U

KD�g#n�@s�dZd
dl
Z
d
dlZd
dlZd
dlZd
dlZd
dlZd
dlmZ
d
dlmZ
d
dlm	Z	
d
dlm
Z

dZdZd	Z
Gd
d�dej�Zdd
�ZGdd�de�ZdS)z/oauth2client Service account credentials class.�N)
�_helpers)
�client)
�crypt)
�	transportZ
notasecret�_private_key_pkcs12a


This library only implements PKCS#12 support via the pyOpenSSL library.
Either install pyOpenSSL, or please convert the .p12 file
to .pem format:
    $ cat key.p12 | \
    >   openssl pkcs12 -nodes -nocerts -passin pass:notasecret | \
    >   openssl rsa > key.pem
cs.
eZ
dZd
ZdZedg
�
ejjBZdZ	dZ
dZddddej
ejf�f
dd�	Zd(�f
dd	�	Zed)d
d�
�
Zed*dd
�
�
Zed+dd�
�
Zeddej
ejfdd�
�
Zeddej
ejfdd�
�
Zeddej
ejfdd�
�
Zdd�Zdd�Zedd��
Zedd��
Zedd��
Zd d!�Zd"d#�Zd$d%�Z d&d'�Z!�Z"S),�ServiceAccountCredentialsa�Service Account credential for OAuth 2.0 signed JWT grants.

    Supports

    * JSON keyfile (typically contains a PKCS8 key stored as
      PEM text)
    * ``.p12`` key (stores PKCS12 key and certificate)

    Makes an assertion to server using a signed JWT assertion in exchange
    for an access token.

    This credential does not require a flow to instantiate because it
    represents a two legged flow, and therefore has all of the required
    information to generate and refresh its own access tokens.

    Args:
        service_account_email: string, The email associated with the
                               service account.
        signer: ``crypt.Signer``, A signer which can be used to sign content.
        scopes: List or string, (Optional) Scopes to use when acquiring
                an access token.
        private_key_id: string, (Optional) Private key identifier. Typically
                        only used with a JSON keyfile. Can be sent in the
                        header of a JWT token assertion.
        client_id: string, (Optional) Client ID for the project that owns the
                   service account.
        user_agent: string, (Optional) User agent to use when sending
                    request.
        token_uri: string, URI for token endpoint. For convenience defaults
                   to Google's endpoints but any OAuth 2.0 provider can be
                   used.
        revoke_uri: string, URI for revoke endpoint.  For convenience defaults
                   to Google's endpoints but any OAuth 2.0 provider can be
                   used.
        kwargs: dict, Extra key-value pairs (both strings) to send in the
                payload body when making an assertion.
    ��_signerN�c	
sLtt
|�jd|||d
�
|
|_||_t�|�
|_||_||_	||_
|	|_dS)N)�
user_agent�	token_uri�
revoke_uri)�superr�__init__�_service_account_emailr	rZscopes_to_string�_scopes�_private_key_id�	client_id�_user_agent�_kwargs)
�self�service_account_email�signer�scopes�private_key_idrrrr
�kwargs�
�	__class__��I/opt/cppython/lib/python3.8/site-packages/oauth2client/service_account.pyr_s


�





z"ServiceAccountCredentials.__init__csH|d
krt�|j
�
}|�t�
}|d
k	r4t�|�
|t<tt|�j|
|d�S)acUtility function that creates JSON repr. of a credentials object.

        Over-ride is needed since PKCS#12 keys will not in general be JSON
        serializable.

        Args:
            strip: array, An array of names of members to exclude from the
                   JSON.
            to_serialize: dict, (Optional) The properties for this object
                          that will be serialized. This allows callers to
                          modify before serializing.

        Returns:
            string, a JSON representation of this instance, suitable to pass to
            from_json().
        N)
�to_serialize)	�copy�__dict__�get�_PKCS12_KEY�base64�	b64encoderr�_to_json)r�stripr �
pkcs12_valrrrr'vs







�z"ServiceAccountCredentials._to_jsonc	Cs�|
�d
�
}|t
jkr$td|dt
j��
|
d}|
d}|
d}|
d}	|sV|
�dtj�}|sh|
�d	tj�}tj�	|�
}
|||
|||	||d
�}||_
|S)a	Helper for factory constructors from JSON keyfile.

        Args:
            keyfile_dict: dict-like object, The parsed dictionary-like object
                          containing the contents of the JSON keyfile.
            scopes: List or string, Scopes to use when acquiring an
                    access token.
            token_uri: string, URI for OAuth 2.0 provider token endpoint.
                       If unset and not present in keyfile_dict, defaults
                       to Google's endpoints.
            revoke_uri: string, URI for OAuth 2.0 provider revoke endpoint.
                       If unset and not present in keyfile_dict, defaults
                       to Google's endpoints.

        Returns:
            ServiceAccountCredentials, a credentials object created from
            the keyfile contents.

        Raises:
            ValueError, if the credential type is not :data:`SERVICE_ACCOUNT`.
            KeyError, if one of the expected keys is not present in
                the keyfile.
        �typezUnexpected credentials typeZExpected�client_email�private_keyrrrr
)rrrrr
)r#rZSERVICE_ACCOUNT�
ValueError�oauth2client�GOOGLE_TOKEN_URI�GOOGLE_REVOKE_URIr�Signer�from_string�_private_key_pkcs8_pem)�cls�keyfile_dictrrr
Z
creds_typer�private_key_pkcs8_pemrrr�credentialsrrr�_from_parsed_json_keyfile�s6




�





�

�



�
z3ServiceAccountCredentials._from_parsed_json_keyfilec	Cs2t|
d
��}t
�|�
}W5QRX|j||||d�S)a�Factory constructor from JSON keyfile by name.

        Args:
            filename: string, The location of the keyfile.
            scopes: List or string, (Optional) Scopes to use when acquiring an
                    access token.
            token_uri: string, URI for OAuth 2.0 provider token endpoint.
                       If unset and not present in the key file, defaults
                       to Google's endpoints.
            revoke_uri: string, URI for OAuth 2.0 provider revoke endpoint.
                       If unset and not present in the key file, defaults
                       to Google's endpoints.

        Returns:
            ServiceAccountCredentials, a credentials object created from
            the keyfile.

        Raises:
            ValueError, if the credential type is not :data:`SERVICE_ACCOUNT`.
            KeyError, if one of the expected keys is not present in
                the keyfile.
        �
r�rr
)�open�json�loadr8)r4�filenamerrr
�file_objZclient_credentialsrrr�from_json_keyfile_name�s



�z0ServiceAccountCredentials.from_json_keyfile_namecCs|j|
|||d
�S)aFactory constructor from parsed JSON keyfile.

        Args:
            keyfile_dict: dict-like object, The parsed dictionary-like object
                          containing the contents of the JSON keyfile.
            scopes: List or string, (Optional) Scopes to use when acquiring an
                    access token.
            token_uri: string, URI for OAuth 2.0 provider token endpoint.
                       If unset and not present in keyfile_dict, defaults
                       to Google's endpoints.
            revoke_uri: string, URI for OAuth 2.0 provider revoke endpoint.
                       If unset and not present in keyfile_dict, defaults
                       to Google's endpoints.

        Returns:
            ServiceAccountCredentials, a credentials object created from
            the keyfile.

        Raises:
            ValueError, if the credential type is not :data:`SERVICE_ACCOUNT`.
            KeyError, if one of the expected keys is not present in
                the keyfile.
        r:)
r8)r4r5rrr
rrr�from_json_keyfile_dict�s

�z0ServiceAccountCredentials.from_json_keyfile_dictc	CsP|d
krt}t
jt
jk	r tt�
�
t
j�||�}||
||||d�}||_||_|S)axFactory constructor from JSON keyfile.

        Args:
            service_account_email: string, The email associated with the
                                   service account.
            private_key_pkcs12: string, The contents of a PKCS#12 keyfile.
            private_key_password: string, (Optional) Password for PKCS#12
                                  private key. Defaults to ``notasecret``.
            scopes: List or string, (Optional) Scopes to use when acquiring an
                    access token.
            token_uri: string, URI for token endpoint. For convenience defaults
                       to Google's endpoints but any OAuth 2.0 provider can be
                       used.
            revoke_uri: string, URI for revoke endpoint. For convenience
                        defaults to Google's endpoints but any OAuth 2.0
                        provider can be used.

        Returns:
            ServiceAccountCredentials, a credentials object created from
            the keyfile.

        Raises:
            NotImplementedError if pyOpenSSL is not installed / not the
            active crypto library.
        N)rrr
)	�_PASSWORD_DEFAULTrr1Z
OpenSSLSigner�NotImplementedError�
_PKCS12_ERRORr2r�_private_key_password)	r4r�private_key_pkcs12�private_key_passwordrrr
rr7rrr�_from_p12_keyfile_contents�s




�
�

z4ServiceAccountCredentials._from_p12_keyfile_contentsc		Cs4t|d
��}|�
�}W5QRX|j|
|||||d�S)apFactory constructor from JSON keyfile.

        Args:
            service_account_email: string, The email associated with the
                                   service account.
            filename: string, The location of the PKCS#12 keyfile.
            private_key_password: string, (Optional) Password for PKCS#12
                                  private key. Defaults to ``notasecret``.
            scopes: List or string, (Optional) Scopes to use when acquiring an
                    access token.
            token_uri: string, URI for token endpoint. For convenience defaults
                       to Google's endpoints but any OAuth 2.0 provider can be
                       used.
            revoke_uri: string, URI for revoke endpoint. For convenience
                        defaults to Google's endpoints but any OAuth 2.0
                        provider can be used.

        Returns:
            ServiceAccountCredentials, a credentials object created from
            the keyfile.

        Raises:
            NotImplementedError if pyOpenSSL is not installed / not the
            active crypto library.
        �rb�rGrrr
)r;�readrH)	r4rr>rGrrr
r?rFrrr�from_p12_keyfile*
s




�z*ServiceAccountCredentials.from_p12_keyfilecCs|��}|j
|
|||||d
�S)a�Factory constructor from JSON keyfile.

        Args:
            service_account_email: string, The email associated with the
                                   service account.
            file_buffer: stream, A buffer that implements ``read()``
                         and contains the PKCS#12 key contents.
            private_key_password: string, (Optional) Password for PKCS#12
                                  private key. Defaults to ``notasecret``.
            scopes: List or string, (Optional) Scopes to use when acquiring an
                    access token.
            token_uri: string, URI for token endpoint. For convenience defaults
                       to Google's endpoints but any OAuth 2.0 provider can be
                       used.
            revoke_uri: string, URI for revoke endpoint. For convenience
                        defaults to Google's endpoints but any OAuth 2.0
                        provider can be used.

        Returns:
            ServiceAccountCredentials, a credentials object created from
            the keyfile.

        Raises:
            NotImplementedError if pyOpenSSL is not installed / not the
            active crypto library.
        rJ)rKrH)r4rZfile_bufferrGrrr
rFrrr�from_p12_keyfile_bufferP
s



�z1ServiceAccountCredentials.from_p12_keyfile_bufferc
CsHtt
�
��
}
|j|j|
|
|j|jd
�}|�|j�

tj	|j
||jd�S)z8Generate the assertion that will be used in the request.)Zaud�scope�iat�exp�iss�
Zkey_id)�int�timerr�MAX_TOKEN_LIFETIME_SECSr�updaterr�make_signed_jwtr	r)r�now�payloadrrr�_generate_assertionu
s



�


�z-ServiceAccountCredentials._generate_assertioncCs|j|j
�|
�
fS)
aU
Cryptographically sign a blob (of bytes).

        Implements abstract method
        :meth:`oauth2client.client.AssertionCredentials.sign_blob`.

        Args:
            blob: bytes, Message to be signed.

        Returns:
            tuple, A pair of the private key ID used to sign the blob and
            the signed contents.
        )rr	�sign)rZblobrrr�	sign_blob�
s
z#ServiceAccountCredentials.sign_blobc


Cs|jS)
z�Get the email for the current service account.

        Returns:
            string, The email associated with the service account.
        )
r�
rrrrr�
sz/ServiceAccountCredentials.service_account_emailc

Csd
|j|j
|j|jd�S)NZservice_account)r*r+rr,r)rrr3rr]rrr�serialization_data�
s



�z,ServiceAccountCredentials.serialization_datacCs
t|
t
�st�t�|
�
�
}
d
}|
�t�
}d
}|d
krJ|
d}tj	�
|�
}n t�|�
}|
d}tj	�
||�}||
d|f|
d|
d|
d|
dd	�|
d
��
}|d
k	r�||_
|d
k	r�||_|d
k	r�||_|
d|_|
d|_|
d
|_|
d|_|
�dd
�}|d
k	�
rtj�|tj�|_|S)aM
Deserialize a JSON-serialized instance.

        Inverse to :meth:`to_json`.

        Args:
            json_data: dict or string, Serialized JSON (as a string or an
                       already parsed dictionary) representing a credential.

        Returns:
            ServiceAccountCredentials from the serialized data.
        Nr3rErrrrr�rrrrr�invalid�access_tokenrr
�token_expiry)�
isinstance�dictr<�loadsrZ_from_bytesr#r$rr1r2r%�	b64decoder3rrEr`rarr
�datetime�strptimerZ
EXPIRY_FORMATrb)r4Z	json_datar6r)�passwordrr7rbrrr�	from_json�
sN












�


��	

















�z#ServiceAccountCredentials.from_jsonc


Cs|jS)
N)
rr]rrr�create_scoped_required�
s
z0ServiceAccountCredentials.create_scoped_requiredcCsV|j|j
|jf|
|j|j|jd
�|j��
}|j|_|j|_|j	|_	|j
|_
|j|_|S)Nr_)rrr	rrrrrr
r3rrE)rr�resultrrr�
create_scoped�
s 

�


��




z'ServiceAccountCredentials.create_scopedcCsjt|j
�
}|�|
�

|j|j|jf|j|j|j|j	d
�|��
}|j
|_
|j|_|j|_|j
|_
|j|_|S)a<
Create credentials that specify additional claims.

        Args:
            claims: dict, key-value pairs for claims.

        Returns:
            ServiceAccountCredentials, a copy of the current service account
            credentials with updated claims to use when obtaining access
            tokens.
        r_)rdrrVrrr	rrrrrr
r3rrE)rZclaimsZ
new_kwargsrlrrr�create_with_claims�
s$




�


��




z,ServiceAccountCredentials.create_with_claimscCs|�d
|
i
�
S)aYCreate credentials that act as domain-wide delegation of authority.

        Use the ``sub`` parameter as the subject to delegate on behalf of
        that user.

        For example::

          >>> account_sub = 'foo@email.com'
          >>> delegate_creds = creds.create_delegated(account_sub)

        Args:
            sub: string, An email address that this service account will
                 act on behalf of (via domain-wide delegation).

        Returns:
            ServiceAccountCredentials, a copy of the current service account
            updated to act on behalf of ``sub``.
        �sub)
rn)rrorrr�create_delegated
sz*ServiceAccountCredentials.create_delegated)
N)NN)r
NN)r
NN)#�__name__�
__module__�__qualname__�__doc__rU�	frozensetr�AssertionCredentialsZNON_SERIALIZED_MEMBERSr3rrEr.r/r0rr'�classmethodr8r@rArHrLrMrZr\�propertyrr^rjrkrmrnrp�
__classcell__rrrrr*sz
&
��






��1

�

�

�*

�%

�$






6rc
Cs&t�d
dd�}
||
}|j
d|jS)Ni��
i�Q
)rg�days�seconds)Zutc_time�epochZ
time_deltarrr�_datetime_to_secs s

r~cs�eZ
dZd
ZdZddddejejdf�f
dd�	Zdd�Z	ddd	�
Z
d
d�Zdd
�Zejejfdd�
Z
dd�Zdd�Zddd�
Z�ZS)�_JWTAccessCredentialsz�Self signed JWT credentials.

    Makes an assertion to server using a self signed JWT from service account
    credentials.  These credentials do NOT use OAuth 2.0 and instead
    authenticate directly.
    rNc

s6|	dkri}	tt
|�j|
|f|||||d
�|	��

dS)N)rrrrr
)rrr)
rrrrrrrrr
�additional_claimsrrrr2s





�



��z_JWTAccessCredentials.__init__cCst�
||
�
|
S)
a�
Authorize an httplib2.Http instance with a JWT assertion.

        Unless specified, the 'aud' of the assertion will be the base
        uri of the request.

        Args:
            http: An instance of ``httplib2.Http`` or something that acts
                  like it.
        Returns:
            A modified instance of http that was passed in.
        Example::
            h = httplib2.Http()
            h = credentials.authorize(h)
        )rZwrap_http_for_jwt_access�r�httprrr�	authorizeHs
z_JWTAccessCredentials.authorizecCsX|d
kr6|jd
ks|j
r"|�d
�

tj|j|��d�S|�|�
\}}tj||jd�Sd
S)z�Create a signed jwt.

        Args:
            http: unused
            additional_claims: dict, additional claims to add to
                the payload of the JWT.
        Returns:
            An AccessTokenInfo with the signed jwt
        N)raZ
expires_in)raZaccess_token_expired�refreshrZAccessTokenInfoZ_expires_in�
_create_token�_MAX_TOKEN_LIFETIME_SECS)rr�r��tokenZ
unused_expiryrrr�get_access_tokenZs





�

�z&_JWTAccessCredentials.get_access_tokenc
Csd
S)z*Cannot revoke JWTAccessCredentials tokens.Nrr�rrr�revokeosz_JWTAccessCredentials.revokec


Csd
S)NTrr]rrrrkssz,_JWTAccessCredentials.create_scoped_requiredc	Csft|j
|jf|
|j|j|j||d
�|j��
}|jdk	r>|j|_|jdk	rP|j|_|j	dk	rb|j	|_	|S)N)rrrrrr
)
rrr	rrrrr3rrE)rrrr
rlrrrrmws&
�




��	








z#_JWTAccessCredentials.create_scopedcCs|�d
�

d
S)z�Refreshes the access_token.

        The HTTP object is unused since no request needs to be made to
        get a new token, it can just be generated locally.

        Args:
            http: unused HTTP object
        N)
�_refreshr�rrrr��s	z_JWTAccessCredentials.refreshcCs|��\|_
|_d
S)zXRefreshes the access_token.

        Args:
            http: unused HTTP object
        N)r�rarbr�rrrr��sz_JWTAccessCredentials._refreshcCsxt�
�}tj|jd
�
}||}t|�
t|�
|j|jd�}|�|j�

|
dk	rV|�|
�

t	j
|j||jd�}|�
d�
|fS)N)
r|)rOrPrQrorR�ascii)rZ_UTCNOWrg�	timedeltar�r~rrVrrrWr	r�decode)rr�rXZlifetimeZexpiryrYZjwtrrrr��s





�





�z#_JWTAccessCredentials._create_token)NN)
N)rqrrrsrtr�r.r/r0rr�r�r�rkrmr�r�r�ryrrrrr(s(






�

�
r)rtr%r!rgr<rTr.rrrrrBr$rDrvrr~rrrrr�<module>s&










y