def _from_p12_keyfile_helper(self, private_key_password=None, scopes='',
token_uri=None, revoke_uri=None):
service_account_email = '*****@*****.**'
filename = data_filename('privatekey.p12')
with open(filename, 'rb') as file_obj:
key_contents = file_obj.read()
creds_from_filename = ServiceAccountCredentials.from_p12_keyfile(
service_account_email, filename,
private_key_password=private_key_password,
scopes=scopes, token_uri=token_uri, revoke_uri=revoke_uri)
creds_from_file_contents = (
ServiceAccountCredentials.from_p12_keyfile_buffer(
service_account_email, BytesIO(key_contents),
private_key_password=private_key_password,
scopes=scopes, token_uri=token_uri, revoke_uri=revoke_uri))
for creds in (creds_from_filename, creds_from_file_contents):
self.assertIsInstance(creds, ServiceAccountCredentials)
self.assertIsNone(creds.client_id)
self.assertEqual(creds._service_account_email, service_account_email)
self.assertIsNone(creds._private_key_id)
self.assertIsNone(creds._private_key_pkcs8_pem)
self.assertEqual(creds._private_key_pkcs12, key_contents)
if private_key_password is not None:
self.assertEqual(creds._private_key_password, private_key_password)
self.assertEqual(creds._scopes, ' '.join(scopes))
self.assertEqual(creds.token_uri, token_uri)
self.assertEqual(creds.revoke_uri, revoke_uri)
def _from_p12_keyfile_helper(self, private_key_password=None, scopes='',
token_uri=None, revoke_uri=None):
service_account_email = '*****@*****.**'
filename = data_filename('privatekey.p12')
with open(filename, 'rb') as file_obj:
key_contents = file_obj.read()
creds_from_filename = ServiceAccountCredentials.from_p12_keyfile(
service_account_email, filename,
private_key_password=private_key_password,
scopes=scopes, token_uri=token_uri, revoke_uri=revoke_uri)
creds_from_file_contents = (
ServiceAccountCredentials.from_p12_keyfile_buffer(
service_account_email, BytesIO(key_contents),
private_key_password=private_key_password,
scopes=scopes, token_uri=token_uri, revoke_uri=revoke_uri))
for creds in (creds_from_filename, creds_from_file_contents):
self.assertIsInstance(creds, ServiceAccountCredentials)
self.assertIsNone(creds.client_id)
self.assertEqual(creds._service_account_email, service_account_email)
self.assertIsNone(creds._private_key_id)
self.assertIsNone(creds._private_key_pkcs8_pem)
self.assertEqual(creds._private_key_pkcs12, key_contents)
if private_key_password is not None:
self.assertEqual(creds._private_key_password, private_key_password)
self.assertEqual(creds._scopes, ' '.join(scopes))
self.assertEqual(creds.token_uri, token_uri)
self.assertEqual(creds.revoke_uri, revoke_uri)
def get_trade_in_value(serial_number):
if not (settings.GOOGLE_OAUTH2_CLIENT_EMAIL
and settings.GOOGLE_OAUTH2_PRIVATE_KEY
and settings.GOOGLE_SPREADSHEET_ID):
return
try:
buffer = io.StringIO(
settings.GOOGLE_OAUTH2_PRIVATE_KEY.replace('\\n', '\n'))
credentials = ServiceAccountCredentials.from_p12_keyfile_buffer(
service_account_email=settings.GOOGLE_OAUTH2_CLIENT_EMAIL,
file_buffer=buffer,
scopes=['https://spreadsheets.google.com/feeds'])
gc = gspread.authorize(credentials)
ws = gc.open_by_key(settings.GOOGLE_SPREADSHEET_ID).sheet1
camera = ws.find(serial_number)
cell_start = ws.find('Serial Number')
dates = ws.row_values(cell_start.row)
today = now().date()
x = None
for col in range(ws.col_count, 0, -1):
try:
if today <= datetime.datetime.strptime(dates[col - 1],
'%m/%d/%Y').date():
x = col
except:
pass
return ws.cell(camera.row, x).value or None
except:
return
def _GetOauth2ServiceAccountCredentials():
"""Retrieves OAuth2 service account credentials for a private key file."""
if not _HasOauth2ServiceAccountCreds():
return
provider_token_uri = _GetProviderTokenUri()
service_client_id = config.get('Credentials', 'gs_service_client_id', '')
private_key_filename = config.get('Credentials', 'gs_service_key_file', '')
with io.open(private_key_filename, 'rb') as private_key_file:
private_key = private_key_file.read()
keyfile_is_utf8 = False
try:
private_key = private_key.decode(UTF8)
# P12 keys won't be encoded as UTF8 bytes.
keyfile_is_utf8 = True
except UnicodeDecodeError:
pass
if keyfile_is_utf8:
try:
json_key_dict = json.loads(private_key)
except ValueError:
raise Exception('Could not parse JSON keyfile "%s" as valid JSON' %
private_key_filename)
# Key file is in JSON format.
for json_entry in ('client_id', 'client_email', 'private_key_id',
'private_key'):
if json_entry not in json_key_dict:
raise Exception('The JSON private key file at %s '
'did not contain the required entry: %s' %
(private_key_filename, json_entry))
return ServiceAccountCredentials.from_json_keyfile_dict(
json_key_dict, scopes=DEFAULT_SCOPES, token_uri=provider_token_uri)
else:
# Key file is in P12 format.
if HAS_CRYPTO:
if not service_client_id:
raise Exception(
'gs_service_client_id must be set if '
'gs_service_key_file is set to a .p12 key file')
key_file_pass = config.get('Credentials',
'gs_service_key_file_password',
GOOGLE_OAUTH2_DEFAULT_FILE_PASSWORD)
# We use _from_p12_keyfile_contents to avoid reading the key file
# again unnecessarily.
try:
return ServiceAccountCredentials.from_p12_keyfile_buffer(
service_client_id,
BytesIO(private_key),
private_key_password=key_file_pass,
scopes=DEFAULT_SCOPES,
token_uri=provider_token_uri)
except Exception as e:
raise Exception(
'OpenSSL unable to parse PKCS 12 key {}.'
'Please verify key integrity. Error message:\n{}'.format(
private_key_filename, str(e)))
def _GetOauth2ServiceAccountCredentials():
"""Retrieves OAuth2 service account credentials for a private key file."""
if not _HasOauth2ServiceAccountCreds():
return
provider_token_uri = _GetProviderTokenUri()
service_client_id = config.get('Credentials', 'gs_service_client_id', '')
private_key_filename = config.get('Credentials', 'gs_service_key_file', '')
with io.open(private_key_filename, 'rb') as private_key_file:
private_key = private_key_file.read()
keyfile_is_utf8 = False
try:
private_key = private_key.decode(UTF8)
# P12 keys won't be encoded as UTF8 bytes.
keyfile_is_utf8 = True
except UnicodeDecodeError:
pass
if keyfile_is_utf8:
try:
json_key_dict = json.loads(private_key)
except ValueError:
raise Exception('Could not parse JSON keyfile "%s" as valid JSON' %
private_key_filename)
# Key file is in JSON format.
for json_entry in ('client_id', 'client_email', 'private_key_id',
'private_key'):
if json_entry not in json_key_dict:
raise Exception('The JSON private key file at %s '
'did not contain the required entry: %s' %
(private_key_filename, json_entry))
return ServiceAccountCredentials.from_json_keyfile_dict(
json_key_dict, scopes=DEFAULT_SCOPES, token_uri=provider_token_uri)
else:
# Key file is in P12 format.
if HAS_CRYPTO:
if not service_client_id:
raise Exception('gs_service_client_id must be set if '
'gs_service_key_file is set to a .p12 key file')
key_file_pass = config.get('Credentials', 'gs_service_key_file_password',
GOOGLE_OAUTH2_DEFAULT_FILE_PASSWORD)
# We use _from_p12_keyfile_contents to avoid reading the key file
# again unnecessarily.
try:
return ServiceAccountCredentials.from_p12_keyfile_buffer(
service_client_id,
BytesIO(private_key),
private_key_password=key_file_pass,
scopes=DEFAULT_SCOPES,
token_uri=provider_token_uri)
except Exception as e:
raise Exception(
'OpenSSL unable to parse PKCS 12 key {}.'
'Please verify key integrity. Error message:\n{}'.format(
private_key_filename, str(e)))
def _gce_conn(cred, key=None):
service_account_name = cryptotool.decrypt_scalr(app.crypto_key, cred["service_account_name"])
if key is None:
key = _gce_key(cred)
credentials = ServiceAccountCredentials.from_p12_keyfile_buffer(
service_account_name, StringIO.StringIO(key), scopes=["https://www.googleapis.com/auth/compute"]
)
http = httplib2.Http()
http = credentials.authorize(http)
return build("compute", "v1", http=http), http
def get_credentials(file_buffer):
scopes = [
'https://www.googleapis.com/auth/spreadsheets',
]
credentials = ServiceAccountCredentials.from_p12_keyfile_buffer(
service_account_email='*****@*****.**',
file_buffer=file_buffer,
private_key_password='******',
scopes=scopes,
)
return credentials
def get_reviews_service():
"""Create new instance of google play API service."""
scope = 'https://www.googleapis.com/auth/androidpublisher'
credentials = get_credentials()
service_credentials = ServiceAccountCredentials.from_p12_keyfile_buffer(
credentials['account'], credentials['key'], scopes=scope)
http = httplib2.Http()
http = service_credentials.authorize(http)
service = build('androidpublisher', 'v3', http=http, cache_discovery=False)
return service.reviews()
def _gce_conn(cred, key=None):
service_account_name = cryptotool.decrypt_scalr(
app.crypto_key, cred['service_account_name'])
if key is None:
key = _gce_key(cred)
credentials = ServiceAccountCredentials.from_p12_keyfile_buffer(
service_account_name,
StringIO.StringIO(key),
scopes=['https://www.googleapis.com/auth/compute'])
http = httplib2.Http()
http = credentials.authorize(http)
return build('compute', 'v1', http=http), http
def GetCredentials(self):
if HAS_CRYPTO:
if OAUTH2CLIENT_V2:
# pylint: disable=protected-access
return ServiceAccountCredentials.from_p12_keyfile_buffer(
self._client_id, BytesIO(self._private_key),
private_key_password=self._password, scopes=DEFAULT_SCOPE,
token_uri=self.token_uri)
# pylint: enable=protected-access
else:
return SignedJwtAssertionCredentials(
self._client_id, self._private_key, scope=DEFAULT_SCOPE,
private_key_password=self._password, token_uri=self.token_uri)
else:
raise MissingDependencyError(
'Service account authentication requires PyOpenSSL. Please install '
'this library and try again.')
def get_client():
"""Return client with connection to build apiary."""
# Connect using build apiary service account credentials.
build_apiary_service_account_email = db_config.get_value(
'build_apiary_service_account_email')
build_apiary_service_account_private_key = db_config.get_value(
'build_apiary_service_account_private_key')
credentials = ServiceAccountCredentials.from_p12_keyfile_buffer(
build_apiary_service_account_email,
StringIO.StringIO(build_apiary_service_account_private_key),
scopes='https://www.googleapis.com/auth/androidbuild.internal')
client = apiclient.discovery.build('androidbuildinternal',
'v2beta1',
credentials=credentials,
cache_discovery=False)
return client
def _GetOauth2ServiceAccountCredentials():
"""Retrieves OAuth2 service account credentials for a private key file."""
if not _HasOauth2ServiceAccountCreds():
return
provider_token_uri = _GetProviderTokenUri()
service_client_id = config.get('Credentials', 'gs_service_client_id', '')
private_key_filename = config.get('Credentials', 'gs_service_key_file', '')
private_key = None
with open(private_key_filename, 'rb') as private_key_file:
private_key = private_key_file.read()
json_key_dict = None
try:
json_key_dict = json.loads(private_key)
except ValueError:
pass
if json_key_dict:
# Key file is in JSON format.
for json_entry in ('client_id', 'client_email', 'private_key_id',
'private_key'):
if json_entry not in json_key_dict:
raise Exception('The JSON private key file at %s '
'did not contain the required entry: %s' %
(private_key_filename, json_entry))
return ServiceAccountCredentials.from_json_keyfile_dict(
json_key_dict, scopes=DEFAULT_SCOPES, token_uri=provider_token_uri)
else:
# Key file is in P12 format.
if HAS_CRYPTO:
if not service_client_id:
raise Exception(
'gs_service_client_id must be set if '
'gs_service_key_file is set to a .p12 key file')
key_file_pass = config.get('Credentials',
'gs_service_key_file_password',
GOOGLE_OAUTH2_DEFAULT_FILE_PASSWORD)
# We use _from_p12_keyfile_contents to avoid reading the key file
# again unnecessarily.
return ServiceAccountCredentials.from_p12_keyfile_buffer(
service_client_id,
BytesIO(private_key),
private_key_password=key_file_pass,
scopes=DEFAULT_SCOPES,
token_uri=provider_token_uri)
def _GetOauth2ServiceAccountCredentials():
"""Retrieves OAuth2 service account credentials for a private key file."""
if not _HasOauth2ServiceAccountCreds():
return
provider_token_uri = _GetProviderTokenUri()
service_client_id = config.get('Credentials', 'gs_service_client_id', '')
private_key_filename = config.get('Credentials', 'gs_service_key_file', '')
private_key = None
with open(private_key_filename, 'rb') as private_key_file:
private_key = private_key_file.read()
json_key_dict = None
try:
json_key_dict = json.loads(private_key)
except ValueError:
pass
if json_key_dict:
# Key file is in JSON format.
for json_entry in ('client_id', 'client_email', 'private_key_id',
'private_key'):
if json_entry not in json_key_dict:
raise Exception('The JSON private key file at %s '
'did not contain the required entry: %s' %
(private_key_filename, json_entry))
return ServiceAccountCredentials.from_json_keyfile_dict(
json_key_dict, scopes=DEFAULT_SCOPES, token_uri=provider_token_uri)
else:
# Key file is in P12 format.
if HAS_CRYPTO:
if not service_client_id:
raise Exception('gs_service_client_id must be set if '
'gs_service_key_file is set to a .p12 key file')
key_file_pass = config.get(
'Credentials', 'gs_service_key_file_password',
GOOGLE_OAUTH2_DEFAULT_FILE_PASSWORD)
# We use _from_p12_keyfile_contents to avoid reading the key file
# again unnecessarily.
return ServiceAccountCredentials.from_p12_keyfile_buffer(
service_client_id, BytesIO(private_key),
private_key_password=key_file_pass, scopes=DEFAULT_SCOPES,
token_uri=provider_token_uri)
def authorize_account():
# setup variables for reading
SCOPE = ["https://spreadsheets.google.com/feeds"]
SECRETS_FILE = "forms/secretKey.json"
SPREADSHEET = "Responses"
# Based on docs here - http://gspread.readthedocs.org/en/latest/oauth2.html
# Load in the secret JSON key (must be a service account)
json_key = json.load(open(SECRETS_FILE))
# Authenticate using the signed key
credentials = ServiceAccountCredentials.from_p12_keyfile_buffer(
json_key['client_email'],
StringIO.StringIO(json_key['private_key']),
scopes='https://www.googleapis.com/auth/drive')
http = credentials.authorize(httplib2.Http())
drive = discovery.build("drive", "v2", http=http)
# Client instance
our_client = gspread.authorize(credentials)
# our_client.login()
return our_client
def test_from_p12_keyfile_buffer(self):
service_account_email = '*****@*****.**'
filename = data_filename('privatekey.p12')
private_key_password = '******'
scopes = ['foo', 'bar']
with open(filename, 'rb') as file_obj:
key_contents = file_obj.read()
# Seek back to the beginning so the buffer can be
# passed to the constructor.
file_obj.seek(0)
creds = ServiceAccountCredentials.from_p12_keyfile_buffer(
service_account_email, file_obj,
private_key_password=private_key_password,
scopes=scopes)
# Check the created object.
self.assertIsInstance(creds, ServiceAccountCredentials)
self.assertIsNone(creds.client_id)
self.assertEqual(creds._service_account_email, service_account_email)
self.assertIsNone(creds._private_key_id)
self.assertIsNone(creds._private_key_pkcs8_pem)
self.assertEqual(creds._private_key_pkcs12, key_contents)
self.assertEqual(creds._private_key_password, private_key_password)
self.assertEqual(creds._scopes, ' '.join(scopes))
def get_client():
"""Return client with connection to build apiary."""
# Connect using build apiary service account credentials.
build_apiary_service_account_email = db_config.get_value(
'build_apiary_service_account_email')
build_apiary_service_account_private_key = db_config.get_value(
'build_apiary_service_account_private_key')
if (not build_apiary_service_account_email
or not build_apiary_service_account_private_key):
logs.log(
'Android build apiary credentials are not set, skip artifact fetch.'
)
return None
credentials = ServiceAccountCredentials.from_p12_keyfile_buffer(
build_apiary_service_account_email,
io.BytesIO(build_apiary_service_account_private_key),
scopes='https://www.googleapis.com/auth/androidbuild.internal')
client = apiclient.discovery.build('androidbuildinternal',
'v2beta1',
credentials=credentials,
cache_discovery=False)
return client
def gce_credentials_from_config(gce_credentials_config=None):
"""
This function creates a proper GCE credentials object either from a passed
in configuration blob or, if this code is being run on a GCE instance, from
the default service account credentials associated with the VM.
:param dict gce_credentials_config: A credentials dict used to authenticate
against GCE. This should have the same content as the JSON blob you
download when you create a new key for a service account. If this is
``None``, then the instances implicit credentials will be used.
:returns: A GCE credentials object for use with the GCE API.
"""
if gce_credentials_config is not None:
credentials = ServiceAccountCredentials.from_p12_keyfile_buffer(
service_account_email=gce_credentials_config['client_email'],
file_buffer=BytesIO(gce_credentials_config['private_key']),
scopes=[
u"https://www.googleapis.com/auth/compute",
]
)
else:
credentials = GoogleCredentials.get_application_default()
return credentials
def test_from_p12_keyfile_buffer(self):
service_account_email = '*****@*****.**'
filename = data_filename('privatekey.p12')
private_key_password = '******'
scopes = ['foo', 'bar']
with open(filename, 'rb') as file_obj:
key_contents = file_obj.read()
# Seek back to the beginning so the buffer can be
# passed to the constructor.
file_obj.seek(0)
creds = ServiceAccountCredentials.from_p12_keyfile_buffer(
service_account_email,
file_obj,
private_key_password=private_key_password,
scopes=scopes)
# Check the created object.
self.assertIsInstance(creds, ServiceAccountCredentials)
self.assertIsNone(creds.client_id)
self.assertEqual(creds._service_account_email, service_account_email)
self.assertIsNone(creds._private_key_id)
self.assertIsNone(creds._private_key_pkcs8_pem)
self.assertEqual(creds._private_key_pkcs12, key_contents)
self.assertEqual(creds._private_key_password, private_key_password)
self.assertEqual(creds._scopes, ' '.join(scopes))
def _get_credentials():
"""
Method to retrieve credentials with a lot of possible ways.
First, it tries to get credentials with the three ansible/libcloud ways:
* With the secrets.py file which should be in $PYTHONPATH
* With the GCE_INI_PATH
* With the environment variables
If none present, it tries the default OAuth client one
:return: credentials
"""
gce_ini_default_path = os.path.join(
os.path.dirname(os.path.realpath(__file__)), "gce.ini")
gce_ini_path = os.environ.get('GCE_INI_PATH', gce_ini_default_path)
# We don't get the libcloud_secret parameter since it has been deprecated
config = ConfigParser.SafeConfigParser(
defaults={
'gce_service_account_email_address': '',
'gce_service_account_pem_file_path': '',
})
if 'gce' not in config.sections():
config.add_section('gce')
# It's safe even if the gce.ini file does not exist
config.read(gce_ini_path)
try:
import secrets
args = list(getattr(secrets, 'GCE_PARAMS', []))
gce_service_account_email_address = args[0]
gce_service_account_pem_file_path = args[1]
except ImportError:
gce_service_account_email_address = config.get(
'gce', 'gce_service_account_email_address')
gce_service_account_pem_file_path = config.get(
'gce', 'gce_service_account_pem_file_path')
# If the environment variables are set, they override
gce_service_account_email_address = os.environ.get(
'GCE_EMAIL', gce_service_account_email_address)
gce_service_account_pem_file_path = os.environ.get(
'GCE_PEM_FILE_PATH', gce_service_account_pem_file_path)
# If the email and the pem_file are empty, let use the Google OAuth default behavior
if gce_service_account_email_address == '' or gce_service_account_pem_file_path == '':
log.info(
'Using default behavior of the oauth client lib to get credentials'
)
return GoogleCredentials.get_application_default()
# check if the GCE_PEM_FILE_PATH is directly the key
# see: https://github.com/apache/libcloud/blob/trunk/libcloud/common/google.py#L471
log.info('Using the libcloud way to get credentials')
stream = StringIO()
if gce_service_account_pem_file_path.find('PRIVATE KEY---') != -1:
stream.write(gce_service_account_pem_file_path)
else:
key_path = os.path.expanduser(gce_service_account_pem_file_path)
is_file_path = os.path.exists(key_path) and os.path.isfile(
key_path)
if not is_file_path:
raise ValueError("Missing (or not readable) key "
"file: '%s'" %
gce_service_account_pem_file_path)
with open(key_path, 'r') as f:
contents = f.read()
try:
key = json.loads(contents)
key = key['private_key']
except ValueError:
key = contents
stream.write(key)
# Reset the buffer position
stream.seek(0)
return ServiceAccountCredentials.from_p12_keyfile_buffer(
gce_service_account_email_address, stream)
