From 91a893238cf2b0a4813533c9d242ff2cef19981a Mon Sep 17 00:00:00 2001 From: Matt Houglum Date: Fri, 15 Dec 2017 10:42:40 -0800 Subject: [PATCH] Fix GCE creds serialization w/ oauth2client >= 4.0 (#195) Fix GCE creds serialization w/ oauth2client >= 4.0 When updating gsutil to use oauth2client 4.1.2 and apitools 0.5.19, testing on GCE instances showed that GceAssertionCredentials were not being written to our credential storage file. Debugging showed that this was because of a KeyError when looking for the 'scope' attribute in a serialized credential (no longer included as of oauth2client 3.0). This change maintains backward compatibility for oauth2client versions that used the 'scope' attribute while also working for current versions that don't include 'scope' when constructing a GceAssertionCredentials object. --- apitools/base/py/credentials_lib.py | 18 +++++++++++++++--- apitools/base/py/credentials_lib_test.py | 13 +++++++++++++ 2 files changed, 28 insertions(+), 3 deletions(-) diff --git a/apitools/base/py/credentials_lib.py b/apitools/base/py/credentials_lib.py index 8eb9be3f..72a86204 100644 --- a/apitools/base/py/credentials_lib.py +++ b/apitools/base/py/credentials_lib.py @@ -268,7 +268,7 @@ def __init__(self, scopes=None, service_account_name='default', **kwds): # catch and squelch the warning. with warnings.catch_warnings(): warnings.simplefilter('ignore') - super(GceAssertionCredentials, self).__init__(scopes, **kwds) + super(GceAssertionCredentials, self).__init__(scope=scopes, **kwds) @classmethod def Get(cls, *args, **kwds): @@ -412,14 +412,26 @@ def _do_refresh_request(self, unused_http_request): if self.store: self.store.locked_put(self) + def to_json(self): + # OAuth2Client made gce.AppAssertionCredentials unserializable as of + # v3.0, but we need those credentials to be serializable for use with + # this library, so we use AppAssertionCredentials' parent's to_json + # method. + # pylint: disable=bad-super-call + return super(gce.AppAssertionCredentials, self).to_json() + @classmethod def from_json(cls, json_data): data = json.loads(json_data) kwargs = {} if 'cache_filename' in data.get('kwargs', []): kwargs['cache_filename'] = data['kwargs']['cache_filename'] - credentials = GceAssertionCredentials(scopes=[data['scope']], - **kwargs) + # Newer versions of GceAssertionCredentials don't have a "scope" + # attribute. + scope_list = None + if 'scope' in data: + scope_list = [data['scope']] + credentials = GceAssertionCredentials(scopes=scope_list, **kwargs) if 'access_token' in data: credentials.access_token = data['access_token'] if 'token_expiry' in data: diff --git a/apitools/base/py/credentials_lib_test.py b/apitools/base/py/credentials_lib_test.py index d628d71b..80b970c4 100644 --- a/apitools/base/py/credentials_lib_test.py +++ b/apitools/base/py/credentials_lib_test.py @@ -13,6 +13,7 @@ # See the License for the specific language governing permissions and # limitations under the License. +import json import os.path import shutil import tempfile @@ -81,6 +82,18 @@ def testGceServiceAccounts(self): service_account_name='my_service_account', scopes=scopes) + def testGceAssertionCredentialsToJson(self): + scopes = ['scope1'] + service_account_name = 'my_service_account' + # Ensure that we can obtain a JSON representation of + # GceAssertionCredentials to put in a credential Storage object, and + # that the JSON representation is valid. + original_creds = self._GetServiceCreds( + service_account_name=service_account_name, + scopes=scopes) + original_creds_json_str = original_creds.to_json() + json.loads(original_creds_json_str) + @mock.patch.object(util, 'DetectGce', autospec=True) def testGceServiceAccountsCached(self, mock_detect): mock_detect.return_value = True