WhGAVdZddlZddlZddlZddlZddlZddlZddlZddlZddl m Z ddl Z ddl ZddlZddlZddlmZddlmZejZdZdZdZdZd Zgd ZGd d Z ddejjj fdZ!GddZ"Gdde j#Z$dZ%dS)z8Provides authentication support for TensorBoardUploader.N)util) tb_logging)openidz.https://www.googleapis.com/auth/userinfo.emaila  { "installed":{ "client_id":"373649185512-8v619h5kft38l4456nm2dj4ubeqsrvh6.apps.googleusercontent.com", "project_id":"hosted-tensorboard-prod", "auth_uri":"https://accounts.google.com/o/oauth2/auth", "token_uri":"https://oauth2.googleapis.com/token", "auth_provider_x509_cert_url":"https://www.googleapis.com/oauth2/v1/certs", "client_secret":"pOyAuU2yq2arsM98Bw5hwYtr", "redirect_uris":["http://localhost"] } } z)https://oauth2.googleapis.com/device/codez,urn:ietf:params:oauth:grant-type:device_codea { "installed":{ "client_id":"373649185512-26ojik4u7dt0rdtfdmfnhpajqqh579qd.apps.googleusercontent.com", "project_id":"hosted-tensorboard-prod", "auth_uri":"https://accounts.google.com/o/oauth2/auth", "token_uri":"https://oauth2.googleapis.com/token", "auth_provider_x509_cert_url":"https://www.googleapis.com/oauth2/v1/certs", "client_secret":"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" } } ) tensorboard credentialszuploader-creds.jsoncBeZdZdZeZefdZdZdZdZ dS)CredentialsStorezAPrivate file store for a `google.oauth2.credentials.Credentials`.c|tjur/tj}|td| d|_dStjj |gtR|_dS)awCreates a CredentialsStore. Args: user_config_directory: Optional absolute path to the root directory for storing user configs, under which to store the credentials file. If not set, defaults to a platform-specific location. If set to None, the store is disabled (reads return None; write and clear are no-ops). Nz@Credentials caching disabled - no private config directory found) r _DEFAULT_CONFIG_DIRECTORYrget_user_config_directoryloggerwarning_credentials_filepathospathjoin&TENSORBOARD_CREDENTIALS_FILEPATH_PARTS)selfuser_config_directorys _/var/www/html/movieo_spanner_bot/venv/lib/python3.11/site-packages/tensorboard/uploader/auth.py__init__zCredentialsStore.__init__s !$4$N N N$($B$D$D !$,V ! ()-D & & &)+%*(N***D & & &c|jdStj|jr.tjjj|jSdS)zMReturns the current `google.oauth2.credentials.Credentials`, or None.N) rrrexistsgoogleoauth2r Credentialsfrom_authorized_user_file)rs rread_credentialsz!CredentialsStore.read_credentialssX  % -4 7>>$4 5 5  )5OO.  trct|tjjjst dt |z|jdStj dk}tj |j||j |j |j|j|jdd}t#|jd5}t%j||ddddS#1swxYwYdS)z>Writes a `google.oauth2.credentials.Credentials` to the store.z#Cannot write credentials of type %sNnt)privateauthorized_user) refresh_token token_uri client_id client_secretscopestypew) isinstancerrrr TypeErrorr)rrnamermake_file_with_directoriesr$r%r&r'r(openjsondump)rrr"datafs rwrite_credentialsz"CredentialsStore.write_credentialss4+v}'@'LMM 5[8I8II   % - F'T/ '  &    )6$.$.(6!(%   $,c 2 2 a IdA                     s/CCCc|jdS tj|jdS#t$r!}|jtjkrYd}~dSd}~wwxYw)z:Clears the store of any persisted credentials information.N)rrremoveOSErrorerrnoENOENT)res rclearzCredentialsStore.clearss  % - F  Id0 1 1 1 1 1   w%,&&'&&&&& s& AA  AN) __name__ __module__ __qualname____doc__objectr rrr4r;rrr r |sjKK &-F,   4rr Freturnct}|stjdr tjt }t j||}| dS#tj $r"tj dYnwxYwtjt}t!||}|S)a+Makes the user authenticate to retrieve auth credentials. The default behavior is to use the [installed app flow]( http://developers.google.com/identity/protocols/oauth2/native-app), in which a browser is started for the user to authenticate, along with a local web server. The authentication in the browser would produce a redirect response to `localhost` with an authorization code that would then be received by the local web server started here. The two most notable cases where the default flow is not well supported are: - When the uploader is run from a colab notebook. - Then the uploader is run via a remote terminal (SSH). If any of the following is true, a different auth flow will be used: - the flag `--auth_force_console` is set to true, or - a browser is not available, or - a local web server cannot be started In this case, a [limited-input device flow]( http://developers.google.com/identity/protocols/oauth2/limited-input-device) will be used, in which the user is presented with a URL and a short code that they'd need to use to authenticate and authorize access in a separate browser or device. The uploader will poll for access until the access is granted or rejected, or the initiated authorization request expires. DISPLAY)r(r)portz.Falling back to remote authentication flow... )OPENID_CONNECT_SCOPESrgetenvr0loads"_INSTALLED_APP_OAUTH_CLIENT_CONFIG auth_flowsInstalledAppFlowfrom_client_configrun_local_server webbrowserErrorsysstderrwrite)_LIMITED_INPUT_DEVICE_OAUTH_CLIENT_CONFIG_LimitedInputDeviceAuthFlowrun) force_consoler( client_configflows rauthenticate_userrYs8#F PRYy11P P J'IJJM.AAfBD((a(00 0 P P P J  N O O O O O PJHIIM &}V D D DD 88::sAA//.B B ceZdZdZdZdejjjfdZ dZ de de de fd Z dejjjfd Zd S) rTzOAuth flow to authenticate using the limited-input device flow. See: http://developers.google.com/identity/protocols/oauth2/limited-input-device c.|d|_||_dS)N installed)_client_config_scopes)rrWr(s rrz$_LimitedInputDeviceAuthFlow.__init__s,K8 rrBc |}d|d|d}t|||d|d|d}||S) NzTo sign in with the TensorBoard uploader: 1. On your computer or phone, visit: {url} 2. Sign in with your Google account, then enter: {code} verification_url user_code)urlcode device_codeinterval expires_in)rdpolling_intervalexpiration_seconds)_send_device_auth_requestformatprint_poll_for_auth_token_build_credentials)rdevice_responseprompt_message auth_responses rrUz_LimitedInputDeviceAuthFlow.runs88:: !&#$67$[1!  n11' 6,Z8.|<2  &&}555rc|jdd|jd}tjt |}d|vrtd|S)Nr& )r&scoper2rdzZThere was an error while contacting Google's authorization server. Please try again later.)r]rr^requestspost_DEVICE_AUTH_CODE_URIr0 RuntimeError)rparamsrs rriz5_LimitedInputDeviceAuthFlow._send_device_auth_requestsv,[9XXdl++   M/f = = = B B D D  ! !2 rrdrgrhc|jd}|jd|jd|td}tj|z}tj|krtj||}|}d|vr|Sd|vr!|ddkrtj|n}d|vr3|dd kr't|d z}tj|nFd|vr|dd krtd |j d vrtdtdtj|ktd)Nr%r&r')r&r'rd grant_typert access_tokenerrorauthorization_pending slow_downg? access_deniedzAccess was denied by user.>z&There must be an error in the request.z=An unexpected error occurred while waiting for authorization.z$Timed out waiting for authorization.) r]%_LIMITED_INPUT_DEVICE_AUTH_GRANT_TYPEtimerurvr0sleepintPermissionError status_code ValueErrorrx TimeoutError) rrdrgrhr%ryexpiration_timeresprzs rrlz0_LimitedInputDeviceAuthFlow._poll_for_auth_token*s}' 4 ,[9!0A&?    )++(::ikkO++=888D A""A!G*0G"G"G +,,,,A!G* ";"; $''7#'=#>#>  +,,,,A!G*"?"?%&BCCC!Z// !IJJJ"%+ikkO++2ABBBrc Vtjttj|dz}tjj|d|d|d|jd|jd|jd|j |S) Nrfr}r$id_tokenr%r&r')r$rr%r&r'r(expiry) datetimeutcfromtimestamprrrrrrr]r^)rrpexpiration_datetimes rrmz._LimitedInputDeviceAuthFlow._build_credentialsRs'/@@   }\: :  }(44 . )'8":.)+6)+6-o><&5   rN)r<r=r>r?rrrrrrUristrrrlrmrArrrTrTs  6V].:66664   &C&C25&CKN&C&C&C&CP  " .      rrTc(eZdZdZfdZdZxZS)IdTokenAuthMetadataPluginasA `gRPC AuthMetadataPlugin` that uses ID tokens. This works like the existing `google.auth.transport.grpc.AuthMetadataPlugin` except that instead of always using access tokens, it preferentially uses the `Credentials.id_token` property if available (and logs an error otherwise). See http://www.grpc.io/grpc/python/grpc.html#grpc.AuthMetadataPlugin ctt|tjjjstdt|z||_ ||_ dS)a3Constructs an IdTokenAuthMetadataPlugin. Args: credentials (google.auth.credentials.Credentials): The credentials to add to requests. request (google.auth.transport.Request): A HTTP transport request object used to refresh credentials as needed. z-Cannot get ID tokens from credentials type %sN) superrr+rrrrr,r) _credentials_request)rrrequest __class__s rrz"IdTokenAuthMetadataPlugin.__init__oso +v}'@'LMM ?{##$ ( rcVi}|j|j|j|j|t |jdd}|r|j||ntd|t| ddS)aPasses authorization metadata into the given callback. Args: context (grpc.AuthMetadataContext): The RPC context. callback (grpc.AuthMetadataPluginCallback): The callback that will be invoked to pass in the authorization metadata. rN)tokenz#Failed to find ID token credentials) rbefore_requestr method_name service_urlgetattrapplyr r~listitems)rcontextcallbackheadersrs r__call__z"IdTokenAuthMetadataPlugin.__call__s (( M7.0CW   4,j$??  @   # #G8 # < < < < LL> ? ? ?gmmoo&&-----r)r<r=r>r?rr __classcell__)rs@rrresQ     $.......rrctjjj}t jt||S)zConstructs `grpc.CallCredentials` using `google.auth.Credentials.id_token`. Args: credentials (google.auth.credentials.Credentials): The credentials to use. Returns: grpc.CallCredentials: The call credentials. )rauth transportruRequestgrpcmetadata_call_credentialsr)rrs rid_token_call_credentialsrs?k#,4466G  )!+w77  r)F)&r?rr8r0rrurPrrNgoogle_auth_oauthlib.flowrXrJr google.authrgoogle.auth.transport.requestsgoogle.oauth2.credentialstensorboard.uploaderrtensorboard.utilr get_loggerr rFrIrwrrSrr rrrrYrTAuthMetadataPluginrrrArrrs ?>  ...... %%%% %%%%%%''''''     &"(D3&* -) ***&JJJJJJJJ\** ]*****Zl l l l l l l l ^.......... 7......b     r