Add support for google-auth and remove Python 2.6 support (#319)

* `discovery.build` and `discovery.build_from_document` now accept both oauth2client credentials and google-auth credentials.
* `discovery.build` and `discovery.build_from_document` now unambiguously use the http argument for *all* requests, including the request to get the discovery document.
* The `http` and `credentials` arguments to `discovery.build` and `discovery.build_from_document` are now mutally exclusive.
* If neither `http` or `credentials` is specified to `discovery.build` and `discovery.build_from_document`, then Application Default Credentials will be used.
* oauth2client is still the "default" authentication library.

Author: Jon Wayne Parrott

.travis.yml

@@ -4,7 +4,6 @@ sudo: false
 cache: pip
 env:
   matrix:
-  - TOX_ENV=py26
   - TOX_ENV=py27
   - TOX_ENV=py33
   - TOX_ENV=py34

googleapiclient/_auth.py

@@ -0,0 +1,90 @@
+# Copyright 2016 Google Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""Helpers for authentication using oauth2client or google-auth."""
+
+import httplib2
+
+try:
+    import google.auth
+    import google_auth_httplib2
+    HAS_GOOGLE_AUTH = True
+except ImportError:  # pragma: NO COVER
+    HAS_GOOGLE_AUTH = False
+
+try:
+    import oauth2client
+    import oauth2client.client
+    HAS_OAUTH2CLIENT = True
+except ImportError:  # pragma: NO COVER
+    HAS_OAUTH2CLIENT = False
+
+
+def default_credentials():
+    """Returns Application Default Credentials."""
+    if HAS_GOOGLE_AUTH:
+        credentials, _ = google.auth.default()
+        return credentials
+    elif HAS_OAUTH2CLIENT:
+        return oauth2client.client.GoogleCredentials.get_application_default()
+    else:
+        raise EnvironmentError(
+            'No authentication library is available. Please install either '
+            'google-auth or oauth2client.')
+
+
+def with_scopes(credentials, scopes):
+    """Scopes the credentials if necessary.
+
+    Args:
+        credentials (Union[
+            google.auth.credentials.Credentials,
+            oauth2client.client.Credentials]): The credentials to scope.
+        scopes (Sequence[str]): The list of scopes.
+
+    Returns:
+        Union[google.auth.credentials.Credentials,
+            oauth2client.client.Credentials]: The scoped credentials.
+    """
+    if HAS_GOOGLE_AUTH and isinstance(
+            credentials, google.auth.credentials.Credentials):
+        return google.auth.credentials.with_scopes_if_required(
+            credentials, scopes)
+    else:
+        try:
+            if credentials.create_scoped_required():
+                return credentials.create_scoped(scopes)
+            else:
+                return credentials
+        except AttributeError:
+            return credentials
+
+
+def authorized_http(credentials):
+    """Returns an http client that is authorized with the given credentials.
+
+    Args:
+        credentials (Union[
+            google.auth.credentials.Credentials,
+            oauth2client.client.Credentials]): The credentials to use.
+
+    Returns:
+        Union[httplib2.Http, google_auth_httplib2.AuthorizedHttp]: An
+            authorized http client.
+    """
+    if HAS_GOOGLE_AUTH and isinstance(
+            credentials, google.auth.credentials.Credentials):
+        return google_auth_httplib2.AuthorizedHttp(credentials)
+    else:
+        return credentials.authorize(httplib2.Http())

googleapiclient/discovery.py

@@ -53,6 +53,7 @@
 import uritemplate
 
 # Local imports
+from googleapiclient import _auth
 from googleapiclient import mimeparse
 from googleapiclient.errors import HttpError
 from googleapiclient.errors import InvalidJsonError
@@ -197,7 +198,8 @@ def build(serviceName,
     model: googleapiclient.Model, converts to and from the wire format.
     requestBuilder: googleapiclient.http.HttpRequest, encapsulator for an HTTP
       request.
-    credentials: oauth2client.Credentials, credentials to be used for
+    credentials: oauth2client.Credentials or
+      google.auth.credentials.Credentials, credentials to be used for
       authentication.
     cache_discovery: Boolean, whether or not to cache the discovery doc.
     cache: googleapiclient.discovery_cache.base.CacheBase, an optional
@@ -211,15 +213,14 @@ def build(serviceName,
       'apiVersion': version
       }
 
-  if http is None:
-    http = httplib2.Http()
+  discovery_http = http if http is not None else httplib2.Http()
 
   for discovery_url in (discoveryServiceUrl, V2_DISCOVERY_URI,):
     requested_url = uritemplate.expand(discovery_url, params)
 
     try:
-      content = _retrieve_discovery_doc(requested_url, http, cache_discovery,
-                                        cache)
+      content = _retrieve_discovery_doc(
+        requested_url, discovery_http, cache_discovery, cache)
       return build_from_document(content, base=discovery_url, http=http,
           developerKey=developerKey, model=model, requestBuilder=requestBuilder,
           credentials=credentials)
@@ -316,17 +317,16 @@ def build_from_document(
     model: Model class instance that serializes and de-serializes requests and
       responses.
     requestBuilder: Takes an http request and packages it up to be executed.
-    credentials: object, credentials to be used for authentication.
+    credentials: oauth2client.Credentials or
+      google.auth.credentials.Credentials, credentials to be used for
+      authentication.
 
   Returns:
     A Resource object with methods for interacting with the service.
   """
 
-  if http is None:
-    http = httplib2.Http()
-
-  # future is no longer used.
-  future = {}
+  if http is not None and credentials is not None:
+    raise ValueError('Arguments http and credentials are mutually exclusive.')
 
   if isinstance(service, six.string_types):
     service = json.loads(service)
@@ -342,31 +342,36 @@ def build_from_document(
   base = urljoin(service['rootUrl'], service['servicePath'])
   schema = Schemas(service)
 
-  if credentials:
-    # If credentials were passed in, we could have two cases:
-    # 1. the scopes were specified, in which case the given credentials
-    #    are used for authorizing the http;
-    # 2. the scopes were not provided (meaning the Application Default
-    #    Credentials are to be used). In this case, the Application Default
-    #    Credentials are built and used instead of the original credentials.
-    #    If there are no scopes found (meaning the given service requires no
-    #    authentication), there is no authorization of the http.
-    if (isinstance(credentials, GoogleCredentials) and
-        credentials.create_scoped_required()):
-      scopes = service.get('auth', {}).get('oauth2', {}).get('scopes', {})
-      if scopes:
-        credentials = credentials.create_scoped(list(scopes.keys()))
-      else:
-        # No need to authorize the http object
-        # if the service does not require authentication.
-        credentials = None
+  # If the http client is not specified, then we must construct an http client
+  # to make requests. If the service has scopes, then we also need to setup
+  # authentication.
+  if http is None:
+    # Does the service require scopes?
+    scopes = list(
+      service.get('auth', {}).get('oauth2', {}).get('scopes', {}).keys())
 
-    if credentials:
-      http = credentials.authorize(http)
+    # If so, then the we need to setup authentication.
+    if scopes:
+      # If the user didn't pass in credentials, attempt to acquire application
+      # default credentials.
+      if credentials is None:
+        credentials = _auth.default_credentials()
+
+      # The credentials need to be scoped.
+      credentials = _auth.with_scopes(credentials, scopes)
+
+      # Create an authorized http instance
+      http = _auth.authorized_http(credentials)
+
+    # If the service doesn't require scopes then there is no need for
+    # authentication.
+    else:
+      http = httplib2.Http()
 
   if model is None:
     features = service.get('features', [])
     model = JsonModel('dataWrapper' in features)
+
   return Resource(http=http, baseUrl=base, model=model,
                   developerKey=developerKey, requestBuilder=requestBuilder,
                   resourceDesc=service, rootDesc=service, schema=schema)

setup.py

@@ -21,8 +21,8 @@
 
 import sys
 
-if sys.version_info < (2, 6):
-  print('google-api-python-client requires python version >= 2.6.',
+if sys.version_info < (2, 7):
+  print('google-api-python-client requires python version >= 2.7.',
         file=sys.stderr)
   sys.exit(1)
 if (3, 1) <= sys.version_info < (3, 3):
@@ -69,9 +69,6 @@ def _DetectBadness():
     'uritemplate>=3.0.0,<4dev',
 ]
 
-if sys.version_info < (2, 7):
-  install_requires.append('argparse')
-
 long_desc = """The Google API Client for Python is a client library for
 accessing the Plus, Moderator, and many other Google APIs."""
 
@@ -92,7 +89,6 @@ def _DetectBadness():
     keywords="google api client",
     classifiers=[
         'Programming Language :: Python :: 2',
-        'Programming Language :: Python :: 2.6',
         'Programming Language :: Python :: 2.7',
         'Programming Language :: Python :: 3',
         'Programming Language :: Python :: 3.3',

tests/test__auth.py

@@ -0,0 +1,134 @@
+# Copyright 2016 Google Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import mock
+
+import google.auth.credentials
+import google_auth_httplib2
+import httplib2
+import oauth2client.client
+import unittest2
+
+from googleapiclient import _auth
+
+
+class TestAuthWithGoogleAuth(unittest2.TestCase):
+    def setUp(self):
+        _auth.HAS_GOOGLE_AUTH = True
+        _auth.HAS_OAUTH2CLIENT = False
+
+    def tearDown(self):
+        _auth.HAS_GOOGLE_AUTH = True
+        _auth.HAS_OAUTH2CLIENT = True
+
+    def test_default_credentials(self):
+        with mock.patch('google.auth.default', autospec=True) as default:
+            default.return_value = (
+                mock.sentinel.credentials, mock.sentinel.project)
+
+            credentials = _auth.default_credentials()
+
+            self.assertEqual(credentials, mock.sentinel.credentials)
+
+    def test_with_scopes_non_scoped(self):
+        credentials = mock.Mock(spec=google.auth.credentials.Credentials)
+
+        returned = _auth.with_scopes(credentials, mock.sentinel.scopes)
+
+        self.assertEqual(credentials, returned)
+
+    def test_with_scopes_scoped(self):
+        class CredentialsWithScopes(
+                google.auth.credentials.Credentials,
+                google.auth.credentials.Scoped):
+            pass
+
+        credentials = mock.Mock(spec=CredentialsWithScopes)
+        credentials.requires_scopes = True
+
+        returned = _auth.with_scopes(credentials, mock.sentinel.scopes)
+
+        self.assertNotEqual(credentials, returned)
+        self.assertEqual(returned, credentials.with_scopes.return_value)
+        credentials.with_scopes.assert_called_once_with(mock.sentinel.scopes)
+
+    def test_authorized_http(self):
+        credentials = mock.Mock(spec=google.auth.credentials.Credentials)
+
+        http = _auth.authorized_http(credentials)
+
+        self.assertIsInstance(http, google_auth_httplib2.AuthorizedHttp)
+        self.assertEqual(http.credentials, credentials)
+
+
+class TestAuthWithOAuth2Client(unittest2.TestCase):
+    def setUp(self):
+        _auth.HAS_GOOGLE_AUTH = False
+        _auth.HAS_OAUTH2CLIENT = True
+
+    def tearDown(self):
+        _auth.HAS_GOOGLE_AUTH = True
+        _auth.HAS_OAUTH2CLIENT = True
+
+    def test_default_credentials(self):
+        default_patch = mock.patch(
+            'oauth2client.client.GoogleCredentials.get_application_default')
+
+        with default_patch as default:
+            default.return_value = mock.sentinel.credentials
+
+            credentials = _auth.default_credentials()
+
+            self.assertEqual(credentials, mock.sentinel.credentials)
+
+    def test_with_scopes_non_scoped(self):
+        credentials = mock.Mock(spec=oauth2client.client.Credentials)
+
+        returned = _auth.with_scopes(credentials, mock.sentinel.scopes)
+
+        self.assertEqual(credentials, returned)
+
+    def test_with_scopes_scoped(self):
+        credentials = mock.Mock(spec=oauth2client.client.GoogleCredentials)
+        credentials.create_scoped_required.return_value = True
+
+        returned = _auth.with_scopes(credentials, mock.sentinel.scopes)
+
+        self.assertNotEqual(credentials, returned)
+        self.assertEqual(returned, credentials.create_scoped.return_value)
+        credentials.create_scoped.assert_called_once_with(mock.sentinel.scopes)
+
+    def test_authorized_http(self):
+        credentials = mock.Mock(spec=oauth2client.client.Credentials)
+
+        http = _auth.authorized_http(credentials)
+
+        self.assertEqual(http, credentials.authorize.return_value)
+        self.assertIsInstance(
+            credentials.authorize.call_args[0][0], httplib2.Http)
+
+
+class TestAuthWithoutAuth(unittest2.TestCase):
+
+    def setUp(self):
+        _auth.HAS_GOOGLE_AUTH = False
+        _auth.HAS_OAUTH2CLIENT = False
+
+    def tearDown(self):
+        _auth.HAS_GOOGLE_AUTH = True
+        _auth.HAS_OAUTH2CLIENT = True
+
+    def test_default_credentials(self):
+        with self.assertRaises(EnvironmentError):
+            print(_auth.default_credentials())