is not available. If you have already installed ' 'PyOpenSSL, you will need to enable site packages by ' 'setting the environment variable CLOUDSDK_PYTHON_SITEPACKAGES ' 'to 1. If that does not work, see ' 'https://developers.google.com/cloud/sdk/crypto for details ' 'or consider using .json private key instead.')) else: raise UnsupportedCredentialsType( ('PyOpenSSL is not available. See ' 'https://developers.google.com/cloud/sdk/crypto for details ' 'or consider using .json private key instead.')) if password: cred = client.SignedJwtAssertionCredentials( service_account_name=account, private_key=private_key, scope=config.CLOUDSDK_SCOPES, private_key_password=password, user_agent=config.CLOUDSDK_USER_AGENT) else: # Gets default password. cred = client.SignedJwtAssertionCredentials( service_account_name=account, private_key=private_key, scope=config.CLOUDSDK_SCOPES, user_agent=config.CLOUDSDK_USER_AGENT) return cred
def main(): # Create credentials using the Service email and P12 file. oauth_credentials = client.SignedJwtAssertionCredentials( SERVICE_ACCOUNT_EMAIL, open(KEY_FILE).read(), scope=SCOPE) # Use the credentials to authorize an Http object http = oauth_credentials.authorize(httplib2.Http()) # Use the http object to create a client for the API service. buyer_service = build('adexchangebuyer', VERSION, http=http) # Call the Accounts resource on the service to retrieve a list of # Accounts for the service account. request = buyer_service.accounts().list() pprint.pprint(request.execute())
def __init__(self, app_id, email=None, key_path=None, require_indexes=False, verbose=False, service_name='datastore_v3', trusted=False, consistency_policy=None, root_path=None, use_atexit=True, auto_id_policy=datastore_stub_util.SEQUENTIAL): datastore_stub_util.BaseDatastore.__init__(self, require_indexes, consistency_policy, use_atexit, auto_id_policy) apiproxy_stub.APIProxyStub.__init__(self, service_name) datastore_stub_util.DatastoreStub.__init__(self, weakref.proxy(self), app_id, trusted, root_path) self.__email = email self.__key_path = key_path self.__verbose = verbose self.__id_map_sequential = {} self.__id_map_scattered = {} self.__id_counter_tables = { datastore_stub_util.SEQUENTIAL: ('IdSeq', self.__id_map_sequential), datastore_stub_util.SCATTERED: ('ScatteredIdCounters', self.__id_map_scattered), } self.__id_lock = threading.Lock() if self.__email and self.__key_path: credentials = client.SignedJwtAssertionCredentials( email, open(key_path).read(), googledatastore.connection.SCOPE) self.__connection = googledatastore.connection.Datastore(app_id, credentials) else: self.__connection = googledatastore.connection.Datastore(app_id) self.__connection.text_factory = lambda x: unicode(x, 'utf-8', 'ignore') self.__connection_lock = threading.RLock() self.__namespaces = set() self.__query_history = {}
def ServiceAccountHttp(scope=EMAIL_SCOPE, timeout=None): """Returns the Credentials of the service account if available.""" account_details = stored_object.Get(SERVICE_ACCOUNT_KEY) if not account_details: raise KeyError('Service account credentials not found.') assert scope, "ServiceAccountHttp scope must not be None." client.logger.setLevel(logging.WARNING) credentials = client.SignedJwtAssertionCredentials( service_account_name=account_details['client_email'], private_key=account_details['private_key'], scope=scope) http = httplib2.Http(timeout=timeout) credentials.authorize(http) return http
def test_get_signed_query_params(self): from oauth2client import client EXPIRATION = 1000 SIGNATURE = 'abc' scopes = [] ACCOUNT_NAME = 'dummy_service_account_name' creds = client.SignedJwtAssertionCredentials( ACCOUNT_NAME, b'dummy_private_key_text', scopes) with patch.multiple('gcloudoem.datastore.credentials', SHA256=DEFAULT, RSA=DEFAULT, PKCS1_v1_5=DEFAULT, crypt=DEFAULT) as mocks: credentials._get_signed_query_params(creds, EXPIRATION, SIGNATURE) self.assertEqual(mocks['PKCS1_v1_5'].mock_calls, [call.new()])
def main(): # Load the key in PKCS 12 format that you downloaded from the Google APIs # Console when you created your Service account. key_path = os.path.join(expanduser("~"), "src", "583631bdd16d.p12") f = file(key_path, 'rb') key = f.read() f.close() # Create an httplib2.Http object to handle our HTTP requests and authorize it # with the Credentials. Note that the first parameter, service_account_name, # is the Email address created for the Service account. It must be the email # address associated with the key that was created. credentials = client.SignedJwtAssertionCredentials( SERVICE_ACCOUNT_EMAIL, key, scope='https://www.googleapis.com/auth/androidpublisher') http = httplib2.Http() http = credentials.authorize(http) service = build('androidpublisher', 'v2', http=http) edit_request = service.edits().insert(body={}, packageName=PACKAGE) result = edit_request.execute() edit_id = result['id'] # Process flags and read their values. flags = argparser.parse_args() task = flags.task try: if task == 'uploadImages': # Upload screenshots uploadImages(service, edit_id) elif task == 'listImages': # List all the images and their URLs. # This task can be used as a non-destructive test to check the API is working listImages(service, edit_id) elif task == 'listApks': # List all the APKs and their hashes. # This task can be used as a non-destructive test to check the API is working listApks(service, edit_id) else: raise ValueError('Unrecognized task name') except client.AccessTokenRefreshError: print( 'The credentials have been revoked or expired, please re-run the ' 'application to re-authorize')