o i#n@sdZddlZddlZddlZddlZddlZddlZddlmZddlmZddlm Z ddlm Z dZ dZ d Z Gd d d ejZd d ZGdddeZdS)z/oauth2client Service account credentials class.N)_helpers)client)crypt) transport notasecret_private_key_pkcs12a  This library only implements PKCS#12 support via the pyOpenSSL library. Either install pyOpenSSL, or please convert the .p12 file to .pem format: $ cat key.p12 | \ > openssl pkcs12 -nodes -nocerts -passin pass:notasecret | \ > openssl rsa > key.pem cs<eZdZdZdZ edgejjBZ dZ dZ dZ dddde j e jffdd Zd(fdd Ze d)d d Ze  d*d d Ze  d*ddZedde j e jfddZedde j e jfddZedde j e jfddZddZddZeddZeddZeddZd d!Zd"d#Zd$d%Z d&d'Z!Z"S)+ServiceAccountCredentialsaService Account credential for OAuth 2.0 signed JWT grants. Supports * JSON keyfile (typically contains a PKCS8 key stored as PEM text) * ``.p12`` key (stores PKCS12 key and certificate) Makes an assertion to server using a signed JWT assertion in exchange for an access token. This credential does not require a flow to instantiate because it represents a two legged flow, and therefore has all of the required information to generate and refresh its own access tokens. Args: service_account_email: string, The email associated with the service account. signer: ``crypt.Signer``, A signer which can be used to sign content. scopes: List or string, (Optional) Scopes to use when acquiring an access token. private_key_id: string, (Optional) Private key identifier. Typically only used with a JSON keyfile. Can be sent in the header of a JWT token assertion. client_id: string, (Optional) Client ID for the project that owns the service account. user_agent: string, (Optional) User agent to use when sending request. token_uri: string, URI for token endpoint. For convenience defaults to Google's endpoints but any OAuth 2.0 provider can be used. revoke_uri: string, URI for revoke endpoint. For convenience defaults to Google's endpoints but any OAuth 2.0 provider can be used. kwargs: dict, Extra key-value pairs (both strings) to send in the payload body when making an assertion. _signerNc  sLtt|jd|||d||_||_t||_||_||_ ||_ | |_ dS)N) user_agent token_uri revoke_uri) superr__init___service_account_emailr rscopes_to_string_scopes_private_key_id client_id _user_agent_kwargs) selfservice_account_emailsignerscopesprivate_key_idrr r rkwargs __class__W/var/www/edux/Edux_v2/venv/lib/python3.10/site-packages/oauth2client/service_account.pyr_s   z"ServiceAccountCredentials.__init__csH|dur t|j}|t}|durt||t<tt|j||dS)acUtility function that creates JSON repr. of a credentials object. Over-ride is needed since PKCS#12 keys will not in general be JSON serializable. Args: strip: array, An array of names of members to exclude from the JSON. to_serialize: dict, (Optional) The properties for this object that will be serialized. This allows callers to modify before serializing. Returns: string, a JSON representation of this instance, suitable to pass to from_json(). N) to_serialize) copy__dict__get _PKCS12_KEYbase64 b64encoderr_to_json)rstripr" pkcs12_valrr r!r)vs   z"ServiceAccountCredentials._to_jsonc Cs|d}|tjkrtd|dtj|d}|d}|d}|d} |s+|dtj}|s4|d tj}tj |} ||| ||| ||d } || _ | S) a Helper for factory constructors from JSON keyfile. Args: keyfile_dict: dict-like object, The parsed dictionary-like object containing the contents of the JSON keyfile. scopes: List or string, Scopes to use when acquiring an access token. token_uri: string, URI for OAuth 2.0 provider token endpoint. If unset and not present in keyfile_dict, defaults to Google's endpoints. revoke_uri: string, URI for OAuth 2.0 provider revoke endpoint. If unset and not present in keyfile_dict, defaults to Google's endpoints. Returns: ServiceAccountCredentials, a credentials object created from the keyfile contents. Raises: ValueError, if the credential type is not :data:`SERVICE_ACCOUNT`. KeyError, if one of the expected keys is not present in the keyfile. typezUnexpected credentials typeExpected client_email private_keyrrr r)rrrr r) r%rSERVICE_ACCOUNT ValueError oauth2clientGOOGLE_TOKEN_URIGOOGLE_REVOKE_URIrSigner from_string_private_key_pkcs8_pem) cls keyfile_dictrr r creds_typerprivate_key_pkcs8_pemrrr credentialsr r r!_from_parsed_json_keyfiles2   z3ServiceAccountCredentials._from_parsed_json_keyfilecCsFt|d }t|}Wdn1swY|j||||dS)aFactory constructor from JSON keyfile by name. Args: filename: string, The location of the keyfile. scopes: List or string, (Optional) Scopes to use when acquiring an access token. token_uri: string, URI for OAuth 2.0 provider token endpoint. If unset and not present in the key file, defaults to Google's endpoints. revoke_uri: string, URI for OAuth 2.0 provider revoke endpoint. If unset and not present in the key file, defaults to Google's endpoints. Returns: ServiceAccountCredentials, a credentials object created from the keyfile. Raises: ValueError, if the credential type is not :data:`SERVICE_ACCOUNT`. KeyError, if one of the expected keys is not present in the keyfile. rNr r)openjsonloadr=)r8filenamerr rfile_objclient_credentialsr r r!from_json_keyfile_names  z0ServiceAccountCredentials.from_json_keyfile_namecCs|j||||dS)aFactory constructor from parsed JSON keyfile. Args: keyfile_dict: dict-like object, The parsed dictionary-like object containing the contents of the JSON keyfile. scopes: List or string, (Optional) Scopes to use when acquiring an access token. token_uri: string, URI for OAuth 2.0 provider token endpoint. If unset and not present in keyfile_dict, defaults to Google's endpoints. revoke_uri: string, URI for OAuth 2.0 provider revoke endpoint. If unset and not present in keyfile_dict, defaults to Google's endpoints. Returns: ServiceAccountCredentials, a credentials object created from the keyfile. Raises: ValueError, if the credential type is not :data:`SERVICE_ACCOUNT`. KeyError, if one of the expected keys is not present in the keyfile. r?)r=)r8r9rr rr r r!from_json_keyfile_dictsz0ServiceAccountCredentials.from_json_keyfile_dictc CsP|durt}tjtjurtttj||}||||||d}||_||_|S)axFactory constructor from JSON keyfile. Args: service_account_email: string, The email associated with the service account. private_key_pkcs12: string, The contents of a PKCS#12 keyfile. private_key_password: string, (Optional) Password for PKCS#12 private key. Defaults to ``notasecret``. scopes: List or string, (Optional) Scopes to use when acquiring an access token. token_uri: string, URI for token endpoint. For convenience defaults to Google's endpoints but any OAuth 2.0 provider can be used. revoke_uri: string, URI for revoke endpoint. For convenience defaults to Google's endpoints but any OAuth 2.0 provider can be used. Returns: ServiceAccountCredentials, a credentials object created from the keyfile. Raises: NotImplementedError if pyOpenSSL is not installed / not the active crypto library. N)rr r) _PASSWORD_DEFAULTrr5 OpenSSLSignerNotImplementedError _PKCS12_ERRORr6r_private_key_password) r8rprivate_key_pkcs12private_key_passwordrr rrr<r r r!_from_p12_keyfile_contentss z4ServiceAccountCredentials._from_p12_keyfile_contentsc CsHt|d }|}Wdn1swY|j||||||dS)apFactory constructor from JSON keyfile. Args: service_account_email: string, The email associated with the service account. filename: string, The location of the PKCS#12 keyfile. private_key_password: string, (Optional) Password for PKCS#12 private key. Defaults to ``notasecret``. scopes: List or string, (Optional) Scopes to use when acquiring an access token. token_uri: string, URI for token endpoint. For convenience defaults to Google's endpoints but any OAuth 2.0 provider can be used. revoke_uri: string, URI for revoke endpoint. For convenience defaults to Google's endpoints but any OAuth 2.0 provider can be used. Returns: ServiceAccountCredentials, a credentials object created from the keyfile. Raises: NotImplementedError if pyOpenSSL is not installed / not the active crypto library. rbNrNrr r)r@readrO) r8rrCrNrr rrDrMr r r!from_p12_keyfile*s  z*ServiceAccountCredentials.from_p12_keyfilecCs|}|j||||||dS)aFactory constructor from JSON keyfile. Args: service_account_email: string, The email associated with the service account. file_buffer: stream, A buffer that implements ``read()`` and contains the PKCS#12 key contents. private_key_password: string, (Optional) Password for PKCS#12 private key. Defaults to ``notasecret``. scopes: List or string, (Optional) Scopes to use when acquiring an access token. token_uri: string, URI for token endpoint. For convenience defaults to Google's endpoints but any OAuth 2.0 provider can be used. revoke_uri: string, URI for revoke endpoint. For convenience defaults to Google's endpoints but any OAuth 2.0 provider can be used. Returns: ServiceAccountCredentials, a credentials object created from the keyfile. Raises: NotImplementedError if pyOpenSSL is not installed / not the active crypto library. rQ)rRrO)r8r file_bufferrNrr rrMr r r!from_p12_keyfile_bufferPs z1ServiceAccountCredentials.from_p12_keyfile_buffercCsHtt}|j|j|||j|jd}||jtj |j ||j dS)z8Generate the assertion that will be used in the request.)audscopeiatexpisskey_id) inttimer rMAX_TOKEN_LIFETIME_SECSrupdaterrmake_signed_jwtr r)rnowpayloadr r r!_generate_assertionus   z-ServiceAccountCredentials._generate_assertioncCs|j|j|fS)aUCryptographically sign a blob (of bytes). Implements abstract method :meth:`oauth2client.client.AssertionCredentials.sign_blob`. Args: blob: bytes, Message to be signed. Returns: tuple, A pair of the private key ID used to sign the blob and the signed contents. )rr sign)rblobr r r! sign_blobs z#ServiceAccountCredentials.sign_blobcCs|jS)zGet the email for the current service account. Returns: string, The email associated with the service account. )rrr r r!rsz/ServiceAccountCredentials.service_account_emailcCsd|j|j|j|jdS)Nservice_account)r,r.rr/r)rrr7rrhr r r!serialization_datas z,ServiceAccountCredentials.serialization_datacCst|ts tt|}d}|t}d}|dur%|d}tj |}nt |}|d}tj ||}||d|f|d|d|d|dd |d }|durV||_ |dur]||_|durd||_|d |_|d |_|d |_|d|_|dd}|durtj|tj|_|S)aMDeserialize a JSON-serialized instance. Inverse to :meth:`to_json`. Args: json_data: dict or string, Serialized JSON (as a string or an already parsed dictionary) representing a credential. Returns: ServiceAccountCredentials from the serialized data. Nr7rLrrrrrrrrr rinvalid access_tokenr r token_expiry) isinstancedictrAloadsr _from_bytesr%r&rr5r6r' b64decoder7rrLrlrmr rdatetimestrptimer EXPIRY_FORMATrn)r8 json_datar;r+passwordrr<rnr r r! from_jsonsL         z#ServiceAccountCredentials.from_jsoncCs|j SN)rrhr r r!create_scoped_requiredsz0ServiceAccountCredentials.create_scoped_requiredcCsV|j|j|jf||j|j|jd|j}|j|_|j|_|j |_ |j |_ |j |_ |S)Nrk) rrr rrrrr rr7rrL)rrresultr r r! create_scopeds z'ServiceAccountCredentials.create_scopedcCsjt|j}|||j|j|jf|j|j|j|j d|}|j |_ |j |_ |j |_ |j |_ |j|_|S)a<Create credentials that specify additional claims. Args: claims: dict, key-value pairs for claims. Returns: ServiceAccountCredentials, a copy of the current service account credentials with updated claims to use when obtaining access tokens. rk)rprr`rrr rrrrr rr7rrL)rclaims new_kwargsr|r r r!create_with_claimss$ z,ServiceAccountCredentials.create_with_claimscCs|d|iS)aYCreate credentials that act as domain-wide delegation of authority. Use the ``sub`` parameter as the subject to delegate on behalf of that user. For example:: >>> account_sub = 'foo@email.com' >>> delegate_creds = creds.create_delegated(account_sub) Args: sub: string, An email address that this service account will act on behalf of (via domain-wide delegation). Returns: ServiceAccountCredentials, a copy of the current service account updated to act on behalf of ``sub``. sub)r)rrr r r!create_delegated sz*ServiceAccountCredentials.create_delegatedrzNN)r NN)#__name__ __module__ __qualname____doc__r_ frozensetrAssertionCredentialsNON_SERIALIZED_MEMBERSr7rrLr2r3r4rr) classmethodr=rFrGrOrSrUrdrgpropertyrrjryr{r}rr __classcell__r r rr!r*st& 1   * % $   6rcCs&tddd}||}|jd|jS)NiiQ)rtdaysseconds)utc_timeepoch time_deltar r r!_datetime_to_secs srcseZdZdZdZ ddddejejdffdd ZddZ ddd Z d d Z d d Z ejejfddZ ddZddZdddZZS)_JWTAccessCredentialszSelf signed JWT credentials. Makes an assertion to server using a self signed JWT from service account credentials. These credentials do NOT use OAuth 2.0 and instead authenticate directly. r Nc s6| duri} tt|j||f|||||d| dS)N)rrr r r)rrr) rrrrrrr r radditional_claimsrr r!r2s   z_JWTAccessCredentials.__init__cCst|||S)aAuthorize an httplib2.Http instance with a JWT assertion. Unless specified, the 'aud' of the assertion will be the base uri of the request. Args: http: An instance of ``httplib2.Http`` or something that acts like it. Returns: A modified instance of http that was passed in. Example:: h = httplib2.Http() h = credentials.authorize(h) )rwrap_http_for_jwt_accessrhttpr r r! authorizeHs z_JWTAccessCredentials.authorizecCsT|dur|jdus |jr|dtj|j|dS||\}}tj||jdS)zCreate a signed jwt. Args: http: unused additional_claims: dict, additional claims to add to the payload of the JWT. Returns: An AccessTokenInfo with the signed jwt N)rm expires_in)rmaccess_token_expiredrefreshrAccessTokenInfo _expires_in _create_token_MAX_TOKEN_LIFETIME_SECS)rrrtoken unused_expiryr r r!get_access_tokenZs   z&_JWTAccessCredentials.get_access_tokencCdS)z*Cannot revoke JWTAccessCredentials tokens.Nr rr r r!revokeoz_JWTAccessCredentials.revokecCr)NTr rhr r r!r{srz,_JWTAccessCredentials.create_scoped_requiredc Csft|j|jf||j|j|j||d|j}|jdur|j|_|jdur(|j|_|j dur1|j |_ |S)N)rrrr r r) rrr rrrrr7rrL)rrr rr|r r r!r}ws&   z#_JWTAccessCredentials.create_scopedcCs|ddS)zRefreshes the access_token. The HTTP object is unused since no request needs to be made to get a new token, it can just be generated locally. Args: http: unused HTTP object N)_refreshrr r r!rs z_JWTAccessCredentials.refreshcCs|\|_|_dS)zXRefreshes the access_token. Args: http: unused HTTP object N)rrmrnrr r r!rsz_JWTAccessCredentials._refreshcCsxt}tj|jd}||}t|t||j|jd}||j|dur+||t j |j ||j d}| d|fS)N)r)rXrYrZrr[ascii)r_UTCNOWrt timedeltarrrr`rrrar rdecode)rrrblifetimeexpiryrcjwtr r r!rs   z#_JWTAccessCredentials._create_tokenrrz)rrrrrr2r3r4rrrrr{r}rrrrr r rr!r(s,   r)rr'r#rtrAr^r2rrrrrHr&rKrrrrr r r r!s(     y