Fix GCE creds serialization w/ oauth2client >= 4.0 (#195)

Fix GCE creds serialization w/ oauth2client >= 4.0 When updating gsutil to use oauth2client 4.1.2 and apitools 0.5.19, testing on GCE instances showed that GceAssertionCredentials were not being written to our credential storage file. Debugging showed that this was because of a KeyError when looking for the 'scope' attribute in a serialized credential (no longer included as of oauth2client 3.0). This change maintains backward compatibility for oauth2client versions that used the 'scope' attribute while also working for current versions that don't include 'scope' when constructing a GceAssertionCredentials object.
google · Dec 15, 2017 · 91a8932 · 91a8932
1 parent b1c9c71
commit 91a8932
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 3 deletions.
diff --git a/apitools/base/py/credentials_lib.py b/apitools/base/py/credentials_lib.py
@@ -268,7 +268,7 @@ def __init__(self, scopes=None, service_account_name='default', **kwds):
         # catch and squelch the warning.
         with warnings.catch_warnings():
             warnings.simplefilter('ignore')
-            super(GceAssertionCredentials, self).__init__(scopes, **kwds)
+            super(GceAssertionCredentials, self).__init__(scope=scopes, **kwds)
 
     @classmethod
     def Get(cls, *args, **kwds):
@@ -412,14 +412,26 @@ def _do_refresh_request(self, unused_http_request):
         if self.store:
             self.store.locked_put(self)
 
+    def to_json(self):
+        # OAuth2Client made gce.AppAssertionCredentials unserializable as of
+        # v3.0, but we need those credentials to be serializable for use with
+        # this library, so we use AppAssertionCredentials' parent's to_json
+        # method.
+        # pylint: disable=bad-super-call
+        return super(gce.AppAssertionCredentials, self).to_json()
+
     @classmethod
     def from_json(cls, json_data):
         data = json.loads(json_data)
         kwargs = {}
         if 'cache_filename' in data.get('kwargs', []):
             kwargs['cache_filename'] = data['kwargs']['cache_filename']
-        credentials = GceAssertionCredentials(scopes=[data['scope']],
-                                              **kwargs)
+        # Newer versions of GceAssertionCredentials don't have a "scope"
+        # attribute.
+        scope_list = None
+        if 'scope' in data:
+            scope_list = [data['scope']]
+        credentials = GceAssertionCredentials(scopes=scope_list, **kwargs)
         if 'access_token' in data:
             credentials.access_token = data['access_token']
         if 'token_expiry' in data:

diff --git a/apitools/base/py/credentials_lib_test.py b/apitools/base/py/credentials_lib_test.py
@@ -13,6 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+import json
 import os.path
 import shutil
 import tempfile
@@ -81,6 +82,18 @@ def testGceServiceAccounts(self):
             service_account_name='my_service_account',
             scopes=scopes)
 
+    def testGceAssertionCredentialsToJson(self):
+        scopes = ['scope1']
+        service_account_name = 'my_service_account'
+        # Ensure that we can obtain a JSON representation of
+        # GceAssertionCredentials to put in a credential Storage object, and
+        # that the JSON representation is valid.
+        original_creds = self._GetServiceCreds(
+            service_account_name=service_account_name,
+            scopes=scopes)
+        original_creds_json_str = original_creds.to_json()
+        json.loads(original_creds_json_str)
+
     @mock.patch.object(util, 'DetectGce', autospec=True)
     def testGceServiceAccountsCached(self, mock_detect):
         mock_detect.return_value = True