From 42ed5509ee4d35862ba46420b3bd260f6eb2c4c5 Mon Sep 17 00:00:00 2001
From: Ross Scroggs <ross.scroggs@gmail.com>
Date: Thu, 16 Mar 2023 09:31:20 -0700
Subject: [PATCH] Updates/cleanup (#1614)

* Handle socks error when checking local time offset

* Keep pylint happy

* Avoid trap when authentication flow blows up

* Fix bug that causes trap on create project
---
 src/gam/__init__.py      | 12 ++++++++++--
 src/gam/auth/__init__.py |  8 +++-----
 src/gam/auth/oauth.py    | 20 ++++++++++++++------
 3 files changed, 27 insertions(+), 13 deletions(-)

diff --git a/src/gam/__init__.py b/src/gam/__init__.py
index 2ac8f0d2..8a306116 100755
--- a/src/gam/__init__.py
+++ b/src/gam/__init__.py
@@ -636,8 +636,10 @@ TIME_OFFSET_UNITS = [('day', 86400), ('hour', 3600), ('minute', 60),
 
 
 def getLocalGoogleTimeOffset(testLocation='admin.googleapis.com'):
+    # If local time is well off, it breaks https because the server certificate
+    # will be seen as too old or new and thus invalid; http doesn't have that issue.
     # Try with http first, if time is close (<MAX_LOCAL_GOOGLE_TIME_OFFSET seconds),
-    # retry with https
+    # retry with https as it should be OK
     badhttp = transport.create_http()
     for prot in ['http', 'https']:
         localUTC = datetime.datetime.now(datetime.timezone.utc)
@@ -646,6 +648,12 @@ def getLocalGoogleTimeOffset(testLocation='admin.googleapis.com'):
                 badhttp.request(f'{prot}://' + testLocation, 'HEAD')[0]['date'])
         except (httplib2.ServerNotFoundError, RuntimeError, ValueError) as e:
             controlflow.system_error_exit(4, str(e))
+        except httplib2.socks.HTTPError as e:
+            # If user has specified an HTTPS proxy, the http request will probably fail as httplib2
+            # turns a GET into a CONNECT which is not valid for an http address
+            if prot == 'http':
+                continue
+            handleServerError(e)
         offset = remainder = int(abs((localUTC - googleUTC).total_seconds()))
         if offset < MAX_LOCAL_GOOGLE_TIME_OFFSET and prot == 'http':
             continue
@@ -7957,6 +7965,7 @@ def doCreateOrRotateServiceAccountKeys(iam=None,
                                        client_email=None,
                                        client_id=None):
     local_key_size = 2048
+    validity_hours = 0
     mode = 'retainexisting'
     body = {}
     if iam:
@@ -7976,7 +7985,6 @@ def doCreateOrRotateServiceAccountKeys(iam=None,
         mode = 'retainnone'
         i = 3
         iam = buildGAPIServiceObject('iam', None)
-        validity_hours = 0
         while i < len(sys.argv):
             myarg = sys.argv[i].lower().replace('_', '')
             if myarg == 'algorithm':
diff --git a/src/gam/auth/__init__.py b/src/gam/auth/__init__.py
index 5d4206a8..5bba4ac6 100644
--- a/src/gam/auth/__init__.py
+++ b/src/gam/auth/__init__.py
@@ -5,7 +5,6 @@ import os
 
 from google.auth.jwt import Credentials as JWTCredentials
 
-import gam
 from gam import utils
 
 from gam.auth import oauth
@@ -29,8 +28,7 @@ def get_admin_credentials_filename():
     # some custom name in it. Otherwise, just use the default name.
     if GC_Values[GC_ENABLE_DASA]:
         return GC_Values[GC_OAUTH2SERVICE_JSON] if GC_Values[GC_OAUTH2SERVICE_JSON] else _FN_OAUTH2SERVICE_JSON
-    else:
-        return GC_Values[GC_OAUTH2_TXT] if GC_Values[GC_OAUTH2_TXT] else _FN_OAUTH2_TXT
+    return GC_Values[GC_OAUTH2_TXT] if GC_Values[GC_OAUTH2_TXT] else _FN_OAUTH2_TXT
 
 
 def get_admin_credentials(api=None):
@@ -47,12 +45,12 @@ def get_admin_credentials(api=None):
         if key_type == 'default':
             return JWTCredentials.from_service_account_info(creds_data,
                                                             audience=audience)
-        elif key_type == 'yubikey':
+        if key_type == 'yubikey':
             yksigner = yubikey.YubiKey(creds_data)
             return JWTCredentials._from_signer_and_info(yksigner,
                 creds_data,
                 audience=audience)
-        elif key_type == 'signjwt':
+        if key_type == 'signjwt':
             sjsigner = signjwt.SignJwt(creds_data)
             return signjwt.JWTCredentials._from_signer_and_info(sjsigner,
                     creds_data,
diff --git a/src/gam/auth/oauth.py b/src/gam/auth/oauth.py
index b300548f..72acbc09 100644
--- a/src/gam/auth/oauth.py
+++ b/src/gam/auth/oauth.py
@@ -50,6 +50,7 @@ MESSAGE_LOCAL_SERVER_SUCCESS = ('The authentication flow has completed. You may'
                                 ' close this browser window and return to GAM.')
 
 MESSAGE_AUTHENTICATION_COMPLETE = ('\nThe authentication flow has completed.\n')
+MESSAGE_AUTHENTICATION_FAILED = ('\nThe authentication flow failed, reissue command')
 
 
 class CredentialsError(Exception):
@@ -629,15 +630,22 @@ class _ShortURLFlow(google_auth_oauthlib.flow.InstalledAppFlow):
         print(MESSAGE_CONSOLE_AUTHORIZATION_PROMPT.format(url=d['auth_url']))
         user_input.start()
         userInput = False
-        while True:
+        alive = 2
+        while alive > 0:
             sleep(0.1)
             if not http_client.is_alive():
-                user_input.terminate()
-                break
-            elif not user_input.is_alive():
+                if 'code' in d:
+                    user_input.terminate()
+                    break
+                alive -= 1
+            if not user_input.is_alive():
                 userInput = True
-                http_client.terminate()
-                break
+                if 'code' in d:
+                    http_client.terminate()
+                    break
+                alive -= 1
+        if 'code' not in d:
+            controlflow.system_error_exit(8, MESSAGE_AUTHENTICATION_FAILED)
         while True:
             code = d['code']
             if code.startswith('http'):