def Run(self, args):
"""Run the authentication command."""
if c_gce.Metadata().connected:
message = textwrap.dedent("""
You are running on a Google Compute Engine virtual machine.
The service credentials associated with this virtual machine
will automatically be used by Application Default
Credentials, so it is not necessary to use this command.
If you decide to proceed anyway, your user credentials may be visible
to others with access to this virtual machine. Are you sure you want
to authenticate with your personal account?
""")
console_io.PromptContinue(message=message,
throw_if_unattended=True,
cancel_on_no=True)
override_file = auth_util.AdcEnvVariable()
if override_file:
message = textwrap.dedent("""
The environment variable [{envvar}] is set to:
[{override_file}]
Credentials will still be generated to the default location:
[{default_file}]
To use these credentials, unset this environment variable before
running your application.
""".format(envvar=client.GOOGLE_APPLICATION_CREDENTIALS,
override_file=override_file,
default_file=auth_util.ADCFilePath()))
console_io.PromptContinue(message=message,
throw_if_unattended=True,
cancel_on_no=True)
scopes = args.scopes or auth_util.DEFAULT_SCOPES
launch_browser = check_browser.ShouldLaunchBrowser(args.launch_browser)
if args.client_id_file:
creds = auth_util.DoInstalledAppBrowserFlow(
launch_browser=launch_browser,
scopes=scopes,
client_id_file=args.client_id_file)
else:
creds = auth_util.DoInstalledAppBrowserFlow(
launch_browser=launch_browser,
scopes=scopes,
client_id=auth_util.DEFAULT_CREDENTIALS_DEFAULT_CLIENT_ID,
client_secret=auth_util.
DEFAULT_CREDENTIALS_DEFAULT_CLIENT_SECRET)
full_path = auth_util.SaveCredentialsAsADC(creds)
log.status.Print(
'\nCredentials saved to file: [{f}]'.format(f=full_path))
log.status.Print(
'\n'
'These credentials will be used by any library that requests\n'
'Application Default Credentials.\n'
'\n'
'To generate an access token for other uses, run:\n'
' gcloud auth application-default print-access-token')
return creds
def BrowseApp(project, service, version, launch_browser):
"""Let you browse the given service at the given version.
Args:
project: str, project ID.
service: str, specific service, 'default' if None
version: str, specific version, latest if None
launch_browser: boolean, if False only print url
Returns:
None if the browser should open the URL
The relevant output as a dict for calliope format to print if not
Raises:
MissingApplicationError: If an app does not exist.
"""
try:
url = deploy_command_util.GetAppHostname(app_id=project,
service=service,
version=version,
use_ssl=appinfo.SECURE_HTTPS,
deploy=False)
except api_lib_exceptions.NotFoundError:
log.debug('No app found:', exc_info=True)
raise exceptions.MissingApplicationError(project)
if check_browser.ShouldLaunchBrowser(launch_browser):
OpenURL(url)
return None
else:
return {
'url': url,
'service': service or 'default',
'version': version,
}
def Run(self, args):
"""Run the authentication command."""
if c_gce.Metadata().connected:
message = textwrap.dedent("""
You are running on a Google Compute Engine virtual machine.
The service credentials associated with this virtual machine
will automatically be used by Application Default
Credentials, so it is not necessary to use this command.
If you decide to proceed anyway, your user credentials may be visible
to others with access to this virtual machine. Are you sure you want
to authenticate with your personal account?
""")
console_io.PromptContinue(message=message,
throw_if_unattended=True,
cancel_on_no=True)
command_auth_util.PromptIfADCEnvVarIsSet()
scopes = args.scopes or auth_util.DEFAULT_SCOPES
# This reauth scope is only used here and when refreshing the access token.
scopes += [config.REAUTH_SCOPE]
launch_browser = check_browser.ShouldLaunchBrowser(args.launch_browser)
if args.client_id_file:
creds = auth_util.DoInstalledAppBrowserFlow(
launch_browser=launch_browser,
scopes=scopes,
client_id_file=args.client_id_file)
else:
creds = auth_util.DoInstalledAppBrowserFlow(
launch_browser=launch_browser,
scopes=scopes,
client_id=auth_util.DEFAULT_CREDENTIALS_DEFAULT_CLIENT_ID,
client_secret=auth_util.
DEFAULT_CREDENTIALS_DEFAULT_CLIENT_SECRET)
if args.IsSpecified('client_id_file'):
full_path = c_creds.ADC(creds).DumpADCToFile()
else:
full_path = c_creds.ADC(creds).DumpExtendedADCToFile()
log.status.Print(
'\nCredentials saved to file: [{f}]'.format(f=full_path))
log.status.Print(
'\nThese credentials will be used by any library that requests '
'Application Default Credentials (ADC).')
quota_project = command_auth_util.GetQuotaProjectFromADC()
if quota_project:
log.status.Print(
"\nQuota project '{}' was added to ADC which can be used by Google "
'client libraries for billing and quota. To just '
'update the quota project in ADC, '
'run $gcloud auth application-default set-quota-project.'.
format(quota_project))
return creds
def Run(self, args):
"""Run the authentication command."""
if c_gce.Metadata().connected:
message = textwrap.dedent("""
You are running on a Google Compute Engine virtual machine.
The service credentials associated with this virtual machine
will automatically be used by Application Default
Credentials, so it is not necessary to use this command.
If you decide to proceed anyway, your user credentials may be visible
to others with access to this virtual machine. Are you sure you want
to authenticate with your personal account?
""")
console_io.PromptContinue(message=message,
throw_if_unattended=True,
cancel_on_no=True)
command_auth_util.PromptIfADCEnvVarIsSet()
# This reauth scope is only used here and when refreshing the access token.
scopes = (args.scopes
or auth_util.DEFAULT_SCOPES) + [config.REAUTH_SCOPE]
launch_browser = check_browser.ShouldLaunchBrowser(args.launch_browser)
if args.use_oauth2client:
if args.client_id_file:
creds = auth_util.DoInstalledAppBrowserFlow(
launch_browser=launch_browser,
scopes=scopes,
client_id_file=args.client_id_file)
else:
creds = auth_util.DoInstalledAppBrowserFlow(
launch_browser=launch_browser,
scopes=scopes,
client_id=auth_util.DEFAULT_CREDENTIALS_DEFAULT_CLIENT_ID,
client_secret=auth_util.
DEFAULT_CREDENTIALS_DEFAULT_CLIENT_SECRET)
else:
properties.VALUES.auth.client_id.Set(
auth_util.DEFAULT_CREDENTIALS_DEFAULT_CLIENT_ID)
properties.VALUES.auth.client_secret.Set(
auth_util.DEFAULT_CREDENTIALS_DEFAULT_CLIENT_SECRET)
creds = auth_util.DoInstalledAppBrowserFlowGoogleAuth(
launch_browser, scopes, client_id_file=args.client_id_file)
if args.IsSpecified('client_id_file'):
command_auth_util.DumpADC(creds, quota_project_disabled=False)
elif args.disable_quota_project or (not args.add_quota_project):
command_auth_util.DumpADC(creds, quota_project_disabled=True)
else:
command_auth_util.DumpADCOptionalQuotaProject(creds)
return creds
def DoInstalledAppBrowserFlowGoogleAuth(scopes,
client_id_file=None,
no_launch_browser=False,
no_browser=False,
remote_bootstrap=None):
"""Launches a 3LO oauth2 flow to get google-auth credentials.
Args:
scopes: [str], The list of scopes to authorize.
client_id_file: str, The path to a file containing the client id and secret
to use for the flow. If None, the default client id for the Cloud SDK is
used.
no_launch_browser: bool, True if users specify --no-launch-browser flag to
use the oob auth flow.
no_browser: bool, True if users specify --no-browser flag to ask another
gcloud instance to help with authorization.
remote_bootstrap: str, The auth parameters specified by --remote-bootstrap
flag. Once used, it means the command is to help authorize another
gcloud (i.e. gcloud without access to browser).
Returns:
core.credentials.google_auth_credentials.Credentials, The credentials
obtained from the flow.
"""
if client_id_file:
AssertClientSecretIsInstalledType(client_id_file)
client_config = _CreateGoogleAuthClientConfig(client_id_file)
can_launch_browser = check_browser.ShouldLaunchBrowser(
attempt_launch_browser=True)
if no_browser:
user_creds = NoBrowserFlowRunner(scopes, client_config).Run()
elif remote_bootstrap:
if not can_launch_browser:
raise c_flow.WebBrowserInaccessible(
'Cannot launch browser. Please run this command on a machine '
'where gcloud can launch a web browser.')
user_creds = NoBrowserHelperRunner(
scopes, client_config).Run(partial_auth_url=remote_bootstrap)
elif no_launch_browser:
user_creds = OobFlowRunner(scopes, client_config).Run()
elif not can_launch_browser:
user_creds = NoBrowserFlowRunner(scopes, client_config).Run()
else:
user_creds = BrowserFlowWithNoBrowserFallbackRunner(
scopes, client_config).Run()
if user_creds:
return c_google_auth.Credentials.FromGoogleAuthUserCredentials(
user_creds)
def Run(self, args):
"""Run the authentication command."""
scopes = config.CLOUDSDK_SCOPES
# Add REAUTH scope in case the user has 2fact activated.
# This scope is only used here and when refreshing the access token.
scopes += (config.REAUTH_SCOPE,)
if args.enable_gdrive_access:
scopes += (auth_util.GOOGLE_DRIVE_SCOPE,)
if c_devshell.IsDevshellEnvironment():
message = """
You are already authenticated with gcloud when running
inside the Cloud Shell and so do not need to run this
command.
Do you wish to proceed anyway?
"""
answer = console_io.PromptContinue(message=message)
if not answer:
return None
elif c_gce.Metadata().connected:
message = textwrap.dedent("""
You are running on a Google Compute Engine virtual machine.
It is recommended that you use service accounts for authentication.
You can run:
$ gcloud config set account `ACCOUNT`
to switch accounts if necessary.
Your credentials may be visible to others with access to this
virtual machine. Are you sure you want to authenticate with
your personal account?
""")
answer = console_io.PromptContinue(message=message)
if not answer:
return None
account = args.account
if account and not args.force:
try:
creds = c_store.Load(account=account, scopes=scopes)
except c_store.Error:
creds = None
if creds:
# Account already has valid creds, just switch to it.
return self.LoginAs(account, creds, args.project, args.activate,
args.brief)
# No valid creds, do the web flow.
launch_browser = check_browser.ShouldLaunchBrowser(args.launch_browser)
creds = auth_util.DoInstalledAppBrowserFlow(launch_browser, scopes)
web_flow_account = creds.id_token['email']
if account and account.lower() != web_flow_account.lower():
raise auth_exceptions.WrongAccountError(
'You attempted to log in as account [{account}] but the received '
'credentials were for account [{web_flow_account}].\n\n'
'Please check that your browser is logged in as account [{account}] '
'and that you are using the correct browser profile.'.format(
account=account, web_flow_account=web_flow_account))
account = web_flow_account
# We got new creds, and they are for the correct user.
c_store.Store(creds, account, scopes)
return self.LoginAs(account, creds, args.project, args.activate,
args.brief)
