def DumpADCOptionalQuotaProject(credentials):
    """Writes credentials to the ADC file, adding a quota project when allowed.

    The plain ADC file is always written first. The quota project is then
    looked up with force_resource_quota=True and is written into the
    application default credentials file only if the permission check for
    "serviceusage.services.use" on that project succeeds. In every other case
    the file keeps no quota project and the reason is logged.

    Args:
        credentials: a credentials object from the oauth2client or google-auth
            libraries, the credentials to dump.
    """
    # Only the path returned by DumpADCToFile is handed to the logger.
    written_path = c_creds.ADC(credentials).DumpADCToFile()
    LogADCIsWritten(written_path)

    project = c_creds.GetQuotaProject(credentials, force_resource_quota=True)
    if not project:
        LogQuotaProjectNotFound()
        return

    # The quota project is only persisted after the permission check passes;
    # a failed check leaves the ADC file written above untouched.
    may_use_project = AdcHasGivenPermissionOnProject(
        project, permissions=[SERVICEUSAGE_PERMISSION])
    if not may_use_project:
        LogMissingPermissionOnQuotaProject(project)
        return

    c_creds.ADC(credentials).DumpExtendedADCToFile(quota_project=project)
    LogQuotaProjectAdded(project)
def QuotaProject(self, enable_resource_quota, force_resource_quota,
                 allow_account_impersonation, use_google_auth):
    """Returns the quota project for the stored credentials, or None.

    Credentials are loaded only when a quota project was asked for, so the
    disabled path never touches the credential store.

    Args:
        enable_resource_quota: bool, whether a resource quota project is wanted.
        force_resource_quota: bool, passed through to GetQuotaProject; also
            enables the lookup on its own.
        allow_account_impersonation: bool, passed to store.LoadIfEnabled.
        use_google_auth: bool, passed to store.LoadIfEnabled.

    Returns:
        None when both quota flags are falsy, otherwise whatever
        core_creds.GetQuotaProject returns for the loaded credentials.
    """
    quota_requested = enable_resource_quota or force_resource_quota
    if quota_requested:
        loaded = store.LoadIfEnabled(allow_account_impersonation,
                                     use_google_auth)
        return core_creds.GetQuotaProject(loaded, force_resource_quota)
    return None
def GetGapicCredentials(enable_resource_quota=True,
                        allow_account_impersonation=True):
    """Returns a credential object for use by gapic client libraries.

    The quota project is set directly on the credentials (_quota_project_id),
    unlike for http requests, which add the quota project through request
    wrapping to implement go/gcloud-quota-model-v2.

    The credentials' refresh method is also replaced by a wrapper that always
    refreshes through our own google.auth.transport.Request object, so that our
    transport is used.

    Args:
        enable_resource_quota: bool, By default, we are going to tell APIs to
            use the quota of the project being operated on. For some APIs we
            want to use gcloud's quota, so you can explicitly disable that
            behavior by passing False here.
        allow_account_impersonation: bool, True to allow use of impersonated
            service account credentials for calls made with this client. If
            False, the active user credentials will always be used.

    Returns:
        A google auth credentials.Credentials object.

    Raises:
        MissingStoredCredentialsError: If a google-auth credential cannot be
            loaded.
    """
    gapic_creds = store.LoadIfEnabled(
        allow_account_impersonation=allow_account_impersonation,
        use_google_auth=True)
    if not creds.IsGoogleAuthCredentials(gapic_creds):
        raise MissingStoredCredentialsError('Unable to load credentials')

    if enable_resource_quota:
        # pylint: disable=protected-access
        gapic_creds._quota_project_id = creds.GetQuotaProject(gapic_creds)

    # The request object a caller passes to refresh() is deliberately dropped:
    # every refresh goes through a requests.GoogleAuthRequest() built here, so
    # the token exchange always runs over our transport.
    upstream_refresh = gapic_creds.refresh

    def _RefreshWithOwnTransport(request):
        del request  # unused
        return upstream_refresh(requests.GoogleAuthRequest())

    gapic_creds.refresh = _RefreshWithOwnTransport
    return gapic_creds
def __init__(self, enable_resource_quota=True, force_resource_quota=False,
             allow_account_impersonation=True):
    """Loads the stored credentials and caches their token and quota project.

    Args:
        enable_resource_quota: bool, look up a quota project for the loaded
            credentials.
        force_resource_quota: bool, passed through to GetQuotaProject; also
            enables the lookup on its own.
        allow_account_impersonation: bool, passed to store.LoadIfEnabled.

    Raises:
        MissingStoredCredentialsError: If store.LoadIfEnabled returns None.
    """
    super(StoredCredentials, self).__init__()

    loaded = store.LoadIfEnabled(
        allow_account_impersonation=allow_account_impersonation,
        use_google_auth=True)
    self.stored_credentials = loaded
    if loaded is None:
        raise MissingStoredCredentialsError()

    # oauth2client credentials expose the token as `access_token`, every
    # other credential type handled here as `token`. The value is copied onto
    # the instance as-is, so the instance itself must be treated as a secret.
    self.token = (
        loaded.access_token
        if creds.IsOauth2ClientCredentials(loaded)
        else loaded.token)

    quota_requested = enable_resource_quota or force_resource_quota
    self.quota_project_id = (
        creds.GetQuotaProject(loaded, force_resource_quota)
        if quota_requested
        else None)
def Http(timeout='unset', enable_resource_quota=True,
         force_resource_quota=False, response_encoding=None, ca_certs=None,
         allow_account_impersonation=True):
    """Get an httplib2.Http client for working with the Google API.

    Args:
        timeout: double, The timeout in seconds to pass to httplib2. This is
            the socket level timeout. If timeout is None, timeout is infinite.
            If default argument 'unset' is given, a sensible default is
            selected.
        enable_resource_quota: bool, By default, we are going to tell APIs to
            use the quota of the project being operated on. For some APIs we
            want to use gcloud's quota, so you can explicitly disable that
            behavior by passing False here.
        force_resource_quota: bool, If true resource project quota will be used
            by this client regardless of the settings in gcloud. This should be
            used for newer APIs that cannot work with legacy project quota.
        response_encoding: str, the encoding to use to decode the response.
        ca_certs: str, absolute filename of a ca_certs file that overrides the
            default.
        allow_account_impersonation: bool, True to allow use of impersonated
            service account credentials for calls made with this client. If
            False, the active user credentials will always be used.

    Returns:
        An authorized httplib2.Http client object, or a regular httplib2.Http
        object if no credentials are available.

    Raises:
        c_store.Error: If an error loading the credentials occurs.
    """
    http_client = http.Http(timeout=timeout,
                            response_encoding=response_encoding,
                            ca_certs=ca_certs)

    # Wrappers for IAM header injection.
    selector = properties.VALUES.auth.authority_selector.Get()
    token_file = properties.VALUES.auth.authorization_token_file.Get()
    handlers = _GetIAMAuthHandlers(selector, token_file)

    loaded_creds = store.LoadIfEnabled(
        allow_account_impersonation=allow_account_impersonation)
    if not loaded_creds:
        # NOTE(review): on this path the IAM handlers built above are never
        # attached to the client - confirm that is intended.
        return http_client

    # Inject the resource project header for quota unless explicitly disabled.
    if enable_resource_quota or force_resource_quota:
        quota_project = core_creds.GetQuotaProject(loaded_creds,
                                                   force_resource_quota)
        if quota_project:
            set_quota_header = http.Modifiers.SetHeader('X-Goog-User-Project',
                                                        quota_project)
            handlers.append(http.Modifiers.Handler(set_quota_header))

    authorized_client = loaded_creds.authorize(http_client)
    # Wrap the request method to put in our own error handling.
    return http.Modifiers.WrapRequest(
        authorized_client, handlers, _HandleAuthError,
        client.AccessTokenRefreshError)