Updates/cleanup (#1614)

* Handle socks error when checking local time offset * Keep pylint happy * Avoid trap when authentication flow blows up * Fix bug that causes trap on create project
2026-06-28 09:51:36 +00:00 · 2023-03-16 09:31:20 -07:00
parent a6582503f2
commit 42ed5509ee
3 changed files with 27 additions and 13 deletions
--- a/src/gam/init.py
+++ b/src/gam/init.py
@@ -636,8 +636,10 @@ TIME_OFFSET_UNITS = [('day', 86400), ('hour', 3600), ('minute', 60),


 def getLocalGoogleTimeOffset(testLocation='admin.googleapis.com'):
+    # If local time is well off, it breaks https because the server certificate
+    # will be seen as too old or new and thus invalid; http doesn't have that issue.
    # Try with http first, if time is close (<MAX_LOCAL_GOOGLE_TIME_OFFSET seconds),
-    # retry with https
+    # retry with https as it should be OK
    badhttp = transport.create_http()
    for prot in ['http', 'https']:
        localUTC = datetime.datetime.now(datetime.timezone.utc)
@@ -646,6 +648,12 @@ def getLocalGoogleTimeOffset(testLocation='admin.googleapis.com'):
                badhttp.request(f'{prot}://' + testLocation, 'HEAD')[0]['date'])
        except (httplib2.ServerNotFoundError, RuntimeError, ValueError) as e:
            controlflow.system_error_exit(4, str(e))
+        except httplib2.socks.HTTPError as e:
+            # If user has specified an HTTPS proxy, the http request will probably fail as httplib2
+            # turns a GET into a CONNECT which is not valid for an http address
+            if prot == 'http':
+                continue
+            handleServerError(e)
        offset = remainder = int(abs((localUTC - googleUTC).total_seconds()))
        if offset < MAX_LOCAL_GOOGLE_TIME_OFFSET and prot == 'http':
            continue
@@ -7957,6 +7965,7 @@ def doCreateOrRotateServiceAccountKeys(iam=None,
                                       client_email=None,
                                       client_id=None):
    local_key_size = 2048
+    validity_hours = 0
    mode = 'retainexisting'
    body = {}
    if iam:
@@ -7976,7 +7985,6 @@ def doCreateOrRotateServiceAccountKeys(iam=None,
        mode = 'retainnone'
        i = 3
        iam = buildGAPIServiceObject('iam', None)
-        validity_hours = 0
        while i < len(sys.argv):
            myarg = sys.argv[i].lower().replace('_', '')
            if myarg == 'algorithm':
--- a/src/gam/auth/init.py
+++ b/src/gam/auth/init.py
@@ -5,7 +5,6 @@ import os

 from google.auth.jwt import Credentials as JWTCredentials

-import gam
 from gam import utils

 from gam.auth import oauth
@@ -29,8 +28,7 @@ def get_admin_credentials_filename():
    # some custom name in it. Otherwise, just use the default name.
    if GC_Values[GC_ENABLE_DASA]:
        return GC_Values[GC_OAUTH2SERVICE_JSON] if GC_Values[GC_OAUTH2SERVICE_JSON] else _FN_OAUTH2SERVICE_JSON
-    else:
-        return GC_Values[GC_OAUTH2_TXT] if GC_Values[GC_OAUTH2_TXT] else _FN_OAUTH2_TXT
+    return GC_Values[GC_OAUTH2_TXT] if GC_Values[GC_OAUTH2_TXT] else _FN_OAUTH2_TXT


 def get_admin_credentials(api=None):
@@ -47,12 +45,12 @@ def get_admin_credentials(api=None):
        if key_type == 'default':
            return JWTCredentials.from_service_account_info(creds_data,
                                                            audience=audience)
-        elif key_type == 'yubikey':
+        if key_type == 'yubikey':
            yksigner = yubikey.YubiKey(creds_data)
            return JWTCredentials._from_signer_and_info(yksigner,
                creds_data,
                audience=audience)
-        elif key_type == 'signjwt':
+        if key_type == 'signjwt':
            sjsigner = signjwt.SignJwt(creds_data)
            return signjwt.JWTCredentials._from_signer_and_info(sjsigner,
                    creds_data,
--- a/src/gam/auth/oauth.py
+++ b/src/gam/auth/oauth.py
@@ -50,6 +50,7 @@ MESSAGE_LOCAL_SERVER_SUCCESS = ('The authentication flow has completed. You may'
                                ' close this browser window and return to GAM.')

 MESSAGE_AUTHENTICATION_COMPLETE = ('\nThe authentication flow has completed.\n')
+MESSAGE_AUTHENTICATION_FAILED = ('\nThe authentication flow failed, reissue command')


 class CredentialsError(Exception):
@@ -629,15 +630,22 @@ class _ShortURLFlow(google_auth_oauthlib.flow.InstalledAppFlow):
        print(MESSAGE_CONSOLE_AUTHORIZATION_PROMPT.format(url=d['auth_url']))
        user_input.start()
        userInput = False
-        while True:
+        alive = 2
+        while alive > 0:
            sleep(0.1)
            if not http_client.is_alive():
-                user_input.terminate()
-                break
-            elif not user_input.is_alive():
+                if 'code' in d:
+                    user_input.terminate()
+                    break
+                alive -= 1
+            if not user_input.is_alive():
                userInput = True
-                http_client.terminate()
-                break
+                if 'code' in d:
+                    http_client.terminate()
+                    break
+                alive -= 1
+        if 'code' not in d:
+            controlflow.system_error_exit(8, MESSAGE_AUTHENTICATION_FAILED)
        while True:
            code = d['code']
            if code.startswith('http'):