a !f@s dZddlZddlZddlZddlZddlZddlZddlmZddlm Z ddlm Z ddl m Z ddl mZddlZddlZddlmZdd lmZdd lmZdd lmZdd lmZzdd lmZWneydZYn0eeZdZdZedurdZdZ dZ!dZ"dZ#dZ$n$ejZej Z ej!Z!ej%Z"ej&Z#ej$Z$ddZ'Gddde j(Z)ddZ*ddZ+Gdddej,Z-Gddde j.Z/Gddde j.Z0Gdddej1Z2Gdd d e j(Z3d!d"Z4d#d$Z5Gd%d&d&e6Z7Gd'd(d(e7Z8e9d)d,d*d+Z:dS)-zgUtilities for Google App Engine Utilities for making it easier to use OAuth 2.0 on Google App Engine. N) app_identity)memcache)users)db)login_required)_helpers)client) clientsecrets) transport)xsrfutil)_appengine_ndbzoauth2client#nsxsrf_secret_keycCstj|ddddS)zEscape text to make it safe to display. Args: s: string, The text to escape. Returns: The escaped text as a string. )quote'z')cgiescapereplace)sr_/var/www/html/python-backend/venv/lib/python3.9/site-packages/oauth2client/contrib/appengine.py _safe_htmlFs rc@seZdZdZeZdS)SiteXsrfSecretKeyzStorage for the sites XSRF secret key. There will only be one instance stored of this model, the one used for the site. N)__name__ __module__ __qualname____doc__rZStringPropertysecretrrrrrRsrcCstddS)z!Returns a random XSRF secret key.hex)osurandomencoderrrr_generate_new_xsrf_secret_key[sr#cCsRtjttd}|sJtjdd}|js4t|_||j}tj t|tdt |S)zReturn the secret key for use for XSRF protection. If the Site entity does not have a secret key, this method will also create one and persist it. Returns: The secret key. ) namespacesite)key_name) rgetXSRF_MEMCACHE_IDOAUTH2CLIENT_NAMESPACEr get_or_insertrr#putaddstr)rmodelrrrr `s  csneZdZdZedfddZeddZddZ e d d Z d d Z d dZ ddZe ddZZS)AppAssertionCredentialsaCredentials object for App Engine Assertion Grants This object will allow an App Engine application to identify itself to Google and other OAuth 2.0 servers that can verify assertions. It can be used for the purpose of accessing data stored under an account assigned to the App Engine application itself. This credential does not require a flow to instantiate because it represents a two legged flow, and therefore has all of the required information to generate and refresh its own access tokens. c s:t||_||_|dd|_d|_tt| ddS)aConstructor for AppAssertionCredentials Args: scope: string or iterable of strings, scope(s) of the credentials being requested. **kwargs: optional keyword args, including: service_account_id: service account id of the application. If None or unspecified, the default service account for the app is used. service_account_idN) rscopes_to_stringscope_kwargsr'r1_service_account_emailsuperr/__init__)selfr3kwargs __class__rrr7s z AppAssertionCredentials.__init__cCst|}t|dS)Nr3)jsonloadsr/)clsZ json_datadatarrr from_jsons z!AppAssertionCredentials.from_jsonc Csbz"|j}tj||jd\}}Wn4tjyV}ztt|WYd}~n d}~00||_ dS)aWRefreshes the access token. Since the underlying App Engine app_identity implementation does its own caching we can skip all the storage hoops and just to a refresh using the API. Args: http: unused HTTP object Raises: AccessTokenRefreshError: When the refresh fails. )r1N) r3splitrZget_access_tokenr1ErrorrAccessTokenRefreshErrorr-Z access_token)r8httpscopestoken_errr_refreshs  $z AppAssertionCredentials._refreshcCs tddS)Nz3Cannot serialize credentials for Google App Engine.)NotImplementedErrorr8rrrserialization_datasz*AppAssertionCredentials.serialization_datacCs|j SN)r3rKrrrcreate_scoped_requiredsz.AppAssertionCredentials.create_scoped_requiredcCst|fi|jSrM)r/r4)r8rErrr create_scopedsz%AppAssertionCredentials.create_scopedcCs t|S)aUCryptographically sign a blob (of bytes). Implements abstract method :meth:`oauth2client.client.AssertionCredentials.sign_blob`. Args: blob: bytes, Message to be signed. Returns: tuple, A pair of the private key ID used to sign the blob and the signed contents. )r sign_blob)r8ZblobrrrrPs z!AppAssertionCredentials.sign_blobcCs|jdurt|_|jS)zGet the email for the current service account. Returns: string, The email associated with the Google App Engine service account. N)r5rZget_service_account_namerKrrrservice_account_emails z-AppAssertionCredentials.service_account_email)rrrrr positionalr7 classmethodr@rIpropertyrLrNrOrPrQ __classcell__rrr:rr/ws   r/csBeZdZdZejZfddZddZfddZ dd Z Z S) FlowPropertyzApp Engine datastore Property for Flow. Utility property that allows easy storage and retrieval of an oauth2client.Flow cs tt||}tt|SrM)r6rVget_value_for_datastorerBlobpickledumps)r8model_instanceflowr:rrrWs z$FlowProperty.get_value_for_datastorecCs|dur dSt|SrM)rYr=r8valuerrrmake_value_from_datastoresz&FlowProperty.make_value_from_datastorecs8|dur(t|tjs(td|j|tt| |S)NzDProperty {0} must be convertible to a FlowThreeLegged instance ({1})) isinstancerFlowr BadValueErrorformatnamer6rVvalidater]r:rrreszFlowProperty.validatecCs| SrMrr]rrremptyszFlowProperty.empty) rrrrrra data_typerWr_rerfrUrrr:rrVs   rVcs:eZdZdZejZfddZddZfddZ Z S)CredentialsPropertyzApp Engine datastore Property for Credentials. Utility property that allows easy storage and retrieval of oauth2client.Credentials csFtdtt|tt||}|dur4d}n|}t |S)Nzget: Got type ) loggerinfor-typer6rhrWto_jsonrrX)r8r[credr:rrrWs z+CredentialsProperty.get_value_for_datastorecCs^tdtt||dur"dSt|dkr2dSztj|}WntyXd}Yn0|S)Nzmake: Got type r) rjrkr-rllenr Credentials new_from_json ValueError)r8r^ credentialsrrrr_s   z-CredentialsProperty.make_value_from_datastorecsRtt||}tdtt||durNt|tj sNt d |j ||S)Nzvalidate: Got type z@Property {0} must be convertible to a Credentials instance ({1}))r6rhrerjrkr-rlr`rrprrbrcrdr]r:rrreszCredentialsProperty.validate) rrrrrrprgrWr_rerUrrr:rrhs   rhcseZdZdZeddfdd ZddZdd Zd d Z e j d d ddZ e j d d ddZ e j d d ddZZS)StorageByKeyNameaStore and retrieve a credential to and from the App Engine datastore. This Storage helper presumes the Credentials have been stored as a CredentialsProperty or CredentialsNDBProperty on a datastore model class, and that entities are stored by key_name. NcsJtt||dur.|dur&td|}||_||_||_||_dS)aConstructor for Storage. Args: model: db.Model or ndb.Model, model class key_name: string, key name for the entity that has the credentials property_name: string, name of the property that is a CredentialsProperty or CredentialsNDBProperty. cache: memcache, a write-through cache to put in front of the datastore. If the model you are using is an NDB model, using a cache will be redundant since the model uses an instance cache and memcache for you. user: users.User object, optional. Can be used to grab user ID as a key_name if no key name is specified. Nz1StorageByKeyName called with no key name or user.) r6rtr7rruser_id_model _key_name_property_name_cache)r8r.r&Z property_namecacheuserr:rrr70szStorageByKeyName.__init__cCsJt|jtr6tdur$t|jtr$dSt|jtjr6dStd|jdS)zDetermine whether the model of the instance is an NDB model. Returns: Boolean indicating whether or not the model is an NDB or DB model. NTFz(Model class not an NDB or DB model: {0}.) r`rwrl _NDB_MODEL issubclassrModel TypeErrorrcrKrrr_is_ndbMs  zStorageByKeyName._is_ndbcCs(|r|j|jS|j|jSdS)aRetrieve entity from datastore. Uses a different model method for db or ndb models. Returns: Instance of the model corresponding to the current storage object and stored using the key name of the storage object. N)rrwZ get_by_idrxZget_by_key_namerKrrr _get_entity_s zStorageByKeyName._get_entitycCs@|rt|j|jn tj|j|j}t|dS)zDelete entity from datastore. Attempts to delete using the key_name stored on the object, whether or not the given key is in the datastore. N) r_NDB_KEYrwrxdeleterKey from_pathkind)r8Z entity_keyrrr_delete_entitymszStorageByKeyName._delete_entityT)Zallow_existingcCsd}|jr(|j|j}|r(tj|}|durf|}|durft||j}|jrf|j |j| |r~t |dr~| ||S)zcRetrieve Credential from datastore. Returns: oauth2client.Credentials N set_store) rzr'rxrrprqrgetattrrysetrmhasattrr)r8rsr<entityrrr locked_getys   zStorageByKeyName.locked_getcCsB|j|j}t||j|||jr>|j|j|dS)z}Write a Credentials to the datastore. Args: credentials: Credentials, the credentials to store. N) rwr*rxsetattrryr+rzrrm)r8rsrrrr locked_puts zStorageByKeyName.locked_putcCs |jr|j|j|dS)z!Delete Credential from datastore.N)rzrrxrrKrrr locked_deleteszStorageByKeyName.locked_delete)NN)rrrrrrRr7rrrrZnon_transactionalrrrrUrrr:rrt(s    rtc@seZdZdZeZdS)CredentialsModelz`Storage for OAuth 2.0 Credentials Storage of the model is keyed by the user.user_id(). N)rrrrrhrsrrrrrsrcCs.|jj}tjt|t|d}|d|S)aComposes the value for the 'state' parameter. Packs the current request URI and an XSRF token into an opaque string that can be passed to the authentication server via the 'state' parameter. Args: request_handler: webapp.RequestHandler, The request. user: google.appengine.api.users.User, The current user. Returns: The state value as a string. Z action_id:)requesturlr Zgenerate_tokenr rvr-)request_handlerr|urirFrrr_build_state_values rcCs4|dd\}}tjt|||dr,|SdSdS)aJParse the value of the 'state' parameter. Parses the value and validates the XSRF token in the state parameter. Args: state: string, The value of the state parameter. user: google.appengine.api.users.User, The current user. Returns: The redirect URI, or None if XSRF token is not valid. rrrN)rsplitr Zvalidate_tokenr rv)stater|rrFrrr_parse_state_values rc @seZdZdZddZddZeeeZddZdd Z ee eZ e d e je je jd d d d eed f ddZddZddZddZddZddZddZddZeddZd d!Zd"d#Zd S)$OAuth2Decoratora`Utility for making OAuth 2.0 easier. Instantiate and then use with oauth_required or oauth_aware as decorators on webapp.RequestHandler methods. :: decorator = OAuth2Decorator( client_id='837...ent.com', client_secret='Qh...wwI', scope='https://www.googleapis.com/auth/plus') class MainHandler(webapp.RequestHandler): @decorator.oauth_required def get(self): http = decorator.http() # http is authorized with the user's Credentials and can be # used in API calls cCs ||j_dSrM)_tlsrs)r8rsrrrset_credentialsszOAuth2Decorator.set_credentialscCst|jddS)zA thread local Credentials object. Returns: A client.Credentials object, or None if credentials hasn't been set in this thread yet, which may happen when calling has_credentials inside oauth_aware. rsNrrrKrrrget_credentialsszOAuth2Decorator.get_credentialscCs ||j_dSrM)rr\)r8r\rrrset_flowszOAuth2Decorator.set_flowcCst|jddS)zA thread local Flow object. Returns: A credentials.Flow object, or None if the flow hasn't been set in this thread yet, which happens in _create_flow() since Flows are created lazily. r\NrrKrrrget_flowszOAuth2Decorator.get_flowruNz/oauth2callbackrscKszt|_d|_d|_||_||_t||_ ||_ ||_ ||_ ||_ ||_||_d|_| |_| |_| |_| |_| |_dS)a Constructor for OAuth2Decorator Args: client_id: string, client identifier. client_secret: string client secret. scope: string or iterable of strings, scope(s) of the credentials being requested. auth_uri: string, URI for authorization endpoint. For convenience defaults to Google's endpoints but any OAuth 2.0 provider can be used. token_uri: string, URI for token endpoint. For convenience defaults to Google's endpoints but any OAuth 2.0 provider can be used. revoke_uri: string, URI for revoke endpoint. For convenience defaults to Google's endpoints but any OAuth 2.0 provider can be used. user_agent: string, User agent of your application, default to None. message: Message to display if there are problems with the OAuth 2.0 configuration. The message may contain HTML and will be presented on the web interface for any method that uses the decorator. callback_path: string, The absolute path to use as the callback URI. Note that this must match up with the URI given when registering the application in the APIs Console. token_response_param: string. If provided, the full JSON response to the access token request will be encoded and included in this query parameter in the callback URI. This is useful with providers (e.g. wordpress.com) that include extra fields that the client may want. _storage_class: "Protected" keyword argument not typically provided to this constructor. A storage class to aid in storing a Credentials object for a user in the datastore. Defaults to StorageByKeyName. _credentials_class: "Protected" keyword argument not typically provided to this constructor. A db or ndb Model class to hold credentials. Defaults to CredentialsModel. _credentials_property_name: "Protected" keyword argument not typically provided to this constructor. A string indicating the name of the field on the _credentials_class where a Credentials object will be stored. Defaults to 'credentials'. **kwargs: dict, Keyword arguments are passed along as kwargs to the OAuth2WebServerFlow constructor. NF) threadinglocalrr\rs _client_id_client_secretrr2_scope _auth_uri _token_uri _revoke_uri _user_agentr4_message _in_error_callback_path_token_response_param_storage_class_credentials_class_credentials_property_name)r8 client_id client_secretr3auth_uri token_uri revoke_uri user_agentmessage callback_pathZtoken_response_paramrrrr9rrrr7 s$>  zOAuth2Decorator.__init__cCs4|jjd|jjt|j|jjddS)Nz z)responseoutwriterr)r8rrrr_display_error_message[sz&OAuth2Decorator._display_error_messagecsfdd}|S)a,Decorator that starts the OAuth 2.0 dance. Starts the OAuth dance for the logged in user if they haven't already granted access for this application. Args: method: callable, to be decorated method of a webapp.RequestHandler instance. csjr|dSt}|s8|t|jjdS|t ||j j d<j j dj|d_s|SzPz|g|Ri|}Wn*tjy|YWd_S0Wd_nd_0|SNrr|)rrrget_current_userredirectcreate_login_urlrr _create_flowrr\paramsrrrr'rshas_credentials authorize_urlrrCrargsr9r|respmethodr8rr check_oauthks6    z3OAuth2Decorator.oauth_required..check_oauthr)r8rrrrroauth_required`s  zOAuth2Decorator.oauth_requiredcCsP|jdurL|j|j}tj|j|j|jf||j |j |j |j d|j |_dS)aUCreate the Flow object. The Flow is calculated lazily since we don't know where this app is running until it receives a request, at which point redirect_uri can be calculated and then the Flow object can be constructed. Args: request_handler: webapp.RequestHandler, the request handler. N) redirect_urirrrr)r\rZ relative_urlrrZOAuth2WebServerFlowrrrrrrrr4)r8rrrrrrs  zOAuth2Decorator._create_flowcsfdd}|S)a!Decorator that sets up for OAuth 2.0 dance, but doesn't do it. Does all the setup for the OAuth dance, but doesn't initiate it. This decorator is useful if you want to create a page that knows whether or not the user has granted access to this application. From within a method decorated with @oauth_aware the has_credentials() and authorize_url() methods can be called. Args: method: callable, to be decorated method of a webapp.RequestHandler instance. csjr|dSt}|s8|t|jjdS|t ||j j d<j j dj|d_z |g|Ri|}Wd_nd_0|Sr)rrrrrrrrrrr\rrrrr'rsrrrr setup_oauths*    z0OAuth2Decorator.oauth_aware..setup_oauthr)r8rrrrr oauth_awareszOAuth2Decorator.oauth_awarecCs|jduo|jj S)zTrue if for the logged in user there are valid access Credentials. Must only be called from with a webapp.RequestHandler subclassed method that had been decorated with either @oauth_required or @oauth_aware. N)rsinvalidrKrrrrszOAuth2Decorator.has_credentialscCs|j}t|S)zReturns the URL to start the OAuth dance. Must only be called from with a webapp.RequestHandler subclassed method that had been decorated with either @oauth_required or @oauth_aware. )r\Zstep1_get_authorize_urlr-)r8rrrrrs zOAuth2Decorator.authorize_urlcOs|jtj|i|S)aReturns an authorized http instance. Must only be called from within an @oauth_required decorated method, or from within an @oauth_aware decorated method where has_credentials() returns True. Args: *args: Positional arguments passed to httplib2.Http constructor. **kwargs: Positional arguments passed to httplib2.Http constructor. )rsZ authorizer Zget_http_object)r8rr9rrrrDs zOAuth2Decorator.httpcCs|jS)a.The absolute path where the callback will occur. Note this is the absolute path, not the absolute URI, that will be calculated by the decorator at runtime. See callback_handler() for how this should be used. Returns: The callback path as a string. )rrKrrrrs zOAuth2Decorator.callback_pathcs|Gfdddtj}|S)aRequestHandler for the OAuth 2.0 redirect callback. Usage:: app = webapp.WSGIApplication([ ('/index', MyIndexHandler), ..., (decorator.callback_path, decorator.callback_handler()) ]) Returns: A webapp.RequestHandler that handles the redirect back from the server during the OAuth 2.0 dance. cs eZdZdZefddZdS)z7OAuth2Decorator.callback_handler..OAuth2Handlerz4Handler for the redirect_uri of the OAuth 2.0 dance.cs|jd}|r8|jd|}|jjdt|nt} |j |jj }j jdj|d|tt|jd|}|dur|jjddSjr|jrt|j}t|j|}||dS)NerrorZerror_descriptionz%The authorization request failed: {0}rrz The authorization request failed)rr'rrrrcrrrrr\Zstep2_exchangerrrrr+rr-rZtoken_responser<rZrZ_add_query_parameterr)r8rZerrormsgr|rsrZ resp_json decoratorrrr' sJ   z;OAuth2Decorator.callback_handler..OAuth2Handler.getN)rrrrrr'rrrr OAuth2Handlersr)webappZRequestHandler)r8rrrrcallback_handlers$z OAuth2Decorator.callback_handlercCst|j|fgS)aMWSGI application for handling the OAuth 2.0 redirect callback. If you need finer grained control use `callback_handler` which returns just the webapp.RequestHandler. Returns: A webapp.WSGIApplication that handles the redirect back from the server during the OAuth 2.0 dance. )rZWSGIApplicationrrrKrrrcallback_application,s  z$OAuth2Decorator.callback_application)rrrrrrrTrsrrr\rrR oauth2clientZGOOGLE_AUTH_URIZGOOGLE_TOKEN_URIZGOOGLE_REVOKE_URIrtrr7rrrrrrrDrrrrrrrrs<   P-)  7rcs,eZdZdZeddfdd ZZS) OAuth2DecoratorFromClientSecretsa~An OAuth2Decorator that builds from a clientsecrets file. Uses a clientsecrets file as the source for all the information when constructing an OAuth2Decorator. :: decorator = OAuth2DecoratorFromClientSecrets( os.path.join(os.path.dirname(__file__), 'client_secrets.json') scope='https://www.googleapis.com/auth/plus') class MainHandler(webapp.RequestHandler): @decorator.oauth_required def get(self): http = decorator.http() # http is authorized with the user's Credentials and can be # used in API calls Nc  stj||d\}}|tjtjfvr,tdt|}||d|d|d|d} | durh| |d<tt |j |d|d |fi||dur||_ nd |_ dS) a#Constructor Args: filename: string, File name of client secrets. scope: string or iterable of strings, scope(s) of the credentials being requested. message: string, A friendly string to display to the user if the clientsecrets file is missing or invalid. The message may contain HTML and will be presented on the web interface for any method that uses the decorator. cache: An optional cache service client that implements get() and set() methods. See clientsecrets.loadfile() for details. **kwargs: dict, Keyword arguments are passed along as kwargs to the OAuth2WebServerFlow constructor. )r{z4OAuth2Decorator doesn't support this OAuth 2.0 flow.rr)rrrrNrrz0Please configure your application for OAuth 2.0.) r ZloadfileZTYPE_WEBZTYPE_INSTALLEDZInvalidClientSecretsErrordictupdater'r6rr7r) r8filenamer3rr{r9Z client_typeZ client_infoZconstructor_kwargsrr:rrr7Ps6    z)OAuth2DecoratorFromClientSecrets.__init__)NN)rrrrrrRr7rUrrr:rr;srr0cCst||||dS)aCreates an OAuth2Decorator populated from a clientsecrets file. Args: filename: string, File name of client secrets. scope: string or list of strings, scope(s) of the credentials being requested. message: string, A friendly string to display to the user if the clientsecrets file is missing or invalid. The message may contain HTML and will be presented on the web interface for any method that uses the decorator. cache: An optional cache service client that implements get() and set() methods. See clientsecrets.loadfile() for details. Returns: An OAuth2Decorator )rr{)r)rr3rr{rrr"oauth2decorator_from_clientsecrets{sr)NN);rrr<loggingr rYrZgoogle.appengine.apirrrZgoogle.appengine.extrZ google.appengine.ext.webapp.utilrZwebapp2rrrrr r Zoauth2client.contribr r ImportError getLoggerrrjr)r(ZCredentialsNDBModelZCredentialsNDBPropertyZFlowNDBPropertyrr}ZSiteXsrfSecretKeyNDBZNDB_KEYZ NDB_MODELrrrr#r ZAssertionCredentialsr/PropertyrVrhZStoragertrrrobjectrrrRrrrrrsp                d!,g@