Try internal authentication URL if external fails.

third_party/upload.py

 #!/usr/bin/env python
 # coding: utf-8
 #
 # Copyright 2007 Google Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
@@ skipping 271 matching lines @@
   def _CreateRequest(self, url, data=None):
     """Creates a new urllib request."""
     LOGGER.debug("Creating request for: '%s' with payload:\n%s", url, data)
     req = urllib2.Request(url, data=data, headers={"Accept": "text/plain"})
     if self.host_override:
       req.add_header("Host", self.host_override)
     for key, value in self.extra_headers.iteritems():
       req.add_header(key, value)
     return req
 
-  def _GetAuthToken(self, email, password):
+  def _GetAuthToken(self, email, password, internal=False):
     """Uses ClientLogin to authenticate the user, returning an auth token.
 
     Args:
       email:    The user's email address
       password: The user's password
 
     Raises:
       ClientLoginError: If there was an error authenticating with ClientLogin.
       HTTPError: If there was some other form of HTTP error.
 
     Returns:
       The authentication token returned by ClientLogin.
     """
     account_type = self.account_type
     if self.host.endswith(".google.com"):
       # Needed for use inside Google.
       account_type = "HOSTED"
+    service = ('ClientLogin') if not internal else ('ClientAuth')
     req = self._CreateRequest(
-        url="https://www.google.com/accounts/ClientLogin",
+        url="https://www.google.com/accounts/%s" % (service,),
         data=urllib.urlencode({
             "Email": email,
             "Passwd": password,
             "service": "ah",
             "source": "rietveld-codereview-upload",
             "accountType": account_type,
         }),
     )
     try:
       response = self.opener.open(req)
@@ skipping 42 matching lines @@
      2) We use ClientLogin to obtain an AUTH token for the user
         (see http://code.google.com/apis/accounts/AuthForInstalledApps.html).
      3) We pass the auth token to /_ah/login on the server to obtain an
         authentication cookie. If login was successful, it tries to redirect
         us to the URL we provided.
 
     If we attempt to access the upload API without first obtaining an
     authentication cookie, it returns a 401 response (or a 302) and
     directs us to authenticate ourselves with ClientLogin.
     """
+    INTERNAL_ERROR_MAP = {
+        "badauth": "BadAuthentication",
+        "cr": "CaptchaRequired",
+        "adel": "AccountDeleted",
+        "adis": "AccountDisabled",
+        "sdis": "ServiceDisabled",
+        "ire": "ServiceUnavailable",
+    }
+
     for i in range(3):
       credentials = self.auth_function()
+
+      # Try external, then internal.
+      e = None
       try:
         auth_token = self._GetAuthToken(credentials[0], credentials[1])
-      except ClientLoginError, e:
+      except urllib2.HTTPError:
+        try:
+          auth_token = self._GetAuthToken(credentials[0], credentials[1],
+                                          internal=True)
+        except ClientLoginError, exc:
+          e = exc
+      if e:
         print >> sys.stderr, ''
+        if internal:
+          e.reason = INTERNAL_ERROR_MAP.get(e.reason, e.reason)
         if e.reason == "BadAuthentication":
           if e.info == "InvalidSecondFactor":
             print >> sys.stderr, (
                 "Use an application-specific password instead "
                 "of your regular account password.\n"
                 "See http://www.google.com/"
                 "support/accounts/bin/answer.py?answer=185833")
           else:
             print >> sys.stderr, "Invalid username or password."
         elif e.reason == "CaptchaRequired":
@@ skipping 12 matching lines @@
         elif e.reason == "AccountDisabled":
           print >> sys.stderr, "The user account has been disabled."
           break
         elif e.reason == "ServiceDisabled":
           print >> sys.stderr, ("The user's access to the service has been "
                                "disabled.")
         elif e.reason == "ServiceUnavailable":
           print >> sys.stderr, "The service is not available; try again later."
         else:
           # Unknown error.
-          raise
+          raise e
         print >> sys.stderr, ''
         continue
       self._GetAuthCookie(auth_token)
       return
 
   def Send(self, request_path, payload=None,
            content_type="application/octet-stream",
            timeout=None,
            extra_headers=None,
            **kwargs):
@@ skipping 2298 matching lines @@
     os.environ['LC_ALL'] = 'C'
     RealMain(sys.argv)
   except KeyboardInterrupt:
     print
     StatusUpdate("Interrupted.")
     sys.exit(1)
 
 
 if __name__ == "__main__":
   main()