| # -*- coding: utf-8 -*- |
| # Copyright 2011 Google Inc. All Rights Reserved. |
| # |
| # Licensed under the Apache License, Version 2.0 (the "License"); |
| # you may not use this file except in compliance with the License. |
| # You may obtain a copy of the License at |
| # |
| # http://www.apache.org/licenses/LICENSE-2.0 |
| # |
| # Unless required by applicable law or agreed to in writing, software |
| # distributed under the License is distributed on an "AS IS" BASIS, |
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| # See the License for the specific language governing permissions and |
| # limitations under the License. |
| """Implementation of config command for creating a gsutil configuration file.""" |
| |
| from __future__ import absolute_import |
| |
| import datetime |
| from httplib import ResponseNotReady |
| import json |
| import multiprocessing |
| import os |
| import platform |
| import signal |
| import socket |
| import stat |
| import sys |
| import textwrap |
| import time |
| import webbrowser |
| |
| import boto |
| from boto.provider import Provider |
| from httplib2 import ServerNotFoundError |
| from oauth2client.client import HAS_CRYPTO |
| |
| import gslib |
| from gslib.command import Command |
| from gslib.commands.compose import MAX_COMPONENT_COUNT |
| from gslib.cred_types import CredTypes |
| from gslib.exception import AbortException |
| from gslib.exception import CommandException |
| from gslib.hashing_helper import CHECK_HASH_ALWAYS |
| from gslib.hashing_helper import CHECK_HASH_IF_FAST_ELSE_FAIL |
| from gslib.hashing_helper import CHECK_HASH_IF_FAST_ELSE_SKIP |
| from gslib.hashing_helper import CHECK_HASH_NEVER |
| from gslib.sig_handling import RegisterSignalHandler |
| from gslib.util import EIGHT_MIB |
| from gslib.util import IS_WINDOWS |
| |
| |
| _SYNOPSIS = """ |
| gsutil [-D] config [-a] [-b] [-e] [-f] [-o <file>] [-r] [-s <scope>] [-w] |
| """ |
| |
| _DETAILED_HELP_TEXT = (""" |
| <B>SYNOPSIS</B> |
| """ + _SYNOPSIS + """ |
| |
| |
| <B>DESCRIPTION</B> |
| The gsutil config command obtains access credentials for Google Cloud |
| Storage and writes a boto/gsutil configuration file containing the obtained |
| credentials along with a number of other configuration-controllable values. |
| |
| Unless specified otherwise (see OPTIONS), the configuration file is written |
| to ~/.boto (i.e., the file .boto under the user's home directory). If the |
| default file already exists, an attempt is made to rename the existing file |
| to ~/.boto.bak; if that attempt fails the command will exit. A different |
| destination file can be specified with the -o option (see OPTIONS). |
| |
| Because the boto configuration file contains your credentials you should |
| keep its file permissions set so no one but you has read access. (The file |
| is created read-only when you run gsutil config.) |
| |
| |
| <B>CREDENTIALS</B> |
| By default gsutil config obtains OAuth2 credentials, and writes them |
| to the [Credentials] section of the configuration file. The -r, -w, |
| -f options (see OPTIONS below) cause gsutil config to request a token |
| with restricted scope; the resulting token will be restricted to read-only |
| operations, read-write operations, or all operations (including acl get/set, |
| defacl get/set, and logging get/'set on'/'set off' operations). In |
| addition, -s <scope> can be used to request additional (non-Google-Storage) |
| scopes. |
| |
| If you want to use credentials based on access key and secret (the older |
| authentication method before OAuth2 was supported) instead of OAuth2, |
| see help about the -a option in the OPTIONS section. |
| |
| If you wish to use gsutil with other providers (or to copy data back and |
| forth between multiple providers) you can edit their credentials into the |
| [Credentials] section after creating the initial configuration file. |
| |
| |
| <B>CONFIGURING SERVICE ACCOUNT CREDENTIALS</B> |
| You can configure credentials for service accounts using the gsutil config -e |
| option. Service accounts are useful for authenticating on behalf of a service |
| or application (as opposed to a user). |
| |
| When you run gsutil config -e, you will be prompted for your service account |
| email address and the path to your private key file. To get these data, visit |
| the `Google Developers Console <https://cloud.google.com/console#/project>`_, |
| click on the project you are using, then click "APIs & auth", then click |
| "Credentials", then click "Create new Client ID"; on the pop-up dialog box |
| select "Service account" and click "Create Client ID". This will download |
| a private key file, which you should move to somewhere |
| accessible from the machine where you run gsutil. Make sure to set its |
| protection so only the users you want to be able to authenticate have |
| access. |
| |
| Note that your service account will NOT be considered an Owner for the |
| purposes of API access (see "gsutil help creds" for more information about |
| this). See https://developers.google.com/accounts/docs/OAuth2ServiceAccount |
| for further information on service account authentication. |
| |
| |
| <B>CONFIGURATION FILE SELECTION PROCEDURE</B> |
| By default, gsutil will look for the configuration file in /etc/boto.cfg and |
| ~/.boto. You can override this choice by setting the BOTO_CONFIG environment |
| variable. This is also useful if you have several different identities or |
| cloud storage environments: By setting up the credentials and any additional |
| configuration in separate files for each, you can switch environments by |
| changing environment variables. |
| |
| You can also set up a path of configuration files, by setting the BOTO_PATH |
| environment variable to contain a ":" delimited path. For example setting |
| the BOTO_PATH environment variable to: |
| |
| /etc/projects/my_group_project.boto.cfg:/home/mylogin/.boto |
| |
| will cause gsutil to load each configuration file found in the path in |
| order. This is useful if you want to set up some shared configuration |
| state among many users: The shared state can go in the central shared file |
| ( /etc/projects/my_group_project.boto.cfg) and each user's individual |
| credentials can be placed in the configuration file in each of their home |
| directories. (For security reasons users should never share credentials |
| via a shared configuration file.) |
| |
| |
| <B>CONFIGURATION FILE STRUCTURE</B> |
| The configuration file contains a number of sections: [Credentials], |
| [Boto], [GSUtil], and [OAuth2]. If you edit the file make sure to edit the |
| appropriate section (discussed below), and to be careful not to mis-edit |
| any of the setting names (like "gs_access_key_id") and not to remove the |
| section delimiters (like "[Credentials]"). |
| |
| |
| <B>ADDITIONAL CONFIGURATION-CONTROLLABLE FEATURES</B> |
| With the exception of setting up gsutil to work through a proxy (see |
| below), most users won't need to edit values in the boto configuration file; |
| values found in there tend to be of more specialized use than command line |
| option-controllable features. |
| |
| The following are the currently defined configuration settings, broken |
| down by section. Their use is documented in comments preceding each, in |
| the configuration file. If you see a setting you want to change that's not |
| listed in your current file, see the section below on Updating to the Latest |
| Configuration File. |
| |
| The currently supported settings, are, by section: |
| |
| [Credentials] |
| aws_access_key_id |
| aws_secret_access_key |
| gs_access_key_id |
| gs_host |
| gs_json_host |
| gs_json_port |
| gs_oauth2_refresh_token |
| gs_port |
| gs_secret_access_key |
| s3_host |
| s3_port |
| |
| [Boto] |
| proxy |
| proxy_port |
| proxy_user |
| proxy_pass |
| proxy_rdns |
| http_socket_timeout |
| https_validate_certificates |
| debug |
| max_retry_delay |
| num_retries |
| |
| [GSUtil] |
| check_hashes |
| content_language |
| default_api_version |
| default_project_id |
| json_api_version |
| parallel_composite_upload_component_size |
| parallel_composite_upload_threshold |
| parallel_process_count |
| parallel_thread_count |
| prefer_api |
| resumable_threshold |
| resumable_tracker_dir (deprecated in 4.6, use state_dir) |
| rsync_buffer_lines |
| software_update_check_period |
| state_dir |
| tab_completion_time_logs |
| tab_completion_timeout |
| use_magicfile |
| |
| [OAuth2] |
| client_id |
| client_secret |
| oauth2_refresh_retries |
| provider_authorization_uri |
| provider_label |
| provider_token_uri |
| token_cache |
| |
| |
| <B>UPDATING TO THE LATEST CONFIGURATION FILE</B> |
| We add new configuration controllable features to the boto configuration file |
| over time, but most gsutil users create a configuration file once and then |
| keep it for a long time, so new features aren't apparent when you update |
| to a newer version of gsutil. If you want to get the latest configuration |
| file (which includes all the latest settings and documentation about each) |
| you can rename your current file (e.g., to '.boto_old'), run gsutil config, |
| and then edit any configuration settings you wanted from your old file |
| into the newly created file. Note, however, that if you're using OAuth2 |
| credentials and you go back through the OAuth2 configuration dialog it will |
| invalidate your previous OAuth2 credentials. |
| |
| If no explicit scope option is given, -f (full control) is assumed by default. |
| |
| |
| <B>OPTIONS</B> |
| -a Prompt for Google Cloud Storage access key and secret (the older |
| authentication method before OAuth2 was supported) instead of |
| obtaining an OAuth2 token. |
| |
| -b Causes gsutil config to launch a browser to obtain OAuth2 approval |
| and the project ID instead of showing the URL for each and asking |
| the user to open the browser. This will probably not work as |
| expected if you are running gsutil from an ssh window, or using |
| gsutil on Windows. |
| |
| -e Prompt for service account credentials. This option requires that |
| -a is not set. |
| |
| -f Request token with full-control access (default). |
| |
| -o <file> Write the configuration to <file> instead of ~/.boto. |
| Use '-' for stdout. |
| |
| -r Request token restricted to read-only access. |
| |
| -s <scope> Request additional OAuth2 <scope>. |
| |
| -w Request token restricted to read-write access. |
| """) |
| |
| |
| try: |
| from gcs_oauth2_boto_plugin import oauth2_helper # pylint: disable=g-import-not-at-top |
| except ImportError: |
| pass |
| |
| GOOG_CLOUD_CONSOLE_URI = 'https://cloud.google.com/console#/project' |
| |
| SCOPE_FULL_CONTROL = 'https://www.googleapis.com/auth/devstorage.full_control' |
| SCOPE_READ_WRITE = 'https://www.googleapis.com/auth/devstorage.read_write' |
| SCOPE_READ_ONLY = 'https://www.googleapis.com/auth/devstorage.read_only' |
| |
| CONFIG_PRELUDE_CONTENT = """ |
| # This file contains credentials and other configuration information needed |
| # by the boto library, used by gsutil. You can edit this file (e.g., to add |
| # credentials) but be careful not to mis-edit any of the variable names (like |
| # "gs_access_key_id") or remove important markers (like the "[Credentials]" and |
| # "[Boto]" section delimiters). |
| # |
| """ |
| |
| # Default number of OS processes and Python threads for parallel operations. |
| # On Linux systems we automatically scale the number of processes to match |
| # the underlying CPU/core count. Given we'll be running multiple concurrent |
| # processes on a typical multi-core Linux computer, to avoid being too |
| # aggressive with resources, the default number of threads is reduced from |
| # the previous value of 24 to 10. |
| # On Windows and Mac systems parallel multi-processing and multi-threading |
| # in Python presents various challenges so we retain compatibility with |
| # the established parallel mode operation, i.e. one process and 24 threads. |
| if platform.system() == 'Linux': |
| DEFAULT_PARALLEL_PROCESS_COUNT = multiprocessing.cpu_count() |
| DEFAULT_PARALLEL_THREAD_COUNT = 10 |
| else: |
| DEFAULT_PARALLEL_PROCESS_COUNT = 1 |
| DEFAULT_PARALLEL_THREAD_COUNT = 24 |
| |
| # TODO: Once compiled crcmod is being distributed by major Linux distributions |
| # revert DEFAULT_PARALLEL_COMPOSITE_UPLOAD_THRESHOLD value to '150M'. |
| DEFAULT_PARALLEL_COMPOSITE_UPLOAD_THRESHOLD = '0' |
| DEFAULT_PARALLEL_COMPOSITE_UPLOAD_COMPONENT_SIZE = '50M' |
| |
| CONFIG_BOTO_SECTION_CONTENT = """ |
| [Boto] |
| |
| # http_socket_timeout specifies the timeout (in seconds) used to tell httplib |
| # how long to wait for socket timeouts. The default is 70 seconds. Note that |
| # this timeout only applies to httplib, not to httplib2 (which is used for |
| # OAuth2 refresh/access token exchanges). |
| #http_socket_timeout = 70 |
| |
| # The following two options control the use of a secure transport for requests |
| # to S3 and Google Cloud Storage. It is highly recommended to set both options |
| # to True in production environments, especially when using OAuth2 bearer token |
| # authentication with Google Cloud Storage. |
| |
| # Set 'https_validate_certificates' to False to disable server certificate |
| # checking. The default for this option in the boto library is currently |
| # 'False' (to avoid breaking apps that depend on invalid certificates); it is |
| # therefore strongly recommended to always set this option explicitly to True |
| # in configuration files, to protect against "man-in-the-middle" attacks. |
| https_validate_certificates = True |
| |
| # 'debug' controls the level of debug messages printed: 0 for none, 1 |
| # for basic boto debug, 2 for all boto debug plus HTTP requests/responses. |
| # Note: 'gsutil -d' sets debug to 2 for that one command run. |
| #debug = <0, 1, or 2> |
| |
| # 'num_retries' controls the number of retry attempts made when errors occur |
| # during data transfers. The default is 6. |
| # Note 1: You can cause gsutil to retry failures effectively infinitely by |
| # setting this value to a large number (like 10000). Doing that could be useful |
| # in cases where your network connection occasionally fails and is down for an |
| # extended period of time, because when it comes back up gsutil will continue |
| # retrying. However, in general we recommend not setting the value above 10, |
| # because otherwise gsutil could appear to "hang" due to excessive retries |
| # (since unless you run gsutil -D you won't see any logged evidence that gsutil |
| # is retrying). |
| # Note 2: Don't set this value to 0, as it will cause boto to fail when reusing |
| # HTTP connections. |
| #num_retries = <integer value> |
| |
| # 'max_retry_delay' controls the max delay (in seconds) between retries. The |
| # default value is 60, so the backoff sequence will be 1 seconds, 2 seconds, 4, |
| # 8, 16, 32, and then 60 for all subsequent retries for a given HTTP request. |
| # Note: At present this value only impacts the XML API and the JSON API uses a |
| # fixed value of 60. |
| #max_retry_delay = <integer value> |
| """ |
| |
| CONFIG_INPUTLESS_GSUTIL_SECTION_CONTENT = """ |
| [GSUtil] |
| |
| # 'resumable_threshold' specifies the smallest file size [bytes] for which |
| # resumable Google Cloud Storage uploads are attempted. The default is 8388608 |
| # (8 MiB). |
| #resumable_threshold = %(resumable_threshold)d |
| |
| # 'rsync_buffer_lines' specifies the number of lines of bucket or directory |
| # listings saved in each temp file during sorting. (The complete set is |
| # split across temp files and separately sorted/merged, to avoid needing to |
| # fit everything in memory at once.) If you are trying to synchronize very |
| # large directories/buckets (e.g., containing millions or more objects), |
| # having too small a value here can cause gsutil to run out of open file |
| # handles. If that happens, you can try to increase the number of open file |
| # handles your system allows (e.g., see 'man ulimit' on Linux; see also |
| # http://docs.python.org/2/library/resource.html). If you can't do that (or |
| # if you're already at the upper limit), increasing rsync_buffer_lines will |
| # cause gsutil to use fewer file handles, but at the cost of more memory. With |
| # rsync_buffer_lines set to 32000 and assuming a typical URL is 100 bytes |
| # long, gsutil will require approximately 10 MiB of memory while building |
| # the synchronization state, and will require approximately 60 open file |
| # descriptors to build the synchronization state over all 1M source and 1M |
| # destination URLs. Memory and file descriptors are only consumed while |
| # building the state; once the state is built, it resides in two temp files that |
| # are read and processed incrementally during the actual copy/delete |
| # operations. |
| #rsync_buffer_lines = 32000 |
| |
| # 'state_dir' specifies the base location where files that |
| # need a static location are stored, such as pointers to credentials, |
| # resumable transfer tracker files, and the last software update check. |
| # By default these files are stored in ~/.gsutil |
| #state_dir = <file_path> |
| # gsutil periodically checks whether a new version of the gsutil software is |
| # available. 'software_update_check_period' specifies the number of days |
| # between such checks. The default is 30. Setting the value to 0 disables |
| # periodic software update checks. |
| #software_update_check_period = 30 |
| |
| # 'tab_completion_timeout' controls the timeout (in seconds) for tab |
| # completions that involve remote requests (such as bucket or object names). |
| # If tab completion does not succeed within this timeout, no tab completion |
| # suggestions will be returned. |
| # A value of 0 will disable completions that involve remote requests. |
| #tab_completion_timeout = 5 |
| |
| # 'parallel_process_count' and 'parallel_thread_count' specify the number |
| # of OS processes and Python threads, respectively, to use when executing |
| # operations in parallel. The default settings should work well as configured, |
| # however, to enhance performance for transfers involving large numbers of |
| # files, you may experiment with hand tuning these values to optimize |
| # performance for your particular system configuration. |
| # MacOS and Windows users should see |
| # https://github.com/GoogleCloudPlatform/gsutil/issues/77 before attempting |
| # to experiment with these values. |
| #parallel_process_count = %(parallel_process_count)d |
| #parallel_thread_count = %(parallel_thread_count)d |
| |
| # 'parallel_composite_upload_threshold' specifies the maximum size of a file to |
| # upload in a single stream. Files larger than this threshold will be |
| # partitioned into component parts and uploaded in parallel and then composed |
| # into a single object. |
| # The number of components will be the smaller of |
| # ceil(file_size / parallel_composite_upload_component_size) and |
| # MAX_COMPONENT_COUNT. The current value of MAX_COMPONENT_COUNT is |
| # %(max_component_count)d. |
| # If 'parallel_composite_upload_threshold' is set to 0, then automatic parallel |
| # uploads will never occur. |
| # Setting an extremely low threshold is unadvisable. The vast majority of |
| # environments will see degraded performance for thresholds below 80M, and it |
| # is almost never advantageous to have a threshold below 20M. |
| # 'parallel_composite_upload_component_size' specifies the ideal size of a |
| # component in bytes, which will act as an upper bound to the size of the |
| # components if ceil(file_size / parallel_composite_upload_component_size) is |
| # less than MAX_COMPONENT_COUNT. |
| # Values can be provided either in bytes or as human-readable values |
| # (e.g., "150M" to represent 150 mebibytes) |
| # |
| # Note: At present parallel composite uploads are disabled by default, because |
| # using composite objects requires a compiled crcmod (see "gsutil help crcmod"), |
| # and for operating systems that don't already have this package installed this |
| # makes gsutil harder to use. Google is actively working with a number of the |
| # Linux distributions to get crcmod included with the stock distribution. Once |
| # that is done we will re-enable parallel composite uploads by default in |
| # gsutil. |
| #parallel_composite_upload_threshold = %(parallel_composite_upload_threshold)s |
| #parallel_composite_upload_component_size = %(parallel_composite_upload_component_size)s |
| |
| # 'use_magicfile' specifies if the 'file --mime-type <filename>' command should |
| # be used to guess content types instead of the default filename extension-based |
| # mechanism. Available on UNIX and MacOS (and possibly on Windows, if you're |
| # running Cygwin or some other package that provides implementations of |
| # UNIX-like commands). When available and enabled use_magicfile should be more |
| # robust because it analyzes file contents in addition to extensions. |
| #use_magicfile = False |
| |
| # 'content_language' specifies the ISO 639-1 language code of the content, to be |
| # passed in the Content-Language header. By default no Content-Language is sent. |
| # See the ISO 639-1 column of |
| # http://www.loc.gov/standards/iso639-2/php/code_list.php for a list of |
| # language codes. |
| content_language = en |
| |
| # 'check_hashes' specifies how strictly to require integrity checking for |
| # downloaded data. Legal values are: |
| # '%(hash_fast_else_fail)s' - (default) Only integrity check if the digest |
| # will run efficiently (using compiled code), else fail the download. |
| # '%(hash_fast_else_skip)s' - Only integrity check if the server supplies a |
| # hash and the local digest computation will run quickly, else skip the |
| # check. |
| # '%(hash_always)s' - Always check download integrity regardless of possible |
| # performance costs. |
| # '%(hash_never)s' - Don't perform download integrity checks. This setting is |
| # not recommended except for special cases such as measuring download |
| # performance excluding time for integrity checking. |
| # This option exists to assist users who wish to download a GCS composite object |
| # and are unable to install crcmod with the C-extension. CRC32c is the only |
| # available integrity check for composite objects, and without the C-extension, |
| # download performance can be significantly degraded by the digest computation. |
| # This option is ignored for daisy-chain copies, which don't compute hashes but |
| # instead (inexpensively) compare the cloud source and destination hashes. |
| #check_hashes = if_fast_else_fail |
| |
| # The ability to specify an alternative JSON API version is primarily for cloud |
| # storage service developers. |
| #json_api_version = v1 |
| |
| # Specifies the API to use when interacting with cloud storage providers. If |
| # the gsutil command supports this API for the provider, it will be used |
| # instead of the default. |
| # Commands typically default to XML for S3 and JSON for GCS. |
| #prefer_api = json |
| #prefer_api = xml |
| |
| """ % {'hash_fast_else_fail': CHECK_HASH_IF_FAST_ELSE_FAIL, |
| 'hash_fast_else_skip': CHECK_HASH_IF_FAST_ELSE_SKIP, |
| 'hash_always': CHECK_HASH_ALWAYS, |
| 'hash_never': CHECK_HASH_NEVER, |
| 'resumable_threshold': EIGHT_MIB, |
| 'parallel_process_count': DEFAULT_PARALLEL_PROCESS_COUNT, |
| 'parallel_thread_count': DEFAULT_PARALLEL_THREAD_COUNT, |
| 'parallel_composite_upload_threshold': ( |
| DEFAULT_PARALLEL_COMPOSITE_UPLOAD_THRESHOLD), |
| 'parallel_composite_upload_component_size': ( |
| DEFAULT_PARALLEL_COMPOSITE_UPLOAD_COMPONENT_SIZE), |
| 'max_component_count': MAX_COMPONENT_COUNT} |
| |
| CONFIG_OAUTH2_CONFIG_CONTENT = """ |
| [OAuth2] |
| # This section specifies options used with OAuth2 authentication. |
| |
| # 'token_cache' specifies how the OAuth2 client should cache access tokens. |
| # Valid values are: |
| # 'in_memory': an in-memory cache is used. This is only useful if the boto |
| # client instance (and with it the OAuth2 plugin instance) persists |
| # across multiple requests. |
| # 'file_system' : access tokens will be cached in the file system, in files |
| # whose names include a key derived from the refresh token the access token |
| # based on. |
| # The default is 'file_system'. |
| #token_cache = file_system |
| #token_cache = in_memory |
| |
| # 'token_cache_path_pattern' specifies a path pattern for token cache files. |
| # This option is only relevant if token_cache = file_system. |
| # The value of this option should be a path, with place-holders '%(key)s' (which |
| # will be replaced with a key derived from the refresh token the cached access |
| # token was based on), and (optionally), %(uid)s (which will be replaced with |
| # the UID of the current user, if available via os.getuid()). |
| # Note that the config parser itself interpolates '%' placeholders, and hence |
| # the above placeholders need to be escaped as '%%(key)s'. |
| # The default value of this option is |
| # token_cache_path_pattern = <tmpdir>/oauth2client-tokencache.%%(uid)s.%%(key)s |
| # where <tmpdir> is the system-dependent default temp directory. |
| |
| # The following options specify the OAuth2 client identity and secret that is |
| # used when requesting and using OAuth2 tokens. If not specified, a default |
| # OAuth2 client for the gsutil tool is used; for uses of the boto library (with |
| # OAuth2 authentication plugin) in other client software, it is recommended to |
| # use a tool/client-specific OAuth2 client. For more information on OAuth2, see |
| # http://code.google.com/apis/accounts/docs/OAuth2.html |
| #client_id = <OAuth2 client id> |
| #client_secret = <OAuth2 client secret> |
| |
| # The following options specify the label and endpoint URIs for the OAUth2 |
| # authorization provider being used. Primarily useful for tool developers. |
| #provider_label = Google |
| #provider_authorization_uri = https://accounts.google.com/o/oauth2/auth |
| #provider_token_uri = https://accounts.google.com/o/oauth2/token |
| |
| # 'oauth2_refresh_retries' controls the number of retry attempts made when |
| # rate limiting errors occur for OAuth2 requests to retrieve an access token. |
| # The default value is 6. |
| #oauth2_refresh_retries = <integer value> |
| """ |
| |
| |
| class ConfigCommand(Command): |
| """Implementation of gsutil config command.""" |
| |
| # Command specification. See base class for documentation. |
| command_spec = Command.CreateCommandSpec( |
| 'config', |
| command_name_aliases=['cfg', 'conf', 'configure'], |
| usage_synopsis=_SYNOPSIS, |
| min_args=0, |
| max_args=0, |
| supported_sub_args='habefwrs:o:', |
| file_url_ok=False, |
| provider_url_ok=False, |
| urls_start_arg=0, |
| ) |
| # Help specification. See help_provider.py for documentation. |
| help_spec = Command.HelpSpec( |
| help_name='config', |
| help_name_aliases=['cfg', 'conf', 'configure', 'aws', 's3'], |
| help_type='command_help', |
| help_one_line_summary=( |
| 'Obtain credentials and create configuration file'), |
| help_text=_DETAILED_HELP_TEXT, |
| subcommand_help_text={}, |
| ) |
| |
| def _OpenConfigFile(self, file_path): |
| """Creates and opens a configuration file for writing. |
| |
| The file is created with mode 0600, and attempts to open existing files will |
| fail (the latter is important to prevent symlink attacks). |
| |
| It is the caller's responsibility to close the file. |
| |
| Args: |
| file_path: Path of the file to be created. |
| |
| Returns: |
| A writable file object for the opened file. |
| |
| Raises: |
| CommandException: if an error occurred when opening the file (including |
| when the file already exists). |
| """ |
| flags = os.O_RDWR | os.O_CREAT | os.O_EXCL |
| # Accommodate Windows; copied from python2.6/tempfile.py. |
| if hasattr(os, 'O_NOINHERIT'): |
| flags |= os.O_NOINHERIT |
| try: |
| fd = os.open(file_path, flags, 0600) |
| except (OSError, IOError), e: |
| raise CommandException('Failed to open %s for writing: %s' % |
| (file_path, e)) |
| return os.fdopen(fd, 'w') |
| |
| def _CheckPrivateKeyFilePermissions(self, file_path): |
| """Checks that the file has reasonable permissions for a private key. |
| |
| In particular, check that the filename provided by the user is not |
| world- or group-readable. If either of these are true, we issue a warning |
| and offer to fix the permissions. |
| |
| Args: |
| file_path: The name of the private key file. |
| """ |
| if IS_WINDOWS: |
| # For Windows, this check doesn't work (it actually just checks whether |
| # the file is read-only). Since Windows files have a complicated ACL |
| # system, this check doesn't make much sense on Windows anyway, so we |
| # just don't do it. |
| return |
| |
| st = os.stat(file_path) |
| if bool((stat.S_IRGRP | stat.S_IROTH) & st.st_mode): |
| self.logger.warn( |
| '\nYour private key file is readable by people other than yourself.\n' |
| 'This is a security risk, since anyone with this information can use ' |
| 'your service account.\n') |
| fix_it = raw_input('Would you like gsutil to change the file ' |
| 'permissions for you? (y/N) ') |
| if fix_it in ('y', 'Y'): |
| try: |
| os.chmod(file_path, 0400) |
| self.logger.info( |
| '\nThe permissions on your file have been successfully ' |
| 'modified.' |
| '\nThe only access allowed is readability by the user ' |
| '(permissions 0400 in chmod).') |
| except Exception, _: # pylint: disable=broad-except |
| self.logger.warn( |
| '\nWe were unable to modify the permissions on your file.\n' |
| 'If you would like to fix this yourself, consider running:\n' |
| '"sudo chmod 400 </path/to/key>" for improved security.') |
| else: |
| self.logger.info( |
| '\nYou have chosen to allow this file to be readable by others.\n' |
| 'If you would like to fix this yourself, consider running:\n' |
| '"sudo chmod 400 </path/to/key>" for improved security.') |
| |
| def _PromptForProxyConfigVarAndMaybeSaveToBotoConfig(self, varname, prompt, |
| convert_to_bool=False): |
| """Prompts for one proxy config line, saves to boto.config if not empty. |
| |
| Args: |
| varname: The config variable name. |
| prompt: The prompt to output to the user. |
| convert_to_bool: Whether to convert "y/n" to True/False. |
| """ |
| value = raw_input(prompt) |
| if value: |
| if convert_to_bool: |
| if value == 'y' or value == 'Y': |
| value = 'True' |
| else: |
| value = 'False' |
| boto.config.set('Boto', varname, value) |
| |
| def _PromptForProxyConfig(self): |
| """Prompts for proxy config data, loads non-empty values into boto.config. |
| """ |
| self._PromptForProxyConfigVarAndMaybeSaveToBotoConfig( |
| 'proxy', 'What is your proxy host? ') |
| self._PromptForProxyConfigVarAndMaybeSaveToBotoConfig( |
| 'proxy_port', 'What is your proxy port? ') |
| self._PromptForProxyConfigVarAndMaybeSaveToBotoConfig( |
| 'proxy_user', 'What is your proxy user (leave blank if not used)? ') |
| self._PromptForProxyConfigVarAndMaybeSaveToBotoConfig( |
| 'proxy_pass', 'What is your proxy pass (leave blank if not used)? ') |
| self._PromptForProxyConfigVarAndMaybeSaveToBotoConfig( |
| 'proxy_rdns', |
| 'Should DNS lookups be resolved by your proxy? (Y if your site ' |
| 'disallows client DNS lookups)? ', |
| convert_to_bool=True) |
| |
| def _WriteConfigLineMaybeCommented(self, config_file, name, value, desc): |
| """Writes proxy name/value pair or comment line to config file. |
| |
| Writes proxy name/value pair if value is not None. Otherwise writes |
| comment line. |
| |
| Args: |
| config_file: File object to which the resulting config file will be |
| written. |
| name: The config variable name. |
| value: The value, or None. |
| desc: Human readable description (for comment). |
| """ |
| if not value: |
| name = '#%s' % name |
| value = '<%s>' % desc |
| config_file.write('%s = %s\n' % (name, value)) |
| |
| def _WriteProxyConfigFileSection(self, config_file): |
| """Writes proxy section of configuration file. |
| |
| Args: |
| config_file: File object to which the resulting config file will be |
| written. |
| """ |
| config = boto.config |
| config_file.write( |
| '# To use a proxy, edit and uncomment the proxy and proxy_port lines.\n' |
| '# If you need a user/password with this proxy, edit and uncomment\n' |
| '# those lines as well. If your organization also disallows DNS\n' |
| '# lookups by client machines set proxy_rdns = True\n' |
| '# If proxy_host and proxy_port are not specified in this file and\n' |
| '# one of the OS environment variables http_proxy, https_proxy, or\n' |
| '# HTTPS_PROXY is defined, gsutil will use the proxy server specified\n' |
| '# in these environment variables, in order of precedence according\n' |
| '# to how they are listed above.\n') |
| self._WriteConfigLineMaybeCommented( |
| config_file, 'proxy', config.get_value('Boto', 'proxy', None), |
| 'proxy host') |
| self._WriteConfigLineMaybeCommented( |
| config_file, 'proxy_port', config.get_value('Boto', 'proxy_port', None), |
| 'proxy port') |
| self._WriteConfigLineMaybeCommented( |
| config_file, 'proxy_user', config.get_value('Boto', 'proxy_user', None), |
| 'proxy user') |
| self._WriteConfigLineMaybeCommented( |
| config_file, 'proxy_pass', config.get_value('Boto', 'proxy_pass', None), |
| 'proxy password') |
| self._WriteConfigLineMaybeCommented( |
| config_file, 'proxy_rdns', |
| config.get_value('Boto', 'proxy_rdns', False), |
| 'let proxy server perform DNS lookups') |
| |
| # pylint: disable=dangerous-default-value,too-many-statements |
| def _WriteBotoConfigFile(self, config_file, launch_browser=True, |
| oauth2_scopes=[SCOPE_FULL_CONTROL], |
| cred_type=CredTypes.OAUTH2_USER_ACCOUNT): |
| """Creates a boto config file interactively. |
| |
| Needed credentials are obtained interactively, either by asking the user for |
| access key and secret, or by walking the user through the OAuth2 approval |
| flow. |
| |
| Args: |
| config_file: File object to which the resulting config file will be |
| written. |
| launch_browser: In the OAuth2 approval flow, attempt to open a browser |
| window and navigate to the approval URL. |
| oauth2_scopes: A list of OAuth2 scopes to request authorization for, when |
| using OAuth2. |
| cred_type: There are three options: |
| - for HMAC, ask the user for access key and secret |
| - for OAUTH2_USER_ACCOUNT, walk the user through OAuth2 approval flow |
| and produce a config with an oauth2_refresh_token credential. |
| - for OAUTH2_SERVICE_ACCOUNT, prompt the user for OAuth2 for service |
| account email address and private key file (and if the file is a .p12 |
| file, the password for that file). |
| """ |
| # Collect credentials |
| provider_map = {'aws': 'aws', 'google': 'gs'} |
| uri_map = {'aws': 's3', 'google': 'gs'} |
| key_ids = {} |
| sec_keys = {} |
| service_account_key_is_json = False |
| if cred_type == CredTypes.OAUTH2_SERVICE_ACCOUNT: |
| gs_service_key_file = raw_input('What is the full path to your private ' |
| 'key file? ') |
| # JSON files have the email address built-in and don't require a password. |
| try: |
| with open(gs_service_key_file, 'rb') as key_file_fp: |
| json.loads(key_file_fp.read()) |
| service_account_key_is_json = True |
| except ValueError: |
| if not HAS_CRYPTO: |
| raise CommandException( |
| 'Service account authentication via a .p12 file requires ' |
| 'either\nPyOpenSSL or PyCrypto 2.6 or later. Please install ' |
| 'either of these\nto proceed, use a JSON-format key file, or ' |
| 'configure a different type of credentials.') |
| |
| if not service_account_key_is_json: |
| gs_service_client_id = raw_input('What is your service account email ' |
| 'address? ') |
| gs_service_key_file_password = raw_input( |
| '\n'.join(textwrap.wrap( |
| 'What is the password for your service key file [if you ' |
| 'haven\'t set one explicitly, leave this line blank]?')) + ' ') |
| self._CheckPrivateKeyFilePermissions(gs_service_key_file) |
| elif cred_type == CredTypes.OAUTH2_USER_ACCOUNT: |
| oauth2_client = oauth2_helper.OAuth2ClientFromBotoConfig(boto.config, |
| cred_type) |
| try: |
| oauth2_refresh_token = oauth2_helper.OAuth2ApprovalFlow( |
| oauth2_client, oauth2_scopes, launch_browser) |
| except (ResponseNotReady, ServerNotFoundError, socket.error): |
| # TODO: Determine condition to check for in the ResponseNotReady |
| # exception so we only run proxy config flow if failure was caused by |
| # request being blocked because it wasn't sent through proxy. (This |
| # error could also happen if gsutil or the oauth2 client had a bug that |
| # attempted to incorrectly reuse an HTTP connection, for example.) |
| sys.stdout.write('\n'.join(textwrap.wrap( |
| "Unable to connect to accounts.google.com during OAuth2 flow. This " |
| "can happen if your site uses a proxy. If you are using gsutil " |
| "through a proxy, please enter the proxy's information; otherwise " |
| "leave the following fields blank.")) + '\n') |
| self._PromptForProxyConfig() |
| oauth2_client = oauth2_helper.OAuth2ClientFromBotoConfig(boto.config, |
| cred_type) |
| oauth2_refresh_token = oauth2_helper.OAuth2ApprovalFlow( |
| oauth2_client, oauth2_scopes, launch_browser) |
| elif cred_type == CredTypes.HMAC: |
| got_creds = False |
| for provider in provider_map: |
| if provider == 'google': |
| key_ids[provider] = raw_input('What is your %s access key ID? ' % |
| provider) |
| sec_keys[provider] = raw_input('What is your %s secret access key? ' % |
| provider) |
| got_creds = True |
| if not key_ids[provider] or not sec_keys[provider]: |
| raise CommandException( |
| 'Incomplete credentials provided. Please try again.') |
| if not got_creds: |
| raise CommandException('No credentials provided. Please try again.') |
| |
| # Write the config file prelude. |
| config_file.write(CONFIG_PRELUDE_CONTENT.lstrip()) |
| config_file.write( |
| '# This file was created by gsutil version %s at %s.\n' |
| % (gslib.VERSION, |
| datetime.datetime.now().strftime('%Y-%m-%d %H:%M:%S'))) |
| config_file.write( |
| '#\n# You can create additional configuration files by ' |
| 'running\n# gsutil config [options] [-o <config-file>]\n\n\n') |
| |
| # Write the config file Credentials section. |
| config_file.write('[Credentials]\n\n') |
| if cred_type == CredTypes.OAUTH2_SERVICE_ACCOUNT: |
| config_file.write('# Google OAuth2 service account credentials ' |
| '(for "gs://" URIs):\n') |
| config_file.write('gs_service_key_file = %s\n' % gs_service_key_file) |
| if not service_account_key_is_json: |
| config_file.write('gs_service_client_id = %s\n' |
| % gs_service_client_id) |
| |
| if not gs_service_key_file_password: |
| config_file.write( |
| '# If you would like to set your password, you can do so using\n' |
| '# the following commands (replaced with your information):\n' |
| '# "openssl pkcs12 -in cert1.p12 -out temp_cert.pem"\n' |
| '# "openssl pkcs12 -export -in temp_cert.pem -out cert2.p12"\n' |
| '# "rm -f temp_cert.pem"\n' |
| '# Your initial password is "notasecret" - for more information,' |
| '\n# please see http://www.openssl.org/docs/apps/pkcs12.html.\n') |
| config_file.write('#gs_service_key_file_password =\n\n') |
| else: |
| config_file.write('gs_service_key_file_password = %s\n\n' |
| % gs_service_key_file_password) |
| elif cred_type == CredTypes.OAUTH2_USER_ACCOUNT: |
| config_file.write( |
| '# Google OAuth2 credentials (for "gs://" URIs):\n' |
| '# The following OAuth2 account is authorized for scope(s):\n') |
| for scope in oauth2_scopes: |
| config_file.write('# %s\n' % scope) |
| config_file.write( |
| 'gs_oauth2_refresh_token = %s\n\n' % oauth2_refresh_token) |
| else: |
| config_file.write( |
| '# To add Google OAuth2 credentials ("gs://" URIs), ' |
| 'edit and uncomment the\n# following line:\n' |
| '#gs_oauth2_refresh_token = <your OAuth2 refresh token>\n\n') |
| |
| for provider in provider_map: |
| key_prefix = provider_map[provider] |
| uri_scheme = uri_map[provider] |
| if provider in key_ids and provider in sec_keys: |
| config_file.write('# %s credentials ("%s://" URIs):\n' % |
| (provider, uri_scheme)) |
| config_file.write('%s_access_key_id = %s\n' % |
| (key_prefix, key_ids[provider])) |
| config_file.write('%s_secret_access_key = %s\n' % |
| (key_prefix, sec_keys[provider])) |
| else: |
| config_file.write( |
| '# To add %s credentials ("%s://" URIs), edit and ' |
| 'uncomment the\n# following two lines:\n' |
| '#%s_access_key_id = <your %s access key ID>\n' |
| '#%s_secret_access_key = <your %s secret access key>\n' % |
| (provider, uri_scheme, key_prefix, provider, key_prefix, |
| provider)) |
| host_key = Provider.HostKeyMap[provider] |
| config_file.write( |
| '# The ability to specify an alternate storage host and port\n' |
| '# is primarily for cloud storage service developers.\n' |
| '# Setting a non-default gs_host only works if prefer_api=xml.\n' |
| '#%s_host = <alternate storage host address>\n' |
| '#%s_port = <alternate storage host port>\n' |
| % (host_key, host_key)) |
| if host_key == 'gs': |
| config_file.write( |
| '#%s_json_host = <alternate JSON API storage host address>\n' |
| '#%s_json_port = <alternate JSON API storage host port>\n\n' |
| % (host_key, host_key)) |
| config_file.write('\n') |
| |
| # Write the config file Boto section. |
| config_file.write('%s\n' % CONFIG_BOTO_SECTION_CONTENT) |
| self._WriteProxyConfigFileSection(config_file) |
| |
| # Write the config file GSUtil section that doesn't depend on user input. |
| config_file.write(CONFIG_INPUTLESS_GSUTIL_SECTION_CONTENT) |
| |
| # Write the default API version. |
| config_file.write(""" |
| # 'default_api_version' specifies the default Google Cloud Storage XML API |
| # version to use. If not set below gsutil defaults to API version 1. |
| """) |
| api_version = 2 |
| if cred_type == CredTypes.HMAC: api_version = 1 |
| |
| config_file.write('default_api_version = %d\n' % api_version) |
| |
| # Write the config file GSUtil section that includes the default |
| # project ID input from the user. |
| if launch_browser: |
| sys.stdout.write( |
| 'Attempting to launch a browser to open the Google Cloud Console at ' |
| 'URL: %s\n\n' |
| '[Note: due to a Python bug, you may see a spurious error message ' |
| '"object is not\ncallable [...] in [...] Popen.__del__" which can ' |
| 'be ignored.]\n\n' % GOOG_CLOUD_CONSOLE_URI) |
| sys.stdout.write( |
| 'In your browser you should see the Cloud Console. Find the project ' |
| 'you will\nuse, and then copy the Project ID string from the second ' |
| 'column. Older projects do\nnot have Project ID strings. For such ' |
| 'projects, click the project and then copy the\nProject Number ' |
| 'listed under that project.\n\n') |
| if not webbrowser.open(GOOG_CLOUD_CONSOLE_URI, new=1, autoraise=True): |
| sys.stdout.write( |
| 'Launching browser appears to have failed; please navigate a ' |
| 'browser to the following URL:\n%s\n' % GOOG_CLOUD_CONSOLE_URI) |
| # Short delay; webbrowser.open on linux insists on printing out a message |
| # which we don't want to run into the prompt for the auth code. |
| time.sleep(2) |
| else: |
| sys.stdout.write( |
| '\nPlease navigate your browser to %s,\nthen find the project you ' |
| 'will use, and copy the Project ID string from the\nsecond column. ' |
| 'Older projects do not have Project ID strings. For such projects,\n' |
| 'click the project and then copy the Project Number listed under ' |
| 'that project.\n\n' % GOOG_CLOUD_CONSOLE_URI) |
| default_project_id = raw_input('What is your project-id? ').strip() |
| project_id_section_prelude = """ |
| # 'default_project_id' specifies the default Google Cloud Storage project ID to |
| # use with the 'mb' and 'ls' commands. This default can be overridden by |
| # specifying the -p option to the 'mb' and 'ls' commands. |
| """ |
| if not default_project_id: |
| raise CommandException( |
| 'No default project ID entered. The default project ID is needed by ' |
| 'the\nls and mb commands; please try again.') |
| config_file.write('%sdefault_project_id = %s\n\n\n' % |
| (project_id_section_prelude, default_project_id)) |
| |
| # Write the config file OAuth2 section. |
| config_file.write(CONFIG_OAUTH2_CONFIG_CONTENT) |
| |
| def RunCommand(self): |
| """Command entry point for the config command.""" |
| scopes = [] |
| cred_type = CredTypes.OAUTH2_USER_ACCOUNT |
| launch_browser = False |
| output_file_name = None |
| has_a = False |
| has_e = False |
| for opt, opt_arg in self.sub_opts: |
| if opt == '-a': |
| cred_type = CredTypes.HMAC |
| has_a = True |
| elif opt == '-b': |
| launch_browser = True |
| elif opt == '-e': |
| cred_type = CredTypes.OAUTH2_SERVICE_ACCOUNT |
| has_e = True |
| elif opt == '-f': |
| scopes.append(SCOPE_FULL_CONTROL) |
| elif opt == '-o': |
| output_file_name = opt_arg |
| elif opt == '-r': |
| scopes.append(SCOPE_READ_ONLY) |
| elif opt == '-s': |
| scopes.append(opt_arg) |
| elif opt == '-w': |
| scopes.append(SCOPE_READ_WRITE) |
| else: |
| self.RaiseInvalidArgumentException() |
| |
| if has_e and has_a: |
| raise CommandException('Both -a and -e cannot be specified. Please see ' |
| '"gsutil help config" for more information.') |
| |
| if not scopes: |
| scopes.append(SCOPE_FULL_CONTROL) |
| |
| default_config_path_bak = None |
| if not output_file_name: |
| # Check to see if a default config file name is requested via |
| # environment variable. If so, use it, otherwise use the hard-coded |
| # default file. Then use the default config file name, if it doesn't |
| # exist or can be moved out of the way without clobbering an existing |
| # backup file. |
| boto_config_from_env = os.environ.get('BOTO_CONFIG', None) |
| if boto_config_from_env: |
| default_config_path = boto_config_from_env |
| else: |
| default_config_path = os.path.expanduser(os.path.join('~', '.boto')) |
| if not os.path.exists(default_config_path): |
| output_file_name = default_config_path |
| else: |
| default_config_path_bak = default_config_path + '.bak' |
| if os.path.exists(default_config_path_bak): |
| raise CommandException( |
| 'Cannot back up existing config ' |
| 'file "%s": backup file exists ("%s").' |
| % (default_config_path, default_config_path_bak)) |
| else: |
| try: |
| sys.stderr.write( |
| 'Backing up existing config file "%s" to "%s"...\n' |
| % (default_config_path, default_config_path_bak)) |
| os.rename(default_config_path, default_config_path_bak) |
| except Exception, e: |
| raise CommandException( |
| 'Failed to back up existing config ' |
| 'file ("%s" -> "%s"): %s.' |
| % (default_config_path, default_config_path_bak, e)) |
| output_file_name = default_config_path |
| |
| if output_file_name == '-': |
| output_file = sys.stdout |
| else: |
| output_file = self._OpenConfigFile(output_file_name) |
| sys.stderr.write('\n'.join(textwrap.wrap( |
| 'This command will create a boto config file at %s containing your ' |
| 'credentials, based on your responses to the following questions.' |
| % output_file_name)) + '\n') |
| |
| # Catch ^C so we can restore the backup. |
| RegisterSignalHandler(signal.SIGINT, _CleanupHandler) |
| try: |
| self._WriteBotoConfigFile(output_file, launch_browser=launch_browser, |
| oauth2_scopes=scopes, cred_type=cred_type) |
| except Exception as e: |
| user_aborted = isinstance(e, AbortException) |
| if user_aborted: |
| sys.stderr.write('\nCaught ^C; cleaning up\n') |
| # If an error occurred during config file creation, remove the invalid |
| # config file and restore the backup file. |
| if output_file_name != '-': |
| output_file.close() |
| os.unlink(output_file_name) |
| try: |
| if default_config_path_bak: |
| sys.stderr.write('Restoring previous backed up file (%s)\n' % |
| default_config_path_bak) |
| os.rename(default_config_path_bak, output_file_name) |
| except Exception as e: |
| # Raise the original exception so that we can see what actually went |
| # wrong, rather than just finding out that we died before assigning |
| # a value to default_config_path_bak. |
| raise e |
| raise |
| |
| if output_file_name != '-': |
| output_file.close() |
| if not boto.config.has_option('Boto', 'proxy'): |
| sys.stderr.write('\n' + '\n'.join(textwrap.wrap( |
| 'Boto config file "%s" created.\nIf you need to use a proxy to ' |
| 'access the Internet please see the instructions in that file.' |
| % output_file_name)) + '\n') |
| |
| return 0 |
| |
| |
| def _CleanupHandler(unused_signalnum, unused_handler): |
| raise AbortException('User interrupted config command') |