# Copyright 2014 Google Inc. All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""A simple wrapper around the OAuth2 credentials library."""
from oauth2client import client
def get_credentials():
    """Build credentials implicitly from the current environment.

    .. note::

        Calling this function directly is rarely necessary. The helpers
        :func:`gcloud.datastore.__init__.get_connection` and
        :func:`gcloud.datastore.__init__.get_dataset` use it under the hood.

    The environment is checked in this order of precedence:

    - Google App Engine (production and testing)
    - Environment variable GOOGLE_APPLICATION_CREDENTIALS pointing to
      a file with stored credentials information.
    - Stored "well known" file associated with `gcloud` command line tool.
    - Google Compute Engine production environment.

    The file named by GOOGLE_APPLICATION_CREDENTIALS must describe
    credentials that are ready to use: either user account information with
    a ready-to-use refresh token::

        {
          'type': 'authorized_user',
          'client_id': '...',
          'client_secret': '...',
          'refresh_token': '...',
        }

    or service account information::

        {
          'type': 'service_account',
          'client_id': '...',
          'client_email': '...',
          'private_key_id': '...',
          'private_key': '...',
        }

    The service account form is simply a JSON key downloaded from the Google
    APIs console. The authorized user form is a close cousin of the "client
    secrets" JSON file used by `oauth2client.clientsecrets` but differs in
    formatting.

    Both layouts hold long-lived secrets (a client secret with a refresh
    token, or a private key), so the file should be readable only by the
    account that runs the application and kept out of version control.

    :rtype: :class:`oauth2client.client.GoogleCredentials`,
            :class:`oauth2client.appengine.AppAssertionCredentials`,
            :class:`oauth2client.gce.AppAssertionCredentials`,
            :class:`oauth2client.service_account._ServiceAccountCredentials`
    :returns: A new credentials instance corresponding to the implicit
              environment.
    """
    # All environment detection is delegated to oauth2client.
    application_default = client.GoogleCredentials.get_application_default()
    return application_default
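def get_for_service_account_p12(client_email, private_key_path, scope=None):
    """Gets the credentials for a service account from a P12 key file.

    .. note::

        This method is not used by default; :func:`get_credentials` is used
        instead. It is intended for cases where the environment is known
        explicitly and detecting it implicitly would be superfluous.

    .. note::

        The P12 file contains the service account's private key. Keep it
        readable only by the account that runs the application and out of
        version control.

    :type client_email: string
    :param client_email: The e-mail attached to the service account.

    :type private_key_path: string
    :param private_key_path: The path to a private key file (this file was
                             given to you when you created the service
                             account). This file must be in P12 format.

    :type scope: string or tuple of strings
    :param scope: The scope against which to authenticate. (Different services
                  require different scopes, check the documentation for which
                  scope is required for the different levels of access to any
                  particular API.)

    :rtype: :class:`oauth2client.client.SignedJwtAssertionCredentials`
    :returns: A new SignedJwtAssertionCredentials instance with the
              needed service account settings.
    :raises IOError: if the key file cannot be opened or read.
    """
    # Read the key inside a ``with`` block so the handle on the private key
    # file is closed as soon as the bytes are in memory, rather than being
    # left open until the file object happens to be garbage collected.
    with open(private_key_path, 'rb') as key_file:
        private_key = key_file.read()

    return client.SignedJwtAssertionCredentials(
        service_account_name=client_email,
        private_key=private_key,
        scope=scope)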