o >cnA@sdZddlZddlZddlZddlZddlZddlZddlZddlZddl m Z ddl Z ddl ZddlZddlZddlmZddlmZeZdZdZdZdZd Zgd ZGd d d eZ ddejj j!fddZ"GdddZ#Gddde j$Z%ddZ&dS)z8Provides authentication support for TensorBoardUploader.N)util) tb_logging)Zopenidz.https://www.googleapis.com/auth/userinfo.emaila  { "installed":{ "client_id":"373649185512-8v619h5kft38l4456nm2dj4ubeqsrvh6.apps.googleusercontent.com", "project_id":"hosted-tensorboard-prod", "auth_uri":"https://accounts.google.com/o/oauth2/auth", "token_uri":"https://oauth2.googleapis.com/token", "auth_provider_x509_cert_url":"https://www.googleapis.com/oauth2/v1/certs", "client_secret":"pOyAuU2yq2arsM98Bw5hwYtr", "redirect_uris":["http://localhost"] } } z)https://oauth2.googleapis.com/device/codez,urn:ietf:params:oauth:grant-type:device_codea { "installed":{ "client_id":"373649185512-26ojik4u7dt0rdtfdmfnhpajqqh579qd.apps.googleusercontent.com", "project_id":"hosted-tensorboard-prod", "auth_uri":"https://accounts.google.com/o/oauth2/auth", "token_uri":"https://oauth2.googleapis.com/token", "auth_provider_x509_cert_url":"https://www.googleapis.com/oauth2/v1/certs", "client_secret":"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" } } )Z tensorboard credentialszuploader-creds.jsonc@s:eZdZdZeZefddZddZddZdd Z d S) CredentialsStorezAPrivate file store for a `google.oauth2.credentials.Credentials`.cCsP|tjurt}|durtd|durd|_dStjj |gt R|_dS)awCreates a CredentialsStore. Args: user_config_directory: Optional absolute path to the root directory for storing user configs, under which to store the credentials file. If not set, defaults to a platform-specific location. If set to None, the store is disabled (reads return None; write and clear are no-ops). Nz@Credentials caching disabled - no private config directory found) r_DEFAULT_CONFIG_DIRECTORYrZget_user_config_directoryloggerZwarning_credentials_filepathospathjoin&TENSORBOARD_CREDENTIALS_FILEPATH_PARTS)selfZuser_config_directoryr9lib/python3.10/site-packages/tensorboard/uploader/auth.py__init__s  zCredentialsStore.__init__cCs2|jdurdStj|jrtjjj|jSdS)zMReturns the current `google.oauth2.credentials.Credentials`, or None.N) rr r existsgoogleoauth2r CredentialsZfrom_authorized_user_file)r rrrread_credentialss  z!CredentialsStore.read_credentialscCst|tjjjstdt||jdurdStj dk}t j |j|d|j |j |j|j|jdd}t|jd}t||WddS1sJwYdS)z>Writes a `google.oauth2.credentials.Credentials` to the store.z#Cannot write credentials of type %sNnt)privateZauthorized_user) refresh_token token_uri client_id client_secretscopestypew) isinstancerrrr TypeErrorrrr namerZmake_file_with_directoriesrrrrropenjsondump)r rrdatafrrrwrite_credentialss(   "z"CredentialsStore.write_credentialsc CsV|jdurdSz t|jWdSty*}z|jtjkrWYd}~dSd}~ww)z:Clears the store of any persisted credentials information.N)rr removeOSErrorerrnoENOENT)r errrclears  zCredentialsStore.clearN) __name__ __module__ __qualname____doc__objectrrrr'r-rrrrr|s  rFreturncCszt}|s.tdr.ztt}tjj||d}|j ddWSt j y-t j dYnwtt}t||d}|S)a+Makes the user authenticate to retrieve auth credentials. The default behavior is to use the [installed app flow]( http://developers.google.com/identity/protocols/oauth2/native-app), in which a browser is started for the user to authenticate, along with a local web server. The authentication in the browser would produce a redirect response to `localhost` with an authorization code that would then be received by the local web server started here. The two most notable cases where the default flow is not well supported are: - When the uploader is run from a colab notebook. - Then the uploader is run via a remote terminal (SSH). If any of the following is true, a different auth flow will be used: - the flag `--auth_force_console` is set to true, or - a browser is not available, or - a local web server cannot be started In this case, a [limited-input device flow]( http://developers.google.com/identity/protocols/oauth2/limited-input-device) will be used, in which the user is presented with a URL and a short code that they'd need to use to authenticate and authorize access in a separate browser or device. The uploader will poll for access until the access is granted or rejected, or the initiated authorization request expires. ZDISPLAY)rr)portz.Falling back to remote authentication flow... )OPENID_CONNECT_SCOPESr getenvr#loads"_INSTALLED_APP_OAUTH_CLIENT_CONFIG auth_flowsZInstalledAppFlowZfrom_client_configZrun_local_server webbrowserErrorsysstderrwrite)_LIMITED_INPUT_DEVICE_OAUTH_CLIENT_CONFIG_LimitedInputDeviceAuthFlowrun)Z force_consoler client_configflowrrrauthenticate_users   rDc@s^eZdZdZddZdejjjfddZ ddZ d e d e d e fd d Z dejjjfddZdS)r@zOAuth flow to authenticate using the limited-input device flow. See: http://developers.google.com/identity/protocols/oauth2/limited-input-device cCs|d|_||_dS)NZ installed)_client_config_scopes)r rBrrrrrs  z$_LimitedInputDeviceAuthFlow.__init__r3cCsL|}dj|d|dd}t||j|d|d|dd}||S) NzTo sign in with the TensorBoard uploader: 1. On your computer or phone, visit: {url} 2. Sign in with your Google account, then enter: {code} Zverification_urlZ user_code)urlcode device_codeinterval expires_in)rIpolling_intervalexpiration_seconds)_send_device_auth_requestformatprint_poll_for_auth_token_build_credentials)r Zdevice_responseZprompt_message auth_responserrrrAs z_LimitedInputDeviceAuthFlow.runcCs>|jdd|jd}tjt|d}d|vrtd|S)Nr )rZscoper%rIzZThere was an error while contacting Google's authorization server. Please try again later.)rEr rFrequestspost_DEVICE_AUTH_CODE_URIr# RuntimeError)r paramsrrrrrNs z5_LimitedInputDeviceAuthFlow._send_device_auth_requestrIrLrMc Cs|jd}|jd|jd|td}t|}t|krvtj||d}|}d|vr/|Sd|vr?|ddkr?t|n1d|vrU|dd krUt|d }t|nd|vrc|dd krctd |j d vrlt dt dt|kst d)Nrrr)rrrIZ grant_typerU access_tokenerrorZauthorization_pendingZ slow_downg?Z access_deniedzAccess was denied by user.>iiz&There must be an error in the request.z=An unexpected error occurred while waiting for authorization.z$Timed out waiting for authorization.) rE%_LIMITED_INPUT_DEVICE_AUTH_GRANT_TYPEtimerVrWr#sleepintPermissionErrorZ status_code ValueErrorrY TimeoutError) r rIrLrMrrZZexpiration_timeZrespr[rrrrQ*s4        z0_LimitedInputDeviceAuthFlow._poll_for_auth_tokenc CsZtjtt|d}tjjj|d|d|d|jd|jd|jd|j |dS) NrKr\rid_tokenrrr)rrerrrrZexpiry) datetimeZutcfromtimestamprar_rrrrrErF)r rSZexpiration_datetimerrrrRRsz._LimitedInputDeviceAuthFlow._build_credentialsN)r.r/r0r1rrrrrrArNstrrarQrRrrrrr@s  (r@cs(eZdZdZfddZddZZS)IdTokenAuthMetadataPluginasA `gRPC AuthMetadataPlugin` that uses ID tokens. This works like the existing `google.auth.transport.grpc.AuthMetadataPlugin` except that instead of always using access tokens, it preferentially uses the `Credentials.id_token` property if available (and logs an error otherwise). See http://www.grpc.io/grpc/python/grpc.html#grpc.AuthMetadataPlugin cs>tt|t|tjjjstdt |||_ ||_ dS)a3Constructs an IdTokenAuthMetadataPlugin. Args: credentials (google.auth.credentials.Credentials): The credentials to add to requests. request (google.auth.transport.Request): A HTTP transport request object used to refresh credentials as needed. z-Cannot get ID tokens from credentials type %sN) superrhrrrrrrr r _credentials_request)r rrequest __class__rrros  z"IdTokenAuthMetadataPlugin.__init__cCs`i}|j|j|j|j|t|jdd}|r |jj||dntd|t | ddS)aPasses authorization metadata into the given callback. Args: context (grpc.AuthMetadataContext): The RPC context. callback (grpc.AuthMetadataPluginCallback): The callback that will be invoked to pass in the authorization metadata. reN)tokenz#Failed to find ID token credentials) rjZbefore_requestrk method_nameZ service_urlgetattrZapplyrr]listitems)r contextcallbackZheadersrerrr__call__s z"IdTokenAuthMetadataPlugin.__call__)r.r/r0r1rrv __classcell__rrrmrrhes rhcCstjjj}tt||S)zConstructs `grpc.CallCredentials` using `google.auth.Credentials.id_token`. Args: credentials (google.auth.credentials.Credentials): The credentials to use. Returns: grpc.CallCredentials: The call credentials. )rZauthZ transportrVZRequestgrpcZmetadata_call_credentialsrh)rrlrrrid_token_call_credentialss ry)F)'r1rfr*r#r rVr<r_r:Zgoogle_auth_oauthlib.flowrCr9rxZ google.authrZgoogle.auth.transport.requestsZgoogle.oauth2.credentialsZtensorboard.uploaderrZtensorboard.utilrZ get_loggerrr5r8rXr^r?r r2rrrrrDr@ZAuthMetadataPluginrhryrrrrs@   N -o 1