o ΔaZy@sddlmZ eZgdZzddlmZWney$ddlmZYnwddl Z ddl Z ddl Z ddl m Z ddl Z ddlmZddlZzddlmZWney\ddlmZYnwzddlmZWneytddlmZYnwddlZdd lmZmZdd lmZeeureZneZdd l m!Z!dd l"m#Z$m%Z%m&Z&m'Z'dd l(m)Z)dZ*dZ+dZ,dZ-dZ.e/e0e1fZ2ddZ3ddZ4Gddde&Z5Gddde$Z#Gddde$Z6Gddde7Z8Gdd d e8Z9Gd!d"d"e8Z:Gd#d$d$e8Z;Gd%d&d&e7ZGd+d,d,e?Z@Gd-d.d.e@ZAGd/d0d0e@ZBGd1d2d2eBZCGd3d4d4eBZDGd5d6d6eDZEGd7d8d8e@ZFGd9d:d:e@ZGGd;d<dd>e@ZIdS)?)print_function) AccessTokenAnonymousAccessToken AuthorizeRequestTokenWithBrowserCredentialStoreRequestTokenAuthorizationEngineConsumer Credentials)StringION)select)stdin) urlencode)urljoin) b64decode b64encode)parse_qs) HTTPError)rrOAuthAuthorizerSystemWideConsumer)urisz+request-tokenz +access-tokenz+authorize-tokenicCsttjddS)zWhether the user has disabled SSL certificate connection. Some testing servers have broken certificates. Rather than raising an error, we allow an environment variable, ``LP_DISABLE_SSL_CERTIFICATE_VALIDATION`` to disable the check. Z%LP_DISABLE_SSL_CERTIFICATE_VALIDATIONF)boolosenvirongetrr:/usr/lib/python3/dist-packages/launchpadlib/credentials.py$_ssl_certificate_validation_disabledVs rcCsDt}tj|dj|d|t|d\}}|jdkrt||||fS)zPOST to ``url`` with ``headers`` and a body of urlencoded ``params``. Wraps it up to make sure we avoid the SSL certificate validation if our environment tells us to. Also, raises an error on non-200 statuses. )Z"disable_ssl_certificate_validationZPOST)methodheadersbody)rhttplib2ZHttpZrequestr statusr)urlrparamsZ cert_disabledresponsecontentrrr _http_postcs  r(c@sXeZdZdZdZdZdZdZdZddZ e d d Z de j efd d Ze j fd dZdS)r zStandard credentials storage and usage class. :ivar consumer: The consumer (application) :type consumer: `Consumer` :ivar access_token: Access information on behalf of the user :type access_token: `AccessToken` NZuridictz
 cCs0t}|||}t|tr|d}|S)zeTurn this object into a string. This should probably be moved into OAuthAuthorizer. utf-8)r savegetvalue isinstance unicode_typeencode)selfZsio serializedrrr serializes    zCredentials.serializecCs,|}t|ts |d}|t||S)z}Create a `Credentials` object from a serialized string. This should probably be moved into OAuthAuthorizer. r+)r.r/decodeloadr )clsvalue credentialsrrr from_strings   zCredentials.from_stringc Cs|jdus Jd|jdusJdt|}t|jjddd}|t}d|i}||jkr1d|d <t|||\}}t |t rC| d }||jkr]t |}|durU||d <t||_|St||_d |t|jjf}|durz||j_|d |7}|S)aRequest an OAuth token to Launchpad. Also store the token in self._request_token. This method must not be called on an object with no consumer specified or if an access token has already been obtained. :param context: The context of this token, that is, its scope of validity within Launchpad. :param web_root: The URL of the website on which the token should be requested. :token_format: How the token should be presented. URI_TOKEN_FORMAT means just return the URL to the page that authorizes the token. DICT_TOKEN_FORMAT means return a dictionary describing the token and the site's authentication policy. :return: If token_format is URI_TOKEN_FORMAT, the URL for the user to authorize the `AccessToken` provided by Launchpad. If token_format is DICT_TOKEN_FORMAT, a dict of information about the new access token. NzConsumer not specified.zAccess token already obtained. PLAINTEXT&)oauth_consumer_keyoauth_signature_methodoauth_signatureRefererzapplication/jsonZAcceptr+ lp.contextz%s%s?oauth_token=%sz&lp.context=%s)consumer access_tokenrlookup_web_rootr)keyrequest_token_pageDICT_TOKEN_FORMATr(r.bytesr4jsonloadsr from_params_request_tokenr9authorize_token_pagecontext) r1rMweb_root token_formatr%r$rr&r'rrrget_request_tokens>         zCredentials.get_request_tokencCsl|jdus Jdt|}t|jjd|jjd|jjd}|t}d|i}t|||\}}t ||_ dS)adExchange the previously obtained request token for an access token. This method must not be called unless get_request_token() has been called and completed successfully. The access token will be stored as self.access_token. :param web_root: The base URL of the website that granted the request token. Nz5get_request_token() doesn't seem to have been called.r:z&%s)r<r= oauth_tokenr>r?) rKrrCr)rArDsecretaccess_token_pager(rr9rB)r1rNr%r$rr&r'rrr'exchange_request_token_for_access_tokens  z3Credentials.exchange_request_token_for_access_token)__name__ __module__ __qualname____doc__rKZURI_TOKEN_FORMATrFZITEM_SEPARATORNEWLINEr3 classmethodr9rZSTAGING_WEB_ROOTrPrTrrrrr rs    >r c@s(eZdZdZeddZeddZdS)rzAn OAuth access token.cCs&|d}|d}|d}||||S)z:Create and return a new `AccessToken` from the given dict.rQoauth_token_secretr@)r)r6r%rDrRrMrrrrJs  zAccessToken.from_paramscCst|ts |d}t|dd}|d}t|dksJd|d}|d}t|dks0Jd |d}|d }|d urKt|dksGJd |d}||||S) zNFcs,tt||d|_|rt||_dSdSrq)r^rrr_ _fallbackMemoryCredentialStore)r1rdfallbackrarrr_ss zKeyringCredentialStore.__init__cCsLdtvr ddladtvr$z ddlmaWdSty#taYdSwdS)aGEnsure the keyring module is imported (postponing side effects). The keyring module initializes the environment-dependent backend at import time (nasty). We want to avoid that initialization because it may do things like prompt the user to unlock their password store (e.g., KWallet). keyringrNNoKeyringError)rw)globalsrvZkeyring.errorsrw ImportError RuntimeErrorrrrr_ensure_keyring_importedys    z/KeyringCredentialStore._ensure_keyring_importedc Cs||}|jt|}z td||dWdStyF}zttkr/dt |vr/|j r:|j ||nWYd}~dSd}~ww)z2Store newly-authorized credentials in the keyring. launchpadlibr+$No recommended backend was availableN) r{r3 B64MARKERrrvZ set_passwordr4rwrzstrrsr,)r1r8rpr2rjrrrrfs&   zKeyringCredentialStore.do_savec Cs|ztd|}Wn'ty3}zttkrdt|vr|jr.|j|WYd}~Sd}~ww|durst|t rB| d}| |j r`z t |t|j d}Wn ty_YdSwzt|}|WStyrYdSwdS)z&Retrieve credentials from the keyring.r|r}Nutf8)r{rvZ get_passwordrwrzrrsr5r.r/r0 startswithr~rr\ TypeErrorr r9rh)r1rpZcredential_stringrjr8rrrrnsD       zKeyringCredentialStore.do_load)NF) rUrVrWrXr~r_ staticmethodr{rfrnrcrrrarrris rrc2eZdZdZd fdd ZddZddZZS) UnencryptedFileCredentialStorezStore credentials unencrypted in a file on disk. This is a good solution for scripts that need to run without any user interaction. Ncstt||||_dSrq)r^rr_filename)r1rrdrarrr_s  z'UnencryptedFileCredentialStore.__init__cCs||jdS)zSave the credentials to disk.N)Z save_to_pathrr1r8rprrrrfsz&UnencryptedFileCredentialStore.do_savecCs4tj|jrt|jtjdkst|jSdS)zLoad the credentials from disk.rN)rpathexistsrstatST_SIZEr Zload_from_pathrorrrrns  z&UnencryptedFileCredentialStore.do_loadrqrUrVrWrXr_rfrnrcrrrarrs rcr) rtzCredentialStore that stores keys only in memory. This can be used to provide a CredentialStore instance without actually saving any key to persistent storage. Ncstt||i|_dSrq)r^rtr_ _credentialsrerarrr_s zMemoryCredentialStore.__init__cCs||j|<dS)z!Store the credentials in our dictN)rrrrrrfszMemoryCredentialStore.do_savecCs |j|S)z&Retrieve the credentials from our dict)rrrorrrrns zMemoryCredentialStore.do_loadrqrrrrarrts rtc@sPeZdZdZdZ   dddZeddZdd Zd d Z d d Z ddZ dS)ra/The superclass of all request token authorizers. This base class does not implement request token authorization, since that varies depending on how you want the end-user to authorize a request token. You'll need to subclass this class and implement `make_end_user_authorize_token`. Z UNAUTHORIZEDNcCst||_t||_|dur|durtd|dur(|dur(td||f|dur4dg}t|}nt|}|}||_||_ |pCg|_ dS)aDBase class initialization. :param service_root: The root of the Launchpad instance being used. :param application_name: The name of the application that wants to use launchpadlib. This is used in conjunction with a desktop-wide integration. If you specify this argument, your values for consumer_name and allow_access_levels are ignored. :param consumer_name: The OAuth consumer name, for an application that wants its own point of integration into Launchpad. In almost all cases, you want to specify application_name instead and do a desktop-wide integration. The exception is when you're integrating a third-party website into Launchpad. :param allow_access_levels: A list of the Launchpad access levels to present to the user. ('READ_PUBLIC' and so on.) Your value for this argument will be ignored during a desktop-wide integration. :type allow_access_levels: A list of strings. Nz:You must provide either application_name or consumer_name.zZYou must provide only one of application_name and consumer_name. (You provided %r and %r.)ZDESKTOP_INTEGRATION) rZlookup_service_root service_rootZweb_root_for_service_rootrN ValueErrorrrrAapplication_nameallow_access_levels)r1rr consumer_namerrArrrr_ s(  z(RequestTokenAuthorizationEngine.__init__cCs|jjd|jS)z7Return a string identifying this consumer on this host.@)rArDrr`rrrriIsz2RequestTokenAuthorizationEngine.unique_consumer_idcCs>dt|f}d}t|jdkr||||j7}t|j|S)zReturn the authorization URL for a request token. This is the URL the end-user must visit to authorize the token. How exactly does this happen? That depends on the subclass implementation. z%s?oauth_token=%sz&allow_permission=r)rLr\rjoinrrN)r1 request_tokenZpageZallow_permissionrrrauthorization_urlNs  z1RequestTokenAuthorizationEngine.authorization_urlcCs6||}||||jdurdS|||j|S)adAuthorize a token and associate it with the given credentials. If the credential store runs into a problem storing the credential locally, the `credential_save_failed` callback will be invoked. The callback will not be invoked if there's a problem authorizing the credentials. :param credentials: A `Credentials` object. If the end-user authorizes these credentials, this object will have its .access_token property set. :param credential_store: A `CredentialStore` object. If the end-user authorizes the credentials, they will be persisted locally using this object. :return: If the credentials are successfully authorized, the return value is the `Credentials` object originally passed in. Otherwise the return value is None. N)rPmake_end_user_authorize_tokenrBr,ri)r1r8Zcredential_storeZrequest_token_stringrrr__call__]s   z(RequestTokenAuthorizationEngine.__call__cCs|j|jtjd}|dS)z\Get a new request token from the server. :param return: The request token. )rNrOrQ)rPrNr rF)r1r8Zauthorization_jsonrrrrP{sz1RequestTokenAuthorizationEngine.get_request_tokencCrk)a5Authorize the given request token using the given credentials. Your subclass must implement this method: it has no default implementation. Because an access token may expire or be revoked in the middle of a session, this method may be called at arbitrary points in a launchpadlib session, or even multiple times during a single session (with a different request token each time). In most cases, however, this method will be called at the beginning of a launchpadlib session, or not at all. rl)r1r8rrrrrsz=RequestTokenAuthorizationEngine.make_end_user_authorize_tokenNNN) rUrVrWrXZUNAUTHORIZED_ACCESS_LEVELr_propertyrirrrPrrrrrrs @  rc@s@eZdZdZdZdZddZddZdd Zd d Z d d Z dS)AuthorizeRequestTokenWithURLzAuthorize using a URL. This authorizer simply shows the URL for the user to open for authorization, and waits until the server responds. zPlease open this authorization page: (%s) in your browser. Use your browser to authorize this program to access Launchpad on your behalf.z.Press Enter after authorizing in your browser.cCs t|dS)zDisplay a message. By default, prints the message to standard output. The message does not require any user interaction--it's solely informative. N)print)r1messagerrroutputs z#AuthorizeRequestTokenWithURL.outputcCs||j|dS)Notify the end-user of the URL.N)rWAITING_FOR_USER)r1rrrr!notify_end_user_authorization_urlsz>AuthorizeRequestTokenWithURL.notify_end_user_authorization_urlc Cspz||jWn*ty2}z|jjdkrt|j|jjdkr)tdt|t|jd}~ww|j duS)z Check if the end-user authorizediiz#Unexpected response from Launchpad:N) rTrNrr&r#EndUserDeclinedAuthorizationr'rEndUserNoAuthorizationrB)r1r8rjrrrcheck_end_user_authorizations     z9AuthorizeRequestTokenWithURL.check_end_user_authorizationcCs"||jt||dS)"Wait for the end-user to authorizeN)rWAITING_FOR_LAUNCHPADr readliner)r1r8rrrwait_for_end_user_authorizations zs              Kf;f