Exemplo n.º 1
def AvailableAccounts():
    """List every account the Cloud SDK can currently obtain credentials for.

    A stored credential is listed only when its key carries the
    'google-cloud-sdk' type, the configured auth.client_id and exactly the
    space-joined CLOUDSDK_SCOPES string. Accounts reported by the GCE metadata
    server and, when present, the devshell account are then added.

    Returns:
      [str], The account names in sorted order.
    """

    def _IsForeignKey(entry):
        # Short-circuit order mirrors the checks one by one: the required
        # client_id property is only read for entries already tagged as
        # google-cloud-sdk, and the scope string is only built after that.
        return (entry.get('type') != 'google-cloud-sdk'
                or entry.get('clientId') != properties.VALUES.auth.client_id.Get(
                    required=True)
                or entry.get('scope') != ' '.join(config.CLOUDSDK_SCOPES))

    credential_keys = multistore_file.get_all_credential_keys(
        filename=config.Paths().credentials_path)

    # 'account' is indexed directly, so a matching key without that field
    # raises KeyError instead of being skipped.
    names = [entry['account'] for entry in credential_keys
             if not _IsForeignKey(entry)]

    # Identities that do not live in the local credential file.
    names.extend(c_gce.Metadata().Accounts())

    devshell = c_devshell.LoadDevshellCredentials()
    if devshell:
        names.append(devshell.devshell_response.user_email)

    return sorted(names)
def AvailableAccounts():
  """List every account the Cloud SDK can currently obtain credentials for.

  Every stored key whose type is 'google-cloud-sdk' is listed; no client id or
  scope comparison is made here. Accounts reported by the GCE metadata server
  and, when present, the devshell account are then added.

  Returns:
    [str], The account names in sorted order.
  """
  credential_keys = multistore_file.get_all_credential_keys(
      filename=config.Paths().credentials_path)

  names = []
  for entry in credential_keys:
    if entry.get('type') == 'google-cloud-sdk':
      # Indexed directly: a matching key without 'account' raises KeyError.
      names.append(entry['account'])

  # Identities that do not live in the local credential file.
  names.extend(c_gce.Metadata().Accounts())

  devshell = c_devshell.LoadDevshellCredentials()
  if devshell:
    names.append(devshell.devshell_response.user_email)

  return sorted(names)
def Load(account=None):
  """Get the credentials associated with the provided account.

  Sources are consulted in a fixed order and the first match wins: the file
  named by the auth.credential_file_override property, devshell credentials,
  the GCE metadata server, and finally the local credential store.

  Args:
    account: str, The account address for the credentials being fetched. If
        None, the account stored in the core.account property is used. Not
        consulted at all when auth.credential_file_override is set.

  Returns:
    oauth2client.client.Credentials, The specified credentials.

  Raises:
    NoActiveAccountException: If account is not provided and there is no
        active account.
    NoCredentialsForAccountException: If there are no valid credentials
        available for the provided or active account.
    InvalidCredentialFileException: If loading or scoping the override
        credential file raises client.Error.
    c_gce.CannotConnectToMetadataServerException: If the metadata server cannot
        be reached.
    RefreshError: If the credentials fail to refresh.
  """
  # If a credential file is set, just use that and ignore the active account
  # and whatever is in the credential store.
  # Security note: the credential returned from this branch is never compared
  # with `account`, so whoever controls this property decides which identity
  # the caller ends up using.
  cred_file_override = properties.VALUES.auth.credential_file_override.Get()
  if cred_file_override:
    # Only the file path is logged, not the credential material.
    log.info('Using alternate credentials from file: [%s]',
             cred_file_override)
    try:
      cred = client.GoogleCredentials.from_stream(cred_file_override)
      # Scopes are applied only when the credential reports it needs them.
      if cred.create_scoped_required():
        cred = cred.create_scoped(config.CLOUDSDK_SCOPES)
      return cred
    except client.Error as e:
      # Only client.Error is translated; any other exception propagates as is.
      raise InvalidCredentialFileException(cred_file_override, e)

  if not account:
    account = properties.VALUES.core.account.Get()

  if not account:
    raise NoActiveAccountException()

  # Devshell credentials are used only when their e-mail equals the requested
  # account exactly (plain string comparison, no case folding).
  devshell_creds = c_devshell.LoadDevshellCredentials()
  if devshell_creds and (
      devshell_creds.devshell_response.user_email == account):
    return devshell_creds

  # An account advertised by the metadata server takes precedence over a
  # credential of the same name in the local store.
  if account in c_gce.Metadata().Accounts():
    return AcquireFromGCE(account)

  # A missing storage object and an empty storage slot are reported the same
  # way to the caller.
  store = _StorageForAccount(account)
  if not store:
    raise NoCredentialsForAccountException(account)
  cred = store.get()
  if not cred:
    raise NoCredentialsForAccountException(account)

  # cred.token_expiry is in UTC time.
  # A missing expiry is treated as expired. utcnow() is reached through the
  # token_expiry object itself.
  # NOTE(review): assumes token_expiry is a naive datetime - confirm.
  if not cred.token_expiry or cred.token_expiry < cred.token_expiry.utcnow():
    Refresh(cred)

  return cred
Exemplo n.º 4
 def GetCredentials(self, account, use_google_auth=False):
     """Return the devshell credentials if they belong to `account`.

     Args:
       account: str, The account the caller wants credentials for.
       use_google_auth: bool, Accepted for interface compatibility and
           discarded; see the TODO below.

     Returns:
       The devshell credentials object when its user e-mail equals `account`
       exactly, otherwise None.
     """
     # TODO(b/153356810): migrate to google-auth.
     del use_google_auth
     loaded = c_devshell.LoadDevshellCredentials()
     if not loaded:
         return None
     # Plain equality: the e-mail must match the requested account exactly.
     if loaded.devshell_response.user_email == account:
         return loaded
     return None
Exemplo n.º 5
 def GetAccounts(self):
     """Return the devshell account as a one-element set, or an empty set.

     Returns:
       set, The devshell user e-mail when devshell credentials could be
       loaded, otherwise an empty set.
     """
     # DevShellCredentialsGoogleAuth and DevShellCredentials use the same code
     # to get devshell_response, so loading the google-auth flavour is safe
     # when only the e-mail is needed.
     loaded = c_devshell.LoadDevshellCredentials(use_google_auth=True)
     if not loaded:
         return set()
     return {loaded.devshell_response.user_email}
Exemplo n.º 6
def Load(account=None):
  """Get the credentials associated with the provided account.

  Sources are consulted in a fixed order and the first match wins: devshell
  credentials, the GCE metadata server, and finally the local credential
  store.

  Args:
    account: str, The account address for the credentials being fetched. If
        None, the account stored in the core.account property is used.

  Returns:
    oauth2client.client.Credentials, The specified credentials.

  Raises:
    NoActiveAccountException: If account is not provided and there is no
        active account.
    NoCredentialsForAccountException: If there are no valid credentials
        available for the provided or active account.
    c_gce.CannotConnectToMetadataServerException: If the metadata server cannot
        be reached.
    RefreshError: If the credentials fail to refresh.
  """
  # Fall back to the configured active account when none was passed in.
  if not account:
    account = properties.VALUES.core.account.Get()

  if not account:
    raise NoActiveAccountException()

  # Devshell credentials are used only when their e-mail equals the requested
  # account exactly (plain string comparison, no case folding).
  devshell_creds = c_devshell.LoadDevshellCredentials()
  if devshell_creds and (
      devshell_creds.devshell_response.user_email == account):
    return devshell_creds

  # An account advertised by the metadata server takes precedence over a
  # credential of the same name in the local store.
  if account in c_gce.Metadata().Accounts():
    return AcquireFromGCE(account)

  # A missing storage object and an empty storage slot are reported the same
  # way to the caller.
  store = _StorageForAccount(account)
  if not store:
    raise NoCredentialsForAccountException(account)
  cred = store.get()
  if not cred:
    raise NoCredentialsForAccountException(account)

  # cred.token_expiry is in UTC time.
  # A missing expiry is treated as expired. utcnow() is reached through the
  # token_expiry object itself.
  # NOTE(review): assumes token_expiry is a naive datetime - confirm.
  if not cred.token_expiry or cred.token_expiry < cred.token_expiry.utcnow():
    Refresh(cred)

  return cred
Exemplo n.º 7
def AvailableAccounts():
    """List every account the Cloud SDK can currently obtain credentials for.

    Combines the accounts held in the local credential store, the accounts
    reported by the GCE metadata server and, when present, the devshell
    account. Duplicates collapse because the names are gathered in a set.

    Returns:
      [str], The account names in sorted order.
    """
    stored = Oauth2ClientCredentialStore(
        config.Paths().credentials_path).GetAccounts()
    from_metadata = set(c_gce.Metadata().Accounts())
    # The union builds a new set, so adding to it below does not touch
    # whatever the store handed back.
    names = stored | from_metadata

    devshell = c_devshell.LoadDevshellCredentials()
    if devshell:
        names.add(devshell.devshell_response.user_email)

    ordered = sorted(names)
    return ordered
Exemplo n.º 8
 def GetAccounts(self):
     """Return the devshell account as a one-element set, or an empty set.

     Returns:
       set, The devshell user e-mail when devshell credentials could be
       loaded, otherwise an empty set.
     """
     loaded = c_devshell.LoadDevshellCredentials()
     if not loaded:
         return set()
     return {loaded.devshell_response.user_email}
Exemplo n.º 9
 def GetCredentials(self, account):
     """Return the devshell credentials if they belong to `account`.

     Args:
       account: str, The account the caller wants credentials for.

     Returns:
       The devshell credentials object when its user e-mail equals `account`
       exactly, otherwise None.
     """
     loaded = c_devshell.LoadDevshellCredentials()
     if not loaded:
         return None
     # Plain equality: the e-mail must match the requested account exactly.
     if loaded.devshell_response.user_email == account:
         return loaded
     return None
Exemplo n.º 10
 def GetCredentials(self, account, use_google_auth=False):
     """Return the devshell credentials if they belong to `account`.

     Args:
       account: str, The account the caller wants credentials for.
       use_google_auth: bool, Passed through unchanged as the first positional
           argument of c_devshell.LoadDevshellCredentials.

     Returns:
       The devshell credentials object when its user e-mail equals `account`
       exactly, otherwise None.
     """
     loaded = c_devshell.LoadDevshellCredentials(use_google_auth)
     if not loaded:
         return None
     # Plain equality: the e-mail must match the requested account exactly.
     if loaded.devshell_response.user_email == account:
         return loaded
     return None
Exemplo n.º 11
def Load(account=None, scopes=None, prevent_refresh=False):
    """Get the credentials associated with the provided account.

    Sources are consulted in a fixed order and the first match wins: the file
    named by the auth.credential_file_override property, devshell credentials,
    the GCE metadata server, and finally the local credential store.

    Args:
      account: str, The account address for the credentials being fetched. If
          None, the account stored in the core.account property is used. Not
          consulted at all when auth.credential_file_override is set.
      scopes: tuple, Custom auth scopes to request. By default CLOUDSDK_SCOPES
          are requested. Only read on the credential-file override path; the
          devshell, GCE and credential-store paths below do not use it.
      prevent_refresh: bool, If True, do not refresh the access token even if
          it is out of date. (For use with operations that do not require a
          current access token, such as credential revocation.)

    Returns:
      oauth2client.client.Credentials, The specified credentials.

    Raises:
      NoActiveAccountException: If account is not provided and there is no
          active account.
      NoCredentialsForAccountException: If there are no valid credentials
          available for the provided or active account.
      InvalidCredentialFileException: If handling the override credential file
          raises client.Error.
      c_gce.CannotConnectToMetadataServerException: If the metadata server
          cannot be reached.
      TokenRefreshError: If the credentials fail to refresh.
    """
    # If a credential file is set, just use that and ignore the active account
    # and whatever is in the credential store.
    # Security note: the credential returned from this branch is never compared
    # with `account`, so whoever controls this property decides which identity
    # the caller ends up using.
    cred_file_override = properties.VALUES.auth.credential_file_override.Get()
    if cred_file_override:
        # Only the file path is logged, not the credential material.
        log.info('Using alternate credentials from file: [%s]',
                 cred_file_override)
        try:
            cred = client.GoogleCredentials.from_stream(cred_file_override)
            cred_type = cred.serialization_data['type']
            # The token endpoint is replaced only for service-account
            # credentials and only when auth.token_host is set.
            # NOTE(review): token_uri is presumably where the credential sends
            # its token request, so auth.token_host deserves the same trust as
            # the credential file itself - confirm.
            token_uri_override = properties.VALUES.auth.token_host.Get()
            if cred_type == client.SERVICE_ACCOUNT and token_uri_override:
                # Both the public attribute and the private _token_uri are
                # overwritten with the same value.
                # pylint: disable=protected-access
                cred.token_uri = cred._token_uri = token_uri_override
            # Scopes are applied only when the credential reports it needs
            # them; caller-supplied scopes win over the SDK default.
            if cred.create_scoped_required():
                if scopes is None:
                    scopes = config.CLOUDSDK_SCOPES
                cred = cred.create_scoped(scopes)
            return cred
        except client.Error as e:
            # Only client.Error is translated; any other exception raised in
            # the try body propagates unchanged.
            raise InvalidCredentialFileException(cred_file_override, e)

    if not account:
        account = properties.VALUES.core.account.Get()

    if not account:
        raise NoActiveAccountException()

    # Devshell credentials are used only when their e-mail equals the requested
    # account exactly (plain string comparison, no case folding).
    devshell_creds = c_devshell.LoadDevshellCredentials()
    if devshell_creds and (devshell_creds.devshell_response.user_email
                           == account):
        return devshell_creds

    # An account advertised by the metadata server takes precedence over a
    # credential of the same name in the local store.
    if account in c_gce.Metadata().Accounts():
        return AcquireFromGCE(account)

    # A missing storage object and an empty storage slot are reported the same
    # way to the caller.
    store = _StorageForAccount(account)
    if not store:
        raise NoCredentialsForAccountException(account)
    cred = store.get()
    if not cred:
        raise NoCredentialsForAccountException(account)

    # cred.token_expiry is in UTC time.
    # A missing expiry is treated as expired. With prevent_refresh set, a
    # credential whose token may already be expired is returned as is.
    # NOTE(review): assumes token_expiry is a naive datetime - confirm.
    if (not prevent_refresh
            and (not cred.token_expiry
                 or cred.token_expiry < cred.token_expiry.utcnow())):
        Refresh(cred)

    return cred
Exemplo n.º 12
def Load(account=None, scopes=None, prevent_refresh=False):
    """Get the credentials associated with the provided account.

    This loads credentials regardless of whether credentials have been disabled
    via properties. Only use this when the functionality of the caller
    absolutely requires credentials (like printing out a token) vs logically
    requiring credentials (like for an http request).

    Sources are consulted in a fixed order and the first match wins: the file
    named by the auth.credential_file_override property, devshell credentials,
    the GCE metadata server, and finally the credential store.

    Args:
      account: str, The account address for the credentials being fetched. If
          None, the account stored in the core.account property is used. Not
          consulted at all when auth.credential_file_override is set.
      scopes: tuple, Custom auth scopes to request. By default CLOUDSDK_SCOPES
          are requested. Only read on the credential-file override path; the
          devshell, GCE and credential-store paths below do not use it.
      prevent_refresh: bool, If True, do not refresh the access token even if
          it is out of date. (For use with operations that do not require a
          current access token, such as credential revocation.)

    Returns:
      oauth2client.client.Credentials, The specified credentials.

    Raises:
      NoActiveAccountException: If account is not provided and there is no
          active account.
      NoCredentialsForAccountException: If there are no valid credentials
          available for the provided or active account.
      InvalidCredentialFileException: If reading the override credential file
          raises client.Error.
      c_gce.CannotConnectToMetadataServerException: If the metadata server
          cannot be reached.
      TokenRefreshError: If the credentials fail to refresh.
      TokenRefreshReauthError: If the credentials fail to refresh due to
          reauth.
    """
    # If a credential file is set, just use that and ignore the active account
    # and whatever is in the credential store.
    # Security note: the credential returned from this branch is never compared
    # with `account`, so whoever controls this property decides which identity
    # the caller ends up using.
    cred_file_override = properties.VALUES.auth.credential_file_override.Get()
    if cred_file_override:
        # Only the file path is logged, not the credential material.
        log.info('Using alternate credentials from file: [%s]',
                 cred_file_override)
        # The try covers just the file read; errors raised by the scoping and
        # token_uri steps below are not translated.
        try:
            cred = client.GoogleCredentials.from_stream(cred_file_override)
        except client.Error as e:
            raise InvalidCredentialFileException(cred_file_override, e)

        # Scopes are applied only when the credential reports it needs them;
        # caller-supplied scopes win over the SDK default.
        if cred.create_scoped_required():
            if scopes is None:
                scopes = config.CLOUDSDK_SCOPES
            cred = cred.create_scoped(scopes)

        # Set token_uri after scopes since token_uri needs to be explicitly
        # preserved when scopes are applied.
        # The override is applied to the two service-account credential types
        # only; other credential types keep their own token_uri.
        # NOTE(review): token_uri is presumably where the credential sends its
        # token request, so auth.token_host deserves the same trust as the
        # credential file itself - confirm.
        token_uri_override = properties.VALUES.auth.token_host.Get()
        if token_uri_override:
            cred_type = creds.CredentialType.FromCredentials(cred)
            if cred_type in (creds.CredentialType.SERVICE_ACCOUNT,
                             creds.CredentialType.P12_SERVICE_ACCOUNT):
                cred.token_uri = token_uri_override
        return cred

    if not account:
        account = properties.VALUES.core.account.Get()

    if not account:
        raise NoActiveAccountException()

    # Devshell credentials are used only when their e-mail equals the requested
    # account exactly (plain string comparison, no case folding).
    devshell_creds = c_devshell.LoadDevshellCredentials()
    if devshell_creds and (devshell_creds.devshell_response.user_email
                           == account):
        return devshell_creds

    # An account advertised by the metadata server takes precedence over a
    # credential of the same name in the store.
    if account in c_gce.Metadata().Accounts():
        return AcquireFromGCE(account)

    # A falsy result from the store is reported as "no credentials".
    store = creds.GetCredentialStore()
    cred = store.Load(account)
    if not cred:
        raise NoCredentialsForAccountException(account)

    # cred.token_expiry is in UTC time.
    # A missing expiry is treated as expired. With prevent_refresh set, a
    # credential whose token may already be expired is returned as is.
    # NOTE(review): assumes token_expiry is a naive datetime - confirm.
    if (not prevent_refresh
            and (not cred.token_expiry
                 or cred.token_expiry < cred.token_expiry.utcnow())):
        Refresh(cred)

    return cred