a !f#n@sdZddlZddlZddlZddlZddlZddlZddlmZddlmZddlm Z ddlm Z dZ dZ d Z Gd d d ejZd d ZGdddeZdS)z/oauth2client Service account credentials class.N)_helpers)client)crypt) transportZ notasecret_private_key_pkcs12a  This library only implements PKCS#12 support via the pyOpenSSL library. Either install pyOpenSSL, or please convert the .p12 file to .pem format: $ cat key.p12 | \ > openssl pkcs12 -nodes -nocerts -passin pass:notasecret | \ > openssl rsa > key.pem cs.eZdZdZdZedgejjBZdZ dZ dZ dddde j e jffdd Zd(fdd Zed)d d Zed*d d Zed+ddZedde j e jfddZedde j e jfddZedde j e jfddZddZddZeddZeddZeddZd d!Zd"d#Zd$d%Z d&d'Z!Z"S),ServiceAccountCredentialsaService Account credential for OAuth 2.0 signed JWT grants. Supports * JSON keyfile (typically contains a PKCS8 key stored as PEM text) * ``.p12`` key (stores PKCS12 key and certificate) Makes an assertion to server using a signed JWT assertion in exchange for an access token. This credential does not require a flow to instantiate because it represents a two legged flow, and therefore has all of the required information to generate and refresh its own access tokens. Args: service_account_email: string, The email associated with the service account. signer: ``crypt.Signer``, A signer which can be used to sign content. scopes: List or string, (Optional) Scopes to use when acquiring an access token. private_key_id: string, (Optional) Private key identifier. Typically only used with a JSON keyfile. Can be sent in the header of a JWT token assertion. client_id: string, (Optional) Client ID for the project that owns the service account. user_agent: string, (Optional) User agent to use when sending request. token_uri: string, URI for token endpoint. For convenience defaults to Google's endpoints but any OAuth 2.0 provider can be used. revoke_uri: string, URI for revoke endpoint. For convenience defaults to Google's endpoints but any OAuth 2.0 provider can be used. kwargs: dict, Extra key-value pairs (both strings) to send in the payload body when making an assertion. _signerNc  sLtt|jd|||d||_||_t||_||_||_ ||_ | |_ dS)N) user_agent token_uri revoke_uri) superr__init___service_account_emailr rZscopes_to_string_scopes_private_key_id client_id _user_agent_kwargs) selfservice_account_emailsignerscopesprivate_key_idrr r r kwargs __class__]/var/www/html/python-backend/venv/lib/python3.9/site-packages/oauth2client/service_account.pyr_s  z"ServiceAccountCredentials.__init__csH|durt|j}|t}|dur4t||t<tt|j||dS)acUtility function that creates JSON repr. of a credentials object. Over-ride is needed since PKCS#12 keys will not in general be JSON serializable. Args: strip: array, An array of names of members to exclude from the JSON. to_serialize: dict, (Optional) The properties for this object that will be serialized. This allows callers to modify before serializing. Returns: string, a JSON representation of this instance, suitable to pass to from_json(). N) to_serialize) copy__dict__get _PKCS12_KEYbase64 b64encoderr_to_json)rstripr pkcs12_valrrrr'vs   z"ServiceAccountCredentials._to_jsonc Cs|d}|tjkr$td|dtj|d}|d}|d}|d} |sV|dtj}|sh|d tj}tj |} ||| ||| ||d } || _ | S) a Helper for factory constructors from JSON keyfile. Args: keyfile_dict: dict-like object, The parsed dictionary-like object containing the contents of the JSON keyfile. scopes: List or string, Scopes to use when acquiring an access token. token_uri: string, URI for OAuth 2.0 provider token endpoint. If unset and not present in keyfile_dict, defaults to Google's endpoints. revoke_uri: string, URI for OAuth 2.0 provider revoke endpoint. If unset and not present in keyfile_dict, defaults to Google's endpoints. Returns: ServiceAccountCredentials, a credentials object created from the keyfile contents. Raises: ValueError, if the credential type is not :data:`SERVICE_ACCOUNT`. KeyError, if one of the expected keys is not present in the keyfile. typezUnexpected credentials typeZExpected client_email private_keyrrr r )rrrr r ) r#rZSERVICE_ACCOUNT ValueError oauth2clientGOOGLE_TOKEN_URIGOOGLE_REVOKE_URIrSigner from_string_private_key_pkcs8_pem) cls keyfile_dictrr r Z creds_typerprivate_key_pkcs8_pemrrr credentialsrrr_from_parsed_json_keyfiles2   z3ServiceAccountCredentials._from_parsed_json_keyfilecCsFt|d}t|}Wdn1s*0Y|j||||dS)aFactory constructor from JSON keyfile by name. Args: filename: string, The location of the keyfile. scopes: List or string, (Optional) Scopes to use when acquiring an access token. token_uri: string, URI for OAuth 2.0 provider token endpoint. If unset and not present in the key file, defaults to Google's endpoints. revoke_uri: string, URI for OAuth 2.0 provider revoke endpoint. If unset and not present in the key file, defaults to Google's endpoints. Returns: ServiceAccountCredentials, a credentials object created from the keyfile. Raises: ValueError, if the credential type is not :data:`SERVICE_ACCOUNT`. KeyError, if one of the expected keys is not present in the keyfile. rNr r )openjsonloadr8)r4filenamerr r file_objZclient_credentialsrrrfrom_json_keyfile_names  (z0ServiceAccountCredentials.from_json_keyfile_namecCs|j||||dS)aFactory constructor from parsed JSON keyfile. Args: keyfile_dict: dict-like object, The parsed dictionary-like object containing the contents of the JSON keyfile. scopes: List or string, (Optional) Scopes to use when acquiring an access token. token_uri: string, URI for OAuth 2.0 provider token endpoint. If unset and not present in keyfile_dict, defaults to Google's endpoints. revoke_uri: string, URI for OAuth 2.0 provider revoke endpoint. If unset and not present in keyfile_dict, defaults to Google's endpoints. Returns: ServiceAccountCredentials, a credentials object created from the keyfile. Raises: ValueError, if the credential type is not :data:`SERVICE_ACCOUNT`. KeyError, if one of the expected keys is not present in the keyfile. r:)r8)r4r5rr r rrrfrom_json_keyfile_dictsz0ServiceAccountCredentials.from_json_keyfile_dictc CsP|dur t}tjtjur tttj||}||||||d}||_||_|S)axFactory constructor from JSON keyfile. Args: service_account_email: string, The email associated with the service account. private_key_pkcs12: string, The contents of a PKCS#12 keyfile. private_key_password: string, (Optional) Password for PKCS#12 private key. Defaults to ``notasecret``. scopes: List or string, (Optional) Scopes to use when acquiring an access token. token_uri: string, URI for token endpoint. For convenience defaults to Google's endpoints but any OAuth 2.0 provider can be used. revoke_uri: string, URI for revoke endpoint. For convenience defaults to Google's endpoints but any OAuth 2.0 provider can be used. Returns: ServiceAccountCredentials, a credentials object created from the keyfile. Raises: NotImplementedError if pyOpenSSL is not installed / not the active crypto library. N)rr r ) _PASSWORD_DEFAULTrr1Z OpenSSLSignerNotImplementedError _PKCS12_ERRORr2r_private_key_password) r4rprivate_key_pkcs12private_key_passwordrr r rr7rrr_from_p12_keyfile_contentss z4ServiceAccountCredentials._from_p12_keyfile_contentsc CsHt|d}|}Wdn1s(0Y|j||||||dS)apFactory constructor from JSON keyfile. Args: service_account_email: string, The email associated with the service account. filename: string, The location of the PKCS#12 keyfile. private_key_password: string, (Optional) Password for PKCS#12 private key. Defaults to ``notasecret``. scopes: List or string, (Optional) Scopes to use when acquiring an access token. token_uri: string, URI for token endpoint. For convenience defaults to Google's endpoints but any OAuth 2.0 provider can be used. revoke_uri: string, URI for revoke endpoint. For convenience defaults to Google's endpoints but any OAuth 2.0 provider can be used. Returns: ServiceAccountCredentials, a credentials object created from the keyfile. Raises: NotImplementedError if pyOpenSSL is not installed / not the active crypto library. rbNrGrr r )r;readrH) r4rr>rGrr r r?rFrrrfrom_p12_keyfile*s &z*ServiceAccountCredentials.from_p12_keyfilecCs|}|j||||||dS)aFactory constructor from JSON keyfile. Args: service_account_email: string, The email associated with the service account. file_buffer: stream, A buffer that implements ``read()`` and contains the PKCS#12 key contents. private_key_password: string, (Optional) Password for PKCS#12 private key. Defaults to ``notasecret``. scopes: List or string, (Optional) Scopes to use when acquiring an access token. token_uri: string, URI for token endpoint. For convenience defaults to Google's endpoints but any OAuth 2.0 provider can be used. revoke_uri: string, URI for revoke endpoint. For convenience defaults to Google's endpoints but any OAuth 2.0 provider can be used. Returns: ServiceAccountCredentials, a credentials object created from the keyfile. Raises: NotImplementedError if pyOpenSSL is not installed / not the active crypto library. rJ)rKrH)r4rZ file_bufferrGrr r rFrrrfrom_p12_keyfile_bufferPs z1ServiceAccountCredentials.from_p12_keyfile_buffercCsHtt}|j|j|||j|jd}||jtj |j ||j dS)z8Generate the assertion that will be used in the request.)ZaudscopeiatexpissZkey_id) inttimer rMAX_TOKEN_LIFETIME_SECSrupdaterrmake_signed_jwtr r)rnowpayloadrrr_generate_assertionus   z-ServiceAccountCredentials._generate_assertioncCs|j|j|fS)aUCryptographically sign a blob (of bytes). Implements abstract method :meth:`oauth2client.client.AssertionCredentials.sign_blob`. Args: blob: bytes, Message to be signed. Returns: tuple, A pair of the private key ID used to sign the blob and the signed contents. )rr sign)rZblobrrr sign_blobs z#ServiceAccountCredentials.sign_blobcCs|jS)zGet the email for the current service account. Returns: string, The email associated with the service account. )rrrrrrsz/ServiceAccountCredentials.service_account_emailcCsd|j|j|j|jdS)NZservice_account)r*r+rr,r)rrr3rr]rrrserialization_datas z,ServiceAccountCredentials.serialization_datacCst|tstt|}d}|t}d}|durJ|d}tj |}n t |}|d}tj ||}||d|f|d|d|d|dd |d }|dur||_ |dur||_|dur||_|d |_|d |_|d |_|d|_|dd}|durtj|tj|_|S)aMDeserialize a JSON-serialized instance. Inverse to :meth:`to_json`. Args: json_data: dict or string, Serialized JSON (as a string or an already parsed dictionary) representing a credential. Returns: ServiceAccountCredentials from the serialized data. Nr3rErrrrrrrrr rinvalid access_tokenr r token_expiry) isinstancedictr<loadsrZ _from_bytesr#r$rr1r2r% b64decoder3rrEr`rar r datetimestrptimerZ EXPIRY_FORMATrb)r4Z json_datar6r)passwordrr7rbrrr from_jsonsL          z#ServiceAccountCredentials.from_jsoncCs|j S)N)rr]rrrcreate_scoped_requiredsz0ServiceAccountCredentials.create_scoped_requiredcCsV|j|j|jf||j|j|jd|j}|j|_|j|_|j |_ |j |_ |j |_ |S)Nr_) rrr rrrrr r r3rrE)rrresultrrr create_scopeds z'ServiceAccountCredentials.create_scopedcCsjt|j}|||j|j|jf|j|j|j|j d|}|j |_ |j |_ |j |_ |j |_ |j|_|S)a<Create credentials that specify additional claims. Args: claims: dict, key-value pairs for claims. Returns: ServiceAccountCredentials, a copy of the current service account credentials with updated claims to use when obtaining access tokens. r_)rdrrVrrr rrrrr r r3rrE)rZclaimsZ new_kwargsrlrrrcreate_with_claimss$  z,ServiceAccountCredentials.create_with_claimscCs|d|iS)aYCreate credentials that act as domain-wide delegation of authority. Use the ``sub`` parameter as the subject to delegate on behalf of that user. For example:: >>> account_sub = 'foo@email.com' >>> delegate_creds = creds.create_delegated(account_sub) Args: sub: string, An email address that this service account will act on behalf of (via domain-wide delegation). Returns: ServiceAccountCredentials, a copy of the current service account updated to act on behalf of ``sub``. sub)rn)rrorrrcreate_delegated sz*ServiceAccountCredentials.create_delegated)N)NN)r NN)r NN)#__name__ __module__ __qualname____doc__rU frozensetrAssertionCredentialsZNON_SERIALIZED_MEMBERSr3rrEr.r/r0rr' classmethodr8r@rArHrLrMrZr\propertyrr^rjrkrmrnrp __classcell__rrrrr*sn& 1   * % $   6rcCs&tddd}||}|jd|jS)NiiQ)rgdaysseconds)Zutc_timeepochZ time_deltarrr_datetime_to_secs sr~cseZdZdZdZddddejejdffdd ZddZ ddd Z d d Z d d Z ejejfddZ ddZddZdddZZS)_JWTAccessCredentialszSelf signed JWT credentials. Makes an assertion to server using a self signed JWT from service account credentials. These credentials do NOT use OAuth 2.0 and instead authenticate directly. rNc s6| dur i} tt|j||f|||||d| dS)N)rrr r r )rrr) rrrrrrr r r additional_claimsrrrr2s  z_JWTAccessCredentials.__init__cCst|||S)aAuthorize an httplib2.Http instance with a JWT assertion. Unless specified, the 'aud' of the assertion will be the base uri of the request. Args: http: An instance of ``httplib2.Http`` or something that acts like it. Returns: A modified instance of http that was passed in. Example:: h = httplib2.Http() h = credentials.authorize(h) )rZwrap_http_for_jwt_accessrhttprrr authorizeHs z_JWTAccessCredentials.authorizecCsX|dur6|jdus|jr"|dtj|j|dS||\}}tj||jdSdS)zCreate a signed jwt. Args: http: unused additional_claims: dict, additional claims to add to the payload of the JWT. Returns: An AccessTokenInfo with the signed jwt N)raZ expires_in)raZaccess_token_expiredrefreshrZAccessTokenInfoZ _expires_in _create_token_MAX_TOKEN_LIFETIME_SECS)rrrtokenZ unused_expiryrrrget_access_tokenZs   z&_JWTAccessCredentials.get_access_tokencCsdS)z*Cannot revoke JWTAccessCredentials tokens.Nrrrrrrevokeosz_JWTAccessCredentials.revokecCsdS)NTrr]rrrrkssz,_JWTAccessCredentials.create_scoped_requiredc Csft|j|jf||j|j|j||d|j}|jdur>|j|_|jdurP|j|_|j durb|j |_ |S)N)rrrr r r ) rrr rrrrr3rrE)rrr r rlrrrrmws&   z#_JWTAccessCredentials.create_scopedcCs|ddS)zRefreshes the access_token. The HTTP object is unused since no request needs to be made to get a new token, it can just be generated locally. Args: http: unused HTTP object N)_refreshrrrrrs z_JWTAccessCredentials.refreshcCs|\|_|_dS)zXRefreshes the access_token. Args: http: unused HTTP object N)rrarbrrrrrsz_JWTAccessCredentials._refreshcCsxt}tj|jd}||}t|t||j|jd}||j|durV||t j |j ||j d}| d|fS)N)r|)rOrPrQrorRascii)rZ_UTCNOWrg timedeltarr~rrVrrrWr rdecode)rrrXZlifetimeZexpiryrYZjwtrrrrs   z#_JWTAccessCredentials._create_token)NN)N)rqrrrsrtrr.r/r0rrrrrkrmrrrryrrrrr(s(   r)rtr%r!rgr<rTr.rrrrrBr$rDrvrr~rrrrrs&     y