ó ‚¾^Yc@sÜdZddlZddlZddlZddlZddlZddlZddlmZddlmZddlm Z ddlm Z dZ dZ d Z d ejfd „ƒYZd „Zd efd„ƒYZdS(s/oauth2client Service account credentials class.iÿÿÿÿN(t_helpers(tclient(tcrypt(t transportt notasecrett_private_key_pkcs12s  This library only implements PKCS#12 support via the pyOpenSSL library. Either install pyOpenSSL, or please convert the .p12 file to .pem format: $ cat key.p12 | \ > openssl pkcs12 -nodes -nocerts -passin pass:notasecret | \ > openssl rsa > key.pem tServiceAccountCredentialscBsweZdZdZedgƒejjBZdZ dZ dZ dddde j e jd„Zdd„Zeddd„ƒZedddd„ƒZedddd„ƒZedde j e jd „ƒZedde j e jd „ƒZedde j e jd „ƒZd „Zd „Zed„ƒZed„ƒZed„ƒZd„Zd„Zd„Z d„Z!RS(sÅService Account credential for OAuth 2.0 signed JWT grants. Supports * JSON keyfile (typically contains a PKCS8 key stored as PEM text) * ``.p12`` key (stores PKCS12 key and certificate) Makes an assertion to server using a signed JWT assertion in exchange for an access token. This credential does not require a flow to instantiate because it represents a two legged flow, and therefore has all of the required information to generate and refresh its own access tokens. Args: service_account_email: string, The email associated with the service account. signer: ``crypt.Signer``, A signer which can be used to sign content. scopes: List or string, (Optional) Scopes to use when acquiring an access token. private_key_id: string, (Optional) Private key identifier. Typically only used with a JSON keyfile. Can be sent in the header of a JWT token assertion. client_id: string, (Optional) Client ID for the project that owns the service account. user_agent: string, (Optional) User agent to use when sending request. token_uri: string, URI for token endpoint. For convenience defaults to Google's endpoints but any OAuth 2.0 provider can be used. revoke_uri: string, URI for revoke endpoint. For convenience defaults to Google's endpoints but any OAuth 2.0 provider can be used. kwargs: dict, Extra key-value pairs (both strings) to send in the payload body when making an assertion. it_signertc Ksttt|ƒjdd|d|d|ƒ||_||_tj|ƒ|_||_ ||_ ||_ | |_ dS(Nt user_agentt token_urit revoke_uri( tsuperRt__init__tNonet_service_account_emailRRtscopes_to_stringt_scopest_private_key_idt client_idt _user_agentt_kwargs( tselftservice_account_emailtsignertscopestprivate_key_idRR R R tkwargs((sB/tmp/pip-build-kpPAdC/oauth2client/oauth2client/service_account.pyR _s      cCsn|dkr!tj|jƒ}n|jtƒ}|dk rRtj|ƒ|t>> account_sub = 'foo@email.com' >>> delegate_creds = creds.create_delegated(account_sub) Args: sub: string, An email address that this service account will act on behalf of (via domain-wide delegation). Returns: ServiceAccountCredentials, a copy of the current service account updated to act on behalf of ``sub``. tsub(Ru(RRv((sB/tmp/pip-build-kpPAdC/oauth2client/oauth2client/service_account.pytcreate_delegated sN("t__name__t __module__t__doc__RVt frozensetRtAssertionCredentialstNON_SERIALIZED_MEMBERSRR1RRER,R-R.R R#t classmethodR7R?R@RHRKRMR[R^tpropertyRR`RnRoRrRuRw(((sB/tmp/pip-build-kpPAdC/oauth2client/oauth2client/service_account.pyR*sV%   0&"!    7   cCs1tjdddƒ}||}|jd|jS(Ni²ii€Q(Ritdaystseconds(tutc_timetepocht time_delta((sB/tmp/pip-build-kpPAdC/oauth2client/oauth2client/service_account.pyt_datetime_to_secs s t_JWTAccessCredentialscBs•eZdZdZd d d d ejejd d„Zd„Z d d d„Z d„Z d„Z ejejd„Z d„Zd „Zd d „ZRS( sÐSelf signed JWT credentials. Makes an assertion to server using a self signed JWT from service account credentials. These credentials do NOT use OAuth 2.0 and instead authenticate directly. ic CsS| dkri} ntt|ƒj||d|d|d|d|d|| dS(NRRR R R (RR R†R ( RRRRRRR R R tadditional_claims((sB/tmp/pip-build-kpPAdC/oauth2client/oauth2client/service_account.pyR 2s  cCstj||ƒ|S(sÁAuthorize an httplib2.Http instance with a JWT assertion. Unless specified, the 'aud' of the assertion will be the base uri of the request. Args: http: An instance of ``httplib2.Http`` or something that acts like it. Returns: A modified instance of http that was passed in. Example:: h = httplib2.Http() h = credentials.authorize(h) (Rtwrap_http_for_jwt_access(Rthttp((sB/tmp/pip-build-kpPAdC/oauth2client/oauth2client/service_account.pyt authorizeHscCs…|dkrS|jdks$|jr4|jdƒntjd|jd|jƒƒS|j|ƒ\}}tjd|d|jƒSdS(sòCreate a signed jwt. Args: http: unused additional_claims: dict, additional claims to add to the payload of the JWT. Returns: An AccessTokenInfo with the signed jwt Rbt expires_inN( RRbtaccess_token_expiredtrefreshRtAccessTokenInfot _expires_int _create_tokent_MAX_TOKEN_LIFETIME_SECS(RR‰R‡ttokent unused_expiry((sB/tmp/pip-build-kpPAdC/oauth2client/oauth2client/service_account.pytget_access_tokenZs   cCsdS(s*Cannot revoke JWTAccessCredentials tokens.N((RR‰((sB/tmp/pip-build-kpPAdC/oauth2client/oauth2client/service_account.pytrevokeoscCstS(N(tTrue(R((sB/tmp/pip-build-kpPAdC/oauth2client/oauth2client/service_account.pyRosscCs¦t|j|jd|d|jd|jd|jd|d||j}|jdk rf|j|_n|j dk r„|j |_ n|j dk r¢|j |_ n|S(NRRRR R R ( RRRRRRRR1RRRE(RRR R Rq((sB/tmp/pip-build-kpPAdC/oauth2client/oauth2client/service_account.pyRrws       cCs|jdƒdS(sÛRefreshes the access_token. The HTTP object is unused since no request needs to be made to get a new token, it can just be generated locally. Args: http: unused HTTP object N(t_refreshR(RR‰((sB/tmp/pip-build-kpPAdC/oauth2client/oauth2client/service_account.pyR‹s cCs|jƒ\|_|_dS(sXRefreshes the access_token. Args: http: unused HTTP object N(RRbRc(RR‰((sB/tmp/pip-build-kpPAdC/oauth2client/oauth2client/service_account.pyR—–scCs¼tjƒ}tjd|jƒ}||}it|ƒd6t|ƒd6|jd6|jd6}|j|jƒ|dk r‹|j|ƒnt j |j |d|j ƒ}|jdƒ|fS(NRRPRQRRRvRStascii(Rt_UTCNOWRit timedeltaR‘R…RRWRRRRXRRtdecode(RR‡RYtlifetimetexpiryRZtjwt((sB/tmp/pip-build-kpPAdC/oauth2client/oauth2client/service_account.pyRžs        N(RxRyRzR‘RR,R-R.R RŠR”R•RoRrRR—R(((sB/tmp/pip-build-kpPAdC/oauth2client/oauth2client/service_account.pyR†(s$    (RzR!RRiR:RUR,RRRRRAR RDR|RR…R†(((sB/tmp/pip-build-kpPAdC/oauth2client/oauth2client/service_account.pyts"      ÿ÷