From 82c0fb126a3dd82b3f5c8975eb8fd708ac3180fe Mon Sep 17 00:00:00 2001 From: "akuegel@chromium.org" Date: Thu, 16 Apr 2015 11:06:23 +0000 Subject: [PATCH] Revert of Upgrade 3rd packages (patchset #4 id:60001 of https://codereview.chromium.org/1085893002/) Reason for revert: This might have broken some internal tryserver bots. Original issue's description: > Upgrade 3rd packages > > BUG=461614 > R=nodir@chromium.org > > Committed: https://src.chromium.org/viewvc/chrome?view=rev&revision=294835 TBR=nodir@chromium.org,sheyang@chromium.org NOPRESUBMIT=true NOTREECHECKS=true NOTRY=true BUG=461614 Review URL: https://codereview.chromium.org/1094533003 git-svn-id: svn://svn.chromium.org/chrome/trunk/tools/depot_tools@294841 0039d316-1c4b-4281-b951-d872f2087c98 --- .../MODIFICATIONS.diff | 125 -- .../google_api_python_client/README.chromium | 6 +- .../apiclient/__init__.py | 2 +- .../googleapiclient/channel.py | 2 +- .../googleapiclient/discovery.py | 10 +- .../googleapiclient/errors.py | 2 +- .../googleapiclient/http.py | 4 +- .../googleapiclient/sample_tools.py | 8 +- .../googleapiclient/schema.py | 2 +- third_party/oauth2client/README.chromium | 4 +- third_party/oauth2client/__init__.py | 7 +- third_party/oauth2client/anyjson.py | 32 + third_party/oauth2client/appengine.py | 82 +- third_party/oauth2client/client.py | 1112 ++++------------- third_party/oauth2client/clientsecrets.py | 47 +- third_party/oauth2client/crypt.py | 126 +- third_party/oauth2client/devshell.py | 135 -- third_party/oauth2client/django_orm.py | 15 +- third_party/oauth2client/file.py | 12 +- third_party/oauth2client/gce.py | 39 +- third_party/oauth2client/keyring_storage.py | 9 +- third_party/oauth2client/locked_file.py | 45 +- third_party/oauth2client/multistore_file.py | 72 +- third_party/oauth2client/old_run.py | 106 +- third_party/oauth2client/service_account.py | 139 --- third_party/oauth2client/tools.py | 194 ++- third_party/oauth2client/util.py | 105 +- third_party/oauth2client/xsrfutil.py | 49 +- 28 files changed, 646 insertions(+), 1845 deletions(-) delete mode 100644 third_party/google_api_python_client/MODIFICATIONS.diff create mode 100644 third_party/oauth2client/anyjson.py delete mode 100644 third_party/oauth2client/devshell.py delete mode 100644 third_party/oauth2client/service_account.py diff --git a/third_party/google_api_python_client/MODIFICATIONS.diff b/third_party/google_api_python_client/MODIFICATIONS.diff deleted file mode 100644 index efa382abf..000000000 --- a/third_party/google_api_python_client/MODIFICATIONS.diff +++ /dev/null @@ -1,125 +0,0 @@ -diff --git a/third_party/google_api_python_client/apiclient/__init__.py b/third_party/google_api_python_client/apiclient/__init__.py -index 5efb142..acb1a23 100644 ---- a/third_party/google_api_python_client/apiclient/__init__.py -+++ b/third_party/google_api_python_client/apiclient/__init__.py -@@ -3,7 +3,7 @@ - import googleapiclient - - try: -- import oauth2client -+ from third_party import oauth2client - except ImportError: - raise RuntimeError( - 'Previous version of google-api-python-client detected; due to a ' -diff --git a/third_party/google_api_python_client/googleapiclient/channel.py b/third_party/google_api_python_client/googleapiclient/channel.py -index 68a3b89..4626094 100644 ---- a/third_party/google_api_python_client/googleapiclient/channel.py -+++ b/third_party/google_api_python_client/googleapiclient/channel.py -@@ -60,7 +60,7 @@ import datetime - import uuid - - from googleapiclient import errors --from ...oauth2client import util -+from third_party.oauth2client import util - - - # The unix time epoch starts at midnight 1970. -diff --git a/third_party/google_api_python_client/googleapiclient/discovery.py b/third_party/google_api_python_client/googleapiclient/discovery.py -index 3ddac57..0e9e5cf 100644 ---- a/third_party/google_api_python_client/googleapiclient/discovery.py -+++ b/third_party/google_api_python_client/googleapiclient/discovery.py -@@ -47,9 +47,9 @@ except ImportError: - from cgi import parse_qsl - - # Third-party imports --from ... import httplib2 -+from third_party import httplib2 -+from third_party.uritemplate import uritemplate - import mimeparse --from ... import uritemplate - - # Local imports - from googleapiclient.errors import HttpError -@@ -65,9 +65,9 @@ from googleapiclient.model import JsonModel - from googleapiclient.model import MediaModel - from googleapiclient.model import RawModel - from googleapiclient.schema import Schemas --from oauth2client.client import GoogleCredentials --from oauth2client.util import _add_query_parameter --from oauth2client.util import positional -+from third_party.oauth2client.client import GoogleCredentials -+from third_party.oauth2client.util import _add_query_parameter -+from third_party.oauth2client.util import positional - - - # The client library requires a version of httplib2 that supports RETRIES. -diff --git a/third_party/google_api_python_client/googleapiclient/errors.py b/third_party/google_api_python_client/googleapiclient/errors.py -index a1999fd..18c52e6 100644 ---- a/third_party/google_api_python_client/googleapiclient/errors.py -+++ b/third_party/google_api_python_client/googleapiclient/errors.py -@@ -24,7 +24,7 @@ __author__ = 'jcgregorio@google.com (Joe Gregorio)' - - import json - --from ...oauth2client import util -+from third_party.oauth2client import util - - - class Error(Exception): -diff --git a/third_party/google_api_python_client/googleapiclient/http.py b/third_party/google_api_python_client/googleapiclient/http.py -index 8638279..d2ce70c 100644 ---- a/third_party/google_api_python_client/googleapiclient/http.py -+++ b/third_party/google_api_python_client/googleapiclient/http.py -@@ -25,7 +25,6 @@ import StringIO - import base64 - import copy - import gzip --import httplib2 - import json - import logging - import mimeparse -@@ -49,7 +48,8 @@ from errors import ResumableUploadError - from errors import UnexpectedBodyError - from errors import UnexpectedMethodError - from model import JsonModel --from ...oauth2client import util -+from third_party import httplib2 -+from third_party.oauth2client import util - - - DEFAULT_CHUNK_SIZE = 512*1024 -diff --git a/third_party/google_api_python_client/googleapiclient/sample_tools.py b/third_party/google_api_python_client/googleapiclient/sample_tools.py -index cbd6d6f..cc0790b 100644 ---- a/third_party/google_api_python_client/googleapiclient/sample_tools.py -+++ b/third_party/google_api_python_client/googleapiclient/sample_tools.py -@@ -22,13 +22,13 @@ __all__ = ['init'] - - - import argparse --import httplib2 - import os - - from googleapiclient import discovery --from ...oauth2client import client --from ...oauth2client import file --from ...oauth2client import tools -+from third_party import httplib2 -+from third_party.oauth2client import client -+from third_party.oauth2client import file -+from third_party.oauth2client import tools - - - def init(argv, name, version, doc, filename, scope=None, parents=[], discovery_filename=None): -diff --git a/third_party/google_api_python_client/googleapiclient/schema.py b/third_party/google_api_python_client/googleapiclient/schema.py -index af41317..92543ec 100644 ---- a/third_party/google_api_python_client/googleapiclient/schema.py -+++ b/third_party/google_api_python_client/googleapiclient/schema.py -@@ -63,7 +63,7 @@ __author__ = 'jcgregorio@google.com (Joe Gregorio)' - - import copy - --from oauth2client import util -+from third_party.oauth2client import util - - - class Schemas(object): diff --git a/third_party/google_api_python_client/README.chromium b/third_party/google_api_python_client/README.chromium index a7e95835e..eb7a00d0d 100644 --- a/third_party/google_api_python_client/README.chromium +++ b/third_party/google_api_python_client/README.chromium @@ -3,8 +3,4 @@ Version: v1.3.1 Revision: 49d45a6c3318b75e551c3022020f46c78655f365 License: Apache License, Version 2.0 (the "License") -Local modifications: -See also MODIFICATIONS.diff - -Notes: -Requires the httplib2 and oauth2client library. +No local changes diff --git a/third_party/google_api_python_client/apiclient/__init__.py b/third_party/google_api_python_client/apiclient/__init__.py index acb1a2393..5efb142e0 100644 --- a/third_party/google_api_python_client/apiclient/__init__.py +++ b/third_party/google_api_python_client/apiclient/__init__.py @@ -3,7 +3,7 @@ import googleapiclient try: - from third_party import oauth2client + import oauth2client except ImportError: raise RuntimeError( 'Previous version of google-api-python-client detected; due to a ' diff --git a/third_party/google_api_python_client/googleapiclient/channel.py b/third_party/google_api_python_client/googleapiclient/channel.py index 4626094a8..68a3b8919 100644 --- a/third_party/google_api_python_client/googleapiclient/channel.py +++ b/third_party/google_api_python_client/googleapiclient/channel.py @@ -60,7 +60,7 @@ import datetime import uuid from googleapiclient import errors -from third_party.oauth2client import util +from ...oauth2client import util # The unix time epoch starts at midnight 1970. diff --git a/third_party/google_api_python_client/googleapiclient/discovery.py b/third_party/google_api_python_client/googleapiclient/discovery.py index 0e9e5cf5a..3ddac5712 100644 --- a/third_party/google_api_python_client/googleapiclient/discovery.py +++ b/third_party/google_api_python_client/googleapiclient/discovery.py @@ -47,9 +47,9 @@ except ImportError: from cgi import parse_qsl # Third-party imports -from third_party import httplib2 -from third_party.uritemplate import uritemplate +from ... import httplib2 import mimeparse +from ... import uritemplate # Local imports from googleapiclient.errors import HttpError @@ -65,9 +65,9 @@ from googleapiclient.model import JsonModel from googleapiclient.model import MediaModel from googleapiclient.model import RawModel from googleapiclient.schema import Schemas -from third_party.oauth2client.client import GoogleCredentials -from third_party.oauth2client.util import _add_query_parameter -from third_party.oauth2client.util import positional +from oauth2client.client import GoogleCredentials +from oauth2client.util import _add_query_parameter +from oauth2client.util import positional # The client library requires a version of httplib2 that supports RETRIES. diff --git a/third_party/google_api_python_client/googleapiclient/errors.py b/third_party/google_api_python_client/googleapiclient/errors.py index 18c52e6e4..a1999fd50 100644 --- a/third_party/google_api_python_client/googleapiclient/errors.py +++ b/third_party/google_api_python_client/googleapiclient/errors.py @@ -24,7 +24,7 @@ __author__ = 'jcgregorio@google.com (Joe Gregorio)' import json -from third_party.oauth2client import util +from ...oauth2client import util class Error(Exception): diff --git a/third_party/google_api_python_client/googleapiclient/http.py b/third_party/google_api_python_client/googleapiclient/http.py index d2ce70c72..863827933 100644 --- a/third_party/google_api_python_client/googleapiclient/http.py +++ b/third_party/google_api_python_client/googleapiclient/http.py @@ -25,6 +25,7 @@ import StringIO import base64 import copy import gzip +import httplib2 import json import logging import mimeparse @@ -48,8 +49,7 @@ from errors import ResumableUploadError from errors import UnexpectedBodyError from errors import UnexpectedMethodError from model import JsonModel -from third_party import httplib2 -from third_party.oauth2client import util +from ...oauth2client import util DEFAULT_CHUNK_SIZE = 512*1024 diff --git a/third_party/google_api_python_client/googleapiclient/sample_tools.py b/third_party/google_api_python_client/googleapiclient/sample_tools.py index cc0790b96..cbd6d6f73 100644 --- a/third_party/google_api_python_client/googleapiclient/sample_tools.py +++ b/third_party/google_api_python_client/googleapiclient/sample_tools.py @@ -22,13 +22,13 @@ __all__ = ['init'] import argparse +import httplib2 import os from googleapiclient import discovery -from third_party import httplib2 -from third_party.oauth2client import client -from third_party.oauth2client import file -from third_party.oauth2client import tools +from ...oauth2client import client +from ...oauth2client import file +from ...oauth2client import tools def init(argv, name, version, doc, filename, scope=None, parents=[], discovery_filename=None): diff --git a/third_party/google_api_python_client/googleapiclient/schema.py b/third_party/google_api_python_client/googleapiclient/schema.py index 92543ec13..af413177f 100644 --- a/third_party/google_api_python_client/googleapiclient/schema.py +++ b/third_party/google_api_python_client/googleapiclient/schema.py @@ -63,7 +63,7 @@ __author__ = 'jcgregorio@google.com (Joe Gregorio)' import copy -from third_party.oauth2client import util +from oauth2client import util class Schemas(object): diff --git a/third_party/oauth2client/README.chromium b/third_party/oauth2client/README.chromium index bfc4a01f5..ea15b9636 100644 --- a/third_party/oauth2client/README.chromium +++ b/third_party/oauth2client/README.chromium @@ -1,7 +1,7 @@ Name: oauth2client Short Name: oauth2client -URL: https://pypi.python.org/packages/source/o/oauth2client/oauth2client-1.4.7.tar.gz -Version: 1.4.7 +URL: https://pypi.python.org/packages/source/o/oauth2client/oauth2client-1.2.tar.gz +Version: 1.2 License: Apache License 2.0 Description: diff --git a/third_party/oauth2client/__init__.py b/third_party/oauth2client/__init__.py index fea30cae9..ac847483d 100644 --- a/third_party/oauth2client/__init__.py +++ b/third_party/oauth2client/__init__.py @@ -1,8 +1,5 @@ -"""Client library for using OAuth2, especially with Google APIs.""" - -__version__ = '1.4.7' +__version__ = "1.2" GOOGLE_AUTH_URI = 'https://accounts.google.com/o/oauth2/auth' -GOOGLE_DEVICE_URI = 'https://accounts.google.com/o/oauth2/device/code' GOOGLE_REVOKE_URI = 'https://accounts.google.com/o/oauth2/revoke' -GOOGLE_TOKEN_URI = 'https://accounts.google.com/o/oauth2/token' \ No newline at end of file +GOOGLE_TOKEN_URI = 'https://accounts.google.com/o/oauth2/token' diff --git a/third_party/oauth2client/anyjson.py b/third_party/oauth2client/anyjson.py new file mode 100644 index 000000000..ae21c338b --- /dev/null +++ b/third_party/oauth2client/anyjson.py @@ -0,0 +1,32 @@ +# Copyright (C) 2010 Google Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +"""Utility module to import a JSON module + +Hides all the messy details of exactly where +we get a simplejson module from. +""" + +__author__ = 'jcgregorio@google.com (Joe Gregorio)' + + +try: # pragma: no cover + # Should work for Python2.6 and higher. + import json as simplejson +except ImportError: # pragma: no cover + try: + import simplejson + except ImportError: + # Try to import from django, should work on App Engine + from django.utils import simplejson diff --git a/third_party/oauth2client/appengine.py b/third_party/oauth2client/appengine.py index 4131513d1..5cd3f4baf 100644 --- a/third_party/oauth2client/appengine.py +++ b/third_party/oauth2client/appengine.py @@ -1,4 +1,4 @@ -# Copyright 2014 Google Inc. All rights reserved. +# Copyright (C) 2010 Google Inc. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -19,14 +19,14 @@ Utilities for making it easier to use OAuth 2.0 on Google App Engine. __author__ = 'jcgregorio@google.com (Joe Gregorio)' +import base64 import cgi -import json +import httplib2 import logging import os import pickle import threading - -import httplib2 +import time from google.appengine.api import app_identity from google.appengine.api import memcache @@ -41,6 +41,7 @@ from oauth2client import GOOGLE_TOKEN_URI from oauth2client import clientsecrets from oauth2client import util from oauth2client import xsrfutil +from oauth2client.anyjson import simplejson from oauth2client.client import AccessTokenRefreshError from oauth2client.client import AssertionCredentials from oauth2client.client import Credentials @@ -158,20 +159,15 @@ class AppAssertionCredentials(AssertionCredentials): Args: scope: string or iterable of strings, scope(s) of the credentials being requested. - **kwargs: optional keyword args, including: - service_account_id: service account id of the application. If None or - unspecified, the default service account for the app is used. """ self.scope = util.scopes_to_string(scope) - self._kwargs = kwargs - self.service_account_id = kwargs.get('service_account_id', None) # Assertion type is no longer used, but still in the parent class signature. super(AppAssertionCredentials, self).__init__(None) @classmethod - def from_json(cls, json_data): - data = json.loads(json_data) + def from_json(cls, json): + data = simplejson.loads(json) return AppAssertionCredentials(data['scope']) def _refresh(self, http_request): @@ -190,22 +186,11 @@ class AppAssertionCredentials(AssertionCredentials): """ try: scopes = self.scope.split() - (token, _) = app_identity.get_access_token( - scopes, service_account_id=self.service_account_id) - except app_identity.Error as e: + (token, _) = app_identity.get_access_token(scopes) + except app_identity.Error, e: raise AccessTokenRefreshError(str(e)) self.access_token = token - @property - def serialization_data(self): - raise NotImplementedError('Cannot serialize credentials for AppEngine.') - - def create_scoped_required(self): - return not self.scope - - def create_scoped(self, scopes): - return AppAssertionCredentials(scopes, **self._kwargs) - class FlowProperty(db.Property): """App Engine datastore Property for Flow. @@ -449,7 +434,6 @@ class StorageByKeyName(Storage): entity_key = db.Key.from_path(self._model.kind(), self._key_name) db.delete(entity_key) - @db.non_transactional(allow_existing=True) def locked_get(self): """Retrieve Credential from datastore. @@ -472,7 +456,6 @@ class StorageByKeyName(Storage): credentials.set_store(self) return credentials - @db.non_transactional(allow_existing=True) def locked_put(self, credentials): """Write a Credentials to the datastore. @@ -485,7 +468,6 @@ class StorageByKeyName(Storage): if self._cache: self._cache.set(self._key_name, credentials.to_json()) - @db.non_transactional(allow_existing=True) def locked_delete(self): """Delete Credential from datastore.""" @@ -571,14 +553,16 @@ class OAuth2Decorator(object): Instantiate and then use with oauth_required or oauth_aware as decorators on webapp.RequestHandler methods. - :: + Example: decorator = OAuth2Decorator( client_id='837...ent.com', client_secret='Qh...wwI', scope='https://www.googleapis.com/auth/plus') + class MainHandler(webapp.RequestHandler): + @decorator.oauth_required def get(self): http = decorator.http() @@ -666,9 +650,8 @@ class OAuth2Decorator(object): provided to this constructor. A string indicating the name of the field on the _credentials_class where a Credentials object will be stored. Defaults to 'credentials'. - **kwargs: dict, Keyword arguments are passed along as kwargs to - the OAuth2WebServerFlow constructor. - + **kwargs: dict, Keyword arguments are be passed along as kwargs to the + OAuth2WebServerFlow constructor. """ self._tls = threading.local() self.flow = None @@ -815,18 +798,14 @@ class OAuth2Decorator(object): url = self.flow.step1_get_authorize_url() return str(url) - def http(self, *args, **kwargs): + def http(self): """Returns an authorized http instance. Must only be called from within an @oauth_required decorated method, or from within an @oauth_aware decorated method where has_credentials() returns True. - - Args: - *args: Positional arguments passed to httplib2.Http constructor. - **kwargs: Positional arguments passed to httplib2.Http constructor. """ - return self.credentials.authorize(httplib2.Http(*args, **kwargs)) + return self.credentials.authorize(httplib2.Http()) @property def callback_path(self): @@ -845,8 +824,7 @@ class OAuth2Decorator(object): def callback_handler(self): """RequestHandler for the OAuth 2.0 redirect callback. - Usage:: - + Usage: app = webapp.WSGIApplication([ ('/index', MyIndexHandler), ..., @@ -880,7 +858,7 @@ class OAuth2Decorator(object): user) if decorator._token_response_param and credentials.token_response: - resp_json = json.dumps(credentials.token_response) + resp_json = simplejson.dumps(credentials.token_response) redirect_uri = util._add_query_parameter( redirect_uri, decorator._token_response_param, resp_json) @@ -909,23 +887,24 @@ class OAuth2DecoratorFromClientSecrets(OAuth2Decorator): Uses a clientsecrets file as the source for all the information when constructing an OAuth2Decorator. - :: + Example: decorator = OAuth2DecoratorFromClientSecrets( os.path.join(os.path.dirname(__file__), 'client_secrets.json') scope='https://www.googleapis.com/auth/plus') + class MainHandler(webapp.RequestHandler): + @decorator.oauth_required def get(self): http = decorator.http() # http is authorized with the user's Credentials and can be used # in API calls - """ @util.positional(3) - def __init__(self, filename, scope, message=None, cache=None, **kwargs): + def __init__(self, filename, scope, message=None, cache=None): """Constructor Args: @@ -938,20 +917,17 @@ class OAuth2DecoratorFromClientSecrets(OAuth2Decorator): decorator. cache: An optional cache service client that implements get() and set() methods. See clientsecrets.loadfile() for details. - **kwargs: dict, Keyword arguments are passed along as kwargs to - the OAuth2WebServerFlow constructor. """ client_type, client_info = clientsecrets.loadfile(filename, cache=cache) if client_type not in [ clientsecrets.TYPE_WEB, clientsecrets.TYPE_INSTALLED]: raise InvalidClientSecretsError( - "OAuth2Decorator doesn't support this OAuth 2.0 flow.") - constructor_kwargs = dict(kwargs) - constructor_kwargs.update({ - 'auth_uri': client_info['auth_uri'], - 'token_uri': client_info['token_uri'], - 'message': message, - }) + 'OAuth2Decorator doesn\'t support this OAuth 2.0 flow.') + constructor_kwargs = { + 'auth_uri': client_info['auth_uri'], + 'token_uri': client_info['token_uri'], + 'message': message, + } revoke_uri = client_info.get('revoke_uri') if revoke_uri is not None: constructor_kwargs['revoke_uri'] = revoke_uri @@ -984,4 +960,4 @@ def oauth2decorator_from_clientsecrets(filename, scope, """ return OAuth2DecoratorFromClientSecrets(filename, scope, - message=message, cache=cache) \ No newline at end of file + message=message, cache=cache) diff --git a/third_party/oauth2client/client.py b/third_party/oauth2client/client.py index 8fe28a30d..6901f3f38 100644 --- a/third_party/oauth2client/client.py +++ b/third_party/oauth2client/client.py @@ -1,4 +1,4 @@ -# Copyright 2014 Google Inc. All rights reserved. +# Copyright (C) 2010 Google Inc. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -20,48 +20,44 @@ Tools for interacting with OAuth 2.0 protected resources. __author__ = 'jcgregorio@google.com (Joe Gregorio)' import base64 -import collections +import clientsecrets import copy import datetime -import json +from .. import httplib2 import logging -import os -import socket import sys -import tempfile import time -import shutil +import urllib +import urlparse -from .. import httplib2 -from . import clientsecrets from . import GOOGLE_AUTH_URI -from . import GOOGLE_DEVICE_URI from . import GOOGLE_REVOKE_URI from . import GOOGLE_TOKEN_URI from . import util -from third_party import six -from third_party.six.moves import urllib +from .anyjson import simplejson HAS_OPENSSL = False HAS_CRYPTO = False try: - from oauth2client import crypt + from . import crypt HAS_CRYPTO = True if crypt.OpenSSLVerifier is not None: HAS_OPENSSL = True except ImportError: pass +try: + from urlparse import parse_qsl +except ImportError: + from cgi import parse_qsl + logger = logging.getLogger(__name__) # Expiry is stored in RFC3339 UTC format EXPIRY_FORMAT = '%Y-%m-%dT%H:%M:%SZ' # Which certs to use to validate id_tokens received. -ID_TOKEN_VERIFICATION_CERTS = 'https://www.googleapis.com/oauth2/v1/certs' -# This symbol previously had a typo in the name; we keep the old name -# around for now, but will remove it in the future. -ID_TOKEN_VERIFICATON_CERTS = ID_TOKEN_VERIFICATION_CERTS +ID_TOKEN_VERIFICATON_CERTS = 'https://www.googleapis.com/oauth2/v1/certs' # Constant to use for the out of band OAuth 2.0 flow. OOB_CALLBACK_URN = 'urn:ietf:wg:oauth:2.0:oob' @@ -69,42 +65,6 @@ OOB_CALLBACK_URN = 'urn:ietf:wg:oauth:2.0:oob' # Google Data client libraries may need to set this to [401, 403]. REFRESH_STATUS_CODES = [401] -# The value representing user credentials. -AUTHORIZED_USER = 'authorized_user' - -# The value representing service account credentials. -SERVICE_ACCOUNT = 'service_account' - -# The environment variable pointing the file with local -# Application Default Credentials. -GOOGLE_APPLICATION_CREDENTIALS = 'GOOGLE_APPLICATION_CREDENTIALS' -# The ~/.config subdirectory containing gcloud credentials. Intended -# to be swapped out in tests. -_CLOUDSDK_CONFIG_DIRECTORY = 'gcloud' - -# The error message we show users when we can't find the Application -# Default Credentials. -ADC_HELP_MSG = ( - 'The Application Default Credentials are not available. They are available ' - 'if running in Google Compute Engine. Otherwise, the environment variable ' - + GOOGLE_APPLICATION_CREDENTIALS + - ' must be defined pointing to a file defining the credentials. See ' - 'https://developers.google.com/accounts/docs/application-default-credentials' # pylint:disable=line-too-long - ' for more information.') - -# The access token along with the seconds in which it expires. -AccessTokenInfo = collections.namedtuple( - 'AccessTokenInfo', ['access_token', 'expires_in']) - -DEFAULT_ENV_NAME = 'UNKNOWN' - -# If set to True _get_environment avoid GCE check (_detect_gce_environment) -NO_GCE_CHECK = os.environ.setdefault('NO_GCE_CHECK', 'False') - -class SETTINGS(object): - """Settings namespace for globally defined values.""" - env_name = None - class Error(Exception): """Base error for this module.""" @@ -131,25 +91,13 @@ class AccessTokenCredentialsError(Error): class VerifyJwtTokenError(Error): - """Could not retrieve certificates for validation.""" + """Could on retrieve certificates for validation.""" class NonAsciiHeaderError(Error): """Header names and values must be ASCII strings.""" -class ApplicationDefaultCredentialsError(Error): - """Error retrieving the Application Default Credentials.""" - - -class OAuth2DeviceCodeError(Error): - """Error trying to retrieve a device code.""" - - -class CryptoUnavailableError(Error, NotImplementedError): - """Raised when a crypto library is required, but none is available.""" - - def _abstract(): raise NotImplementedError('You need to override this function') @@ -177,12 +125,11 @@ class Credentials(object): an HTTP transport. Subclasses must also specify a classmethod named 'from_json' that takes a JSON - string as input and returns an instantiated Credentials object. + string as input and returns an instaniated Credentials object. """ NON_SERIALIZED_MEMBERS = ['store'] - def authorize(self, http): """Take an httplib2.Http instance (or equivalent) and authorizes it. @@ -196,7 +143,6 @@ class Credentials(object): """ _abstract() - def refresh(self, http): """Forces a refresh of the access_token. @@ -206,7 +152,6 @@ class Credentials(object): """ _abstract() - def revoke(self, http): """Revokes a refresh_token and makes the credentials void. @@ -216,7 +161,6 @@ class Credentials(object): """ _abstract() - def apply(self, headers): """Add the authorization to the headers. @@ -240,16 +184,12 @@ class Credentials(object): for member in strip: if member in d: del d[member] - if (d.get('token_expiry') and - isinstance(d['token_expiry'], datetime.datetime)): + if 'token_expiry' in d and isinstance(d['token_expiry'], datetime.datetime): d['token_expiry'] = d['token_expiry'].strftime(EXPIRY_FORMAT) # Add in information we will need later to reconsistitue this instance. d['_class'] = t.__name__ d['_module'] = t.__module__ - for key, val in d.items(): - if isinstance(val, bytes): - d[key] = val.decode('utf-8') - return json.dumps(d) + return simplejson.dumps(d) def to_json(self): """Creating a JSON representation of an instance of Credentials. @@ -272,16 +212,14 @@ class Credentials(object): An instance of the subclass of Credentials that was serialized with to_json(). """ - if six.PY3 and isinstance(s, bytes): - s = s.decode('utf-8') - data = json.loads(s) + data = simplejson.loads(s) # Find and call the right classmethod from_json() to restore the object. module = data['_module'] try: m = __import__(module) except ImportError: # In case there's an object from the old package structure, update it - module = module.replace('.googleapiclient', '') + module = module.replace('.apiclient', '') m = __import__(module) m = __import__(module, fromlist=module.split('.')[:-1]) @@ -290,13 +228,13 @@ class Credentials(object): return from_json(s) @classmethod - def from_json(cls, unused_data): + def from_json(cls, s): """Instantiate a Credentials object from a JSON description of it. The JSON should have been produced by calling .to_json() on the object. Args: - unused_data: dict, A deserialized JSON object. + data: dict, A deserialized JSON object. Returns: An instance of a Credentials subclass. @@ -418,10 +356,8 @@ def clean_headers(headers): """ clean = {} try: - for k, v in six.iteritems(headers): - clean_k = k if isinstance(k, bytes) else str(k).encode('ascii') - clean_v = v if isinstance(v, bytes) else str(v).encode('ascii') - clean[clean_k] = clean_v + for k, v in headers.iteritems(): + clean[str(k)] = str(v) except UnicodeEncodeError: raise NonAsciiHeaderError(k + ': ' + v) return clean @@ -437,11 +373,11 @@ def _update_query_params(uri, params): Returns: The same URI but with the new query parameters added. """ - parts = urllib.parse.urlparse(uri) - query_params = dict(urllib.parse.parse_qsl(parts.query)) + parts = list(urlparse.urlparse(uri)) + query_params = dict(parse_qsl(parts[4])) # 4 is the index of the query part query_params.update(params) - new_parts = parts._replace(query=urllib.parse.urlencode(query_params)) - return urllib.parse.urlunparse(new_parts) + parts[4] = urllib.urlencode(query_params) + return urlparse.urlunparse(parts) class OAuth2Credentials(Credentials): @@ -509,23 +445,22 @@ class OAuth2Credentials(Credentials): it. Args: - http: An instance of ``httplib2.Http`` or something that acts - like it. + http: An instance of httplib2.Http + or something that acts like it. Returns: A modified instance of http that was passed in. - Example:: + Example: h = httplib2.Http() h = credentials.authorize(h) - You can't create a new OAuth subclass of httplib2.Authentication + You can't create a new OAuth subclass of httplib2.Authenication because it never gets passed the absolute URI, which is needed for signing. So instead we have to overload 'request' with a closure that adds in the Authorization header and then calls the original version of 'request()'. - """ request_orig = http.request @@ -538,12 +473,10 @@ class OAuth2Credentials(Credentials): logger.info('Attempting refresh to obtain initial access_token') self._refresh(request_orig) - # Clone and modify the request headers to add the appropriate + # Modify the request headers to add the appropriate # Authorization header. if headers is None: headers = {} - else: - headers = dict(headers) self.apply(headers) if self.user_agent is not None: @@ -556,7 +489,7 @@ class OAuth2Credentials(Credentials): redirections, connection_type) if resp.status in REFRESH_STATUS_CODES: - logger.info('Refreshing due to a %s', resp.status) + logger.info('Refreshing due to a %s' % str(resp.status)) self._refresh(request_orig) self.apply(headers) return request_orig(uri, method, body, clean_headers(headers), @@ -612,15 +545,13 @@ class OAuth2Credentials(Credentials): Returns: An instance of a Credentials subclass. """ - if six.PY3 and isinstance(s, bytes): - s = s.decode('utf-8') - data = json.loads(s) - if (data.get('token_expiry') and - not isinstance(data['token_expiry'], datetime.datetime)): + data = simplejson.loads(s) + if 'token_expiry' in data and not isinstance(data['token_expiry'], + datetime.datetime): try: data['token_expiry'] = datetime.datetime.strptime( data['token_expiry'], EXPIRY_FORMAT) - except ValueError: + except: data['token_expiry'] = None retval = cls( data['access_token'], @@ -655,24 +586,11 @@ class OAuth2Credentials(Credentials): return True return False - def get_access_token(self, http=None): - """Return the access token and its expiration information. - - If the token does not exist, get one. - If the token expired, refresh it. - """ - if not self.access_token or self.access_token_expired: - if not http: - http = httplib2.Http() - self.refresh(http) - return AccessTokenInfo(access_token=self.access_token, - expires_in=self._expires_in()) - def set_store(self, store): """Set the Storage for the credential. Args: - store: Storage, an implementation of Storage object. + store: Storage, an implementation of Stroage object. This is needed to store the latest access_token if it has expired and been refreshed. This implementation uses locking to check for updates before updating the @@ -680,25 +598,6 @@ class OAuth2Credentials(Credentials): """ self.store = store - def _expires_in(self): - """Return the number of seconds until this token expires. - - If token_expiry is in the past, this method will return 0, meaning the - token has already expired. - If token_expiry is None, this method will return None. Note that returning - 0 in such a case would not be fair: the token may still be valid; - we just don't know anything about it. - """ - if self.token_expiry: - now = datetime.datetime.utcnow() - if self.token_expiry > now: - time_delta = self.token_expiry - now - # TODO(orestica): return time_delta.total_seconds() - # once dropping support for Python 2.6 - return time_delta.days * 86400 + time_delta.seconds - else: - return 0 - def _updateFromCredential(self, other): """Update this Credential from another instance.""" self.__dict__.update(other.__getstate__()) @@ -716,7 +615,7 @@ class OAuth2Credentials(Credentials): def _generate_refresh_request_body(self): """Generate the body that will be used in the refresh request.""" - body = urllib.parse.urlencode({ + body = urllib.urlencode({ 'grant_type': 'refresh_token', 'client_id': self.client_id, 'client_secret': self.client_secret, @@ -780,10 +679,9 @@ class OAuth2Credentials(Credentials): logger.info('Refreshing access_token') resp, content = http_request( self.token_uri, method='POST', body=body, headers=headers) - if six.PY3 and isinstance(content, bytes): - content = content.decode('utf-8') if resp.status == 200: - d = json.loads(content) + # TODO(jcgregorio) Raise an error if loads fails? + d = simplejson.loads(content) self.token_response = d self.access_token = d['access_token'] self.refresh_token = d.get('refresh_token', self.refresh_token) @@ -792,40 +690,35 @@ class OAuth2Credentials(Credentials): seconds=int(d['expires_in'])) + datetime.datetime.utcnow() else: self.token_expiry = None - # On temporary refresh errors, the user does not actually have to - # re-authorize, so we unflag here. - self.invalid = False if self.store: self.store.locked_put(self) else: # An {'error':...} response body means the token is expired or revoked, # so we flag the credentials as such. - logger.info('Failed to retrieve access token: %s', content) + logger.info('Failed to retrieve access token: %s' % content) error_msg = 'Invalid response %s.' % resp['status'] try: - d = json.loads(content) + d = simplejson.loads(content) if 'error' in d: error_msg = d['error'] - if 'error_description' in d: - error_msg += ': ' + d['error_description'] self.invalid = True if self.store: self.store.locked_put(self) - except (TypeError, ValueError): + except StandardError: pass raise AccessTokenRefreshError(error_msg) def _revoke(self, http_request): - """Revokes this credential and deletes the stored copy (if it exists). + """Revokes the refresh_token and deletes the store if available. Args: http_request: callable, a callable that matches the method signature of httplib2.Http.request, used to make the revoke request. """ - self._do_revoke(http_request, self.refresh_token or self.access_token) + self._do_revoke(http_request, self.refresh_token) def _do_revoke(self, http_request, token): - """Revokes this credential and deletes the stored copy (if it exists). + """Revokes the credentials and deletes the store if available. Args: http_request: callable, a callable that matches the method signature of @@ -845,10 +738,10 @@ class OAuth2Credentials(Credentials): else: error_msg = 'Invalid response %s.' % resp.status try: - d = json.loads(content) + d = simplejson.loads(content) if 'error' in d: error_msg = d['error'] - except (TypeError, ValueError): + except StandardError: pass raise TokenRevokeError(error_msg) @@ -870,8 +763,7 @@ class AccessTokenCredentials(OAuth2Credentials): AccessTokenCredentials objects may be safely pickled and unpickled. - Usage:: - + Usage: credentials = AccessTokenCredentials('', 'my-user-agent/1.0') http = httplib2.Http() @@ -907,12 +799,10 @@ class AccessTokenCredentials(OAuth2Credentials): @classmethod def from_json(cls, s): - if six.PY3 and isinstance(s, bytes): - s = s.decode('utf-8') - data = json.loads(s) + data = simplejson.loads(s) retval = AccessTokenCredentials( - data['access_token'], - data['user_agent']) + data['access_token'], + data['user_agent']) return retval def _refresh(self, http_request): @@ -929,434 +819,7 @@ class AccessTokenCredentials(OAuth2Credentials): self._do_revoke(http_request, self.access_token) -def _detect_gce_environment(urlopen=None): - """Determine if the current environment is Compute Engine. - - Args: - urlopen: Optional argument. Function used to open a connection to a URL. - - Returns: - Boolean indicating whether or not the current environment is Google - Compute Engine. - """ - urlopen = urlopen or urllib.request.urlopen - # Note: the explicit `timeout` below is a workaround. The underlying - # issue is that resolving an unknown host on some networks will take - # 20-30 seconds; making this timeout short fixes the issue, but - # could lead to false negatives in the event that we are on GCE, but - # the metadata resolution was particularly slow. The latter case is - # "unlikely". - try: - response = urlopen('http://169.254.169.254/', timeout=1) - return response.info().get('Metadata-Flavor', '') == 'Google' - except socket.timeout: - logger.info('Timeout attempting to reach GCE metadata service.') - return False - except urllib.error.URLError as e: - if isinstance(getattr(e, 'reason', None), socket.timeout): - logger.info('Timeout attempting to reach GCE metadata service.') - return False - - -def _get_environment(urlopen=None): - """Detect the environment the code is being run on. - - Args: - urlopen: Optional argument. Function used to open a connection to a URL. - - Returns: - The value of SETTINGS.env_name after being set. If already - set, simply returns the value. - """ - if SETTINGS.env_name is not None: - return SETTINGS.env_name - - # None is an unset value, not the default. - SETTINGS.env_name = DEFAULT_ENV_NAME - - server_software = os.environ.get('SERVER_SOFTWARE', '') - if server_software.startswith('Google App Engine/'): - SETTINGS.env_name = 'GAE_PRODUCTION' - elif server_software.startswith('Development/'): - SETTINGS.env_name = 'GAE_LOCAL' - elif NO_GCE_CHECK != 'True' and _detect_gce_environment(urlopen=urlopen): - SETTINGS.env_name = 'GCE_PRODUCTION' - - return SETTINGS.env_name - - -class GoogleCredentials(OAuth2Credentials): - """Application Default Credentials for use in calling Google APIs. - - The Application Default Credentials are being constructed as a function of - the environment where the code is being run. - More details can be found on this page: - https://developers.google.com/accounts/docs/application-default-credentials - - Here is an example of how to use the Application Default Credentials for a - service that requires authentication: - - from googleapiclient.discovery import build - from oauth2client.client import GoogleCredentials - - credentials = GoogleCredentials.get_application_default() - service = build('compute', 'v1', credentials=credentials) - - PROJECT = 'bamboo-machine-422' - ZONE = 'us-central1-a' - request = service.instances().list(project=PROJECT, zone=ZONE) - response = request.execute() - - print(response) - """ - - def __init__(self, access_token, client_id, client_secret, refresh_token, - token_expiry, token_uri, user_agent, - revoke_uri=GOOGLE_REVOKE_URI): - """Create an instance of GoogleCredentials. - - This constructor is not usually called by the user, instead - GoogleCredentials objects are instantiated by - GoogleCredentials.from_stream() or - GoogleCredentials.get_application_default(). - - Args: - access_token: string, access token. - client_id: string, client identifier. - client_secret: string, client secret. - refresh_token: string, refresh token. - token_expiry: datetime, when the access_token expires. - token_uri: string, URI of token endpoint. - user_agent: string, The HTTP User-Agent to provide for this application. - revoke_uri: string, URI for revoke endpoint. - Defaults to GOOGLE_REVOKE_URI; a token can't be revoked if this is None. - """ - super(GoogleCredentials, self).__init__( - access_token, client_id, client_secret, refresh_token, token_expiry, - token_uri, user_agent, revoke_uri=revoke_uri) - - def create_scoped_required(self): - """Whether this Credentials object is scopeless. - - create_scoped(scopes) method needs to be called in order to create - a Credentials object for API calls. - """ - return False - - def create_scoped(self, scopes): - """Create a Credentials object for the given scopes. - - The Credentials type is preserved. - """ - return self - - @property - def serialization_data(self): - """Get the fields and their values identifying the current credentials.""" - return { - 'type': 'authorized_user', - 'client_id': self.client_id, - 'client_secret': self.client_secret, - 'refresh_token': self.refresh_token - } - - @staticmethod - def _implicit_credentials_from_gae(env_name=None): - """Attempts to get implicit credentials in Google App Engine env. - - If the current environment is not detected as App Engine, returns None, - indicating no Google App Engine credentials can be detected from the - current environment. - - Args: - env_name: String, indicating current environment. - - Returns: - None, if not in GAE, else an appengine.AppAssertionCredentials object. - """ - env_name = env_name or _get_environment() - if env_name not in ('GAE_PRODUCTION', 'GAE_LOCAL'): - return None - - return _get_application_default_credential_GAE() - - @staticmethod - def _implicit_credentials_from_gce(env_name=None): - """Attempts to get implicit credentials in Google Compute Engine env. - - If the current environment is not detected as Compute Engine, returns None, - indicating no Google Compute Engine credentials can be detected from the - current environment. - - Args: - env_name: String, indicating current environment. - - Returns: - None, if not in GCE, else a gce.AppAssertionCredentials object. - """ - env_name = env_name or _get_environment() - if env_name != 'GCE_PRODUCTION': - return None - - return _get_application_default_credential_GCE() - - @staticmethod - def _implicit_credentials_from_files(env_name=None): - """Attempts to get implicit credentials from local credential files. - - First checks if the environment variable GOOGLE_APPLICATION_CREDENTIALS - is set with a filename and then falls back to a configuration file (the - "well known" file) associated with the 'gcloud' command line tool. - - Args: - env_name: Unused argument. - - Returns: - Credentials object associated with the GOOGLE_APPLICATION_CREDENTIALS - file or the "well known" file if either exist. If neither file is - define, returns None, indicating no credentials from a file can - detected from the current environment. - """ - credentials_filename = _get_environment_variable_file() - if not credentials_filename: - credentials_filename = _get_well_known_file() - if os.path.isfile(credentials_filename): - extra_help = (' (produced automatically when running' - ' "gcloud auth login" command)') - else: - credentials_filename = None - else: - extra_help = (' (pointed to by ' + GOOGLE_APPLICATION_CREDENTIALS + - ' environment variable)') - - if not credentials_filename: - return - - try: - return _get_application_default_credential_from_file(credentials_filename) - except (ApplicationDefaultCredentialsError, ValueError) as error: - _raise_exception_for_reading_json(credentials_filename, extra_help, error) - - @classmethod - def _get_implicit_credentials(cls): - """Gets credentials implicitly from the environment. - - Checks environment in order of precedence: - - Google App Engine (production and testing) - - Environment variable GOOGLE_APPLICATION_CREDENTIALS pointing to - a file with stored credentials information. - - Stored "well known" file associated with `gcloud` command line tool. - - Google Compute Engine production environment. - - Exceptions: - ApplicationDefaultCredentialsError: raised when the credentials fail - to be retrieved. - """ - env_name = _get_environment() - - # Environ checks (in order). Assumes each checker takes `env_name` - # as a kwarg. - environ_checkers = [ - cls._implicit_credentials_from_gae, - cls._implicit_credentials_from_files, - cls._implicit_credentials_from_gce, - ] - - for checker in environ_checkers: - credentials = checker(env_name=env_name) - if credentials is not None: - return credentials - - # If no credentials, fail. - raise ApplicationDefaultCredentialsError(ADC_HELP_MSG) - - @staticmethod - def get_application_default(): - """Get the Application Default Credentials for the current environment. - - Exceptions: - ApplicationDefaultCredentialsError: raised when the credentials fail - to be retrieved. - """ - return GoogleCredentials._get_implicit_credentials() - - @staticmethod - def from_stream(credential_filename): - """Create a Credentials object by reading the information from a given file. - - It returns an object of type GoogleCredentials. - - Args: - credential_filename: the path to the file from where the credentials - are to be read - - Exceptions: - ApplicationDefaultCredentialsError: raised when the credentials fail - to be retrieved. - """ - - if credential_filename and os.path.isfile(credential_filename): - try: - return _get_application_default_credential_from_file( - credential_filename) - except (ApplicationDefaultCredentialsError, ValueError) as error: - extra_help = ' (provided as parameter to the from_stream() method)' - _raise_exception_for_reading_json(credential_filename, - extra_help, - error) - else: - raise ApplicationDefaultCredentialsError( - 'The parameter passed to the from_stream() ' - 'method should point to a file.') - - -def _save_private_file(filename, json_contents): - """Saves a file with read-write permissions on for the owner. - - Args: - filename: String. Absolute path to file. - json_contents: JSON serializable object to be saved. - """ - temp_filename = tempfile.mktemp() - file_desc = os.open(temp_filename, os.O_WRONLY | os.O_CREAT, 0o600) - with os.fdopen(file_desc, 'w') as file_handle: - json.dump(json_contents, file_handle, sort_keys=True, - indent=2, separators=(',', ': ')) - shutil.move(temp_filename, filename) - - -def save_to_well_known_file(credentials, well_known_file=None): - """Save the provided GoogleCredentials to the well known file. - - Args: - credentials: - the credentials to be saved to the well known file; - it should be an instance of GoogleCredentials - well_known_file: - the name of the file where the credentials are to be saved; - this parameter is supposed to be used for testing only - """ - # TODO(orestica): move this method to tools.py - # once the argparse import gets fixed (it is not present in Python 2.6) - - if well_known_file is None: - well_known_file = _get_well_known_file() - - credentials_data = credentials.serialization_data - _save_private_file(well_known_file, credentials_data) - - -def _get_environment_variable_file(): - application_default_credential_filename = ( - os.environ.get(GOOGLE_APPLICATION_CREDENTIALS, - None)) - - if application_default_credential_filename: - if os.path.isfile(application_default_credential_filename): - return application_default_credential_filename - else: - raise ApplicationDefaultCredentialsError( - 'File ' + application_default_credential_filename + ' (pointed by ' + - GOOGLE_APPLICATION_CREDENTIALS + - ' environment variable) does not exist!') - - -def _get_well_known_file(): - """Get the well known file produced by command 'gcloud auth login'.""" - # TODO(orestica): Revisit this method once gcloud provides a better way - # of pinpointing the exact location of the file. - - WELL_KNOWN_CREDENTIALS_FILE = 'application_default_credentials.json' - - if os.name == 'nt': - try: - default_config_path = os.path.join(os.environ['APPDATA'], - _CLOUDSDK_CONFIG_DIRECTORY) - except KeyError: - # This should never happen unless someone is really messing with things. - drive = os.environ.get('SystemDrive', 'C:') - default_config_path = os.path.join(drive, '\\', - _CLOUDSDK_CONFIG_DIRECTORY) - else: - default_config_path = os.path.join(os.path.expanduser('~'), - '.config', - _CLOUDSDK_CONFIG_DIRECTORY) - - default_config_path = os.path.join(default_config_path, - WELL_KNOWN_CREDENTIALS_FILE) - - return default_config_path - - -def _get_application_default_credential_from_file(filename): - """Build the Application Default Credentials from file.""" - - from oauth2client import service_account - - # read the credentials from the file - with open(filename) as file_obj: - client_credentials = json.load(file_obj) - - credentials_type = client_credentials.get('type') - if credentials_type == AUTHORIZED_USER: - required_fields = set(['client_id', 'client_secret', 'refresh_token']) - elif credentials_type == SERVICE_ACCOUNT: - required_fields = set(['client_id', 'client_email', 'private_key_id', - 'private_key']) - else: - raise ApplicationDefaultCredentialsError( - "'type' field should be defined (and have one of the '" + - AUTHORIZED_USER + "' or '" + SERVICE_ACCOUNT + "' values)") - - missing_fields = required_fields.difference(client_credentials.keys()) - - if missing_fields: - _raise_exception_for_missing_fields(missing_fields) - - if client_credentials['type'] == AUTHORIZED_USER: - return GoogleCredentials( - access_token=None, - client_id=client_credentials['client_id'], - client_secret=client_credentials['client_secret'], - refresh_token=client_credentials['refresh_token'], - token_expiry=None, - token_uri=GOOGLE_TOKEN_URI, - user_agent='Python client library') - else: # client_credentials['type'] == SERVICE_ACCOUNT - return service_account._ServiceAccountCredentials( - service_account_id=client_credentials['client_id'], - service_account_email=client_credentials['client_email'], - private_key_id=client_credentials['private_key_id'], - private_key_pkcs8_text=client_credentials['private_key'], - scopes=[]) - - -def _raise_exception_for_missing_fields(missing_fields): - raise ApplicationDefaultCredentialsError( - 'The following field(s) must be defined: ' + ', '.join(missing_fields)) - - -def _raise_exception_for_reading_json(credential_file, - extra_help, - error): - raise ApplicationDefaultCredentialsError( - 'An error was encountered while reading json file: '+ - credential_file + extra_help + ': ' + str(error)) - - -def _get_application_default_credential_GAE(): - from oauth2client.appengine import AppAssertionCredentials - - return AppAssertionCredentials([]) - - -def _get_application_default_credential_GCE(): - from oauth2client.gce import AppAssertionCredentials - - return AppAssertionCredentials([]) - - -class AssertionCredentials(GoogleCredentials): +class AssertionCredentials(OAuth2Credentials): """Abstract Credentials object used for OAuth 2.0 assertion grants. This credential does not require a flow to instantiate because it @@ -1396,7 +859,7 @@ class AssertionCredentials(GoogleCredentials): def _generate_refresh_request_body(self): assertion = self._generate_assertion() - body = urllib.parse.urlencode({ + body = urllib.urlencode({ 'assertion': assertion, 'grant_type': 'urn:ietf:params:oauth:grant-type:jwt-bearer', }) @@ -1419,157 +882,141 @@ class AssertionCredentials(GoogleCredentials): self._do_revoke(http_request, self.access_token) -def _RequireCryptoOrDie(): - """Ensure we have a crypto library, or throw CryptoUnavailableError. - - The oauth2client.crypt module requires either PyCrypto or PyOpenSSL - to be available in order to function, but these are optional - dependencies. - """ - if not HAS_CRYPTO: - raise CryptoUnavailableError('No crypto library available') +if HAS_CRYPTO: + # PyOpenSSL and PyCrypto are not prerequisites for oauth2client, so if it is + # missing then don't create the SignedJwtAssertionCredentials or the + # verify_id_token() method. + class SignedJwtAssertionCredentials(AssertionCredentials): + """Credentials object used for OAuth 2.0 Signed JWT assertion grants. -class SignedJwtAssertionCredentials(AssertionCredentials): - """Credentials object used for OAuth 2.0 Signed JWT assertion grants. - - This credential does not require a flow to instantiate because it - represents a two legged flow, and therefore has all of the required - information to generate and refresh its own access tokens. - - SignedJwtAssertionCredentials requires either PyOpenSSL, or PyCrypto - 2.6 or later. For App Engine you may also consider using - AppAssertionCredentials. - """ - - MAX_TOKEN_LIFETIME_SECS = 3600 # 1 hour in seconds - - @util.positional(4) - def __init__(self, - service_account_name, - private_key, - scope, - private_key_password='notasecret', - user_agent=None, - token_uri=GOOGLE_TOKEN_URI, - revoke_uri=GOOGLE_REVOKE_URI, - **kwargs): - """Constructor for SignedJwtAssertionCredentials. - - Args: - service_account_name: string, id for account, usually an email address. - private_key: string, private key in PKCS12 or PEM format. - scope: string or iterable of strings, scope(s) of the credentials being - requested. - private_key_password: string, password for private_key, unused if - private_key is in PEM format. - user_agent: string, HTTP User-Agent to provide for this application. - token_uri: string, URI for token endpoint. For convenience - defaults to Google's endpoints but any OAuth 2.0 provider can be used. - revoke_uri: string, URI for revoke endpoint. - kwargs: kwargs, Additional parameters to add to the JWT token, for - example sub=joe@xample.org. + This credential does not require a flow to instantiate because it represents + a two legged flow, and therefore has all of the required information to + generate and refresh its own access tokens. - Raises: - CryptoUnavailableError if no crypto library is available. + SignedJwtAssertionCredentials requires either PyOpenSSL, or PyCrypto 2.6 or + later. For App Engine you may also consider using AppAssertionCredentials. """ - _RequireCryptoOrDie() - super(SignedJwtAssertionCredentials, self).__init__( - None, - user_agent=user_agent, - token_uri=token_uri, - revoke_uri=revoke_uri, - ) - - self.scope = util.scopes_to_string(scope) - - # Keep base64 encoded so it can be stored in JSON. - self.private_key = base64.b64encode(private_key) - if isinstance(self.private_key, six.text_type): - self.private_key = self.private_key.encode('utf-8') - self.private_key_password = private_key_password - self.service_account_name = service_account_name - self.kwargs = kwargs + MAX_TOKEN_LIFETIME_SECS = 3600 # 1 hour in seconds - @classmethod - def from_json(cls, s): - data = json.loads(s) - retval = SignedJwtAssertionCredentials( - data['service_account_name'], - base64.b64decode(data['private_key']), - data['scope'], - private_key_password=data['private_key_password'], - user_agent=data['user_agent'], - token_uri=data['token_uri'], - **data['kwargs'] - ) - retval.invalid = data['invalid'] - retval.access_token = data['access_token'] - return retval - - def _generate_assertion(self): - """Generate the assertion that will be used in the request.""" - now = int(time.time()) - payload = { - 'aud': self.token_uri, - 'scope': self.scope, - 'iat': now, - 'exp': now + SignedJwtAssertionCredentials.MAX_TOKEN_LIFETIME_SECS, - 'iss': self.service_account_name - } - payload.update(self.kwargs) - logger.debug(str(payload)) + @util.positional(4) + def __init__(self, + service_account_name, + private_key, + scope, + private_key_password='notasecret', + user_agent=None, + token_uri=GOOGLE_TOKEN_URI, + revoke_uri=GOOGLE_REVOKE_URI, + **kwargs): + """Constructor for SignedJwtAssertionCredentials. + + Args: + service_account_name: string, id for account, usually an email address. + private_key: string, private key in PKCS12 or PEM format. + scope: string or iterable of strings, scope(s) of the credentials being + requested. + private_key_password: string, password for private_key, unused if + private_key is in PEM format. + user_agent: string, HTTP User-Agent to provide for this application. + token_uri: string, URI for token endpoint. For convenience + defaults to Google's endpoints but any OAuth 2.0 provider can be used. + revoke_uri: string, URI for revoke endpoint. + kwargs: kwargs, Additional parameters to add to the JWT token, for + example sub=joe@xample.org.""" + + super(SignedJwtAssertionCredentials, self).__init__( + None, + user_agent=user_agent, + token_uri=token_uri, + revoke_uri=revoke_uri, + ) + + self.scope = util.scopes_to_string(scope) + + # Keep base64 encoded so it can be stored in JSON. + self.private_key = base64.b64encode(private_key) + + self.private_key_password = private_key_password + self.service_account_name = service_account_name + self.kwargs = kwargs + + @classmethod + def from_json(cls, s): + data = simplejson.loads(s) + retval = SignedJwtAssertionCredentials( + data['service_account_name'], + base64.b64decode(data['private_key']), + data['scope'], + private_key_password=data['private_key_password'], + user_agent=data['user_agent'], + token_uri=data['token_uri'], + **data['kwargs'] + ) + retval.invalid = data['invalid'] + retval.access_token = data['access_token'] + return retval + + def _generate_assertion(self): + """Generate the assertion that will be used in the request.""" + now = long(time.time()) + payload = { + 'aud': self.token_uri, + 'scope': self.scope, + 'iat': now, + 'exp': now + SignedJwtAssertionCredentials.MAX_TOKEN_LIFETIME_SECS, + 'iss': self.service_account_name + } + payload.update(self.kwargs) + logger.debug(str(payload)) - private_key = base64.b64decode(self.private_key) - return crypt.make_signed_jwt(crypt.Signer.from_string( - private_key, self.private_key_password), payload) + private_key = base64.b64decode(self.private_key) + return crypt.make_signed_jwt(crypt.Signer.from_string( + private_key, self.private_key_password), payload) -# Only used in verify_id_token(), which is always calling to the same URI -# for the certs. -_cached_http = httplib2.Http(MemoryCache()) + # Only used in verify_id_token(), which is always calling to the same URI + # for the certs. + _cached_http = httplib2.Http(MemoryCache()) -@util.positional(2) -def verify_id_token(id_token, audience, http=None, - cert_uri=ID_TOKEN_VERIFICATION_CERTS): - """Verifies a signed JWT id_token. + @util.positional(2) + def verify_id_token(id_token, audience, http=None, + cert_uri=ID_TOKEN_VERIFICATON_CERTS): + """Verifies a signed JWT id_token. - This function requires PyOpenSSL and because of that it does not work on - App Engine. + This function requires PyOpenSSL and because of that it does not work on + App Engine. - Args: - id_token: string, A Signed JWT. - audience: string, The audience 'aud' that the token should be for. - http: httplib2.Http, instance to use to make the HTTP request. Callers - should supply an instance that has caching enabled. - cert_uri: string, URI of the certificates in JSON format to - verify the JWT against. + Args: + id_token: string, A Signed JWT. + audience: string, The audience 'aud' that the token should be for. + http: httplib2.Http, instance to use to make the HTTP request. Callers + should supply an instance that has caching enabled. + cert_uri: string, URI of the certificates in JSON format to + verify the JWT against. - Returns: - The deserialized JSON in the JWT. + Returns: + The deserialized JSON in the JWT. - Raises: - oauth2client.crypt.AppIdentityError: if the JWT fails to verify. - CryptoUnavailableError: if no crypto library is available. - """ - _RequireCryptoOrDie() - if http is None: - http = _cached_http + Raises: + oauth2client.crypt.AppIdentityError if the JWT fails to verify. + """ + if http is None: + http = _cached_http - resp, content = http.request(cert_uri) + resp, content = http.request(cert_uri) - if resp.status == 200: - certs = json.loads(content.decode('utf-8')) - return crypt.verify_signed_jwt_with_certs(id_token, certs, audience) - else: - raise VerifyJwtTokenError('Status code: %d' % resp.status) + if resp.status == 200: + certs = simplejson.loads(content) + return crypt.verify_signed_jwt_with_certs(id_token, certs, audience) + else: + raise VerifyJwtTokenError('Status code: %d' % resp.status) def _urlsafe_b64decode(b64string): # Guard against unicode strings, which base64 can't handle. - if isinstance(b64string, six.text_type): - b64string = b64string.encode('ascii') - padded = b64string + b'=' * (4 - len(b64string) % 4) + b64string = b64string.encode('ascii') + padded = b64string + '=' * (4 - len(b64string) % 4) return base64.urlsafe_b64decode(padded) @@ -1579,21 +1026,18 @@ def _extract_id_token(id_token): Does the extraction w/o checking the signature. Args: - id_token: string or bytestring, OAuth 2.0 id_token. + id_token: string, OAuth 2.0 id_token. Returns: object, The deserialized JSON payload. """ - if type(id_token) == bytes: - segments = id_token.split(b'.') - else: - segments = id_token.split(u'.') + segments = id_token.split('.') - if len(segments) != 3: + if (len(segments) != 3): raise VerifyJwtTokenError( - 'Wrong number of segments in token: %s' % id_token) + 'Wrong number of segments in token: %s' % id_token) - return json.loads(_urlsafe_b64decode(segments[1]).decode('utf-8')) + return simplejson.loads(_urlsafe_b64decode(segments[1])) def _parse_exchange_token_response(content): @@ -1611,12 +1055,11 @@ def _parse_exchange_token_response(content): """ resp = {} try: - resp = json.loads(content.decode('utf-8')) - except Exception: + resp = simplejson.loads(content) + except StandardError: # different JSON libs raise different exceptions, # so we just do a catch-all here - content = content.decode('utf-8') - resp = dict(urllib.parse.parse_qsl(content)) + resp = dict(parse_qsl(content)) # some providers respond with 'expires', others with 'expires_in' if resp and 'expires' in resp: @@ -1630,15 +1073,14 @@ def credentials_from_code(client_id, client_secret, scope, code, redirect_uri='postmessage', http=None, user_agent=None, token_uri=GOOGLE_TOKEN_URI, auth_uri=GOOGLE_AUTH_URI, - revoke_uri=GOOGLE_REVOKE_URI, - device_uri=GOOGLE_DEVICE_URI): + revoke_uri=GOOGLE_REVOKE_URI): """Exchanges an authorization code for an OAuth2Credentials object. Args: client_id: string, client identifier. client_secret: string, client secret. scope: string or iterable of strings, scope(s) to request. - code: string, An authorization code, most likely passed down from + code: string, An authroization code, most likely passed down from the client redirect_uri: string, this is generally set to 'postmessage' to match the redirect_uri that the client specified @@ -1649,8 +1091,6 @@ def credentials_from_code(client_id, client_secret, scope, code, defaults to Google's endpoints but any OAuth 2.0 provider can be used. revoke_uri: string, URI for revoke endpoint. For convenience defaults to Google's endpoints but any OAuth 2.0 provider can be used. - device_uri: string, URI for device authorization endpoint. For convenience - defaults to Google's endpoints but any OAuth 2.0 provider can be used. Returns: An OAuth2Credentials object. @@ -1662,7 +1102,7 @@ def credentials_from_code(client_id, client_secret, scope, code, flow = OAuth2WebServerFlow(client_id, client_secret, scope, redirect_uri=redirect_uri, user_agent=user_agent, auth_uri=auth_uri, token_uri=token_uri, - revoke_uri=revoke_uri, device_uri=device_uri) + revoke_uri=revoke_uri) credentials = flow.step2_exchange(code, http=http) return credentials @@ -1673,8 +1113,7 @@ def credentials_from_clientsecrets_and_code(filename, scope, code, message = None, redirect_uri='postmessage', http=None, - cache=None, - device_uri=None): + cache=None): """Returns OAuth2Credentials from a clientsecrets file and an auth code. Will create the right kind of Flow based on the contents of the clientsecrets @@ -1694,7 +1133,6 @@ def credentials_from_clientsecrets_and_code(filename, scope, code, http: httplib2.Http, optional http instance to use to do the fetch cache: An optional cache service client that implements get() and set() methods. See clientsecrets.loadfile() for details. - device_uri: string, OAuth 2.0 device authorization endpoint Returns: An OAuth2Credentials object. @@ -1707,49 +1145,11 @@ def credentials_from_clientsecrets_and_code(filename, scope, code, invalid. """ flow = flow_from_clientsecrets(filename, scope, message=message, cache=cache, - redirect_uri=redirect_uri, - device_uri=device_uri) + redirect_uri=redirect_uri) credentials = flow.step2_exchange(code, http=http) return credentials -class DeviceFlowInfo(collections.namedtuple('DeviceFlowInfo', ( - 'device_code', 'user_code', 'interval', 'verification_url', - 'user_code_expiry'))): - """Intermediate information the OAuth2 for devices flow.""" - - @classmethod - def FromResponse(cls, response): - """Create a DeviceFlowInfo from a server response. - - The response should be a dict containing entries as described here: - - http://tools.ietf.org/html/draft-ietf-oauth-v2-05#section-3.7.1 - """ - # device_code, user_code, and verification_url are required. - kwargs = { - 'device_code': response['device_code'], - 'user_code': response['user_code'], - } - # The response may list the verification address as either - # verification_url or verification_uri, so we check for both. - verification_url = response.get( - 'verification_url', response.get('verification_uri')) - if verification_url is None: - raise OAuth2DeviceCodeError( - 'No verification_url provided in server response') - kwargs['verification_url'] = verification_url - # expires_in and interval are optional. - kwargs.update({ - 'interval': response.get('interval'), - 'user_code_expiry': None, - }) - if 'expires_in' in response: - kwargs['user_code_expiry'] = datetime.datetime.now() + datetime.timedelta( - seconds=int(response['expires_in'])) - - return cls(**kwargs) - class OAuth2WebServerFlow(Flow): """Does the Web Server Flow for OAuth 2.0. @@ -1763,8 +1163,6 @@ class OAuth2WebServerFlow(Flow): auth_uri=GOOGLE_AUTH_URI, token_uri=GOOGLE_TOKEN_URI, revoke_uri=GOOGLE_REVOKE_URI, - login_hint=None, - device_uri=GOOGLE_DEVICE_URI, **kwargs): """Constructor for OAuth2WebServerFlow. @@ -1787,11 +1185,6 @@ class OAuth2WebServerFlow(Flow): defaults to Google's endpoints but any OAuth 2.0 provider can be used. revoke_uri: string, URI for revoke endpoint. For convenience defaults to Google's endpoints but any OAuth 2.0 provider can be used. - login_hint: string, Either an email address or domain. Passing this hint - will either pre-fill the email box on the sign-in form or select the - proper multi-login session, thereby simplifying the login flow. - device_uri: string, URI for device authorization endpoint. For convenience - defaults to Google's endpoints but any OAuth 2.0 provider can be used. **kwargs: dict, The keyword arguments are all optional and required parameters for the OAuth calls. """ @@ -1799,12 +1192,10 @@ class OAuth2WebServerFlow(Flow): self.client_secret = client_secret self.scope = util.scopes_to_string(scope) self.redirect_uri = redirect_uri - self.login_hint = login_hint self.user_agent = user_agent self.auth_uri = auth_uri self.token_uri = token_uri self.revoke_uri = revoke_uri - self.device_uri = device_uri self.params = { 'access_type': 'offline', 'response_type': 'code', @@ -1825,9 +1216,8 @@ class OAuth2WebServerFlow(Flow): A URI as a string to redirect the user to begin the authorization flow. """ if redirect_uri is not None: - logger.warning(( - 'The redirect_uri parameter for ' - 'OAuth2WebServerFlow.step1_get_authorize_url is deprecated. Please ' + logger.warning(('The redirect_uri parameter for' + 'OAuth2WebServerFlow.step1_get_authorize_url is deprecated. Please' 'move to passing the redirect_uri in via the constructor.')) self.redirect_uri = redirect_uri @@ -1839,107 +1229,45 @@ class OAuth2WebServerFlow(Flow): 'redirect_uri': self.redirect_uri, 'scope': self.scope, } - if self.login_hint is not None: - query_params['login_hint'] = self.login_hint query_params.update(self.params) return _update_query_params(self.auth_uri, query_params) - @util.positional(1) - def step1_get_device_and_user_codes(self, http=None): - """Returns a user code and the verification URL where to enter it - - Returns: - A user code as a string for the user to authorize the application - An URL as a string where the user has to enter the code - """ - if self.device_uri is None: - raise ValueError('The value of device_uri must not be None.') - - body = urllib.parse.urlencode({ - 'client_id': self.client_id, - 'scope': self.scope, - }) - headers = { - 'content-type': 'application/x-www-form-urlencoded', - } - - if self.user_agent is not None: - headers['user-agent'] = self.user_agent - - if http is None: - http = httplib2.Http() - - resp, content = http.request(self.device_uri, method='POST', body=body, - headers=headers) - if resp.status == 200: - try: - flow_info = json.loads(content) - except ValueError as e: - raise OAuth2DeviceCodeError( - 'Could not parse server response as JSON: "%s", error: "%s"' % ( - content, e)) - return DeviceFlowInfo.FromResponse(flow_info) - else: - error_msg = 'Invalid response %s.' % resp.status - try: - d = json.loads(content) - if 'error' in d: - error_msg += ' Error: %s' % d['error'] - except ValueError: - # Couldn't decode a JSON response, stick with the default message. - pass - raise OAuth2DeviceCodeError(error_msg) - @util.positional(2) - def step2_exchange(self, code=None, http=None, device_flow_info=None): - """Exchanges a code for OAuth2Credentials. + def step2_exchange(self, code, http=None): + """Exhanges a code for OAuth2Credentials. Args: - - code: string, a dict-like object, or None. For a non-device - flow, this is either the response code as a string, or a - dictionary of query parameters to the redirect_uri. For a - device flow, this should be None. - http: httplib2.Http, optional http instance to use when fetching - credentials. - device_flow_info: DeviceFlowInfo, return value from step1 in the - case of a device flow. + code: string or dict, either the code as a string, or a dictionary + of the query parameters to the redirect_uri, which contains + the code. + http: httplib2.Http, optional http instance to use to do the fetch Returns: An OAuth2Credentials object that can be used to authorize requests. Raises: - FlowExchangeError: if a problem occurred exchanging the code for a - refresh_token. - ValueError: if code and device_flow_info are both provided or both - missing. - + FlowExchangeError if a problem occured exchanging the code for a + refresh_token. """ - if code is None and device_flow_info is None: - raise ValueError('No code or device_flow_info provided.') - if code is not None and device_flow_info is not None: - raise ValueError('Cannot provide both code and device_flow_info.') - - if code is None: - code = device_flow_info.device_code - elif not isinstance(code, six.string_types): + + if not (isinstance(code, str) or isinstance(code, unicode)): if 'code' not in code: - raise FlowExchangeError(code.get( - 'error', 'No code was supplied in the query parameters.')) - code = code['code'] + if 'error' in code: + error_msg = code['error'] + else: + error_msg = 'No code was supplied in the query parameters.' + raise FlowExchangeError(error_msg) + else: + code = code['code'] - post_data = { + body = urllib.urlencode({ + 'grant_type': 'authorization_code', 'client_id': self.client_id, 'client_secret': self.client_secret, 'code': code, + 'redirect_uri': self.redirect_uri, 'scope': self.scope, - } - if device_flow_info is not None: - post_data['grant_type'] = 'http://oauth.net/grant_type/device/1.0' - else: - post_data['grant_type'] = 'authorization_code' - post_data['redirect_uri'] = self.redirect_uri - body = urllib.parse.urlencode(post_data) + }) headers = { 'content-type': 'application/x-www-form-urlencoded', } @@ -1956,31 +1284,26 @@ class OAuth2WebServerFlow(Flow): if resp.status == 200 and 'access_token' in d: access_token = d['access_token'] refresh_token = d.get('refresh_token', None) - if not refresh_token: - logger.info( - 'Received token response with no refresh_token. Consider ' - "reauthenticating with approval_prompt='force'.") token_expiry = None if 'expires_in' in d: token_expiry = datetime.datetime.utcnow() + datetime.timedelta( seconds=int(d['expires_in'])) - extracted_id_token = None if 'id_token' in d: - extracted_id_token = _extract_id_token(d['id_token']) + d['id_token'] = _extract_id_token(d['id_token']) logger.info('Successfully retrieved access token') return OAuth2Credentials(access_token, self.client_id, self.client_secret, refresh_token, token_expiry, self.token_uri, self.user_agent, revoke_uri=self.revoke_uri, - id_token=extracted_id_token, + id_token=d.get('id_token', None), token_response=d) else: - logger.info('Failed to retrieve access token: %s', content) + logger.info('Failed to retrieve access token: %s' % content) if 'error' in d: # you never know what those providers got to say - error_msg = str(d['error']) + str(d.get('error_description', '')) + error_msg = unicode(d['error']) else: error_msg = 'Invalid response: %s.' % str(resp.status) raise FlowExchangeError(error_msg) @@ -1988,8 +1311,7 @@ class OAuth2WebServerFlow(Flow): @util.positional(2) def flow_from_clientsecrets(filename, scope, redirect_uri=None, - message=None, cache=None, login_hint=None, - device_uri=None): + message=None, cache=None): """Create a Flow from a clientsecrets file. Will create the right kind of Flow based on the contents of the clientsecrets @@ -2007,11 +1329,6 @@ def flow_from_clientsecrets(filename, scope, redirect_uri=None, provided then clientsecrets.InvalidClientSecretsError will be raised. cache: An optional cache service client that implements get() and set() methods. See clientsecrets.loadfile() for details. - login_hint: string, Either an email address or domain. Passing this hint - will either pre-fill the email box on the sign-in form or select the - proper multi-login session, thereby simplifying the login flow. - device_uri: string, URI for device authorization endpoint. For convenience - defaults to Google's endpoints but any OAuth 2.0 provider can be used. Returns: A Flow object. @@ -2028,13 +1345,10 @@ def flow_from_clientsecrets(filename, scope, redirect_uri=None, 'redirect_uri': redirect_uri, 'auth_uri': client_info['auth_uri'], 'token_uri': client_info['token_uri'], - 'login_hint': login_hint, } revoke_uri = client_info.get('revoke_uri') if revoke_uri is not None: constructor_kwargs['revoke_uri'] = revoke_uri - if device_uri is not None: - constructor_kwargs['device_uri'] = device_uri return OAuth2WebServerFlow( client_info['client_id'], client_info['client_secret'], scope, **constructor_kwargs) @@ -2046,4 +1360,4 @@ def flow_from_clientsecrets(filename, scope, redirect_uri=None, raise else: raise UnknownClientSecretsFlowError( - 'This OAuth 2.0 flow is unsupported: %r' % client_type) \ No newline at end of file + 'This OAuth 2.0 flow is unsupported: %r' % client_type) diff --git a/third_party/oauth2client/clientsecrets.py b/third_party/oauth2client/clientsecrets.py index af079ecc9..ac99aae96 100644 --- a/third_party/oauth2client/clientsecrets.py +++ b/third_party/oauth2client/clientsecrets.py @@ -1,4 +1,4 @@ -# Copyright 2014 Google Inc. All rights reserved. +# Copyright (C) 2011 Google Inc. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -20,10 +20,8 @@ an OAuth 2.0 protected service. __author__ = 'jcgregorio@google.com (Joe Gregorio)' -import json - -from third_party import six +from anyjson import simplejson # Properties that make a client_secrets.json file valid. TYPE_WEB = 'web' @@ -70,21 +68,11 @@ class InvalidClientSecretsError(Error): def _validate_clientsecrets(obj): - _INVALID_FILE_FORMAT_MSG = ( - 'Invalid file format. See ' - 'https://developers.google.com/api-client-library/' - 'python/guide/aaa_client_secrets') - - if obj is None: - raise InvalidClientSecretsError(_INVALID_FILE_FORMAT_MSG) - if len(obj) != 1: - raise InvalidClientSecretsError( - _INVALID_FILE_FORMAT_MSG + ' ' - 'Expected a JSON object with a single property for a "web" or ' - '"installed" application') - client_type = tuple(obj)[0] - if client_type not in VALID_CLIENT: - raise InvalidClientSecretsError('Unknown client type: %s.' % (client_type,)) + if obj is None or len(obj) != 1: + raise InvalidClientSecretsError('Invalid file format.') + client_type = obj.keys()[0] + if client_type not in VALID_CLIENT.keys(): + raise InvalidClientSecretsError('Unknown client type: %s.' % client_type) client_info = obj[client_type] for prop_name in VALID_CLIENT[client_type]['required']: if prop_name not in client_info: @@ -99,19 +87,22 @@ def _validate_clientsecrets(obj): def load(fp): - obj = json.load(fp) + obj = simplejson.load(fp) return _validate_clientsecrets(obj) def loads(s): - obj = json.loads(s) + obj = simplejson.loads(s) return _validate_clientsecrets(obj) def _loadfile(filename): try: - with open(filename, 'r') as fp: - obj = json.load(fp) + fp = file(filename, 'r') + try: + obj = simplejson.load(fp) + finally: + fp.close() except IOError: raise InvalidClientSecretsError('File not found: "%s"' % filename) return _validate_clientsecrets(obj) @@ -123,12 +114,10 @@ def loadfile(filename, cache=None): Typical cache storage would be App Engine memcache service, but you can pass in any other cache client that implements these methods: + - get(key, namespace=ns) + - set(key, value, namespace=ns) - * ``get(key, namespace=ns)`` - * ``set(key, value, namespace=ns)`` - - Usage:: - + Usage: # without caching client_type, client_info = loadfile('secrets.json') # using App Engine memcache service @@ -161,4 +150,4 @@ def loadfile(filename, cache=None): obj = {client_type: client_info} cache.set(filename, obj, namespace=_SECRET_NAMESPACE) - return next(six.iteritems(obj)) \ No newline at end of file + return obj.iteritems().next() diff --git a/third_party/oauth2client/crypt.py b/third_party/oauth2client/crypt.py index b5b8cab22..2d31815dd 100644 --- a/third_party/oauth2client/crypt.py +++ b/third_party/oauth2client/crypt.py @@ -1,6 +1,7 @@ +#!/usr/bin/python2.4 # -*- coding: utf-8 -*- # -# Copyright 2014 Google Inc. All rights reserved. +# Copyright (C) 2011 Google Inc. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -13,15 +14,13 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. -"""Crypto-related routines for oauth2client.""" import base64 -import json +import hashlib import logging -import sys import time -from third_party import six +from anyjson import simplejson CLOCK_SKEW_SECS = 300 # 5 minutes in seconds @@ -39,6 +38,7 @@ class AppIdentityError(Exception): try: from OpenSSL import crypto + class OpenSSLVerifier(object): """Verifies the signature on a message.""" @@ -62,8 +62,6 @@ try: key that this object was constructed with. """ try: - if isinstance(message, six.text_type): - message = message.encode('utf-8') crypto.verify(self._pubkey, signature, message, 'sha256') return True except: @@ -106,17 +104,15 @@ try: """Signs a message. Args: - message: bytes, Message to be signed. + message: string, Message to be signed. Returns: string, The signature of the message for the given key. """ - if isinstance(message, six.text_type): - message = message.encode('utf-8') return crypto.sign(self._key, message, 'sha256') @staticmethod - def from_string(key, password=b'notasecret'): + def from_string(key, password='notasecret'): """Construct a Signer instance from a string. Args: @@ -129,45 +125,21 @@ try: Raises: OpenSSL.crypto.Error if the key can't be parsed. """ - parsed_pem_key = _parse_pem_key(key) - if parsed_pem_key: - pkey = crypto.load_privatekey(crypto.FILETYPE_PEM, parsed_pem_key) + if key.startswith('-----BEGIN '): + pkey = crypto.load_privatekey(crypto.FILETYPE_PEM, key) else: - if isinstance(password, six.text_type): - password = password.encode('utf-8') pkey = crypto.load_pkcs12(key, password).get_privatekey() return OpenSSLSigner(pkey) - - def pkcs12_key_as_pem(private_key_text, private_key_password): - """Convert the contents of a PKCS12 key to PEM using OpenSSL. - - Args: - private_key_text: String. Private key. - private_key_password: String. Password for PKCS12. - - Returns: - String. PEM contents of ``private_key_text``. - """ - decoded_body = base64.b64decode(private_key_text) - if isinstance(private_key_password, six.string_types): - private_key_password = private_key_password.encode('ascii') - - pkcs12 = crypto.load_pkcs12(decoded_body, private_key_password) - return crypto.dump_privatekey(crypto.FILETYPE_PEM, - pkcs12.get_privatekey()) except ImportError: OpenSSLVerifier = None OpenSSLSigner = None - def pkcs12_key_as_pem(*args, **kwargs): - raise NotImplementedError('pkcs12_key_as_pem requires OpenSSL.') try: from Crypto.PublicKey import RSA from Crypto.Hash import SHA256 from Crypto.Signature import PKCS1_v1_5 - from Crypto.Util.asn1 import DerSequence class PyCryptoVerifier(object): @@ -209,17 +181,14 @@ try: Returns: Verifier instance. + + Raises: + NotImplementedError if is_x509_cert is true. """ if is_x509_cert: - if isinstance(key_pem, six.text_type): - key_pem = key_pem.encode('ascii') - pemLines = key_pem.replace(b' ', b'').split() - certDer = _urlsafe_b64decode(b''.join(pemLines[1:-1])) - certSeq = DerSequence() - certSeq.decode(certDer) - tbsSeq = DerSequence() - tbsSeq.decode(certSeq[0]) - pubkey = RSA.importKey(tbsSeq[6]) + raise NotImplementedError( + 'X509 certs are not supported by the PyCrypto library. ' + 'Try using PyOpenSSL if native code is an option.') else: pubkey = RSA.importKey(key_pem) return PyCryptoVerifier(pubkey) @@ -245,8 +214,6 @@ try: Returns: string, The signature of the message for the given key. """ - if isinstance(message, six.text_type): - message = message.encode('utf-8') return PKCS1_v1_5.new(self._key).sign(SHA256.new(message)) @staticmethod @@ -263,12 +230,11 @@ try: Raises: NotImplementedError if they key isn't in PEM format. """ - parsed_pem_key = _parse_pem_key(key) - if parsed_pem_key: - pkey = RSA.importKey(parsed_pem_key) + if key.startswith('-----BEGIN '): + pkey = RSA.importKey(key) else: raise NotImplementedError( - 'PKCS12 format is not supported by the PyCrypto library. ' + 'PKCS12 format is not supported by the PyCrpto library. ' 'Try converting to a "PEM" ' '(openssl pkcs12 -in xxxxx.p12 -nodes -nocerts > privatekey.pem) ' 'or using PyOpenSSL if native code is an option.') @@ -290,39 +256,19 @@ else: 'PyOpenSSL, or PyCrypto 2.6 or later') -def _parse_pem_key(raw_key_input): - """Identify and extract PEM keys. - - Determines whether the given key is in the format of PEM key, and extracts - the relevant part of the key if it is. - - Args: - raw_key_input: The contents of a private key file (either PEM or PKCS12). - - Returns: - string, The actual key if the contents are from a PEM file, or else None. - """ - offset = raw_key_input.find(b'-----BEGIN ') - if offset != -1: - return raw_key_input[offset:] - - def _urlsafe_b64encode(raw_bytes): - if isinstance(raw_bytes, six.text_type): - raw_bytes = raw_bytes.encode('utf-8') - return base64.urlsafe_b64encode(raw_bytes).decode('ascii').rstrip('=') + return base64.urlsafe_b64encode(raw_bytes).rstrip('=') def _urlsafe_b64decode(b64string): # Guard against unicode strings, which base64 can't handle. - if isinstance(b64string, six.text_type): - b64string = b64string.encode('ascii') - padded = b64string + b'=' * (4 - len(b64string) % 4) + b64string = b64string.encode('ascii') + padded = b64string + '=' * (4 - len(b64string) % 4) return base64.urlsafe_b64decode(padded) def _json_encode(data): - return json.dumps(data, separators=(',', ':')) + return simplejson.dumps(data, separators = (',', ':')) def make_signed_jwt(signer, payload): @@ -340,8 +286,8 @@ def make_signed_jwt(signer, payload): header = {'typ': 'JWT', 'alg': 'RS256'} segments = [ - _urlsafe_b64encode(_json_encode(header)), - _urlsafe_b64encode(_json_encode(payload)), + _urlsafe_b64encode(_json_encode(header)), + _urlsafe_b64encode(_json_encode(payload)), ] signing_input = '.'.join(segments) @@ -372,8 +318,9 @@ def verify_signed_jwt_with_certs(jwt, certs, audience): """ segments = jwt.split('.') - if len(segments) != 3: - raise AppIdentityError('Wrong number of segments in token: %s' % jwt) + if (len(segments) != 3): + raise AppIdentityError( + 'Wrong number of segments in token: %s' % jwt) signed = '%s.%s' % (segments[0], segments[1]) signature = _urlsafe_b64decode(segments[2]) @@ -381,15 +328,15 @@ def verify_signed_jwt_with_certs(jwt, certs, audience): # Parse token. json_body = _urlsafe_b64decode(segments[1]) try: - parsed = json.loads(json_body.decode('utf-8')) + parsed = simplejson.loads(json_body) except: raise AppIdentityError('Can\'t parse token: %s' % json_body) # Check signature. verified = False - for pem in certs.values(): + for (keyname, pem) in certs.items(): verifier = Verifier.from_string(pem, True) - if verifier.verify(signed, signature): + if (verifier.verify(signed, signature)): verified = True break if not verified: @@ -402,20 +349,21 @@ def verify_signed_jwt_with_certs(jwt, certs, audience): earliest = iat - CLOCK_SKEW_SECS # Check expiration timestamp. - now = int(time.time()) + now = long(time.time()) exp = parsed.get('exp') if exp is None: raise AppIdentityError('No exp field in token: %s' % json_body) if exp >= now + MAX_TOKEN_LIFETIME_SECS: - raise AppIdentityError('exp field too far in future: %s' % json_body) + raise AppIdentityError( + 'exp field too far in future: %s' % json_body) latest = exp + CLOCK_SKEW_SECS if now < earliest: raise AppIdentityError('Token used too early, %d < %d: %s' % - (now, earliest, json_body)) + (now, earliest, json_body)) if now > latest: raise AppIdentityError('Token used too late, %d > %d: %s' % - (now, latest, json_body)) + (now, latest, json_body)) # Check audience. if audience is not None: @@ -424,6 +372,6 @@ def verify_signed_jwt_with_certs(jwt, certs, audience): raise AppIdentityError('No aud field in token: %s' % json_body) if aud != audience: raise AppIdentityError('Wrong recipient, %s != %s: %s' % - (aud, audience, json_body)) + (aud, audience, json_body)) - return parsed \ No newline at end of file + return parsed diff --git a/third_party/oauth2client/devshell.py b/third_party/oauth2client/devshell.py deleted file mode 100644 index 69d3808a3..000000000 --- a/third_party/oauth2client/devshell.py +++ /dev/null @@ -1,135 +0,0 @@ -# Copyright 2015 Google Inc. All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -"""OAuth 2.0 utitilies for Google Developer Shell environment.""" - -import json -import os - -from . import client - - -DEVSHELL_ENV = 'DEVSHELL_CLIENT_PORT' - - -class Error(Exception): - """Errors for this module.""" - pass - - -class CommunicationError(Error): - """Errors for communication with the Developer Shell server.""" - - -class NoDevshellServer(Error): - """Error when no Developer Shell server can be contacted.""" - - -# The request for credential information to the Developer Shell client socket is -# always an empty PBLite-formatted JSON object, so just define it as a constant. -CREDENTIAL_INFO_REQUEST_JSON = '[]' - - -class CredentialInfoResponse(object): - """Credential information response from Developer Shell server. - - The credential information response from Developer Shell socket is a - PBLite-formatted JSON array with fields encoded by their index in the array: - * Index 0 - user email - * Index 1 - default project ID. None if the project context is not known. - * Index 2 - OAuth2 access token. None if there is no valid auth context. - """ - - def __init__(self, json_string): - """Initialize the response data from JSON PBLite array.""" - pbl = json.loads(json_string) - if not isinstance(pbl, list): - raise ValueError('Not a list: ' + str(pbl)) - pbl_len = len(pbl) - self.user_email = pbl[0] if pbl_len > 0 else None - self.project_id = pbl[1] if pbl_len > 1 else None - self.access_token = pbl[2] if pbl_len > 2 else None - - -def _SendRecv(): - """Communicate with the Developer Shell server socket.""" - - port = int(os.getenv(DEVSHELL_ENV, 0)) - if port == 0: - raise NoDevshellServer() - - import socket - - sock = socket.socket() - sock.connect(('localhost', port)) - - data = CREDENTIAL_INFO_REQUEST_JSON - msg = '%s\n%s' % (len(data), data) - sock.sendall(msg.encode()) - - header = sock.recv(6).decode() - if '\n' not in header: - raise CommunicationError('saw no newline in the first 6 bytes') - len_str, json_str = header.split('\n', 1) - to_read = int(len_str) - len(json_str) - if to_read > 0: - json_str += sock.recv(to_read, socket.MSG_WAITALL).decode() - - return CredentialInfoResponse(json_str) - - -class DevshellCredentials(client.GoogleCredentials): - """Credentials object for Google Developer Shell environment. - - This object will allow a Google Developer Shell session to identify its user - to Google and other OAuth 2.0 servers that can verify assertions. It can be - used for the purpose of accessing data stored under the user account. - - This credential does not require a flow to instantiate because it represents - a two legged flow, and therefore has all of the required information to - generate and refresh its own access tokens. - """ - - def __init__(self, user_agent=None): - super(DevshellCredentials, self).__init__( - None, # access_token, initialized below - None, # client_id - None, # client_secret - None, # refresh_token - None, # token_expiry - None, # token_uri - user_agent) - self._refresh(None) - - def _refresh(self, http_request): - self.devshell_response = _SendRecv() - self.access_token = self.devshell_response.access_token - - @property - def user_email(self): - return self.devshell_response.user_email - - @property - def project_id(self): - return self.devshell_response.project_id - - @classmethod - def from_json(cls, json_data): - raise NotImplementedError( - 'Cannot load Developer Shell credentials from JSON.') - - @property - def serialization_data(self): - raise NotImplementedError( - 'Cannot serialize Developer Shell credentials.') diff --git a/third_party/oauth2client/django_orm.py b/third_party/oauth2client/django_orm.py index ffbcf92e3..d54d20c28 100644 --- a/third_party/oauth2client/django_orm.py +++ b/third_party/oauth2client/django_orm.py @@ -1,4 +1,4 @@ -# Copyright 2014 Google Inc. All rights reserved. +# Copyright (C) 2010 Google Inc. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -116,21 +116,14 @@ class Storage(BaseStorage): credential.set_store(self) return credential - def locked_put(self, credentials, overwrite=False): + def locked_put(self, credentials): """Write a Credentials to the datastore. Args: credentials: Credentials, the credentials to store. - overwrite: Boolean, indicates whether you would like these credentials to - overwrite any existing stored credentials. """ args = {self.key_name: self.key_value} - - if overwrite: - entity, unused_is_new = self.model_class.objects.get_or_create(**args) - else: - entity = self.model_class(**args) - + entity = self.model_class(**args) setattr(entity, self.property_name, credentials) entity.save() @@ -138,4 +131,4 @@ class Storage(BaseStorage): """Delete Credentials from the datastore.""" query = {self.key_name: self.key_value} - entities = self.model_class.objects.filter(**query).delete() \ No newline at end of file + entities = self.model_class.objects.filter(**query).delete() diff --git a/third_party/oauth2client/file.py b/third_party/oauth2client/file.py index 4337fcfd2..1895f94ea 100644 --- a/third_party/oauth2client/file.py +++ b/third_party/oauth2client/file.py @@ -1,4 +1,4 @@ -# Copyright 2014 Google Inc. All rights reserved. +# Copyright (C) 2010 Google Inc. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -21,10 +21,12 @@ credentials. __author__ = 'jcgregorio@google.com (Joe Gregorio)' import os +import stat import threading -from client import Credentials +from anyjson import simplejson from client import Storage as BaseStorage +from client import Credentials class CredentialsFileSymbolicLinkError(Exception): @@ -90,7 +92,7 @@ class Storage(BaseStorage): simple version of "touch" to ensure the file has been created. """ if not os.path.exists(self._filename): - old_umask = os.umask(0o177) + old_umask = os.umask(0177) try: open(self._filename, 'a+b').close() finally: @@ -108,7 +110,7 @@ class Storage(BaseStorage): self._create_file_if_needed() self._validate_file() - f = open(self._filename, 'w') + f = open(self._filename, 'wb') f.write(credentials.to_json()) f.close() @@ -119,4 +121,4 @@ class Storage(BaseStorage): credentials: Credentials, the credentials to store. """ - os.unlink(self._filename) \ No newline at end of file + os.unlink(self._filename) diff --git a/third_party/oauth2client/gce.py b/third_party/oauth2client/gce.py index ebd14e378..c7fd7c18a 100644 --- a/third_party/oauth2client/gce.py +++ b/third_party/oauth2client/gce.py @@ -1,4 +1,4 @@ -# Copyright 2014 Google Inc. All rights reserved. +# Copyright (C) 2012 Google Inc. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -19,13 +19,14 @@ Utilities for making it easier to use OAuth 2.0 on Google Compute Engine. __author__ = 'jcgregorio@google.com (Joe Gregorio)' -import json +import httplib2 import logging -from third_party.six.moves import urllib +import uritemplate -from third_party.oauth2client import util -from third_party.oauth2client.client import AccessTokenRefreshError -from third_party.oauth2client.client import AssertionCredentials +from oauth2client import util +from oauth2client.anyjson import simplejson +from oauth2client.client import AccessTokenRefreshError +from oauth2client.client import AssertionCredentials logger = logging.getLogger(__name__) @@ -56,14 +57,13 @@ class AppAssertionCredentials(AssertionCredentials): requested. """ self.scope = util.scopes_to_string(scope) - self.kwargs = kwargs # Assertion type is no longer used, but still in the parent class signature. super(AppAssertionCredentials, self).__init__(None) @classmethod - def from_json(cls, json_data): - data = json.loads(json_data) + def from_json(cls, json): + data = simplejson.loads(json) return AppAssertionCredentials(data['scope']) def _refresh(self, http_request): @@ -78,28 +78,13 @@ class AppAssertionCredentials(AssertionCredentials): Raises: AccessTokenRefreshError: When the refresh fails. """ - query = '?scope=%s' % urllib.parse.quote(self.scope, '') - uri = META.replace('{?scope}', query) + uri = uritemplate.expand(META, {'scope': self.scope}) response, content = http_request(uri) if response.status == 200: try: - d = json.loads(content) - except Exception as e: + d = simplejson.loads(content) + except StandardError, e: raise AccessTokenRefreshError(str(e)) self.access_token = d['accessToken'] else: - if response.status == 404: - content += (' This can occur if a VM was created' - ' with no service account or scopes.') raise AccessTokenRefreshError(content) - - @property - def serialization_data(self): - raise NotImplementedError( - 'Cannot serialize credentials for GCE service accounts.') - - def create_scoped_required(self): - return not self.scope - - def create_scoped(self, scopes): - return AppAssertionCredentials(scopes, **self.kwargs) \ No newline at end of file diff --git a/third_party/oauth2client/keyring_storage.py b/third_party/oauth2client/keyring_storage.py index 512ac7755..efe2949cd 100644 --- a/third_party/oauth2client/keyring_storage.py +++ b/third_party/oauth2client/keyring_storage.py @@ -1,4 +1,4 @@ -# Copyright 2014 Google Inc. All rights reserved. +# Copyright (C) 2012 Google Inc. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -19,12 +19,11 @@ A Storage for Credentials that uses the keyring module. __author__ = 'jcgregorio@google.com (Joe Gregorio)' -import threading - import keyring +import threading -from client import Credentials from client import Storage as BaseStorage +from client import Credentials class Storage(BaseStorage): @@ -107,4 +106,4 @@ class Storage(BaseStorage): Args: credentials: Credentials, the credentials to store. """ - keyring.set_password(self._service_name, self._user_name, '') \ No newline at end of file + keyring.set_password(self._service_name, self._user_name, '') diff --git a/third_party/oauth2client/locked_file.py b/third_party/oauth2client/locked_file.py index fa2c6c1c7..858b70281 100644 --- a/third_party/oauth2client/locked_file.py +++ b/third_party/oauth2client/locked_file.py @@ -1,4 +1,4 @@ -# Copyright 2014 Google Inc. All rights reserved. +# Copyright 2011 Google Inc. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -17,21 +17,17 @@ This module first tries to use fcntl locking to ensure serialized access to a file, then falls back on a lock file if that is unavialable. -Usage:: - +Usage: f = LockedFile('filename', 'r+b', 'rb') f.open_and_lock() if f.is_locked(): - print('Acquired filename with r+b mode') + print 'Acquired filename with r+b mode' f.file_handle().write('locked data') else: - print('Acquired filename with rb mode') + print 'Aquired filename with rb mode' f.unlock_and_close() - """ -from __future__ import print_function - __author__ = 'cache@google.com (David T McWherter)' import errno @@ -74,7 +70,6 @@ class _Opener(object): self._mode = mode self._fallback_mode = fallback_mode self._fh = None - self._lock_fd = None def is_locked(self): """Was the file locked.""" @@ -127,7 +122,7 @@ class _PosixOpener(_Opener): validate_file(self._filename) try: self._fh = open(self._filename, self._mode) - except IOError as e: + except IOError, e: # If we can't access with _mode, try _fallback_mode and don't lock. if e.errno == errno.EACCES: self._fh = open(self._filename, self._fallback_mode) @@ -142,12 +137,12 @@ class _PosixOpener(_Opener): self._locked = True break - except OSError as e: + except OSError, e: if e.errno != errno.EEXIST: raise if (time.time() - start_time) >= timeout: - logger.warn('Could not acquire lock %s in %s seconds', - lock_filename, timeout) + logger.warn('Could not acquire lock %s in %s seconds' % ( + lock_filename, timeout)) # Close the file and open in fallback_mode. if self._fh: self._fh.close() @@ -197,9 +192,9 @@ try: validate_file(self._filename) try: self._fh = open(self._filename, self._mode) - except IOError as e: + except IOError, e: # If we can't access with _mode, try _fallback_mode and don't lock. - if e.errno in (errno.EPERM, errno.EACCES): + if e.errno == errno.EACCES: self._fh = open(self._filename, self._fallback_mode) return @@ -209,16 +204,16 @@ try: fcntl.lockf(self._fh.fileno(), fcntl.LOCK_EX) self._locked = True return - except IOError as e: + except IOError, e: # If not retrying, then just pass on the error. if timeout == 0: - raise + raise e if e.errno != errno.EACCES: - raise + raise e # We could not acquire the lock. Try again. if (time.time() - start_time) >= timeout: - logger.warn('Could not lock %s in %s seconds', - self._filename, timeout) + logger.warn('Could not lock %s in %s seconds' % ( + self._filename, timeout)) if self._fh: self._fh.close() self._fh = open(self._filename, self._fallback_mode) @@ -272,7 +267,7 @@ try: validate_file(self._filename) try: self._fh = open(self._filename, self._mode) - except IOError as e: + except IOError, e: # If we can't access with _mode, try _fallback_mode and don't lock. if e.errno == errno.EACCES: self._fh = open(self._filename, self._fallback_mode) @@ -289,9 +284,9 @@ try: pywintypes.OVERLAPPED()) self._locked = True return - except pywintypes.error as e: + except pywintypes.error, e: if timeout == 0: - raise + raise e # If the error is not that the file is already in use, raise. if e[0] != _Win32Opener.FILE_IN_USE_ERROR: @@ -313,7 +308,7 @@ try: try: hfile = win32file._get_osfhandle(self._fh.fileno()) win32file.UnlockFileEx(hfile, 0, -0x10000, pywintypes.OVERLAPPED()) - except pywintypes.error as e: + except pywintypes.error, e: if e[0] != _Win32Opener.FILE_ALREADY_UNLOCKED_ERROR: raise self._locked = False @@ -375,4 +370,4 @@ class LockedFile(object): def unlock_and_close(self): """Unlock and close a file.""" - self._opener.unlock_and_close() \ No newline at end of file + self._opener.unlock_and_close() diff --git a/third_party/oauth2client/multistore_file.py b/third_party/oauth2client/multistore_file.py index 5008c00ee..ea89027f2 100644 --- a/third_party/oauth2client/multistore_file.py +++ b/third_party/oauth2client/multistore_file.py @@ -1,4 +1,4 @@ -# Copyright 2014 Google Inc. All rights reserved. +# Copyright 2011 Google Inc. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -19,41 +19,39 @@ credentials can be stored in one file. That file supports locking both in a single process and across processes. The credential themselves are keyed off of: - * client_id * user_agent * scope -The format of the stored data is like so:: - - { - 'file_version': 1, - 'data': [ - { - 'key': { - 'clientId': '', - 'userAgent': '', - 'scope': '' - }, - 'credential': { - # JSON serialized Credentials. - } +The format of the stored data is like so: +{ + 'file_version': 1, + 'data': [ + { + 'key': { + 'clientId': '', + 'userAgent': '', + 'scope': '' + }, + 'credential': { + # JSON serialized Credentials. } - ] - } - + } + ] +} """ __author__ = 'jbeda@google.com (Joe Beda)' +import base64 import errno -import json import logging import os import threading -from .client import Credentials +from anyjson import simplejson from .client import Storage as BaseStorage +from .client import Credentials from . import util from locked_file import LockedFile @@ -66,10 +64,12 @@ _multistores_lock = threading.Lock() class Error(Exception): """Base error for this module.""" + pass class NewerCredentialStoreError(Error): - """The credential store is a newer version than supported.""" + """The credential store is a newer version that supported.""" + pass @util.positional(4) @@ -193,7 +193,7 @@ class _MultiStore(object): This will create the file if necessary. """ - self._file = LockedFile(filename, 'r+', 'r') + self._file = LockedFile(filename, 'r+b', 'rb') self._thread_lock = threading.Lock() self._read_only = False self._warn_on_readonly = warn_on_readonly @@ -271,7 +271,7 @@ class _MultiStore(object): simple version of "touch" to ensure the file has been created. """ if not os.path.exists(self._file.filename()): - old_umask = os.umask(0o177) + old_umask = os.umask(0177) try: open(self._file.filename(), 'a+b').close() finally: @@ -280,23 +280,13 @@ class _MultiStore(object): def _lock(self): """Lock the entire multistore.""" self._thread_lock.acquire() - try: - self._file.open_and_lock() - except IOError as e: - if e.errno == errno.ENOSYS: - logger.warn('File system does not support locking the credentials ' - 'file.') - elif e.errno == errno.ENOLCK: - logger.warn('File system is out of resources for writing the ' - 'credentials file (is your disk full?).') - else: - raise + self._file.open_and_lock() if not self._file.is_locked(): self._read_only = True if self._warn_on_readonly: logger.warn('The credentials file (%s) is not writable. Opening in ' 'read-only mode. Any refreshed credentials will only be ' - 'valid for this run.', self._file.filename()) + 'valid for this run.' % self._file.filename()) if os.path.getsize(self._file.filename()) == 0: logger.debug('Initializing empty multistore file') # The multistore is empty so write out an empty file. @@ -325,7 +315,7 @@ class _MultiStore(object): """ assert self._thread_lock.locked() self._file.file_handle().seek(0) - return json.load(self._file.file_handle()) + return simplejson.load(self._file.file_handle()) def _locked_json_write(self, data): """Write a JSON serializable data structure to the multistore. @@ -339,7 +329,7 @@ class _MultiStore(object): if self._read_only: return self._file.file_handle().seek(0) - json.dump(data, self._file.file_handle(), sort_keys=True, indent=2, separators=(',', ': ')) + simplejson.dump(data, self._file.file_handle(), sort_keys=True, indent=2) self._file.file_handle().truncate() def _refresh_data_cache(self): @@ -397,7 +387,7 @@ class _MultiStore(object): raw_key = cred_entry['key'] key = util.dict_to_tuple_key(raw_key) credential = None - credential = Credentials.new_from_json(json.dumps(cred_entry['credential'])) + credential = Credentials.new_from_json(simplejson.dumps(cred_entry['credential'])) return (key, credential) def _write(self): @@ -410,7 +400,7 @@ class _MultiStore(object): raw_data['data'] = raw_creds for (cred_key, cred) in self._data.items(): raw_key = dict(cred_key) - raw_cred = json.loads(cred.to_json()) + raw_cred = simplejson.loads(cred.to_json()) raw_creds.append({'key': raw_key, 'credential': raw_cred}) self._locked_json_write(raw_data) @@ -472,4 +462,4 @@ class _MultiStore(object): Returns: A Storage object that can be used to get/set this cred """ - return self._Storage(self, key) \ No newline at end of file + return self._Storage(self, key) diff --git a/third_party/oauth2client/old_run.py b/third_party/oauth2client/old_run.py index 221fff86b..da2335848 100644 --- a/third_party/oauth2client/old_run.py +++ b/third_party/oauth2client/old_run.py @@ -1,4 +1,4 @@ -# Copyright 2014 Google Inc. All rights reserved. +# Copyright (C) 2013 Google Inc. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -15,7 +15,6 @@ """This module holds the old run() function which is deprecated, the tools.run_flow() function should be used in its place.""" -from __future__ import print_function import logging import socket @@ -23,9 +22,9 @@ import sys import webbrowser import gflags -from third_party.six.moves import input -from third_party.oauth2client import client -from third_party.oauth2client import util + +from oauth2client import client +from oauth2client import util from tools import ClientRedirectHandler from tools import ClientRedirectServer @@ -49,38 +48,39 @@ gflags.DEFINE_multi_int('auth_host_port', [8080, 8090], def run(flow, storage, http=None): """Core code for a command-line application. - The ``run()`` function is called from your application and runs - through all the steps to obtain credentials. It takes a ``Flow`` - argument and attempts to open an authorization server page in the - user's default web browser. The server asks the user to grant your - application access to the user's data. If the user grants access, - the ``run()`` function returns new credentials. The new credentials - are also stored in the ``storage`` argument, which updates the file - associated with the ``Storage`` object. + The run() function is called from your application and runs through all + the steps to obtain credentials. It takes a Flow argument and attempts to + open an authorization server page in the user's default web browser. The + server asks the user to grant your application access to the user's data. + If the user grants access, the run() function returns new credentials. The + new credentials are also stored in the Storage argument, which updates the + file associated with the Storage object. It presumes it is run from a command-line application and supports the following flags: - ``--auth_host_name`` (string, default: ``localhost``) - Host name to use when running a local web server to handle - redirects during OAuth authorization. + --auth_host_name: Host name to use when running a local web server + to handle redirects during OAuth authorization. + (default: 'localhost') - ``--auth_host_port`` (integer, default: ``[8080, 8090]``) - Port to use when running a local web server to handle redirects - during OAuth authorization. Repeat this option to specify a list - of values. + --auth_host_port: Port to use when running a local web server to handle + redirects during OAuth authorization.; + repeat this option to specify a list of values + (default: '[8080, 8090]') + (an integer) - ``--[no]auth_local_webserver`` (boolean, default: ``True``) - Run a local web server to handle redirects during OAuth authorization. + --[no]auth_local_webserver: Run a local web server to handle redirects + during OAuth authorization. + (default: 'true') - Since it uses flags make sure to initialize the ``gflags`` module before - calling ``run()``. + Since it uses flags make sure to initialize the gflags module before + calling run(). Args: flow: Flow, an OAuth 2.0 Flow to step through. - storage: Storage, a ``Storage`` to store the credential in. - http: An instance of ``httplib2.Http.request`` or something that acts - like it. + storage: Storage, a Storage to store the credential in. + http: An instance of httplib2.Http.request + or something that acts like it. Returns: Credentials, the obtained credential. @@ -96,20 +96,20 @@ def run(flow, storage, http=None): try: httpd = ClientRedirectServer((FLAGS.auth_host_name, port), ClientRedirectHandler) - except socket.error as e: + except socket.error, e: pass else: success = True break FLAGS.auth_local_webserver = success if not success: - print('Failed to start a local webserver listening on either port 8080') - print('or port 9090. Please check your firewall settings and locally') - print('running programs that may be blocking or using those ports.') - print() - print('Falling back to --noauth_local_webserver and continuing with') - print('authorization.') - print() + print 'Failed to start a local webserver listening on either port 8080' + print 'or port 9090. Please check your firewall settings and locally' + print 'running programs that may be blocking or using those ports.' + print + print 'Falling back to --noauth_local_webserver and continuing with', + print 'authorization.' + print if FLAGS.auth_local_webserver: oauth_callback = 'http://%s:%s/' % (FLAGS.auth_host_name, port_number) @@ -120,20 +120,20 @@ def run(flow, storage, http=None): if FLAGS.auth_local_webserver: webbrowser.open(authorize_url, new=1, autoraise=True) - print('Your browser has been opened to visit:') - print() - print(' ' + authorize_url) - print() - print('If your browser is on a different machine then exit and re-run') - print('this application with the command-line parameter ') - print() - print(' --noauth_local_webserver') - print() + print 'Your browser has been opened to visit:' + print + print ' ' + authorize_url + print + print 'If your browser is on a different machine then exit and re-run' + print 'this application with the command-line parameter ' + print + print ' --noauth_local_webserver' + print else: - print('Go to the following link in your browser:') - print() - print(' ' + authorize_url) - print() + print 'Go to the following link in your browser:' + print + print ' ' + authorize_url + print code = None if FLAGS.auth_local_webserver: @@ -143,18 +143,18 @@ def run(flow, storage, http=None): if 'code' in httpd.query_params: code = httpd.query_params['code'] else: - print('Failed to find "code" in the query parameters of the redirect.') + print 'Failed to find "code" in the query parameters of the redirect.' sys.exit('Try running with --noauth_local_webserver.') else: - code = input('Enter verification code: ').strip() + code = raw_input('Enter verification code: ').strip() try: credential = flow.step2_exchange(code, http=http) - except client.FlowExchangeError as e: + except client.FlowExchangeError, e: sys.exit('Authentication has failed: %s' % e) storage.put(credential) credential.set_store(storage) - print('Authentication successful.') + print 'Authentication successful.' - return credential \ No newline at end of file + return credential diff --git a/third_party/oauth2client/service_account.py b/third_party/oauth2client/service_account.py deleted file mode 100644 index b6b694c84..000000000 --- a/third_party/oauth2client/service_account.py +++ /dev/null @@ -1,139 +0,0 @@ -# Copyright 2014 Google Inc. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -"""A service account credentials class. - -This credentials class is implemented on top of rsa library. -""" - -import base64 -import json -import time - -from pyasn1.codec.ber import decoder -from pyasn1_modules.rfc5208 import PrivateKeyInfo -import rsa - -from . import GOOGLE_REVOKE_URI -from . import GOOGLE_TOKEN_URI -from . import util -from client import AssertionCredentials -from third_party import six - - -class _ServiceAccountCredentials(AssertionCredentials): - """Class representing a service account (signed JWT) credential.""" - - MAX_TOKEN_LIFETIME_SECS = 3600 # 1 hour in seconds - - def __init__(self, service_account_id, service_account_email, private_key_id, - private_key_pkcs8_text, scopes, user_agent=None, - token_uri=GOOGLE_TOKEN_URI, revoke_uri=GOOGLE_REVOKE_URI, - **kwargs): - - super(_ServiceAccountCredentials, self).__init__( - None, user_agent=user_agent, token_uri=token_uri, revoke_uri=revoke_uri) - - self._service_account_id = service_account_id - self._service_account_email = service_account_email - self._private_key_id = private_key_id - self._private_key = _get_private_key(private_key_pkcs8_text) - self._private_key_pkcs8_text = private_key_pkcs8_text - self._scopes = util.scopes_to_string(scopes) - self._user_agent = user_agent - self._token_uri = token_uri - self._revoke_uri = revoke_uri - self._kwargs = kwargs - - def _generate_assertion(self): - """Generate the assertion that will be used in the request.""" - - header = { - 'alg': 'RS256', - 'typ': 'JWT', - 'kid': self._private_key_id - } - - now = int(time.time()) - payload = { - 'aud': self._token_uri, - 'scope': self._scopes, - 'iat': now, - 'exp': now + _ServiceAccountCredentials.MAX_TOKEN_LIFETIME_SECS, - 'iss': self._service_account_email - } - payload.update(self._kwargs) - - assertion_input = (_urlsafe_b64encode(header) + b'.' + - _urlsafe_b64encode(payload)) - - # Sign the assertion. - rsa_bytes = rsa.pkcs1.sign(assertion_input, self._private_key, 'SHA-256') - signature = base64.urlsafe_b64encode(rsa_bytes).rstrip(b'=') - - return assertion_input + b'.' + signature - - def sign_blob(self, blob): - # Ensure that it is bytes - try: - blob = blob.encode('utf-8') - except AttributeError: - pass - return (self._private_key_id, - rsa.pkcs1.sign(blob, self._private_key, 'SHA-256')) - - @property - def service_account_email(self): - return self._service_account_email - - @property - def serialization_data(self): - return { - 'type': 'service_account', - 'client_id': self._service_account_id, - 'client_email': self._service_account_email, - 'private_key_id': self._private_key_id, - 'private_key': self._private_key_pkcs8_text - } - - def create_scoped_required(self): - return not self._scopes - - def create_scoped(self, scopes): - return _ServiceAccountCredentials(self._service_account_id, - self._service_account_email, - self._private_key_id, - self._private_key_pkcs8_text, - scopes, - user_agent=self._user_agent, - token_uri=self._token_uri, - revoke_uri=self._revoke_uri, - **self._kwargs) - - -def _urlsafe_b64encode(data): - return base64.urlsafe_b64encode( - json.dumps(data, separators=(',', ':')).encode('UTF-8')).rstrip(b'=') - - -def _get_private_key(private_key_pkcs8_text): - """Get an RSA private key object from a pkcs8 representation.""" - - if not isinstance(private_key_pkcs8_text, six.binary_type): - private_key_pkcs8_text = private_key_pkcs8_text.encode('ascii') - der = rsa.pem.load_pem(private_key_pkcs8_text, 'PRIVATE KEY') - asn1_private_key, _ = decoder.decode(der, asn1Spec=PrivateKeyInfo()) - return rsa.PrivateKey.load_pkcs1( - asn1_private_key.getComponentByName('privateKey').asOctets(), - format='DER') \ No newline at end of file diff --git a/third_party/oauth2client/tools.py b/third_party/oauth2client/tools.py index 3df1bbede..12c68bf0f 100644 --- a/third_party/oauth2client/tools.py +++ b/third_party/oauth2client/tools.py @@ -1,4 +1,4 @@ -# Copyright 2014 Google Inc. All rights reserved. +# Copyright (C) 2013 Google Inc. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -19,22 +19,27 @@ generated credentials in a common file that is used by other example apps in the same directory. """ -from __future__ import print_function - __author__ = 'jcgregorio@google.com (Joe Gregorio)' __all__ = ['argparser', 'run_flow', 'run', 'message_if_missing'] + +import BaseHTTPServer +import argparse +import httplib2 import logging +import os import socket import sys +import webbrowser -from third_party.six.moves import BaseHTTPServer -from third_party.six.moves import urllib -from third_party.six.moves import input - -from . import client -from . import util +from oauth2client import client +from oauth2client import file +from oauth2client import util +try: + from urlparse import parse_qsl +except ImportError: + from cgi import parse_qsl _CLIENT_SECRETS_MESSAGE = """WARNING: Please configure OAuth 2.0 @@ -47,27 +52,20 @@ with information from the APIs Console . """ -def _CreateArgumentParser(): - try: - import argparse - except ImportError: - return None - parser = argparse.ArgumentParser(add_help=False) - parser.add_argument('--auth_host_name', default='localhost', - help='Hostname when running a local web server.') - parser.add_argument('--noauth_local_webserver', action='store_true', - default=False, help='Do not run a local web server.') - parser.add_argument('--auth_host_port', default=[8080, 8090], type=int, - nargs='*', help='Port web server should listen on.') - parser.add_argument('--logging_level', default='ERROR', - choices=['DEBUG', 'INFO', 'WARNING', 'ERROR', 'CRITICAL'], - help='Set the logging level of detail.') - return parser - -# argparser is an ArgumentParser that contains command-line options expected +# run_parser is an ArgumentParser that contains command-line options expected # by tools.run(). Pass it in as part of the 'parents' argument to your own # ArgumentParser. -argparser = _CreateArgumentParser() +argparser = argparse.ArgumentParser(add_help=False) +argparser.add_argument('--auth_host_name', default='localhost', + help='Hostname when running a local web server.') +argparser.add_argument('--noauth_local_webserver', action='store_true', + default=False, help='Do not run a local web server.') +argparser.add_argument('--auth_host_port', default=[8080, 8090], type=int, + nargs='*', help='Port web server should listen on.') +argparser.add_argument('--logging_level', default='ERROR', + choices=['DEBUG', 'INFO', 'WARNING', 'ERROR', + 'CRITICAL'], + help='Set the logging level of detail.') class ClientRedirectServer(BaseHTTPServer.HTTPServer): @@ -86,75 +84,72 @@ class ClientRedirectHandler(BaseHTTPServer.BaseHTTPRequestHandler): into the servers query_params and then stops serving. """ - def do_GET(self): + def do_GET(s): """Handle a GET request. Parses the query parameters and prints a message if the flow has completed. Note that we can't detect if an error occurred. """ - self.send_response(200) - self.send_header("Content-type", "text/html") - self.end_headers() - query = self.path.split('?', 1)[-1] - query = dict(urllib.parse.parse_qsl(query)) - self.server.query_params = query - self.wfile.write(b"Authentication Status") - self.wfile.write(b"

The authentication flow has completed.

") - self.wfile.write(b"") + s.send_response(200) + s.send_header("Content-type", "text/html") + s.end_headers() + query = s.path.split('?', 1)[-1] + query = dict(parse_qsl(query)) + s.server.query_params = query + s.wfile.write("Authentication Status") + s.wfile.write("

The authentication flow has completed.

") + s.wfile.write("") def log_message(self, format, *args): """Do not log messages to stdout while running as command line program.""" + pass @util.positional(3) def run_flow(flow, storage, flags, http=None): """Core code for a command-line application. - The ``run()`` function is called from your application and runs - through all the steps to obtain credentials. It takes a ``Flow`` - argument and attempts to open an authorization server page in the - user's default web browser. The server asks the user to grant your - application access to the user's data. If the user grants access, - the ``run()`` function returns new credentials. The new credentials - are also stored in the ``storage`` argument, which updates the file - associated with the ``Storage`` object. + The run() function is called from your application and runs through all the + steps to obtain credentials. It takes a Flow argument and attempts to open an + authorization server page in the user's default web browser. The server asks + the user to grant your application access to the user's data. If the user + grants access, the run() function returns new credentials. The new credentials + are also stored in the Storage argument, which updates the file associated + with the Storage object. It presumes it is run from a command-line application and supports the following flags: - ``--auth_host_name`` (string, default: ``localhost``) - Host name to use when running a local web server to handle - redirects during OAuth authorization. - - ``--auth_host_port`` (integer, default: ``[8080, 8090]``) - Port to use when running a local web server to handle redirects - during OAuth authorization. Repeat this option to specify a list - of values. - - ``--[no]auth_local_webserver`` (boolean, default: ``True``) - Run a local web server to handle redirects during OAuth authorization. - + --auth_host_name: Host name to use when running a local web server + to handle redirects during OAuth authorization. + (default: 'localhost') + --auth_host_port: Port to use when running a local web server to handle + redirects during OAuth authorization.; + repeat this option to specify a list of values + (default: '[8080, 8090]') + (an integer) + --[no]auth_local_webserver: Run a local web server to handle redirects + during OAuth authorization. + (default: 'true') - The tools module defines an ``ArgumentParser`` the already contains the flag - definitions that ``run()`` requires. You can pass that ``ArgumentParser`` to your - ``ArgumentParser`` constructor:: + The tools module defines an ArgumentParser the already contains the flag + definitions that run() requires. You can pass that ArgumentParser to your + ArgumentParser constructor: - parser = argparse.ArgumentParser(description=__doc__, - formatter_class=argparse.RawDescriptionHelpFormatter, - parents=[tools.argparser]) - flags = parser.parse_args(argv) + parser = argparse.ArgumentParser(description=__doc__, + formatter_class=argparse.RawDescriptionHelpFormatter, + parents=[tools.run_parser]) + flags = parser.parse_args(argv) Args: flow: Flow, an OAuth 2.0 Flow to step through. - storage: Storage, a ``Storage`` to store the credential in. - flags: ``argparse.Namespace``, The command-line flags. This is the - object returned from calling ``parse_args()`` on - ``argparse.ArgumentParser`` as described above. - http: An instance of ``httplib2.Http.request`` or something that - acts like it. + storage: Storage, a Storage to store the credential in. + flags: argparse.ArgumentParser, the command-line flags. + http: An instance of httplib2.Http.request + or something that acts like it. Returns: Credentials, the obtained credential. @@ -168,20 +163,20 @@ def run_flow(flow, storage, flags, http=None): try: httpd = ClientRedirectServer((flags.auth_host_name, port), ClientRedirectHandler) - except socket.error: + except socket.error, e: pass else: success = True break flags.noauth_local_webserver = not success if not success: - print('Failed to start a local webserver listening on either port 8080') - print('or port 9090. Please check your firewall settings and locally') - print('running programs that may be blocking or using those ports.') - print() - print('Falling back to --noauth_local_webserver and continuing with') - print('authorization.') - print() + print 'Failed to start a local webserver listening on either port 8080' + print 'or port 9090. Please check your firewall settings and locally' + print 'running programs that may be blocking or using those ports.' + print + print 'Falling back to --noauth_local_webserver and continuing with', + print 'authorization.' + print if not flags.noauth_local_webserver: oauth_callback = 'http://%s:%s/' % (flags.auth_host_name, port_number) @@ -191,22 +186,21 @@ def run_flow(flow, storage, flags, http=None): authorize_url = flow.step1_get_authorize_url() if not flags.noauth_local_webserver: - import webbrowser webbrowser.open(authorize_url, new=1, autoraise=True) - print('Your browser has been opened to visit:') - print() - print(' ' + authorize_url) - print() - print('If your browser is on a different machine then exit and re-run this') - print('application with the command-line parameter ') - print() - print(' --noauth_local_webserver') - print() + print 'Your browser has been opened to visit:' + print + print ' ' + authorize_url + print + print 'If your browser is on a different machine then exit and re-run this' + print 'application with the command-line parameter ' + print + print ' --noauth_local_webserver' + print else: - print('Go to the following link in your browser:') - print() - print(' ' + authorize_url) - print() + print 'Go to the following link in your browser:' + print + print ' ' + authorize_url + print code = None if not flags.noauth_local_webserver: @@ -216,19 +210,19 @@ def run_flow(flow, storage, flags, http=None): if 'code' in httpd.query_params: code = httpd.query_params['code'] else: - print('Failed to find "code" in the query parameters of the redirect.') + print 'Failed to find "code" in the query parameters of the redirect.' sys.exit('Try running with --noauth_local_webserver.') else: - code = input('Enter verification code: ').strip() + code = raw_input('Enter verification code: ').strip() try: credential = flow.step2_exchange(code, http=http) - except client.FlowExchangeError as e: + except client.FlowExchangeError, e: sys.exit('Authentication has failed: %s' % e) storage.put(credential) credential.set_store(storage) - print('Authentication successful.') + print 'Authentication successful.' return credential @@ -239,11 +233,11 @@ def message_if_missing(filename): return _CLIENT_SECRETS_MESSAGE % filename try: - from oauth2client.old_run import run - from oauth2client.old_run import FLAGS + from old_run import run + from old_run import FLAGS except ImportError: def run(*args, **kwargs): raise NotImplementedError( 'The gflags library must be installed to use tools.run(). ' 'Please install gflags or preferrably switch to using ' - 'tools.run_flow().') \ No newline at end of file + 'tools.run_flow().') diff --git a/third_party/oauth2client/util.py b/third_party/oauth2client/util.py index b0963ef52..90dff155b 100644 --- a/third_party/oauth2client/util.py +++ b/third_party/oauth2client/util.py @@ -1,6 +1,6 @@ #!/usr/bin/env python # -# Copyright 2014 Google Inc. All rights reserved. +# Copyright 2010 Google Inc. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -17,27 +17,26 @@ """Common utility library.""" -__author__ = [ - 'rafek@google.com (Rafe Kaplan)', - 'guido@google.com (Guido van Rossum)', +__author__ = ['rafek@google.com (Rafe Kaplan)', + 'guido@google.com (Guido van Rossum)', ] - __all__ = [ - 'positional', - 'POSITIONAL_WARNING', - 'POSITIONAL_EXCEPTION', - 'POSITIONAL_IGNORE', + 'positional', + 'POSITIONAL_WARNING', + 'POSITIONAL_EXCEPTION', + 'POSITIONAL_IGNORE', ] -import functools import inspect import logging -import sys import types +import urllib +import urlparse -from third_party import six -from third_party.six.moves import urllib - +try: + from urlparse import parse_qsl +except ImportError: + from cgi import parse_qsl logger = logging.getLogger(__name__) @@ -52,58 +51,56 @@ positional_parameters_enforcement = POSITIONAL_WARNING def positional(max_positional_args): """A decorator to declare that only the first N arguments my be positional. - This decorator makes it easy to support Python 3 style keyword-only - parameters. For example, in Python 3 it is possible to write:: + This decorator makes it easy to support Python 3 style key-word only + parameters. For example, in Python 3 it is possible to write: def fn(pos1, *, kwonly1=None, kwonly1=None): ... - All named parameters after ``*`` must be a keyword:: + All named parameters after * must be a keyword: fn(10, 'kw1', 'kw2') # Raises exception. fn(10, kwonly1='kw1') # Ok. - Example - ^^^^^^^ - - To define a function like above, do:: + Example: + To define a function like above, do: - @positional(1) - def fn(pos1, kwonly1=None, kwonly2=None): - ... + @positional(1) + def fn(pos1, kwonly1=None, kwonly2=None): + ... - If no default value is provided to a keyword argument, it becomes a required - keyword argument:: + If no default value is provided to a keyword argument, it becomes a required + keyword argument: - @positional(0) - def fn(required_kw): - ... + @positional(0) + def fn(required_kw): + ... - This must be called with the keyword parameter:: + This must be called with the keyword parameter: - fn() # Raises exception. - fn(10) # Raises exception. - fn(required_kw=10) # Ok. + fn() # Raises exception. + fn(10) # Raises exception. + fn(required_kw=10) # Ok. - When defining instance or class methods always remember to account for - ``self`` and ``cls``:: + When defining instance or class methods always remember to account for + 'self' and 'cls': - class MyClass(object): + class MyClass(object): - @positional(2) - def my_method(self, pos1, kwonly1=None): - ... + @positional(2) + def my_method(self, pos1, kwonly1=None): + ... - @classmethod - @positional(2) - def my_method(cls, pos1, kwonly1=None): - ... + @classmethod + @positional(2) + def my_method(cls, pos1, kwonly1=None): + ... The positional decorator behavior is controlled by - ``util.positional_parameters_enforcement``, which may be set to - ``POSITIONAL_EXCEPTION``, ``POSITIONAL_WARNING`` or - ``POSITIONAL_IGNORE`` to raise an exception, log a warning, or do - nothing, respectively, if a declaration is violated. + util.positional_parameters_enforcement, which may be set to + POSITIONAL_EXCEPTION, POSITIONAL_WARNING or POSITIONAL_IGNORE to raise an + exception, log a warning, or do nothing, respectively, if a declaration is + violated. Args: max_positional_arguments: Maximum number of positional arguments. All @@ -117,10 +114,8 @@ def positional(max_positional_args): TypeError if a key-word only argument is provided as a positional parameter, but only if util.positional_parameters_enforcement is set to POSITIONAL_EXCEPTION. - """ def positional_decorator(wrapped): - @functools.wraps(wrapped) def positional_wrapper(*args, **kwargs): if len(args) > max_positional_args: plural_s = '' @@ -137,7 +132,7 @@ def positional(max_positional_args): return wrapped(*args, **kwargs) return positional_wrapper - if isinstance(max_positional_args, six.integer_types): + if isinstance(max_positional_args, (int, long)): return positional_decorator else: args, _, _, defaults = inspect.getargspec(max_positional_args) @@ -157,7 +152,7 @@ def scopes_to_string(scopes): Returns: The scopes formatted as a single string. """ - if isinstance(scopes, six.string_types): + if isinstance(scopes, types.StringTypes): return scopes else: return ' '.join(scopes) @@ -194,8 +189,8 @@ def _add_query_parameter(url, name, value): if value is None: return url else: - parsed = list(urllib.parse.urlparse(url)) - q = dict(urllib.parse.parse_qsl(parsed[4])) + parsed = list(urlparse.urlparse(url)) + q = dict(parse_qsl(parsed[4])) q[name] = value - parsed[4] = urllib.parse.urlencode(q) - return urllib.parse.urlunparse(parsed) \ No newline at end of file + parsed[4] = urllib.urlencode(q) + return urlparse.urlunparse(parsed) diff --git a/third_party/oauth2client/xsrfutil.py b/third_party/oauth2client/xsrfutil.py index bea7c875e..7e1fe5c81 100644 --- a/third_party/oauth2client/xsrfutil.py +++ b/third_party/oauth2client/xsrfutil.py @@ -1,5 +1,6 @@ +#!/usr/bin/python2.5 # -# Copyright 2014 the Melange authors. +# Copyright 2010 the Melange authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -16,36 +17,25 @@ """Helper methods for creating & verifying XSRF tokens.""" __authors__ = [ - '"Doug Coker" ', - '"Joe Gregorio" ', + '"Doug Coker" ', + '"Joe Gregorio" ', ] import base64 import hmac +import os # for urandom import time -import six from oauth2client import util # Delimiter character -DELIMITER = b':' - +DELIMITER = ':' # 1 hour in seconds DEFAULT_TIMEOUT_SECS = 1*60*60 - -def _force_bytes(s): - if isinstance(s, bytes): - return s - s = str(s) - if isinstance(s, six.text_type): - return s.encode('utf-8') - return s - - @util.positional(2) def generate_token(key, user_id, action_id="", when=None): """Generates a URL-safe token for the given user, action, time tuple. @@ -61,16 +51,18 @@ def generate_token(key, user_id, action_id="", when=None): Returns: A string XSRF protection token. """ - when = _force_bytes(when or int(time.time())) - digester = hmac.new(_force_bytes(key)) - digester.update(_force_bytes(user_id)) + when = when or int(time.time()) + digester = hmac.new(key) + digester.update(str(user_id)) digester.update(DELIMITER) - digester.update(_force_bytes(action_id)) + digester.update(action_id) digester.update(DELIMITER) - digester.update(when) + digester.update(str(when)) digest = digester.digest() - token = base64.urlsafe_b64encode(digest + DELIMITER + when) + token = base64.urlsafe_b64encode('%s%s%d' % (digest, + DELIMITER, + when)) return token @@ -95,8 +87,8 @@ def validate_token(key, token, user_id, action_id="", current_time=None): if not token: return False try: - decoded = base64.urlsafe_b64decode(token) - token_time = int(decoded.split(DELIMITER)[-1]) + decoded = base64.urlsafe_b64decode(str(token)) + token_time = long(decoded.split(DELIMITER)[-1]) except (TypeError, ValueError): return False if current_time is None: @@ -113,6 +105,9 @@ def validate_token(key, token, user_id, action_id="", current_time=None): # Perform constant time comparison to avoid timing attacks different = 0 - for x, y in zip(bytearray(token), bytearray(expected_token)): - different |= x ^ y - return not different \ No newline at end of file + for x, y in zip(token, expected_token): + different |= ord(x) ^ ord(y) + if different: + return False + + return True