Source

ytmanager / gdata / gauth.py

   1
   2
   3
   4
   5
   6
   7
   8
   9
  10
  11
  12
  13
  14
  15
  16
  17
  18
  19
  20
  21
  22
  23
  24
  25
  26
  27
  28
  29
  30
  31
  32
  33
  34
  35
  36
  37
  38
  39
  40
  41
  42
  43
  44
  45
  46
  47
  48
  49
  50
  51
  52
  53
  54
  55
  56
  57
  58
  59
  60
  61
  62
  63
  64
  65
  66
  67
  68
  69
  70
  71
  72
  73
  74
  75
  76
  77
  78
  79
  80
  81
  82
  83
  84
  85
  86
  87
  88
  89
  90
  91
  92
  93
  94
  95
  96
  97
  98
  99
 100
 101
 102
 103
 104
 105
 106
 107
 108
 109
 110
 111
 112
 113
 114
 115
 116
 117
 118
 119
 120
 121
 122
 123
 124
 125
 126
 127
 128
 129
 130
 131
 132
 133
 134
 135
 136
 137
 138
 139
 140
 141
 142
 143
 144
 145
 146
 147
 148
 149
 150
 151
 152
 153
 154
 155
 156
 157
 158
 159
 160
 161
 162
 163
 164
 165
 166
 167
 168
 169
 170
 171
 172
 173
 174
 175
 176
 177
 178
 179
 180
 181
 182
 183
 184
 185
 186
 187
 188
 189
 190
 191
 192
 193
 194
 195
 196
 197
 198
 199
 200
 201
 202
 203
 204
 205
 206
 207
 208
 209
 210
 211
 212
 213
 214
 215
 216
 217
 218
 219
 220
 221
 222
 223
 224
 225
 226
 227
 228
 229
 230
 231
 232
 233
 234
 235
 236
 237
 238
 239
 240
 241
 242
 243
 244
 245
 246
 247
 248
 249
 250
 251
 252
 253
 254
 255
 256
 257
 258
 259
 260
 261
 262
 263
 264
 265
 266
 267
 268
 269
 270
 271
 272
 273
 274
 275
 276
 277
 278
 279
 280
 281
 282
 283
 284
 285
 286
 287
 288
 289
 290
 291
 292
 293
 294
 295
 296
 297
 298
 299
 300
 301
 302
 303
 304
 305
 306
 307
 308
 309
 310
 311
 312
 313
 314
 315
 316
 317
 318
 319
 320
 321
 322
 323
 324
 325
 326
 327
 328
 329
 330
 331
 332
 333
 334
 335
 336
 337
 338
 339
 340
 341
 342
 343
 344
 345
 346
 347
 348
 349
 350
 351
 352
 353
 354
 355
 356
 357
 358
 359
 360
 361
 362
 363
 364
 365
 366
 367
 368
 369
 370
 371
 372
 373
 374
 375
 376
 377
 378
 379
 380
 381
 382
 383
 384
 385
 386
 387
 388
 389
 390
 391
 392
 393
 394
 395
 396
 397
 398
 399
 400
 401
 402
 403
 404
 405
 406
 407
 408
 409
 410
 411
 412
 413
 414
 415
 416
 417
 418
 419
 420
 421
 422
 423
 424
 425
 426
 427
 428
 429
 430
 431
 432
 433
 434
 435
 436
 437
 438
 439
 440
 441
 442
 443
 444
 445
 446
 447
 448
 449
 450
 451
 452
 453
 454
 455
 456
 457
 458
 459
 460
 461
 462
 463
 464
 465
 466
 467
 468
 469
 470
 471
 472
 473
 474
 475
 476
 477
 478
 479
 480
 481
 482
 483
 484
 485
 486
 487
 488
 489
 490
 491
 492
 493
 494
 495
 496
 497
 498
 499
 500
 501
 502
 503
 504
 505
 506
 507
 508
 509
 510
 511
 512
 513
 514
 515
 516
 517
 518
 519
 520
 521
 522
 523
 524
 525
 526
 527
 528
 529
 530
 531
 532
 533
 534
 535
 536
 537
 538
 539
 540
 541
 542
 543
 544
 545
 546
 547
 548
 549
 550
 551
 552
 553
 554
 555
 556
 557
 558
 559
 560
 561
 562
 563
 564
 565
 566
 567
 568
 569
 570
 571
 572
 573
 574
 575
 576
 577
 578
 579
 580
 581
 582
 583
 584
 585
 586
 587
 588
 589
 590
 591
 592
 593
 594
 595
 596
 597
 598
 599
 600
 601
 602
 603
 604
 605
 606
 607
 608
 609
 610
 611
 612
 613
 614
 615
 616
 617
 618
 619
 620
 621
 622
 623
 624
 625
 626
 627
 628
 629
 630
 631
 632
 633
 634
 635
 636
 637
 638
 639
 640
 641
 642
 643
 644
 645
 646
 647
 648
 649
 650
 651
 652
 653
 654
 655
 656
 657
 658
 659
 660
 661
 662
 663
 664
 665
 666
 667
 668
 669
 670
 671
 672
 673
 674
 675
 676
 677
 678
 679
 680
 681
 682
 683
 684
 685
 686
 687
 688
 689
 690
 691
 692
 693
 694
 695
 696
 697
 698
 699
 700
 701
 702
 703
 704
 705
 706
 707
 708
 709
 710
 711
 712
 713
 714
 715
 716
 717
 718
 719
 720
 721
 722
 723
 724
 725
 726
 727
 728
 729
 730
 731
 732
 733
 734
 735
 736
 737
 738
 739
 740
 741
 742
 743
 744
 745
 746
 747
 748
 749
 750
 751
 752
 753
 754
 755
 756
 757
 758
 759
 760
 761
 762
 763
 764
 765
 766
 767
 768
 769
 770
 771
 772
 773
 774
 775
 776
 777
 778
 779
 780
 781
 782
 783
 784
 785
 786
 787
 788
 789
 790
 791
 792
 793
 794
 795
 796
 797
 798
 799
 800
 801
 802
 803
 804
 805
 806
 807
 808
 809
 810
 811
 812
 813
 814
 815
 816
 817
 818
 819
 820
 821
 822
 823
 824
 825
 826
 827
 828
 829
 830
 831
 832
 833
 834
 835
 836
 837
 838
 839
 840
 841
 842
 843
 844
 845
 846
 847
 848
 849
 850
 851
 852
 853
 854
 855
 856
 857
 858
 859
 860
 861
 862
 863
 864
 865
 866
 867
 868
 869
 870
 871
 872
 873
 874
 875
 876
 877
 878
 879
 880
 881
 882
 883
 884
 885
 886
 887
 888
 889
 890
 891
 892
 893
 894
 895
 896
 897
 898
 899
 900
 901
 902
 903
 904
 905
 906
 907
 908
 909
 910
 911
 912
 913
 914
 915
 916
 917
 918
 919
 920
 921
 922
 923
 924
 925
 926
 927
 928
 929
 930
 931
 932
 933
 934
 935
 936
 937
 938
 939
 940
 941
 942
 943
 944
 945
 946
 947
 948
 949
 950
 951
 952
 953
 954
 955
 956
 957
 958
 959
 960
 961
 962
 963
 964
 965
 966
 967
 968
 969
 970
 971
 972
 973
 974
 975
 976
 977
 978
 979
 980
 981
 982
 983
 984
 985
 986
 987
 988
 989
 990
 991
 992
 993
 994
 995
 996
 997
 998
 999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
#!/usr/bin/env python
#
# Copyright (C) 2009 Google Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.


# This module is used for version 2 of the Google Data APIs.


"""Provides auth related token classes and functions for Google Data APIs.

Token classes represent a user's authorization of this app to access their
data. Usually these are not created directly but by a GDClient object.

ClientLoginToken
AuthSubToken
SecureAuthSubToken
OAuthHmacToken
OAuthRsaToken
TwoLeggedOAuthHmacToken
TwoLeggedOAuthRsaToken

Functions which are often used in application code (as opposed to just within
the gdata-python-client library) are the following:

generate_auth_sub_url
authorize_request_token

The following are helper functions which are used to save and load auth token
objects in the App Engine datastore. These should only be used if you are using
this library within App Engine:

ae_load
ae_save
"""


import time
import random
import urllib
import atom.http_core


__author__ = 'j.s@google.com (Jeff Scudder)'


PROGRAMMATIC_AUTH_LABEL = 'GoogleLogin auth='
AUTHSUB_AUTH_LABEL = 'AuthSub token='


# This dict provides the AuthSub and OAuth scopes for all services by service
# name. The service name (key) is used in ClientLogin requests.
AUTH_SCOPES = {
    'cl': ( # Google Calendar API
        'https://www.google.com/calendar/feeds/',
        'http://www.google.com/calendar/feeds/'),
    'gbase': ( # Google Base API
        'http://base.google.com/base/feeds/',
        'http://www.google.com/base/feeds/'),
    'blogger': ( # Blogger API
        'http://www.blogger.com/feeds/',),
    'codesearch': ( # Google Code Search API
        'http://www.google.com/codesearch/feeds/',),
    'cp': ( # Contacts API
        'https://www.google.com/m8/feeds/',
        'http://www.google.com/m8/feeds/'),
    'finance': ( # Google Finance API
        'http://finance.google.com/finance/feeds/',),
    'health': ( # Google Health API
        'https://www.google.com/health/feeds/',),
    'writely': ( # Documents List API
        'https://docs.google.com/feeds/',
        'http://docs.google.com/feeds/'),
    'lh2': ( # Picasa Web Albums API
        'http://picasaweb.google.com/data/',),
    'apps': ( # Google Apps Provisioning API
        'http://www.google.com/a/feeds/',
        'https://www.google.com/a/feeds/',
        'http://apps-apis.google.com/a/feeds/',
        'https://apps-apis.google.com/a/feeds/'),
    'weaver': ( # Health H9 Sandbox
        'https://www.google.com/h9/feeds/',),
    'wise': ( # Spreadsheets Data API
        'https://spreadsheets.google.com/feeds/',
        'http://spreadsheets.google.com/feeds/'),
    'sitemaps': ( # Google Webmaster Tools API
        'https://www.google.com/webmasters/tools/feeds/',),
    'youtube': ( # YouTube API
        'http://gdata.youtube.com/feeds/api/',
        'http://uploads.gdata.youtube.com/feeds/api',
        'http://gdata.youtube.com/action/GetUploadToken'),
    'books': ( # Google Books API
        'http://www.google.com/books/feeds/',),
    'analytics': ( # Google Analytics API
        'https://www.google.com/analytics/feeds/',),
    'jotspot': ( # Google Sites API
        'http://sites.google.com/feeds/',
        'https://sites.google.com/feeds/'),
    'local': ( # Google Maps Data API
        'http://maps.google.com/maps/feeds/',),
    'code': ( # Project Hosting Data API
        'http://code.google.com/feeds/issues',)}



class Error(Exception):
  pass


class UnsupportedTokenType(Error):
  """Raised when token to or from blob is unable to convert the token."""
  pass


# ClientLogin functions and classes.
def generate_client_login_request_body(email, password, service, source,
    account_type='HOSTED_OR_GOOGLE', captcha_token=None,
    captcha_response=None):
  """Creates the body of the autentication request

  See http://code.google.com/apis/accounts/AuthForInstalledApps.html#Request
  for more details.

  Args:
    email: str
    password: str
    service: str
    source: str
    account_type: str (optional) Defaul is 'HOSTED_OR_GOOGLE', other valid
        values are 'GOOGLE' and 'HOSTED'
    captcha_token: str (optional)
    captcha_response: str (optional)

  Returns:
    The HTTP body to send in a request for a client login token.
  """
  # Create a POST body containing the user's credentials.
  request_fields = {'Email': email,
                    'Passwd': password,
                    'accountType': account_type,
                    'service': service,
                    'source': source}
  if captcha_token and captcha_response:
    # Send the captcha token and response as part of the POST body if the
    # user is responding to a captch challenge.
    request_fields['logintoken'] = captcha_token
    request_fields['logincaptcha'] = captcha_response
  return urllib.urlencode(request_fields)


GenerateClientLoginRequestBody = generate_client_login_request_body


def get_client_login_token_string(http_body):
  """Returns the token value for a ClientLoginToken.

  Reads the token from the server's response to a Client Login request and
  creates the token value string to use in requests.

  Args:
    http_body: str The body of the server's HTTP response to a Client Login
        request

  Returns:
    The token value string for a ClientLoginToken.
  """
  for response_line in http_body.splitlines():
    if response_line.startswith('Auth='):
      # Strip off the leading Auth= and return the Authorization value.
      return response_line[5:]
  return None


GetClientLoginTokenString = get_client_login_token_string


def get_captcha_challenge(http_body,
    captcha_base_url='http://www.google.com/accounts/'):
  """Returns the URL and token for a CAPTCHA challenge issued by the server.

  Args:
    http_body: str The body of the HTTP response from the server which
        contains the CAPTCHA challenge.
    captcha_base_url: str This function returns a full URL for viewing the
        challenge image which is built from the server's response. This
        base_url is used as the beginning of the URL because the server
        only provides the end of the URL. For example the server provides
        'Captcha?ctoken=Hi...N' and the URL for the image is
        'http://www.google.com/accounts/Captcha?ctoken=Hi...N'

  Returns:
    A dictionary containing the information needed to repond to the CAPTCHA
    challenge, the image URL and the ID token of the challenge. The
    dictionary is in the form:
    {'token': string identifying the CAPTCHA image,
     'url': string containing the URL of the image}
    Returns None if there was no CAPTCHA challenge in the response.
  """
  contains_captcha_challenge = False
  captcha_parameters = {}
  for response_line in http_body.splitlines():
    if response_line.startswith('Error=CaptchaRequired'):
      contains_captcha_challenge = True
    elif response_line.startswith('CaptchaToken='):
      # Strip off the leading CaptchaToken=
      captcha_parameters['token'] = response_line[13:]
    elif response_line.startswith('CaptchaUrl='):
      captcha_parameters['url'] = '%s%s' % (captcha_base_url,
          response_line[11:])
  if contains_captcha_challenge:
    return captcha_parameters
  else:
    return None


GetCaptchaChallenge = get_captcha_challenge


class ClientLoginToken(object):

  def __init__(self, token_string):
    self.token_string = token_string

  def modify_request(self, http_request):
    http_request.headers['Authorization'] = '%s%s' % (PROGRAMMATIC_AUTH_LABEL,
        self.token_string)

  ModifyRequest = modify_request


# AuthSub functions and classes.
def _to_uri(str_or_uri):
  if isinstance(str_or_uri, (str, unicode)):
    return atom.http_core.Uri.parse_uri(str_or_uri)
  return str_or_uri


def generate_auth_sub_url(next, scopes, secure=False, session=True,
    request_url=atom.http_core.parse_uri(
        'https://www.google.com/accounts/AuthSubRequest'),
    domain='default', scopes_param_prefix='auth_sub_scopes'):
  """Constructs a URI for requesting a multiscope AuthSub token.

  The generated token will contain a URL parameter to pass along the
  requested scopes to the next URL. When the Google Accounts page
  redirects the broswser to the 'next' URL, it appends the single use
  AuthSub token value to the URL as a URL parameter with the key 'token'.
  However, the information about which scopes were requested is not
  included by Google Accounts. This method adds the scopes to the next
  URL before making the request so that the redirect will be sent to
  a page, and both the token value and the list of scopes for which the token
  was requested.

  Args:
    next: atom.http_core.Uri or string The URL user will be sent to after
          authorizing this web application to access their data.
    scopes: list containint strings or atom.http_core.Uri objects. The URLs
            of the services to be accessed. Could also be a single string
            or single atom.http_core.Uri for requesting just one scope.
    secure: boolean (optional) Determines whether or not the issued token
            is a secure token.
    session: boolean (optional) Determines whether or not the issued token
             can be upgraded to a session token.
    request_url: atom.http_core.Uri or str The beginning of the request URL.
                 This is normally
                 'http://www.google.com/accounts/AuthSubRequest' or
                 '/accounts/AuthSubRequest'
    domain: The domain which the account is part of. This is used for Google
            Apps accounts, the default value is 'default' which means that
            the requested account is a Google Account (@gmail.com for
            example)
    scopes_param_prefix: str (optional) The requested scopes are added as a
                         URL parameter to the next URL so that the page at
                         the 'next' URL can extract the token value and the
                         valid scopes from the URL. The key for the URL
                         parameter defaults to 'auth_sub_scopes'

  Returns:
    An atom.http_core.Uri which the user's browser should be directed to in
    order to authorize this application to access their information.
  """
  if isinstance(next, (str, unicode)):
    next = atom.http_core.Uri.parse_uri(next)
  # If the user passed in a string instead of a list for scopes, convert to
  # a single item tuple.
  if isinstance(scopes, (str, unicode, atom.http_core.Uri)):
    scopes = (scopes,)
  scopes_string = ' '.join([str(scope) for scope in scopes])
  next.query[scopes_param_prefix] = scopes_string

  if isinstance(request_url, (str, unicode)):
    request_url = atom.http_core.Uri.parse_uri(request_url)
  request_url.query['next'] = str(next)
  request_url.query['scope'] = scopes_string
  if session:
    request_url.query['session'] = '1'
  else:
    request_url.query['session'] = '0'
  if secure:
    request_url.query['secure'] = '1'
  else:
    request_url.query['secure'] = '0'
  request_url.query['hd'] = domain
  return request_url


def auth_sub_string_from_url(url, scopes_param_prefix='auth_sub_scopes'):
  """Finds the token string (and scopes) after the browser is redirected.

  After the Google Accounts AuthSub pages redirect the user's broswer back to
  the web application (using the 'next' URL from the request) the web app must
  extract the token from the current page's URL. The token is provided as a
  URL parameter named 'token' and if generate_auth_sub_url was used to create
  the request, the token's valid scopes are included in a URL parameter whose
  name is specified in scopes_param_prefix.

  Args:
    url: atom.url.Url or str representing the current URL. The token value
         and valid scopes should be included as URL parameters.
    scopes_param_prefix: str (optional) The URL parameter key which maps to
                         the list of valid scopes for the token.

  Returns:
    A tuple containing the token value as a string, and a tuple of scopes
    (as atom.http_core.Uri objects) which are URL prefixes under which this
    token grants permission to read and write user data.
    (token_string, (scope_uri, scope_uri, scope_uri, ...))
    If no scopes were included in the URL, the second value in the tuple is
    None. If there was no token param in the url, the tuple returned is
    (None, None)
  """
  if isinstance(url, (str, unicode)):
    url = atom.http_core.Uri.parse_uri(url)
  if 'token' not in url.query:
    return (None, None)
  token = url.query['token']
  # TODO: decide whether no scopes should be None or ().
  scopes = None # Default to None for no scopes.
  if scopes_param_prefix in url.query:
    scopes = tuple(url.query[scopes_param_prefix].split(' '))
  return (token, scopes)


AuthSubStringFromUrl = auth_sub_string_from_url


def auth_sub_string_from_body(http_body):
  """Extracts the AuthSub token from an HTTP body string.

  Used to find the new session token after making a request to upgrade a
  single use AuthSub token.

  Args:
    http_body: str The repsonse from the server which contains the AuthSub
        key. For example, this function would find the new session token
        from the server's response to an upgrade token request.

  Returns:
    The raw token value string to use in an AuthSubToken object.
  """
  for response_line in http_body.splitlines():
    if response_line.startswith('Token='):
      # Strip off Token= and return the token value string.
      return response_line[6:]
  return None


class AuthSubToken(object):

  def __init__(self, token_string, scopes=None):
    self.token_string = token_string
    self.scopes = scopes or []

  def modify_request(self, http_request):
    """Sets Authorization header, allows app to act on the user's behalf."""
    http_request.headers['Authorization'] = '%s%s' % (AUTHSUB_AUTH_LABEL,
        self.token_string)

  ModifyRequest = modify_request

  def from_url(str_or_uri):
    """Creates a new AuthSubToken using information in the URL.

    Uses auth_sub_string_from_url.

    Args:
      str_or_uri: The current page's URL (as a str or atom.http_core.Uri)
                  which should contain a token query parameter since the
                  Google auth server redirected the user's browser to this
                  URL.
    """
    token_and_scopes = auth_sub_string_from_url(str_or_uri)
    return AuthSubToken(token_and_scopes[0], token_and_scopes[1])

  from_url = staticmethod(from_url)
  FromUrl = from_url

  def _upgrade_token(self, http_body):
    """Replaces the token value with a session token from the auth server.

    Uses the response of a token upgrade request to modify this token. Uses
    auth_sub_string_from_body.
    """
    self.token_string = auth_sub_string_from_body(http_body)


# Functions and classes for Secure-mode AuthSub
def build_auth_sub_data(http_request, timestamp, nonce):
  """Creates the data string which must be RSA-signed in secure requests.

  For more details see the documenation on secure AuthSub requests:
  http://code.google.com/apis/accounts/docs/AuthSub.html#signingrequests

  Args:
    http_request: The request being made to the server. The Request's URL
        must be complete before this signature is calculated as any changes
        to the URL will invalidate the signature.
    nonce: str Random 64-bit, unsigned number encoded as an ASCII string in
        decimal format. The nonce/timestamp pair should always be unique to
        prevent replay attacks.
    timestamp: Integer representing the time the request is sent. The
        timestamp should be expressed in number of seconds after January 1,
        1970 00:00:00 GMT.
  """
  return '%s %s %s %s' % (http_request.method, str(http_request.uri),
                          str(timestamp), nonce)


def generate_signature(data, rsa_key):
  """Signs the data string for a secure AuthSub request."""
  import base64
  try:
    from tlslite.utils import keyfactory
  except ImportError:
    from gdata.tlslite.utils import keyfactory
  private_key = keyfactory.parsePrivateKey(rsa_key)
  signed = private_key.hashAndSign(data)
  # Python2.3 and lower does not have the base64.b64encode function.
  if hasattr(base64, 'b64encode'):
    return base64.b64encode(signed)
  else:
    return base64.encodestring(signed).replace('\n', '')


class SecureAuthSubToken(AuthSubToken):

  def __init__(self, token_string, rsa_private_key, scopes=None):
    self.token_string = token_string
    self.scopes = scopes or []
    self.rsa_private_key = rsa_private_key

  def from_url(str_or_uri, rsa_private_key):
    """Creates a new SecureAuthSubToken using information in the URL.

    Uses auth_sub_string_from_url.

    Args:
      str_or_uri: The current page's URL (as a str or atom.http_core.Uri)
          which should contain a token query parameter since the Google auth
          server redirected the user's browser to this URL.
      rsa_private_key: str the private RSA key cert used to sign all requests
          made with this token.
    """
    token_and_scopes = auth_sub_string_from_url(str_or_uri)
    return SecureAuthSubToken(token_and_scopes[0], rsa_private_key,
                              token_and_scopes[1])

  from_url = staticmethod(from_url)
  FromUrl = from_url

  def modify_request(self, http_request):
    """Sets the Authorization header and includes a digital signature.

    Calculates a digital signature using the private RSA key, a timestamp
    (uses now at the time this method is called) and a random nonce.

    Args:
      http_request: The atom.http_core.HttpRequest which contains all of the
          information needed to send a request to the remote server. The
          URL and the method of the request must be already set and cannot be
          changed after this token signs the request, or the signature will
          not be valid.
    """
    timestamp = str(int(time.time()))
    nonce = ''.join([str(random.randint(0, 9)) for i in xrange(15)])
    data = build_auth_sub_data(http_request, timestamp, nonce)
    signature = generate_signature(data, self.rsa_private_key)
    http_request.headers['Authorization'] = (
        '%s%s sigalg="rsa-sha1" data="%s" sig="%s"' % (AUTHSUB_AUTH_LABEL,
            self.token_string, data, signature))

  ModifyRequest = modify_request


# OAuth functions and classes.
RSA_SHA1 = 'RSA-SHA1'
HMAC_SHA1 = 'HMAC-SHA1'


def build_oauth_base_string(http_request, consumer_key, nonce, signaure_type,
                            timestamp, version, next='oob', token=None,
                            verifier=None):
  """Generates the base string to be signed in the OAuth request.

  Args:
    http_request: The request being made to the server. The Request's URL
        must be complete before this signature is calculated as any changes
        to the URL will invalidate the signature.
    consumer_key: Domain identifying the third-party web application. This is
        the domain used when registering the application with Google. It
        identifies who is making the request on behalf of the user.
    nonce: Random 64-bit, unsigned number encoded as an ASCII string in decimal
        format. The nonce/timestamp pair should always be unique to prevent
        replay attacks.
    signaure_type: either RSA_SHA1 or HMAC_SHA1
    timestamp: Integer representing the time the request is sent. The
        timestamp should be expressed in number of seconds after January 1,
        1970 00:00:00 GMT.
    version: The OAuth version used by the requesting web application. This
        value must be '1.0' or '1.0a'. If not provided, Google assumes version
        1.0 is in use.
    next: The URL the user should be redirected to after granting access
        to a Google service(s). It can include url-encoded query parameters.
        The default value is 'oob'. (This is the oauth_callback.)
    token: The string for the OAuth request token or OAuth access token.
    verifier: str Sent as the oauth_verifier and required when upgrading a
        request token to an access token.
  """
  # First we must build the canonical base string for the request.
  params = http_request.uri.query.copy()
  params['oauth_consumer_key'] = consumer_key
  params['oauth_nonce'] = nonce
  params['oauth_signature_method'] = signaure_type
  params['oauth_timestamp'] = str(timestamp)
  if next is not None:
    params['oauth_callback'] = str(next)
  if token is not None:
    params['oauth_token'] = token
  if version is not None:
    params['oauth_version'] = version
  if verifier is not None:
    params['oauth_verifier'] = verifier
  # We need to get the key value pairs in lexigraphically sorted order.
  sorted_keys = None
  try:
    sorted_keys = sorted(params.keys())
  # The sorted function is not available in Python2.3 and lower
  except NameError:
    sorted_keys = params.keys()
    sorted_keys.sort()
  pairs = []
  for key in sorted_keys:
    pairs.append('%s=%s' % (urllib.quote(key, safe='~'),
                            urllib.quote(params[key], safe='~')))
  # We want to escape /'s too, so use safe='~'
  all_parameters = urllib.quote('&'.join(pairs), safe='~')
  normailzed_host = http_request.uri.host.lower()
  normalized_scheme = (http_request.uri.scheme or 'http').lower()
  non_default_port = None
  if (http_request.uri.port is not None
      and ((normalized_scheme == 'https' and http_request.uri.port != 443)
           or (normalized_scheme == 'http' and http_request.uri.port != 80))):
    non_default_port = http_request.uri.port
  path = http_request.uri.path or '/'
  request_path = None
  if not path.startswith('/'):
    path = '/%s' % path
  if non_default_port is not None:
    # Set the only safe char in url encoding to ~ since we want to escape /
    # as well.
    request_path = urllib.quote('%s://%s:%s%s' % (
        normalized_scheme, normailzed_host, non_default_port, path), safe='~')
  else:
    # Set the only safe char in url encoding to ~ since we want to escape /
    # as well.
    request_path = urllib.quote('%s://%s%s' % (
        normalized_scheme, normailzed_host, path), safe='~')
  # TODO: ensure that token escaping logic is correct, not sure if the token
  # value should be double escaped instead of single.
  base_string = '&'.join((http_request.method.upper(), request_path,
                          all_parameters))
  # Now we have the base string, we can calculate the oauth_signature.
  return base_string


def generate_hmac_signature(http_request, consumer_key, consumer_secret,
                            timestamp, nonce, version, next='oob',
                            token=None, token_secret=None, verifier=None):
  import hmac
  import base64
  base_string = build_oauth_base_string(
      http_request, consumer_key, nonce, HMAC_SHA1, timestamp, version,
      next, token, verifier=verifier)
  hash_key = None
  hashed = None
  if token_secret is not None:
    hash_key = '%s&%s' % (urllib.quote(consumer_secret, safe='~'),
                          urllib.quote(token_secret, safe='~'))
  else:
    hash_key = '%s&' % urllib.quote(consumer_secret, safe='~')
  try:
    import hashlib
    hashed = hmac.new(hash_key, base_string, hashlib.sha1)
  except ImportError:
    import sha
    hashed = hmac.new(hash_key, base_string, sha)
  # Python2.3 does not have base64.b64encode.
  if hasattr(base64, 'b64encode'):
    return base64.b64encode(hashed.digest())
  else:
    return base64.encodestring(hashed.digest()).replace('\n', '')


def generate_rsa_signature(http_request, consumer_key, rsa_key,
                           timestamp, nonce, version, next='oob',
                           token=None, token_secret=None, verifier=None):
  import base64
  try:
    from tlslite.utils import keyfactory
  except ImportError:
    from gdata.tlslite.utils import keyfactory
  base_string = build_oauth_base_string(
      http_request, consumer_key, nonce, RSA_SHA1, timestamp, version,
      next, token, verifier=verifier)
  private_key = keyfactory.parsePrivateKey(rsa_key)
  # Sign using the key
  signed = private_key.hashAndSign(base_string)
  # Python2.3 does not have base64.b64encode.
  if hasattr(base64, 'b64encode'):
    return base64.b64encode(signed)
  else:
    return base64.encodestring(signed).replace('\n', '')


def generate_auth_header(consumer_key, timestamp, nonce, signature_type,
                         signature, version='1.0', next=None, token=None,
                         verifier=None):
  """Builds the Authorization header to be sent in the request.

  Args:
    consumer_key: Identifies the application making the request (str).
    timestamp:
    nonce:
    signature_type: One of either HMAC_SHA1 or RSA_SHA1
    signature: The HMAC or RSA signature for the request as a base64
        encoded string.
    version: The version of the OAuth protocol that this request is using.
        Default is '1.0'
    next: The URL of the page that the user's browser should be sent to
        after they authorize the token. (Optional)
    token: str The OAuth token value to be used in the oauth_token parameter
        of the header.
    verifier: str The OAuth verifier which must be included when you are
        upgrading a request token to an access token.
  """
  params = {
      'oauth_consumer_key': consumer_key,
      'oauth_version': version,
      'oauth_nonce': nonce,
      'oauth_timestamp': str(timestamp),
      'oauth_signature_method': signature_type,
      'oauth_signature': signature}
  if next is not None:
    params['oauth_callback'] = str(next)
  if token is not None:
    params['oauth_token'] = token
  if verifier is not None:
    params['oauth_verifier'] = verifier
  pairs = [
      '%s="%s"' % (
          k, urllib.quote(v, safe='~')) for k, v in params.iteritems()]
  return 'OAuth %s' % (', '.join(pairs))


REQUEST_TOKEN_URL = 'https://www.google.com/accounts/OAuthGetRequestToken'
ACCESS_TOKEN_URL = 'https://www.google.com/accounts/OAuthGetAccessToken'


def generate_request_for_request_token(
    consumer_key, signature_type, scopes, rsa_key=None, consumer_secret=None,
    auth_server_url=REQUEST_TOKEN_URL, next='oob', version='1.0'):
  """Creates request to be sent to auth server to get an OAuth request token.

  Args:
    consumer_key:
    signature_type: either RSA_SHA1 or HMAC_SHA1. The rsa_key must be
        provided if the signature type is RSA but if the signature method
        is HMAC, the consumer_secret must be used.
    scopes: List of URL prefixes for the data which we want to access. For
        example, to request access to the user's Blogger and Google Calendar
        data, we would request
        ['http://www.blogger.com/feeds/',
         'https://www.google.com/calendar/feeds/',
         'http://www.google.com/calendar/feeds/']
    rsa_key: Only used if the signature method is RSA_SHA1.
    consumer_secret: Only used if the signature method is HMAC_SHA1.
    auth_server_url: The URL to which the token request should be directed.
        Defaults to 'https://www.google.com/accounts/OAuthGetRequestToken'.
    next: The URL of the page that the user's browser should be sent to
        after they authorize the token. (Optional)
    version: The OAuth version used by the requesting web application.
        Defaults to '1.0a'

  Returns:
    An atom.http_core.HttpRequest object with the URL, Authorization header
    and body filled in.
  """
  request = atom.http_core.HttpRequest(auth_server_url, 'POST')
  # Add the requested auth scopes to the Auth request URL.
  if scopes:
    request.uri.query['scope'] = ' '.join(scopes)

  timestamp = str(int(time.time()))
  nonce = ''.join([str(random.randint(0, 9)) for i in xrange(15)])
  signature = None
  if signature_type == HMAC_SHA1:
    signature = generate_hmac_signature(
        request, consumer_key, consumer_secret, timestamp, nonce, version,
        next=next)
  elif signature_type == RSA_SHA1:
    signature = generate_rsa_signature(
        request, consumer_key, rsa_key, timestamp, nonce, version, next=next)
  else:
    return None

  request.headers['Authorization'] = generate_auth_header(
      consumer_key, timestamp, nonce, signature_type, signature, version,
      next)
  request.headers['Content-Length'] = '0'
  return request


def generate_request_for_access_token(
    request_token, auth_server_url=ACCESS_TOKEN_URL):
  """Creates a request to ask the OAuth server for an access token.

  Requires a request token which the user has authorized. See the
  documentation on OAuth with Google Data for more details:
  http://code.google.com/apis/accounts/docs/OAuth.html#AccessToken

  Args:
    request_token: An OAuthHmacToken or OAuthRsaToken which the user has
        approved using their browser.
    auth_server_url: (optional) The URL at which the OAuth access token is
        requested. Defaults to
        https://www.google.com/accounts/OAuthGetAccessToken

  Returns:
    A new HttpRequest object which can be sent to the OAuth server to
    request an OAuth Access Token.
  """
  http_request = atom.http_core.HttpRequest(auth_server_url, 'POST')
  http_request.headers['Content-Length'] = '0'
  return request_token.modify_request(http_request)


def oauth_token_info_from_body(http_body):
  """Exracts an OAuth request token from the server's response.

  Returns:
    A tuple of strings containing the OAuth token and token secret. If
    neither of these are present in the body, returns (None, None)
  """
  token = None
  token_secret = None
  for pair in http_body.split('&'):
    if pair.startswith('oauth_token='):
      token = urllib.unquote(pair[len('oauth_token='):])
    if pair.startswith('oauth_token_secret='):
      token_secret = urllib.unquote(pair[len('oauth_token_secret='):])
  return (token, token_secret)


def hmac_token_from_body(http_body, consumer_key, consumer_secret,
                         auth_state):
  token_value, token_secret = oauth_token_info_from_body(http_body)
  token = OAuthHmacToken(consumer_key, consumer_secret, token_value,
                         token_secret, auth_state)
  return token


def rsa_token_from_body(http_body, consumer_key, rsa_private_key,
                        auth_state):
  token_value, token_secret = oauth_token_info_from_body(http_body)
  token = OAuthRsaToken(consumer_key, rsa_private_key, token_value,
                        token_secret, auth_state)
  return token


DEFAULT_DOMAIN = 'default'
OAUTH_AUTHORIZE_URL = 'https://www.google.com/accounts/OAuthAuthorizeToken'


def generate_oauth_authorization_url(
    token, next=None, hd=DEFAULT_DOMAIN, hl=None, btmpl=None,
    auth_server=OAUTH_AUTHORIZE_URL):
  """Creates a URL for the page where the request token can be authorized.

  Args:
    token: str The request token from the OAuth server.
    next: str (optional) URL the user should be redirected to after granting
        access to a Google service(s). It can include url-encoded query
        parameters.
    hd: str (optional) Identifies a particular hosted domain account to be
        accessed (for example, 'mycollege.edu'). Uses 'default' to specify a
        regular Google account ('username@gmail.com').
    hl: str (optional) An ISO 639 country code identifying what language the
        approval page should be translated in (for example, 'hl=en' for
        English). The default is the user's selected language.
    btmpl: str (optional) Forces a mobile version of the approval page. The
        only accepted value is 'mobile'.
    auth_server: str (optional) The start of the token authorization web
        page. Defaults to
        'https://www.google.com/accounts/OAuthAuthorizeToken'

  Returns:
    An atom.http_core.Uri pointing to the token authorization page where the
    user may allow or deny this app to access their Google data.
  """
  uri = atom.http_core.Uri.parse_uri(auth_server)
  uri.query['oauth_token'] = token
  uri.query['hd'] = hd
  if next is not None:
    uri.query['oauth_callback'] = str(next)
  if hl is not None:
    uri.query['hl'] = hl
  if btmpl is not None:
    uri.query['btmpl'] = btmpl
  return uri


def oauth_token_info_from_url(url):
  """Exracts an OAuth access token from the redirected page's URL.

  Returns:
    A tuple of strings containing the OAuth token and the OAuth verifier which
    need to sent when upgrading a request token to an access token.
  """
  if isinstance(url, (str, unicode)):
    url = atom.http_core.Uri.parse_uri(url)
  token = None
  verifier = None
  if 'oauth_token' in url.query:
    token = urllib.unquote(url.query['oauth_token'])
  if 'oauth_verifier' in url.query:
    verifier = urllib.unquote(url.query['oauth_verifier'])
  return (token, verifier)


def authorize_request_token(request_token, url):
  """Adds information to request token to allow it to become an access token.

  Modifies the request_token object passed in by setting and unsetting the
  necessary fields to allow this token to form a valid upgrade request.

  Args:
    request_token: The OAuth request token which has been authorized by the
        user. In order for this token to be upgraded to an access token,
        certain fields must be extracted from the URL and added to the token
        so that they can be passed in an upgrade-token request.
    url: The URL of the current page which the user's browser was redirected
        to after they authorized access for the app. This function extracts
        information from the URL which is needed to upgraded the token from
        a request token to an access token.

  Returns:
    The same token object which was passed in.
  """
  token, verifier = oauth_token_info_from_url(url)
  request_token.token = token
  request_token.verifier = verifier
  request_token.auth_state = AUTHORIZED_REQUEST_TOKEN
  return request_token


AuthorizeRequestToken = authorize_request_token


def upgrade_to_access_token(request_token, server_response_body):
  """Extracts access token information from response to an upgrade request.

  Once the server has responded with the new token info for the OAuth
  access token, this method modifies the request_token to set and unset
  necessary fields to create valid OAuth authorization headers for requests.

  Args:
    request_token: An OAuth token which this function modifies to allow it
        to be used as an access token.
    server_response_body: str The server's response to an OAuthAuthorizeToken
        request. This should contain the new token and token_secret which
        are used to generate the signature and parameters of the Authorization
        header in subsequent requests to Google Data APIs.

  Returns:
    The same token object which was passed in.
  """
  token, token_secret = oauth_token_info_from_body(server_response_body)
  request_token.token = token
  request_token.token_secret = token_secret
  request_token.auth_state = ACCESS_TOKEN
  request_token.next = None
  request_token.verifier = None
  return request_token


UpgradeToAccessToken = upgrade_to_access_token


REQUEST_TOKEN = 1
AUTHORIZED_REQUEST_TOKEN = 2
ACCESS_TOKEN = 3


class OAuthHmacToken(object):
  SIGNATURE_METHOD = HMAC_SHA1

  def __init__(self, consumer_key, consumer_secret, token, token_secret,
               auth_state, next=None, verifier=None):
    self.consumer_key = consumer_key
    self.consumer_secret = consumer_secret
    self.token = token
    self.token_secret = token_secret
    self.auth_state = auth_state
    self.next = next
    self.verifier = verifier # Used to convert request token to access token.

  def generate_authorization_url(
      self, google_apps_domain=DEFAULT_DOMAIN, language=None, btmpl=None,
      auth_server=OAUTH_AUTHORIZE_URL):
    """Creates the URL at which the user can authorize this app to access.

    Args:
      google_apps_domain: str (optional) If the user should be signing in
          using an account under a known Google Apps domain, provide the
          domain name ('example.com') here. If not provided, 'default'
          will be used, and the user will be prompted to select an account
          if they are signed in with a Google Account and Google Apps
          accounts.
      language: str (optional) An ISO 639 country code identifying what
          language the approval page should be translated in (for example,
          'en' for English). The default is the user's selected language.
      btmpl: str (optional) Forces a mobile version of the approval page. The
        only accepted value is 'mobile'.
      auth_server: str (optional) The start of the token authorization web
        page. Defaults to
        'https://www.google.com/accounts/OAuthAuthorizeToken'
    """
    return generate_oauth_authorization_url(
        self.token, hd=google_apps_domain, hl=language, btmpl=btmpl,
        auth_server=auth_server)

  GenerateAuthorizationUrl = generate_authorization_url

  def modify_request(self, http_request):
    """Sets the Authorization header in the HTTP request using the token.

    Calculates an HMAC signature using the information in the token to
    indicate that the request came from this application and that this
    application has permission to access a particular user's data.

    Returns:
      The same HTTP request object which was passed in.
    """
    timestamp = str(int(time.time()))
    nonce = ''.join([str(random.randint(0, 9)) for i in xrange(15)])
    signature = generate_hmac_signature(
        http_request, self.consumer_key, self.consumer_secret, timestamp,
        nonce, version='1.0', next=self.next, token=self.token,
        token_secret=self.token_secret, verifier=self.verifier)
    http_request.headers['Authorization'] = generate_auth_header(
        self.consumer_key, timestamp, nonce, HMAC_SHA1, signature,
        version='1.0', next=self.next, token=self.token,
        verifier=self.verifier)
    return http_request

  ModifyRequest = modify_request


class OAuthRsaToken(OAuthHmacToken):
  SIGNATURE_METHOD = RSA_SHA1

  def __init__(self, consumer_key, rsa_private_key, token, token_secret,
               auth_state, next=None, verifier=None):
    self.consumer_key = consumer_key
    self.rsa_private_key = rsa_private_key
    self.token = token
    self.token_secret = token_secret
    self.auth_state = auth_state
    self.next = next
    self.verifier = verifier # Used to convert request token to access token.

  def modify_request(self, http_request):
    """Sets the Authorization header in the HTTP request using the token.

    Calculates an RSA signature using the information in the token to
    indicate that the request came from this application and that this
    application has permission to access a particular user's data.

    Returns:
      The same HTTP request object which was passed in.
    """
    timestamp = str(int(time.time()))
    nonce = ''.join([str(random.randint(0, 9)) for i in xrange(15)])
    signature = generate_rsa_signature(
        http_request, self.consumer_key, self.rsa_private_key, timestamp,
        nonce, version='1.0', next=self.next, token=self.token,
        token_secret=self.token_secret, verifier=self.verifier)
    http_request.headers['Authorization'] = generate_auth_header(
        self.consumer_key, timestamp, nonce, RSA_SHA1, signature,
        version='1.0', next=self.next, token=self.token,
        verifier=self.verifier)
    return http_request

  ModifyRequest = modify_request


class TwoLeggedOAuthHmacToken(OAuthHmacToken):

  def __init__(self, consumer_key, consumer_secret, requestor_id):
    self.requestor_id = requestor_id
    OAuthHmacToken.__init__(
        self, consumer_key, consumer_secret, None, None, ACCESS_TOKEN,
        next=None, verifier=None)

  def modify_request(self, http_request):
    """Sets the Authorization header in the HTTP request using the token.

    Calculates an HMAC signature using the information in the token to
    indicate that the request came from this application and that this
    application has permission to access a particular user's data using 2LO.

    Returns:
      The same HTTP request object which was passed in.
    """
    http_request.uri.query['xoauth_requestor_id'] = self.requestor_id
    return OAuthHmacToken.modify_request(self, http_request)

  ModifyRequest = modify_request


class TwoLeggedOAuthRsaToken(OAuthRsaToken):

  def __init__(self, consumer_key, rsa_private_key, requestor_id):
    self.requestor_id = requestor_id
    OAuthRsaToken.__init__(
        self, consumer_key, rsa_private_key, None, None, ACCESS_TOKEN,
        next=None, verifier=None)

  def modify_request(self, http_request):
    """Sets the Authorization header in the HTTP request using the token.

    Calculates an RSA signature using the information in the token to
    indicate that the request came from this application and that this
    application has permission to access a particular user's data using 2LO.

    Returns:
      The same HTTP request object which was passed in.
    """
    http_request.uri.query['xoauth_requestor_id'] = self.requestor_id
    return OAuthRsaToken.modify_request(self, http_request)

  ModifyRequest = modify_request


def _join_token_parts(*args):
  """"Escapes and combines all strings passed in.

  Used to convert a token object's members into a string instead of
  using pickle.

  Note: A None value will be converted to an empty string.

  Returns:
    A string in the form 1x|member1|member2|member3...
  """
  return '|'.join([urllib.quote_plus(a or '') for a in args])


def _split_token_parts(blob):
  """Extracts and unescapes fields from the provided binary string.

  Reverses the packing performed by _join_token_parts. Used to extract
  the members of a token object.

  Note: An empty string from the blob will be interpreted as None.

  Args:
    blob: str A string of the form 1x|member1|member2|member3 as created
        by _join_token_parts

  Returns:
    A list of unescaped strings.
  """
  return [urllib.unquote_plus(part) or None for part in blob.split('|')]


def token_to_blob(token):
  """Serializes the token data as a string for storage in a datastore.

  Supported token classes: ClientLoginToken, AuthSubToken, SecureAuthSubToken,
  OAuthRsaToken, and OAuthHmacToken, TwoLeggedOAuthRsaToken,
  TwoLeggedOAuthHmacToken.

  Args:
    token: A token object which must be of one of the supported token classes.

  Raises:
    UnsupportedTokenType if the token is not one of the supported token
    classes listed above.

  Returns:
    A string represenging this token. The string can be converted back into
    an equivalent token object using token_from_blob. Note that any members
    which are set to '' will be set to None when the token is deserialized
    by token_from_blob.
  """
  if isinstance(token, ClientLoginToken):
    return _join_token_parts('1c', token.token_string)
  # Check for secure auth sub type first since it is a subclass of
  # AuthSubToken.
  elif isinstance(token, SecureAuthSubToken):
    return _join_token_parts('1s', token.token_string, token.rsa_private_key,
                             *token.scopes)
  elif isinstance(token, AuthSubToken):
    return _join_token_parts('1a', token.token_string, *token.scopes)
  elif isinstance(token, TwoLeggedOAuthRsaToken):
    return _join_token_parts(
        '1rtl', token.consumer_key, token.rsa_private_key, token.requestor_id)
  elif isinstance(token, TwoLeggedOAuthHmacToken):
    return _join_token_parts(
        '1htl', token.consumer_key, token.consumer_secret, token.requestor_id)
  # Check RSA OAuth token first since the OAuthRsaToken is a subclass of
  # OAuthHmacToken.
  elif isinstance(token, OAuthRsaToken):
    return _join_token_parts(
        '1r', token.consumer_key, token.rsa_private_key, token.token,
        token.token_secret, str(token.auth_state), token.next,
        token.verifier)
  elif isinstance(token, OAuthHmacToken):
    return _join_token_parts(
        '1h', token.consumer_key, token.consumer_secret, token.token,
        token.token_secret, str(token.auth_state), token.next,
        token.verifier)
  else:
    raise UnsupportedTokenType(
        'Unable to serialize token of type %s' % type(token))


TokenToBlob = token_to_blob


def token_from_blob(blob):
  """Deserializes a token string from the datastore back into a token object.

  Supported token classes: ClientLoginToken, AuthSubToken, SecureAuthSubToken,
  OAuthRsaToken, and OAuthHmacToken, TwoLeggedOAuthRsaToken,
  TwoLeggedOAuthHmacToken.

  Args:
    blob: string created by token_to_blob.

  Raises:
    UnsupportedTokenType if the token is not one of the supported token
    classes listed above.

  Returns:
    A new token object with members set to the values serialized in the
    blob string. Note that any members which were set to '' in the original
    token will now be None.
  """
  parts = _split_token_parts(blob)
  if parts[0] == '1c':
    return ClientLoginToken(parts[1])
  elif parts[0] == '1a':
    return AuthSubToken(parts[1], parts[2:])
  elif parts[0] == '1s':
    return SecureAuthSubToken(parts[1], parts[2], parts[3:])
  elif parts[0] == '1rtl':
    return TwoLeggedOAuthRsaToken(parts[1], parts[2], parts[3])
  elif parts[0] == '1htl':
    return TwoLeggedOAuthHmacToken(parts[1], parts[2], parts[3])
  elif parts[0] == '1r':
    auth_state = int(parts[5])
    return OAuthRsaToken(parts[1], parts[2], parts[3], parts[4], auth_state,
                         parts[6], parts[7])
  elif parts[0] == '1h':
    auth_state = int(parts[5])
    return OAuthHmacToken(parts[1], parts[2], parts[3], parts[4], auth_state,
                          parts[6], parts[7])
  else:
    raise UnsupportedTokenType(
        'Unable to deserialize token with type marker of %s' % parts[0])


TokenFromBlob = token_from_blob


def dump_tokens(tokens):
  return ','.join([token_to_blob(t) for t in tokens])


def load_tokens(blob):
  return [token_from_blob(s) for s in blob.split(',')]


def find_scopes_for_services(service_names=None):
  """Creates a combined list of scope URLs for the desired services.

  This method searches the AUTH_SCOPES dictionary.
  
  Args:
    service_names: list of strings (optional) Each name must be a key in the
                   AUTH_SCOPES dictionary. If no list is provided (None) then
                   the resulting list will contain all scope URLs in the
                   AUTH_SCOPES dict.

  Returns:
    A list of URL strings which are the scopes needed to access these services
    when requesting a token using AuthSub or OAuth.
  """
  result_scopes = []
  if service_names is None:
    for service_name, scopes in AUTH_SCOPES.iteritems():
      result_scopes.extend(scopes)
  else:
    for service_name in service_names:
      result_scopes.extend(AUTH_SCOPES[service_name])
  return result_scopes


FindScopesForServices = find_scopes_for_services


def ae_save(token, token_key):
  """Stores an auth token in the App Engine datastore.

  This is a convenience method for using the library with App Engine.
  Recommended usage is to associate the auth token with the current_user.
  If a user is signed in to the app using the App Engine users API, you
  can use
  gdata.gauth.ae_save(some_token, users.get_current_user().user_id())
  If you are not using the Users API you are free to choose whatever
  string you would like for a token_string.

  Args:
    token: an auth token object. Must be one of ClientLoginToken,
           AuthSubToken, SecureAuthSubToken, OAuthRsaToken, or OAuthHmacToken
           (see token_to_blob).
    token_key: str A unique identified to be used when you want to retrieve
               the token. If the user is signed in to App Engine using the
               users API, I recommend using the user ID for the token_key:
               users.get_current_user().user_id()
  """
  import gdata.alt.app_engine
  key_name = ''.join(('gd_auth_token', token_key))
  return gdata.alt.app_engine.set_token(key_name, token_to_blob(token))


AeSave = ae_save


def ae_load(token_key):
  """Retrieves a token object from the App Engine datastore.

  This is a convenience method for using the library with App Engine.
  See also ae_save.

  Args:
    token_key: str The unique key associated with the desired token when it
               was saved using ae_save.

  Returns:
    A token object if there was a token associated with the token_key or None
    if the key could not be found.
  """
  import gdata.alt.app_engine
  key_name = ''.join(('gd_auth_token', token_key))
  token_string = gdata.alt.app_engine.get_token(key_name)
  if token_string is not None:
    return token_from_blob(token_string)
  else:
    return None


AeLoad = ae_load


def ae_delete(token_key):
  """Removes the token object from the App Engine datastore."""
  import gdata.alt.app_engine
  key_name = ''.join(('gd_auth_token', token_key))
  gdata.alt.app_engine.delete_token(key_name)


AeDelete = ae_delete
Tip: Filter by directory path e.g. /media app.js to search for public/media/app.js.
Tip: Use camelCasing e.g. ProjME to search for ProjectModifiedEvent.java.
Tip: Filter by extension type e.g. /repo .js to search for all .js files in the /repo directory.
Tip: Separate your search with spaces e.g. /ssh pom.xml to search for src/ssh/pom.xml.
Tip: Use ↑ and ↓ arrow keys to navigate and return to view the file.
Tip: You can also navigate files with Ctrl+j (next) and Ctrl+k (previous) and view the file with Ctrl+o.
Tip: You can also navigate files with Alt+j (next) and Alt+k (previous) and view the file with Alt+o.