Update oauth2client to v2.0.1 and googleapiclient to v1.5.0.

client/third_party/oauth2client/client.py

 # Copyright 2014 Google Inc. All rights reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #      http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
@@ skipping 12 matching lines @@
 import datetime
 import json
 import logging
 import os
 import socket
 import sys
 import tempfile
 import time
 import shutil
 import six
+from six.moves import http_client
 from six.moves import urllib
 
 import httplib2
 from oauth2client import GOOGLE_AUTH_URI
 from oauth2client import GOOGLE_DEVICE_URI
 from oauth2client import GOOGLE_REVOKE_URI
 from oauth2client import GOOGLE_TOKEN_URI
 from oauth2client import GOOGLE_TOKEN_INFO_URI
 from oauth2client._helpers import _from_bytes
 from oauth2client._helpers import _to_bytes
@@ skipping 23 matching lines @@
 # Which certs to use to validate id_tokens received.
 ID_TOKEN_VERIFICATION_CERTS = 'https://www.googleapis.com/oauth2/v1/certs'
 # This symbol previously had a typo in the name; we keep the old name
 # around for now, but will remove it in the future.
 ID_TOKEN_VERIFICATON_CERTS = ID_TOKEN_VERIFICATION_CERTS
 
 # Constant to use for the out of band OAuth 2.0 flow.
 OOB_CALLBACK_URN = 'urn:ietf:wg:oauth:2.0:oob'
 
 # Google Data client libraries may need to set this to [401, 403].
-REFRESH_STATUS_CODES = [401]
+REFRESH_STATUS_CODES = (http_client.UNAUTHORIZED,)
 
 # The value representing user credentials.
 AUTHORIZED_USER = 'authorized_user'
 
 # The value representing service account credentials.
 SERVICE_ACCOUNT = 'service_account'
 
 # The environment variable pointing the file with local
 # Application Default Credentials.
 GOOGLE_APPLICATION_CREDENTIALS = 'GOOGLE_APPLICATION_CREDENTIALS'
 # The ~/.config subdirectory containing gcloud credentials. Intended
 # to be swapped out in tests.
 _CLOUDSDK_CONFIG_DIRECTORY = 'gcloud'
 # The environment variable name which can replace ~/.config if set.
 _CLOUDSDK_CONFIG_ENV_VAR = 'CLOUDSDK_CONFIG'
 
 # The error message we show users when we can't find the Application
 # Default Credentials.
 ADC_HELP_MSG = (
     'The Application Default Credentials are not available. They are '
     'available if running in Google Compute Engine. Otherwise, the '
     'environment variable ' +
     GOOGLE_APPLICATION_CREDENTIALS +
     ' must be defined pointing to a file defining the credentials. See '
     'https://developers.google.com/accounts/docs/'
     'application-default-credentials for more information.')
 
+_WELL_KNOWN_CREDENTIALS_FILE = 'application_default_credentials.json'
+
 # The access token along with the seconds in which it expires.
 AccessTokenInfo = collections.namedtuple(
     'AccessTokenInfo', ['access_token', 'expires_in'])
 
 DEFAULT_ENV_NAME = 'UNKNOWN'
 
 # If set to True _get_environment avoid GCE check (_detect_gce_environment)
 NO_GCE_CHECK = os.environ.setdefault('NO_GCE_CHECK', 'False')
 
 _SERVER_SOFTWARE = 'SERVER_SOFTWARE'
 _GCE_METADATA_HOST = '169.254.169.254'
 _METADATA_FLAVOR_HEADER = 'Metadata-Flavor'
 _DESIRED_METADATA_FLAVOR = 'Google'
 
+# Expose utcnow() at module level to allow for
+# easier testing (by replacing with a stub).
+_UTCNOW = datetime.datetime.utcnow
+
 
 class SETTINGS(object):
     """Settings namespace for globally defined values."""
     env_name = None
 
 
 class Error(Exception):
     """Base error for this module."""
 
 
@@ skipping 57 matching lines @@
     def get(self, key):
         return self.cache.get(key)
 
     def set(self, key, value):
         self.cache[key] = value
 
     def delete(self, key):
         self.cache.pop(key, None)
 
 
+def _parse_expiry(expiry):
+    if expiry and isinstance(expiry, datetime.datetime):
+        return expiry.strftime(EXPIRY_FORMAT)
+    else:
+        return None
+
+
 class Credentials(object):
     """Base class for all Credentials objects.
 
     Subclasses must define an authorize() method that applies the credentials
     to an HTTP transport.
 
     Subclasses must also specify a classmethod named 'from_json' that takes a
     JSON string as input and returns an instantiated Credentials object.
     """
 
-    NON_SERIALIZED_MEMBERS = ['store']
+    NON_SERIALIZED_MEMBERS = frozenset(['store'])
 
     def authorize(self, http):
         """Take an httplib2.Http instance (or equivalent) and authorizes it.
 
         Authorizes it for the set of credentials, usually by replacing
         http.request() with a method that adds in the appropriate headers and
         then delegates to the original Http.request() method.
 
         Args:
             http: httplib2.Http, an http object to be used to make the refresh
@@ skipping 20 matching lines @@
         _abstract()
 
     def apply(self, headers):
         """Add the authorization to the headers.
 
         Args:
             headers: dict, the headers to add the Authorization header to.
         """
         _abstract()
 
-    def _to_json(self, strip):
+    def _to_json(self, strip, to_serialize=None):
         """Utility function that creates JSON repr. of a Credentials object.
 
         Args:
-            strip: array, An array of names of members to not include in the
+            strip: array, An array of names of members to exclude from the
                    JSON.
+            to_serialize: dict, (Optional) The properties for this object
+                          that will be serialized. This allows callers to modify
+                          before serializing.
 
         Returns:
             string, a JSON representation of this instance, suitable to pass to
             from_json().
         """
-        t = type(self)
-        d = copy.copy(self.__dict__)
+        curr_type = self.__class__
+        if to_serialize is None:
+            to_serialize = copy.copy(self.__dict__)
         for member in strip:
-            if member in d:
-                del d[member]
-        if (d.get('token_expiry') and
-                isinstance(d['token_expiry'], datetime.datetime)):
-            d['token_expiry'] = d['token_expiry'].strftime(EXPIRY_FORMAT)
-        # Add in information we will need later to reconsistitue this instance.
-        d['_class'] = t.__name__
-        d['_module'] = t.__module__
-        for key, val in d.items():
+            if member in to_serialize:
+                del to_serialize[member]
+        to_serialize['token_expiry'] = _parse_expiry(
+            to_serialize.get('token_expiry'))
+        # Add in information we will need later to reconstitute this instance.
+        to_serialize['_class'] = curr_type.__name__
+        to_serialize['_module'] = curr_type.__module__
+        for key, val in to_serialize.items():
             if isinstance(val, bytes):
-                d[key] = val.decode('utf-8')
+                to_serialize[key] = val.decode('utf-8')
             if isinstance(val, set):
-                d[key] = list(val)
-        return json.dumps(d)
+                to_serialize[key] = list(val)
+        return json.dumps(to_serialize)
 
     def to_json(self):
         """Creating a JSON representation of an instance of Credentials.
 
         Returns:
             string, a JSON representation of this instance, suitable to pass to
             from_json().
         """
-        return self._to_json(Credentials.NON_SERIALIZED_MEMBERS)
+        return self._to_json(self.NON_SERIALIZED_MEMBERS)
 
     @classmethod
-    def new_from_json(cls, s):
+    def new_from_json(cls, json_data):
         """Utility class method to instantiate a Credentials subclass from JSON.
 
         Expects the JSON string to have been produced by to_json().
 
         Args:
-            s: string or bytes, JSON from to_json().
+            json_data: string or bytes, JSON from to_json().
 
         Returns:
             An instance of the subclass of Credentials that was serialized with
             to_json().
         """
-        json_string_as_unicode = _from_bytes(s)
-        data = json.loads(json_string_as_unicode)
+        json_data_as_unicode = _from_bytes(json_data)
+        data = json.loads(json_data_as_unicode)
         # Find and call the right classmethod from_json() to restore
         # the object.
         module_name = data['_module']
         try:
             module_obj = __import__(module_name)
         except ImportError:
             # In case there's an object from the old package structure,
             # update it
             module_name = module_name.replace('.googleapiclient', '')
             module_obj = __import__(module_name)
 
         module_obj = __import__(module_name,
                                 fromlist=module_name.split('.')[:-1])
         kls = getattr(module_obj, data['_class'])
-        from_json = getattr(kls, 'from_json')
-        return from_json(json_string_as_unicode)
+        return kls.from_json(json_data_as_unicode)
 
     @classmethod
     def from_json(cls, unused_data):
         """Instantiate a Credentials object from a JSON description of it.
 
         The JSON should have been produced by calling .to_json() on the object.
 
         Args:
             unused_data: dict, A deserialized JSON object.
 
         Returns:
             An instance of a Credentials subclass.
         """
         return Credentials()
 
 
 class Flow(object):
     """Base class for all Flow objects."""
     pass
 
 
 class Storage(object):
     """Base class for all Storage objects.
 
     Store and retrieve a single credential. This class supports locking
     such that multiple processes and threads can operate on a single
     store.
     """
+    def __init__(self, lock=None):
+        """Create a Storage instance.
+
+        Args:
+            lock: An optional threading.Lock-like object. Must implement at
+                  least acquire() and release(). Does not need to be re-entrant.
+        """
+        self._lock = lock
 
     def acquire_lock(self):
         """Acquires any lock necessary to access this Storage.
 
         This lock is not reentrant.
         """
-        pass
+        if self._lock is not None:
+            self._lock.acquire()
 
     def release_lock(self):
         """Release the Storage lock.
 
         Trying to release a lock that isn't held will result in a
-        RuntimeError.
+        RuntimeError in the case of a threading.Lock or multiprocessing.Lock.
         """
-        pass
+        if self._lock is not None:
+            self._lock.release()
 
     def locked_get(self):
         """Retrieve credential.
 
         The Storage lock must be held when this is called.
 
         Returns:
             oauth2client.client.Credentials
         """
         _abstract()
@@ skipping 308 matching lines @@
         Args:
             http: httplib2.Http, an http object to be used to make the refresh
                   request.
 
         Returns:
             A set of strings containing the canonical list of scopes.
         """
         self._retrieve_scopes(http.request)
         return self.scopes
 
-    def to_json(self):
-        return self._to_json(Credentials.NON_SERIALIZED_MEMBERS)
-
     @classmethod
-    def from_json(cls, s):
+    def from_json(cls, json_data):
         """Instantiate a Credentials object from a JSON description of it.
 
         The JSON should have been produced by calling .to_json() on the object.
 
         Args:
-            data: dict, A deserialized JSON object.
+            json_data: string or bytes, JSON to deserialize.
 
         Returns:
             An instance of a Credentials subclass.
         """
-        s = _from_bytes(s)
-        data = json.loads(s)
+        data = json.loads(_from_bytes(json_data))
         if (data.get('token_expiry') and
                 not isinstance(data['token_expiry'], datetime.datetime)):
             try:
                 data['token_expiry'] = datetime.datetime.strptime(
                     data['token_expiry'], EXPIRY_FORMAT)
             except ValueError:
                 data['token_expiry'] = None
         retval = cls(
             data['access_token'],
             data['client_id'],
@@ skipping 15 matching lines @@
         """True if the credential is expired or invalid.
 
         If the token_expiry isn't set, we assume the token doesn't expire.
         """
         if self.invalid:
             return True
 
         if not self.token_expiry:
             return False
 
-        now = datetime.datetime.utcnow()
+        now = _UTCNOW()
         if now >= self.token_expiry:
             logger.info('access_token is expired. Now: %s, token_expiry: %s',
                         now, self.token_expiry)
             return True
         return False
 
     def get_access_token(self, http=None):
         """Return the access token and its expiration information.
 
         If the token does not exist, get one.
@@ skipping 22 matching lines @@
         """Return the number of seconds until this token expires.
 
         If token_expiry is in the past, this method will return 0, meaning the
         token has already expired.
 
         If token_expiry is None, this method will return None. Note that
         returning 0 in such a case would not be fair: the token may still be
         valid; we just don't know anything about it.
         """
         if self.token_expiry:
-            now = datetime.datetime.utcnow()
+            now = _UTCNOW()
             if self.token_expiry > now:
                 time_delta = self.token_expiry - now
                 # TODO(orestica): return time_delta.total_seconds()
                 # once dropping support for Python 2.6
                 return time_delta.days * 86400 + time_delta.seconds
             else:
                 return 0
 
     def _updateFromCredential(self, other):
         """Update this Credential from another instance."""
@@ skipping 74 matching lines @@
         Raises:
             HttpAccessTokenRefreshError: When the refresh fails.
         """
         body = self._generate_refresh_request_body()
         headers = self._generate_refresh_request_headers()
 
         logger.info('Refreshing access_token')
         resp, content = http_request(
             self.token_uri, method='POST', body=body, headers=headers)
         content = _from_bytes(content)
-        if resp.status == 200:
+        if resp.status == http_client.OK:
             d = json.loads(content)
             self.token_response = d
             self.access_token = d['access_token']
             self.refresh_token = d.get('refresh_token', self.refresh_token)
             if 'expires_in' in d:
-                self.token_expiry = datetime.timedelta(
-                    seconds=int(d['expires_in'])) + datetime.datetime.utcnow()
+                delta = datetime.timedelta(seconds=int(d['expires_in']))
+                self.token_expiry = delta + _UTCNOW()
             else:
                 self.token_expiry = None
+            if 'id_token' in d:
+                self.id_token = _extract_id_token(d['id_token'])
+            else:
+                self.id_token = None
             # On temporary refresh errors, the user does not actually have to
             # re-authorize, so we unflag here.
             self.invalid = False
             if self.store:
                 self.store.locked_put(self)
         else:
             # An {'error':...} response body means the token is expired or
             # revoked, so we flag the credentials as such.
             logger.info('Failed to retrieve access token: %s', content)
             error_msg = 'Invalid response %s.' % resp['status']
@@ skipping 31 matching lines @@
                    access_token or refresh_token.
 
         Raises:
             TokenRevokeError: If the revoke request does not return with a
                               200 OK.
         """
         logger.info('Revoking token')
         query_params = {'token': token}
         token_revoke_uri = _update_query_params(self.revoke_uri, query_params)
         resp, content = http_request(token_revoke_uri)
-        if resp.status == 200:
+        if resp.status == http_client.OK:
             self.invalid = True
         else:
             error_msg = 'Invalid response %s.' % resp.status
             try:
                 d = json.loads(_from_bytes(content))
                 if 'error' in d:
                     error_msg = d['error']
             except (TypeError, ValueError):
                 pass
             raise TokenRevokeError(error_msg)
@@ skipping 24 matching lines @@
         Raises:
             Error: When refresh fails, indicating the the access token is
                    invalid.
         """
         logger.info('Refreshing scopes')
         query_params = {'access_token': token, 'fields': 'scope'}
         token_info_uri = _update_query_params(self.token_info_uri,
                                               query_params)
         resp, content = http_request(token_info_uri)
         content = _from_bytes(content)
-        if resp.status == 200:
+        if resp.status == http_client.OK:
             d = json.loads(content)
             self.scopes = set(util.string_to_scopes(d.get('scope', '')))
         else:
             error_msg = 'Invalid response %s.' % (resp.status,)
             try:
                 d = json.loads(content)
                 if 'error_description' in d:
                     error_msg = d['error_description']
             except (TypeError, ValueError):
                 pass
@@ skipping 43 matching lines @@
             access_token,
             None,
             None,
             None,
             None,
             None,
             user_agent,
             revoke_uri=revoke_uri)
 
     @classmethod
-    def from_json(cls, s):
-        data = json.loads(_from_bytes(s))
+    def from_json(cls, json_data):
+        data = json.loads(_from_bytes(json_data))
         retval = AccessTokenCredentials(
             data['access_token'],
             data['user_agent'])
         return retval
 
     def _refresh(self, http_request):
         raise AccessTokenCredentialsError(
             'The access_token is expired or invalid and can\'t be refreshed.')
 
     def _revoke(self, http_request):
@@ skipping 20 matching lines @@
     #       could lead to false negatives in the event that we are on GCE, but
     #       the metadata resolution was particularly slow. The latter case is
     #       "unlikely".
     connection = six.moves.http_client.HTTPConnection(
         _GCE_METADATA_HOST, timeout=1)
 
     try:
         headers = {_METADATA_FLAVOR_HEADER: _DESIRED_METADATA_FLAVOR}
         connection.request('GET', '/', headers=headers)
         response = connection.getresponse()
-        if response.status == 200:
+        if response.status == http_client.OK:
             return (response.getheader(_METADATA_FLAVOR_HEADER) ==
                     _DESIRED_METADATA_FLAVOR)
     except socket.error:  # socket.timeout or socket.error(64, 'Host is down')
         logger.info('Timeout attempting to reach GCE metadata service.')
         return False
     finally:
         connection.close()
 
 
 def _in_gae_environment():
@@ skipping 54 matching lines @@
         service = build('compute', 'v1', credentials=credentials)
 
         PROJECT = 'bamboo-machine-422'
         ZONE = 'us-central1-a'
         request = service.instances().list(project=PROJECT, zone=ZONE)
         response = request.execute()
 
         print(response)
     """
 
+    NON_SERIALIZED_MEMBERS =  (
+        frozenset(['_private_key']) |
+        OAuth2Credentials.NON_SERIALIZED_MEMBERS)
+    """Members that aren't serialized when object is converted to JSON."""
+
     def __init__(self, access_token, client_id, client_secret, refresh_token,
                  token_expiry, token_uri, user_agent,
                  revoke_uri=GOOGLE_REVOKE_URI):
         """Create an instance of GoogleCredentials.
 
         This constructor is not usually called by the user, instead
         GoogleCredentials objects are instantiated by
         GoogleCredentials.from_stream() or
         GoogleCredentials.get_application_default().
 
@@ skipping 22 matching lines @@
         """
         return False
 
     def create_scoped(self, scopes):
         """Create a Credentials object for the given scopes.
 
         The Credentials type is preserved.
         """
         return self
 
+    @classmethod
+    def from_json(cls, json_data):
+        # TODO(issue 388): eliminate the circularity that is the reason for
+        #                  this non-top-level import.
+        from oauth2client.service_account import ServiceAccountCredentials
+        data = json.loads(_from_bytes(json_data))
+
+        # We handle service_account.ServiceAccountCredentials since it is a
+        # possible return type of GoogleCredentials.get_application_default()
+        if (data['_module'] == 'oauth2client.service_account' and
+            data['_class'] == 'ServiceAccountCredentials'):
+            return ServiceAccountCredentials.from_json(data)
+
+        token_expiry = _parse_expiry(data.get('token_expiry'))
+        google_credentials = cls(
+            data['access_token'],
+            data['client_id'],
+            data['client_secret'],
+            data['refresh_token'],
+            token_expiry,
+            data['token_uri'],
+            data['user_agent'],
+            revoke_uri=data.get('revoke_uri', None))
+        google_credentials.invalid = data['invalid']
+        return google_credentials
+
     @property
     def serialization_data(self):
         """Get the fields and values identifying the current credentials."""
         return {
             'type': 'authorized_user',
             'client_id': self.client_id,
             'client_secret': self.client_secret,
             'refresh_token': self.refresh_token
         }
 
@@ skipping 193 matching lines @@
                 'File ' + application_default_credential_filename +
                 ' (pointed by ' +
                 GOOGLE_APPLICATION_CREDENTIALS +
                 ' environment variable) does not exist!')
 
 
 def _get_well_known_file():
     """Get the well known file produced by command 'gcloud auth login'."""
     # TODO(orestica): Revisit this method once gcloud provides a better way
     # of pinpointing the exact location of the file.
-
-    WELL_KNOWN_CREDENTIALS_FILE = 'application_default_credentials.json'
-
     default_config_dir = os.getenv(_CLOUDSDK_CONFIG_ENV_VAR)
     if default_config_dir is None:
         if os.name == 'nt':
             try:
                 default_config_dir = os.path.join(os.environ['APPDATA'],
                                                   _CLOUDSDK_CONFIG_DIRECTORY)
             except KeyError:
                 # This should never happen unless someone is really
                 # messing with things.
                 drive = os.environ.get('SystemDrive', 'C:')
                 default_config_dir = os.path.join(drive, '\\',
                                                   _CLOUDSDK_CONFIG_DIRECTORY)
         else:
             default_config_dir = os.path.join(os.path.expanduser('~'),
                                               '.config',
                                               _CLOUDSDK_CONFIG_DIRECTORY)
 
-    return os.path.join(default_config_dir, WELL_KNOWN_CREDENTIALS_FILE)
+    return os.path.join(default_config_dir, _WELL_KNOWN_CREDENTIALS_FILE)
 
 
 def _get_application_default_credential_from_file(filename):
     """Build the Application Default Credentials from file."""
-
-    from oauth2client import service_account
-
     # read the credentials from the file
     with open(filename) as file_obj:
         client_credentials = json.load(file_obj)
 
     credentials_type = client_credentials.get('type')
     if credentials_type == AUTHORIZED_USER:
         required_fields = set(['client_id', 'client_secret', 'refresh_token'])
     elif credentials_type == SERVICE_ACCOUNT:
         required_fields = set(['client_id', 'client_email', 'private_key_id',
                                'private_key'])
@@ skipping 10 matching lines @@
     if client_credentials['type'] == AUTHORIZED_USER:
         return GoogleCredentials(
             access_token=None,
             client_id=client_credentials['client_id'],
             client_secret=client_credentials['client_secret'],
             refresh_token=client_credentials['refresh_token'],
             token_expiry=None,
             token_uri=GOOGLE_TOKEN_URI,
             user_agent='Python client library')
     else:  # client_credentials['type'] == SERVICE_ACCOUNT
-        return service_account._ServiceAccountCredentials(
-            service_account_id=client_credentials['client_id'],
-            service_account_email=client_credentials['client_email'],
-            private_key_id=client_credentials['private_key_id'],
-            private_key_pkcs8_text=client_credentials['private_key'],
-            scopes=[])
+        from oauth2client.service_account import ServiceAccountCredentials
+        return ServiceAccountCredentials.from_json_keyfile_dict(
+            client_credentials)
 
 
 def _raise_exception_for_missing_fields(missing_fields):
     raise ApplicationDefaultCredentialsError(
         'The following field(s) must be defined: ' + ', '.join(missing_fields))
 
 
 def _raise_exception_for_reading_json(credential_file,
                                       extra_help,
                                       error):
     raise ApplicationDefaultCredentialsError(
       'An error was encountered while reading json file: ' +
       credential_file + extra_help + ': ' + str(error))
 
 
 def _get_application_default_credential_GAE():
-    from oauth2client.appengine import AppAssertionCredentials
+    from oauth2client.contrib.appengine import AppAssertionCredentials
 
     return AppAssertionCredentials([])
 
 
 def _get_application_default_credential_GCE():
-    from oauth2client.gce import AppAssertionCredentials
+    from oauth2client.contrib.gce import AppAssertionCredentials
 
-    return AppAssertionCredentials([])
+    return AppAssertionCredentials()
 
 
 class AssertionCredentials(GoogleCredentials):
     """Abstract Credentials object used for OAuth 2.0 assertion grants.
 
     This credential does not require a flow to instantiate because it
     represents a two legged flow, and therefore has all of the required
     information to generate and refresh its own access tokens. It must
     be subclassed to generate the appropriate assertion string.
 
@@ skipping 45 matching lines @@
     def _revoke(self, http_request):
         """Revokes the access_token and deletes the store if available.
 
         Args:
             http_request: callable, a callable that matches the method
                           signature of httplib2.Http.request, used to make the
                           revoke request.
         """
         self._do_revoke(http_request, self.access_token)
 
+    def sign_blob(self, blob):
+        """Cryptographically sign a blob (of bytes).
+
+        Args:
+            blob: bytes, Message to be signed.
+
+        Returns:
+            tuple, A pair of the private key ID used to sign the blob and
+            the signed contents.
+        """
+        raise NotImplementedError('This method is abstract.')
+
 
 def _RequireCryptoOrDie():
     """Ensure we have a crypto library, or throw CryptoUnavailableError.
 
     The oauth2client.crypt module requires either PyCrypto or PyOpenSSL
     to be available in order to function, but these are optional
     dependencies.
     """
     if not HAS_CRYPTO:
         raise CryptoUnavailableError('No crypto library available')
 
 
-class SignedJwtAssertionCredentials(AssertionCredentials):
-    """Credentials object used for OAuth 2.0 Signed JWT assertion grants.
-
-    This credential does not require a flow to instantiate because it
-    represents a two legged flow, and therefore has all of the required
-    information to generate and refresh its own access tokens.
-
-    SignedJwtAssertionCredentials requires either PyOpenSSL, or PyCrypto
-    2.6 or later. For App Engine you may also consider using
-    AppAssertionCredentials.
-    """
-
-    MAX_TOKEN_LIFETIME_SECS = 3600  # 1 hour in seconds
-
-    @util.positional(4)
-    def __init__(self,
-                 service_account_name,
-                 private_key,
-                 scope,
-                 private_key_password='notasecret',
-                 user_agent=None,
-                 token_uri=GOOGLE_TOKEN_URI,
-                 revoke_uri=GOOGLE_REVOKE_URI,
-                 **kwargs):
-        """Constructor for SignedJwtAssertionCredentials.
-
-        Args:
-            service_account_name: string, id for account, usually an email
-                                  address.
-            private_key: string or bytes, private key in PKCS12 or PEM format.
-            scope: string or iterable of strings, scope(s) of the credentials
-                   being requested.
-            private_key_password: string, password for private_key, unused if
-                                  private_key is in PEM format.
-            user_agent: string, HTTP User-Agent to provide for this
-                        application.
-            token_uri: string, URI for token endpoint. For convenience defaults
-                       to Google's endpoints but any OAuth 2.0 provider can be
-                       used.
-            revoke_uri: string, URI for revoke endpoint.
-            kwargs: kwargs, Additional parameters to add to the JWT token, for
-                    example sub=joe@xample.org.
-
-        Raises:
-            CryptoUnavailableError if no crypto library is available.
-        """
-        _RequireCryptoOrDie()
-        super(SignedJwtAssertionCredentials, self).__init__(
-            None,
-            user_agent=user_agent,
-            token_uri=token_uri,
-            revoke_uri=revoke_uri,
-        )
-
-        self.scope = util.scopes_to_string(scope)
-
-        # Keep base64 encoded so it can be stored in JSON.
-        self.private_key = base64.b64encode(_to_bytes(private_key))
-        self.private_key_password = private_key_password
-        self.service_account_name = service_account_name
-        self.kwargs = kwargs
-
-    @classmethod
-    def from_json(cls, s):
-        data = json.loads(_from_bytes(s))
-        retval = SignedJwtAssertionCredentials(
-            data['service_account_name'],
-            base64.b64decode(data['private_key']),
-            data['scope'],
-            private_key_password=data['private_key_password'],
-            user_agent=data['user_agent'],
-            token_uri=data['token_uri'],
-            **data['kwargs']
-        )
-        retval.invalid = data['invalid']
-        retval.access_token = data['access_token']
-        return retval
-
-    def _generate_assertion(self):
-        """Generate the assertion that will be used in the request."""
-        now = int(time.time())
-        payload = {
-            'aud': self.token_uri,
-            'scope': self.scope,
-            'iat': now,
-            'exp': now + SignedJwtAssertionCredentials.MAX_TOKEN_LIFETIME_SECS,
-            'iss': self.service_account_name
-        }
-        payload.update(self.kwargs)
-        logger.debug(str(payload))
-
-        private_key = base64.b64decode(self.private_key)
-        return crypt.make_signed_jwt(crypt.Signer.from_string(
-            private_key, self.private_key_password), payload)
-
 # Only used in verify_id_token(), which is always calling to the same URI
 # for the certs.
 _cached_http = httplib2.Http(MemoryCache())
 
 
 @util.positional(2)
 def verify_id_token(id_token, audience, http=None,
                     cert_uri=ID_TOKEN_VERIFICATION_CERTS):
     """Verifies a signed JWT id_token.
 
@@ skipping 13 matching lines @@
 
     Raises:
         oauth2client.crypt.AppIdentityError: if the JWT fails to verify.
         CryptoUnavailableError: if no crypto library is available.
     """
     _RequireCryptoOrDie()
     if http is None:
         http = _cached_http
 
     resp, content = http.request(cert_uri)
-    if resp.status == 200:
+    if resp.status == http_client.OK:
         certs = json.loads(_from_bytes(content))
         return crypt.verify_signed_jwt_with_certs(id_token, certs, audience)
     else:
         raise VerifyJwtTokenError('Status code: %d' % resp.status)
 
 
 def _extract_id_token(id_token):
     """Extract the JSON payload from a JWT.
 
     Does the extraction w/o checking the signature.
@@ skipping 324 matching lines @@
 
         if self.user_agent is not None:
             headers['user-agent'] = self.user_agent
 
         if http is None:
             http = httplib2.Http()
 
         resp, content = http.request(self.device_uri, method='POST', body=body,
                                      headers=headers)
         content = _from_bytes(content)
-        if resp.status == 200:
+        if resp.status == http_client.OK:
             try:
                 flow_info = json.loads(content)
             except ValueError as e:
                 raise OAuth2DeviceCodeError(
                     'Could not parse server response as JSON: "%s", '
                     'error: "%s"' % (content, e))
             return DeviceFlowInfo.FromResponse(flow_info)
         else:
             error_msg = 'Invalid response %s.' % resp.status
             try:
@@ skipping 62 matching lines @@
             headers['Authorization'] = self.authorization_header
         if self.user_agent is not None:
             headers['user-agent'] = self.user_agent
 
         if http is None:
             http = httplib2.Http()
 
         resp, content = http.request(self.token_uri, method='POST', body=body,
                                      headers=headers)
         d = _parse_exchange_token_response(content)
-        if resp.status == 200 and 'access_token' in d:
+        if resp.status == http_client.OK and 'access_token' in d:
             access_token = d['access_token']
             refresh_token = d.get('refresh_token', None)
             if not refresh_token:
                 logger.info(
                     'Received token response with no refresh_token. Consider '
                     "reauthenticating with approval_prompt='force'.")
             token_expiry = None
             if 'expires_in' in d:
-                token_expiry = (
-                    datetime.datetime.utcnow() +
-                    datetime.timedelta(seconds=int(d['expires_in'])))
+                delta = datetime.timedelta(seconds=int(d['expires_in']))
+                token_expiry = delta + _UTCNOW()
 
             extracted_id_token = None
             if 'id_token' in d:
                 extracted_id_token = _extract_id_token(d['id_token'])
 
             logger.info('Successfully retrieved access token')
             return OAuth2Credentials(
                 access_token, self.client_id, self.client_secret,
                 refresh_token, token_expiry, self.token_uri, self.user_agent,
                 revoke_uri=self.revoke_uri, id_token=extracted_id_token,
@@ skipping 71 matching lines @@
                 scope, **constructor_kwargs)
 
     except clientsecrets.InvalidClientSecretsError:
         if message:
             sys.exit(message)
         else:
             raise
     else:
         raise UnknownClientSecretsFlowError(
             'This OAuth 2.0 flow is unsupported: %r' % client_type)