def _get_cached_credentials(self):
"""Returns oauth2client.Credentials loaded from storage."""
storage = self._get_storage()
credentials = storage.get()
# Is using --auth-refresh-token-json?
if self._external_token:
# Cached credentials are valid and match external token -> use them. It is
# important to reuse credentials from the storage because they contain
# cached access token.
valid = (
credentials and not credentials.invalid and
credentials.refresh_token == self._external_token.refresh_token and
credentials.client_id == self._external_token.client_id and
credentials.client_secret == self._external_token.client_secret)
if valid:
return credentials
# Construct new credentials from externally provided refresh token,
# associate them with cache storage (so that access_token will be placed
# in the cache later too).
credentials = client.OAuth2Credentials(
access_token=None,
client_id=self._external_token.client_id,
client_secret=self._external_token.client_secret,
refresh_token=self._external_token.refresh_token,
token_expiry=None,
token_uri='https://accounts.google.com/o/oauth2/token',
user_agent=None,
revoke_uri=None)
credentials.set_store(storage)
storage.put(credentials)
return credentials
# Not using external refresh token -> return whatever is cached.
return credentials if (credentials and not credentials.invalid) else None
def _get_luci_auth_credentials(scopes):
try:
token_info = json.loads(
subprocess2.check_output(
['luci-auth', 'token', '-scopes', scopes, '-json-output', '-'],
stderr=subprocess2.VOID))
except subprocess2.CalledProcessError:
return None
return client.OAuth2Credentials(
access_token=token_info['token'],
client_id=OAUTH_CLIENT_ID,
client_secret=OAUTH_CLIENT_SECRET,
refresh_token=None,
token_expiry=datetime.datetime.utcfromtimestamp(token_info['expiry']),
token_uri=None,
user_agent=None,
revoke_uri=None)
def _get_cached_credentials(self):
"""Returns oauth2client.Credentials loaded from luci-auth."""
credentials = _get_luci_auth_credentials(self._scopes)
if not credentials:
logging.debug('No cached token')
else:
_log_credentials_info('cached token', credentials)
# Is using --auth-refresh-token-json?
if self._external_token:
# Cached credentials are valid and match external token -> use them. It is
# important to reuse credentials from the storage because they contain
# cached access token.
valid = (credentials and not credentials.invalid
and credentials.refresh_token
== self._external_token.refresh_token and
credentials.client_id == self._external_token.client_id
and credentials.client_secret
== self._external_token.client_secret)
if valid:
logging.debug(
'Cached credentials match external refresh token')
return credentials
# Construct new credentials from externally provided refresh token,
# associate them with cache storage (so that access_token will be placed
# in the cache later too).
logging.debug('Putting external refresh token into the cache')
credentials = client.OAuth2Credentials(
access_token=None,
client_id=self._external_token.client_id,
client_secret=self._external_token.client_secret,
refresh_token=self._external_token.refresh_token,
token_expiry=None,
token_uri='https://accounts.google.com/o/oauth2/token',
user_agent=None,
revoke_uri=None)
return credentials
# Not using external refresh token -> return whatever is cached.
return credentials if (credentials
and not credentials.invalid) else None
