a !fYE @sdZddlZddlZddlZddlZddlZddlZddlZddlZddl Z ddl Z ddl Z ddl m Z ddl mZddlZddlmZddlmZddlmZddlmZd Zd Zzdd lmZd ZejduZWneyYn0eeZd Zd ZeZdZdZ dZ!dZ"dZ#dZ$de"dZ%dZ&e'dddgZ(dZ)e*ddZ+ze,e*ddZ-Wne.ypdZ-Yn0dZ/d e*d!d"Z0d#Z1d$Z2e1e2iZ3ejj4Z5ej6Z6ej7Z7ej8Z8Gd%d&d&e9Z:Gd'd(d(e;ZGd-d.d.e>Z?Gd/d0d0e<Z@Gd1d2d2e<ZAGd3d4d4e<ZBGd5d6d6e<ZCGd7d8d8e<ZDGd9d:d:e<ZEGd;d<dd>eGenerate the headers that will be used in the refresh request. content-type!application/x-www-form-urlencodedN user-agent)rrErrr!_generate_refresh_request_headerss   z3OAuth2Credentials._generate_refresh_request_headerscCs|js||nl|jzT|j}|rZ|jsZ|j|jkrZ|jsZtd| |n ||W|j n |j 0dS)ayRefreshes the access_token. This method first checks by reading the Storage object if available. If a refresh is still needed, it holds the Storage lock until the refresh is completed. Args: http: an object to be used to make HTTP requests. Raises: HttpAccessTokenRefreshError: When the refresh fails. z&Updated access_token read from StorageN) r:_do_refresh_requestrurxrr rrrrrw)r&r>Znew_credrrrrs         zOAuth2Credentials._refreshc Cs|}|}tdtj||jd||d\}}t|}|j t j krt |}||_|d|_|d|j|_d|vrtjt|dd}|t|_nd|_d |vrt|d |_|d |_n d|_d|_d |_|jr|j|ntd |d |j }zXt |}d |vrZ|d }d|vr<|d|d7}d|_|jdurZ|j|WnttfytYn0t ||j ddS)zRefresh the access_token using the refresh_token. Args: http: an object to be used to make HTTP requests. Raises: HttpAccessTokenRefreshError: When the refresh fails. zRefreshing access_tokenPOSTmethodrrFr rrrNrF#Failed to retrieve access token: %sInvalid response {0}.errorerror_description: T)r")!rrrrrrequestrrr`r"rOKrRrarr r%rr5 timedeltaintrrH_extract_id_tokenrrrr:r|format TypeErrorrr!) r&r>rrFrespcontentrdelta error_msgrrrrsN              z%OAuth2Credentials._do_refresh_requestcCs|||jp|jdS)zRevokes this credential and deletes the stored copy (if it exists). Args: http: an object to be used to make HTTP requests. N) _do_revokerr r=rrrr5szOAuth2Credentials._revokec Cstdd|i}t|j|}t||\}}|jtj kr^t j |}tj||d|d\}}|jtj krrd|_nPd|j}z$tt|} d| vr| d}WnttfyYn0t||jr|jdS) aRevokes this credential and deletes the stored copy (if it exists). Args: http: an object to be used to make HTTP requests. token: A string used as the token to be revoked. Can be either an access_token or refresh_token. Raises: TokenRevokeError: If the revoke request does not return with a 200 OK. zRevoking tokentokenr)rrTrrN)rrrupdate_query_paramsrrrr"rMETHOD_NOT_ALLOWEDrrrrrrrRrar`rrr,r:r) r&r>r query_paramsZtoken_revoke_urirrrrrrrrr=s.       zOAuth2Credentials._do_revokecCs|||jdS)zRetrieves the list of authorized scopes from the OAuth2 provider. Args: http: an object to be used to make HTTP requests. N)_do_retrieve_scopesr r=rrrrasz"OAuth2Credentials._retrieve_scopesc Cstd|dd}t|j|}t||\}}t|}|jt j krlt |}t t|dd|_nJd|j}zt |}d|vr|d}WnttfyYn0t|dS)a|Retrieves the list of authorized scopes from the OAuth2 provider. Args: http: an object to be used to make HTTP requests. token: A string used as the token to identify the credentials to the provider. Raises: Error: When refresh fails, indicating the the access token is invalid. zRefreshing scopesscope)r fieldsr\rrN)rrrrrrrr`r"rrrRrarPrr%rrrrr) r&r>rrrrrrrrrrris$        z%OAuth2Credentials._do_retrieve_scopes)NNNNNN)N)rrrrr positionalr$r?rArCrGrrrorgpropertyrrrrrrrrrrrrrrrrrrrrs< 9   $     8$rcs>eZdZdZd fdd ZeddZddZd d ZZ S) AccessTokenCredentialsaCredentials object for OAuth 2.0. Credentials can be applied to an httplib2.Http object using the authorize() method, which then signs each request from that object with the OAuth 2.0 access token. This set of credentials is for the use case where you have acquired an OAuth 2.0 access_token from another place such as a JavaScript client or another web application, and wish to use it from Python. Because only the access_token is present it can not be refreshed and will in time expire. AccessTokenCredentials objects may be safely pickled and unpickled. Usage:: credentials = AccessTokenCredentials('', 'my-user-agent/1.0') http = httplib2.Http() http = credentials.authorize(http) Raises: AccessTokenCredentialsExpired: raised when the access_token expires or is revoked. Nc s$tt|j|ddddd||ddS)aCreate an instance of OAuth2Credentials This is one of the few types if Credentials that you should contrust, Credentials objects are usually instantiated by a Flow. Args: access_token: string, access token. user_agent: string, The HTTP User-Agent to provide for this application. revoke_uri: string, URI for revoke endpoint. Defaults to None; a token can't be revoked if this is None. Nr)r#rr$)r&r rrr)rrr$s zAccessTokenCredentials.__init__cCs&tt|}t|d|d}|S)Nr r)rRrarr`rrrrrrgs z AccessTokenCredentials.from_jsoncCs tddS)zRefreshes the access token. Args: http: unused HTTP object. Raises: AccessTokenCredentialsError: always z>The access_token is expired or invalid and can't be refreshed.N)r.r=rrrrs zAccessTokenCredentials._refreshcCs|||jdSzRevokes the access_token and deletes the store if available. Args: http: an object to be used to make HTTP requests. Nrr r=rrrrszAccessTokenCredentials._revoke)N) rrrrr$rorgrrr+rrr)rrs   rcCsbtjtd}z0tj|ttd\}}|jtjko:| t t kWSt j y\tdYdS0dS)zDetermine if the current environment is Compute Engine. Returns: Boolean indicating whether or not the current environment is Google Compute Engine. )timeout)rFz1Timeout attempting to reach GCE metadata service.FN)rrrr_GCE_METADATA_URI _GCE_HEADERSr"rrr%_METADATA_FLAVOR_HEADER_DESIRED_METADATA_FLAVORsocketrrr)r>response_rrr_detect_gce_environments     rcCsntjdurtjdvSz ddl}Wnty2Yn80tjtd}|drVdt_dS|drjd t_dSd S) zDetects if the code is running in the App Engine environment. Returns: True if running in the GAE environment, False otherwise. N)GAE_PRODUCTION GAE_LOCALrr\zGoogle App Engine/rTz Development/rF) rrZgoogle.appenginercosenvironr%_SERVER_SOFTWARE startswith)ZgoogleZserver_softwarerrr_in_gae_environments      rcCs0tjdurtjdkStdkr,tr,dt_dSdS)zDetect if the code is running in the Compute Engine environment. Returns: True if running in the GCE environment, False otherwise. NZGCE_PRODUCTIONTrueTF)rrrrrrrr_in_gce_environment s   rcseZdZdZedgejBZejffdd Z ddZ ddZ e d d Z ed d Zed dZeddZeddZe ddZeddZeddZZS)GoogleCredentialsa|Application Default Credentials for use in calling Google APIs. The Application Default Credentials are being constructed as a function of the environment where the code is being run. More details can be found on this page: https://developers.google.com/accounts/docs/application-default-credentials Here is an example of how to use the Application Default Credentials for a service that requires authentication:: from googleapiclient.discovery import build from oauth2client.client import GoogleCredentials credentials = GoogleCredentials.get_application_default() service = build('compute', 'v1', credentials=credentials) PROJECT = 'bamboo-machine-422' ZONE = 'us-central1-a' request = service.instances().list(project=PROJECT, zone=ZONE) response = request.execute() print(response) Z _private_keyc s$tt|j||||||||ddS)aCreate an instance of GoogleCredentials. This constructor is not usually called by the user, instead GoogleCredentials objects are instantiated by GoogleCredentials.from_stream() or GoogleCredentials.get_application_default(). Args: access_token: string, access token. client_id: string, client identifier. client_secret: string, client secret. refresh_token: string, refresh token. token_expiry: datetime, when the access_token expires. token_uri: string, URI of token endpoint. user_agent: string, The HTTP User-Agent to provide for this application. revoke_uri: string, URI for revoke endpoint. Defaults to oauth2client.GOOGLE_REVOKE_URI; a token can't be revoked if this is None. rN)r#rr$) r&r rrrrHrrrr)rrr$6s zGoogleCredentials.__init__cCsdS)zWhether this Credentials object is scopeless. create_scoped(scopes) method needs to be called in order to create a Credentials object for API calls. FrrZrrrcreate_scoped_requiredQsz(GoogleCredentials.create_scoped_requiredcCs|S)zfCreate a Credentials object for the given scopes. The Credentials type is preserved. rrrrr create_scopedYszGoogleCredentials.create_scopedc Csddlm}tt|}|ddkr@|ddkr@|j|S|ddkrd|ddkrd|j|St | d}||d |d |d |d ||d |d| ddd}|d|_ |S)Nrr rJzoauth2client.service_accountrIServiceAccountCredentials_JWTAccessCredentialsrHr rrrrrrrr) oauth2clientr rRrarr`rrgrr8r%r)rhrir rjrHZgoogle_credentialsrrrrg`s.         zGoogleCredentials.from_jsoncCsd|j|j|jdS)z>Get the fields and values identifying the current credentials.r )typerrrrrrrZrrrserialization_data}s z$GoogleCredentials.serialization_datacCsts dStS)asAttempts to get implicit credentials in Google App Engine env. If the current environment is not detected as App Engine, returns None, indicating no Google App Engine credentials can be detected from the current environment. Returns: None, if not in GAE, else an appengine.AppAssertionCredentials object. N)r'_get_application_default_credential_GAErrrr_implicit_credentials_from_gaes z0GoogleCredentials._implicit_credentials_from_gaecCsts dStS)alAttempts to get implicit credentials in Google Compute Engine env. If the current environment is not detected as Compute Engine, returns None, indicating no Google Compute Engine credentials can be detected from the current environment. Returns: None, if not in GCE, else a gce.AppAssertionCredentials object. N)r'_get_application_default_credential_GCErrrr_implicit_credentials_from_gces z0GoogleCredentials._implicit_credentials_from_gcec Cst}|s(t}tj|r"d}q4d}n dtd}|stjtd}|r:tj|r"|Std|dtddS)NzFile z (pointed by z& environment variable) does not exist!)rrr%r rrr1)Z'application_default_credential_filenamerrrr?s  rcCstt}|durtjdkrhztjtjdt}Wqtydtj dd}tj|dt}Yq0ntjtj ddt}tj|t S) z@Get the well known file produced by command 'gcloud auth login'.NntAPPDATAZ SystemDrivezC:\~z.config) rgetenv_CLOUDSDK_CONFIG_ENV_VARnamerjoinr_CLOUDSDK_CONFIG_DIRECTORYKeyErrorr% expanduser_WELL_KNOWN_CREDENTIALS_FILE)Zdefault_config_dirdriverrrrNs"     rc Cst|}t|}Wdn1s(0Y|d}|tkrRtgd}n.|tkrhtgd}ntdtdtd|| }|rt ||dtkrt d|d|d |d dt j d d Sd dl m}|j|SdS)z4Build the Application Default Credentials from file.Nrr)rZ client_emailZprivate_key_idZ private_keyz5'type' field should be defined (and have one of the 'z' or 'z ' values)rrrzPython client library)r rrrrHrrrr)rrRloadr%AUTHORIZED_USERrPSERVICE_ACCOUNTr1 differencekeys#_raise_exception_for_missing_fieldsrrGOOGLE_TOKEN_URIr rZfrom_json_keyfile_dict)rZfile_objZclient_credentialsZcredentials_typeZrequired_fieldsmissing_fieldsr rrrrfsF (   rcCstdd|dS)Nz(The following field(s) must be defined: z, )r1r&)r3rrrr1s r1cCs td||dt|dS)Nz2An error was encountered while reading json file: r)r1str)Zcredential_filerrrrrrsrcCsddlm}|gSNrAppAssertionCredentials)Zoauth2client.contrib.appenginer7r6rrrrs rcCsddlm}|Sr5)Zoauth2client.contrib.gcer7r6rrrrs rcsVeZdZdZeddejejffdd Z ddZ dd Z d d Z d d Z ZS)AssertionCredentialsaAbstract Credentials object used for OAuth 2.0 assertion grants. This credential does not require a flow to instantiate because it represents a two legged flow, and therefore has all of the required information to generate and refresh its own access tokens. It must be subclassed to generate the appropriate assertion string. AssertionCredentials objects may be safely pickled and unpickled. r Nc s*tt|jddddd|||d||_dS)aConstructor for AssertionFlowCredentials. Args: assertion_type: string, assertion type that will be declared to the auth server user_agent: string, The HTTP User-Agent to provide for this application. token_uri: string, URI for token endpoint. For convenience defaults to Google's endpoints but any OAuth 2.0 provider can be used. revoke_uri: string, URI for revoke endpoint. Nr)r#r8r$assertion_type)r&r9rrrZ unused_kwargsr)rrr$s  zAssertionCredentials.__init__cCs|}tj|dd}|S)Nz+urn:ietf:params:oauth:grant-type:jwt-bearer) assertionr)_generate_assertionrrr)r&r:rrrrrs z3AssertionCredentials._generate_refresh_request_bodycCstdS)zAGenerate assertion string to be used in the access token request.Nr;rZrrrr;sz(AssertionCredentials._generate_assertioncCs|||jdSrrr=rrrrszAssertionCredentials._revokecCs tddS)zCryptographically sign a blob (of bytes). Args: blob: bytes, Message to be signed. Returns: tuple, A pair of the private key ID used to sign the blob and the signed contents. zThis method is abstract.Nr;)r&Zblobrrr sign_blobs zAssertionCredentials.sign_blob)rrrrrrrr2rr$rr;rr<r+rrr)rr8s  r8cCsts tddS)zEnsure we have a crypto library, or throw CryptoUnavailableError. The oauth2client.crypt module requires either PyCrypto or PyOpenSSL to be available in order to function, but these are optional dependencies. zNo crypto library availableN) HAS_CRYPTOr3rrrr_require_crypto_or_diesr>r cCsdt|durt}t||\}}|jtjkrPtt |}t |||St d|jdS)aVerifies a signed JWT id_token. This function requires PyOpenSSL and because of that it does not work on App Engine. Args: id_token: string, A Signed JWT. audience: string, The audience 'aud' that the token should be for. http: httplib2.Http, instance to use to make the HTTP request. Callers should supply an instance that has caching enabled. cert_uri: string, URI of the certificates in JSON format to verify the JWT against. Returns: The deserialized JSON in the JWT. Raises: oauth2client.crypt.AppIdentityError: if the JWT fails to verify. CryptoUnavailableError: if no crypto library is available. NzStatus code: {0})r>rZget_cached_httprr"rrrRrarr`rZverify_signed_jwt_with_certsr/r)rZaudiencer>Zcert_urirrcertsrrrverify_id_tokens r@cCsVt|tkr|d}n |d}t|dkr)OAuth2WebServerFlowstep2_exchange)rrrcoderKr>rrrLrrMrrNrOflowr{rrrcredentials_from_codeQs3 rUc Cs&t||||||d}|j||d} | S)a Returns OAuth2Credentials from a clientsecrets file and an auth code. Will create the right kind of Flow based on the contents of the clientsecrets file or will raise InvalidClientSecretsError for unknown types of Flows. Args: filename: string, File name of clientsecrets. scope: string or iterable of strings, scope(s) to request. code: string, An authorization code, most likely passed down from the client message: string, A friendly string to display to the user if the clientsecrets file is missing or invalid. If message is provided then sys.exit will be called in the case of an error. If message in not provided then clientsecrets.InvalidClientSecretsError will be raised. redirect_uri: string, this is generally set to 'postmessage' to match the redirect_uri that the client specified http: httplib2.Http, optional http instance to use to do the fetch cache: An optional cache service client that implements get() and set() methods. See clientsecrets.loadfile() for details. device_uri: string, OAuth 2.0 device authorization endpoint pkce: boolean, default: False, Generate and include a "Proof Key for Code Exchange" (PKCE) with your authorization and token requests. This adds security for installed applications that cannot protect a client_secret. See RFC 7636 for details. code_verifier: bytestring or None, default: None, parameter passed as part of the code exchange when pkce=True. If None, a code_verifier will automatically be generated as part of step1_get_authorize_url(). See RFC 7636 for details. Returns: An OAuth2Credentials object. Raises: FlowExchangeError: if the authorization code cannot be exchanged for an access token UnknownClientSecretsFlowError: if the file describes an unknown kind of Flow. clientsecrets.InvalidClientSecretsError: if the clientsecrets file is invalid. )messagecacherKrMrP)flow_from_clientsecretsrR) rrrSrVrKr>rWrMrTr{rrr'credentials_from_clientsecrets_and_codes 2rYc@seZdZdZeddZdS)DeviceFlowInfoz5Intermediate information the OAuth2 for devices flow.cCs|d|dd}|d|d}|dur4td||d<||ddd d |vrxttjt|d d |d <|fi|S) zCreate a DeviceFlowInfo from a server response. The response should be a dict containing entries as described here: http://tools.ietf.org/html/draft-ietf-oauth-v2-05#section-3.7.1 device_code user_code)r[r\verification_urlZverification_uriNz/No verification_url provided in server responseinterval)r^user_code_expiryrrr_)r%r2rrr5rr)rhrr(r]rrr FromResponses*  zDeviceFlowInfo.FromResponseN)rrrrror`rrrrrZsrZ)r[r\r^r]r_cCsTddd}|||d}|durPtd|dkrPtdd |d <|d=|S) z;Configures redirect URI parameters for OAuth2WebServerFlow.ZofflinerS)Z access_typeZ response_typeapproval_promptNzmThe approval_prompt parameter for OAuth2WebServerFlow is deprecated. Please use the prompt parameter instead.forcez=approval_prompt="force" has been adjusted to prompt="consent"Zconsentprompt)rr%rwarning)r(paramsrarrr_oauth2_web_server_flow_paramss   rfc@seZdZdZedddddejejej dej ej dddf ddZ edddd Z eddd d Zed dd dZdS)rQzrDoes the Web Server Flow for OAuth 2.0. OAuth2WebServerFlow objects may be safely pickled and unpickled. rINFcKsx|durtd||_||_t||_||_| |_||_||_ ||_ ||_ | |_ | |_ | |_| |_||_t||_dS)a~ Constructor for OAuth2WebServerFlow. The kwargs argument is used to set extra query parameters on the auth_uri. For example, the access_type and prompt query parameters can be set via kwargs. Args: client_id: string, client identifier. client_secret: string client secret. scope: string or iterable of strings, scope(s) of the credentials being requested. redirect_uri: string, Either the string 'urn:ietf:wg:oauth:2.0:oob' for a non-web-based application, or a URI that handles the callback from the authorization server. user_agent: string, HTTP User-Agent to provide for this application. auth_uri: string, URI for authorization endpoint. For convenience defaults to Google's endpoints but any OAuth 2.0 provider can be used. token_uri: string, URI for token endpoint. For convenience defaults to Google's endpoints but any OAuth 2.0 provider can be used. revoke_uri: string, URI for revoke endpoint. For convenience defaults to Google's endpoints but any OAuth 2.0 provider can be used. login_hint: string, Either an email address or domain. Passing this hint will either pre-fill the email box on the sign-in form or select the proper multi-login session, thereby simplifying the login flow. device_uri: string, URI for device authorization endpoint. For convenience defaults to Google's endpoints but any OAuth 2.0 provider can be used. authorization_header: string, For use with OAuth 2.0 providers that require a client to authenticate using a header value instead of passing client_secret in the POST body. pkce: boolean, default: False, Generate and include a "Proof Key for Code Exchange" (PKCE) with your authorization and token requests. This adds security for installed applications that cannot protect a client_secret. See RFC 7636 for details. code_verifier: bytestring or None, default: None, parameter passed as part of the code exchange when pkce=True. If None, a code_verifier will automatically be generated as part of step1_get_authorize_url(). See RFC 7636 for details. **kwargs: dict, The keyword arguments are all optional and required parameters for the OAuth calls. Nz#The value of scope must not be None)rrrrZscopes_to_stringrrK login_hintrrLrrrMrauthorization_headerrrOrfre)r&rrrrKrrLrrrgrMrrhrNrOr(rrrr$s"B zOAuth2WebServerFlow.__init__rBcCs|durtd||_|jdur*td|j|j|jd}|durL||d<|jdur`|j|d<|jr|jsvt|_t |j}||d<d|d <| |j t |j|S) aReturns a URI to redirect to the provider. Args: redirect_uri: string, Either the string 'urn:ietf:wg:oauth:2.0:oob' for a non-web-based application, or a URI that handles the callback from the authorization server. This parameter is deprecated, please move to passing the redirect_uri in via the constructor. state: string, Opaque state string which is passed through the OAuth2 flow and returned to the client as a query parameter in the callback. Returns: A URI as a string to redirect the user to begin the authorization flow. NzThe redirect_uri parameter for OAuth2WebServerFlow.step1_get_authorize_url is deprecated. Please move to passing the redirect_uri in via the constructor.z+The value of redirect_uri must not be None.)rrKrrrgcode_challengeZS256Zcode_challenge_method)rrdrKrrrrgrrOrirrerrrL)r&rKrr challengerrrstep1_get_authorize_urlgs.      z+OAuth2WebServerFlow.step1_get_authorize_urlc Cs*|jdurtdtj|j|jd}ddi}|jdurD|j|d<|durTt }tj ||jd||d\}}t |}|j tjkrzt|}Wn4ty}ztd ||WYd}~n d}~00t|Sd |j }z*t|} d | vr|d | d 7}WntyYn0t|dS) zReturns a user code and the verification URL where to enter it Returns: A user code as a string for the user to authorize the application An URL as a string where the user has to enter the code Nz)The value of device_uri must not be None.)rrrrrrrzrrFrrZ flow_infoexcrZ error_dictrrrstep1_get_device_and_user_codessD          z3OAuth2WebServerFlow.step1_get_device_and_user_codesr cCsT|dur|durtd|dur0|dur0td|dur@|j}n2t|tjtjfsrd|vrjt|dd|d}|j||j d}|j dur|j |d<|j r|j |d <|durd |d <nd |d <|j |d <tj|}ddi}|jdur|j|d<|jdur|j|d<|durt}tj||jd||d\}}t|} |jtjkrd| vr| d} | dd} | sxtdd} d| vrtjt| dd} | t } d}d}d| vrt!| d}| d}tdt"| |j|j | | |j|j|j#||| |j |j$d Std|d| vr8t%| dt%| dd}nd&t%|j}t|dS) aExchanges a code for OAuth2Credentials. Args: code: string, a dict-like object, or None. For a non-device flow, this is either the response code as a string, or a dictionary of query parameters to the redirect_uri. For a device flow, this should be None. http: httplib2.Http, optional http instance to use when fetching credentials. device_flow_info: DeviceFlowInfo, return value from step1 in the case of a device flow. Returns: An OAuth2Credentials object that can be used to authorize requests. Raises: FlowExchangeError: if a problem occurred exchanging the code for a refresh_token. ValueError: if code and device_flow_info are both provided or both missing. Nz%No code or device_flow_info provided.z.Cannot provide both code and device_flow_info.rSrz-No code was supplied in the query parameters.)rrSrrrOz&http://oauth.net/grant_type/device/1.0rZauthorization_coderKrrrrrrr rz_Received token response with no refresh_token. Consider reauthenticating with prompt='consent'.rrrz#Successfully retrieved access tokenrrrr\zInvalid response: {0}.)'rr[r4six string_types binary_typerr%rrrrrOrKrrrrhrrrrrrHr"rrrrr5rrrrrrrr4r)r&rSr>Zdevice_flow_infoZ post_datarrFrrrr rrHrZextracted_id_tokenrrrrrrRs                       z"OAuth2WebServerFlow.step2_exchange)NN)N)NNN)rrrrrrrGOOGLE_AUTH_URIr2rGOOGLE_DEVICE_URIGOOGLE_TOKEN_INFO_URIr$rkrmrRrrrrrQ s, S / /rQc  Csztj||d\} } | tjtjfvr|| d| d|d} | d} d}|D] }t|durLt|| |<qLt| d| d |fi| WSWnNtjy}z4|dur|jrd ||}t |nWYd}~nd}~00t d | dS) a*Create a Flow from a clientsecrets file. Will create the right kind of Flow based on the contents of the clientsecrets file or will raise InvalidClientSecretsError for unknown types of Flows. Args: filename: string, File name of client secrets. scope: string or iterable of strings, scope(s) to request. redirect_uri: string, Either the string 'urn:ietf:wg:oauth:2.0:oob' for a non-web-based application, or a URI that handles the callback from the authorization server. message: string, A friendly string to display to the user if the clientsecrets file is missing or invalid. If message is provided then sys.exit will be called in the case of an error. If message in not provided then clientsecrets.InvalidClientSecretsError will be raised. cache: An optional cache service client that implements get() and set() methods. See clientsecrets.loadfile() for details. login_hint: string, Either an email address or domain. Passing this hint will either pre-fill the email box on the sign-in form or select the proper multi-login session, thereby simplifying the login flow. device_uri: string, URI for device authorization endpoint. For convenience defaults to Google's endpoints but any OAuth 2.0 provider can be used. Returns: A Flow object. Raises: UnknownClientSecretsFlowError: if the file describes an unknown kind of Flow. clientsecrets.InvalidClientSecretsError: if the clientsecrets file is invalid. )rWrLr)rKrLrrgr)rrMrNrOrcNrrz)The client secrets were invalid: {0} {1}z)This OAuth 2.0 flow is unsupported: {0!r}) rZloadfileZTYPE_WEBZTYPE_INSTALLEDr%localsrQZInvalidClientSecretsErrorr'rsysexitr-)rrrKrVrWrgrMrNrOrcZ client_typeZ client_infoZconstructor_kwargsroptionalparamerrrrX,sD)     rX)N)NrJNNN)NNNNNNNN)mr collectionsrKr5rRloggingrrrrurrnZ six.movesrrrrrrrZ HAS_OPENSSLr=rZOpenSSLVerifierrc getLoggerrrr7ZID_TOKEN_VERIFICATION_CERTSZID_TOKEN_VERIFICATON_CERTSZOOB_CALLBACK_URNr-r.r r'r$rr* namedtupler rr#rrrrrrrrrutcnowrZ clean_headersZ MemoryCacheZREFRESH_STATUS_CODESobjectrrFrrr r!r,r-r.r/r0r1r2r<r3r8r9rprqrrrrrrrrrrrr1rrrr8r>rr@rrHr2rqrrrrsrUrYrZrfrQrXrrrrs            iSN %J  " A 8&!