def testMaybeConvertToGoogleAuthCredsInputGoogleAuthCreds(self):
    """Re-converting a google-auth credential still yields google-auth."""
    converted = creds.MaybeConvertToGoogleAuthCredentials(self.fake_cred, True)
    self.assertIsInstance(converted, google_auth_credentials.Credentials)

    # Feed the already-converted credential back through the converter.
    reconverted = creds.MaybeConvertToGoogleAuthCredentials(converted, True)
    self.assertIsInstance(reconverted, google_auth_credentials.Credentials)

    # NOTE(review): the field comparison below runs on the first conversion
    # result, not on `reconverted`, so the second call is only type-checked.
    # Confirm whether the fields of `reconverted` should be verified as well.
    expected_fields = {
        'token': 'access-token',
        'expiry': datetime.datetime(2017, 1, 8, 0, 0, 0),
        '_scopes': config.CLOUDSDK_SCOPES,
        'client_id': 'client_id',
        'client_secret': 'client_secret',
        'refresh_token': 'fake-token',
        'token_uri': 'token_uri',
    }
    self.AssertCredentialsEqual(converted, expected_fields)
def testConvertDevShellCredsToGoogleAuthCreds(self):
    """Dev Shell credentials convert to the google-auth Dev Shell class."""
    source_cred = c_store.Load()
    self.assertIsInstance(source_cred, devshell.DevshellCredentials)

    converted = creds.MaybeConvertToGoogleAuthCredentials(source_cred, True)
    self.assertIsInstance(converted, devshell.DevShellCredentialsGoogleAuth)

    # The access token, ID token and expiry must be carried over unchanged.
    self.assertEqual(converted.token, source_cred.access_token)
    self.assertEqual(converted.id_tokenb64, source_cred.id_tokenb64)
    # Both id_token and id_tokenb64 on the converted credential are compared
    # with the source's id_tokenb64.
    self.assertEqual(converted.id_token, source_cred.id_tokenb64)
    self.assertEqual(converted.expiry, source_cred.token_expiry)
def testMaybeConvertUserCredsToGoogleAuthCreds(self):
    """oauth2client user credentials convert to google-auth credentials."""
    self.assertIsInstance(self.fake_cred, client.OAuth2Credentials)

    converted = creds.MaybeConvertToGoogleAuthCredentials(self.fake_cred, True)
    self.assertIsInstance(converted, google_auth_credentials.Credentials)

    # Token material and client identity must survive the conversion.
    expected_fields = {
        'token': 'access-token',
        'expiry': datetime.datetime(2017, 1, 8, 0, 0, 0),
        'client_id': 'client_id',
        'client_secret': 'client_secret',
        'refresh_token': 'fake-token',
        'token_uri': 'token_uri',
    }
    self.AssertCredentialsEqual(converted, expected_fields)
def testMaybeConvertToGoogleAuthCredsNotUseGoogleAuth(self):
    """With use_google_auth False the oauth2client credential is kept."""
    self.assertIsInstance(self.fake_cred, client.OAuth2Credentials)

    returned = creds.MaybeConvertToGoogleAuthCredentials(self.fake_cred, False)
    self.assertIsInstance(returned, client.OAuth2Credentials)

    # Field names here are the oauth2client ones (access_token, token_expiry,
    # scopes), since no conversion is expected.
    expected_fields = {
        'access_token': 'access-token',
        'token_expiry': datetime.datetime(2017, 1, 8, 0, 0, 0),
        'scopes': config.CLOUDSDK_SCOPES,
        'client_id': 'client_id',
        'client_secret': 'client_secret',
        'refresh_token': 'fake-token',
        'token_uri': 'token_uri',
    }
    self.AssertCredentialsEqual(returned, expected_fields)
def testMaybeConvertGceCredsToGoogleAuthCreds(self):
    """oauth2client GCE credentials convert to google-auth compute_engine."""
    gce_cred = oauth2client_gce.AppAssertionCredentials('*****@*****.**')
    gce_cred.access_token = 'access-token'
    gce_cred.token_expiry = datetime.datetime(2017, 1, 8, 0, 0, 0)
    gce_cred.scopes = set(config.CLOUDSDK_SCOPES)

    converted = creds.MaybeConvertToGoogleAuthCredentials(gce_cred, True)
    self.assertIsInstance(converted, compute_engine.Credentials)

    # The service account identity and scopes must match the source.
    expected_fields = {
        'token': 'access-token',
        'expiry': datetime.datetime(2017, 1, 8, 0, 0, 0),
        '_scopes': config.CLOUDSDK_SCOPES,
        'service_account_email': '*****@*****.**',
    }
    self.AssertCredentialsEqual(converted, expected_fields)
def testMaybeConvertADCToGoogleAuthCreds(self):
    """Credentials loaded from the ADC override file convert to google-auth."""
    # Point the credential file override at the ADC fixture before loading.
    properties.VALUES.auth.credential_file_override.Set(self.adc_file)
    adc_cred = c_store.Load()
    adc_cred.access_token = 'access-token'
    adc_cred.token_expiry = datetime.datetime(2017, 1, 8, 0, 0, 0)
    adc_cred.scopes = set(config.CLOUDSDK_SCOPES)
    self.assertIsInstance(adc_cred, client.GoogleCredentials)

    converted = creds.MaybeConvertToGoogleAuthCredentials(adc_cred, True)
    self.assertIsInstance(converted, google_auth_credentials.Credentials)

    # Client id, secret and refresh token are the values the test expects
    # from the fixture file.
    expected_fields = {
        'token': 'access-token',
        'expiry': datetime.datetime(2017, 1, 8, 0, 0, 0),
        '_scopes': config.CLOUDSDK_SCOPES,
        'client_id': 'foo.apps.googleusercontent.com',
        'client_secret': 'file-secret',
        'refresh_token': 'file-token',
    }
    self.AssertCredentialsEqual(converted, expected_fields)
def testMaybeConvertServiceAccountCredsToGoogleAuthCreds(self):
    """JSON-key service account credentials convert to google-auth."""
    # Point the credential file override at the JSON key fixture.
    properties.VALUES.auth.credential_file_override.Set(self.json_file)
    sa_cred = c_store.Load()
    sa_cred.access_token = 'access-token'
    sa_cred.token_expiry = datetime.datetime(2017, 1, 8, 0, 0, 0)
    sa_cred.scopes = set(config.CLOUDSDK_SCOPES)
    self.assertIsInstance(sa_cred, service_account.ServiceAccountCredentials)

    converted = creds.MaybeConvertToGoogleAuthCredentials(sa_cred, True)
    self.assertIsInstance(converted, google_auth_service_account.Credentials)

    # The expected token endpoint is pinned to an exact https URL.
    expected_fields = {
        'token': 'access-token',
        'expiry': datetime.datetime(2017, 1, 8, 0, 0, 0),
        '_scopes': config.CLOUDSDK_SCOPES,
        'service_account_email': '*****@*****.**',
        '_token_uri': 'https://www.googleapis.com/oauth2/v4/token',
    }
    self.AssertCredentialsEqual(converted, expected_fields)
def testMaybeConvertP12ServiceAccountCredsToGoogleAuthCreds(self):
    """P12-keyed service account credentials are returned unconverted."""
    p12_cred = service_account.ServiceAccountCredentials(
        'service_account_email', None, config.CLOUDSDK_SCOPES,
        'private_key_id', 'client_id', None, 'token_uri')
    p12_cred.access_token = 'access-token'
    p12_cred.token_expiry = datetime.datetime(2017, 1, 8, 0, 0, 0)
    p12_cred._private_key_pkcs12 = '_private_key_pkcs12'

    # google-auth is requested, yet the oauth2client type is expected back.
    returned = creds.MaybeConvertToGoogleAuthCredentials(p12_cred, True)
    self.assertIsInstance(returned, service_account.ServiceAccountCredentials)

    # The PKCS#12 key material must remain on the returned credential.
    expected_fields = {
        'access_token': 'access-token',
        'token_expiry': datetime.datetime(2017, 1, 8, 0, 0, 0),
        'client_id': 'client_id',
        '_private_key_id': 'private_key_id',
        '_private_key_pkcs12': '_private_key_pkcs12',
        'token_uri': 'token_uri',
    }
    self.AssertCredentialsEqual(returned, expected_fields)
def Load(account=None, scopes=None, prevent_refresh=False,
         allow_account_impersonation=True, use_google_auth=False):
    """Get the credentials associated with the provided account.

    This loads credentials regardless of whether credentials have been
    disabled via properties. Only use this when the functionality of the
    caller absolutely requires credentials (like printing out a token) vs
    logically requiring credentials (like for an http request).

    Credential information may come from the stored credential file
    (representing the last gcloud auth command), or the credential cache
    (representing the last time the credentials were refreshed). If they come
    from the cache, the token_response field will be None, as the full server
    response from the cached request was not stored.

    Args:
      account: str, The account address for the credentials being fetched. If
        None, the account stored in the core.account property is used.
      scopes: tuple, Custom auth scopes to request. By default CLOUDSDK_SCOPES
        are requested.
      prevent_refresh: bool, If True, do not refresh the access token even if
        it is out of date. (For use with operations that do not require a
        current access token, such as credential revocation.)
      allow_account_impersonation: bool, True to allow use of impersonated
        service account credentials (if that is configured). If False, the
        active user credentials will always be loaded.
      use_google_auth: bool, True to load credentials of google-auth if it is
        supported in the current authentication scenario. False to load
        credentials of oauth2client.

    Returns:
      oauth2client.client.Credentials or google.auth.credentials.Credentials
      based on use_google_auth and whether google-auth is supported in the
      current authentication scenario. The only two scenarios in which
      google-auth is not supported are: 1) Property auth/disable_google_auth
      is set to True; 2) P12 service account key is being used.

    Raises:
      NoActiveAccountException: If account is not provided and there is no
        active account.
      NoCredentialsForAccountException: If there are no valid credentials
        available for the provided or active account.
      c_gce.CannotConnectToMetadataServerException: If the metadata server
        cannot be reached.
      TokenRefreshError: If the credentials fail to refresh.
      TokenRefreshReauthError: If the credentials fail to refresh due to
        reauth.
      AccountImpersonationError: If impersonation is requested but an
        impersonation provider is not configured.
    """
    # The auth/disable_google_auth property overrides the caller's request:
    # google-auth is used only when it is requested and not disabled.
    google_auth_disabled = properties.VALUES.auth.disable_google_auth.GetBool()
    use_google_auth = use_google_auth and (not google_auth_disabled)

    impersonate_service_account = (
        properties.VALUES.auth.impersonate_service_account.Get())
    if allow_account_impersonation and impersonate_service_account:
        # Fail closed: with impersonation configured but no provider
        # registered, raise instead of falling back to the caller's own
        # credentials.
        if not IMPERSONATION_TOKEN_PROVIDER:
            raise AccountImpersonationError(
                'gcloud is configured to impersonate service account [{}] but '
                'impersonation support is not available.'.format(
                    impersonate_service_account))
        # Make the identity switch visible to the user on every invocation.
        log.warning(
            'This command is using service account impersonation. All API calls will '
            'be executed as [{}].'.format(impersonate_service_account))
        # `account` and `prevent_refresh` are not passed on this branch; the
        # token is requested for the configured service account only.
        cred = IMPERSONATION_TOKEN_PROVIDER.GetElevationAccessToken(
            impersonate_service_account, scopes or config.CLOUDSDK_SCOPES)
    else:
        cred = _Load(account, scopes, prevent_refresh)

    # NOTE(review): the conversion is assumed to apply to both branches
    # (impersonated and stored credentials) -- confirm against the upstream
    # file's indentation.
    cred = creds.MaybeConvertToGoogleAuthCredentials(cred, use_google_auth)
    return cred