[catapult] - Copy Telemetry's gsutilz over to third_party.

third_party/gsutil/gslib/commands/config.py

+# -*- coding: utf-8 -*-
+# Copyright 2011 Google Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""Implementation of config command for creating a gsutil configuration file."""
+
+from __future__ import absolute_import
+
+import datetime
+from httplib import ResponseNotReady
+import json
+import multiprocessing
+import os
+import platform
+import signal
+import socket
+import stat
+import sys
+import textwrap
+import time
+import webbrowser
+
+import boto
+from boto.provider import Provider
+from httplib2 import ServerNotFoundError
+from oauth2client.client import HAS_CRYPTO
+
+import gslib
+from gslib.command import Command
+from gslib.commands.compose import MAX_COMPONENT_COUNT
+from gslib.cred_types import CredTypes
+from gslib.exception import AbortException
+from gslib.exception import CommandException
+from gslib.hashing_helper import CHECK_HASH_ALWAYS
+from gslib.hashing_helper import CHECK_HASH_IF_FAST_ELSE_FAIL
+from gslib.hashing_helper import CHECK_HASH_IF_FAST_ELSE_SKIP
+from gslib.hashing_helper import CHECK_HASH_NEVER
+from gslib.sig_handling import RegisterSignalHandler
+from gslib.util import EIGHT_MIB
+from gslib.util import IS_WINDOWS
+
+
+_SYNOPSIS = """
+  gsutil [-D] config [-a] [-b] [-e] [-f] [-o <file>] [-r] [-s <scope>] [-w]
+"""
+
+_DETAILED_HELP_TEXT = ("""
+<B>SYNOPSIS</B>
+""" + _SYNOPSIS + """
+
+
+<B>DESCRIPTION</B>
+  The gsutil config command obtains access credentials for Google Cloud
+  Storage and writes a boto/gsutil configuration file containing the obtained
+  credentials along with a number of other configuration-controllable values.
+
+  Unless specified otherwise (see OPTIONS), the configuration file is written
+  to ~/.boto (i.e., the file .boto under the user's home directory). If the
+  default file already exists, an attempt is made to rename the existing file
+  to ~/.boto.bak; if that attempt fails the command will exit. A different
+  destination file can be specified with the -o option (see OPTIONS).
+
+  Because the boto configuration file contains your credentials you should
+  keep its file permissions set so no one but you has read access. (The file
+  is created read-only when you run gsutil config.)
+
+
+<B>CREDENTIALS</B>
+  By default gsutil config obtains OAuth2 credentials, and writes them
+  to the [Credentials] section of the configuration file. The -r, -w,
+  -f options (see OPTIONS below) cause gsutil config to request a token
+  with restricted scope; the resulting token will be restricted to read-only
+  operations, read-write operations, or all operations (including acl get/set,
+  defacl get/set, and logging get/'set on'/'set off' operations). In
+  addition, -s <scope> can be used to request additional (non-Google-Storage)
+  scopes.
+
+  If you want to use credentials based on access key and secret (the older
+  authentication method before OAuth2 was supported) instead of OAuth2,
+  see help about the -a option in the OPTIONS section.
+
+  If you wish to use gsutil with other providers (or to copy data back and
+  forth between multiple providers) you can edit their credentials into the
+  [Credentials] section after creating the initial configuration file.
+
+
+<B>CONFIGURING SERVICE ACCOUNT CREDENTIALS</B>
+  You can configure credentials for service accounts using the gsutil config -e
+  option. Service accounts are useful for authenticating on behalf of a service
+  or application (as opposed to a user).
+
+  When you run gsutil config -e, you will be prompted for your service account
+  email address and the path to your private key file. To get these data, visit
+  the `Google Developers Console <https://cloud.google.com/console#/project>`_,
+  click on the project you are using, then click "APIs & auth", then click
+  "Credentials", then click "Create new Client ID"; on the pop-up dialog box
+  select "Service account" and click "Create Client ID". This will download
+  a private key file, which you should move to somewhere
+  accessible from the machine where you run gsutil. Make sure to set its
+  protection so only the users you want to be able to authenticate have
+  access.
+
+  Note that your service account will NOT be considered an Owner for the
+  purposes of API access (see "gsutil help creds" for more information about
+  this). See https://developers.google.com/accounts/docs/OAuth2ServiceAccount
+  for further information on service account authentication.
+
+
+<B>CONFIGURATION FILE SELECTION PROCEDURE</B>
+  By default, gsutil will look for the configuration file in /etc/boto.cfg and
+  ~/.boto. You can override this choice by setting the BOTO_CONFIG environment
+  variable. This is also useful if you have several different identities or
+  cloud storage environments: By setting up the credentials and any additional
+  configuration in separate files for each, you can switch environments by
+  changing environment variables.
+
+  You can also set up a path of configuration files, by setting the BOTO_PATH
+  environment variable to contain a ":" delimited path. For example setting
+  the BOTO_PATH environment variable to:
+
+    /etc/projects/my_group_project.boto.cfg:/home/mylogin/.boto
+
+  will cause gsutil to load each configuration file found in the path in
+  order. This is useful if you want to set up some shared configuration
+  state among many users: The shared state can go in the central shared file
+  ( /etc/projects/my_group_project.boto.cfg) and each user's individual
+  credentials can be placed in the configuration file in each of their home
+  directories. (For security reasons users should never share credentials
+  via a shared configuration file.)
+
+
+<B>CONFIGURATION FILE STRUCTURE</B>
+  The configuration file contains a number of sections: [Credentials],
+  [Boto], [GSUtil], and [OAuth2]. If you edit the file make sure to edit the
+  appropriate section (discussed below), and to be careful not to mis-edit
+  any of the setting names (like "gs_access_key_id") and not to remove the
+  section delimiters (like "[Credentials]").
+
+
+<B>ADDITIONAL CONFIGURATION-CONTROLLABLE FEATURES</B>
+  With the exception of setting up gsutil to work through a proxy (see
+  below), most users won't need to edit values in the boto configuration file;
+  values found in there tend to be of more specialized use than command line
+  option-controllable features.
+
+  The following are the currently defined configuration settings, broken
+  down by section. Their use is documented in comments preceding each, in
+  the configuration file. If you see a setting you want to change that's not
+  listed in your current file, see the section below on Updating to the Latest
+  Configuration File.
+
+  The currently supported settings, are, by section:
+
+    [Credentials]
+      aws_access_key_id
+      aws_secret_access_key
+      gs_access_key_id
+      gs_host
+      gs_json_host
+      gs_json_port
+      gs_oauth2_refresh_token
+      gs_port
+      gs_secret_access_key
+      s3_host
+      s3_port
+
+    [Boto]
+      proxy
+      proxy_port
+      proxy_user
+      proxy_pass
+      proxy_rdns
+      http_socket_timeout
+      https_validate_certificates
+      debug
+      max_retry_delay
+      num_retries
+
+    [GSUtil]
+      check_hashes
+      content_language
+      default_api_version
+      default_project_id
+      json_api_version
+      parallel_composite_upload_component_size
+      parallel_composite_upload_threshold
+      parallel_process_count
+      parallel_thread_count
+      prefer_api
+      resumable_threshold
+      resumable_tracker_dir (deprecated in 4.6, use state_dir)
+      rsync_buffer_lines
+      software_update_check_period
+      state_dir
+      tab_completion_time_logs
+      tab_completion_timeout
+      use_magicfile
+
+    [OAuth2]
+      client_id
+      client_secret
+      oauth2_refresh_retries
+      provider_authorization_uri
+      provider_label
+      provider_token_uri
+      token_cache
+
+
+<B>UPDATING TO THE LATEST CONFIGURATION FILE</B>
+  We add new configuration controllable features to the boto configuration file
+  over time, but most gsutil users create a configuration file once and then
+  keep it for a long time, so new features aren't apparent when you update
+  to a newer version of gsutil. If you want to get the latest configuration
+  file (which includes all the latest settings and documentation about each)
+  you can rename your current file (e.g., to '.boto_old'), run gsutil config,
+  and then edit any configuration settings you wanted from your old file
+  into the newly created file. Note, however, that if you're using OAuth2
+  credentials and you go back through the OAuth2 configuration dialog it will
+  invalidate your previous OAuth2 credentials.
+
+  If no explicit scope option is given, -f (full control) is assumed by default.
+
+
+<B>OPTIONS</B>
+  -a          Prompt for Google Cloud Storage access key and secret (the older
+              authentication method before OAuth2 was supported) instead of
+              obtaining an OAuth2 token.
+
+  -b          Causes gsutil config to launch a browser to obtain OAuth2 approval
+              and the project ID instead of showing the URL for each and asking
+              the user to open the browser. This will probably not work as
+              expected if you are running gsutil from an ssh window, or using
+              gsutil on Windows.
+
+  -e          Prompt for service account credentials. This option requires that
+              -a is not set.
+
+  -f          Request token with full-control access (default).
+
+  -o <file>   Write the configuration to <file> instead of ~/.boto.
+              Use '-' for stdout.
+
+  -r          Request token restricted to read-only access.
+
+  -s <scope>  Request additional OAuth2 <scope>.
+
+  -w          Request token restricted to read-write access.
+""")
+
+
+try:
+  from gcs_oauth2_boto_plugin import oauth2_helper  # pylint: disable=g-import-not-at-top
+except ImportError:
+  pass
+
+GOOG_CLOUD_CONSOLE_URI = 'https://cloud.google.com/console#/project'
+
+SCOPE_FULL_CONTROL = 'https://www.googleapis.com/auth/devstorage.full_control'
+SCOPE_READ_WRITE = 'https://www.googleapis.com/auth/devstorage.read_write'
+SCOPE_READ_ONLY = 'https://www.googleapis.com/auth/devstorage.read_only'
+
+CONFIG_PRELUDE_CONTENT = """
+# This file contains credentials and other configuration information needed
+# by the boto library, used by gsutil. You can edit this file (e.g., to add
+# credentials) but be careful not to mis-edit any of the variable names (like
+# "gs_access_key_id") or remove important markers (like the "[Credentials]" and
+# "[Boto]" section delimiters).
+#
+"""
+
+# Default number of OS processes and Python threads for parallel operations.
+# On Linux systems we automatically scale the number of processes to match
+# the underlying CPU/core count. Given we'll be running multiple concurrent
+# processes on a typical multi-core Linux computer, to avoid being too
+# aggressive with resources, the default number of threads is reduced from
+# the previous value of 24 to 10.
+# On Windows and Mac systems parallel multi-processing and multi-threading
+# in Python presents various challenges so we retain compatibility with
+# the established parallel mode operation, i.e. one process and 24 threads.
+if platform.system() == 'Linux':
+  DEFAULT_PARALLEL_PROCESS_COUNT = multiprocessing.cpu_count()
+  DEFAULT_PARALLEL_THREAD_COUNT = 10
+else:
+  DEFAULT_PARALLEL_PROCESS_COUNT = 1
+  DEFAULT_PARALLEL_THREAD_COUNT = 24
+
+# TODO: Once compiled crcmod is being distributed by major Linux distributions
+# revert DEFAULT_PARALLEL_COMPOSITE_UPLOAD_THRESHOLD value to '150M'.
+DEFAULT_PARALLEL_COMPOSITE_UPLOAD_THRESHOLD = '0'
+DEFAULT_PARALLEL_COMPOSITE_UPLOAD_COMPONENT_SIZE = '50M'
+
+CONFIG_BOTO_SECTION_CONTENT = """
+[Boto]
+
+# http_socket_timeout specifies the timeout (in seconds) used to tell httplib
+# how long to wait for socket timeouts. The default is 70 seconds. Note that
+# this timeout only applies to httplib, not to httplib2 (which is used for
+# OAuth2 refresh/access token exchanges).
+#http_socket_timeout = 70
+
+# The following two options control the use of a secure transport for requests
+# to S3 and Google Cloud Storage. It is highly recommended to set both options
+# to True in production environments, especially when using OAuth2 bearer token
+# authentication with Google Cloud Storage.
+
+# Set 'https_validate_certificates' to False to disable server certificate
+# checking. The default for this option in the boto library is currently
+# 'False' (to avoid breaking apps that depend on invalid certificates); it is
+# therefore strongly recommended to always set this option explicitly to True
+# in configuration files, to protect against "man-in-the-middle" attacks.
+https_validate_certificates = True
+
+# 'debug' controls the level of debug messages printed: 0 for none, 1
+# for basic boto debug, 2 for all boto debug plus HTTP requests/responses.
+# Note: 'gsutil -d' sets debug to 2 for that one command run.
+#debug = <0, 1, or 2>
+
+# 'num_retries' controls the number of retry attempts made when errors occur
+# during data transfers. The default is 6.
+# Note 1: You can cause gsutil to retry failures effectively infinitely by
+# setting this value to a large number (like 10000). Doing that could be useful
+# in cases where your network connection occasionally fails and is down for an
+# extended period of time, because when it comes back up gsutil will continue
+# retrying.  However, in general we recommend not setting the value above 10,
+# because otherwise gsutil could appear to "hang" due to excessive retries
+# (since unless you run gsutil -D you won't see any logged evidence that gsutil
+# is retrying).
+# Note 2: Don't set this value to 0, as it will cause boto to fail when reusing
+# HTTP connections.
+#num_retries = <integer value>
+
+# 'max_retry_delay' controls the max delay (in seconds) between retries. The
+# default value is 60, so the backoff sequence will be 1 seconds, 2 seconds, 4,
+# 8, 16, 32, and then 60 for all subsequent retries for a given HTTP request.
+# Note: At present this value only impacts the XML API and the JSON API uses a
+# fixed value of 60.
+#max_retry_delay = <integer value>
+"""
+
+CONFIG_INPUTLESS_GSUTIL_SECTION_CONTENT = """
+[GSUtil]
+
+# 'resumable_threshold' specifies the smallest file size [bytes] for which
+# resumable Google Cloud Storage uploads are attempted. The default is 8388608
+# (8 MiB).
+#resumable_threshold = %(resumable_threshold)d
+
+# 'rsync_buffer_lines' specifies the number of lines of bucket or directory
+# listings saved in each temp file during sorting. (The complete set is
+# split across temp files and separately sorted/merged, to avoid needing to
+# fit everything in memory at once.) If you are trying to synchronize very
+# large directories/buckets (e.g., containing millions or more objects),
+# having too small a value here can cause gsutil to run out of open file
+# handles. If that happens, you can try to increase the number of open file
+# handles your system allows (e.g., see 'man ulimit' on Linux; see also
+# http://docs.python.org/2/library/resource.html). If you can't do that (or
+# if you're already at the upper limit), increasing rsync_buffer_lines will
+# cause gsutil to use fewer file handles, but at the cost of more memory. With
+# rsync_buffer_lines set to 32000 and assuming a typical URL is 100 bytes
+# long, gsutil will require approximately 10 MiB of memory while building
+# the synchronization state, and will require approximately 60 open file
+# descriptors to build the synchronization state over all 1M source and 1M
+# destination URLs. Memory and file descriptors are only consumed while
+# building the state; once the state is built, it resides in two temp files that
+# are read and processed incrementally during the actual copy/delete
+# operations.
+#rsync_buffer_lines = 32000
+
+# 'state_dir' specifies the base location where files that
+# need a static location are stored, such as pointers to credentials,
+# resumable transfer tracker files, and the last software update check.
+# By default these files are stored in ~/.gsutil
+#state_dir = <file_path>
+# gsutil periodically checks whether a new version of the gsutil software is
+# available. 'software_update_check_period' specifies the number of days
+# between such checks. The default is 30. Setting the value to 0 disables
+# periodic software update checks.
+#software_update_check_period = 30
+
+# 'tab_completion_timeout' controls the timeout (in seconds) for tab
+# completions that involve remote requests (such as bucket or object names).
+# If tab completion does not succeed within this timeout, no tab completion
+# suggestions will be returned.
+# A value of 0 will disable completions that involve remote requests.
+#tab_completion_timeout = 5
+
+# 'parallel_process_count' and 'parallel_thread_count' specify the number
+# of OS processes and Python threads, respectively, to use when executing
+# operations in parallel. The default settings should work well as configured,
+# however, to enhance performance for transfers involving large numbers of
+# files, you may experiment with hand tuning these values to optimize
+# performance for your particular system configuration.
+# MacOS and Windows users should see
+# https://github.com/GoogleCloudPlatform/gsutil/issues/77 before attempting
+# to experiment with these values.
+#parallel_process_count = %(parallel_process_count)d
+#parallel_thread_count = %(parallel_thread_count)d
+
+# 'parallel_composite_upload_threshold' specifies the maximum size of a file to
+# upload in a single stream. Files larger than this threshold will be
+# partitioned into component parts and uploaded in parallel and then composed
+# into a single object.
+# The number of components will be the smaller of
+# ceil(file_size / parallel_composite_upload_component_size) and
+# MAX_COMPONENT_COUNT. The current value of MAX_COMPONENT_COUNT is
+# %(max_component_count)d.
+# If 'parallel_composite_upload_threshold' is set to 0, then automatic parallel
+# uploads will never occur.
+# Setting an extremely low threshold is unadvisable. The vast majority of
+# environments will see degraded performance for thresholds below 80M, and it
+# is almost never advantageous to have a threshold below 20M.
+# 'parallel_composite_upload_component_size' specifies the ideal size of a
+# component in bytes, which will act as an upper bound to the size of the
+# components if ceil(file_size / parallel_composite_upload_component_size) is
+# less than MAX_COMPONENT_COUNT.
+# Values can be provided either in bytes or as human-readable values
+# (e.g., "150M" to represent 150 mebibytes)
+#
+# Note: At present parallel composite uploads are disabled by default, because
+# using composite objects requires a compiled crcmod (see "gsutil help crcmod"),
+# and for operating systems that don't already have this package installed this
+# makes gsutil harder to use. Google is actively working with a number of the
+# Linux distributions to get crcmod included with the stock distribution. Once
+# that is done we will re-enable parallel composite uploads by default in
+# gsutil.
+#parallel_composite_upload_threshold = %(parallel_composite_upload_threshold)s
+#parallel_composite_upload_component_size = %(parallel_composite_upload_component_size)s
+
+# 'use_magicfile' specifies if the 'file --mime-type <filename>' command should
+# be used to guess content types instead of the default filename extension-based
+# mechanism. Available on UNIX and MacOS (and possibly on Windows, if you're
+# running Cygwin or some other package that provides implementations of
+# UNIX-like commands). When available and enabled use_magicfile should be more
+# robust because it analyzes file contents in addition to extensions.
+#use_magicfile = False
+
+# 'content_language' specifies the ISO 639-1 language code of the content, to be
+# passed in the Content-Language header. By default no Content-Language is sent.
+# See the ISO 639-1 column of
+# http://www.loc.gov/standards/iso639-2/php/code_list.php for a list of
+# language codes.
+content_language = en
+
+# 'check_hashes' specifies how strictly to require integrity checking for
+# downloaded data. Legal values are:
+#   '%(hash_fast_else_fail)s' - (default) Only integrity check if the digest
+#       will run efficiently (using compiled code), else fail the download.
+#   '%(hash_fast_else_skip)s' - Only integrity check if the server supplies a
+#       hash and the local digest computation will run quickly, else skip the
+#       check.
+#   '%(hash_always)s' - Always check download integrity regardless of possible
+#       performance costs.
+#   '%(hash_never)s' - Don't perform download integrity checks. This setting is
+#       not recommended except for special cases such as measuring download
+#       performance excluding time for integrity checking.
+# This option exists to assist users who wish to download a GCS composite object
+# and are unable to install crcmod with the C-extension. CRC32c is the only
+# available integrity check for composite objects, and without the C-extension,
+# download performance can be significantly degraded by the digest computation.
+# This option is ignored for daisy-chain copies, which don't compute hashes but
+# instead (inexpensively) compare the cloud source and destination hashes.
+#check_hashes = if_fast_else_fail
+
+# The ability to specify an alternative JSON API version is primarily for cloud
+# storage service developers.
+#json_api_version = v1
+
+# Specifies the API to use when interacting with cloud storage providers.  If
+# the gsutil command supports this API for the provider, it will be used
+# instead of the default.
+# Commands typically default to XML for S3 and JSON for GCS.
+#prefer_api = json
+#prefer_api = xml
+
+""" % {'hash_fast_else_fail': CHECK_HASH_IF_FAST_ELSE_FAIL,
+       'hash_fast_else_skip': CHECK_HASH_IF_FAST_ELSE_SKIP,
+       'hash_always': CHECK_HASH_ALWAYS,
+       'hash_never': CHECK_HASH_NEVER,
+       'resumable_threshold': EIGHT_MIB,
+       'parallel_process_count': DEFAULT_PARALLEL_PROCESS_COUNT,
+       'parallel_thread_count': DEFAULT_PARALLEL_THREAD_COUNT,
+       'parallel_composite_upload_threshold': (
+           DEFAULT_PARALLEL_COMPOSITE_UPLOAD_THRESHOLD),
+       'parallel_composite_upload_component_size': (
+           DEFAULT_PARALLEL_COMPOSITE_UPLOAD_COMPONENT_SIZE),
+       'max_component_count': MAX_COMPONENT_COUNT}
+
+CONFIG_OAUTH2_CONFIG_CONTENT = """
+[OAuth2]
+# This section specifies options used with OAuth2 authentication.
+
+# 'token_cache' specifies how the OAuth2 client should cache access tokens.
+# Valid values are:
+#  'in_memory': an in-memory cache is used. This is only useful if the boto
+#      client instance (and with it the OAuth2 plugin instance) persists
+#      across multiple requests.
+#  'file_system' : access tokens will be cached in the file system, in files
+#      whose names include a key derived from the refresh token the access token
+#      based on.
+# The default is 'file_system'.
+#token_cache = file_system
+#token_cache = in_memory
+
+# 'token_cache_path_pattern' specifies a path pattern for token cache files.
+# This option is only relevant if token_cache = file_system.
+# The value of this option should be a path, with place-holders '%(key)s' (which
+# will be replaced with a key derived from the refresh token the cached access
+# token was based on), and (optionally), %(uid)s (which will be replaced with
+# the UID of the current user, if available via os.getuid()).
+# Note that the config parser itself interpolates '%' placeholders, and hence
+# the above placeholders need to be escaped as '%%(key)s'.
+# The default value of this option is
+#  token_cache_path_pattern = <tmpdir>/oauth2client-tokencache.%%(uid)s.%%(key)s
+# where <tmpdir> is the system-dependent default temp directory.
+
+# The following options specify the OAuth2 client identity and secret that is
+# used when requesting and using OAuth2 tokens. If not specified, a default
+# OAuth2 client for the gsutil tool is used; for uses of the boto library (with
+# OAuth2 authentication plugin) in other client software, it is recommended to
+# use a tool/client-specific OAuth2 client. For more information on OAuth2, see
+# http://code.google.com/apis/accounts/docs/OAuth2.html
+#client_id = <OAuth2 client id>
+#client_secret = <OAuth2 client secret>
+
+# The following options specify the label and endpoint URIs for the OAUth2
+# authorization provider being used. Primarily useful for tool developers.
+#provider_label = Google
+#provider_authorization_uri = https://accounts.google.com/o/oauth2/auth
+#provider_token_uri = https://accounts.google.com/o/oauth2/token
+
+# 'oauth2_refresh_retries' controls the number of retry attempts made when
+# rate limiting errors occur for OAuth2 requests to retrieve an access token.
+# The default value is 6.
+#oauth2_refresh_retries = <integer value>
+"""
+
+
+class ConfigCommand(Command):
+  """Implementation of gsutil config command."""
+
+  # Command specification. See base class for documentation.
+  command_spec = Command.CreateCommandSpec(
+      'config',
+      command_name_aliases=['cfg', 'conf', 'configure'],
+      usage_synopsis=_SYNOPSIS,
+      min_args=0,
+      max_args=0,
+      supported_sub_args='habefwrs:o:',
+      file_url_ok=False,
+      provider_url_ok=False,
+      urls_start_arg=0,
+  )
+  # Help specification. See help_provider.py for documentation.
+  help_spec = Command.HelpSpec(
+      help_name='config',
+      help_name_aliases=['cfg', 'conf', 'configure', 'aws', 's3'],
+      help_type='command_help',
+      help_one_line_summary=(
+          'Obtain credentials and create configuration file'),
+      help_text=_DETAILED_HELP_TEXT,
+      subcommand_help_text={},
+  )
+
+  def _OpenConfigFile(self, file_path):
+    """Creates and opens a configuration file for writing.
+
+    The file is created with mode 0600, and attempts to open existing files will
+    fail (the latter is important to prevent symlink attacks).
+
+    It is the caller's responsibility to close the file.
+
+    Args:
+      file_path: Path of the file to be created.
+
+    Returns:
+      A writable file object for the opened file.
+
+    Raises:
+      CommandException: if an error occurred when opening the file (including
+          when the file already exists).
+    """
+    flags = os.O_RDWR | os.O_CREAT | os.O_EXCL
+    # Accommodate Windows; copied from python2.6/tempfile.py.
+    if hasattr(os, 'O_NOINHERIT'):
+      flags |= os.O_NOINHERIT
+    try:
+      fd = os.open(file_path, flags, 0600)
+    except (OSError, IOError), e:
+      raise CommandException('Failed to open %s for writing: %s' %
+                             (file_path, e))
+    return os.fdopen(fd, 'w')
+
+  def _CheckPrivateKeyFilePermissions(self, file_path):
+    """Checks that the file has reasonable permissions for a private key.
+
+    In particular, check that the filename provided by the user is not
+    world- or group-readable. If either of these are true, we issue a warning
+    and offer to fix the permissions.
+
+    Args:
+      file_path: The name of the private key file.
+    """
+    if IS_WINDOWS:
+      # For Windows, this check doesn't work (it actually just checks whether
+      # the file is read-only). Since Windows files have a complicated ACL
+      # system, this check doesn't make much sense on Windows anyway, so we
+      # just don't do it.
+      return
+
+    st = os.stat(file_path)
+    if bool((stat.S_IRGRP | stat.S_IROTH) & st.st_mode):
+      self.logger.warn(
+          '\nYour private key file is readable by people other than yourself.\n'
+          'This is a security risk, since anyone with this information can use '
+          'your service account.\n')
+      fix_it = raw_input('Would you like gsutil to change the file '
+                         'permissions for you? (y/N) ')
+      if fix_it in ('y', 'Y'):
+        try:
+          os.chmod(file_path, 0400)
+          self.logger.info(
+              '\nThe permissions on your file have been successfully '
+              'modified.'
+              '\nThe only access allowed is readability by the user '
+              '(permissions 0400 in chmod).')
+        except Exception, _:  # pylint: disable=broad-except
+          self.logger.warn(
+              '\nWe were unable to modify the permissions on your file.\n'
+              'If you would like to fix this yourself, consider running:\n'
+              '"sudo chmod 400 </path/to/key>" for improved security.')
+      else:
+        self.logger.info(
+            '\nYou have chosen to allow this file to be readable by others.\n'
+            'If you would like to fix this yourself, consider running:\n'
+            '"sudo chmod 400 </path/to/key>" for improved security.')
+
+  def _PromptForProxyConfigVarAndMaybeSaveToBotoConfig(self, varname, prompt,
+                                                       convert_to_bool=False):
+    """Prompts for one proxy config line, saves to boto.config if not empty.
+
+    Args:
+      varname: The config variable name.
+      prompt: The prompt to output to the user.
+      convert_to_bool: Whether to convert "y/n" to True/False.
+    """
+    value = raw_input(prompt)
+    if value:
+      if convert_to_bool:
+        if value == 'y' or value == 'Y':
+          value = 'True'
+        else:
+          value = 'False'
+      boto.config.set('Boto', varname, value)
+
+  def _PromptForProxyConfig(self):
+    """Prompts for proxy config data, loads non-empty values into boto.config.
+    """
+    self._PromptForProxyConfigVarAndMaybeSaveToBotoConfig(
+        'proxy', 'What is your proxy host? ')
+    self._PromptForProxyConfigVarAndMaybeSaveToBotoConfig(
+        'proxy_port', 'What is your proxy port? ')
+    self._PromptForProxyConfigVarAndMaybeSaveToBotoConfig(
+        'proxy_user', 'What is your proxy user (leave blank if not used)? ')
+    self._PromptForProxyConfigVarAndMaybeSaveToBotoConfig(
+        'proxy_pass', 'What is your proxy pass (leave blank if not used)? ')
+    self._PromptForProxyConfigVarAndMaybeSaveToBotoConfig(
+        'proxy_rdns',
+        'Should DNS lookups be resolved by your proxy? (Y if your site '
+        'disallows client DNS lookups)? ',
+        convert_to_bool=True)
+
+  def _WriteConfigLineMaybeCommented(self, config_file, name, value, desc):
+    """Writes proxy name/value pair or comment line to config file.
+
+    Writes proxy name/value pair if value is not None.  Otherwise writes
+    comment line.
+
+    Args:
+      config_file: File object to which the resulting config file will be
+          written.
+      name: The config variable name.
+      value: The value, or None.
+      desc: Human readable description (for comment).
+    """
+    if not value:
+      name = '#%s' % name
+      value = '<%s>' % desc
+    config_file.write('%s = %s\n' % (name, value))
+
+  def _WriteProxyConfigFileSection(self, config_file):
+    """Writes proxy section of configuration file.
+
+    Args:
+      config_file: File object to which the resulting config file will be
+          written.
+    """
+    config = boto.config
+    config_file.write(
+        '# To use a proxy, edit and uncomment the proxy and proxy_port lines.\n'
+        '# If you need a user/password with this proxy, edit and uncomment\n'
+        '# those lines as well. If your organization also disallows DNS\n'
+        '# lookups by client machines set proxy_rdns = True\n'
+        '# If proxy_host and proxy_port are not specified in this file and\n'
+        '# one of the OS environment variables http_proxy, https_proxy, or\n'
+        '# HTTPS_PROXY is defined, gsutil will use the proxy server specified\n'
+        '# in these environment variables, in order of precedence according\n'
+        '# to how they are listed above.\n')
+    self._WriteConfigLineMaybeCommented(
+        config_file, 'proxy', config.get_value('Boto', 'proxy', None),
+        'proxy host')
+    self._WriteConfigLineMaybeCommented(
+        config_file, 'proxy_port', config.get_value('Boto', 'proxy_port', None),
+        'proxy port')
+    self._WriteConfigLineMaybeCommented(
+        config_file, 'proxy_user', config.get_value('Boto', 'proxy_user', None),
+        'proxy user')
+    self._WriteConfigLineMaybeCommented(
+        config_file, 'proxy_pass', config.get_value('Boto', 'proxy_pass', None),
+        'proxy password')
+    self._WriteConfigLineMaybeCommented(
+        config_file, 'proxy_rdns',
+        config.get_value('Boto', 'proxy_rdns', False),
+        'let proxy server perform DNS lookups')
+
+  # pylint: disable=dangerous-default-value,too-many-statements
+  def _WriteBotoConfigFile(self, config_file, launch_browser=True,
+                           oauth2_scopes=[SCOPE_FULL_CONTROL],
+                           cred_type=CredTypes.OAUTH2_USER_ACCOUNT):
+    """Creates a boto config file interactively.
+
+    Needed credentials are obtained interactively, either by asking the user for
+    access key and secret, or by walking the user through the OAuth2 approval
+    flow.
+
+    Args:
+      config_file: File object to which the resulting config file will be
+          written.
+      launch_browser: In the OAuth2 approval flow, attempt to open a browser
+          window and navigate to the approval URL.
+      oauth2_scopes: A list of OAuth2 scopes to request authorization for, when
+          using OAuth2.
+      cred_type: There are three options:
+        - for HMAC, ask the user for access key and secret
+        - for OAUTH2_USER_ACCOUNT, walk the user through OAuth2 approval flow
+          and produce a config with an oauth2_refresh_token credential.
+        - for OAUTH2_SERVICE_ACCOUNT, prompt the user for OAuth2 for service
+          account email address and private key file (and if the file is a .p12
+          file, the password for that file).
+    """
+    # Collect credentials
+    provider_map = {'aws': 'aws', 'google': 'gs'}
+    uri_map = {'aws': 's3', 'google': 'gs'}
+    key_ids = {}
+    sec_keys = {}
+    service_account_key_is_json = False
+    if cred_type == CredTypes.OAUTH2_SERVICE_ACCOUNT:
+      gs_service_key_file = raw_input('What is the full path to your private '
+                                      'key file? ')
+      # JSON files have the email address built-in and don't require a password.
+      try:
+        with open(gs_service_key_file, 'rb') as key_file_fp:
+          json.loads(key_file_fp.read())
+        service_account_key_is_json = True
+      except ValueError:
+        if not HAS_CRYPTO:
+          raise CommandException(
+              'Service account authentication via a .p12 file requires '
+              'either\nPyOpenSSL or PyCrypto 2.6 or later. Please install '
+              'either of these\nto proceed, use a JSON-format key file, or '
+              'configure a different type of credentials.')
+
+      if not service_account_key_is_json:
+        gs_service_client_id = raw_input('What is your service account email '
+                                         'address? ')
+        gs_service_key_file_password = raw_input(
+            '\n'.join(textwrap.wrap(
+                'What is the password for your service key file [if you '
+                'haven\'t set one explicitly, leave this line blank]?')) + ' ')
+      self._CheckPrivateKeyFilePermissions(gs_service_key_file)
+    elif cred_type == CredTypes.OAUTH2_USER_ACCOUNT:
+      oauth2_client = oauth2_helper.OAuth2ClientFromBotoConfig(boto.config,
+                                                               cred_type)
+      try:
+        oauth2_refresh_token = oauth2_helper.OAuth2ApprovalFlow(
+            oauth2_client, oauth2_scopes, launch_browser)
+      except (ResponseNotReady, ServerNotFoundError, socket.error):
+        # TODO: Determine condition to check for in the ResponseNotReady
+        # exception so we only run proxy config flow if failure was caused by
+        # request being blocked because it wasn't sent through proxy. (This
+        # error could also happen if gsutil or the oauth2 client had a bug that
+        # attempted to incorrectly reuse an HTTP connection, for example.)
+        sys.stdout.write('\n'.join(textwrap.wrap(
+            "Unable to connect to accounts.google.com during OAuth2 flow. This "
+            "can happen if your site uses a proxy. If you are using gsutil "
+            "through a proxy, please enter the proxy's information; otherwise "
+            "leave the following fields blank.")) + '\n')
+        self._PromptForProxyConfig()
+        oauth2_client = oauth2_helper.OAuth2ClientFromBotoConfig(boto.config,
+                                                                 cred_type)
+        oauth2_refresh_token = oauth2_helper.OAuth2ApprovalFlow(
+            oauth2_client, oauth2_scopes, launch_browser)
+    elif cred_type == CredTypes.HMAC:
+      got_creds = False
+      for provider in provider_map:
+        if provider == 'google':
+          key_ids[provider] = raw_input('What is your %s access key ID? ' %
+                                        provider)
+          sec_keys[provider] = raw_input('What is your %s secret access key? ' %
+                                         provider)
+          got_creds = True
+          if not key_ids[provider] or not sec_keys[provider]:
+            raise CommandException(
+                'Incomplete credentials provided. Please try again.')
+      if not got_creds:
+        raise CommandException('No credentials provided. Please try again.')
+
+    # Write the config file prelude.
+    config_file.write(CONFIG_PRELUDE_CONTENT.lstrip())
+    config_file.write(
+        '# This file was created by gsutil version %s at %s.\n'
+        % (gslib.VERSION,
+           datetime.datetime.now().strftime('%Y-%m-%d %H:%M:%S')))
+    config_file.write(
+        '#\n# You can create additional configuration files by '
+        'running\n# gsutil config [options] [-o <config-file>]\n\n\n')
+
+    # Write the config file Credentials section.
+    config_file.write('[Credentials]\n\n')
+    if cred_type == CredTypes.OAUTH2_SERVICE_ACCOUNT:
+      config_file.write('# Google OAuth2 service account credentials '
+                        '(for "gs://" URIs):\n')
+      config_file.write('gs_service_key_file = %s\n' % gs_service_key_file)
+      if not service_account_key_is_json:
+        config_file.write('gs_service_client_id = %s\n'
+                          % gs_service_client_id)
+
+        if not gs_service_key_file_password:
+          config_file.write(
+              '# If you would like to set your password, you can do so using\n'
+              '# the following commands (replaced with your information):\n'
+              '# "openssl pkcs12 -in cert1.p12 -out temp_cert.pem"\n'
+              '# "openssl pkcs12 -export -in temp_cert.pem -out cert2.p12"\n'
+              '# "rm -f temp_cert.pem"\n'
+              '# Your initial password is "notasecret" - for more information,'
+              '\n# please see http://www.openssl.org/docs/apps/pkcs12.html.\n')
+          config_file.write('#gs_service_key_file_password =\n\n')
+        else:
+          config_file.write('gs_service_key_file_password = %s\n\n'
+                            % gs_service_key_file_password)
+    elif cred_type == CredTypes.OAUTH2_USER_ACCOUNT:
+      config_file.write(
+          '# Google OAuth2 credentials (for "gs://" URIs):\n'
+          '# The following OAuth2 account is authorized for scope(s):\n')
+      for scope in oauth2_scopes:
+        config_file.write('#     %s\n' % scope)
+      config_file.write(
+          'gs_oauth2_refresh_token = %s\n\n' % oauth2_refresh_token)
+    else:
+      config_file.write(
+          '# To add Google OAuth2 credentials ("gs://" URIs), '
+          'edit and uncomment the\n# following line:\n'
+          '#gs_oauth2_refresh_token = <your OAuth2 refresh token>\n\n')
+
+    for provider in provider_map:
+      key_prefix = provider_map[provider]
+      uri_scheme = uri_map[provider]
+      if provider in key_ids and provider in sec_keys:
+        config_file.write('# %s credentials ("%s://" URIs):\n' %
+                          (provider, uri_scheme))
+        config_file.write('%s_access_key_id = %s\n' %
+                          (key_prefix, key_ids[provider]))
+        config_file.write('%s_secret_access_key = %s\n' %
+                          (key_prefix, sec_keys[provider]))
+      else:
+        config_file.write(
+            '# To add %s credentials ("%s://" URIs), edit and '
+            'uncomment the\n# following two lines:\n'
+            '#%s_access_key_id = <your %s access key ID>\n'
+            '#%s_secret_access_key = <your %s secret access key>\n' %
+            (provider, uri_scheme, key_prefix, provider, key_prefix,
+             provider))
+      host_key = Provider.HostKeyMap[provider]
+      config_file.write(
+          '# The ability to specify an alternate storage host and port\n'
+          '# is primarily for cloud storage service developers.\n'
+          '# Setting a non-default gs_host only works if prefer_api=xml.\n'
+          '#%s_host = <alternate storage host address>\n'
+          '#%s_port = <alternate storage host port>\n'
+          % (host_key, host_key))
+      if host_key == 'gs':
+        config_file.write(
+            '#%s_json_host = <alternate JSON API storage host address>\n'
+            '#%s_json_port = <alternate JSON API storage host port>\n\n'
+            % (host_key, host_key))
+      config_file.write('\n')
+
+    # Write the config file Boto section.
+    config_file.write('%s\n' % CONFIG_BOTO_SECTION_CONTENT)
+    self._WriteProxyConfigFileSection(config_file)
+
+    # Write the config file GSUtil section that doesn't depend on user input.
+    config_file.write(CONFIG_INPUTLESS_GSUTIL_SECTION_CONTENT)
+
+    # Write the default API version.
+    config_file.write("""
+# 'default_api_version' specifies the default Google Cloud Storage XML API
+# version to use. If not set below gsutil defaults to API version 1.
+""")
+    api_version = 2
+    if cred_type == CredTypes.HMAC: api_version = 1
+
+    config_file.write('default_api_version = %d\n' % api_version)
+
+    # Write the config file GSUtil section that includes the default
+    # project ID input from the user.
+    if launch_browser:
+      sys.stdout.write(
+          'Attempting to launch a browser to open the Google Cloud Console at '
+          'URL: %s\n\n'
+          '[Note: due to a Python bug, you may see a spurious error message '
+          '"object is not\ncallable [...] in [...] Popen.__del__" which can '
+          'be ignored.]\n\n' % GOOG_CLOUD_CONSOLE_URI)
+      sys.stdout.write(
+          'In your browser you should see the Cloud Console. Find the project '
+          'you will\nuse, and then copy the Project ID string from the second '
+          'column. Older projects do\nnot have Project ID strings. For such '
+          'projects, click the project and then copy the\nProject Number '
+          'listed under that project.\n\n')
+      if not webbrowser.open(GOOG_CLOUD_CONSOLE_URI, new=1, autoraise=True):
+        sys.stdout.write(
+            'Launching browser appears to have failed; please navigate a '
+            'browser to the following URL:\n%s\n' % GOOG_CLOUD_CONSOLE_URI)
+      # Short delay; webbrowser.open on linux insists on printing out a message
+      # which we don't want to run into the prompt for the auth code.
+      time.sleep(2)
+    else:
+      sys.stdout.write(
+          '\nPlease navigate your browser to %s,\nthen find the project you '
+          'will use, and copy the Project ID string from the\nsecond column. '
+          'Older projects do not have Project ID strings. For such projects,\n'
+          'click the project and then copy the Project Number listed under '
+          'that project.\n\n' % GOOG_CLOUD_CONSOLE_URI)
+    default_project_id = raw_input('What is your project-id? ').strip()
+    project_id_section_prelude = """
+# 'default_project_id' specifies the default Google Cloud Storage project ID to
+# use with the 'mb' and 'ls' commands. This default can be overridden by
+# specifying the -p option to the 'mb' and 'ls' commands.
+"""
+    if not default_project_id:
+      raise CommandException(
+          'No default project ID entered. The default project ID is needed by '
+          'the\nls and mb commands; please try again.')
+    config_file.write('%sdefault_project_id = %s\n\n\n' %
+                      (project_id_section_prelude, default_project_id))
+
+    # Write the config file OAuth2 section.
+    config_file.write(CONFIG_OAUTH2_CONFIG_CONTENT)
+
+  def RunCommand(self):
+    """Command entry point for the config command."""
+    scopes = []
+    cred_type = CredTypes.OAUTH2_USER_ACCOUNT
+    launch_browser = False
+    output_file_name = None
+    has_a = False
+    has_e = False
+    for opt, opt_arg in self.sub_opts:
+      if opt == '-a':
+        cred_type = CredTypes.HMAC
+        has_a = True
+      elif opt == '-b':
+        launch_browser = True
+      elif opt == '-e':
+        cred_type = CredTypes.OAUTH2_SERVICE_ACCOUNT
+        has_e = True
+      elif opt == '-f':
+        scopes.append(SCOPE_FULL_CONTROL)
+      elif opt == '-o':
+        output_file_name = opt_arg
+      elif opt == '-r':
+        scopes.append(SCOPE_READ_ONLY)
+      elif opt == '-s':
+        scopes.append(opt_arg)
+      elif opt == '-w':
+        scopes.append(SCOPE_READ_WRITE)
+      else:
+        self.RaiseInvalidArgumentException()
+
+    if has_e and has_a:
+      raise CommandException('Both -a and -e cannot be specified. Please see '
+                             '"gsutil help config" for more information.')
+
+    if not scopes:
+      scopes.append(SCOPE_FULL_CONTROL)
+
+    default_config_path_bak = None
+    if not output_file_name:
+      # Check to see if a default config file name is requested via
+      # environment variable. If so, use it, otherwise use the hard-coded
+      # default file. Then use the default config file name, if it doesn't
+      # exist or can be moved out of the way without clobbering an existing
+      # backup file.
+      boto_config_from_env = os.environ.get('BOTO_CONFIG', None)
+      if boto_config_from_env:
+        default_config_path = boto_config_from_env
+      else:
+        default_config_path = os.path.expanduser(os.path.join('~', '.boto'))
+      if not os.path.exists(default_config_path):
+        output_file_name = default_config_path
+      else:
+        default_config_path_bak = default_config_path + '.bak'
+        if os.path.exists(default_config_path_bak):
+          raise CommandException(
+              'Cannot back up existing config '
+              'file "%s": backup file exists ("%s").'
+              % (default_config_path, default_config_path_bak))
+        else:
+          try:
+            sys.stderr.write(
+                'Backing up existing config file "%s" to "%s"...\n'
+                % (default_config_path, default_config_path_bak))
+            os.rename(default_config_path, default_config_path_bak)
+          except Exception, e:
+            raise CommandException(
+                'Failed to back up existing config '
+                'file ("%s" -> "%s"): %s.'
+                % (default_config_path, default_config_path_bak, e))
+          output_file_name = default_config_path
+
+    if output_file_name == '-':
+      output_file = sys.stdout
+    else:
+      output_file = self._OpenConfigFile(output_file_name)
+      sys.stderr.write('\n'.join(textwrap.wrap(
+          'This command will create a boto config file at %s containing your '
+          'credentials, based on your responses to the following questions.'
+          % output_file_name)) + '\n')
+
+    # Catch ^C so we can restore the backup.
+    RegisterSignalHandler(signal.SIGINT, _CleanupHandler)
+    try:
+      self._WriteBotoConfigFile(output_file, launch_browser=launch_browser,
+                                oauth2_scopes=scopes, cred_type=cred_type)
+    except Exception as e:
+      user_aborted = isinstance(e, AbortException)
+      if user_aborted:
+        sys.stderr.write('\nCaught ^C; cleaning up\n')
+      # If an error occurred during config file creation, remove the invalid
+      # config file and restore the backup file.
+      if output_file_name != '-':
+        output_file.close()
+        os.unlink(output_file_name)
+        try:
+          if default_config_path_bak:
+            sys.stderr.write('Restoring previous backed up file (%s)\n' %
+                             default_config_path_bak)
+            os.rename(default_config_path_bak, output_file_name)
+        except Exception as e:
+          # Raise the original exception so that we can see what actually went
+          # wrong, rather than just finding out that we died before assigning
+          # a value to default_config_path_bak.
+          raise e
+      raise
+
+    if output_file_name != '-':
+      output_file.close()
+      if not boto.config.has_option('Boto', 'proxy'):
+        sys.stderr.write('\n' + '\n'.join(textwrap.wrap(
+            'Boto config file "%s" created.\nIf you need to use a proxy to '
+            'access the Internet please see the instructions in that file.'
+            % output_file_name)) + '\n')
+
+    return 0
+
+
+def _CleanupHandler(unused_signalnum, unused_handler):
+  raise AbortException('User interrupted config command')