3 L(Y%(@sdZddlZddlZddlmZejejGdddeZejejGdddeZ Gdd d e Z d d Z ejejGd d d eZ dS)zInterfaces for credentials.N)_helpersc@sPeZdZdZddZeddZeddZej dd Z dd d Z d dZ d S) CredentialsaQBase class for all credentials. All credentials have a :attr:`token` that is used for authentication and may also optionally set an :attr:`expiry` to indicate when the token will no longer be valid. Most credentials will be :attr:`invalid` until :meth:`refresh` is called. Credentials can do this automatically before the first HTTP request in :meth:`before_request`. Although the token and expiration will change as the credentials are :meth:`refreshed ` and used, credentials should be considered immutable. Various credentials will accept configuration such as private keys, scopes, and other options. These options are not changeable after construction. Some classes will provide mechanisms to copy the credentials with modifications such as :meth:`ScopedCredentials.with_scopes`. cCsd|_d|_dS)N)tokenexpiry)selfrF/private/tmp/pip-build-nl73fm5q/google-auth/google/auth/credentials.py__init__,szCredentials.__init__cCs"|js dS|jtj}tj|kS)zChecks if the credentials are expired. Note that credentials can be invalid but not expired becaue Credentials with :attr:`expiry` set to None is considered to never expire. F)rrZ CLOCK_SKEWutcnow)rZ skewed_expiryrrrexpired4s zCredentials.expiredcCs|jdk o|j S)zChecks the validity of the credentials. This is True if the credentials have a :attr:`token` and the token is not :attr:`expired`. N)rr )rrrrvalidCszCredentials.validcCs tddS)aRefreshes the access token. Args: request (google.auth.transport.Request): The object used to make HTTP requests. Raises: google.auth.exceptions.RefreshError: If the credentials could not be refreshed. zRefresh must be implementedN)NotImplementedError)rrequestrrrrefreshLszCredentials.refreshNcCsdjtj|p|j|d<dS)zApply the token to the authentication header. Args: headers (Mapping): The HTTP request headers. token (Optional[str]): If specified, overrides the current access token. z Bearer {} authorizationN)formatr from_bytesr)rheadersrrrrapply\szCredentials.applycCs|js|j||j|dS)aPerforms credential-specific before request logic. Refreshes the credentials if necessary, then calls :meth:`apply` to apply the token to the authentication header. Args: request (google.auth.transport.Request): The object used to make HTTP requests. method (str): The request's HTTP method or the RPC method being invoked. url (str): The request's URI or the RPC service's URI. headers (Mapping): The request's headers. N)r rr)rrmethodurlrrrrbefore_requestgs zCredentials.before_request)N) __name__ __module__ __qualname____doc__r propertyr r abcabstractmethodrrrrrrrrs   rcsBeZdZdZfddZeddZejddZ dd Z Z S) ReadOnlyScopeda&Interface for credentials whose scopes can be queried. OAuth 2.0-based credentials allow limiting access using scopes as described in `RFC6749 Section 3.3`_. If a credential class implements this interface then the credentials either use scopes in their implementation. Some credentials require scopes in order to obtain a token. You can check if scoping is necessary with :attr:`requires_scopes`:: if credentials.requires_scopes: # Scoping is required. credentials = credentials.create_scoped(['one', 'two']) Credentials that require scopes must either be constructed with scopes:: credentials = SomeScopedCredentials(scopes=['one', 'two']) Or must copy an existing instance using :meth:`with_scopes`:: scoped_credentials = credentials.with_scopes(scopes=['one', 'two']) Some credentials have scopes but do not allow or require scopes to be set, these credentials can be used as-is. .. _RFC6749 Section 3.3: https://tools.ietf.org/html/rfc6749#section-3.3 cstt|jd|_dS)N)superrr _scopes)r) __class__rrr szReadOnlyScoped.__init__cCs|jS)z6Sequence[str]: the credentials' current set of scopes.)r!)rrrrscopesszReadOnlyScoped.scopescCsdS)zLTrue if these credentials require scopes to obtain an access token. Fr)rrrrrequires_scopesszReadOnlyScoped.requires_scopescCst|jt|jpgS)aChecks if the credentials have the given scopes. .. warning: This method is not guaranteed to be accurate if the credentials are :attr:`~Credentials.invalid`. Returns: bool: True if the credentials have the given scopes. )setissubsetr!)rr#rrr has_scopess zReadOnlyScoped.has_scopes) rrrrr rr#rabstractpropertyr$r' __classcell__rr)r"rr}s   rc@seZdZdZejddZdS)Scopeda5Interface for credentials whose scopes can be replaced while copying. OAuth 2.0-based credentials allow limiting access using scopes as described in `RFC6749 Section 3.3`_. If a credential class implements this interface then the credentials either use scopes in their implementation. Some credentials require scopes in order to obtain a token. You can check if scoping is necessary with :attr:`requires_scopes`:: if credentials.requires_scopes: # Scoping is required. credentials = credentials.create_scoped(['one', 'two']) Credentials that require scopes must either be constructed with scopes:: credentials = SomeScopedCredentials(scopes=['one', 'two']) Or must copy an existing instance using :meth:`with_scopes`:: scoped_credentials = credentials.with_scopes(scopes=['one', 'two']) Some credentials have scopes but do not allow or require scopes to be set, these credentials can be used as-is. .. _RFC6749 Section 3.3: https://tools.ietf.org/html/rfc6749#section-3.3 cCs tddS)amCreate a copy of these credentials with the specified scopes. Args: scopes (Sequence[str]): The list of scopes to request. Raises: NotImplementedError: If the credentials' scopes can not be changed. This can be avoided by checking :attr:`requires_scopes` before calling this method. z$This class does not require scoping.N)r )rr#rrr with_scopess zScoped.with_scopesN)rrrrrrr+rrrrr*sr*cCs"t|tr|jr|j|S|SdS)a3Creates a copy of the credentials with scopes if scoping is required. This helper function is useful when you do not know (or care to know) the specific type of credentials you are using (such as when you use :func:`google.auth.default`). This function will call :meth:`Scoped.with_scopes` if the credentials are scoped credentials and if the credentials require scoping. Otherwise, it will return the credentials as-is. Args: credentials (google.auth.credentials.Credentials): The credentials to scope if necessary. scopes (Sequence[str]): The list of scopes to use. Returns: google.auth.credentials.Credentials: Either a new set of scoped credentials, or the passed in credentials instance if no scoping was required. N) isinstancer*r$r+) credentialsr#rrrwith_scopes_if_requireds r.c@s:eZdZdZejddZejddZejddZ dS) SigningzCInterface for credentials that can cryptographically sign messages.cCs tddS)zSigns the given message. Args: message (bytes): The message to sign. Returns: bytes: The message's cryptographic signature. zSign bytes must be implemented.N)r )rmessagerrr sign_bytess zSigning.sign_bytescCs tddS)z;Optional[str]: An email address that identifies the signer.z!Signer email must be implemented.N)r )rrrr signer_email szSigning.signer_emailcCs tddS)z8google.auth.crypt.Signer: The signer used to sign bytes.zSigner must be implemented.N)r )rrrrsignerszSigning.signerN) rrrrrrr1r(r2r3rrrrr/sr/) rrsixZ google.authr add_metaclassABCMetaobjectrrr*r.r/rrrrs c7+