def testDumpADCOptionalQuotaProject_NoQuotaProject(self):
  """Checks the ADC dump when the credentials carry no quota project.

  GetQuotaProject is patched to return None. The test then expects that the
  ADC file exists, that it holds no quota project, that both the "saved" and
  the "Cannot find a quota project" messages were reported, and that the
  permission-check mock was never invoked.
  """
  quota_project_lookup = self.StartObjectPatch(creds, 'GetQuotaProject')
  quota_project_lookup.return_value = None
  user_credentials = self.MakeUserCredentials()

  auth_util.DumpADCOptionalQuotaProject(user_credentials)

  auth_util.AssertADCExists()
  self.AssertQuotaProjectEquals(None)
  for expected_message in ('Credentials saved to file',
                           'Cannot find a quota project'):
    self.AssertErrContains(expected_message)
  # With no quota project to add, the permission check must not be reached.
  self.adc_permission_checking.assert_not_called()
def testDumpADCOptionalQuotaProject_WithoutPermission(self):
  """Checks the ADC dump when the quota-project permission check fails.

  GetQuotaProject is patched to return self.fake_project and the
  permission-check mock is set to return False. The test then expects that
  the ADC file is still written, that it holds no quota project, and that
  the "Cannot add the project" message names the rejected project.
  """
  quota_project_lookup = self.StartObjectPatch(creds, 'GetQuotaProject')
  quota_project_lookup.return_value = self.fake_project
  # Simulate an account without permission on the project.
  self.adc_permission_checking.return_value = False
  user_credentials = self.MakeUserCredentials()

  auth_util.DumpADCOptionalQuotaProject(user_credentials)

  auth_util.AssertADCExists()
  # A failed permission check must leave the quota project out of ADC.
  self.AssertQuotaProjectEquals(None)
  self.AssertErrContains('Credentials saved to file')
  rejection_notice = 'Cannot add the project "{}" to ADC'.format(
      self.fake_project)
  self.AssertErrContains(rejection_notice)
  self.adc_permission_checking.assert_called()
def Run(self, args):
  """Run the authentication command.

  Obtains user credentials through an installed-app browser flow and writes
  them to Application Default Credentials (ADC).

  Args:
    args: Parsed command arguments. This method reads scopes, launch_browser,
      use_oauth2client, client_id_file, disable_quota_project and
      add_quota_project.

  Returns:
    The credentials produced by the browser flow.
  """
  if c_gce.Metadata().connected:
    # On a GCE VM the service credentials are already used by ADC. The
    # prompt warns that user credentials stored here may be visible to
    # others with access to the VM, and requires explicit confirmation.
    # NOTE(review): line breaks inside this literal are not visible in this
    # listing; the text is kept exactly as shown.
    gce_warning = textwrap.dedent(""" You are running on a Google Compute Engine virtual machine. The service credentials associated with this virtual machine will automatically be used by Application Default Credentials, so it is not necessary to use this command. If you decide to proceed anyway, your user credentials may be visible to others with access to this virtual machine. Are you sure you want to authenticate with your personal account? """)
    console_io.PromptContinue(
        message=gce_warning, throw_if_unattended=True, cancel_on_no=True)

  command_auth_util.PromptIfADCEnvVarIsSet()

  # This reauth scope is only used here and when refreshing the access token.
  requested_scopes = args.scopes or auth_util.DEFAULT_SCOPES
  scopes = requested_scopes + [config.REAUTH_SCOPE]
  launch_browser = check_browser.ShouldLaunchBrowser(args.launch_browser)

  if not args.use_oauth2client:
    # google-auth path: the default ADC client id/secret are registered as
    # properties first; a client_id_file, if given, is passed to the flow.
    properties.VALUES.auth.client_id.Set(
        auth_util.DEFAULT_CREDENTIALS_DEFAULT_CLIENT_ID)
    properties.VALUES.auth.client_secret.Set(
        auth_util.DEFAULT_CREDENTIALS_DEFAULT_CLIENT_SECRET)
    creds = auth_util.DoInstalledAppBrowserFlowGoogleAuth(
        launch_browser, scopes, client_id_file=args.client_id_file)
  elif args.client_id_file:
    # oauth2client path with a caller-supplied client id file.
    creds = auth_util.DoInstalledAppBrowserFlow(
        launch_browser=launch_browser,
        scopes=scopes,
        client_id_file=args.client_id_file)
  else:
    # oauth2client path with the default ADC client id/secret.
    creds = auth_util.DoInstalledAppBrowserFlow(
        launch_browser=launch_browser,
        scopes=scopes,
        client_id=auth_util.DEFAULT_CREDENTIALS_DEFAULT_CLIENT_ID,
        client_secret=auth_util.DEFAULT_CREDENTIALS_DEFAULT_CLIENT_SECRET)

  # Quota project handling: it is left enabled for a caller-supplied client
  # id file, disabled on request or when add_quota_project is off, and
  # otherwise added on a best-effort basis.
  if args.IsSpecified('client_id_file'):
    command_auth_util.DumpADC(creds, quota_project_disabled=False)
  elif args.disable_quota_project or (not args.add_quota_project):
    command_auth_util.DumpADC(creds, quota_project_disabled=True)
  else:
    command_auth_util.DumpADCOptionalQuotaProject(creds)
  return creds
def _authenticate_and_get_creds_file_path(existing_creds_file=None):
  """Ensures agent will be able to authenticate and returns creds.

  Args:
    existing_creds_file: Optional path to a credentials file supplied by the
      caller. It is expanded with _expand_path and only checked for
      existence; its contents are not inspected here.

  Returns:
    The path of the credentials file: the expanded caller-supplied path, or
    the well-known ADC path when none was supplied.

  Raises:
    OSError: If existing_creds_file was given but nothing exists at the
      expanded path.
  """
  if existing_creds_file:
    explicit_path = _expand_path(existing_creds_file)
    if os.path.exists(explicit_path):
      return explicit_path
    raise OSError(
        'Credentials file not found at {}. Check for typos and ensure a'
        ' creds file exists at the path, then re-run the command.'.format(
            explicit_path))

  # No explicit file: fall back to the well-known ADC location, which is
  # only reachable through a private oauth2client helper.
  well_known_path = oauth2_client._get_well_known_file()  # pylint:disable=protected-access
  if not os.path.exists(well_known_path):
    # Nothing stored yet: run the browser flow and write the result to ADC.
    # The reauth scope is requested on top of the default scopes.
    login_scopes = login_util.DEFAULT_SCOPES + [config.REAUTH_SCOPE]
    creds = login_util.DoInstalledAppBrowserFlowGoogleAuth(scopes=login_scopes)
    auth_util.DumpADCOptionalQuotaProject(creds)
  return well_known_path
def Run(self, args):
  """Run the authentication command.

  Obtains user credentials through the google-auth installed-app flow and
  writes them to Application Default Credentials (ADC). When the
  auth/impersonate_service_account property is set, the impersonated
  service account is written to ADC instead.

  Args:
    args: Parsed command arguments. This method reads client_id_file,
      launch_browser, no_browser, remote_bootstrap, scopes and
      disable_quota_project.

  Returns:
    The credentials produced by the flow, or None when the flow yields no
    credentials.

  Raises:
    c_store.FlowError: If auth/access_token_file is set.
    c_exc.InvalidArgumentException: If a client id file is combined with
      the no-launch-browser flow.
  """
  # TODO(b/203102970): Remove this condition check after the bug is resolved
  if properties.VALUES.auth.access_token_file.Get():
    raise c_store.FlowError(
        'auth/access_token_file or --access-token-file was set which is not '
        'compatible with this command. Please unset the property and rerun '
        'this command.')

  if c_gce.Metadata().connected:
    # On a GCE VM the service credentials are already used by ADC. The
    # prompt warns that user credentials stored here may be visible to
    # others with access to the VM, and requires explicit confirmation.
    # NOTE(review): line breaks inside this literal are not visible in this
    # listing; the text is kept exactly as shown.
    gce_warning = textwrap.dedent(""" You are running on a Google Compute Engine virtual machine. The service credentials associated with this virtual machine will automatically be used by Application Default Credentials, so it is not necessary to use this command. If you decide to proceed anyway, your user credentials may be visible to others with access to this virtual machine. Are you sure you want to authenticate with your personal account? """)
    console_io.PromptContinue(
        message=gce_warning, throw_if_unattended=True, cancel_on_no=True)

  command_auth_util.PromptIfADCEnvVarIsSet()

  if args.client_id_file and not args.launch_browser:
    raise c_exc.InvalidArgumentException(
        '--no-launch-browser',
        '`--no-launch-browser` flow no longer works with the '
        '`--client-id-file`. Please replace `--no-launch-browser` with '
        '`--no-browser`.')

  # This reauth scope is only used here and when refreshing the access token.
  requested_scopes = args.scopes or auth_util.DEFAULT_SCOPES
  scopes = requested_scopes + [config.REAUTH_SCOPE]

  # The default ADC client id/secret are registered as properties before the
  # flow starts; a client_id_file, if given, is passed to the flow as well.
  properties.VALUES.auth.client_id.Set(
      auth_util.DEFAULT_CREDENTIALS_DEFAULT_CLIENT_ID)
  properties.VALUES.auth.client_secret.Set(
      auth_util.DEFAULT_CREDENTIALS_DEFAULT_CLIENT_SECRET)
  creds = auth_util.DoInstalledAppBrowserFlowGoogleAuth(
      scopes,
      client_id_file=args.client_id_file,
      no_launch_browser=not args.launch_browser,
      no_browser=args.no_browser,
      remote_bootstrap=args.remote_bootstrap)
  if not creds:
    # The flow produced nothing, so nothing is written to ADC.
    return None

  target_principal, delegate_chain = None, None
  impersonation_setting = (
      properties.VALUES.auth.impersonate_service_account.Get())
  if impersonation_setting:
    target_principal, delegate_chain = c_store.ParseImpersonationAccounts(
        impersonation_setting)

  if target_principal:
    # TODO(b/184049366): Supports quota project with impersonated creds.
    command_auth_util.DumpImpersonatedServiceAccountToADC(
        creds, target_principal=target_principal, delegates=delegate_chain)
    return creds

  # Plain user credentials. The quota project is left enabled for a
  # caller-supplied client id file, disabled on request, and otherwise added
  # on a best-effort basis.
  if args.IsSpecified('client_id_file'):
    command_auth_util.DumpADC(creds, quota_project_disabled=False)
  elif args.disable_quota_project:
    command_auth_util.DumpADC(creds, quota_project_disabled=True)
  else:
    command_auth_util.DumpADCOptionalQuotaProject(creds)
  return creds