From af357e8d370801ffb2c586653a7f49c3a8b54c7d Mon Sep 17 00:00:00 2001 From: Sijun Liu Date: Tue, 9 Jul 2024 07:33:25 +0000 Subject: [PATCH 1/3] tmp --- google/auth/_default.py | 3 + google/auth/compute_engine/credentials.py | 4 ++ google/auth/credentials.py | 7 ++ google/auth/external_account.py | 14 +++- google/auth/impersonated_credentials.py | 14 +++- google/oauth2/credentials.py | 86 +++++++---------------- google/oauth2/service_account.py | 11 ++- 7 files changed, 76 insertions(+), 63 deletions(-) diff --git a/google/auth/_default.py b/google/auth/_default.py index 63009dfb8..2d091f2e0 100644 --- a/google/auth/_default.py +++ b/google/auth/_default.py @@ -241,6 +241,8 @@ def _get_gcloud_sdk_credentials(quota_project_id=None): if not project_id: project_id = _cloud_sdk.get_project_id() + credentials._cred_file_path = credentials_filename + return credentials, project_id @@ -270,6 +272,7 @@ def _get_explicit_environ_credentials(quota_project_id=None): credentials, project_id = load_credentials_from_file( os.environ[environment_vars.CREDENTIALS], quota_project_id=quota_project_id ) + credentials._cred_file_path = explicit_file return credentials, project_id diff --git a/google/auth/compute_engine/credentials.py b/google/auth/compute_engine/credentials.py index 008b991bb..d8877ef44 100644 --- a/google/auth/compute_engine/credentials.py +++ b/google/auth/compute_engine/credentials.py @@ -157,6 +157,10 @@ def universe_domain(self): self._universe_domain_cached = True return self._universe_domain + @_helpers.copy_docstring(credentials.Credentials) + def _get_cred_info(self): + return f"This API call is authenticated as {self.service_account_email} from the metadata server." + @_helpers.copy_docstring(credentials.CredentialsWithQuotaProject) def with_quota_project(self, quota_project_id): creds = self.__class__( diff --git a/google/auth/credentials.py b/google/auth/credentials.py index e31930311..b8ea0be2a 100644 --- a/google/auth/credentials.py 
+++ b/google/auth/credentials.py @@ -62,6 +62,9 @@ def __init__(self): self._universe_domain = DEFAULT_UNIVERSE_DOMAIN """Optional[str]: The universe domain value, default is googleapis.com """ + self._cred_file_path = None + """Optional[str]: The credential file path. + """ self._use_non_blocking_refresh = False self._refresh_worker = RefreshThreadManager() @@ -128,6 +131,10 @@ def universe_domain(self): """The universe domain value.""" return self._universe_domain + def _get_cred_info(self): + """The credential information string.""" + return None + @abc.abstractmethod def refresh(self, request): """Refreshes the access token. diff --git a/google/auth/external_account.py b/google/auth/external_account.py index df0511f25..85b460ed6 100644 --- a/google/auth/external_account.py +++ b/google/auth/external_account.py @@ -321,11 +321,20 @@ def token_info_url(self): return self._token_info_url + @_helpers.copy_docstring(credentials.Credentials) + def _get_red_info(self): + if self._cred_file_path and self.service_account_email: + return f"This API call is authenticated as {self.service_account_email} from {self._cred_file_path} via the GOOGLE_APPLICATION_CREDENTIALS environment variable." + elif self._cred_file_path: + return f"This API call is authenticated from {self._cred_file_path} via the GOOGLE_APPLICATION_CREDENTIALS environment variable." + return None + @_helpers.copy_docstring(credentials.Scoped) def with_scopes(self, scopes, default_scopes=None): kwargs = self._constructor_args() kwargs.update(scopes=scopes, default_scopes=default_scopes) scoped = self.__class__(**kwargs) + scoped._cred_file_path = self._cred_file_path scoped._metrics_options = self._metrics_options return scoped 
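Review bot: The base `_get_cred_info` added in the `@@ -128,6 +131,10 @@` hunk is documented only as `"""The credential information string."""`, which tells neither an implementer nor a caller what the string may contain or that `None` is a valid result. The overrides added in this series embed the account email and the local credential file path, so the docstring should say so, for example `"""Return a human-readable description of the principal and credential source, or None if unknown; may include an account email and a local file path."""`. Where the string is consumed is not visible in this patch; if it ends up in API error messages, anything that forwards those messages to end users or shared logs also forwards the path and identity. The `_cred_file_path` attribute docstring in the `@@ -62,6 +62,9 @@` hunk could likewise note that the value is assigned by the loaders in google/auth/_default.py.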
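Review bot: The override added to google/auth/external_account.py is named `_get_red_info`, not `_get_cred_info`, so it never replaces the base method and external-account credentials keep returning `None`; neither later patch in the series renames it. It is decorated with `@_helpers.copy_docstring(credentials.Credentials)`, and if that helper looks the method up by name on the source class, the misspelling may also fail at import time, so rename it to `def _get_cred_info(self):`. Separately, the message hard-codes `via the GOOGLE_APPLICATION_CREDENTIALS environment variable`, yet `_get_gcloud_sdk_credentials` in google/auth/_default.py also sets `_cred_file_path`, so a credential loaded from the Cloud SDK file would be attributed to the wrong source; the same wording appears in google/auth/impersonated_credentials.py and google/oauth2/service_account.py. Recording the source alongside the path, or dropping the clause as google/oauth2/credentials.py does with `authenticated from {self._cred_file_path}.`, would keep the diagnostic accurate.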
@@ -448,6 +457,7 @@ def with_quota_project(self, quota_project_id): kwargs = self._constructor_args() kwargs.update(quota_project_id=quota_project_id) new_cred = self.__class__(**kwargs) + new_cred._cred_file_path = self._cred_file_path new_cred._metrics_options = self._metrics_options return new_cred @@ -456,6 +466,7 @@ def with_token_uri(self, token_uri): kwargs = self._constructor_args() kwargs.update(token_url=token_uri) new_cred = self.__class__(**kwargs) + new_cred._cred_file_path = self._cred_file_path new_cred._metrics_options = self._metrics_options return new_cred @@ -464,6 +475,7 @@ def with_universe_domain(self, universe_domain): kwargs = self._constructor_args() kwargs.update(universe_domain=universe_domain) new_cred = self.__class__(**kwargs) + new_cred._cred_file_path = self._cred_file_path new_cred._metrics_options = self._metrics_options return new_cred @@ -593,7 +605,7 @@ def from_info(cls, info, **kwargs): universe_domain=info.get( "universe_domain", credentials.DEFAULT_UNIVERSE_DOMAIN ), - **kwargs + **kwargs, ) @classmethod diff --git a/google/auth/impersonated_credentials.py b/google/auth/impersonated_credentials.py index 3c6f8712a..9a0970e3b 100644 --- a/google/auth/impersonated_credentials.py +++ b/google/auth/impersonated_credentials.py @@ -316,9 +316,15 @@ def signer(self): def requires_scopes(self): return not self._target_scopes + @_helpers.copy_docstring(credentials.Credentials) + def _get_cred_info(self): + if self._cred_file_path: + return f"This API call is authenticated as {self._target_principal}, using the {self._cred_file_path} file via the GOOGLE_APPLICATION_CREDENTIALS environment variable." + return None + @_helpers.copy_docstring(credentials.CredentialsWithQuotaProject) def with_quota_project(self, quota_project_id): - return self.__class__( + cred = self.__class__( self._source_credentials, target_principal=self._target_principal, target_scopes=self._target_scopes, 
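Review bot: `new_cred._cred_file_path = self._cred_file_path` is now repeated by hand in `with_quota_project`, `with_token_uri` and `with_universe_domain` (hunks `@@ -448`, `@@ -456` and `@@ -464`) and in `with_scopes` earlier in the file, so a copy method added later that omits the line silently loses the credential source. A private helper in the style of the `_make_copy` this series adds to google/oauth2/credentials.py, one that builds `self.__class__(**kwargs)` and copies both `_cred_file_path` and `_metrics_options`, would keep the four methods in step. Each of these method bodies starts outside its hunk.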
@@ -327,10 +333,12 @@ def with_quota_project(self, quota_project_id): quota_project_id=quota_project_id, iam_endpoint_override=self._iam_endpoint_override, ) + cred._cred_file_path = self._cred_file_path + return cred @_helpers.copy_docstring(credentials.Scoped) def with_scopes(self, scopes, default_scopes=None): - return self.__class__( + cred = self.__class__( self._source_credentials, target_principal=self._target_principal, target_scopes=scopes or default_scopes, @@ -339,6 +347,8 @@ def with_scopes(self, scopes, default_scopes=None): quota_project_id=self._quota_project_id, iam_endpoint_override=self._iam_endpoint_override, ) + cred._cred_file_path = self._cred_file_path + return cred class IDTokenCredentials(credentials.CredentialsWithQuotaProject): diff --git a/google/oauth2/credentials.py b/google/oauth2/credentials.py index 5ca00d4c5..9e2c81f79 100644 --- a/google/oauth2/credentials.py +++ b/google/oauth2/credentials.py @@ -189,6 +189,7 @@ def __setstate__(self, d): self._universe_domain = ( d.get("_universe_domain") or credentials.DEFAULT_UNIVERSE_DOMAIN ) + self._cred_file_path = d.get("_cred_file_path") # The refresh_handler setter should be used to repopulate this. self._refresh_handler = None self._refresh_worker = None @@ -278,10 +279,8 @@ def account(self): """str: The user account associated with the credential. If the account is unknown an empty string is returned.""" return self._account - @_helpers.copy_docstring(credentials.CredentialsWithQuotaProject) - def with_quota_project(self, quota_project_id): - - return self.__class__( + def _make_copy(self): + cred = self.__class__( self.token, refresh_token=self.refresh_token, id_token=self.id_token, 
@@ -291,34 +290,33 @@ def with_quota_project(self, quota_project_id): scopes=self.scopes, default_scopes=self.default_scopes, granted_scopes=self.granted_scopes, - quota_project_id=quota_project_id, + quota_project_id=self.quota_project_id, rapt_token=self.rapt_token, enable_reauth_refresh=self._enable_reauth_refresh, trust_boundary=self._trust_boundary, universe_domain=self._universe_domain, account=self._account, ) + cred._cred_file_path = self._cred_file_path + return cred + + @_helpers.copy_docstring(credentials.Credentials) + def _get_cred_info(self): + if self._cred_file_path: + return f"This API call is authenticated from {self._cred_file_path}." + return None + + @_helpers.copy_docstring(credentials.CredentialsWithQuotaProject) + def with_quota_project(self, quota_project_id): + cred = self._make_copy() + cred._quota_project_id = quota_project_id + return cred @_helpers.copy_docstring(credentials.CredentialsWithTokenUri) def with_token_uri(self, token_uri): - - return self.__class__( - self.token, - refresh_token=self.refresh_token, - id_token=self.id_token, - token_uri=token_uri, - client_id=self.client_id, - client_secret=self.client_secret, - scopes=self.scopes, - default_scopes=self.default_scopes, - granted_scopes=self.granted_scopes, - quota_project_id=self.quota_project_id, - rapt_token=self.rapt_token, - enable_reauth_refresh=self._enable_reauth_refresh, - trust_boundary=self._trust_boundary, - universe_domain=self._universe_domain, - account=self._account, - ) + cred = self._make_copy() + cred._token_uri = token_uri + return cred def with_account(self, account): """Returns a copy of these credentials with a modified account. 
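Review bot: `with_quota_project` and `with_token_uri` now build an unchanged copy with `_make_copy()` and then overwrite `cred._quota_project_id` / `cred._token_uri`, so the new value no longer passes through the constructor as it did with `quota_project_id=quota_project_id` and `token_uri=token_uri`; `with_account` and `with_universe_domain` in the following hunk do the same. Any normalisation or validation the constructor applies is skipped: `__setstate__` in this file falls back with `d.get("_universe_domain") or credentials.DEFAULT_UNIVERSE_DOMAIN`, and if `__init__` does likewise, `with_universe_domain(None)` now yields `None` instead of the default. Consider letting `_make_copy` accept keyword overrides that it forwards to `self.__class__(...)`, and give it a short docstring saying it returns a new instance carrying the same fields plus `_cred_file_path`. `_make_copy` begins in the previous hunk and `with_account` continues in the next one.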
@@ -329,45 +327,15 @@ def with_account(self, account): Returns: google.oauth2.credentials.Credentials: A new credentials instance. """ - - return self.__class__( - self.token, - refresh_token=self.refresh_token, - id_token=self.id_token, - token_uri=self._token_uri, - client_id=self.client_id, - client_secret=self.client_secret, - scopes=self.scopes, - default_scopes=self.default_scopes, - granted_scopes=self.granted_scopes, - quota_project_id=self.quota_project_id, - rapt_token=self.rapt_token, - enable_reauth_refresh=self._enable_reauth_refresh, - trust_boundary=self._trust_boundary, - universe_domain=self._universe_domain, - account=account, - ) + cred = self._make_copy() + cred._account = account + return cred @_helpers.copy_docstring(credentials.CredentialsWithUniverseDomain) def with_universe_domain(self, universe_domain): - - return self.__class__( - self.token, - refresh_token=self.refresh_token, - id_token=self.id_token, - token_uri=self._token_uri, - client_id=self.client_id, - client_secret=self.client_secret, - scopes=self.scopes, - default_scopes=self.default_scopes, - granted_scopes=self.granted_scopes, - quota_project_id=self.quota_project_id, - rapt_token=self.rapt_token, - enable_reauth_refresh=self._enable_reauth_refresh, - trust_boundary=self._trust_boundary, - universe_domain=universe_domain, - account=self._account, - ) + cred = self._make_copy() + cred._universe_domain = universe_domain + return cred def _metric_header_for_usage(self): return metrics.CRED_TYPE_USER diff --git a/google/oauth2/service_account.py b/google/oauth2/service_account.py index 0e12868f1..538ec6680 100644 --- a/google/oauth2/service_account.py +++ b/google/oauth2/service_account.py @@ -220,7 +220,7 @@ def _from_signer_and_info(cls, signer, info, **kwargs): "universe_domain", credentials.DEFAULT_UNIVERSE_DOMAIN ), trust_boundary=info.get("trust_boundary"), - **kwargs + **kwargs, ) @classmethod 
@@ -294,6 +294,7 @@ def _make_copy(self): always_use_jwt_access=self._always_use_jwt_access, universe_domain=self._universe_domain, ) + cred._cred_file_path = self.__cred_file_path return cred @_helpers.copy_docstring(credentials.Scoped) @@ -503,6 +504,14 @@ def signer(self): def signer_email(self): return self._service_account_email + @_helpers.copy_docstring(credentials.Credentials) + def _get_cred_info(self): + if self._cred_file_path and self.service_account_email: + return f"This API call is authenticated as {self.service_account_email} from {self._source} via the GOOGLE_APPLICATION_CREDENTIALS environment variable." + if self._cred_file_path: + return f"This API call is authenticated from {self._cred_file_path} via the GOOGLE_APPLICATION_CREDENTIALS environment variable." + return None + class IDTokenCredentials( credentials.Signing, From 4c5397baf36a4d40284b32e3a44fcd6486407961 Mon Sep 17 00:00:00 2001 From: Sijun Liu Date: Tue, 9 Jul 2024 08:11:46 +0000 Subject: [PATCH 2/3] tmp --- google/oauth2/service_account.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/google/oauth2/service_account.py b/google/oauth2/service_account.py index 538ec6680..61fca9d1b 100644 --- a/google/oauth2/service_account.py +++ b/google/oauth2/service_account.py @@ -294,7 +294,7 @@ def _make_copy(self): always_use_jwt_access=self._always_use_jwt_access, universe_domain=self._universe_domain, ) - cred._cred_file_path = self.__cred_file_path + cred._cred_file_path = self._cred_file_path return cred @_helpers.copy_docstring(credentials.Scoped) From f7038b1a723fb6c926cc80f59d30f1bbe604fca3 Mon Sep 17 00:00:00 2001 From: Sijun Liu Date: Tue, 9 Jul 2024 08:13:40 +0000 Subject: [PATCH 3/3] tmp --- google/oauth2/service_account.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/google/oauth2/service_account.py b/google/oauth2/service_account.py index 61fca9d1b..4612d73d4 100644 --- a/google/oauth2/service_account.py +++ b/google/oauth2/service_account.py 
@@ -507,7 +507,7 @@ def signer_email(self): @_helpers.copy_docstring(credentials.Credentials) def _get_cred_info(self): if self._cred_file_path and self.service_account_email: - return f"This API call is authenticated as {self.service_account_email} from {self._source} via the GOOGLE_APPLICATION_CREDENTIALS environment variable." + return f"This API call is authenticated as {self.service_account_email} from {self._cred_file_path} via the GOOGLE_APPLICATION_CREDENTIALS environment variable." if self._cred_file_path: return f"This API call is authenticated from {self._cred_file_path} via the GOOGLE_APPLICATION_CREDENTIALS environment variable." return None