third_party/google_api_python_client/MODIFICATIONS.diff - Issue 1085893002: Upgrade 3rd packages

Unified Diff: third_party/google_api_python_client/MODIFICATIONS.diff

Issue 1085893002: Upgrade 3rd packages (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/tools/depot_tools

Patch Set: update readme Created 5 years, 8 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Index: third_party/google_api_python_client/MODIFICATIONS.diff

diff --git a/third_party/google_api_python_client/MODIFICATIONS.diff b/third_party/google_api_python_client/MODIFICATIONS.diff

new file mode 100644

index 0000000000000000000000000000000000000000..d437a39aa7024f1dda1d55877b9bb5572572be17

--- /dev/null

+++ b/third_party/google_api_python_client/MODIFICATIONS.diff

@@ -0,0 +1,4008 @@

+diff --git a/third_party/google_api_python_client/apiclient/__init__.py b/third_party/google_api_python_client/apiclient/__init__.py

+index 5efb142..acb1a23 100644

+--- a/third_party/google_api_python_client/apiclient/__init__.py

++++ b/third_party/google_api_python_client/apiclient/__init__.py

+@@ -3,7 +3,7 @@

+ import googleapiclient

+ try:

+- import oauth2client

++ from third_party import oauth2client

+ except ImportError:

+ raise RuntimeError(

+ 'Previous version of google-api-python-client detected; due to a '

+diff --git a/third_party/google_api_python_client/googleapiclient/channel.py b/third_party/google_api_python_client/googleapiclient/channel.py

+index 68a3b89..4626094 100644

+--- a/third_party/google_api_python_client/googleapiclient/channel.py

++++ b/third_party/google_api_python_client/googleapiclient/channel.py

+@@ -60,7 +60,7 @@ import datetime

+ import uuid

+ from googleapiclient import errors

+-from ...oauth2client import util

++from third_party.oauth2client import util

+ # The unix time epoch starts at midnight 1970.

+diff --git a/third_party/google_api_python_client/googleapiclient/discovery.py b/third_party/google_api_python_client/googleapiclient/discovery.py

+index 3ddac57..0e9e5cf 100644

+--- a/third_party/google_api_python_client/googleapiclient/discovery.py

++++ b/third_party/google_api_python_client/googleapiclient/discovery.py

+@@ -47,9 +47,9 @@ except ImportError:

+ from cgi import parse_qsl

+ # Third-party imports

+-from ... import httplib2

++from third_party import httplib2

++from third_party.uritemplate import uritemplate

+ import mimeparse

+-from ... import uritemplate

+ # Local imports

+ from googleapiclient.errors import HttpError

+@@ -65,9 +65,9 @@ from googleapiclient.model import JsonModel

+ from googleapiclient.model import MediaModel

+ from googleapiclient.model import RawModel

+ from googleapiclient.schema import Schemas

+-from oauth2client.client import GoogleCredentials

+-from oauth2client.util import _add_query_parameter

+-from oauth2client.util import positional

++from third_party.oauth2client.client import GoogleCredentials

++from third_party.oauth2client.util import _add_query_parameter

++from third_party.oauth2client.util import positional

+ # The client library requires a version of httplib2 that supports RETRIES.

+diff --git a/third_party/google_api_python_client/googleapiclient/errors.py b/third_party/google_api_python_client/googleapiclient/errors.py

+index a1999fd..18c52e6 100644

+--- a/third_party/google_api_python_client/googleapiclient/errors.py

++++ b/third_party/google_api_python_client/googleapiclient/errors.py

+@@ -24,7 +24,7 @@ __author__ = 'jcgregorio@google.com (Joe Gregorio)'

+ import json

+-from ...oauth2client import util

++from third_party.oauth2client import util

+ class Error(Exception):

+diff --git a/third_party/google_api_python_client/googleapiclient/http.py b/third_party/google_api_python_client/googleapiclient/http.py

+index 8638279..d2ce70c 100644

+--- a/third_party/google_api_python_client/googleapiclient/http.py

++++ b/third_party/google_api_python_client/googleapiclient/http.py

+@@ -25,7 +25,6 @@ import StringIO

+ import base64

+ import copy

+ import gzip

+-import httplib2

+ import json

+ import logging

+ import mimeparse

+@@ -49,7 +48,8 @@ from errors import ResumableUploadError

+ from errors import UnexpectedBodyError

+ from errors import UnexpectedMethodError

+ from model import JsonModel

+-from ...oauth2client import util

++from third_party import httplib2

++from third_party.oauth2client import util

+ DEFAULT_CHUNK_SIZE = 512*1024

+diff --git a/third_party/google_api_python_client/googleapiclient/sample_tools.py b/third_party/google_api_python_client/googleapiclient/sample_tools.py

+index cbd6d6f..cc0790b 100644

+--- a/third_party/google_api_python_client/googleapiclient/sample_tools.py

++++ b/third_party/google_api_python_client/googleapiclient/sample_tools.py

+@@ -22,13 +22,13 @@ __all__ = ['init']

+ import argparse

+-import httplib2

+ import os

+ from googleapiclient import discovery

+-from ...oauth2client import client

+-from ...oauth2client import file

+-from ...oauth2client import tools

++from third_party import httplib2

++from third_party.oauth2client import client

++from third_party.oauth2client import file

++from third_party.oauth2client import tools

+ def init(argv, name, version, doc, filename, scope=None, parents=[], discovery_filename=None):

+diff --git a/third_party/google_api_python_client/googleapiclient/schema.py b/third_party/google_api_python_client/googleapiclient/schema.py

+index af41317..92543ec 100644

+--- a/third_party/google_api_python_client/googleapiclient/schema.py

++++ b/third_party/google_api_python_client/googleapiclient/schema.py

+@@ -63,7 +63,7 @@ __author__ = 'jcgregorio@google.com (Joe Gregorio)'

+ import copy

+-from oauth2client import util

++from third_party.oauth2client import util

+ class Schemas(object):

+diff --git a/third_party/oauth2client/README.chromium b/third_party/oauth2client/README.chromium

+index ea15b96..bfc4a01 100644

+--- a/third_party/oauth2client/README.chromium

++++ b/third_party/oauth2client/README.chromium

+@@ -1,7 +1,7 @@

+ Name: oauth2client

+ Short Name: oauth2client

+-URL: https://pypi.python.org/packages/source/o/oauth2client/oauth2client-1.2.tar.gz

+-Version: 1.2

++URL: https://pypi.python.org/packages/source/o/oauth2client/oauth2client-1.4.7.tar.gz

++Version: 1.4.7

+ License: Apache License 2.0

+ Description:

+diff --git a/third_party/oauth2client/__init__.py b/third_party/oauth2client/__init__.py

+index ac84748..fea30ca 100644

+--- a/third_party/oauth2client/__init__.py

++++ b/third_party/oauth2client/__init__.py

+@@ -1,5 +1,8 @@

+-__version__ = "1.2"

++"""Client library for using OAuth2, especially with Google APIs."""

++__version__ = '1.4.7'

+ GOOGLE_AUTH_URI = 'https://accounts.google.com/o/oauth2/auth'

++GOOGLE_DEVICE_URI = 'https://accounts.google.com/o/oauth2/device/code'

+ GOOGLE_REVOKE_URI = 'https://accounts.google.com/o/oauth2/revoke'

+-GOOGLE_TOKEN_URI = 'https://accounts.google.com/o/oauth2/token'

++GOOGLE_TOKEN_URI = 'https://accounts.google.com/o/oauth2/token'

+\ No newline at end of file

+diff --git a/third_party/oauth2client/anyjson.py b/third_party/oauth2client/anyjson.py

+deleted file mode 100644

+index ae21c33..0000000

+--- a/third_party/oauth2client/anyjson.py

++++ /dev/null

+@@ -1,32 +0,0 @@

+-#

+-# Licensed under the Apache License, Version 2.0 (the "License");

+-# you may not use this file except in compliance with the License.

+-# You may obtain a copy of the License at

+-#

+-# http://www.apache.org/licenses/LICENSE-2.0

+-#

+-# Unless required by applicable law or agreed to in writing, software

+-# distributed under the License is distributed on an "AS IS" BASIS,

+-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

+-# See the License for the specific language governing permissions and

+-# limitations under the License.

+-"""Utility module to import a JSON module

+-Hides all the messy details of exactly where

+-we get a simplejson module from.

+-"""

+-__author__ = 'jcgregorio@google.com (Joe Gregorio)'

+-try: # pragma: no cover

+- # Should work for Python2.6 and higher.

+- import json as simplejson

+-except ImportError: # pragma: no cover

+- try:

+- import simplejson

+- except ImportError:

+- # Try to import from django, should work on App Engine

+- from django.utils import simplejson

+diff --git a/third_party/oauth2client/appengine.py b/third_party/oauth2client/appengine.py

+index 5cd3f4b..4131513 100644

+--- a/third_party/oauth2client/appengine.py

++++ b/third_party/oauth2client/appengine.py

+@@ -1,4 +1,4 @@

+ #

+ # Licensed under the Apache License, Version 2.0 (the "License");

+ # you may not use this file except in compliance with the License.

+@@ -19,14 +19,14 @@ Utilities for making it easier to use OAuth 2.0 on Google App Engine.

+ __author__ = 'jcgregorio@google.com (Joe Gregorio)'

+-import base64

+ import cgi

+-import httplib2

++import json

+ import logging

+ import os

+ import pickle

+ import threading

+-import time

++import httplib2

+ from google.appengine.api import app_identity

+ from google.appengine.api import memcache

+@@ -41,7 +41,6 @@ from oauth2client import GOOGLE_TOKEN_URI

+ from oauth2client import clientsecrets

+ from oauth2client import util

+ from oauth2client import xsrfutil

+-from oauth2client.anyjson import simplejson

+ from oauth2client.client import AccessTokenRefreshError

+ from oauth2client.client import AssertionCredentials

+ from oauth2client.client import Credentials

+@@ -159,15 +158,20 @@ class AppAssertionCredentials(AssertionCredentials):

+ Args:

+ scope: string or iterable of strings, scope(s) of the credentials being

+ requested.

++ **kwargs: optional keyword args, including:

++ service_account_id: service account id of the application. If None or

++ unspecified, the default service account for the app is used.

+ """

+ self.scope = util.scopes_to_string(scope)

++ self._kwargs = kwargs

++ self.service_account_id = kwargs.get('service_account_id', None)

+ # Assertion type is no longer used, but still in the parent class signature.

+ super(AppAssertionCredentials, self).__init__(None)

+ @classmethod

+- def from_json(cls, json):

+- data = simplejson.loads(json)

++ def from_json(cls, json_data):

++ data = json.loads(json_data)

+ return AppAssertionCredentials(data['scope'])

+ def _refresh(self, http_request):

+@@ -186,11 +190,22 @@ class AppAssertionCredentials(AssertionCredentials):

+ """

+ try:

+ scopes = self.scope.split()

+- (token, _) = app_identity.get_access_token(scopes)

+- except app_identity.Error, e:

++ (token, _) = app_identity.get_access_token(

++ scopes, service_account_id=self.service_account_id)

++ except app_identity.Error as e:

+ raise AccessTokenRefreshError(str(e))

+ self.access_token = token

++ @property

++ def serialization_data(self):

++ raise NotImplementedError('Cannot serialize credentials for AppEngine.')

++ def create_scoped_required(self):

++ return not self.scope

++ def create_scoped(self, scopes):

++ return AppAssertionCredentials(scopes, **self._kwargs)

+ class FlowProperty(db.Property):

+ """App Engine datastore Property for Flow.

+@@ -434,6 +449,7 @@ class StorageByKeyName(Storage):

+ entity_key = db.Key.from_path(self._model.kind(), self._key_name)

+ db.delete(entity_key)

++ @db.non_transactional(allow_existing=True)

+ def locked_get(self):

+ """Retrieve Credential from datastore.

+@@ -456,6 +472,7 @@ class StorageByKeyName(Storage):

+ credentials.set_store(self)

+ return credentials

++ @db.non_transactional(allow_existing=True)

+ def locked_put(self, credentials):

+ """Write a Credentials to the datastore.

+@@ -468,6 +485,7 @@ class StorageByKeyName(Storage):

+ if self._cache:

+ self._cache.set(self._key_name, credentials.to_json())

++ @db.non_transactional(allow_existing=True)

+ def locked_delete(self):

+ """Delete Credential from datastore."""

+@@ -553,16 +571,14 @@ class OAuth2Decorator(object):

+ Instantiate and then use with oauth_required or oauth_aware

+ as decorators on webapp.RequestHandler methods.

+- Example:

++ ::

+ decorator = OAuth2Decorator(

+ client_id='837...ent.com',

+ client_secret='Qh...wwI',

+ scope='https://www.googleapis.com/auth/plus')

+ class MainHandler(webapp.RequestHandler):

+ @decorator.oauth_required

+ def get(self):

+ http = decorator.http()

+@@ -650,8 +666,9 @@ class OAuth2Decorator(object):

+ provided to this constructor. A string indicating the name of the field

+ on the _credentials_class where a Credentials object will be stored.

+ Defaults to 'credentials'.

+- **kwargs: dict, Keyword arguments are be passed along as kwargs to the

+- OAuth2WebServerFlow constructor.

++ **kwargs: dict, Keyword arguments are passed along as kwargs to

++ the OAuth2WebServerFlow constructor.

+ """

+ self._tls = threading.local()

+ self.flow = None

+@@ -798,14 +815,18 @@ class OAuth2Decorator(object):

+ url = self.flow.step1_get_authorize_url()

+ return str(url)

+- def http(self):

++ def http(self, *args, **kwargs):

+ """Returns an authorized http instance.

+ Must only be called from within an @oauth_required decorated method, or

+ from within an @oauth_aware decorated method where has_credentials()

+ returns True.

++ Args:

++ *args: Positional arguments passed to httplib2.Http constructor.

++ **kwargs: Positional arguments passed to httplib2.Http constructor.

+ """

+- return self.credentials.authorize(httplib2.Http())

++ return self.credentials.authorize(httplib2.Http(*args, **kwargs))

+ @property

+ def callback_path(self):

+@@ -824,7 +845,8 @@ class OAuth2Decorator(object):

+ def callback_handler(self):

+ """RequestHandler for the OAuth 2.0 redirect callback.

+- Usage:

++ Usage::

+ app = webapp.WSGIApplication([

+ ('/index', MyIndexHandler),

+ ...,

+@@ -858,7 +880,7 @@ class OAuth2Decorator(object):

+ user)

+ if decorator._token_response_param and credentials.token_response:

+- resp_json = simplejson.dumps(credentials.token_response)

++ resp_json = json.dumps(credentials.token_response)

+ redirect_uri = util._add_query_parameter(

+ redirect_uri, decorator._token_response_param, resp_json)

+@@ -887,24 +909,23 @@ class OAuth2DecoratorFromClientSecrets(OAuth2Decorator):

+ Uses a clientsecrets file as the source for all the information when

+ constructing an OAuth2Decorator.

+- Example:

++ ::

+ decorator = OAuth2DecoratorFromClientSecrets(

+ os.path.join(os.path.dirname(__file__), 'client_secrets.json')

+ scope='https://www.googleapis.com/auth/plus')

+ class MainHandler(webapp.RequestHandler):

+ @decorator.oauth_required

+ def get(self):

+ http = decorator.http()

+ # http is authorized with the user's Credentials and can be used

+ # in API calls

+ """

+ @util.positional(3)

+- def __init__(self, filename, scope, message=None, cache=None):

++ def __init__(self, filename, scope, message=None, cache=None, **kwargs):

+ """Constructor

+ Args:

+@@ -917,17 +938,20 @@ class OAuth2DecoratorFromClientSecrets(OAuth2Decorator):

+ decorator.

+ cache: An optional cache service client that implements get() and set()

+ methods. See clientsecrets.loadfile() for details.

++ **kwargs: dict, Keyword arguments are passed along as kwargs to

++ the OAuth2WebServerFlow constructor.

+ """

+ client_type, client_info = clientsecrets.loadfile(filename, cache=cache)

+ if client_type not in [

+ clientsecrets.TYPE_WEB, clientsecrets.TYPE_INSTALLED]:

+ raise InvalidClientSecretsError(

+- 'OAuth2Decorator doesn\'t support this OAuth 2.0 flow.')

+- constructor_kwargs = {

+- 'auth_uri': client_info['auth_uri'],

+- 'token_uri': client_info['token_uri'],

+- 'message': message,

+- }

++ "OAuth2Decorator doesn't support this OAuth 2.0 flow.")

++ constructor_kwargs = dict(kwargs)

++ constructor_kwargs.update({

++ 'auth_uri': client_info['auth_uri'],

++ 'token_uri': client_info['token_uri'],

++ 'message': message,

++ })

+ revoke_uri = client_info.get('revoke_uri')

+ if revoke_uri is not None:

+ constructor_kwargs['revoke_uri'] = revoke_uri

+@@ -960,4 +984,4 @@ def oauth2decorator_from_clientsecrets(filename, scope,

+ """

+ return OAuth2DecoratorFromClientSecrets(filename, scope,

+- message=message, cache=cache)

++ message=message, cache=cache)

+\ No newline at end of file

+diff --git a/third_party/oauth2client/client.py b/third_party/oauth2client/client.py

+index 6901f3f..8fe28a3 100644

+--- a/third_party/oauth2client/client.py

++++ b/third_party/oauth2client/client.py

+@@ -1,4 +1,4 @@

+ #

+ # Licensed under the Apache License, Version 2.0 (the "License");

+ # you may not use this file except in compliance with the License.

+@@ -20,44 +20,48 @@ Tools for interacting with OAuth 2.0 protected resources.

+ __author__ = 'jcgregorio@google.com (Joe Gregorio)'

+ import base64

+-import clientsecrets

++import collections

+ import copy

+ import datetime

+-from .. import httplib2

++import json

+ import logging

++import os

++import socket

+ import sys

++import tempfile

+ import time

+-import urllib

+-import urlparse

++import shutil

++from .. import httplib2

++from . import clientsecrets

+ from . import GOOGLE_AUTH_URI

++from . import GOOGLE_DEVICE_URI

+ from . import GOOGLE_REVOKE_URI

+ from . import GOOGLE_TOKEN_URI

+ from . import util

+-from .anyjson import simplejson

++from third_party import six

++from third_party.six.moves import urllib

+ HAS_OPENSSL = False

+ HAS_CRYPTO = False

+ try:

+- from . import crypt

++ from oauth2client import crypt

+ HAS_CRYPTO = True

+ if crypt.OpenSSLVerifier is not None:

+ HAS_OPENSSL = True

+ except ImportError:

+ pass

+-try:

+- from urlparse import parse_qsl

+-except ImportError:

+- from cgi import parse_qsl

+ logger = logging.getLogger(__name__)

+ # Expiry is stored in RFC3339 UTC format

+ EXPIRY_FORMAT = '%Y-%m-%dT%H:%M:%SZ'

+ # Which certs to use to validate id_tokens received.

+-ID_TOKEN_VERIFICATON_CERTS = 'https://www.googleapis.com/oauth2/v1/certs'

++ID_TOKEN_VERIFICATION_CERTS = 'https://www.googleapis.com/oauth2/v1/certs'

++# This symbol previously had a typo in the name; we keep the old name

++# around for now, but will remove it in the future.

++ID_TOKEN_VERIFICATON_CERTS = ID_TOKEN_VERIFICATION_CERTS

+ # Constant to use for the out of band OAuth 2.0 flow.

+ OOB_CALLBACK_URN = 'urn:ietf:wg:oauth:2.0:oob'

+@@ -65,6 +69,42 @@ OOB_CALLBACK_URN = 'urn:ietf:wg:oauth:2.0:oob'

+ # Google Data client libraries may need to set this to [401, 403].

+ REFRESH_STATUS_CODES = [401]

++# The value representing user credentials.

++AUTHORIZED_USER = 'authorized_user'

++# The value representing service account credentials.

++SERVICE_ACCOUNT = 'service_account'

++# The environment variable pointing the file with local

++# Application Default Credentials.

++GOOGLE_APPLICATION_CREDENTIALS = 'GOOGLE_APPLICATION_CREDENTIALS'

++# The ~/.config subdirectory containing gcloud credentials. Intended

++# to be swapped out in tests.

++_CLOUDSDK_CONFIG_DIRECTORY = 'gcloud'

++# The error message we show users when we can't find the Application

++# Default Credentials.

++ADC_HELP_MSG = (

++ 'The Application Default Credentials are not available. They are available '

++ 'if running in Google Compute Engine. Otherwise, the environment variable '

++ + GOOGLE_APPLICATION_CREDENTIALS +

++ ' must be defined pointing to a file defining the credentials. See '

++ 'https://developers.google.com/accounts/docs/application-default-credentials' # pylint:disable=line-too-long

++ ' for more information.')

++# The access token along with the seconds in which it expires.

++AccessTokenInfo = collections.namedtuple(

++ 'AccessTokenInfo', ['access_token', 'expires_in'])

++DEFAULT_ENV_NAME = 'UNKNOWN'

++# If set to True _get_environment avoid GCE check (_detect_gce_environment)

++NO_GCE_CHECK = os.environ.setdefault('NO_GCE_CHECK', 'False')

++class SETTINGS(object):

++ """Settings namespace for globally defined values."""

++ env_name = None

+ class Error(Exception):

+ """Base error for this module."""

+@@ -91,13 +131,25 @@ class AccessTokenCredentialsError(Error):

+ class VerifyJwtTokenError(Error):

+- """Could on retrieve certificates for validation."""

++ """Could not retrieve certificates for validation."""

+ class NonAsciiHeaderError(Error):

+ """Header names and values must be ASCII strings."""

++class ApplicationDefaultCredentialsError(Error):

++ """Error retrieving the Application Default Credentials."""

++class OAuth2DeviceCodeError(Error):

++ """Error trying to retrieve a device code."""

++class CryptoUnavailableError(Error, NotImplementedError):

++ """Raised when a crypto library is required, but none is available."""

+ def _abstract():

+ raise NotImplementedError('You need to override this function')

+@@ -125,11 +177,12 @@ class Credentials(object):

+ an HTTP transport.

+ Subclasses must also specify a classmethod named 'from_json' that takes a JSON

+- string as input and returns an instaniated Credentials object.

++ string as input and returns an instantiated Credentials object.

+ """

+ NON_SERIALIZED_MEMBERS = ['store']

+ def authorize(self, http):

+ """Take an httplib2.Http instance (or equivalent) and authorizes it.

+@@ -143,6 +196,7 @@ class Credentials(object):

+ """

+ _abstract()

+ def refresh(self, http):

+ """Forces a refresh of the access_token.

+@@ -152,6 +206,7 @@ class Credentials(object):

+ """

+ _abstract()

+ def revoke(self, http):

+ """Revokes a refresh_token and makes the credentials void.

+@@ -161,6 +216,7 @@ class Credentials(object):

+ """

+ _abstract()

+ def apply(self, headers):

+ """Add the authorization to the headers.

+@@ -184,12 +240,16 @@ class Credentials(object):

+ for member in strip:

+ if member in d:

+ del d[member]

+- if 'token_expiry' in d and isinstance(d['token_expiry'], datetime.datetime):

++ if (d.get('token_expiry') and

++ isinstance(d['token_expiry'], datetime.datetime)):

+ d['token_expiry'] = d['token_expiry'].strftime(EXPIRY_FORMAT)

+ # Add in information we will need later to reconsistitue this instance.

+ d['_class'] = t.__name__

+ d['_module'] = t.__module__

+- return simplejson.dumps(d)

++ for key, val in d.items():

++ if isinstance(val, bytes):

++ d[key] = val.decode('utf-8')

++ return json.dumps(d)

+ def to_json(self):

+ """Creating a JSON representation of an instance of Credentials.

+@@ -212,14 +272,16 @@ class Credentials(object):

+ An instance of the subclass of Credentials that was serialized with

+ to_json().

+ """

+- data = simplejson.loads(s)

++ if six.PY3 and isinstance(s, bytes):

++ s = s.decode('utf-8')

++ data = json.loads(s)

+ # Find and call the right classmethod from_json() to restore the object.

+ module = data['_module']

+ try:

+ m = __import__(module)

+ except ImportError:

+ # In case there's an object from the old package structure, update it

+- module = module.replace('.apiclient', '')

++ module = module.replace('.googleapiclient', '')

+ m = __import__(module)

+ m = __import__(module, fromlist=module.split('.')[:-1])

+@@ -228,13 +290,13 @@ class Credentials(object):

+ return from_json(s)

+ @classmethod

+- def from_json(cls, s):

++ def from_json(cls, unused_data):

+ """Instantiate a Credentials object from a JSON description of it.

+ The JSON should have been produced by calling .to_json() on the object.

+ Args:

+- data: dict, A deserialized JSON object.

++ unused_data: dict, A deserialized JSON object.

+ Returns:

+ An instance of a Credentials subclass.

+@@ -356,8 +418,10 @@ def clean_headers(headers):

+ """

+ clean = {}

+ try:

+- for k, v in headers.iteritems():

+- clean[str(k)] = str(v)

++ for k, v in six.iteritems(headers):

++ clean_k = k if isinstance(k, bytes) else str(k).encode('ascii')

++ clean_v = v if isinstance(v, bytes) else str(v).encode('ascii')

++ clean[clean_k] = clean_v

+ except UnicodeEncodeError:

+ raise NonAsciiHeaderError(k + ': ' + v)

+ return clean

+@@ -373,11 +437,11 @@ def _update_query_params(uri, params):

+ Returns:

+ The same URI but with the new query parameters added.

+ """

+- parts = list(urlparse.urlparse(uri))

+- query_params = dict(parse_qsl(parts[4])) # 4 is the index of the query part

++ parts = urllib.parse.urlparse(uri)

++ query_params = dict(urllib.parse.parse_qsl(parts.query))

+ query_params.update(params)

+- parts[4] = urllib.urlencode(query_params)

+- return urlparse.urlunparse(parts)

++ new_parts = parts._replace(query=urllib.parse.urlencode(query_params))

++ return urllib.parse.urlunparse(new_parts)

+ class OAuth2Credentials(Credentials):

+@@ -445,22 +509,23 @@ class OAuth2Credentials(Credentials):

+ it.

+ Args:

+- http: An instance of httplib2.Http

+- or something that acts like it.

++ http: An instance of ``httplib2.Http`` or something that acts

++ like it.

+ Returns:

+ A modified instance of http that was passed in.

+- Example:

++ Example::

+ h = httplib2.Http()

+ h = credentials.authorize(h)

+- You can't create a new OAuth subclass of httplib2.Authenication

++ You can't create a new OAuth subclass of httplib2.Authentication

+ because it never gets passed the absolute URI, which is needed for

+ signing. So instead we have to overload 'request' with a closure

+ that adds in the Authorization header and then calls the original

+ version of 'request()'.

+ """

+ request_orig = http.request

+@@ -473,10 +538,12 @@ class OAuth2Credentials(Credentials):

+ logger.info('Attempting refresh to obtain initial access_token')

+ self._refresh(request_orig)

+- # Modify the request headers to add the appropriate

++ # Clone and modify the request headers to add the appropriate

+ # Authorization header.

+ if headers is None:

+ headers = {}

++ else:

++ headers = dict(headers)

+ self.apply(headers)

+ if self.user_agent is not None:

+@@ -489,7 +556,7 @@ class OAuth2Credentials(Credentials):

+ redirections, connection_type)

+ if resp.status in REFRESH_STATUS_CODES:

+- logger.info('Refreshing due to a %s' % str(resp.status))

++ logger.info('Refreshing due to a %s', resp.status)

+ self._refresh(request_orig)

+ self.apply(headers)

+ return request_orig(uri, method, body, clean_headers(headers),

+@@ -545,13 +612,15 @@ class OAuth2Credentials(Credentials):

+ Returns:

+ An instance of a Credentials subclass.

+ """

+- data = simplejson.loads(s)

+- if 'token_expiry' in data and not isinstance(data['token_expiry'],

+- datetime.datetime):

++ if six.PY3 and isinstance(s, bytes):

++ s = s.decode('utf-8')

++ data = json.loads(s)

++ if (data.get('token_expiry') and

++ not isinstance(data['token_expiry'], datetime.datetime)):

+ try:

+ data['token_expiry'] = datetime.datetime.strptime(

+ data['token_expiry'], EXPIRY_FORMAT)

+- except:

++ except ValueError:

+ data['token_expiry'] = None

+ retval = cls(

+ data['access_token'],

+@@ -586,11 +655,24 @@ class OAuth2Credentials(Credentials):

+ return True

+ return False

++ def get_access_token(self, http=None):

++ """Return the access token and its expiration information.

++ If the token does not exist, get one.

++ If the token expired, refresh it.

++ """

++ if not self.access_token or self.access_token_expired:

++ if not http:

++ http = httplib2.Http()

++ self.refresh(http)

++ return AccessTokenInfo(access_token=self.access_token,

++ expires_in=self._expires_in())

+ def set_store(self, store):

+ """Set the Storage for the credential.

+ Args:

+- store: Storage, an implementation of Stroage object.

++ store: Storage, an implementation of Storage object.

+ This is needed to store the latest access_token if it

+ has expired and been refreshed. This implementation uses

+ locking to check for updates before updating the

+@@ -598,6 +680,25 @@ class OAuth2Credentials(Credentials):

+ """

+ self.store = store

++ def _expires_in(self):

++ """Return the number of seconds until this token expires.

++ If token_expiry is in the past, this method will return 0, meaning the

++ token has already expired.

++ If token_expiry is None, this method will return None. Note that returning

++ 0 in such a case would not be fair: the token may still be valid;

++ we just don't know anything about it.

++ """

++ if self.token_expiry:

++ now = datetime.datetime.utcnow()

++ if self.token_expiry > now:

++ time_delta = self.token_expiry - now

++ # TODO(orestica): return time_delta.total_seconds()

++ # once dropping support for Python 2.6

++ return time_delta.days * 86400 + time_delta.seconds

++ else:

++ return 0

+ def _updateFromCredential(self, other):

+ """Update this Credential from another instance."""

+ self.__dict__.update(other.__getstate__())

+@@ -615,7 +716,7 @@ class OAuth2Credentials(Credentials):

+ def _generate_refresh_request_body(self):

+ """Generate the body that will be used in the refresh request."""

+- body = urllib.urlencode({

++ body = urllib.parse.urlencode({

+ 'grant_type': 'refresh_token',

+ 'client_id': self.client_id,

+ 'client_secret': self.client_secret,

+@@ -679,9 +780,10 @@ class OAuth2Credentials(Credentials):

+ logger.info('Refreshing access_token')

+ resp, content = http_request(

+ self.token_uri, method='POST', body=body, headers=headers)

++ if six.PY3 and isinstance(content, bytes):

++ content = content.decode('utf-8')

+ if resp.status == 200:

+- # TODO(jcgregorio) Raise an error if loads fails?

+- d = simplejson.loads(content)

++ d = json.loads(content)

+ self.token_response = d

+ self.access_token = d['access_token']

+ self.refresh_token = d.get('refresh_token', self.refresh_token)

+@@ -690,35 +792,40 @@ class OAuth2Credentials(Credentials):

+ seconds=int(d['expires_in'])) + datetime.datetime.utcnow()

+ else:

+ self.token_expiry = None

++ # On temporary refresh errors, the user does not actually have to

++ # re-authorize, so we unflag here.

++ self.invalid = False

+ if self.store:

+ self.store.locked_put(self)

+ else:

+ # An {'error':...} response body means the token is expired or revoked,

+ # so we flag the credentials as such.

+- logger.info('Failed to retrieve access token: %s' % content)

++ logger.info('Failed to retrieve access token: %s', content)

+ error_msg = 'Invalid response %s.' % resp['status']

+ try:

+- d = simplejson.loads(content)

++ d = json.loads(content)

+ if 'error' in d:

+ error_msg = d['error']

++ if 'error_description' in d:

++ error_msg += ': ' + d['error_description']

+ self.invalid = True

+ if self.store:

+ self.store.locked_put(self)

+- except StandardError:

++ except (TypeError, ValueError):

+ pass

+ raise AccessTokenRefreshError(error_msg)

+ def _revoke(self, http_request):

+- """Revokes the refresh_token and deletes the store if available.

++ """Revokes this credential and deletes the stored copy (if it exists).

+ Args:

+ http_request: callable, a callable that matches the method signature of

+ httplib2.Http.request, used to make the revoke request.

+ """

+- self._do_revoke(http_request, self.refresh_token)

++ self._do_revoke(http_request, self.refresh_token or self.access_token)

+ def _do_revoke(self, http_request, token):

+- """Revokes the credentials and deletes the store if available.

++ """Revokes this credential and deletes the stored copy (if it exists).

+ Args:

+ http_request: callable, a callable that matches the method signature of

+@@ -738,10 +845,10 @@ class OAuth2Credentials(Credentials):

+ else:

+ error_msg = 'Invalid response %s.' % resp.status

+ try:

+- d = simplejson.loads(content)

++ d = json.loads(content)

+ if 'error' in d:

+ error_msg = d['error']

+- except StandardError:

++ except (TypeError, ValueError):

+ pass

+ raise TokenRevokeError(error_msg)

+@@ -763,7 +870,8 @@ class AccessTokenCredentials(OAuth2Credentials):

+ AccessTokenCredentials objects may be safely pickled and unpickled.

+- Usage:

++ Usage::

+ credentials = AccessTokenCredentials('<an access token>',

+ 'my-user-agent/1.0')

+ http = httplib2.Http()

+@@ -799,10 +907,12 @@ class AccessTokenCredentials(OAuth2Credentials):

+ @classmethod

+ def from_json(cls, s):

+- data = simplejson.loads(s)

++ if six.PY3 and isinstance(s, bytes):

++ s = s.decode('utf-8')

++ data = json.loads(s)

+ retval = AccessTokenCredentials(

+- data['access_token'],

+- data['user_agent'])

++ data['access_token'],

++ data['user_agent'])

+ return retval

+ def _refresh(self, http_request):

+@@ -819,7 +929,434 @@ class AccessTokenCredentials(OAuth2Credentials):

+ self._do_revoke(http_request, self.access_token)

+-class AssertionCredentials(OAuth2Credentials):

++def _detect_gce_environment(urlopen=None):

++ """Determine if the current environment is Compute Engine.

++ Args:

++ urlopen: Optional argument. Function used to open a connection to a URL.

++ Returns:

++ Boolean indicating whether or not the current environment is Google

++ Compute Engine.

++ """

++ urlopen = urlopen or urllib.request.urlopen

++ # Note: the explicit `timeout` below is a workaround. The underlying

++ # issue is that resolving an unknown host on some networks will take

++ # 20-30 seconds; making this timeout short fixes the issue, but

++ # could lead to false negatives in the event that we are on GCE, but

++ # the metadata resolution was particularly slow. The latter case is

++ # "unlikely".

++ try:

++ response = urlopen('http://169.254.169.254/', timeout=1)

++ return response.info().get('Metadata-Flavor', '') == 'Google'

++ except socket.timeout:

++ logger.info('Timeout attempting to reach GCE metadata service.')

++ return False

++ except urllib.error.URLError as e:

++ if isinstance(getattr(e, 'reason', None), socket.timeout):

++ logger.info('Timeout attempting to reach GCE metadata service.')

++ return False

++def _get_environment(urlopen=None):

++ """Detect the environment the code is being run on.

++ Args:

++ urlopen: Optional argument. Function used to open a connection to a URL.

++ Returns:

++ The value of SETTINGS.env_name after being set. If already

++ set, simply returns the value.

++ """

++ if SETTINGS.env_name is not None:

++ return SETTINGS.env_name

++ # None is an unset value, not the default.

++ SETTINGS.env_name = DEFAULT_ENV_NAME

++ server_software = os.environ.get('SERVER_SOFTWARE', '')

++ if server_software.startswith('Google App Engine/'):

++ SETTINGS.env_name = 'GAE_PRODUCTION'

++ elif server_software.startswith('Development/'):

++ SETTINGS.env_name = 'GAE_LOCAL'

++ elif NO_GCE_CHECK != 'True' and _detect_gce_environment(urlopen=urlopen):

++ SETTINGS.env_name = 'GCE_PRODUCTION'

++ return SETTINGS.env_name

++class GoogleCredentials(OAuth2Credentials):

++ """Application Default Credentials for use in calling Google APIs.

++ The Application Default Credentials are being constructed as a function of

++ the environment where the code is being run.

++ More details can be found on this page:

++ https://developers.google.com/accounts/docs/application-default-credentials

++ Here is an example of how to use the Application Default Credentials for a

++ service that requires authentication:

++ from googleapiclient.discovery import build

++ from oauth2client.client import GoogleCredentials

++ credentials = GoogleCredentials.get_application_default()

++ service = build('compute', 'v1', credentials=credentials)

++ PROJECT = 'bamboo-machine-422'

++ ZONE = 'us-central1-a'

++ request = service.instances().list(project=PROJECT, zone=ZONE)

++ response = request.execute()

++ print(response)

++ """

++ def __init__(self, access_token, client_id, client_secret, refresh_token,

++ token_expiry, token_uri, user_agent,

++ revoke_uri=GOOGLE_REVOKE_URI):

++ """Create an instance of GoogleCredentials.

++ This constructor is not usually called by the user, instead

++ GoogleCredentials objects are instantiated by

++ GoogleCredentials.from_stream() or

++ GoogleCredentials.get_application_default().

++ Args:

++ access_token: string, access token.

++ client_id: string, client identifier.

++ client_secret: string, client secret.

++ refresh_token: string, refresh token.

++ token_expiry: datetime, when the access_token expires.

++ token_uri: string, URI of token endpoint.

++ user_agent: string, The HTTP User-Agent to provide for this application.

++ revoke_uri: string, URI for revoke endpoint.

++ Defaults to GOOGLE_REVOKE_URI; a token can't be revoked if this is None.

++ """

++ super(GoogleCredentials, self).__init__(

++ access_token, client_id, client_secret, refresh_token, token_expiry,

++ token_uri, user_agent, revoke_uri=revoke_uri)

++ def create_scoped_required(self):

++ """Whether this Credentials object is scopeless.

++ create_scoped(scopes) method needs to be called in order to create

++ a Credentials object for API calls.

++ """

++ return False

++ def create_scoped(self, scopes):

++ """Create a Credentials object for the given scopes.

++ The Credentials type is preserved.

++ """

++ return self

++ @property

++ def serialization_data(self):

++ """Get the fields and their values identifying the current credentials."""

++ return {

++ 'type': 'authorized_user',

++ 'client_id': self.client_id,

++ 'client_secret': self.client_secret,

++ 'refresh_token': self.refresh_token

++ }

++ @staticmethod

++ def _implicit_credentials_from_gae(env_name=None):

++ """Attempts to get implicit credentials in Google App Engine env.

++ If the current environment is not detected as App Engine, returns None,

++ indicating no Google App Engine credentials can be detected from the

++ current environment.

++ Args:

++ env_name: String, indicating current environment.

++ Returns:

++ None, if not in GAE, else an appengine.AppAssertionCredentials object.

++ """

++ env_name = env_name or _get_environment()

++ if env_name not in ('GAE_PRODUCTION', 'GAE_LOCAL'):

++ return None

++ return _get_application_default_credential_GAE()

++ @staticmethod

++ def _implicit_credentials_from_gce(env_name=None):

++ """Attempts to get implicit credentials in Google Compute Engine env.

++ If the current environment is not detected as Compute Engine, returns None,

++ indicating no Google Compute Engine credentials can be detected from the

++ current environment.

++ Args:

++ env_name: String, indicating current environment.

++ Returns:

++ None, if not in GCE, else a gce.AppAssertionCredentials object.

++ """

++ env_name = env_name or _get_environment()

++ if env_name != 'GCE_PRODUCTION':

++ return None

++ return _get_application_default_credential_GCE()

++ @staticmethod

++ def _implicit_credentials_from_files(env_name=None):

++ """Attempts to get implicit credentials from local credential files.

++ First checks if the environment variable GOOGLE_APPLICATION_CREDENTIALS

++ is set with a filename and then falls back to a configuration file (the

++ "well known" file) associated with the 'gcloud' command line tool.

++ Args:

++ env_name: Unused argument.

++ Returns:

++ Credentials object associated with the GOOGLE_APPLICATION_CREDENTIALS

++ file or the "well known" file if either exist. If neither file is

++ define, returns None, indicating no credentials from a file can

++ detected from the current environment.

++ """

++ credentials_filename = _get_environment_variable_file()

++ if not credentials_filename:

++ credentials_filename = _get_well_known_file()

++ if os.path.isfile(credentials_filename):

++ extra_help = (' (produced automatically when running'

++ ' "gcloud auth login" command)')

++ else:

++ credentials_filename = None

++ else:

++ extra_help = (' (pointed to by ' + GOOGLE_APPLICATION_CREDENTIALS +

++ ' environment variable)')

++ if not credentials_filename:

++ return

++ try:

++ return _get_application_default_credential_from_file(credentials_filename)

++ except (ApplicationDefaultCredentialsError, ValueError) as error:

++ _raise_exception_for_reading_json(credentials_filename, extra_help, error)

++ @classmethod

++ def _get_implicit_credentials(cls):

++ """Gets credentials implicitly from the environment.

++ Checks environment in order of precedence:

++ - Google App Engine (production and testing)

++ - Environment variable GOOGLE_APPLICATION_CREDENTIALS pointing to

++ a file with stored credentials information.

++ - Stored "well known" file associated with `gcloud` command line tool.

++ - Google Compute Engine production environment.

++ Exceptions:

++ ApplicationDefaultCredentialsError: raised when the credentials fail

++ to be retrieved.

++ """

++ env_name = _get_environment()

++ # Environ checks (in order). Assumes each checker takes `env_name`

++ # as a kwarg.

++ environ_checkers = [

++ cls._implicit_credentials_from_gae,

++ cls._implicit_credentials_from_files,

++ cls._implicit_credentials_from_gce,

++ ]

++ for checker in environ_checkers:

++ credentials = checker(env_name=env_name)

++ if credentials is not None:

++ return credentials

++ # If no credentials, fail.

++ raise ApplicationDefaultCredentialsError(ADC_HELP_MSG)

++ @staticmethod

++ def get_application_default():

++ """Get the Application Default Credentials for the current environment.

++ Exceptions:

++ ApplicationDefaultCredentialsError: raised when the credentials fail

++ to be retrieved.

++ """

++ return GoogleCredentials._get_implicit_credentials()

++ @staticmethod

++ def from_stream(credential_filename):

++ """Create a Credentials object by reading the information from a given file.

++ It returns an object of type GoogleCredentials.

++ Args:

++ credential_filename: the path to the file from where the credentials

++ are to be read

++ Exceptions:

++ ApplicationDefaultCredentialsError: raised when the credentials fail

++ to be retrieved.

++ """

++ if credential_filename and os.path.isfile(credential_filename):

++ try:

++ return _get_application_default_credential_from_file(

++ credential_filename)

++ except (ApplicationDefaultCredentialsError, ValueError) as error:

++ extra_help = ' (provided as parameter to the from_stream() method)'

++ _raise_exception_for_reading_json(credential_filename,

++ extra_help,

++ error)

++ else:

++ raise ApplicationDefaultCredentialsError(

++ 'The parameter passed to the from_stream() '

++ 'method should point to a file.')

++def _save_private_file(filename, json_contents):

++ """Saves a file with read-write permissions on for the owner.

++ Args:

++ filename: String. Absolute path to file.

++ json_contents: JSON serializable object to be saved.

++ """

++ temp_filename = tempfile.mktemp()

++ file_desc = os.open(temp_filename, os.O_WRONLY | os.O_CREAT, 0o600)

++ with os.fdopen(file_desc, 'w') as file_handle:

++ json.dump(json_contents, file_handle, sort_keys=True,

++ indent=2, separators=(',', ': '))

++ shutil.move(temp_filename, filename)

++def save_to_well_known_file(credentials, well_known_file=None):

++ """Save the provided GoogleCredentials to the well known file.

++ Args:

++ credentials:

++ the credentials to be saved to the well known file;

++ it should be an instance of GoogleCredentials

++ well_known_file:

++ the name of the file where the credentials are to be saved;

++ this parameter is supposed to be used for testing only

++ """

++ # TODO(orestica): move this method to tools.py

++ # once the argparse import gets fixed (it is not present in Python 2.6)

++ if well_known_file is None:

++ well_known_file = _get_well_known_file()

++ credentials_data = credentials.serialization_data

++ _save_private_file(well_known_file, credentials_data)

++def _get_environment_variable_file():

++ application_default_credential_filename = (

++ os.environ.get(GOOGLE_APPLICATION_CREDENTIALS,

++ None))

++ if application_default_credential_filename:

++ if os.path.isfile(application_default_credential_filename):

++ return application_default_credential_filename

++ else:

++ raise ApplicationDefaultCredentialsError(

++ 'File ' + application_default_credential_filename + ' (pointed by ' +

++ GOOGLE_APPLICATION_CREDENTIALS +

++ ' environment variable) does not exist!')

++def _get_well_known_file():

++ """Get the well known file produced by command 'gcloud auth login'."""

++ # TODO(orestica): Revisit this method once gcloud provides a better way

++ # of pinpointing the exact location of the file.

++ WELL_KNOWN_CREDENTIALS_FILE = 'application_default_credentials.json'

++ if os.name == 'nt':

++ try:

++ default_config_path = os.path.join(os.environ['APPDATA'],

++ _CLOUDSDK_CONFIG_DIRECTORY)

++ except KeyError:

++ # This should never happen unless someone is really messing with things.

++ drive = os.environ.get('SystemDrive', 'C:')

++ default_config_path = os.path.join(drive, '\\',

++ _CLOUDSDK_CONFIG_DIRECTORY)

++ else:

++ default_config_path = os.path.join(os.path.expanduser('~'),

++ '.config',

++ _CLOUDSDK_CONFIG_DIRECTORY)

++ default_config_path = os.path.join(default_config_path,

++ WELL_KNOWN_CREDENTIALS_FILE)

++ return default_config_path

++def _get_application_default_credential_from_file(filename):

++ """Build the Application Default Credentials from file."""

++ from oauth2client import service_account

++ # read the credentials from the file

++ with open(filename) as file_obj:

++ client_credentials = json.load(file_obj)

++ credentials_type = client_credentials.get('type')

++ if credentials_type == AUTHORIZED_USER:

++ required_fields = set(['client_id', 'client_secret', 'refresh_token'])

++ elif credentials_type == SERVICE_ACCOUNT:

++ required_fields = set(['client_id', 'client_email', 'private_key_id',

++ 'private_key'])

++ else:

++ raise ApplicationDefaultCredentialsError(

++ "'type' field should be defined (and have one of the '" +

++ AUTHORIZED_USER + "' or '" + SERVICE_ACCOUNT + "' values)")

++ missing_fields = required_fields.difference(client_credentials.keys())

++ if missing_fields:

++ _raise_exception_for_missing_fields(missing_fields)

++ if client_credentials['type'] == AUTHORIZED_USER:

++ return GoogleCredentials(

++ access_token=None,

++ client_id=client_credentials['client_id'],

++ client_secret=client_credentials['client_secret'],

++ refresh_token=client_credentials['refresh_token'],

++ token_expiry=None,

++ token_uri=GOOGLE_TOKEN_URI,

++ user_agent='Python client library')

++ else: # client_credentials['type'] == SERVICE_ACCOUNT

++ return service_account._ServiceAccountCredentials(

++ service_account_id=client_credentials['client_id'],

++ service_account_email=client_credentials['client_email'],

++ private_key_id=client_credentials['private_key_id'],

++ private_key_pkcs8_text=client_credentials['private_key'],

++ scopes=[])

++def _raise_exception_for_missing_fields(missing_fields):

++ raise ApplicationDefaultCredentialsError(

++ 'The following field(s) must be defined: ' + ', '.join(missing_fields))

++def _raise_exception_for_reading_json(credential_file,

++ extra_help,

++ error):

++ raise ApplicationDefaultCredentialsError(

++ 'An error was encountered while reading json file: '+

++ credential_file + extra_help + ': ' + str(error))

++def _get_application_default_credential_GAE():

++ from oauth2client.appengine import AppAssertionCredentials

++ return AppAssertionCredentials([])

++def _get_application_default_credential_GCE():

++ from oauth2client.gce import AppAssertionCredentials

++ return AppAssertionCredentials([])

++class AssertionCredentials(GoogleCredentials):

+ """Abstract Credentials object used for OAuth 2.0 assertion grants.

+ This credential does not require a flow to instantiate because it

+@@ -859,7 +1396,7 @@ class AssertionCredentials(OAuth2Credentials):

+ def _generate_refresh_request_body(self):

+ assertion = self._generate_assertion()

+- body = urllib.urlencode({

++ body = urllib.parse.urlencode({

+ 'assertion': assertion,

+ 'grant_type': 'urn:ietf:params:oauth:grant-type:jwt-bearer',

+ })

+@@ -882,141 +1419,157 @@ class AssertionCredentials(OAuth2Credentials):

+ self._do_revoke(http_request, self.access_token)

+-if HAS_CRYPTO:

+- # PyOpenSSL and PyCrypto are not prerequisites for oauth2client, so if it is

+- # missing then don't create the SignedJwtAssertionCredentials or the

+- # verify_id_token() method.

++def _RequireCryptoOrDie():

++ """Ensure we have a crypto library, or throw CryptoUnavailableError.

++ The oauth2client.crypt module requires either PyCrypto or PyOpenSSL

++ to be available in order to function, but these are optional

++ dependencies.

++ """

++ if not HAS_CRYPTO:

++ raise CryptoUnavailableError('No crypto library available')

+- class SignedJwtAssertionCredentials(AssertionCredentials):

+- """Credentials object used for OAuth 2.0 Signed JWT assertion grants.

+- This credential does not require a flow to instantiate because it represents

+- a two legged flow, and therefore has all of the required information to

+- generate and refresh its own access tokens.

++class SignedJwtAssertionCredentials(AssertionCredentials):

++ """Credentials object used for OAuth 2.0 Signed JWT assertion grants.

++ This credential does not require a flow to instantiate because it

++ represents a two legged flow, and therefore has all of the required

++ information to generate and refresh its own access tokens.

++ SignedJwtAssertionCredentials requires either PyOpenSSL, or PyCrypto

++ 2.6 or later. For App Engine you may also consider using

++ AppAssertionCredentials.

++ """

++ MAX_TOKEN_LIFETIME_SECS = 3600 # 1 hour in seconds

++ @util.positional(4)

++ def __init__(self,

++ service_account_name,

++ private_key,

++ scope,

++ private_key_password='notasecret',

++ user_agent=None,

++ token_uri=GOOGLE_TOKEN_URI,

++ revoke_uri=GOOGLE_REVOKE_URI,

++ **kwargs):

++ """Constructor for SignedJwtAssertionCredentials.

++ Args:

++ service_account_name: string, id for account, usually an email address.

++ private_key: string, private key in PKCS12 or PEM format.

++ scope: string or iterable of strings, scope(s) of the credentials being

++ requested.

++ private_key_password: string, password for private_key, unused if

++ private_key is in PEM format.

++ user_agent: string, HTTP User-Agent to provide for this application.

++ token_uri: string, URI for token endpoint. For convenience

++ defaults to Google's endpoints but any OAuth 2.0 provider can be used.

++ revoke_uri: string, URI for revoke endpoint.

++ kwargs: kwargs, Additional parameters to add to the JWT token, for

++ example sub=joe@xample.org.

+- SignedJwtAssertionCredentials requires either PyOpenSSL, or PyCrypto 2.6 or

+- later. For App Engine you may also consider using AppAssertionCredentials.

++ Raises:

++ CryptoUnavailableError if no crypto library is available.

+ """

++ _RequireCryptoOrDie()

++ super(SignedJwtAssertionCredentials, self).__init__(

++ None,

++ user_agent=user_agent,

++ token_uri=token_uri,

++ revoke_uri=revoke_uri,

++ )

+- MAX_TOKEN_LIFETIME_SECS = 3600 # 1 hour in seconds

++ self.scope = util.scopes_to_string(scope)

+- @util.positional(4)

+- def __init__(self,

+- service_account_name,

+- private_key,

+- scope,

+- private_key_password='notasecret',

+- user_agent=None,

+- token_uri=GOOGLE_TOKEN_URI,

+- revoke_uri=GOOGLE_REVOKE_URI,

+- **kwargs):

+- """Constructor for SignedJwtAssertionCredentials.

+- Args:

+- service_account_name: string, id for account, usually an email address.

+- private_key: string, private key in PKCS12 or PEM format.

+- scope: string or iterable of strings, scope(s) of the credentials being

+- requested.

+- private_key_password: string, password for private_key, unused if

+- private_key is in PEM format.

+- user_agent: string, HTTP User-Agent to provide for this application.

+- token_uri: string, URI for token endpoint. For convenience

+- defaults to Google's endpoints but any OAuth 2.0 provider can be used.

+- revoke_uri: string, URI for revoke endpoint.

+- kwargs: kwargs, Additional parameters to add to the JWT token, for

+- example sub=joe@xample.org."""

+- super(SignedJwtAssertionCredentials, self).__init__(

+- None,

+- user_agent=user_agent,

+- token_uri=token_uri,

+- revoke_uri=revoke_uri,

+- )

+- self.scope = util.scopes_to_string(scope)

+- # Keep base64 encoded so it can be stored in JSON.

+- self.private_key = base64.b64encode(private_key)

+- self.private_key_password = private_key_password

+- self.service_account_name = service_account_name

+- self.kwargs = kwargs

+- @classmethod

+- def from_json(cls, s):

+- data = simplejson.loads(s)

+- retval = SignedJwtAssertionCredentials(

+- data['service_account_name'],

+- base64.b64decode(data['private_key']),

+- data['scope'],

+- private_key_password=data['private_key_password'],

+- user_agent=data['user_agent'],

+- token_uri=data['token_uri'],

+- **data['kwargs']

+- )

+- retval.invalid = data['invalid']

+- retval.access_token = data['access_token']

+- return retval

+- def _generate_assertion(self):

+- """Generate the assertion that will be used in the request."""

+- now = long(time.time())

+- payload = {

+- 'aud': self.token_uri,

+- 'scope': self.scope,

+- 'iat': now,

+- 'exp': now + SignedJwtAssertionCredentials.MAX_TOKEN_LIFETIME_SECS,

+- 'iss': self.service_account_name

+- }

+- payload.update(self.kwargs)

+- logger.debug(str(payload))

++ # Keep base64 encoded so it can be stored in JSON.

++ self.private_key = base64.b64encode(private_key)

++ if isinstance(self.private_key, six.text_type):

++ self.private_key = self.private_key.encode('utf-8')

+- private_key = base64.b64decode(self.private_key)

+- return crypt.make_signed_jwt(crypt.Signer.from_string(

+- private_key, self.private_key_password), payload)

++ self.private_key_password = private_key_password

++ self.service_account_name = service_account_name

++ self.kwargs = kwargs

+- # Only used in verify_id_token(), which is always calling to the same URI

+- # for the certs.

+- _cached_http = httplib2.Http(MemoryCache())

++ @classmethod

++ def from_json(cls, s):

++ data = json.loads(s)

++ retval = SignedJwtAssertionCredentials(

++ data['service_account_name'],

++ base64.b64decode(data['private_key']),

++ data['scope'],

++ private_key_password=data['private_key_password'],

++ user_agent=data['user_agent'],

++ token_uri=data['token_uri'],

++ **data['kwargs']

++ )

++ retval.invalid = data['invalid']

++ retval.access_token = data['access_token']

++ return retval

+- @util.positional(2)

+- def verify_id_token(id_token, audience, http=None,

+- cert_uri=ID_TOKEN_VERIFICATON_CERTS):

+- """Verifies a signed JWT id_token.

++ def _generate_assertion(self):

++ """Generate the assertion that will be used in the request."""

++ now = int(time.time())

++ payload = {

++ 'aud': self.token_uri,

++ 'scope': self.scope,

++ 'iat': now,

++ 'exp': now + SignedJwtAssertionCredentials.MAX_TOKEN_LIFETIME_SECS,

++ 'iss': self.service_account_name

++ }

++ payload.update(self.kwargs)

++ logger.debug(str(payload))

+- This function requires PyOpenSSL and because of that it does not work on

+- App Engine.

++ private_key = base64.b64decode(self.private_key)

++ return crypt.make_signed_jwt(crypt.Signer.from_string(

++ private_key, self.private_key_password), payload)

+- Args:

+- id_token: string, A Signed JWT.

+- audience: string, The audience 'aud' that the token should be for.

+- http: httplib2.Http, instance to use to make the HTTP request. Callers

+- should supply an instance that has caching enabled.

+- cert_uri: string, URI of the certificates in JSON format to

+- verify the JWT against.

++# Only used in verify_id_token(), which is always calling to the same URI

++# for the certs.

++_cached_http = httplib2.Http(MemoryCache())

+- Returns:

+- The deserialized JSON in the JWT.

++@util.positional(2)

++def verify_id_token(id_token, audience, http=None,

++ cert_uri=ID_TOKEN_VERIFICATION_CERTS):

++ """Verifies a signed JWT id_token.

+- Raises:

+- oauth2client.crypt.AppIdentityError if the JWT fails to verify.

+- """

+- if http is None:

+- http = _cached_http

++ This function requires PyOpenSSL and because of that it does not work on

++ App Engine.

+- resp, content = http.request(cert_uri)

++ Args:

++ id_token: string, A Signed JWT.

++ audience: string, The audience 'aud' that the token should be for.

++ http: httplib2.Http, instance to use to make the HTTP request. Callers

++ should supply an instance that has caching enabled.

++ cert_uri: string, URI of the certificates in JSON format to

++ verify the JWT against.

+- if resp.status == 200:

+- certs = simplejson.loads(content)

+- return crypt.verify_signed_jwt_with_certs(id_token, certs, audience)

+- else:

+- raise VerifyJwtTokenError('Status code: %d' % resp.status)

++ Returns:

++ The deserialized JSON in the JWT.

++ Raises:

++ oauth2client.crypt.AppIdentityError: if the JWT fails to verify.

++ CryptoUnavailableError: if no crypto library is available.

++ """

++ _RequireCryptoOrDie()

++ if http is None:

++ http = _cached_http

++ resp, content = http.request(cert_uri)

++ if resp.status == 200:

++ certs = json.loads(content.decode('utf-8'))

++ return crypt.verify_signed_jwt_with_certs(id_token, certs, audience)

++ else:

++ raise VerifyJwtTokenError('Status code: %d' % resp.status)

+ def _urlsafe_b64decode(b64string):

+ # Guard against unicode strings, which base64 can't handle.

+- b64string = b64string.encode('ascii')

+- padded = b64string + '=' * (4 - len(b64string) % 4)

++ if isinstance(b64string, six.text_type):

++ b64string = b64string.encode('ascii')

++ padded = b64string + b'=' * (4 - len(b64string) % 4)

+ return base64.urlsafe_b64decode(padded)

+@@ -1026,18 +1579,21 @@ def _extract_id_token(id_token):

+ Does the extraction w/o checking the signature.

+ Args:

+- id_token: string, OAuth 2.0 id_token.

++ id_token: string or bytestring, OAuth 2.0 id_token.

+ Returns:

+ object, The deserialized JSON payload.

+ """

+- segments = id_token.split('.')

++ if type(id_token) == bytes:

++ segments = id_token.split(b'.')

++ else:

++ segments = id_token.split(u'.')

+- if (len(segments) != 3):

++ if len(segments) != 3:

+ raise VerifyJwtTokenError(

+- 'Wrong number of segments in token: %s' % id_token)

++ 'Wrong number of segments in token: %s' % id_token)

+- return simplejson.loads(_urlsafe_b64decode(segments[1]))

++ return json.loads(_urlsafe_b64decode(segments[1]).decode('utf-8'))

+ def _parse_exchange_token_response(content):

+@@ -1055,11 +1611,12 @@ def _parse_exchange_token_response(content):

+ """

+ resp = {}

+ try:

+- resp = simplejson.loads(content)

+- except StandardError:

++ resp = json.loads(content.decode('utf-8'))

++ except Exception:

+ # different JSON libs raise different exceptions,

+ # so we just do a catch-all here

+- resp = dict(parse_qsl(content))

++ content = content.decode('utf-8')

++ resp = dict(urllib.parse.parse_qsl(content))

+ # some providers respond with 'expires', others with 'expires_in'

+ if resp and 'expires' in resp:

+@@ -1073,14 +1630,15 @@ def credentials_from_code(client_id, client_secret, scope, code,

+ redirect_uri='postmessage', http=None,

+ user_agent=None, token_uri=GOOGLE_TOKEN_URI,

+ auth_uri=GOOGLE_AUTH_URI,

+- revoke_uri=GOOGLE_REVOKE_URI):

++ revoke_uri=GOOGLE_REVOKE_URI,

++ device_uri=GOOGLE_DEVICE_URI):

+ """Exchanges an authorization code for an OAuth2Credentials object.

+ Args:

+ client_id: string, client identifier.

+ client_secret: string, client secret.

+ scope: string or iterable of strings, scope(s) to request.

+- code: string, An authroization code, most likely passed down from

++ code: string, An authorization code, most likely passed down from

+ the client

+ redirect_uri: string, this is generally set to 'postmessage' to match the

+ redirect_uri that the client specified

+@@ -1091,6 +1649,8 @@ def credentials_from_code(client_id, client_secret, scope, code,

+ defaults to Google's endpoints but any OAuth 2.0 provider can be used.

+ revoke_uri: string, URI for revoke endpoint. For convenience

+ defaults to Google's endpoints but any OAuth 2.0 provider can be used.

++ device_uri: string, URI for device authorization endpoint. For convenience

++ defaults to Google's endpoints but any OAuth 2.0 provider can be used.

+ Returns:

+ An OAuth2Credentials object.

+@@ -1102,7 +1662,7 @@ def credentials_from_code(client_id, client_secret, scope, code,

+ flow = OAuth2WebServerFlow(client_id, client_secret, scope,

+ redirect_uri=redirect_uri, user_agent=user_agent,

+ auth_uri=auth_uri, token_uri=token_uri,

+- revoke_uri=revoke_uri)

++ revoke_uri=revoke_uri, device_uri=device_uri)

+ credentials = flow.step2_exchange(code, http=http)

+ return credentials

+@@ -1113,7 +1673,8 @@ def credentials_from_clientsecrets_and_code(filename, scope, code,

+ message = None,

+ redirect_uri='postmessage',

+ http=None,

+- cache=None):

++ cache=None,

++ device_uri=None):

+ """Returns OAuth2Credentials from a clientsecrets file and an auth code.

+ Will create the right kind of Flow based on the contents of the clientsecrets

+@@ -1133,6 +1694,7 @@ def credentials_from_clientsecrets_and_code(filename, scope, code,

+ http: httplib2.Http, optional http instance to use to do the fetch

+ cache: An optional cache service client that implements get() and set()

+ methods. See clientsecrets.loadfile() for details.

++ device_uri: string, OAuth 2.0 device authorization endpoint

+ Returns:

+ An OAuth2Credentials object.

+@@ -1145,11 +1707,49 @@ def credentials_from_clientsecrets_and_code(filename, scope, code,

+ invalid.

+ """

+ flow = flow_from_clientsecrets(filename, scope, message=message, cache=cache,

+- redirect_uri=redirect_uri)

++ redirect_uri=redirect_uri,

++ device_uri=device_uri)

+ credentials = flow.step2_exchange(code, http=http)

+ return credentials

++class DeviceFlowInfo(collections.namedtuple('DeviceFlowInfo', (

++ 'device_code', 'user_code', 'interval', 'verification_url',

++ 'user_code_expiry'))):

++ """Intermediate information the OAuth2 for devices flow."""

++ @classmethod

++ def FromResponse(cls, response):

++ """Create a DeviceFlowInfo from a server response.

++ The response should be a dict containing entries as described here:

++ http://tools.ietf.org/html/draft-ietf-oauth-v2-05#section-3.7.1

++ """

++ # device_code, user_code, and verification_url are required.

++ kwargs = {

++ 'device_code': response['device_code'],

++ 'user_code': response['user_code'],

++ }

++ # The response may list the verification address as either

++ # verification_url or verification_uri, so we check for both.

++ verification_url = response.get(

++ 'verification_url', response.get('verification_uri'))

++ if verification_url is None:

++ raise OAuth2DeviceCodeError(

++ 'No verification_url provided in server response')

++ kwargs['verification_url'] = verification_url

++ # expires_in and interval are optional.

++ kwargs.update({

++ 'interval': response.get('interval'),

++ 'user_code_expiry': None,

++ })

++ if 'expires_in' in response:

++ kwargs['user_code_expiry'] = datetime.datetime.now() + datetime.timedelta(

++ seconds=int(response['expires_in']))

++ return cls(**kwargs)

+ class OAuth2WebServerFlow(Flow):

+ """Does the Web Server Flow for OAuth 2.0.

+@@ -1163,6 +1763,8 @@ class OAuth2WebServerFlow(Flow):

+ auth_uri=GOOGLE_AUTH_URI,

+ token_uri=GOOGLE_TOKEN_URI,

+ revoke_uri=GOOGLE_REVOKE_URI,

++ login_hint=None,

++ device_uri=GOOGLE_DEVICE_URI,

+ **kwargs):

+ """Constructor for OAuth2WebServerFlow.

+@@ -1185,6 +1787,11 @@ class OAuth2WebServerFlow(Flow):

+ defaults to Google's endpoints but any OAuth 2.0 provider can be used.

+ revoke_uri: string, URI for revoke endpoint. For convenience

+ defaults to Google's endpoints but any OAuth 2.0 provider can be used.

++ login_hint: string, Either an email address or domain. Passing this hint

++ will either pre-fill the email box on the sign-in form or select the

++ proper multi-login session, thereby simplifying the login flow.

++ device_uri: string, URI for device authorization endpoint. For convenience

++ defaults to Google's endpoints but any OAuth 2.0 provider can be used.

+ **kwargs: dict, The keyword arguments are all optional and required

+ parameters for the OAuth calls.

+ """

+@@ -1192,10 +1799,12 @@ class OAuth2WebServerFlow(Flow):

+ self.client_secret = client_secret

+ self.scope = util.scopes_to_string(scope)

+ self.redirect_uri = redirect_uri

++ self.login_hint = login_hint

+ self.user_agent = user_agent

+ self.auth_uri = auth_uri

+ self.token_uri = token_uri

+ self.revoke_uri = revoke_uri

++ self.device_uri = device_uri

+ self.params = {

+ 'access_type': 'offline',

+ 'response_type': 'code',

+@@ -1216,8 +1825,9 @@ class OAuth2WebServerFlow(Flow):

+ A URI as a string to redirect the user to begin the authorization flow.

+ """

+ if redirect_uri is not None:

+- logger.warning(('The redirect_uri parameter for'

+- 'OAuth2WebServerFlow.step1_get_authorize_url is deprecated. Please'

++ logger.warning((

++ 'The redirect_uri parameter for '

++ 'OAuth2WebServerFlow.step1_get_authorize_url is deprecated. Please '

+ 'move to passing the redirect_uri in via the constructor.'))

+ self.redirect_uri = redirect_uri

+@@ -1229,45 +1839,107 @@ class OAuth2WebServerFlow(Flow):

+ 'redirect_uri': self.redirect_uri,

+ 'scope': self.scope,

+ }

++ if self.login_hint is not None:

++ query_params['login_hint'] = self.login_hint

+ query_params.update(self.params)

+ return _update_query_params(self.auth_uri, query_params)

++ @util.positional(1)

++ def step1_get_device_and_user_codes(self, http=None):

++ """Returns a user code and the verification URL where to enter it

++ Returns:

++ A user code as a string for the user to authorize the application

++ An URL as a string where the user has to enter the code

++ """

++ if self.device_uri is None:

++ raise ValueError('The value of device_uri must not be None.')

++ body = urllib.parse.urlencode({

++ 'client_id': self.client_id,

++ 'scope': self.scope,

++ })

++ headers = {

++ 'content-type': 'application/x-www-form-urlencoded',

++ }

++ if self.user_agent is not None:

++ headers['user-agent'] = self.user_agent

++ if http is None:

++ http = httplib2.Http()

++ resp, content = http.request(self.device_uri, method='POST', body=body,

++ headers=headers)

++ if resp.status == 200:

++ try:

++ flow_info = json.loads(content)

++ except ValueError as e:

++ raise OAuth2DeviceCodeError(

++ 'Could not parse server response as JSON: "%s", error: "%s"' % (

++ content, e))

++ return DeviceFlowInfo.FromResponse(flow_info)

++ else:

++ error_msg = 'Invalid response %s.' % resp.status

++ try:

++ d = json.loads(content)

++ if 'error' in d:

++ error_msg += ' Error: %s' % d['error']

++ except ValueError:

++ # Couldn't decode a JSON response, stick with the default message.

++ pass

++ raise OAuth2DeviceCodeError(error_msg)

+ @util.positional(2)

+- def step2_exchange(self, code, http=None):

+- """Exhanges a code for OAuth2Credentials.

++ def step2_exchange(self, code=None, http=None, device_flow_info=None):

++ """Exchanges a code for OAuth2Credentials.

+ Args:

+- code: string or dict, either the code as a string, or a dictionary

+- of the query parameters to the redirect_uri, which contains

+- the code.

+- http: httplib2.Http, optional http instance to use to do the fetch

++ code: string, a dict-like object, or None. For a non-device

++ flow, this is either the response code as a string, or a

++ dictionary of query parameters to the redirect_uri. For a

++ device flow, this should be None.

++ http: httplib2.Http, optional http instance to use when fetching

++ credentials.

++ device_flow_info: DeviceFlowInfo, return value from step1 in the

++ case of a device flow.

+ Returns:

+ An OAuth2Credentials object that can be used to authorize requests.

+ Raises:

+- FlowExchangeError if a problem occured exchanging the code for a

+- refresh_token.

+- """

++ FlowExchangeError: if a problem occurred exchanging the code for a

++ refresh_token.

++ ValueError: if code and device_flow_info are both provided or both

++ missing.

+- if not (isinstance(code, str) or isinstance(code, unicode)):

++ """

++ if code is None and device_flow_info is None:

++ raise ValueError('No code or device_flow_info provided.')

++ if code is not None and device_flow_info is not None:

++ raise ValueError('Cannot provide both code and device_flow_info.')

++ if code is None:

++ code = device_flow_info.device_code

++ elif not isinstance(code, six.string_types):

+ if 'code' not in code:

+- if 'error' in code:

+- error_msg = code['error']

+- else:

+- error_msg = 'No code was supplied in the query parameters.'

+- raise FlowExchangeError(error_msg)

+- else:

+- code = code['code']

++ raise FlowExchangeError(code.get(

++ 'error', 'No code was supplied in the query parameters.'))

++ code = code['code']

+- body = urllib.urlencode({

+- 'grant_type': 'authorization_code',

++ post_data = {

+ 'client_id': self.client_id,

+ 'client_secret': self.client_secret,

+ 'code': code,

+- 'redirect_uri': self.redirect_uri,

+ 'scope': self.scope,

+- })

++ }

++ if device_flow_info is not None:

++ post_data['grant_type'] = 'http://oauth.net/grant_type/device/1.0'

++ else:

++ post_data['grant_type'] = 'authorization_code'

++ post_data['redirect_uri'] = self.redirect_uri

++ body = urllib.parse.urlencode(post_data)

+ headers = {

+ 'content-type': 'application/x-www-form-urlencoded',

+ }

+@@ -1284,26 +1956,31 @@ class OAuth2WebServerFlow(Flow):

+ if resp.status == 200 and 'access_token' in d:

+ access_token = d['access_token']

+ refresh_token = d.get('refresh_token', None)

++ if not refresh_token:

++ logger.info(

++ 'Received token response with no refresh_token. Consider '

++ "reauthenticating with approval_prompt='force'.")

+ token_expiry = None

+ if 'expires_in' in d:

+ token_expiry = datetime.datetime.utcnow() + datetime.timedelta(

+ seconds=int(d['expires_in']))

++ extracted_id_token = None

+ if 'id_token' in d:

+- d['id_token'] = _extract_id_token(d['id_token'])

++ extracted_id_token = _extract_id_token(d['id_token'])

+ logger.info('Successfully retrieved access token')

+ return OAuth2Credentials(access_token, self.client_id,

+ self.client_secret, refresh_token, token_expiry,

+ self.token_uri, self.user_agent,

+ revoke_uri=self.revoke_uri,

+- id_token=d.get('id_token', None),

++ id_token=extracted_id_token,

+ token_response=d)

+ else:

+- logger.info('Failed to retrieve access token: %s' % content)

++ logger.info('Failed to retrieve access token: %s', content)

+ if 'error' in d:

+ # you never know what those providers got to say

+- error_msg = unicode(d['error'])

++ error_msg = str(d['error']) + str(d.get('error_description', ''))

+ else:

+ error_msg = 'Invalid response: %s.' % str(resp.status)

+ raise FlowExchangeError(error_msg)

+@@ -1311,7 +1988,8 @@ class OAuth2WebServerFlow(Flow):

+ @util.positional(2)

+ def flow_from_clientsecrets(filename, scope, redirect_uri=None,

+- message=None, cache=None):

++ message=None, cache=None, login_hint=None,

++ device_uri=None):

+ """Create a Flow from a clientsecrets file.

+ Will create the right kind of Flow based on the contents of the clientsecrets

+@@ -1329,6 +2007,11 @@ def flow_from_clientsecrets(filename, scope, redirect_uri=None,

+ provided then clientsecrets.InvalidClientSecretsError will be raised.

+ cache: An optional cache service client that implements get() and set()

+ methods. See clientsecrets.loadfile() for details.

++ login_hint: string, Either an email address or domain. Passing this hint

++ will either pre-fill the email box on the sign-in form or select the

++ proper multi-login session, thereby simplifying the login flow.

++ device_uri: string, URI for device authorization endpoint. For convenience

++ defaults to Google's endpoints but any OAuth 2.0 provider can be used.

+ Returns:

+ A Flow object.

+@@ -1345,10 +2028,13 @@ def flow_from_clientsecrets(filename, scope, redirect_uri=None,

+ 'redirect_uri': redirect_uri,

+ 'auth_uri': client_info['auth_uri'],

+ 'token_uri': client_info['token_uri'],

++ 'login_hint': login_hint,

+ }

+ revoke_uri = client_info.get('revoke_uri')

+ if revoke_uri is not None:

+ constructor_kwargs['revoke_uri'] = revoke_uri

++ if device_uri is not None:

++ constructor_kwargs['device_uri'] = device_uri

+ return OAuth2WebServerFlow(

+ client_info['client_id'], client_info['client_secret'],

+ scope, **constructor_kwargs)

+@@ -1360,4 +2046,4 @@ def flow_from_clientsecrets(filename, scope, redirect_uri=None,

+ raise

+ else:

+ raise UnknownClientSecretsFlowError(

+- 'This OAuth 2.0 flow is unsupported: %r' % client_type)

++ 'This OAuth 2.0 flow is unsupported: %r' % client_type)

+\ No newline at end of file

+diff --git a/third_party/oauth2client/clientsecrets.py b/third_party/oauth2client/clientsecrets.py

+index ac99aae..af079ec 100644

+--- a/third_party/oauth2client/clientsecrets.py

++++ b/third_party/oauth2client/clientsecrets.py

+@@ -1,4 +1,4 @@

+ #

+ # Licensed under the Apache License, Version 2.0 (the "License");

+ # you may not use this file except in compliance with the License.

+@@ -20,8 +20,10 @@ an OAuth 2.0 protected service.

+ __author__ = 'jcgregorio@google.com (Joe Gregorio)'

++import json

++from third_party import six

+-from anyjson import simplejson

+ # Properties that make a client_secrets.json file valid.

+ TYPE_WEB = 'web'

+@@ -68,11 +70,21 @@ class InvalidClientSecretsError(Error):

+ def _validate_clientsecrets(obj):

+- if obj is None or len(obj) != 1:

+- raise InvalidClientSecretsError('Invalid file format.')

+- client_type = obj.keys()[0]

+- if client_type not in VALID_CLIENT.keys():

+- raise InvalidClientSecretsError('Unknown client type: %s.' % client_type)

++ _INVALID_FILE_FORMAT_MSG = (

++ 'Invalid file format. See '

++ 'https://developers.google.com/api-client-library/'

++ 'python/guide/aaa_client_secrets')

++ if obj is None:

++ raise InvalidClientSecretsError(_INVALID_FILE_FORMAT_MSG)

++ if len(obj) != 1:

++ raise InvalidClientSecretsError(

++ _INVALID_FILE_FORMAT_MSG + ' '

++ 'Expected a JSON object with a single property for a "web" or '

++ '"installed" application')

++ client_type = tuple(obj)[0]

++ if client_type not in VALID_CLIENT:

++ raise InvalidClientSecretsError('Unknown client type: %s.' % (client_type,))

+ client_info = obj[client_type]

+ for prop_name in VALID_CLIENT[client_type]['required']:

+ if prop_name not in client_info:

+@@ -87,22 +99,19 @@ def _validate_clientsecrets(obj):

+ def load(fp):

+- obj = simplejson.load(fp)

++ obj = json.load(fp)

+ return _validate_clientsecrets(obj)

+ def loads(s):

+- obj = simplejson.loads(s)

++ obj = json.loads(s)

+ return _validate_clientsecrets(obj)

+ def _loadfile(filename):

+ try:

+- fp = file(filename, 'r')

+- try:

+- obj = simplejson.load(fp)

+- finally:

+- fp.close()

++ with open(filename, 'r') as fp:

++ obj = json.load(fp)

+ except IOError:

+ raise InvalidClientSecretsError('File not found: "%s"' % filename)

+ return _validate_clientsecrets(obj)

+@@ -114,10 +123,12 @@ def loadfile(filename, cache=None):

+ Typical cache storage would be App Engine memcache service,

+ but you can pass in any other cache client that implements

+ these methods:

+- - get(key, namespace=ns)

+- - set(key, value, namespace=ns)

+- Usage:

++ * ``get(key, namespace=ns)``

++ * ``set(key, value, namespace=ns)``

++ Usage::

+ # without caching

+ client_type, client_info = loadfile('secrets.json')

+ # using App Engine memcache service

+@@ -150,4 +161,4 @@ def loadfile(filename, cache=None):

+ obj = {client_type: client_info}

+ cache.set(filename, obj, namespace=_SECRET_NAMESPACE)

+- return obj.iteritems().next()

++ return next(six.iteritems(obj))

+\ No newline at end of file

+diff --git a/third_party/oauth2client/crypt.py b/third_party/oauth2client/crypt.py

+index 2d31815..b5b8cab 100644

+--- a/third_party/oauth2client/crypt.py

++++ b/third_party/oauth2client/crypt.py

+@@ -1,7 +1,6 @@

+-#!/usr/bin/python2.4

+ # -*- coding: utf-8 -*-

+ #

+ # Licensed under the Apache License, Version 2.0 (the "License");

+ # you may not use this file except in compliance with the License.

+@@ -14,13 +13,15 @@

+ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

+ # See the License for the specific language governing permissions and

+ # limitations under the License.

++"""Crypto-related routines for oauth2client."""

+ import base64

+-import hashlib

++import json

+ import logging

++import sys

+ import time

+-from anyjson import simplejson

++from third_party import six

+ CLOCK_SKEW_SECS = 300 # 5 minutes in seconds

+@@ -38,7 +39,6 @@ class AppIdentityError(Exception):

+ try:

+ from OpenSSL import crypto

+ class OpenSSLVerifier(object):

+ """Verifies the signature on a message."""

+@@ -62,6 +62,8 @@ try:

+ key that this object was constructed with.

+ """

+ try:

++ if isinstance(message, six.text_type):

++ message = message.encode('utf-8')

+ crypto.verify(self._pubkey, signature, message, 'sha256')

+ return True

+ except:

+@@ -104,15 +106,17 @@ try:

+ """Signs a message.

+ Args:

+- message: string, Message to be signed.

++ message: bytes, Message to be signed.

+ Returns:

+ string, The signature of the message for the given key.

+ """

++ if isinstance(message, six.text_type):

++ message = message.encode('utf-8')

+ return crypto.sign(self._key, message, 'sha256')

+ @staticmethod

+- def from_string(key, password='notasecret'):

++ def from_string(key, password=b'notasecret'):

+ """Construct a Signer instance from a string.

+ Args:

+@@ -125,21 +129,45 @@ try:

+ Raises:

+ OpenSSL.crypto.Error if the key can't be parsed.

+ """

+- if key.startswith('-----BEGIN '):

+- pkey = crypto.load_privatekey(crypto.FILETYPE_PEM, key)

++ parsed_pem_key = _parse_pem_key(key)

++ if parsed_pem_key:

++ pkey = crypto.load_privatekey(crypto.FILETYPE_PEM, parsed_pem_key)

+ else:

++ if isinstance(password, six.text_type):

++ password = password.encode('utf-8')

+ pkey = crypto.load_pkcs12(key, password).get_privatekey()

+ return OpenSSLSigner(pkey)

++ def pkcs12_key_as_pem(private_key_text, private_key_password):

++ """Convert the contents of a PKCS12 key to PEM using OpenSSL.

++ Args:

++ private_key_text: String. Private key.

++ private_key_password: String. Password for PKCS12.

++ Returns:

++ String. PEM contents of ``private_key_text``.

++ """

++ decoded_body = base64.b64decode(private_key_text)

++ if isinstance(private_key_password, six.string_types):

++ private_key_password = private_key_password.encode('ascii')

++ pkcs12 = crypto.load_pkcs12(decoded_body, private_key_password)

++ return crypto.dump_privatekey(crypto.FILETYPE_PEM,

++ pkcs12.get_privatekey())

+ except ImportError:

+ OpenSSLVerifier = None

+ OpenSSLSigner = None

++ def pkcs12_key_as_pem(*args, **kwargs):

++ raise NotImplementedError('pkcs12_key_as_pem requires OpenSSL.')

+ try:

+ from Crypto.PublicKey import RSA

+ from Crypto.Hash import SHA256

+ from Crypto.Signature import PKCS1_v1_5

++ from Crypto.Util.asn1 import DerSequence

+ class PyCryptoVerifier(object):

+@@ -181,14 +209,17 @@ try:

+ Returns:

+ Verifier instance.

+- Raises:

+- NotImplementedError if is_x509_cert is true.

+ """

+ if is_x509_cert:

+- raise NotImplementedError(

+- 'X509 certs are not supported by the PyCrypto library. '

+- 'Try using PyOpenSSL if native code is an option.')

++ if isinstance(key_pem, six.text_type):

++ key_pem = key_pem.encode('ascii')

++ pemLines = key_pem.replace(b' ', b'').split()

++ certDer = _urlsafe_b64decode(b''.join(pemLines[1:-1]))

++ certSeq = DerSequence()

++ certSeq.decode(certDer)

++ tbsSeq = DerSequence()

++ tbsSeq.decode(certSeq[0])

++ pubkey = RSA.importKey(tbsSeq[6])

+ else:

+ pubkey = RSA.importKey(key_pem)

+ return PyCryptoVerifier(pubkey)

+@@ -214,6 +245,8 @@ try:

+ Returns:

+ string, The signature of the message for the given key.

+ """

++ if isinstance(message, six.text_type):

++ message = message.encode('utf-8')

+ return PKCS1_v1_5.new(self._key).sign(SHA256.new(message))

+ @staticmethod

+@@ -230,11 +263,12 @@ try:

+ Raises:

+ NotImplementedError if they key isn't in PEM format.

+ """

+- if key.startswith('-----BEGIN '):

+- pkey = RSA.importKey(key)

++ parsed_pem_key = _parse_pem_key(key)

++ if parsed_pem_key:

++ pkey = RSA.importKey(parsed_pem_key)

+ else:

+ raise NotImplementedError(

+- 'PKCS12 format is not supported by the PyCrpto library. '

++ 'PKCS12 format is not supported by the PyCrypto library. '

+ 'Try converting to a "PEM" '

+ '(openssl pkcs12 -in xxxxx.p12 -nodes -nocerts > privatekey.pem) '

+ 'or using PyOpenSSL if native code is an option.')

+@@ -256,19 +290,39 @@ else:

+ 'PyOpenSSL, or PyCrypto 2.6 or later')

++def _parse_pem_key(raw_key_input):

++ """Identify and extract PEM keys.

++ Determines whether the given key is in the format of PEM key, and extracts

++ the relevant part of the key if it is.

++ Args:

++ raw_key_input: The contents of a private key file (either PEM or PKCS12).

++ Returns:

++ string, The actual key if the contents are from a PEM file, or else None.

++ """

++ offset = raw_key_input.find(b'-----BEGIN ')

++ if offset != -1:

++ return raw_key_input[offset:]

+ def _urlsafe_b64encode(raw_bytes):

+- return base64.urlsafe_b64encode(raw_bytes).rstrip('=')

++ if isinstance(raw_bytes, six.text_type):

++ raw_bytes = raw_bytes.encode('utf-8')

++ return base64.urlsafe_b64encode(raw_bytes).decode('ascii').rstrip('=')

+ def _urlsafe_b64decode(b64string):

+ # Guard against unicode strings, which base64 can't handle.

+- b64string = b64string.encode('ascii')

+- padded = b64string + '=' * (4 - len(b64string) % 4)

++ if isinstance(b64string, six.text_type):

++ b64string = b64string.encode('ascii')

++ padded = b64string + b'=' * (4 - len(b64string) % 4)

+ return base64.urlsafe_b64decode(padded)

+ def _json_encode(data):

+- return simplejson.dumps(data, separators = (',', ':'))

++ return json.dumps(data, separators=(',', ':'))

+ def make_signed_jwt(signer, payload):

+@@ -286,8 +340,8 @@ def make_signed_jwt(signer, payload):

+ header = {'typ': 'JWT', 'alg': 'RS256'}

+ segments = [

+- _urlsafe_b64encode(_json_encode(header)),

+- _urlsafe_b64encode(_json_encode(payload)),

++ _urlsafe_b64encode(_json_encode(header)),

++ _urlsafe_b64encode(_json_encode(payload)),

+ ]

+ signing_input = '.'.join(segments)

+@@ -318,9 +372,8 @@ def verify_signed_jwt_with_certs(jwt, certs, audience):

+ """

+ segments = jwt.split('.')

+- if (len(segments) != 3):

+- raise AppIdentityError(

+- 'Wrong number of segments in token: %s' % jwt)

++ if len(segments) != 3:

++ raise AppIdentityError('Wrong number of segments in token: %s' % jwt)

+ signed = '%s.%s' % (segments[0], segments[1])

+ signature = _urlsafe_b64decode(segments[2])

+@@ -328,15 +381,15 @@ def verify_signed_jwt_with_certs(jwt, certs, audience):

+ # Parse token.

+ json_body = _urlsafe_b64decode(segments[1])

+ try:

+- parsed = simplejson.loads(json_body)

++ parsed = json.loads(json_body.decode('utf-8'))

+ except:

+ raise AppIdentityError('Can\'t parse token: %s' % json_body)

+ # Check signature.

+ verified = False

+- for (keyname, pem) in certs.items():

++ for pem in certs.values():

+ verifier = Verifier.from_string(pem, True)

+- if (verifier.verify(signed, signature)):

++ if verifier.verify(signed, signature):

+ verified = True

+ break

+ if not verified:

+@@ -349,21 +402,20 @@ def verify_signed_jwt_with_certs(jwt, certs, audience):

+ earliest = iat - CLOCK_SKEW_SECS

+ # Check expiration timestamp.

+- now = long(time.time())

++ now = int(time.time())

+ exp = parsed.get('exp')

+ if exp is None:

+ raise AppIdentityError('No exp field in token: %s' % json_body)

+ if exp >= now + MAX_TOKEN_LIFETIME_SECS:

+- raise AppIdentityError(

+- 'exp field too far in future: %s' % json_body)

++ raise AppIdentityError('exp field too far in future: %s' % json_body)

+ latest = exp + CLOCK_SKEW_SECS

+ if now < earliest:

+ raise AppIdentityError('Token used too early, %d < %d: %s' %

+- (now, earliest, json_body))

++ (now, earliest, json_body))

+ if now > latest:

+ raise AppIdentityError('Token used too late, %d > %d: %s' %

+- (now, latest, json_body))

++ (now, latest, json_body))

+ # Check audience.

+ if audience is not None:

+@@ -372,6 +424,6 @@ def verify_signed_jwt_with_certs(jwt, certs, audience):

+ raise AppIdentityError('No aud field in token: %s' % json_body)

+ if aud != audience:

+ raise AppIdentityError('Wrong recipient, %s != %s: %s' %

+- (aud, audience, json_body))

++ (aud, audience, json_body))

+- return parsed

++ return parsed

+\ No newline at end of file

+diff --git a/third_party/oauth2client/devshell.py b/third_party/oauth2client/devshell.py

+new file mode 100644

+index 0000000..69d3808

+--- /dev/null

++++ b/third_party/oauth2client/devshell.py

+@@ -0,0 +1,135 @@

++#

++# Licensed under the Apache License, Version 2.0 (the "License");

++# you may not use this file except in compliance with the License.

++# You may obtain a copy of the License at

++#

++# http://www.apache.org/licenses/LICENSE-2.0

++#

++# Unless required by applicable law or agreed to in writing, software

++# distributed under the License is distributed on an "AS IS" BASIS,

++# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

++# See the License for the specific language governing permissions and

++# limitations under the License.

++"""OAuth 2.0 utitilies for Google Developer Shell environment."""

++import json

++import os

++from . import client

++DEVSHELL_ENV = 'DEVSHELL_CLIENT_PORT'

++class Error(Exception):

++ """Errors for this module."""

++ pass

++class CommunicationError(Error):

++ """Errors for communication with the Developer Shell server."""

++class NoDevshellServer(Error):

++ """Error when no Developer Shell server can be contacted."""

++# The request for credential information to the Developer Shell client socket is

++# always an empty PBLite-formatted JSON object, so just define it as a constant.

++CREDENTIAL_INFO_REQUEST_JSON = '[]'

++class CredentialInfoResponse(object):

++ """Credential information response from Developer Shell server.

++ The credential information response from Developer Shell socket is a

++ PBLite-formatted JSON array with fields encoded by their index in the array:

++ * Index 0 - user email

++ * Index 1 - default project ID. None if the project context is not known.

++ * Index 2 - OAuth2 access token. None if there is no valid auth context.

++ """

++ def __init__(self, json_string):

++ """Initialize the response data from JSON PBLite array."""

++ pbl = json.loads(json_string)

++ if not isinstance(pbl, list):

++ raise ValueError('Not a list: ' + str(pbl))

++ pbl_len = len(pbl)

++ self.user_email = pbl[0] if pbl_len > 0 else None

++ self.project_id = pbl[1] if pbl_len > 1 else None

++ self.access_token = pbl[2] if pbl_len > 2 else None

++def _SendRecv():

++ """Communicate with the Developer Shell server socket."""

++ port = int(os.getenv(DEVSHELL_ENV, 0))

++ if port == 0:

++ raise NoDevshellServer()

++ import socket

++ sock = socket.socket()

++ sock.connect(('localhost', port))

++ data = CREDENTIAL_INFO_REQUEST_JSON

++ msg = '%s\n%s' % (len(data), data)

++ sock.sendall(msg.encode())

++ header = sock.recv(6).decode()

++ if '\n' not in header:

++ raise CommunicationError('saw no newline in the first 6 bytes')

++ len_str, json_str = header.split('\n', 1)

++ to_read = int(len_str) - len(json_str)

++ if to_read > 0:

++ json_str += sock.recv(to_read, socket.MSG_WAITALL).decode()

++ return CredentialInfoResponse(json_str)

++class DevshellCredentials(client.GoogleCredentials):

++ """Credentials object for Google Developer Shell environment.

++ This object will allow a Google Developer Shell session to identify its user

++ to Google and other OAuth 2.0 servers that can verify assertions. It can be

++ used for the purpose of accessing data stored under the user account.

++ This credential does not require a flow to instantiate because it represents

++ a two legged flow, and therefore has all of the required information to

++ generate and refresh its own access tokens.

++ """

++ def __init__(self, user_agent=None):

++ super(DevshellCredentials, self).__init__(

++ None, # access_token, initialized below

++ None, # client_id

++ None, # client_secret

++ None, # refresh_token

++ None, # token_expiry

++ None, # token_uri

++ user_agent)

++ self._refresh(None)

++ def _refresh(self, http_request):

++ self.devshell_response = _SendRecv()

++ self.access_token = self.devshell_response.access_token

++ @property

++ def user_email(self):

++ return self.devshell_response.user_email

++ @property

++ def project_id(self):

++ return self.devshell_response.project_id

++ @classmethod

++ def from_json(cls, json_data):

++ raise NotImplementedError(

++ 'Cannot load Developer Shell credentials from JSON.')

++ @property

++ def serialization_data(self):

++ raise NotImplementedError(

++ 'Cannot serialize Developer Shell credentials.')

+diff --git a/third_party/oauth2client/django_orm.py b/third_party/oauth2client/django_orm.py

+index d54d20c..ffbcf92 100644

+--- a/third_party/oauth2client/django_orm.py

++++ b/third_party/oauth2client/django_orm.py

+@@ -1,4 +1,4 @@

+ #

+ # Licensed under the Apache License, Version 2.0 (the "License");

+ # you may not use this file except in compliance with the License.

+@@ -116,14 +116,21 @@ class Storage(BaseStorage):

+ credential.set_store(self)

+ return credential

+- def locked_put(self, credentials):

++ def locked_put(self, credentials, overwrite=False):

+ """Write a Credentials to the datastore.

+ Args:

+ credentials: Credentials, the credentials to store.

++ overwrite: Boolean, indicates whether you would like these credentials to

++ overwrite any existing stored credentials.

+ """

+ args = {self.key_name: self.key_value}

+- entity = self.model_class(**args)

++ if overwrite:

++ entity, unused_is_new = self.model_class.objects.get_or_create(**args)

++ else:

++ entity = self.model_class(**args)

+ setattr(entity, self.property_name, credentials)

+ entity.save()

+@@ -131,4 +138,4 @@ class Storage(BaseStorage):

+ """Delete Credentials from the datastore."""

+ query = {self.key_name: self.key_value}

+- entities = self.model_class.objects.filter(**query).delete()

++ entities = self.model_class.objects.filter(**query).delete()

+\ No newline at end of file

+diff --git a/third_party/oauth2client/file.py b/third_party/oauth2client/file.py

+index 1895f94..4337fcf 100644

+--- a/third_party/oauth2client/file.py

++++ b/third_party/oauth2client/file.py

+@@ -1,4 +1,4 @@

+ #

+ # Licensed under the Apache License, Version 2.0 (the "License");

+ # you may not use this file except in compliance with the License.

+@@ -21,12 +21,10 @@ credentials.

+ __author__ = 'jcgregorio@google.com (Joe Gregorio)'

+ import os

+-import stat

+ import threading

+-from anyjson import simplejson

+-from client import Storage as BaseStorage

+ from client import Credentials

++from client import Storage as BaseStorage

+ class CredentialsFileSymbolicLinkError(Exception):

+@@ -92,7 +90,7 @@ class Storage(BaseStorage):

+ simple version of "touch" to ensure the file has been created.

+ """

+ if not os.path.exists(self._filename):

+- old_umask = os.umask(0177)

++ old_umask = os.umask(0o177)

+ try:

+ open(self._filename, 'a+b').close()

+ finally:

+@@ -110,7 +108,7 @@ class Storage(BaseStorage):

+ self._create_file_if_needed()

+ self._validate_file()

+- f = open(self._filename, 'wb')

++ f = open(self._filename, 'w')

+ f.write(credentials.to_json())

+ f.close()

+@@ -121,4 +119,4 @@ class Storage(BaseStorage):

+ credentials: Credentials, the credentials to store.

+ """

+- os.unlink(self._filename)

++ os.unlink(self._filename)

+\ No newline at end of file

+diff --git a/third_party/oauth2client/gce.py b/third_party/oauth2client/gce.py

+index c7fd7c1..ebd14e3 100644

+--- a/third_party/oauth2client/gce.py

++++ b/third_party/oauth2client/gce.py

+@@ -1,4 +1,4 @@

+ #

+ # Licensed under the Apache License, Version 2.0 (the "License");

+ # you may not use this file except in compliance with the License.

+@@ -19,14 +19,13 @@ Utilities for making it easier to use OAuth 2.0 on Google Compute Engine.

+ __author__ = 'jcgregorio@google.com (Joe Gregorio)'

+-import httplib2

++import json

+ import logging

+-import uritemplate

++from third_party.six.moves import urllib

+-from oauth2client import util

+-from oauth2client.anyjson import simplejson

+-from oauth2client.client import AccessTokenRefreshError

+-from oauth2client.client import AssertionCredentials

++from third_party.oauth2client import util

++from third_party.oauth2client.client import AccessTokenRefreshError

++from third_party.oauth2client.client import AssertionCredentials

+ logger = logging.getLogger(__name__)

+@@ -57,13 +56,14 @@ class AppAssertionCredentials(AssertionCredentials):

+ requested.

+ """

+ self.scope = util.scopes_to_string(scope)

++ self.kwargs = kwargs

+ # Assertion type is no longer used, but still in the parent class signature.

+ super(AppAssertionCredentials, self).__init__(None)

+ @classmethod

+- def from_json(cls, json):

+- data = simplejson.loads(json)

++ def from_json(cls, json_data):

++ data = json.loads(json_data)

+ return AppAssertionCredentials(data['scope'])

+ def _refresh(self, http_request):

+@@ -78,13 +78,28 @@ class AppAssertionCredentials(AssertionCredentials):

+ Raises:

+ AccessTokenRefreshError: When the refresh fails.

+ """

+- uri = uritemplate.expand(META, {'scope': self.scope})

++ query = '?scope=%s' % urllib.parse.quote(self.scope, '')

++ uri = META.replace('{?scope}', query)

+ response, content = http_request(uri)

+ if response.status == 200:

+ try:

+- d = simplejson.loads(content)

+- except StandardError, e:

++ d = json.loads(content)

++ except Exception as e:

+ raise AccessTokenRefreshError(str(e))

+ self.access_token = d['accessToken']

+ else:

++ if response.status == 404:

++ content += (' This can occur if a VM was created'

++ ' with no service account or scopes.')

+ raise AccessTokenRefreshError(content)

++ @property

++ def serialization_data(self):

++ raise NotImplementedError(

++ 'Cannot serialize credentials for GCE service accounts.')

++ def create_scoped_required(self):

++ return not self.scope

++ def create_scoped(self, scopes):

++ return AppAssertionCredentials(scopes, **self.kwargs)

+\ No newline at end of file

+diff --git a/third_party/oauth2client/keyring_storage.py b/third_party/oauth2client/keyring_storage.py

+index efe2949..512ac77 100644

+--- a/third_party/oauth2client/keyring_storage.py

++++ b/third_party/oauth2client/keyring_storage.py

+@@ -1,4 +1,4 @@

+ #

+ # Licensed under the Apache License, Version 2.0 (the "License");

+ # you may not use this file except in compliance with the License.

+@@ -19,11 +19,12 @@ A Storage for Credentials that uses the keyring module.

+ __author__ = 'jcgregorio@google.com (Joe Gregorio)'

+-import keyring

+ import threading

+-from client import Storage as BaseStorage

++import keyring

+ from client import Credentials

++from client import Storage as BaseStorage

+ class Storage(BaseStorage):

+@@ -106,4 +107,4 @@ class Storage(BaseStorage):

+ Args:

+ credentials: Credentials, the credentials to store.

+ """

+- keyring.set_password(self._service_name, self._user_name, '')

++ keyring.set_password(self._service_name, self._user_name, '')

+\ No newline at end of file

+diff --git a/third_party/oauth2client/locked_file.py b/third_party/oauth2client/locked_file.py

+index 858b702..fa2c6c1 100644

+--- a/third_party/oauth2client/locked_file.py

++++ b/third_party/oauth2client/locked_file.py

+@@ -1,4 +1,4 @@

+ #

+ # Licensed under the Apache License, Version 2.0 (the "License");

+ # you may not use this file except in compliance with the License.

+@@ -17,17 +17,21 @@

+ This module first tries to use fcntl locking to ensure serialized access

+ to a file, then falls back on a lock file if that is unavialable.

+-Usage:

++Usage::

+ f = LockedFile('filename', 'r+b', 'rb')

+ f.open_and_lock()

+ if f.is_locked():

+- print 'Acquired filename with r+b mode'

++ print('Acquired filename with r+b mode')

+ f.file_handle().write('locked data')

+ else:

+- print 'Aquired filename with rb mode'

++ print('Acquired filename with rb mode')

+ f.unlock_and_close()

+ """

++from __future__ import print_function

+ __author__ = 'cache@google.com (David T McWherter)'

+ import errno

+@@ -70,6 +74,7 @@ class _Opener(object):

+ self._mode = mode

+ self._fallback_mode = fallback_mode

+ self._fh = None

++ self._lock_fd = None

+ def is_locked(self):

+ """Was the file locked."""

+@@ -122,7 +127,7 @@ class _PosixOpener(_Opener):

+ validate_file(self._filename)

+ try:

+ self._fh = open(self._filename, self._mode)

+- except IOError, e:

++ except IOError as e:

+ # If we can't access with _mode, try _fallback_mode and don't lock.

+ if e.errno == errno.EACCES:

+ self._fh = open(self._filename, self._fallback_mode)

+@@ -137,12 +142,12 @@ class _PosixOpener(_Opener):

+ self._locked = True

+ break

+- except OSError, e:

++ except OSError as e:

+ if e.errno != errno.EEXIST:

+ raise

+ if (time.time() - start_time) >= timeout:

+- logger.warn('Could not acquire lock %s in %s seconds' % (

+- lock_filename, timeout))

++ logger.warn('Could not acquire lock %s in %s seconds',

++ lock_filename, timeout)

+ # Close the file and open in fallback_mode.

+ if self._fh:

+ self._fh.close()

+@@ -192,9 +197,9 @@ try:

+ validate_file(self._filename)

+ try:

+ self._fh = open(self._filename, self._mode)

+- except IOError, e:

++ except IOError as e:

+ # If we can't access with _mode, try _fallback_mode and don't lock.

+- if e.errno == errno.EACCES:

++ if e.errno in (errno.EPERM, errno.EACCES):

+ self._fh = open(self._filename, self._fallback_mode)

+ return

+@@ -204,16 +209,16 @@ try:

+ fcntl.lockf(self._fh.fileno(), fcntl.LOCK_EX)

+ self._locked = True

+ return

+- except IOError, e:

++ except IOError as e:

+ # If not retrying, then just pass on the error.

+ if timeout == 0:

+- raise e

++ raise

+ if e.errno != errno.EACCES:

+- raise e

++ raise

+ # We could not acquire the lock. Try again.

+ if (time.time() - start_time) >= timeout:

+- logger.warn('Could not lock %s in %s seconds' % (

+- self._filename, timeout))

++ logger.warn('Could not lock %s in %s seconds',

++ self._filename, timeout)

+ if self._fh:

+ self._fh.close()

+ self._fh = open(self._filename, self._fallback_mode)

+@@ -267,7 +272,7 @@ try:

+ validate_file(self._filename)

+ try:

+ self._fh = open(self._filename, self._mode)

+- except IOError, e:

++ except IOError as e:

+ # If we can't access with _mode, try _fallback_mode and don't lock.

+ if e.errno == errno.EACCES:

+ self._fh = open(self._filename, self._fallback_mode)

+@@ -284,9 +289,9 @@ try:

+ pywintypes.OVERLAPPED())

+ self._locked = True

+ return

+- except pywintypes.error, e:

++ except pywintypes.error as e:

+ if timeout == 0:

+- raise e

++ raise

+ # If the error is not that the file is already in use, raise.

+ if e[0] != _Win32Opener.FILE_IN_USE_ERROR:

+@@ -308,7 +313,7 @@ try:

+ try:

+ hfile = win32file._get_osfhandle(self._fh.fileno())

+ win32file.UnlockFileEx(hfile, 0, -0x10000, pywintypes.OVERLAPPED())

+- except pywintypes.error, e:

++ except pywintypes.error as e:

+ if e[0] != _Win32Opener.FILE_ALREADY_UNLOCKED_ERROR:

+ raise

+ self._locked = False

+@@ -370,4 +375,4 @@ class LockedFile(object):

+ def unlock_and_close(self):

+ """Unlock and close a file."""

+- self._opener.unlock_and_close()

++ self._opener.unlock_and_close()

+\ No newline at end of file

+diff --git a/third_party/oauth2client/multistore_file.py b/third_party/oauth2client/multistore_file.py

+index ea89027..5008c00 100644

+--- a/third_party/oauth2client/multistore_file.py

++++ b/third_party/oauth2client/multistore_file.py

+@@ -1,4 +1,4 @@

+ #

+ # Licensed under the Apache License, Version 2.0 (the "License");

+ # you may not use this file except in compliance with the License.

+@@ -19,39 +19,41 @@ credentials can be stored in one file. That file supports locking

+ both in a single process and across processes.

+ The credential themselves are keyed off of:

+ * client_id

+ * user_agent

+ * scope

+-The format of the stored data is like so:

+-{

+- 'file_version': 1,

+- 'data': [

+- {

+- 'key': {

+- 'clientId': '<client id>',

+- 'userAgent': '<user agent>',

+- 'scope': '<scope>'

+- },

+- 'credential': {

+- # JSON serialized Credentials.

++The format of the stored data is like so::

++ {

++ 'file_version': 1,

++ 'data': [

++ {

++ 'key': {

++ 'clientId': '<client id>',

++ 'userAgent': '<user agent>',

++ 'scope': '<scope>'

++ },

++ 'credential': {

++ # JSON serialized Credentials.

++ }

+ }

+- }

+- ]

+-}

++ ]

++ }

+ """

+ __author__ = 'jbeda@google.com (Joe Beda)'

+-import base64

+ import errno

++import json

+ import logging

+ import os

+ import threading

+-from anyjson import simplejson

+-from .client import Storage as BaseStorage

+ from .client import Credentials

++from .client import Storage as BaseStorage

+ from . import util

+ from locked_file import LockedFile

+@@ -64,12 +66,10 @@ _multistores_lock = threading.Lock()

+ class Error(Exception):

+ """Base error for this module."""

+- pass

+ class NewerCredentialStoreError(Error):

+- """The credential store is a newer version that supported."""

+- pass

++ """The credential store is a newer version than supported."""

+ @util.positional(4)

+@@ -193,7 +193,7 @@ class _MultiStore(object):

+ This will create the file if necessary.

+ """

+- self._file = LockedFile(filename, 'r+b', 'rb')

++ self._file = LockedFile(filename, 'r+', 'r')

+ self._thread_lock = threading.Lock()

+ self._read_only = False

+ self._warn_on_readonly = warn_on_readonly

+@@ -271,7 +271,7 @@ class _MultiStore(object):

+ simple version of "touch" to ensure the file has been created.

+ """

+ if not os.path.exists(self._file.filename()):

+- old_umask = os.umask(0177)

++ old_umask = os.umask(0o177)

+ try:

+ open(self._file.filename(), 'a+b').close()

+ finally:

+@@ -280,13 +280,23 @@ class _MultiStore(object):

+ def _lock(self):

+ """Lock the entire multistore."""

+ self._thread_lock.acquire()

+- self._file.open_and_lock()

++ try:

++ self._file.open_and_lock()

++ except IOError as e:

++ if e.errno == errno.ENOSYS:

++ logger.warn('File system does not support locking the credentials '

++ 'file.')

++ elif e.errno == errno.ENOLCK:

++ logger.warn('File system is out of resources for writing the '

++ 'credentials file (is your disk full?).')

++ else:

++ raise

+ if not self._file.is_locked():

+ self._read_only = True

+ if self._warn_on_readonly:

+ logger.warn('The credentials file (%s) is not writable. Opening in '

+ 'read-only mode. Any refreshed credentials will only be '

+- 'valid for this run.' % self._file.filename())

++ 'valid for this run.', self._file.filename())

+ if os.path.getsize(self._file.filename()) == 0:

+ logger.debug('Initializing empty multistore file')

+ # The multistore is empty so write out an empty file.

+@@ -315,7 +325,7 @@ class _MultiStore(object):

+ """

+ assert self._thread_lock.locked()

+ self._file.file_handle().seek(0)

+- return simplejson.load(self._file.file_handle())

++ return json.load(self._file.file_handle())

+ def _locked_json_write(self, data):

+ """Write a JSON serializable data structure to the multistore.

+@@ -329,7 +339,7 @@ class _MultiStore(object):

+ if self._read_only:

+ return

+ self._file.file_handle().seek(0)

+- simplejson.dump(data, self._file.file_handle(), sort_keys=True, indent=2)

++ json.dump(data, self._file.file_handle(), sort_keys=True, indent=2, separators=(',', ': '))

+ self._file.file_handle().truncate()

+ def _refresh_data_cache(self):

+@@ -387,7 +397,7 @@ class _MultiStore(object):

+ raw_key = cred_entry['key']

+ key = util.dict_to_tuple_key(raw_key)

+ credential = None

+- credential = Credentials.new_from_json(simplejson.dumps(cred_entry['credential']))

++ credential = Credentials.new_from_json(json.dumps(cred_entry['credential']))

+ return (key, credential)

+ def _write(self):

+@@ -400,7 +410,7 @@ class _MultiStore(object):

+ raw_data['data'] = raw_creds

+ for (cred_key, cred) in self._data.items():

+ raw_key = dict(cred_key)

+- raw_cred = simplejson.loads(cred.to_json())

++ raw_cred = json.loads(cred.to_json())

+ raw_creds.append({'key': raw_key, 'credential': raw_cred})

+ self._locked_json_write(raw_data)

+@@ -462,4 +472,4 @@ class _MultiStore(object):

+ Returns:

+ A Storage object that can be used to get/set this cred

+ """

+- return self._Storage(self, key)

++ return self._Storage(self, key)

+\ No newline at end of file

+diff --git a/third_party/oauth2client/old_run.py b/third_party/oauth2client/old_run.py

+index da23358..221fff8 100644

+--- a/third_party/oauth2client/old_run.py

++++ b/third_party/oauth2client/old_run.py

+@@ -1,4 +1,4 @@

+ #

+ # Licensed under the Apache License, Version 2.0 (the "License");

+ # you may not use this file except in compliance with the License.

+@@ -15,6 +15,7 @@

+ """This module holds the old run() function which is deprecated, the

+ tools.run_flow() function should be used in its place."""

++from __future__ import print_function

+ import logging

+ import socket

+@@ -22,9 +23,9 @@ import sys

+ import webbrowser

+ import gflags

+-from oauth2client import client

+-from oauth2client import util

++from third_party.six.moves import input

++from third_party.oauth2client import client

++from third_party.oauth2client import util

+ from tools import ClientRedirectHandler

+ from tools import ClientRedirectServer

+@@ -48,39 +49,38 @@ gflags.DEFINE_multi_int('auth_host_port', [8080, 8090],

+ def run(flow, storage, http=None):

+ """Core code for a command-line application.

+- The run() function is called from your application and runs through all

+- the steps to obtain credentials. It takes a Flow argument and attempts to

+- open an authorization server page in the user's default web browser. The

+- server asks the user to grant your application access to the user's data.

+- If the user grants access, the run() function returns new credentials. The

+- new credentials are also stored in the Storage argument, which updates the

+- file associated with the Storage object.

++ The ``run()`` function is called from your application and runs

++ through all the steps to obtain credentials. It takes a ``Flow``

++ argument and attempts to open an authorization server page in the

++ user's default web browser. The server asks the user to grant your

++ application access to the user's data. If the user grants access,

++ the ``run()`` function returns new credentials. The new credentials

++ are also stored in the ``storage`` argument, which updates the file

++ associated with the ``Storage`` object.

+ It presumes it is run from a command-line application and supports the

+ following flags:

+- --auth_host_name: Host name to use when running a local web server

+- to handle redirects during OAuth authorization.

+- (default: 'localhost')

++ ``--auth_host_name`` (string, default: ``localhost``)

++ Host name to use when running a local web server to handle

++ redirects during OAuth authorization.

+- --auth_host_port: Port to use when running a local web server to handle

+- redirects during OAuth authorization.;

+- repeat this option to specify a list of values

+- (default: '[8080, 8090]')

+- (an integer)

++ ``--auth_host_port`` (integer, default: ``[8080, 8090]``)

++ Port to use when running a local web server to handle redirects

++ during OAuth authorization. Repeat this option to specify a list

++ of values.

+- --[no]auth_local_webserver: Run a local web server to handle redirects

+- during OAuth authorization.

+- (default: 'true')

++ ``--[no]auth_local_webserver`` (boolean, default: ``True``)

++ Run a local web server to handle redirects during OAuth authorization.

+- Since it uses flags make sure to initialize the gflags module before

+- calling run().

++ Since it uses flags make sure to initialize the ``gflags`` module before

++ calling ``run()``.

+ Args:

+ flow: Flow, an OAuth 2.0 Flow to step through.

+- storage: Storage, a Storage to store the credential in.

+- http: An instance of httplib2.Http.request

+- or something that acts like it.

++ storage: Storage, a ``Storage`` to store the credential in.

++ http: An instance of ``httplib2.Http.request`` or something that acts

++ like it.

+ Returns:

+ Credentials, the obtained credential.

+@@ -96,20 +96,20 @@ def run(flow, storage, http=None):

+ try:

+ httpd = ClientRedirectServer((FLAGS.auth_host_name, port),

+ ClientRedirectHandler)

+- except socket.error, e:

++ except socket.error as e:

+ pass

+ else:

+ success = True

+ break

+ FLAGS.auth_local_webserver = success

+ if not success:

+- print 'Failed to start a local webserver listening on either port 8080'

+- print 'or port 9090. Please check your firewall settings and locally'

+- print 'running programs that may be blocking or using those ports.'

+- print

+- print 'Falling back to --noauth_local_webserver and continuing with',

+- print 'authorization.'

+- print

++ print('Failed to start a local webserver listening on either port 8080')

++ print('or port 9090. Please check your firewall settings and locally')

++ print('running programs that may be blocking or using those ports.')

++ print()

++ print('Falling back to --noauth_local_webserver and continuing with')

++ print('authorization.')

++ print()

+ if FLAGS.auth_local_webserver:

+ oauth_callback = 'http://%s:%s/' % (FLAGS.auth_host_name, port_number)

+@@ -120,20 +120,20 @@ def run(flow, storage, http=None):

+ if FLAGS.auth_local_webserver:

+ webbrowser.open(authorize_url, new=1, autoraise=True)

+- print 'Your browser has been opened to visit:'

+- print

+- print ' ' + authorize_url

+- print

+- print 'If your browser is on a different machine then exit and re-run'

+- print 'this application with the command-line parameter '

+- print

+- print ' --noauth_local_webserver'

+- print

++ print('Your browser has been opened to visit:')

++ print()

++ print(' ' + authorize_url)

++ print()

++ print('If your browser is on a different machine then exit and re-run')

++ print('this application with the command-line parameter ')

++ print()

++ print(' --noauth_local_webserver')

++ print()

+ else:

+- print 'Go to the following link in your browser:'

+- print

+- print ' ' + authorize_url

+- print

++ print('Go to the following link in your browser:')

++ print()

++ print(' ' + authorize_url)

++ print()

+ code = None

+ if FLAGS.auth_local_webserver:

+@@ -143,18 +143,18 @@ def run(flow, storage, http=None):

+ if 'code' in httpd.query_params:

+ code = httpd.query_params['code']

+ else:

+- print 'Failed to find "code" in the query parameters of the redirect.'

++ print('Failed to find "code" in the query parameters of the redirect.')

+ sys.exit('Try running with --noauth_local_webserver.')

+ else:

+- code = raw_input('Enter verification code: ').strip()

++ code = input('Enter verification code: ').strip()

+ try:

+ credential = flow.step2_exchange(code, http=http)

+- except client.FlowExchangeError, e:

++ except client.FlowExchangeError as e:

+ sys.exit('Authentication has failed: %s' % e)

+ storage.put(credential)

+ credential.set_store(storage)

+- print 'Authentication successful.'

++ print('Authentication successful.')

+- return credential

++ return credential

+\ No newline at end of file

+diff --git a/third_party/oauth2client/service_account.py b/third_party/oauth2client/service_account.py

+new file mode 100644

+index 0000000..b6b694c

+--- /dev/null

++++ b/third_party/oauth2client/service_account.py

+@@ -0,0 +1,139 @@

++#

++# Licensed under the Apache License, Version 2.0 (the "License");

++# you may not use this file except in compliance with the License.

++# You may obtain a copy of the License at

++#

++# http://www.apache.org/licenses/LICENSE-2.0

++#

++# Unless required by applicable law or agreed to in writing, software

++# distributed under the License is distributed on an "AS IS" BASIS,

++# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

++# See the License for the specific language governing permissions and

++# limitations under the License.

++"""A service account credentials class.

++This credentials class is implemented on top of rsa library.

++"""

++import base64

++import json

++import time

++from pyasn1.codec.ber import decoder

++from pyasn1_modules.rfc5208 import PrivateKeyInfo

++import rsa

++from . import GOOGLE_REVOKE_URI

++from . import GOOGLE_TOKEN_URI

++from . import util

++from client import AssertionCredentials

++from third_party import six

++class _ServiceAccountCredentials(AssertionCredentials):

++ """Class representing a service account (signed JWT) credential."""

++ MAX_TOKEN_LIFETIME_SECS = 3600 # 1 hour in seconds

++ def __init__(self, service_account_id, service_account_email, private_key_id,

++ private_key_pkcs8_text, scopes, user_agent=None,

++ token_uri=GOOGLE_TOKEN_URI, revoke_uri=GOOGLE_REVOKE_URI,

++ **kwargs):

++ super(_ServiceAccountCredentials, self).__init__(

++ None, user_agent=user_agent, token_uri=token_uri, revoke_uri=revoke_uri)

++ self._service_account_id = service_account_id

++ self._service_account_email = service_account_email

++ self._private_key_id = private_key_id

++ self._private_key = _get_private_key(private_key_pkcs8_text)

++ self._private_key_pkcs8_text = private_key_pkcs8_text

++ self._scopes = util.scopes_to_string(scopes)

++ self._user_agent = user_agent

++ self._token_uri = token_uri

++ self._revoke_uri = revoke_uri

++ self._kwargs = kwargs

++ def _generate_assertion(self):

++ """Generate the assertion that will be used in the request."""

++ header = {

++ 'alg': 'RS256',

++ 'typ': 'JWT',

++ 'kid': self._private_key_id

++ }

++ now = int(time.time())

++ payload = {

++ 'aud': self._token_uri,

++ 'scope': self._scopes,

++ 'iat': now,

++ 'exp': now + _ServiceAccountCredentials.MAX_TOKEN_LIFETIME_SECS,

++ 'iss': self._service_account_email

++ }

++ payload.update(self._kwargs)

++ assertion_input = (_urlsafe_b64encode(header) + b'.' +

++ _urlsafe_b64encode(payload))

++ # Sign the assertion.

++ rsa_bytes = rsa.pkcs1.sign(assertion_input, self._private_key, 'SHA-256')

++ signature = base64.urlsafe_b64encode(rsa_bytes).rstrip(b'=')

++ return assertion_input + b'.' + signature

++ def sign_blob(self, blob):

++ # Ensure that it is bytes

++ try:

++ blob = blob.encode('utf-8')

++ except AttributeError:

++ pass

++ return (self._private_key_id,

++ rsa.pkcs1.sign(blob, self._private_key, 'SHA-256'))

++ @property

++ def service_account_email(self):

++ return self._service_account_email

++ @property

++ def serialization_data(self):

++ return {

++ 'type': 'service_account',

++ 'client_id': self._service_account_id,

++ 'client_email': self._service_account_email,

++ 'private_key_id': self._private_key_id,

++ 'private_key': self._private_key_pkcs8_text

++ }

++ def create_scoped_required(self):

++ return not self._scopes

++ def create_scoped(self, scopes):

++ return _ServiceAccountCredentials(self._service_account_id,

++ self._service_account_email,

++ self._private_key_id,

++ self._private_key_pkcs8_text,

++ scopes,

++ user_agent=self._user_agent,

++ token_uri=self._token_uri,

++ revoke_uri=self._revoke_uri,

++ **self._kwargs)

++def _urlsafe_b64encode(data):

++ return base64.urlsafe_b64encode(

++ json.dumps(data, separators=(',', ':')).encode('UTF-8')).rstrip(b'=')

++def _get_private_key(private_key_pkcs8_text):

++ """Get an RSA private key object from a pkcs8 representation."""

++ if not isinstance(private_key_pkcs8_text, six.binary_type):

++ private_key_pkcs8_text = private_key_pkcs8_text.encode('ascii')

++ der = rsa.pem.load_pem(private_key_pkcs8_text, 'PRIVATE KEY')

++ asn1_private_key, _ = decoder.decode(der, asn1Spec=PrivateKeyInfo())

++ return rsa.PrivateKey.load_pkcs1(

++ asn1_private_key.getComponentByName('privateKey').asOctets(),

++ format='DER')

+\ No newline at end of file

+diff --git a/third_party/oauth2client/tools.py b/third_party/oauth2client/tools.py

+index 12c68bf..3df1bbe 100644

+--- a/third_party/oauth2client/tools.py

++++ b/third_party/oauth2client/tools.py

+@@ -1,4 +1,4 @@

+ #

+ # Licensed under the Apache License, Version 2.0 (the "License");

+ # you may not use this file except in compliance with the License.

+@@ -19,27 +19,22 @@ generated credentials in a common file that is used by other example apps in

+ the same directory.

+ """

++from __future__ import print_function

+ __author__ = 'jcgregorio@google.com (Joe Gregorio)'

+ __all__ = ['argparser', 'run_flow', 'run', 'message_if_missing']

+-import BaseHTTPServer

+-import argparse

+-import httplib2

+ import logging

+-import os

+ import socket

+ import sys

+-import webbrowser

+-from oauth2client import client

+-from oauth2client import file

+-from oauth2client import util

++from third_party.six.moves import BaseHTTPServer

++from third_party.six.moves import urllib

++from third_party.six.moves import input

++from . import client

++from . import util

+-try:

+- from urlparse import parse_qsl

+-except ImportError:

+- from cgi import parse_qsl

+ _CLIENT_SECRETS_MESSAGE = """WARNING: Please configure OAuth 2.0

+@@ -52,20 +47,27 @@ with information from the APIs Console <https://code.google.com/apis/console>.

+ """

+-# run_parser is an ArgumentParser that contains command-line options expected

++def _CreateArgumentParser():

++ try:

++ import argparse

++ except ImportError:

++ return None

++ parser = argparse.ArgumentParser(add_help=False)

++ parser.add_argument('--auth_host_name', default='localhost',

++ help='Hostname when running a local web server.')

++ parser.add_argument('--noauth_local_webserver', action='store_true',

++ default=False, help='Do not run a local web server.')

++ parser.add_argument('--auth_host_port', default=[8080, 8090], type=int,

++ nargs='*', help='Port web server should listen on.')

++ parser.add_argument('--logging_level', default='ERROR',

++ choices=['DEBUG', 'INFO', 'WARNING', 'ERROR', 'CRITICAL'],

++ help='Set the logging level of detail.')

++ return parser

++# argparser is an ArgumentParser that contains command-line options expected

+ # by tools.run(). Pass it in as part of the 'parents' argument to your own

+ # ArgumentParser.

+-argparser = argparse.ArgumentParser(add_help=False)

+-argparser.add_argument('--auth_host_name', default='localhost',

+- help='Hostname when running a local web server.')

+-argparser.add_argument('--noauth_local_webserver', action='store_true',

+- default=False, help='Do not run a local web server.')

+-argparser.add_argument('--auth_host_port', default=[8080, 8090], type=int,

+- nargs='*', help='Port web server should listen on.')

+-argparser.add_argument('--logging_level', default='ERROR',

+- choices=['DEBUG', 'INFO', 'WARNING', 'ERROR',

+- 'CRITICAL'],

+- help='Set the logging level of detail.')

++argparser = _CreateArgumentParser()

+ class ClientRedirectServer(BaseHTTPServer.HTTPServer):

+@@ -84,72 +86,75 @@ class ClientRedirectHandler(BaseHTTPServer.BaseHTTPRequestHandler):

+ into the servers query_params and then stops serving.

+ """

+- def do_GET(s):

++ def do_GET(self):

+ """Handle a GET request.

+ Parses the query parameters and prints a message

+ if the flow has completed. Note that we can't detect

+ if an error occurred.

+ """

+- s.send_response(200)

+- s.send_header("Content-type", "text/html")

+- s.end_headers()

+- query = s.path.split('?', 1)[-1]

+- query = dict(parse_qsl(query))

+- s.server.query_params = query

+- s.wfile.write("<html><head><title>Authentication Status</title></head>")

+- s.wfile.write("<body><p>The authentication flow has completed.</p>")

+- s.wfile.write("</body></html>")

++ self.send_response(200)

++ self.send_header("Content-type", "text/html")

++ self.end_headers()

++ query = self.path.split('?', 1)[-1]

++ query = dict(urllib.parse.parse_qsl(query))

++ self.server.query_params = query

++ self.wfile.write(b"<html><head><title>Authentication Status</title></head>")

++ self.wfile.write(b"<body><p>The authentication flow has completed.</p>")

++ self.wfile.write(b"</body></html>")

+ def log_message(self, format, *args):

+ """Do not log messages to stdout while running as command line program."""

+- pass

+ @util.positional(3)

+ def run_flow(flow, storage, flags, http=None):

+ """Core code for a command-line application.

+- The run() function is called from your application and runs through all the

+- steps to obtain credentials. It takes a Flow argument and attempts to open an

+- authorization server page in the user's default web browser. The server asks

+- the user to grant your application access to the user's data. If the user

+- grants access, the run() function returns new credentials. The new credentials

+- are also stored in the Storage argument, which updates the file associated

+- with the Storage object.

++ The ``run()`` function is called from your application and runs

++ through all the steps to obtain credentials. It takes a ``Flow``

++ argument and attempts to open an authorization server page in the

++ user's default web browser. The server asks the user to grant your

++ application access to the user's data. If the user grants access,

++ the ``run()`` function returns new credentials. The new credentials

++ are also stored in the ``storage`` argument, which updates the file

++ associated with the ``Storage`` object.

+ It presumes it is run from a command-line application and supports the

+ following flags:

+- --auth_host_name: Host name to use when running a local web server

+- to handle redirects during OAuth authorization.

+- (default: 'localhost')

++ ``--auth_host_name`` (string, default: ``localhost``)

++ Host name to use when running a local web server to handle

++ redirects during OAuth authorization.

++ ``--auth_host_port`` (integer, default: ``[8080, 8090]``)

++ Port to use when running a local web server to handle redirects

++ during OAuth authorization. Repeat this option to specify a list

++ of values.

++ ``--[no]auth_local_webserver`` (boolean, default: ``True``)

++ Run a local web server to handle redirects during OAuth authorization.

+- --auth_host_port: Port to use when running a local web server to handle

+- redirects during OAuth authorization.;

+- repeat this option to specify a list of values

+- (default: '[8080, 8090]')

+- (an integer)

+- --[no]auth_local_webserver: Run a local web server to handle redirects

+- during OAuth authorization.

+- (default: 'true')

+- The tools module defines an ArgumentParser the already contains the flag

+- definitions that run() requires. You can pass that ArgumentParser to your

+- ArgumentParser constructor:

++ The tools module defines an ``ArgumentParser`` the already contains the flag

++ definitions that ``run()`` requires. You can pass that ``ArgumentParser`` to your

++ ``ArgumentParser`` constructor::

+- parser = argparse.ArgumentParser(description=__doc__,

+- formatter_class=argparse.RawDescriptionHelpFormatter,

+- parents=[tools.run_parser])

+- flags = parser.parse_args(argv)

++ parser = argparse.ArgumentParser(description=__doc__,

++ formatter_class=argparse.RawDescriptionHelpFormatter,

++ parents=[tools.argparser])

++ flags = parser.parse_args(argv)

+ Args:

+ flow: Flow, an OAuth 2.0 Flow to step through.

+- storage: Storage, a Storage to store the credential in.

+- flags: argparse.ArgumentParser, the command-line flags.

+- http: An instance of httplib2.Http.request

+- or something that acts like it.

++ storage: Storage, a ``Storage`` to store the credential in.

++ flags: ``argparse.Namespace``, The command-line flags. This is the

++ object returned from calling ``parse_args()`` on

++ ``argparse.ArgumentParser`` as described above.

++ http: An instance of ``httplib2.Http.request`` or something that

++ acts like it.

+ Returns:

+ Credentials, the obtained credential.

+@@ -163,20 +168,20 @@ def run_flow(flow, storage, flags, http=None):

+ try:

+ httpd = ClientRedirectServer((flags.auth_host_name, port),

+ ClientRedirectHandler)

+- except socket.error, e:

++ except socket.error:

+ pass

+ else:

+ success = True

+ break

+ flags.noauth_local_webserver = not success

+ if not success:

+- print 'Failed to start a local webserver listening on either port 8080'

+- print 'or port 9090. Please check your firewall settings and locally'

+- print 'running programs that may be blocking or using those ports.'

+- print

+- print 'Falling back to --noauth_local_webserver and continuing with',

+- print 'authorization.'

+- print

++ print('Failed to start a local webserver listening on either port 8080')

++ print('or port 9090. Please check your firewall settings and locally')

++ print('running programs that may be blocking or using those ports.')

++ print()

++ print('Falling back to --noauth_local_webserver and continuing with')

++ print('authorization.')

++ print()

+ if not flags.noauth_local_webserver:

+ oauth_callback = 'http://%s:%s/' % (flags.auth_host_name, port_number)

+@@ -186,21 +191,22 @@ def run_flow(flow, storage, flags, http=None):

+ authorize_url = flow.step1_get_authorize_url()

+ if not flags.noauth_local_webserver:

++ import webbrowser

+ webbrowser.open(authorize_url, new=1, autoraise=True)

+- print 'Your browser has been opened to visit:'

+- print

+- print ' ' + authorize_url

+- print

+- print 'If your browser is on a different machine then exit and re-run this'

+- print 'application with the command-line parameter '

+- print

+- print ' --noauth_local_webserver'

+- print

++ print('Your browser has been opened to visit:')

++ print()

++ print(' ' + authorize_url)

++ print()

++ print('If your browser is on a different machine then exit and re-run this')

++ print('application with the command-line parameter ')

++ print()

++ print(' --noauth_local_webserver')

++ print()

+ else:

+- print 'Go to the following link in your browser:'

+- print

+- print ' ' + authorize_url

+- print

++ print('Go to the following link in your browser:')

++ print()

++ print(' ' + authorize_url)

++ print()

+ code = None

+ if not flags.noauth_local_webserver:

+@@ -210,19 +216,19 @@ def run_flow(flow, storage, flags, http=None):

+ if 'code' in httpd.query_params:

+ code = httpd.query_params['code']

+ else:

+- print 'Failed to find "code" in the query parameters of the redirect.'

++ print('Failed to find "code" in the query parameters of the redirect.')

+ sys.exit('Try running with --noauth_local_webserver.')

+ else:

+- code = raw_input('Enter verification code: ').strip()

++ code = input('Enter verification code: ').strip()

+ try:

+ credential = flow.step2_exchange(code, http=http)

+- except client.FlowExchangeError, e:

++ except client.FlowExchangeError as e:

+ sys.exit('Authentication has failed: %s' % e)

+ storage.put(credential)

+ credential.set_store(storage)

+- print 'Authentication successful.'

++ print('Authentication successful.')

+ return credential

+@@ -233,11 +239,11 @@ def message_if_missing(filename):

+ return _CLIENT_SECRETS_MESSAGE % filename

+ try:

+- from old_run import run

+- from old_run import FLAGS

++ from oauth2client.old_run import run

++ from oauth2client.old_run import FLAGS

+ except ImportError:

+ def run(*args, **kwargs):

+ raise NotImplementedError(

+ 'The gflags library must be installed to use tools.run(). '

+ 'Please install gflags or preferrably switch to using '

+- 'tools.run_flow().')

++ 'tools.run_flow().')

+\ No newline at end of file

+diff --git a/third_party/oauth2client/util.py b/third_party/oauth2client/util.py

+index 90dff15..b0963ef 100644

+--- a/third_party/oauth2client/util.py

++++ b/third_party/oauth2client/util.py

+@@ -1,6 +1,6 @@

+ #!/usr/bin/env python

+ #

+ # Licensed under the Apache License, Version 2.0 (the "License");

+ # you may not use this file except in compliance with the License.

+@@ -17,26 +17,27 @@

+ """Common utility library."""

+-__author__ = ['rafek@google.com (Rafe Kaplan)',

+- 'guido@google.com (Guido van Rossum)',

++__author__ = [

++ 'rafek@google.com (Rafe Kaplan)',

++ 'guido@google.com (Guido van Rossum)',

+ ]

+ __all__ = [

+- 'positional',

+- 'POSITIONAL_WARNING',

+- 'POSITIONAL_EXCEPTION',

+- 'POSITIONAL_IGNORE',

++ 'positional',

++ 'POSITIONAL_WARNING',

++ 'POSITIONAL_EXCEPTION',

++ 'POSITIONAL_IGNORE',

+ ]

++import functools

+ import inspect

+ import logging

++import sys

+ import types

+-import urllib

+-import urlparse

+-try:

+- from urlparse import parse_qsl

+-except ImportError:

+- from cgi import parse_qsl

++from third_party import six

++from third_party.six.moves import urllib

+ logger = logging.getLogger(__name__)

+@@ -51,56 +52,58 @@ positional_parameters_enforcement = POSITIONAL_WARNING

+ def positional(max_positional_args):

+ """A decorator to declare that only the first N arguments my be positional.

+- This decorator makes it easy to support Python 3 style key-word only

+- parameters. For example, in Python 3 it is possible to write:

++ This decorator makes it easy to support Python 3 style keyword-only

++ parameters. For example, in Python 3 it is possible to write::

+ def fn(pos1, *, kwonly1=None, kwonly1=None):

+ ...

+- All named parameters after * must be a keyword:

++ All named parameters after ``*`` must be a keyword::

+ fn(10, 'kw1', 'kw2') # Raises exception.

+ fn(10, kwonly1='kw1') # Ok.

+- Example:

+- To define a function like above, do:

++ Example

++ ^^^^^^^

+- @positional(1)

+- def fn(pos1, kwonly1=None, kwonly2=None):

+- ...

++ To define a function like above, do::

+- If no default value is provided to a keyword argument, it becomes a required

+- keyword argument:

++ @positional(1)

++ def fn(pos1, kwonly1=None, kwonly2=None):

++ ...

+- @positional(0)

+- def fn(required_kw):

+- ...

++ If no default value is provided to a keyword argument, it becomes a required

++ keyword argument::

+- This must be called with the keyword parameter:

++ @positional(0)

++ def fn(required_kw):

++ ...

+- fn() # Raises exception.

+- fn(10) # Raises exception.

+- fn(required_kw=10) # Ok.

++ This must be called with the keyword parameter::

+- When defining instance or class methods always remember to account for

+- 'self' and 'cls':

++ fn() # Raises exception.

++ fn(10) # Raises exception.

++ fn(required_kw=10) # Ok.

+- class MyClass(object):

++ When defining instance or class methods always remember to account for

++ ``self`` and ``cls``::

+- @positional(2)

+- def my_method(self, pos1, kwonly1=None):

+- ...

++ class MyClass(object):

+- @classmethod

+- @positional(2)

+- def my_method(cls, pos1, kwonly1=None):

+- ...

++ @positional(2)

++ def my_method(self, pos1, kwonly1=None):

++ ...

++ @classmethod

++ @positional(2)

++ def my_method(cls, pos1, kwonly1=None):

++ ...

+ The positional decorator behavior is controlled by

+- util.positional_parameters_enforcement, which may be set to

+- POSITIONAL_EXCEPTION, POSITIONAL_WARNING or POSITIONAL_IGNORE to raise an

+- exception, log a warning, or do nothing, respectively, if a declaration is

+- violated.

++ ``util.positional_parameters_enforcement``, which may be set to

++ ``POSITIONAL_EXCEPTION``, ``POSITIONAL_WARNING`` or

++ ``POSITIONAL_IGNORE`` to raise an exception, log a warning, or do

++ nothing, respectively, if a declaration is violated.

+ Args:

+ max_positional_arguments: Maximum number of positional arguments. All

+@@ -114,8 +117,10 @@ def positional(max_positional_args):

+ TypeError if a key-word only argument is provided as a positional

+ parameter, but only if util.positional_parameters_enforcement is set to

+ POSITIONAL_EXCEPTION.

+ """

+ def positional_decorator(wrapped):

++ @functools.wraps(wrapped)

+ def positional_wrapper(*args, **kwargs):

+ if len(args) > max_positional_args:

+ plural_s = ''

+@@ -132,7 +137,7 @@ def positional(max_positional_args):

+ return wrapped(*args, **kwargs)

+ return positional_wrapper

+- if isinstance(max_positional_args, (int, long)):

++ if isinstance(max_positional_args, six.integer_types):

+ return positional_decorator

+ else:

+ args, _, _, defaults = inspect.getargspec(max_positional_args)

+@@ -152,7 +157,7 @@ def scopes_to_string(scopes):

+ Returns:

+ The scopes formatted as a single string.

+ """

+- if isinstance(scopes, types.StringTypes):

++ if isinstance(scopes, six.string_types):

+ return scopes

+ else:

+ return ' '.join(scopes)

+@@ -189,8 +194,8 @@ def _add_query_parameter(url, name, value):

+ if value is None:

+ return url

+ else:

+- parsed = list(urlparse.urlparse(url))

+- q = dict(parse_qsl(parsed[4]))

++ parsed = list(urllib.parse.urlparse(url))

++ q = dict(urllib.parse.parse_qsl(parsed[4]))

+ q[name] = value

+- parsed[4] = urllib.urlencode(q)

+- return urlparse.urlunparse(parsed)

++ parsed[4] = urllib.parse.urlencode(q)

++ return urllib.parse.urlunparse(parsed)

+\ No newline at end of file

+diff --git a/third_party/oauth2client/xsrfutil.py b/third_party/oauth2client/xsrfutil.py

+index 7e1fe5c..bea7c87 100644

+--- a/third_party/oauth2client/xsrfutil.py

++++ b/third_party/oauth2client/xsrfutil.py

+@@ -1,6 +1,5 @@

+-#!/usr/bin/python2.5

+ #

+ # Licensed under the Apache License, Version 2.0 (the "License");

+ # you may not use this file except in compliance with the License.

+@@ -17,25 +16,36 @@

+ """Helper methods for creating & verifying XSRF tokens."""

+ __authors__ = [

+- '"Doug Coker" <dcoker@google.com>',

+- '"Joe Gregorio" <jcgregorio@google.com>',

++ '"Doug Coker" <dcoker@google.com>',

++ '"Joe Gregorio" <jcgregorio@google.com>',

+ ]

+ import base64

+ import hmac

+-import os # for urandom

+ import time

++import six

+ from oauth2client import util

+ # Delimiter character

+-DELIMITER = ':'

++DELIMITER = b':'

+ # 1 hour in seconds

+ DEFAULT_TIMEOUT_SECS = 1*60*60

++def _force_bytes(s):

++ if isinstance(s, bytes):

++ return s

++ s = str(s)

++ if isinstance(s, six.text_type):

++ return s.encode('utf-8')

++ return s

+ @util.positional(2)

+ def generate_token(key, user_id, action_id="", when=None):

+ """Generates a URL-safe token for the given user, action, time tuple.

+@@ -51,18 +61,16 @@ def generate_token(key, user_id, action_id="", when=None):

+ Returns:

+ A string XSRF protection token.

+ """

+- when = when or int(time.time())

+- digester = hmac.new(key)

+- digester.update(str(user_id))

++ when = _force_bytes(when or int(time.time()))

++ digester = hmac.new(_force_bytes(key))

++ digester.update(_force_bytes(user_id))

+ digester.update(DELIMITER)

+- digester.update(action_id)

++ digester.update(_force_bytes(action_id))

+ digester.update(DELIMITER)

+- digester.update(str(when))

++ digester.update(when)

+ digest = digester.digest()

+- token = base64.urlsafe_b64encode('%s%s%d' % (digest,

+- DELIMITER,

+- when))

++ token = base64.urlsafe_b64encode(digest + DELIMITER + when)

+ return token

+@@ -87,8 +95,8 @@ def validate_token(key, token, user_id, action_id="", current_time=None):

+ if not token:

+ return False

+ try:

+- decoded = base64.urlsafe_b64decode(str(token))

+- token_time = long(decoded.split(DELIMITER)[-1])

++ decoded = base64.urlsafe_b64decode(token)

++ token_time = int(decoded.split(DELIMITER)[-1])

+ except (TypeError, ValueError):

+ return False

+ if current_time is None:

+@@ -105,9 +113,6 @@ def validate_token(key, token, user_id, action_id="", current_time=None):

+ # Perform constant time comparison to avoid timing attacks

+ different = 0

+- for x, y in zip(token, expected_token):

+- different |= ord(x) ^ ord(y)

+- if different:

+- return False

+- return True

++ for x, y in zip(bytearray(token), bytearray(expected_token)):

++ different |= x ^ y

++ return not different

+\ No newline at end of file

« no previous file with comments | « no previous file | third_party/google_api_python_client/README.chromium » ('j') | third_party/google_api_python_client/README.chromium » ('J')