Add files using upload-large-folder tool

.venv/lib/python3.11/site-packages/httptools/__init__.py

@@ -0,0 +1,6 @@
+from . import parser
+from .parser import *  # NOQA
+
+from ._version import __version__  # NOQA
+
+__all__ = parser.__all__ + ('__version__',)  # NOQA

.venv/lib/python3.11/site-packages/httptools/_version.py

@@ -0,0 +1,13 @@
+# This file MUST NOT contain anything but the __version__ assignment.
+#
+# When making a release, change the value of __version__
+# to an appropriate value, and open a pull request against
+# the correct branch (master if making a new feature release).
+# The commit message MUST contain a properly formatted release
+# log, and the commit must be signed.
+#
+# The release automation will: build and test the packages for the
+# supported platforms, publish the packages on PyPI, merge the PR
+# to the target branch, create a Git tag pointing to the commit.
+
+__version__ = '0.6.4'

.venv/lib/python3.11/site-packages/httptools/parser/__init__.py

@@ -0,0 +1,5 @@
+from .parser import *  # NoQA
+from .errors import *  # NoQA
+from .url_parser import *  # NoQA
+
+__all__ = parser.__all__ + errors.__all__ + url_parser.__all__  # NoQA

.venv/lib/python3.11/site-packages/httptools/parser/cparser.pxd

@@ -0,0 +1,167 @@
+from libc.stdint cimport int32_t, uint8_t, uint16_t, uint64_t
+
+
+cdef extern from "llhttp.h":
+    struct llhttp__internal_s:
+        int32_t _index
+        void *_span_pos0
+        void *_span_cb0
+        int32_t error
+        const char *reason
+        const char *error_pos
+        void *data
+        void *_current
+        uint64_t content_length
+        uint8_t type
+        uint8_t method
+        uint8_t http_major
+        uint8_t http_minor
+        uint8_t header_state
+        uint16_t flags
+        uint8_t upgrade
+        uint16_t status_code
+        uint8_t finish
+        void *settings
+    ctypedef llhttp__internal_s llhttp__internal_t
+    ctypedef llhttp__internal_t llhttp_t
+
+    ctypedef int (*llhttp_data_cb) (llhttp_t*,
+                                  const char *at,
+                                  size_t length) except -1
+
+    ctypedef int (*llhttp_cb) (llhttp_t*) except -1
+
+    struct llhttp_settings_s:
+        llhttp_cb      on_message_begin
+        llhttp_data_cb on_url
+        llhttp_data_cb on_status
+        llhttp_data_cb on_header_field
+        llhttp_data_cb on_header_value
+        llhttp_cb      on_headers_complete
+        llhttp_data_cb on_body
+        llhttp_cb      on_message_complete
+        llhttp_cb      on_chunk_header
+        llhttp_cb      on_chunk_complete
+    ctypedef llhttp_settings_s llhttp_settings_t
+
+    enum llhttp_type:
+        HTTP_BOTH,
+        HTTP_REQUEST,
+        HTTP_RESPONSE
+    ctypedef llhttp_type llhttp_type_t
+
+    enum llhttp_errno:
+        HPE_OK,
+        HPE_INTERNAL,
+        HPE_STRICT,
+        HPE_LF_EXPECTED,
+        HPE_UNEXPECTED_CONTENT_LENGTH,
+        HPE_CLOSED_CONNECTION,
+        HPE_INVALID_METHOD,
+        HPE_INVALID_URL,
+        HPE_INVALID_CONSTANT,
+        HPE_INVALID_VERSION,
+        HPE_INVALID_HEADER_TOKEN,
+        HPE_INVALID_CONTENT_LENGTH,
+        HPE_INVALID_CHUNK_SIZE,
+        HPE_INVALID_STATUS,
+        HPE_INVALID_EOF_STATE,
+        HPE_INVALID_TRANSFER_ENCODING,
+        HPE_CB_MESSAGE_BEGIN,
+        HPE_CB_HEADERS_COMPLETE,
+        HPE_CB_MESSAGE_COMPLETE,
+        HPE_CB_CHUNK_HEADER,
+        HPE_CB_CHUNK_COMPLETE,
+        HPE_PAUSED,
+        HPE_PAUSED_UPGRADE,
+        HPE_USER
+    ctypedef llhttp_errno llhttp_errno_t
+
+    enum llhttp_flags:
+        F_CONNECTION_KEEP_ALIVE,
+        F_CONNECTION_CLOSE,
+        F_CONNECTION_UPGRADE,
+        F_CHUNKED,
+        F_UPGRADE,
+        F_CONTENT_LENGTH,
+        F_SKIPBODY,
+        F_TRAILING,
+        F_LENIENT,
+        F_TRANSFER_ENCODING
+    ctypedef llhttp_flags llhttp_flags_t
+
+    enum llhttp_method:
+        HTTP_DELETE,
+        HTTP_GET,
+        HTTP_HEAD,
+        HTTP_POST,
+        HTTP_PUT,
+        HTTP_CONNECT,
+        HTTP_OPTIONS,
+        HTTP_TRACE,
+        HTTP_COPY,
+        HTTP_LOCK,
+        HTTP_MKCOL,
+        HTTP_MOVE,
+        HTTP_PROPFIND,
+        HTTP_PROPPATCH,
+        HTTP_SEARCH,
+        HTTP_UNLOCK,
+        HTTP_BIND,
+        HTTP_REBIND,
+        HTTP_UNBIND,
+        HTTP_ACL,
+        HTTP_REPORT,
+        HTTP_MKACTIVITY,
+        HTTP_CHECKOUT,
+        HTTP_MERGE,
+        HTTP_MSEARCH,
+        HTTP_NOTIFY,
+        HTTP_SUBSCRIBE,
+        HTTP_UNSUBSCRIBE,
+        HTTP_PATCH,
+        HTTP_PURGE,
+        HTTP_MKCALENDAR,
+        HTTP_LINK,
+        HTTP_UNLINK,
+        HTTP_SOURCE,
+        HTTP_PRI,
+        HTTP_DESCRIBE,
+        HTTP_ANNOUNCE,
+        HTTP_SETUP,
+        HTTP_PLAY,
+        HTTP_PAUSE,
+        HTTP_TEARDOWN,
+        HTTP_GET_PARAMETER,
+        HTTP_SET_PARAMETER,
+        HTTP_REDIRECT,
+        HTTP_RECORD,
+        HTTP_FLUSH
+    ctypedef llhttp_method llhttp_method_t
+
+    void llhttp_init(llhttp_t* parser, llhttp_type_t type, const llhttp_settings_t* settings)
+
+    void llhttp_settings_init(llhttp_settings_t* settings)
+
+    llhttp_errno_t llhttp_execute(llhttp_t* parser, const char* data, size_t len)
+
+    void llhttp_resume_after_upgrade(llhttp_t* parser)
+
+    int llhttp_should_keep_alive(const llhttp_t* parser)
+
+    const char* llhttp_get_error_pos(const llhttp_t* parser)
+    const char* llhttp_get_error_reason(const llhttp_t* parser)
+    const char* llhttp_method_name(llhttp_method_t method)
+
+    void llhttp_set_error_reason(llhttp_t* parser, const char* reason);
+
+    void llhttp_set_lenient_headers(llhttp_t* parser, bint enabled);
+    void llhttp_set_lenient_chunked_length(llhttp_t* parser, bint enabled);
+    void llhttp_set_lenient_keep_alive(llhttp_t* parser, bint enabled);
+    void llhttp_set_lenient_transfer_encoding(llhttp_t* parser, bint enabled);
+    void llhttp_set_lenient_version(llhttp_t* parser, bint enabled);
+    void llhttp_set_lenient_data_after_close(llhttp_t* parser, bint enabled);
+    void llhttp_set_lenient_optional_lf_after_cr(llhttp_t* parser, bint enabled);
+    void llhttp_set_lenient_optional_cr_before_lf(llhttp_t* parser, bint enabled);
+    void llhttp_set_lenient_optional_crlf_after_chunk(llhttp_t* parser, bint enabled);
+    void llhttp_set_lenient_spaces_after_chunk_size(llhttp_t* parser, bint enabled);

.venv/lib/python3.11/site-packages/httptools/parser/errors.py

@@ -0,0 +1,30 @@
+__all__ = ('HttpParserError',
+           'HttpParserCallbackError',
+           'HttpParserInvalidStatusError',
+           'HttpParserInvalidMethodError',
+           'HttpParserInvalidURLError',
+           'HttpParserUpgrade')
+
+
+class HttpParserError(Exception):
+    pass
+
+
+class HttpParserCallbackError(HttpParserError):
+    pass
+
+
+class HttpParserInvalidStatusError(HttpParserError):
+    pass
+
+
+class HttpParserInvalidMethodError(HttpParserError):
+    pass
+
+
+class HttpParserInvalidURLError(HttpParserError):
+    pass
+
+
+class HttpParserUpgrade(Exception):
+    pass

.venv/lib/python3.11/site-packages/httptools/parser/parser.pyx

@@ -0,0 +1,436 @@
+#cython: language_level=3
+
+from __future__ import print_function
+from typing import Optional
+
+from cpython.mem cimport PyMem_Malloc, PyMem_Free
+from cpython cimport PyObject_GetBuffer, PyBuffer_Release, PyBUF_SIMPLE, \
+                     Py_buffer, PyBytes_AsString
+
+from .python cimport PyMemoryView_Check, PyMemoryView_GET_BUFFER
+
+
+from .errors import (HttpParserError,
+                     HttpParserCallbackError,
+                     HttpParserInvalidStatusError,
+                     HttpParserInvalidMethodError,
+                     HttpParserInvalidURLError,
+                     HttpParserUpgrade)
+
+cimport cython
+from . cimport cparser
+
+
+__all__ = ('HttpRequestParser', 'HttpResponseParser')
+
+
+@cython.internal
+cdef class HttpParser:
+
+    cdef:
+        cparser.llhttp_t* _cparser
+        cparser.llhttp_settings_t* _csettings
+
+        bytes _current_header_name
+        bytes _current_header_value
+
+        _proto_on_url, _proto_on_status, _proto_on_body, \
+        _proto_on_header, _proto_on_headers_complete, \
+        _proto_on_message_complete, _proto_on_chunk_header, \
+        _proto_on_chunk_complete, _proto_on_message_begin
+
+        object _last_error
+
+        Py_buffer py_buf
+
+    def __cinit__(self):
+        self._cparser = <cparser.llhttp_t*> \
+                                PyMem_Malloc(sizeof(cparser.llhttp_t))
+        if self._cparser is NULL:
+            raise MemoryError()
+
+        self._csettings = <cparser.llhttp_settings_t*> \
+                                PyMem_Malloc(sizeof(cparser.llhttp_settings_t))
+        if self._csettings is NULL:
+            raise MemoryError()
+
+    def __dealloc__(self):
+        PyMem_Free(self._cparser)
+        PyMem_Free(self._csettings)
+
+    cdef _init(self, protocol, cparser.llhttp_type_t mode):
+        cparser.llhttp_settings_init(self._csettings)
+
+        cparser.llhttp_init(self._cparser, mode, self._csettings)
+        self._cparser.data = <void*>self
+
+        self._current_header_name = None
+        self._current_header_value = None
+
+        self._proto_on_header = getattr(protocol, 'on_header', None)
+        if self._proto_on_header is not None:
+            self._csettings.on_header_field = cb_on_header_field
+            self._csettings.on_header_value = cb_on_header_value
+        self._proto_on_headers_complete = getattr(
+            protocol, 'on_headers_complete', None)
+        self._csettings.on_headers_complete = cb_on_headers_complete
+
+        self._proto_on_body = getattr(protocol, 'on_body', None)
+        if self._proto_on_body is not None:
+            self._csettings.on_body = cb_on_body
+
+        self._proto_on_message_begin = getattr(
+            protocol, 'on_message_begin', None)
+        if self._proto_on_message_begin is not None:
+            self._csettings.on_message_begin = cb_on_message_begin
+
+        self._proto_on_message_complete = getattr(
+            protocol, 'on_message_complete', None)
+        if self._proto_on_message_complete is not None:
+            self._csettings.on_message_complete = cb_on_message_complete
+
+        self._proto_on_chunk_header = getattr(
+            protocol, 'on_chunk_header', None)
+        self._csettings.on_chunk_header = cb_on_chunk_header
+
+        self._proto_on_chunk_complete = getattr(
+            protocol, 'on_chunk_complete', None)
+        self._csettings.on_chunk_complete = cb_on_chunk_complete
+
+        self._last_error = None
+
+    cdef _maybe_call_on_header(self):
+        if self._current_header_value is not None:
+            current_header_name = self._current_header_name
+            current_header_value = self._current_header_value
+
+            self._current_header_name = self._current_header_value = None
+
+            if self._proto_on_header is not None:
+                self._proto_on_header(current_header_name,
+                                      current_header_value)
+
+    cdef _on_header_field(self, bytes field):
+        self._maybe_call_on_header()
+        if self._current_header_name is None:
+            self._current_header_name = field
+        else:
+            self._current_header_name += field
+
+    cdef _on_header_value(self, bytes val):
+        if self._current_header_value is None:
+            self._current_header_value = val
+        else:
+            # This is unlikely, as mostly HTTP headers are one-line
+            self._current_header_value += val
+
+    cdef _on_headers_complete(self):
+        self._maybe_call_on_header()
+
+        if self._proto_on_headers_complete is not None:
+            self._proto_on_headers_complete()
+
+    cdef _on_chunk_header(self):
+        if (self._current_header_value is not None or
+            self._current_header_name is not None):
+            raise HttpParserError('invalid headers state')
+
+        if self._proto_on_chunk_header is not None:
+            self._proto_on_chunk_header()
+
+    cdef _on_chunk_complete(self):
+        self._maybe_call_on_header()
+
+        if self._proto_on_chunk_complete is not None:
+            self._proto_on_chunk_complete()
+
+    ### Public API ###
+
+    def set_dangerous_leniencies(
+        self,
+        lenient_headers: Optional[bool] = None,
+        lenient_chunked_length: Optional[bool] = None,
+        lenient_keep_alive: Optional[bool] = None,
+        lenient_transfer_encoding: Optional[bool] = None,
+        lenient_version: Optional[bool] = None,
+        lenient_data_after_close: Optional[bool] = None,
+        lenient_optional_lf_after_cr: Optional[bool] = None,
+        lenient_optional_cr_before_lf: Optional[bool] = None,
+        lenient_optional_crlf_after_chunk: Optional[bool] = None,
+        lenient_spaces_after_chunk_size: Optional[bool] = None,
+    ):
+        cdef cparser.llhttp_t* parser = self._cparser
+        if lenient_headers is not None:
+            cparser.llhttp_set_lenient_headers(
+                parser, lenient_headers)
+        if lenient_chunked_length is not None:
+            cparser.llhttp_set_lenient_chunked_length(
+                parser, lenient_chunked_length)
+        if lenient_keep_alive is not None:
+            cparser.llhttp_set_lenient_keep_alive(
+                parser, lenient_keep_alive)
+        if lenient_transfer_encoding is not None:
+            cparser.llhttp_set_lenient_transfer_encoding(
+                parser, lenient_transfer_encoding)
+        if lenient_version is not None:
+            cparser.llhttp_set_lenient_version(
+                parser, lenient_version)
+        if lenient_data_after_close is not None:
+            cparser.llhttp_set_lenient_data_after_close(
+                parser, lenient_data_after_close)
+        if lenient_optional_lf_after_cr is not None:
+            cparser.llhttp_set_lenient_optional_lf_after_cr(
+                parser, lenient_optional_lf_after_cr)
+        if lenient_optional_cr_before_lf is not None:
+            cparser.llhttp_set_lenient_optional_cr_before_lf(
+                parser, lenient_optional_cr_before_lf)
+        if lenient_optional_crlf_after_chunk is not None:
+            cparser.llhttp_set_lenient_optional_crlf_after_chunk(
+                parser, lenient_optional_crlf_after_chunk)
+        if lenient_spaces_after_chunk_size is not None:
+            cparser.llhttp_set_lenient_spaces_after_chunk_size(
+                parser, lenient_spaces_after_chunk_size)
+
+    def get_http_version(self):
+        cdef cparser.llhttp_t* parser = self._cparser
+        return '{}.{}'.format(parser.http_major, parser.http_minor)
+
+    def should_keep_alive(self):
+        return bool(cparser.llhttp_should_keep_alive(self._cparser))
+
+    def should_upgrade(self):
+        cdef cparser.llhttp_t* parser = self._cparser
+        return bool(parser.upgrade)
+
+    def feed_data(self, data):
+        cdef:
+            size_t data_len
+            cparser.llhttp_errno_t err
+            Py_buffer *buf
+            bint owning_buf = False
+            const char* err_pos
+
+        if PyMemoryView_Check(data):
+            buf = PyMemoryView_GET_BUFFER(data)
+            data_len = <size_t>buf.len
+            err = cparser.llhttp_execute(
+                self._cparser,
+                <char*>buf.buf,
+                data_len)
+
+        else:
+            buf = &self.py_buf
+            PyObject_GetBuffer(data, buf, PyBUF_SIMPLE)
+            owning_buf = True
+            data_len = <size_t>buf.len
+
+            err = cparser.llhttp_execute(
+                self._cparser,
+                <char*>buf.buf,
+                data_len)
+
+        try:
+            if self._cparser.upgrade == 1 and err == cparser.HPE_PAUSED_UPGRADE:
+                err_pos = cparser.llhttp_get_error_pos(self._cparser)
+
+                # Immediately free the parser from "error" state, simulating
+                # http-parser behavior here because 1) we never had the API to
+                # allow users manually "resume after upgrade", and 2) the use
+                # case for resuming parsing is very rare.
+                cparser.llhttp_resume_after_upgrade(self._cparser)
+
+                # The err_pos here is specific for the input buf. So if we ever
+                # switch to the llhttp behavior (re-raise HttpParserUpgrade for
+                # successive calls to feed_data() until resume_after_upgrade is
+                # called), we have to store the result and keep our own state.
+                raise HttpParserUpgrade(err_pos - <char*>buf.buf)
+        finally:
+            if owning_buf:
+                PyBuffer_Release(buf)
+
+        if err != cparser.HPE_OK:
+            ex = parser_error_from_errno(
+                self._cparser,
+                <cparser.llhttp_errno_t> self._cparser.error)
+            if isinstance(ex, HttpParserCallbackError):
+                if self._last_error is not None:
+                    ex.__context__ = self._last_error
+                    self._last_error = None
+            raise ex
+
+
+cdef class HttpRequestParser(HttpParser):
+
+    def __init__(self, protocol):
+        self._init(protocol, cparser.HTTP_REQUEST)
+
+        self._proto_on_url = getattr(protocol, 'on_url', None)
+        if self._proto_on_url is not None:
+            self._csettings.on_url = cb_on_url
+
+    def get_method(self):
+        cdef cparser.llhttp_t* parser = self._cparser
+        return cparser.llhttp_method_name(<cparser.llhttp_method_t> parser.method)
+
+
+cdef class HttpResponseParser(HttpParser):
+
+    def __init__(self, protocol):
+        self._init(protocol, cparser.HTTP_RESPONSE)
+
+        self._proto_on_status = getattr(protocol, 'on_status', None)
+        if self._proto_on_status is not None:
+            self._csettings.on_status = cb_on_status
+
+    def get_status_code(self):
+        cdef cparser.llhttp_t* parser = self._cparser
+        return parser.status_code
+
+
+cdef int cb_on_message_begin(cparser.llhttp_t* parser) except -1:
+    cdef HttpParser pyparser = <HttpParser>parser.data
+    try:
+        pyparser._proto_on_message_begin()
+    except BaseException as ex:
+        pyparser._last_error = ex
+        return -1
+    else:
+        return 0
+
+
+cdef int cb_on_url(cparser.llhttp_t* parser,
+                   const char *at, size_t length) except -1:
+    cdef HttpParser pyparser = <HttpParser>parser.data
+    try:
+        pyparser._proto_on_url(at[:length])
+    except BaseException as ex:
+        cparser.llhttp_set_error_reason(parser, "`on_url` callback error")
+        pyparser._last_error = ex
+        return cparser.HPE_USER
+    else:
+        return 0
+
+
+cdef int cb_on_status(cparser.llhttp_t* parser,
+                      const char *at, size_t length) except -1:
+    cdef HttpParser pyparser = <HttpParser>parser.data
+    try:
+        pyparser._proto_on_status(at[:length])
+    except BaseException as ex:
+        cparser.llhttp_set_error_reason(parser, "`on_status` callback error")
+        pyparser._last_error = ex
+        return cparser.HPE_USER
+    else:
+        return 0
+
+
+cdef int cb_on_header_field(cparser.llhttp_t* parser,
+                            const char *at, size_t length) except -1:
+    cdef HttpParser pyparser = <HttpParser>parser.data
+    try:
+        pyparser._on_header_field(at[:length])
+    except BaseException as ex:
+        cparser.llhttp_set_error_reason(parser, "`on_header_field` callback error")
+        pyparser._last_error = ex
+        return cparser.HPE_USER
+    else:
+        return 0
+
+
+cdef int cb_on_header_value(cparser.llhttp_t* parser,
+                            const char *at, size_t length) except -1:
+    cdef HttpParser pyparser = <HttpParser>parser.data
+    try:
+        pyparser._on_header_value(at[:length])
+    except BaseException as ex:
+        cparser.llhttp_set_error_reason(parser, "`on_header_value` callback error")
+        pyparser._last_error = ex
+        return cparser.HPE_USER
+    else:
+        return 0
+
+
+cdef int cb_on_headers_complete(cparser.llhttp_t* parser) except -1:
+    cdef HttpParser pyparser = <HttpParser>parser.data
+    try:
+        pyparser._on_headers_complete()
+    except BaseException as ex:
+        pyparser._last_error = ex
+        return -1
+    else:
+        if pyparser._cparser.upgrade:
+            return 1
+        else:
+            return 0
+
+
+cdef int cb_on_body(cparser.llhttp_t* parser,
+                    const char *at, size_t length) except -1:
+    cdef HttpParser pyparser = <HttpParser>parser.data
+    try:
+        pyparser._proto_on_body(at[:length])
+    except BaseException as ex:
+        cparser.llhttp_set_error_reason(parser, "`on_body` callback error")
+        pyparser._last_error = ex
+        return cparser.HPE_USER
+    else:
+        return 0
+
+
+cdef int cb_on_message_complete(cparser.llhttp_t* parser) except -1:
+    cdef HttpParser pyparser = <HttpParser>parser.data
+    try:
+        pyparser._proto_on_message_complete()
+    except BaseException as ex:
+        pyparser._last_error = ex
+        return -1
+    else:
+        return 0
+
+
+cdef int cb_on_chunk_header(cparser.llhttp_t* parser) except -1:
+    cdef HttpParser pyparser = <HttpParser>parser.data
+    try:
+        pyparser._on_chunk_header()
+    except BaseException as ex:
+        pyparser._last_error = ex
+        return -1
+    else:
+        return 0
+
+
+cdef int cb_on_chunk_complete(cparser.llhttp_t* parser) except -1:
+    cdef HttpParser pyparser = <HttpParser>parser.data
+    try:
+        pyparser._on_chunk_complete()
+    except BaseException as ex:
+        pyparser._last_error = ex
+        return -1
+    else:
+        return 0
+
+
+cdef parser_error_from_errno(cparser.llhttp_t* parser, cparser.llhttp_errno_t errno):
+    cdef bytes reason = cparser.llhttp_get_error_reason(parser)
+
+    if errno in (cparser.HPE_CB_MESSAGE_BEGIN,
+                 cparser.HPE_CB_HEADERS_COMPLETE,
+                 cparser.HPE_CB_MESSAGE_COMPLETE,
+                 cparser.HPE_CB_CHUNK_HEADER,
+                 cparser.HPE_CB_CHUNK_COMPLETE,
+                 cparser.HPE_USER):
+        cls = HttpParserCallbackError
+
+    elif errno == cparser.HPE_INVALID_STATUS:
+        cls = HttpParserInvalidStatusError
+
+    elif errno == cparser.HPE_INVALID_METHOD:
+        cls = HttpParserInvalidMethodError
+
+    elif errno == cparser.HPE_INVALID_URL:
+        cls = HttpParserInvalidURLError
+
+    else:
+        cls = HttpParserError
+
+    return cls(reason.decode('latin-1'))

.venv/lib/python3.11/site-packages/httptools/parser/python.pxd

@@ -0,0 +1,6 @@
+cimport cpython
+
+
+cdef extern from "Python.h":
+    cpython.Py_buffer* PyMemoryView_GET_BUFFER(object)
+    bint PyMemoryView_Check(object)

.venv/lib/python3.11/site-packages/httptools/parser/url_cparser.pxd

@@ -0,0 +1,31 @@
+from libc.stdint cimport uint16_t
+
+
+cdef extern from "http_parser.h":
+    # URL Parser
+
+    enum http_parser_url_fields:
+        UF_SCHEMA   = 0,
+        UF_HOST     = 1,
+        UF_PORT     = 2,
+        UF_PATH     = 3,
+        UF_QUERY    = 4,
+        UF_FRAGMENT = 5,
+        UF_USERINFO = 6,
+        UF_MAX      = 7
+
+    struct http_parser_url_field_data:
+        uint16_t off
+        uint16_t len
+
+    struct http_parser_url:
+        uint16_t field_set
+        uint16_t port
+        http_parser_url_field_data[<int>UF_MAX] field_data
+
+    void http_parser_url_init(http_parser_url *u)
+
+    int http_parser_parse_url(const char *buf,
+                              size_t buflen,
+                              int is_connect,
+                              http_parser_url *u)

.venv/lib/python3.11/site-packages/httptools/parser/url_parser.pyx

@@ -0,0 +1,108 @@
+#cython: language_level=3
+
+from __future__ import print_function
+from cpython.mem cimport PyMem_Malloc, PyMem_Free
+from cpython cimport PyObject_GetBuffer, PyBuffer_Release, PyBUF_SIMPLE, \
+                     Py_buffer
+
+from .errors import HttpParserInvalidURLError
+
+cimport cython
+from . cimport url_cparser as uparser
+
+__all__ = ('parse_url',)
+
+@cython.freelist(250)
+cdef class URL:
+    cdef readonly bytes schema
+    cdef readonly bytes host
+    cdef readonly object port
+    cdef readonly bytes path
+    cdef readonly bytes query
+    cdef readonly bytes fragment
+    cdef readonly bytes userinfo
+
+    def __cinit__(self, bytes schema, bytes host, object port, bytes path,
+                  bytes query, bytes fragment, bytes userinfo):
+
+        self.schema = schema
+        self.host = host
+        self.port = port
+        self.path = path
+        self.query = query
+        self.fragment = fragment
+        self.userinfo = userinfo
+
+    def __repr__(self):
+        return ('<URL schema: {!r}, host: {!r}, port: {!r}, path: {!r}, '
+                'query: {!r}, fragment: {!r}, userinfo: {!r}>'
+                .format(self.schema, self.host, self.port, self.path,
+                    self.query, self.fragment, self.userinfo))
+
+
+def parse_url(url):
+    cdef:
+        Py_buffer py_buf
+        char* buf_data
+        uparser.http_parser_url* parsed
+        int res
+        bytes schema = None
+        bytes host = None
+        object port = None
+        bytes path = None
+        bytes query = None
+        bytes fragment = None
+        bytes userinfo = None
+        object result = None
+        int off
+        int ln
+
+    parsed = <uparser.http_parser_url*> \
+                        PyMem_Malloc(sizeof(uparser.http_parser_url))
+    uparser.http_parser_url_init(parsed)
+
+    PyObject_GetBuffer(url, &py_buf, PyBUF_SIMPLE)
+    try:
+        buf_data = <char*>py_buf.buf
+        res = uparser.http_parser_parse_url(buf_data, py_buf.len, 0, parsed)
+
+        if res == 0:
+            if parsed.field_set & (1 << uparser.UF_SCHEMA):
+                off = parsed.field_data[<int>uparser.UF_SCHEMA].off
+                ln = parsed.field_data[<int>uparser.UF_SCHEMA].len
+                schema = buf_data[off:off+ln]
+
+            if parsed.field_set & (1 << uparser.UF_HOST):
+                off = parsed.field_data[<int>uparser.UF_HOST].off
+                ln = parsed.field_data[<int>uparser.UF_HOST].len
+                host = buf_data[off:off+ln]
+
+            if parsed.field_set & (1 << uparser.UF_PORT):
+                port = parsed.port
+
+            if parsed.field_set & (1 << uparser.UF_PATH):
+                off = parsed.field_data[<int>uparser.UF_PATH].off
+                ln = parsed.field_data[<int>uparser.UF_PATH].len
+                path = buf_data[off:off+ln]
+
+            if parsed.field_set & (1 << uparser.UF_QUERY):
+                off = parsed.field_data[<int>uparser.UF_QUERY].off
+                ln = parsed.field_data[<int>uparser.UF_QUERY].len
+                query = buf_data[off:off+ln]
+
+            if parsed.field_set & (1 << uparser.UF_FRAGMENT):
+                off = parsed.field_data[<int>uparser.UF_FRAGMENT].off
+                ln = parsed.field_data[<int>uparser.UF_FRAGMENT].len
+                fragment = buf_data[off:off+ln]
+
+            if parsed.field_set & (1 << uparser.UF_USERINFO):
+                off = parsed.field_data[<int>uparser.UF_USERINFO].off
+                ln = parsed.field_data[<int>uparser.UF_USERINFO].len
+                userinfo = buf_data[off:off+ln]
+
+            return URL(schema, host, port, path, query, fragment, userinfo)
+        else:
+            raise HttpParserInvalidURLError("invalid url {!r}".format(url))
+    finally:
+        PyBuffer_Release(&py_buf)
+        PyMem_Free(parsed)

.venv/lib/python3.11/site-packages/networkx/utils/tests/test_config.py

@@ -0,0 +1,231 @@
+import collections
+import pickle
+
+import pytest
+
+import networkx as nx
+from networkx.utils.configs import BackendPriorities, Config
+
+
+# Define this at module level so we can test pickling
+class ExampleConfig(Config):
+    """Example configuration."""
+
+    x: int
+    y: str
+
+    def _on_setattr(self, key, value):
+        if key == "x" and value <= 0:
+            raise ValueError("x must be positive")
+        if key == "y" and not isinstance(value, str):
+            raise TypeError("y must be a str")
+        return value
+
+
+class EmptyConfig(Config):
+    pass
+
+
+@pytest.mark.parametrize("cfg", [EmptyConfig(), Config()])
+def test_config_empty(cfg):
+    assert dir(cfg) == []
+    with pytest.raises(AttributeError):
+        cfg.x = 1
+    with pytest.raises(KeyError):
+        cfg["x"] = 1
+    with pytest.raises(AttributeError):
+        cfg.x
+    with pytest.raises(KeyError):
+        cfg["x"]
+    assert len(cfg) == 0
+    assert "x" not in cfg
+    assert cfg == cfg
+    assert cfg.get("x", 2) == 2
+    assert set(cfg.keys()) == set()
+    assert set(cfg.values()) == set()
+    assert set(cfg.items()) == set()
+    cfg2 = pickle.loads(pickle.dumps(cfg))
+    assert cfg == cfg2
+    assert isinstance(cfg, collections.abc.Collection)
+    assert isinstance(cfg, collections.abc.Mapping)
+
+
+def test_config_subclass():
+    with pytest.raises(TypeError, match="missing 2 required keyword-only"):
+        ExampleConfig()
+    with pytest.raises(ValueError, match="x must be positive"):
+        ExampleConfig(x=0, y="foo")
+    with pytest.raises(TypeError, match="unexpected keyword"):
+        ExampleConfig(x=1, y="foo", z="bad config")
+    with pytest.raises(TypeError, match="unexpected keyword"):
+        EmptyConfig(z="bad config")
+    cfg = ExampleConfig(x=1, y="foo")
+    assert cfg.x == 1
+    assert cfg["x"] == 1
+    assert cfg["y"] == "foo"
+    assert cfg.y == "foo"
+    assert "x" in cfg
+    assert "y" in cfg
+    assert "z" not in cfg
+    assert len(cfg) == 2
+    assert set(iter(cfg)) == {"x", "y"}
+    assert set(cfg.keys()) == {"x", "y"}
+    assert set(cfg.values()) == {1, "foo"}
+    assert set(cfg.items()) == {("x", 1), ("y", "foo")}
+    assert dir(cfg) == ["x", "y"]
+    cfg.x = 2
+    cfg["y"] = "bar"
+    assert cfg["x"] == 2
+    assert cfg.y == "bar"
+    with pytest.raises(TypeError, match="can't be deleted"):
+        del cfg.x
+    with pytest.raises(TypeError, match="can't be deleted"):
+        del cfg["y"]
+    assert cfg.x == 2
+    assert cfg == cfg
+    assert cfg == ExampleConfig(x=2, y="bar")
+    assert cfg != ExampleConfig(x=3, y="baz")
+    assert cfg != Config(x=2, y="bar")
+    with pytest.raises(TypeError, match="y must be a str"):
+        cfg["y"] = 5
+    with pytest.raises(ValueError, match="x must be positive"):
+        cfg.x = -5
+    assert cfg.get("x", 10) == 2
+    with pytest.raises(AttributeError):
+        cfg.z = 5
+    with pytest.raises(KeyError):
+        cfg["z"] = 5
+    with pytest.raises(AttributeError):
+        cfg.z
+    with pytest.raises(KeyError):
+        cfg["z"]
+    cfg2 = pickle.loads(pickle.dumps(cfg))
+    assert cfg == cfg2
+    assert cfg.__doc__ == "Example configuration."
+    assert cfg2.__doc__ == "Example configuration."
+
+
+def test_config_defaults():
+    class DefaultConfig(Config):
+        x: int = 0
+        y: int
+
+    cfg = DefaultConfig(y=1)
+    assert cfg.x == 0
+    cfg = DefaultConfig(x=2, y=1)
+    assert cfg.x == 2
+
+
+def test_nxconfig():
+    assert isinstance(nx.config.backend_priority, BackendPriorities)
+    assert isinstance(nx.config.backend_priority.algos, list)
+    assert isinstance(nx.config.backends, Config)
+    with pytest.raises(TypeError, match="must be a list of backend names"):
+        nx.config.backend_priority.algos = "nx_loopback"
+    with pytest.raises(ValueError, match="Unknown backend when setting"):
+        nx.config.backend_priority.algos = ["this_almost_certainly_is_not_a_backend"]
+    with pytest.raises(TypeError, match="must be a Config of backend configs"):
+        nx.config.backends = {}
+    with pytest.raises(TypeError, match="must be a Config of backend configs"):
+        nx.config.backends = Config(plausible_backend_name={})
+    with pytest.raises(ValueError, match="Unknown backend when setting"):
+        nx.config.backends = Config(this_almost_certainly_is_not_a_backend=Config())
+    with pytest.raises(TypeError, match="must be True or False"):
+        nx.config.cache_converted_graphs = "bad value"
+    with pytest.raises(TypeError, match="must be a set of "):
+        nx.config.warnings_to_ignore = 7
+    with pytest.raises(ValueError, match="Unknown warning "):
+        nx.config.warnings_to_ignore = {"bad value"}
+
+
+def test_not_strict():
+    class FlexibleConfig(Config, strict=False):
+        x: int
+
+    cfg = FlexibleConfig(x=1)
+    assert "_strict" not in cfg
+    assert len(cfg) == 1
+    assert list(cfg) == ["x"]
+    assert list(cfg.keys()) == ["x"]
+    assert list(cfg.values()) == [1]
+    assert list(cfg.items()) == [("x", 1)]
+    assert cfg.x == 1
+    assert cfg["x"] == 1
+    assert "x" in cfg
+    assert hasattr(cfg, "x")
+    assert "FlexibleConfig(x=1)" in repr(cfg)
+    assert cfg == FlexibleConfig(x=1)
+    del cfg.x
+    assert "FlexibleConfig()" in repr(cfg)
+    assert len(cfg) == 0
+    assert not hasattr(cfg, "x")
+    assert "x" not in cfg
+    assert not hasattr(cfg, "y")
+    assert "y" not in cfg
+    cfg.y = 2
+    assert len(cfg) == 1
+    assert list(cfg) == ["y"]
+    assert list(cfg.keys()) == ["y"]
+    assert list(cfg.values()) == [2]
+    assert list(cfg.items()) == [("y", 2)]
+    assert cfg.y == 2
+    assert cfg["y"] == 2
+    assert hasattr(cfg, "y")
+    assert "y" in cfg
+    del cfg["y"]
+    assert len(cfg) == 0
+    assert list(cfg) == []
+    with pytest.raises(AttributeError, match="y"):
+        del cfg.y
+    with pytest.raises(KeyError, match="y"):
+        del cfg["y"]
+    with pytest.raises(TypeError, match="missing 1 required keyword-only"):
+        FlexibleConfig()
+    # Be strict when first creating the config object
+    with pytest.raises(TypeError, match="unexpected keyword argument 'y'"):
+        FlexibleConfig(x=1, y=2)
+
+    class FlexibleConfigWithDefault(Config, strict=False):
+        x: int = 0
+
+    assert FlexibleConfigWithDefault().x == 0
+    assert FlexibleConfigWithDefault(x=1)["x"] == 1
+
+
+def test_context():
+    cfg = Config(x=1)
+    with cfg(x=2) as c:
+        assert c.x == 2
+        c.x = 3
+        assert cfg.x == 3
+    assert cfg.x == 1
+
+    with cfg(x=2) as c:
+        assert c == cfg
+        assert cfg.x == 2
+        with cfg(x=3) as c2:
+            assert c2 == cfg
+            assert cfg.x == 3
+            with pytest.raises(RuntimeError, match="context manager without"):
+                with cfg as c3:  # Forgot to call `cfg(...)`
+                    pass
+            assert cfg.x == 3
+        assert cfg.x == 2
+    assert cfg.x == 1
+
+    c = cfg(x=4)  # Not yet as context (not recommended, but possible)
+    assert c == cfg
+    assert cfg.x == 4
+    # Cheat by looking at internal data; context stack should only grow with __enter__
+    assert cfg._prev is not None
+    assert cfg._context_stack == []
+    with c:
+        assert c == cfg
+        assert cfg.x == 4
+    assert cfg.x == 1
+    # Cheat again; there was no preceding `cfg(...)` call this time
+    assert cfg._prev is None
+    with pytest.raises(RuntimeError, match="context manager without"):
+        with cfg:
+            pass
+    assert cfg.x == 1

.venv/lib/python3.11/site-packages/networkx/utils/tests/test_mapped_queue.py

@@ -0,0 +1,268 @@
+import pytest
+
+from networkx.utils.mapped_queue import MappedQueue, _HeapElement
+
+
+def test_HeapElement_gtlt():
+    bar = _HeapElement(1.1, "a")
+    foo = _HeapElement(1, "b")
+    assert foo < bar
+    assert bar > foo
+    assert foo < 1.1
+    assert 1 < bar
+
+
+def test_HeapElement_gtlt_tied_priority():
+    bar = _HeapElement(1, "a")
+    foo = _HeapElement(1, "b")
+    assert foo > bar
+    assert bar < foo
+
+
+def test_HeapElement_eq():
+    bar = _HeapElement(1.1, "a")
+    foo = _HeapElement(1, "a")
+    assert foo == bar
+    assert bar == foo
+    assert foo == "a"
+
+
+def test_HeapElement_iter():
+    foo = _HeapElement(1, "a")
+    bar = _HeapElement(1.1, (3, 2, 1))
+    assert list(foo) == [1, "a"]
+    assert list(bar) == [1.1, 3, 2, 1]
+
+
+def test_HeapElement_getitem():
+    foo = _HeapElement(1, "a")
+    bar = _HeapElement(1.1, (3, 2, 1))
+    assert foo[1] == "a"
+    assert foo[0] == 1
+    assert bar[0] == 1.1
+    assert bar[2] == 2
+    assert bar[3] == 1
+    pytest.raises(IndexError, bar.__getitem__, 4)
+    pytest.raises(IndexError, foo.__getitem__, 2)
+
+
+class TestMappedQueue:
+    def setup_method(self):
+        pass
+
+    def _check_map(self, q):
+        assert q.position == {elt: pos for pos, elt in enumerate(q.heap)}
+
+    def _make_mapped_queue(self, h):
+        q = MappedQueue()
+        q.heap = h
+        q.position = {elt: pos for pos, elt in enumerate(h)}
+        return q
+
+    def test_heapify(self):
+        h = [5, 4, 3, 2, 1, 0]
+        q = self._make_mapped_queue(h)
+        q._heapify()
+        self._check_map(q)
+
+    def test_init(self):
+        h = [5, 4, 3, 2, 1, 0]
+        q = MappedQueue(h)
+        self._check_map(q)
+
+    def test_incomparable(self):
+        h = [5, 4, "a", 2, 1, 0]
+        pytest.raises(TypeError, MappedQueue, h)
+
+    def test_len(self):
+        h = [5, 4, 3, 2, 1, 0]
+        q = MappedQueue(h)
+        self._check_map(q)
+        assert len(q) == 6
+
+    def test_siftup_leaf(self):
+        h = [2]
+        h_sifted = [2]
+        q = self._make_mapped_queue(h)
+        q._siftup(0)
+        assert q.heap == h_sifted
+        self._check_map(q)
+
+    def test_siftup_one_child(self):
+        h = [2, 0]
+        h_sifted = [0, 2]
+        q = self._make_mapped_queue(h)
+        q._siftup(0)
+        assert q.heap == h_sifted
+        self._check_map(q)
+
+    def test_siftup_left_child(self):
+        h = [2, 0, 1]
+        h_sifted = [0, 2, 1]
+        q = self._make_mapped_queue(h)
+        q._siftup(0)
+        assert q.heap == h_sifted
+        self._check_map(q)
+
+    def test_siftup_right_child(self):
+        h = [2, 1, 0]
+        h_sifted = [0, 1, 2]
+        q = self._make_mapped_queue(h)
+        q._siftup(0)
+        assert q.heap == h_sifted
+        self._check_map(q)
+
+    def test_siftup_multiple(self):
+        h = [0, 1, 2, 4, 3, 5, 6]
+        h_sifted = [0, 1, 2, 4, 3, 5, 6]
+        q = self._make_mapped_queue(h)
+        q._siftup(0)
+        assert q.heap == h_sifted
+        self._check_map(q)
+
+    def test_siftdown_leaf(self):
+        h = [2]
+        h_sifted = [2]
+        q = self._make_mapped_queue(h)
+        q._siftdown(0, 0)
+        assert q.heap == h_sifted
+        self._check_map(q)
+
+    def test_siftdown_single(self):
+        h = [1, 0]
+        h_sifted = [0, 1]
+        q = self._make_mapped_queue(h)
+        q._siftdown(0, len(h) - 1)
+        assert q.heap == h_sifted
+        self._check_map(q)
+
+    def test_siftdown_multiple(self):
+        h = [1, 2, 3, 4, 5, 6, 7, 0]
+        h_sifted = [0, 1, 3, 2, 5, 6, 7, 4]
+        q = self._make_mapped_queue(h)
+        q._siftdown(0, len(h) - 1)
+        assert q.heap == h_sifted
+        self._check_map(q)
+
+    def test_push(self):
+        to_push = [6, 1, 4, 3, 2, 5, 0]
+        h_sifted = [0, 2, 1, 6, 3, 5, 4]
+        q = MappedQueue()
+        for elt in to_push:
+            q.push(elt)
+        assert q.heap == h_sifted
+        self._check_map(q)
+
+    def test_push_duplicate(self):
+        to_push = [2, 1, 0]
+        h_sifted = [0, 2, 1]
+        q = MappedQueue()
+        for elt in to_push:
+            inserted = q.push(elt)
+            assert inserted
+        assert q.heap == h_sifted
+        self._check_map(q)
+        inserted = q.push(1)
+        assert not inserted
+
+    def test_pop(self):
+        h = [3, 4, 6, 0, 1, 2, 5]
+        h_sorted = sorted(h)
+        q = self._make_mapped_queue(h)
+        q._heapify()
+        popped = [q.pop() for _ in range(len(h))]
+        assert popped == h_sorted
+        self._check_map(q)
+
+    def test_remove_leaf(self):
+        h = [0, 2, 1, 6, 3, 5, 4]
+        h_removed = [0, 2, 1, 6, 4, 5]
+        q = self._make_mapped_queue(h)
+        removed = q.remove(3)
+        assert q.heap == h_removed
+
+    def test_remove_root(self):
+        h = [0, 2, 1, 6, 3, 5, 4]
+        h_removed = [1, 2, 4, 6, 3, 5]
+        q = self._make_mapped_queue(h)
+        removed = q.remove(0)
+        assert q.heap == h_removed
+
+    def test_update_leaf(self):
+        h = [0, 20, 10, 60, 30, 50, 40]
+        h_updated = [0, 15, 10, 60, 20, 50, 40]
+        q = self._make_mapped_queue(h)
+        removed = q.update(30, 15)
+        assert q.heap == h_updated
+
+    def test_update_root(self):
+        h = [0, 20, 10, 60, 30, 50, 40]
+        h_updated = [10, 20, 35, 60, 30, 50, 40]
+        q = self._make_mapped_queue(h)
+        removed = q.update(0, 35)
+        assert q.heap == h_updated
+
+
+class TestMappedDict(TestMappedQueue):
+    def _make_mapped_queue(self, h):
+        priority_dict = {elt: elt for elt in h}
+        return MappedQueue(priority_dict)
+
+    def test_init(self):
+        d = {5: 0, 4: 1, "a": 2, 2: 3, 1: 4}
+        q = MappedQueue(d)
+        assert q.position == d
+
+    def test_ties(self):
+        d = {5: 0, 4: 1, 3: 2, 2: 3, 1: 4}
+        q = MappedQueue(d)
+        assert q.position == {elt: pos for pos, elt in enumerate(q.heap)}
+
+    def test_pop(self):
+        d = {5: 0, 4: 1, 3: 2, 2: 3, 1: 4}
+        q = MappedQueue(d)
+        assert q.pop() == _HeapElement(0, 5)
+        assert q.position == {elt: pos for pos, elt in enumerate(q.heap)}
+
+    def test_empty_pop(self):
+        q = MappedQueue()
+        pytest.raises(IndexError, q.pop)
+
+    def test_incomparable_ties(self):
+        d = {5: 0, 4: 0, "a": 0, 2: 0, 1: 0}
+        pytest.raises(TypeError, MappedQueue, d)
+
+    def test_push(self):
+        to_push = [6, 1, 4, 3, 2, 5, 0]
+        h_sifted = [0, 2, 1, 6, 3, 5, 4]
+        q = MappedQueue()
+        for elt in to_push:
+            q.push(elt, priority=elt)
+        assert q.heap == h_sifted
+        self._check_map(q)
+
+    def test_push_duplicate(self):
+        to_push = [2, 1, 0]
+        h_sifted = [0, 2, 1]
+        q = MappedQueue()
+        for elt in to_push:
+            inserted = q.push(elt, priority=elt)
+            assert inserted
+        assert q.heap == h_sifted
+        self._check_map(q)
+        inserted = q.push(1, priority=1)
+        assert not inserted
+
+    def test_update_leaf(self):
+        h = [0, 20, 10, 60, 30, 50, 40]
+        h_updated = [0, 15, 10, 60, 20, 50, 40]
+        q = self._make_mapped_queue(h)
+        removed = q.update(30, 15, priority=15)
+        assert q.heap == h_updated
+
+    def test_update_root(self):
+        h = [0, 20, 10, 60, 30, 50, 40]
+        h_updated = [10, 20, 35, 60, 30, 50, 40]
+        q = self._make_mapped_queue(h)
+        removed = q.update(0, 35, priority=35)
+        assert q.heap == h_updated

.venv/lib/python3.11/site-packages/networkx/utils/tests/test_misc.py

@@ -0,0 +1,268 @@
+import random
+from copy import copy
+
+import pytest
+
+import networkx as nx
+from networkx.utils import (
+    PythonRandomInterface,
+    PythonRandomViaNumpyBits,
+    arbitrary_element,
+    create_py_random_state,
+    create_random_state,
+    dict_to_numpy_array,
+    discrete_sequence,
+    flatten,
+    groups,
+    make_list_of_ints,
+    pairwise,
+    powerlaw_sequence,
+)
+from networkx.utils.misc import _dict_to_numpy_array1, _dict_to_numpy_array2
+
+nested_depth = (
+    1,
+    2,
+    (3, 4, ((5, 6, (7,), (8, (9, 10), 11), (12, 13, (14, 15)), 16), 17), 18, 19),
+    20,
+)
+
+nested_set = {
+    (1, 2, 3, 4),
+    (5, 6, 7, 8, 9),
+    (10, 11, (12, 13, 14), (15, 16, 17, 18)),
+    19,
+    20,
+}
+
+nested_mixed = [
+    1,
+    (2, 3, {4, (5, 6), 7}, [8, 9]),
+    {10: "foo", 11: "bar", (12, 13): "baz"},
+    {(14, 15): "qwe", 16: "asd"},
+    (17, (18, "19"), 20),
+]
+
+
+@pytest.mark.parametrize("result", [None, [], ["existing"], ["existing1", "existing2"]])
+@pytest.mark.parametrize("nested", [nested_depth, nested_mixed, nested_set])
+def test_flatten(nested, result):
+    if result is None:
+        val = flatten(nested, result)
+        assert len(val) == 20
+    else:
+        _result = copy(result)  # because pytest passes parameters as is
+        nexisting = len(_result)
+        val = flatten(nested, _result)
+        assert len(val) == len(_result) == 20 + nexisting
+
+    assert issubclass(type(val), tuple)
+
+
+def test_make_list_of_ints():
+    mylist = [1, 2, 3.0, 42, -2]
+    assert make_list_of_ints(mylist) is mylist
+    assert make_list_of_ints(mylist) == mylist
+    assert type(make_list_of_ints(mylist)[2]) is int
+    pytest.raises(nx.NetworkXError, make_list_of_ints, [1, 2, 3, "kermit"])
+    pytest.raises(nx.NetworkXError, make_list_of_ints, [1, 2, 3.1])
+
+
+def test_random_number_distribution():
+    # smoke test only
+    z = powerlaw_sequence(20, exponent=2.5)
+    z = discrete_sequence(20, distribution=[0, 0, 0, 0, 1, 1, 1, 1, 2, 2, 3])
+
+
+class TestNumpyArray:
+    @classmethod
+    def setup_class(cls):
+        global np
+        np = pytest.importorskip("numpy")
+
+    def test_numpy_to_list_of_ints(self):
+        a = np.array([1, 2, 3], dtype=np.int64)
+        b = np.array([1.0, 2, 3])
+        c = np.array([1.1, 2, 3])
+        assert type(make_list_of_ints(a)) == list
+        assert make_list_of_ints(b) == list(b)
+        B = make_list_of_ints(b)
+        assert type(B[0]) == int
+        pytest.raises(nx.NetworkXError, make_list_of_ints, c)
+
+    def test__dict_to_numpy_array1(self):
+        d = {"a": 1, "b": 2}
+        a = _dict_to_numpy_array1(d, mapping={"a": 0, "b": 1})
+        np.testing.assert_allclose(a, np.array([1, 2]))
+        a = _dict_to_numpy_array1(d, mapping={"b": 0, "a": 1})
+        np.testing.assert_allclose(a, np.array([2, 1]))
+
+        a = _dict_to_numpy_array1(d)
+        np.testing.assert_allclose(a.sum(), 3)
+
+    def test__dict_to_numpy_array2(self):
+        d = {"a": {"a": 1, "b": 2}, "b": {"a": 10, "b": 20}}
+
+        mapping = {"a": 1, "b": 0}
+        a = _dict_to_numpy_array2(d, mapping=mapping)
+        np.testing.assert_allclose(a, np.array([[20, 10], [2, 1]]))
+
+        a = _dict_to_numpy_array2(d)
+        np.testing.assert_allclose(a.sum(), 33)
+
+    def test_dict_to_numpy_array_a(self):
+        d = {"a": {"a": 1, "b": 2}, "b": {"a": 10, "b": 20}}
+
+        mapping = {"a": 0, "b": 1}
+        a = dict_to_numpy_array(d, mapping=mapping)
+        np.testing.assert_allclose(a, np.array([[1, 2], [10, 20]]))
+
+        mapping = {"a": 1, "b": 0}
+        a = dict_to_numpy_array(d, mapping=mapping)
+        np.testing.assert_allclose(a, np.array([[20, 10], [2, 1]]))
+
+        a = _dict_to_numpy_array2(d)
+        np.testing.assert_allclose(a.sum(), 33)
+
+    def test_dict_to_numpy_array_b(self):
+        d = {"a": 1, "b": 2}
+
+        mapping = {"a": 0, "b": 1}
+        a = dict_to_numpy_array(d, mapping=mapping)
+        np.testing.assert_allclose(a, np.array([1, 2]))
+
+        a = _dict_to_numpy_array1(d)
+        np.testing.assert_allclose(a.sum(), 3)
+
+
+def test_pairwise():
+    nodes = range(4)
+    node_pairs = [(0, 1), (1, 2), (2, 3)]
+    node_pairs_cycle = node_pairs + [(3, 0)]
+    assert list(pairwise(nodes)) == node_pairs
+    assert list(pairwise(iter(nodes))) == node_pairs
+    assert list(pairwise(nodes, cyclic=True)) == node_pairs_cycle
+    empty_iter = iter(())
+    assert list(pairwise(empty_iter)) == []
+    empty_iter = iter(())
+    assert list(pairwise(empty_iter, cyclic=True)) == []
+
+
+def test_groups():
+    many_to_one = dict(zip("abcde", [0, 0, 1, 1, 2]))
+    actual = groups(many_to_one)
+    expected = {0: {"a", "b"}, 1: {"c", "d"}, 2: {"e"}}
+    assert actual == expected
+    assert {} == groups({})
+
+
+def test_create_random_state():
+    np = pytest.importorskip("numpy")
+    rs = np.random.RandomState
+
+    assert isinstance(create_random_state(1), rs)
+    assert isinstance(create_random_state(None), rs)
+    assert isinstance(create_random_state(np.random), rs)
+    assert isinstance(create_random_state(rs(1)), rs)
+    # Support for numpy.random.Generator
+    rng = np.random.default_rng()
+    assert isinstance(create_random_state(rng), np.random.Generator)
+    pytest.raises(ValueError, create_random_state, "a")
+
+    assert np.all(rs(1).rand(10) == create_random_state(1).rand(10))
+
+
+def test_create_py_random_state():
+    pyrs = random.Random
+
+    assert isinstance(create_py_random_state(1), pyrs)
+    assert isinstance(create_py_random_state(None), pyrs)
+    assert isinstance(create_py_random_state(pyrs(1)), pyrs)
+    pytest.raises(ValueError, create_py_random_state, "a")
+
+    np = pytest.importorskip("numpy")
+
+    rs = np.random.RandomState
+    rng = np.random.default_rng(1000)
+    rng_explicit = np.random.Generator(np.random.SFC64())
+    old_nprs = PythonRandomInterface
+    nprs = PythonRandomViaNumpyBits
+    assert isinstance(create_py_random_state(np.random), nprs)
+    assert isinstance(create_py_random_state(rs(1)), old_nprs)
+    assert isinstance(create_py_random_state(rng), nprs)
+    assert isinstance(create_py_random_state(rng_explicit), nprs)
+    # test default rng input
+    assert isinstance(PythonRandomInterface(), old_nprs)
+    assert isinstance(PythonRandomViaNumpyBits(), nprs)
+
+    # VeryLargeIntegers Smoke test (they raise error for np.random)
+    int64max = 9223372036854775807  # from np.iinfo(np.int64).max
+    for r in (rng, rs(1)):
+        prs = create_py_random_state(r)
+        prs.randrange(3, int64max + 5)
+        prs.randint(3, int64max + 5)
+
+
+def test_PythonRandomInterface_RandomState():
+    np = pytest.importorskip("numpy")
+
+    seed = 42
+    rs = np.random.RandomState
+    rng = PythonRandomInterface(rs(seed))
+    rs42 = rs(seed)
+
+    # make sure these functions are same as expected outcome
+    assert rng.randrange(3, 5) == rs42.randint(3, 5)
+    assert rng.choice([1, 2, 3]) == rs42.choice([1, 2, 3])
+    assert rng.gauss(0, 1) == rs42.normal(0, 1)
+    assert rng.expovariate(1.5) == rs42.exponential(1 / 1.5)
+    assert np.all(rng.shuffle([1, 2, 3]) == rs42.shuffle([1, 2, 3]))
+    assert np.all(
+        rng.sample([1, 2, 3], 2) == rs42.choice([1, 2, 3], (2,), replace=False)
+    )
+    assert np.all(
+        [rng.randint(3, 5) for _ in range(100)]
+        == [rs42.randint(3, 6) for _ in range(100)]
+    )
+    assert rng.random() == rs42.random_sample()
+
+
+def test_PythonRandomInterface_Generator():
+    np = pytest.importorskip("numpy")
+
+    seed = 42
+    rng = np.random.default_rng(seed)
+    pri = PythonRandomInterface(np.random.default_rng(seed))
+
+    # make sure these functions are same as expected outcome
+    assert pri.randrange(3, 5) == rng.integers(3, 5)
+    assert pri.choice([1, 2, 3]) == rng.choice([1, 2, 3])
+    assert pri.gauss(0, 1) == rng.normal(0, 1)
+    assert pri.expovariate(1.5) == rng.exponential(1 / 1.5)
+    assert np.all(pri.shuffle([1, 2, 3]) == rng.shuffle([1, 2, 3]))
+    assert np.all(
+        pri.sample([1, 2, 3], 2) == rng.choice([1, 2, 3], (2,), replace=False)
+    )
+    assert np.all(
+        [pri.randint(3, 5) for _ in range(100)]
+        == [rng.integers(3, 6) for _ in range(100)]
+    )
+    assert pri.random() == rng.random()
+
+
+@pytest.mark.parametrize(
+    ("iterable_type", "expected"), ((list, 1), (tuple, 1), (str, "["), (set, 1))
+)
+def test_arbitrary_element(iterable_type, expected):
+    iterable = iterable_type([1, 2, 3])
+    assert arbitrary_element(iterable) == expected
+
+
+@pytest.mark.parametrize(
+    "iterator",
+    ((i for i in range(3)), iter([1, 2, 3])),  # generator
+)
+def test_arbitrary_element_raises(iterator):
+    """Value error is raised when input is an iterator."""
+    with pytest.raises(ValueError, match="from an iterator"):
+        arbitrary_element(iterator)

.venv/lib/python3.11/site-packages/networkx/utils/tests/test_random_sequence.py

@@ -0,0 +1,38 @@
+import pytest
+
+from networkx.utils import (
+    powerlaw_sequence,
+    random_weighted_sample,
+    weighted_choice,
+    zipf_rv,
+)
+
+
+def test_degree_sequences():
+    seq = powerlaw_sequence(10, seed=1)
+    seq = powerlaw_sequence(10)
+    assert len(seq) == 10
+
+
+def test_zipf_rv():
+    r = zipf_rv(2.3, xmin=2, seed=1)
+    r = zipf_rv(2.3, 2, 1)
+    r = zipf_rv(2.3)
+    assert type(r), int
+    pytest.raises(ValueError, zipf_rv, 0.5)
+    pytest.raises(ValueError, zipf_rv, 2, xmin=0)
+
+
+def test_random_weighted_sample():
+    mapping = {"a": 10, "b": 20}
+    s = random_weighted_sample(mapping, 2, seed=1)
+    s = random_weighted_sample(mapping, 2)
+    assert sorted(s) == sorted(mapping.keys())
+    pytest.raises(ValueError, random_weighted_sample, mapping, 3)
+
+
+def test_random_weighted_choice():
+    mapping = {"a": 10, "b": 0}
+    c = weighted_choice(mapping, seed=1)
+    c = weighted_choice(mapping)
+    assert c == "a"

.venv/lib/python3.11/site-packages/oauth2client/__init__.py

@@ -0,0 +1,24 @@
+# Copyright 2015 Google Inc. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""Client library for using OAuth2, especially with Google APIs."""
+
+__version__ = '4.1.3'
+
+GOOGLE_AUTH_URI = 'https://accounts.google.com/o/oauth2/v2/auth'
+GOOGLE_DEVICE_URI = 'https://oauth2.googleapis.com/device/code'
+GOOGLE_REVOKE_URI = 'https://oauth2.googleapis.com/revoke'
+GOOGLE_TOKEN_URI = 'https://oauth2.googleapis.com/token'
+GOOGLE_TOKEN_INFO_URI = 'https://oauth2.googleapis.com/tokeninfo'
+

.venv/lib/python3.11/site-packages/oauth2client/_helpers.py

@@ -0,0 +1,341 @@
+# Copyright 2015 Google Inc. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""Helper functions for commonly used utilities."""
+
+import base64
+import functools
+import inspect
+import json
+import logging
+import os
+import warnings
+
+import six
+from six.moves import urllib
+
+
+logger = logging.getLogger(__name__)
+
+POSITIONAL_WARNING = 'WARNING'
+POSITIONAL_EXCEPTION = 'EXCEPTION'
+POSITIONAL_IGNORE = 'IGNORE'
+POSITIONAL_SET = frozenset([POSITIONAL_WARNING, POSITIONAL_EXCEPTION,
+                            POSITIONAL_IGNORE])
+
+positional_parameters_enforcement = POSITIONAL_WARNING
+
+_SYM_LINK_MESSAGE = 'File: {0}: Is a symbolic link.'
+_IS_DIR_MESSAGE = '{0}: Is a directory'
+_MISSING_FILE_MESSAGE = 'Cannot access {0}: No such file or directory'
+
+
+def positional(max_positional_args):
+    """A decorator to declare that only the first N arguments my be positional.
+
+    This decorator makes it easy to support Python 3 style keyword-only
+    parameters. For example, in Python 3 it is possible to write::
+
+        def fn(pos1, *, kwonly1=None, kwonly1=None):
+            ...
+
+    All named parameters after ``*`` must be a keyword::
+
+        fn(10, 'kw1', 'kw2')  # Raises exception.
+        fn(10, kwonly1='kw1')  # Ok.
+
+    Example
+    ^^^^^^^
+
+    To define a function like above, do::
+
+        @positional(1)
+        def fn(pos1, kwonly1=None, kwonly2=None):
+            ...
+
+    If no default value is provided to a keyword argument, it becomes a
+    required keyword argument::
+
+        @positional(0)
+        def fn(required_kw):
+            ...
+
+    This must be called with the keyword parameter::
+
+        fn()  # Raises exception.
+        fn(10)  # Raises exception.
+        fn(required_kw=10)  # Ok.
+
+    When defining instance or class methods always remember to account for
+    ``self`` and ``cls``::
+
+        class MyClass(object):
+
+            @positional(2)
+            def my_method(self, pos1, kwonly1=None):
+                ...
+
+            @classmethod
+            @positional(2)
+            def my_method(cls, pos1, kwonly1=None):
+                ...
+
+    The positional decorator behavior is controlled by
+    ``_helpers.positional_parameters_enforcement``, which may be set to
+    ``POSITIONAL_EXCEPTION``, ``POSITIONAL_WARNING`` or
+    ``POSITIONAL_IGNORE`` to raise an exception, log a warning, or do
+    nothing, respectively, if a declaration is violated.
+
+    Args:
+        max_positional_arguments: Maximum number of positional arguments. All
+                                  parameters after the this index must be
+                                  keyword only.
+
+    Returns:
+        A decorator that prevents using arguments after max_positional_args
+        from being used as positional parameters.
+
+    Raises:
+        TypeError: if a key-word only argument is provided as a positional
+                   parameter, but only if
+                   _helpers.positional_parameters_enforcement is set to
+                   POSITIONAL_EXCEPTION.
+    """
+
+    def positional_decorator(wrapped):
+        @functools.wraps(wrapped)
+        def positional_wrapper(*args, **kwargs):
+            if len(args) > max_positional_args:
+                plural_s = ''
+                if max_positional_args != 1:
+                    plural_s = 's'
+                message = ('{function}() takes at most {args_max} positional '
+                           'argument{plural} ({args_given} given)'.format(
+                               function=wrapped.__name__,
+                               args_max=max_positional_args,
+                               args_given=len(args),
+                               plural=plural_s))
+                if positional_parameters_enforcement == POSITIONAL_EXCEPTION:
+                    raise TypeError(message)
+                elif positional_parameters_enforcement == POSITIONAL_WARNING:
+                    logger.warning(message)
+            return wrapped(*args, **kwargs)
+        return positional_wrapper
+
+    if isinstance(max_positional_args, six.integer_types):
+        return positional_decorator
+    else:
+        args, _, _, defaults = inspect.getargspec(max_positional_args)
+        return positional(len(args) - len(defaults))(max_positional_args)
+
+
+def scopes_to_string(scopes):
+    """Converts scope value to a string.
+
+    If scopes is a string then it is simply passed through. If scopes is an
+    iterable then a string is returned that is all the individual scopes
+    concatenated with spaces.
+
+    Args:
+        scopes: string or iterable of strings, the scopes.
+
+    Returns:
+        The scopes formatted as a single string.
+    """
+    if isinstance(scopes, six.string_types):
+        return scopes
+    else:
+        return ' '.join(scopes)
+
+
+def string_to_scopes(scopes):
+    """Converts stringifed scope value to a list.
+
+    If scopes is a list then it is simply passed through. If scopes is an
+    string then a list of each individual scope is returned.
+
+    Args:
+        scopes: a string or iterable of strings, the scopes.
+
+    Returns:
+        The scopes in a list.
+    """
+    if not scopes:
+        return []
+    elif isinstance(scopes, six.string_types):
+        return scopes.split(' ')
+    else:
+        return scopes
+
+
+def parse_unique_urlencoded(content):
+    """Parses unique key-value parameters from urlencoded content.
+
+    Args:
+        content: string, URL-encoded key-value pairs.
+
+    Returns:
+        dict, The key-value pairs from ``content``.
+
+    Raises:
+        ValueError: if one of the keys is repeated.
+    """
+    urlencoded_params = urllib.parse.parse_qs(content)
+    params = {}
+    for key, value in six.iteritems(urlencoded_params):
+        if len(value) != 1:
+            msg = ('URL-encoded content contains a repeated value:'
+                   '%s -> %s' % (key, ', '.join(value)))
+            raise ValueError(msg)
+        params[key] = value[0]
+    return params
+
+
+def update_query_params(uri, params):
+    """Updates a URI with new query parameters.
+
+    If a given key from ``params`` is repeated in the ``uri``, then
+    the URI will be considered invalid and an error will occur.
+
+    If the URI is valid, then each value from ``params`` will
+    replace the corresponding value in the query parameters (if
+    it exists).
+
+    Args:
+        uri: string, A valid URI, with potential existing query parameters.
+        params: dict, A dictionary of query parameters.
+
+    Returns:
+        The same URI but with the new query parameters added.
+    """
+    parts = urllib.parse.urlparse(uri)
+    query_params = parse_unique_urlencoded(parts.query)
+    query_params.update(params)
+    new_query = urllib.parse.urlencode(query_params)
+    new_parts = parts._replace(query=new_query)
+    return urllib.parse.urlunparse(new_parts)
+
+
+def _add_query_parameter(url, name, value):
+    """Adds a query parameter to a url.
+
+    Replaces the current value if it already exists in the URL.
+
+    Args:
+        url: string, url to add the query parameter to.
+        name: string, query parameter name.
+        value: string, query parameter value.
+
+    Returns:
+        Updated query parameter. Does not update the url if value is None.
+    """
+    if value is None:
+        return url
+    else:
+        return update_query_params(url, {name: value})
+
+
+def validate_file(filename):
+    if os.path.islink(filename):
+        raise IOError(_SYM_LINK_MESSAGE.format(filename))
+    elif os.path.isdir(filename):
+        raise IOError(_IS_DIR_MESSAGE.format(filename))
+    elif not os.path.isfile(filename):
+        warnings.warn(_MISSING_FILE_MESSAGE.format(filename))
+
+
+def _parse_pem_key(raw_key_input):
+    """Identify and extract PEM keys.
+
+    Determines whether the given key is in the format of PEM key, and extracts
+    the relevant part of the key if it is.
+
+    Args:
+        raw_key_input: The contents of a private key file (either PEM or
+                       PKCS12).
+
+    Returns:
+        string, The actual key if the contents are from a PEM file, or
+        else None.
+    """
+    offset = raw_key_input.find(b'-----BEGIN ')
+    if offset != -1:
+        return raw_key_input[offset:]
+
+
+def _json_encode(data):
+    return json.dumps(data, separators=(',', ':'))
+
+
+def _to_bytes(value, encoding='ascii'):
+    """Converts a string value to bytes, if necessary.
+
+    Unfortunately, ``six.b`` is insufficient for this task since in
+    Python2 it does not modify ``unicode`` objects.
+
+    Args:
+        value: The string/bytes value to be converted.
+        encoding: The encoding to use to convert unicode to bytes. Defaults
+                  to "ascii", which will not allow any characters from ordinals
+                  larger than 127. Other useful values are "latin-1", which
+                  which will only allows byte ordinals (up to 255) and "utf-8",
+                  which will encode any unicode that needs to be.
+
+    Returns:
+        The original value converted to bytes (if unicode) or as passed in
+        if it started out as bytes.
+
+    Raises:
+        ValueError if the value could not be converted to bytes.
+    """
+    result = (value.encode(encoding)
+              if isinstance(value, six.text_type) else value)
+    if isinstance(result, six.binary_type):
+        return result
+    else:
+        raise ValueError('{0!r} could not be converted to bytes'.format(value))
+
+
+def _from_bytes(value):
+    """Converts bytes to a string value, if necessary.
+
+    Args:
+        value: The string/bytes value to be converted.
+
+    Returns:
+        The original value converted to unicode (if bytes) or as passed in
+        if it started out as unicode.
+
+    Raises:
+        ValueError if the value could not be converted to unicode.
+    """
+    result = (value.decode('utf-8')
+              if isinstance(value, six.binary_type) else value)
+    if isinstance(result, six.text_type):
+        return result
+    else:
+        raise ValueError(
+            '{0!r} could not be converted to unicode'.format(value))
+
+
+def _urlsafe_b64encode(raw_bytes):
+    raw_bytes = _to_bytes(raw_bytes, encoding='utf-8')
+    return base64.urlsafe_b64encode(raw_bytes).rstrip(b'=')
+
+
+def _urlsafe_b64decode(b64string):
+    # Guard against unicode strings, which base64 can't handle.
+    b64string = _to_bytes(b64string)
+    padded = b64string + b'=' * (4 - len(b64string) % 4)
+    return base64.urlsafe_b64decode(padded)

.venv/lib/python3.11/site-packages/oauth2client/_openssl_crypt.py

@@ -0,0 +1,136 @@
+# Copyright 2015 Google Inc. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""OpenSSL Crypto-related routines for oauth2client."""
+
+from OpenSSL import crypto
+
+from oauth2client import _helpers
+
+
+class OpenSSLVerifier(object):
+    """Verifies the signature on a message."""
+
+    def __init__(self, pubkey):
+        """Constructor.
+
+        Args:
+            pubkey: OpenSSL.crypto.PKey, The public key to verify with.
+        """
+        self._pubkey = pubkey
+
+    def verify(self, message, signature):
+        """Verifies a message against a signature.
+
+        Args:
+        message: string or bytes, The message to verify. If string, will be
+                 encoded to bytes as utf-8.
+        signature: string or bytes, The signature on the message. If string,
+                   will be encoded to bytes as utf-8.
+
+        Returns:
+            True if message was signed by the private key associated with the
+            public key that this object was constructed with.
+        """
+        message = _helpers._to_bytes(message, encoding='utf-8')
+        signature = _helpers._to_bytes(signature, encoding='utf-8')
+        try:
+            crypto.verify(self._pubkey, signature, message, 'sha256')
+            return True
+        except crypto.Error:
+            return False
+
+    @staticmethod
+    def from_string(key_pem, is_x509_cert):
+        """Construct a Verified instance from a string.
+
+        Args:
+            key_pem: string, public key in PEM format.
+            is_x509_cert: bool, True if key_pem is an X509 cert, otherwise it
+                          is expected to be an RSA key in PEM format.
+
+        Returns:
+            Verifier instance.
+
+        Raises:
+            OpenSSL.crypto.Error: if the key_pem can't be parsed.
+        """
+        key_pem = _helpers._to_bytes(key_pem)
+        if is_x509_cert:
+            pubkey = crypto.load_certificate(crypto.FILETYPE_PEM, key_pem)
+        else:
+            pubkey = crypto.load_privatekey(crypto.FILETYPE_PEM, key_pem)
+        return OpenSSLVerifier(pubkey)
+
+
+class OpenSSLSigner(object):
+    """Signs messages with a private key."""
+
+    def __init__(self, pkey):
+        """Constructor.
+
+        Args:
+            pkey: OpenSSL.crypto.PKey (or equiv), The private key to sign with.
+        """
+        self._key = pkey
+
+    def sign(self, message):
+        """Signs a message.
+
+        Args:
+            message: bytes, Message to be signed.
+
+        Returns:
+            string, The signature of the message for the given key.
+        """
+        message = _helpers._to_bytes(message, encoding='utf-8')
+        return crypto.sign(self._key, message, 'sha256')
+
+    @staticmethod
+    def from_string(key, password=b'notasecret'):
+        """Construct a Signer instance from a string.
+
+        Args:
+            key: string, private key in PKCS12 or PEM format.
+            password: string, password for the private key file.
+
+        Returns:
+            Signer instance.
+
+        Raises:
+            OpenSSL.crypto.Error if the key can't be parsed.
+        """
+        key = _helpers._to_bytes(key)
+        parsed_pem_key = _helpers._parse_pem_key(key)
+        if parsed_pem_key:
+            pkey = crypto.load_privatekey(crypto.FILETYPE_PEM, parsed_pem_key)
+        else:
+            password = _helpers._to_bytes(password, encoding='utf-8')
+            pkey = crypto.load_pkcs12(key, password).get_privatekey()
+        return OpenSSLSigner(pkey)
+
+
+def pkcs12_key_as_pem(private_key_bytes, private_key_password):
+    """Convert the contents of a PKCS#12 key to PEM using pyOpenSSL.
+
+    Args:
+        private_key_bytes: Bytes. PKCS#12 key in DER format.
+        private_key_password: String. Password for PKCS#12 key.
+
+    Returns:
+        String. PEM contents of ``private_key_bytes``.
+    """
+    private_key_password = _helpers._to_bytes(private_key_password)
+    pkcs12 = crypto.load_pkcs12(private_key_bytes, private_key_password)
+    return crypto.dump_privatekey(crypto.FILETYPE_PEM,
+                                  pkcs12.get_privatekey())

.venv/lib/python3.11/site-packages/oauth2client/_pkce.py

@@ -0,0 +1,67 @@
+# Copyright 2016 Google Inc. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""
+Utility functions for implementing Proof Key for Code Exchange (PKCE) by OAuth
+Public Clients
+
+See RFC7636.
+"""
+
+import base64
+import hashlib
+import os
+
+
+def code_verifier(n_bytes=64):
+    """
+    Generates a 'code_verifier' as described in section 4.1 of RFC 7636.
+
+    This is a 'high-entropy cryptographic random string' that will be
+    impractical for an attacker to guess.
+
+    Args:
+        n_bytes: integer between 31 and 96, inclusive. default: 64
+            number of bytes of entropy to include in verifier.
+
+    Returns:
+        Bytestring, representing urlsafe base64-encoded random data.
+    """
+    verifier = base64.urlsafe_b64encode(os.urandom(n_bytes)).rstrip(b'=')
+    # https://tools.ietf.org/html/rfc7636#section-4.1
+    # minimum length of 43 characters and a maximum length of 128 characters.
+    if len(verifier) < 43:
+        raise ValueError("Verifier too short. n_bytes must be > 30.")
+    elif len(verifier) > 128:
+        raise ValueError("Verifier too long. n_bytes must be < 97.")
+    else:
+        return verifier
+
+
+def code_challenge(verifier):
+    """
+    Creates a 'code_challenge' as described in section 4.2 of RFC 7636
+    by taking the sha256 hash of the verifier and then urlsafe
+    base64-encoding it.
+
+    Args:
+        verifier: bytestring, representing a code_verifier as generated by
+            code_verifier().
+
+    Returns:
+        Bytestring, representing a urlsafe base64-encoded sha256 hash digest,
+            without '=' padding.
+    """
+    digest = hashlib.sha256(verifier).digest()
+    return base64.urlsafe_b64encode(digest).rstrip(b'=')

.venv/lib/python3.11/site-packages/oauth2client/_pure_python_crypt.py

@@ -0,0 +1,184 @@
+# Copyright 2016 Google Inc. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""Pure Python crypto-related routines for oauth2client.
+
+Uses the ``rsa``, ``pyasn1`` and ``pyasn1_modules`` packages
+to parse PEM files storing PKCS#1 or PKCS#8 keys as well as
+certificates.
+"""
+
+from pyasn1.codec.der import decoder
+from pyasn1_modules import pem
+from pyasn1_modules.rfc2459 import Certificate
+from pyasn1_modules.rfc5208 import PrivateKeyInfo
+import rsa
+import six
+
+from oauth2client import _helpers
+
+
+_PKCS12_ERROR = r"""\
+PKCS12 format is not supported by the RSA library.
+Either install PyOpenSSL, or please convert .p12 format
+to .pem format:
+    $ cat key.p12 | \
+    >   openssl pkcs12 -nodes -nocerts -passin pass:notasecret | \
+    >   openssl rsa > key.pem
+"""
+
+_POW2 = (128, 64, 32, 16, 8, 4, 2, 1)
+_PKCS1_MARKER = ('-----BEGIN RSA PRIVATE KEY-----',
+                 '-----END RSA PRIVATE KEY-----')
+_PKCS8_MARKER = ('-----BEGIN PRIVATE KEY-----',
+                 '-----END PRIVATE KEY-----')
+_PKCS8_SPEC = PrivateKeyInfo()
+
+
+def _bit_list_to_bytes(bit_list):
+    """Converts an iterable of 1's and 0's to bytes.
+
+    Combines the list 8 at a time, treating each group of 8 bits
+    as a single byte.
+    """
+    num_bits = len(bit_list)
+    byte_vals = bytearray()
+    for start in six.moves.xrange(0, num_bits, 8):
+        curr_bits = bit_list[start:start + 8]
+        char_val = sum(val * digit
+                       for val, digit in zip(_POW2, curr_bits))
+        byte_vals.append(char_val)
+    return bytes(byte_vals)
+
+
+class RsaVerifier(object):
+    """Verifies the signature on a message.
+
+    Args:
+        pubkey: rsa.key.PublicKey (or equiv), The public key to verify with.
+    """
+
+    def __init__(self, pubkey):
+        self._pubkey = pubkey
+
+    def verify(self, message, signature):
+        """Verifies a message against a signature.
+
+        Args:
+            message: string or bytes, The message to verify. If string, will be
+                     encoded to bytes as utf-8.
+            signature: string or bytes, The signature on the message. If
+                       string, will be encoded to bytes as utf-8.
+
+        Returns:
+            True if message was signed by the private key associated with the
+            public key that this object was constructed with.
+        """
+        message = _helpers._to_bytes(message, encoding='utf-8')
+        try:
+            return rsa.pkcs1.verify(message, signature, self._pubkey)
+        except (ValueError, rsa.pkcs1.VerificationError):
+            return False
+
+    @classmethod
+    def from_string(cls, key_pem, is_x509_cert):
+        """Construct an RsaVerifier instance from a string.
+
+        Args:
+            key_pem: string, public key in PEM format.
+            is_x509_cert: bool, True if key_pem is an X509 cert, otherwise it
+                          is expected to be an RSA key in PEM format.
+
+        Returns:
+            RsaVerifier instance.
+
+        Raises:
+            ValueError: if the key_pem can't be parsed. In either case, error
+                        will begin with 'No PEM start marker'. If
+                        ``is_x509_cert`` is True, will fail to find the
+                        "-----BEGIN CERTIFICATE-----" error, otherwise fails
+                        to find "-----BEGIN RSA PUBLIC KEY-----".
+        """
+        key_pem = _helpers._to_bytes(key_pem)
+        if is_x509_cert:
+            der = rsa.pem.load_pem(key_pem, 'CERTIFICATE')
+            asn1_cert, remaining = decoder.decode(der, asn1Spec=Certificate())
+            if remaining != b'':
+                raise ValueError('Unused bytes', remaining)
+
+            cert_info = asn1_cert['tbsCertificate']['subjectPublicKeyInfo']
+            key_bytes = _bit_list_to_bytes(cert_info['subjectPublicKey'])
+            pubkey = rsa.PublicKey.load_pkcs1(key_bytes, 'DER')
+        else:
+            pubkey = rsa.PublicKey.load_pkcs1(key_pem, 'PEM')
+        return cls(pubkey)
+
+
+class RsaSigner(object):
+    """Signs messages with a private key.
+
+    Args:
+        pkey: rsa.key.PrivateKey (or equiv), The private key to sign with.
+    """
+
+    def __init__(self, pkey):
+        self._key = pkey
+
+    def sign(self, message):
+        """Signs a message.
+
+        Args:
+            message: bytes, Message to be signed.
+
+        Returns:
+            string, The signature of the message for the given key.
+        """
+        message = _helpers._to_bytes(message, encoding='utf-8')
+        return rsa.pkcs1.sign(message, self._key, 'SHA-256')
+
+    @classmethod
+    def from_string(cls, key, password='notasecret'):
+        """Construct an RsaSigner instance from a string.
+
+        Args:
+            key: string, private key in PEM format.
+            password: string, password for private key file. Unused for PEM
+                      files.
+
+        Returns:
+            RsaSigner instance.
+
+        Raises:
+            ValueError if the key cannot be parsed as PKCS#1 or PKCS#8 in
+            PEM format.
+        """
+        key = _helpers._from_bytes(key)  # pem expects str in Py3
+        marker_id, key_bytes = pem.readPemBlocksFromFile(
+            six.StringIO(key), _PKCS1_MARKER, _PKCS8_MARKER)
+
+        if marker_id == 0:
+            pkey = rsa.key.PrivateKey.load_pkcs1(key_bytes,
+                                                 format='DER')
+        elif marker_id == 1:
+            key_info, remaining = decoder.decode(
+                key_bytes, asn1Spec=_PKCS8_SPEC)
+            if remaining != b'':
+                raise ValueError('Unused bytes', remaining)
+            pkey_info = key_info.getComponentByName('privateKey')
+            pkey = rsa.key.PrivateKey.load_pkcs1(pkey_info.asOctets(),
+                                                 format='DER')
+        else:
+            raise ValueError('No key could be detected.')
+
+        return cls(pkey)

.venv/lib/python3.11/site-packages/oauth2client/_pycrypto_crypt.py

@@ -0,0 +1,124 @@
+# Copyright 2015 Google Inc. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""pyCrypto Crypto-related routines for oauth2client."""
+
+from Crypto.Hash import SHA256
+from Crypto.PublicKey import RSA
+from Crypto.Signature import PKCS1_v1_5
+from Crypto.Util.asn1 import DerSequence
+
+from oauth2client import _helpers
+
+
+class PyCryptoVerifier(object):
+    """Verifies the signature on a message."""
+
+    def __init__(self, pubkey):
+        """Constructor.
+
+        Args:
+            pubkey: OpenSSL.crypto.PKey (or equiv), The public key to verify
+            with.
+        """
+        self._pubkey = pubkey
+
+    def verify(self, message, signature):
+        """Verifies a message against a signature.
+
+        Args:
+            message: string or bytes, The message to verify. If string, will be
+                     encoded to bytes as utf-8.
+            signature: string or bytes, The signature on the message.
+
+        Returns:
+            True if message was signed by the private key associated with the
+            public key that this object was constructed with.
+        """
+        message = _helpers._to_bytes(message, encoding='utf-8')
+        return PKCS1_v1_5.new(self._pubkey).verify(
+            SHA256.new(message), signature)
+
+    @staticmethod
+    def from_string(key_pem, is_x509_cert):
+        """Construct a Verified instance from a string.
+
+        Args:
+            key_pem: string, public key in PEM format.
+            is_x509_cert: bool, True if key_pem is an X509 cert, otherwise it
+                          is expected to be an RSA key in PEM format.
+
+        Returns:
+            Verifier instance.
+        """
+        if is_x509_cert:
+            key_pem = _helpers._to_bytes(key_pem)
+            pemLines = key_pem.replace(b' ', b'').split()
+            certDer = _helpers._urlsafe_b64decode(b''.join(pemLines[1:-1]))
+            certSeq = DerSequence()
+            certSeq.decode(certDer)
+            tbsSeq = DerSequence()
+            tbsSeq.decode(certSeq[0])
+            pubkey = RSA.importKey(tbsSeq[6])
+        else:
+            pubkey = RSA.importKey(key_pem)
+        return PyCryptoVerifier(pubkey)
+
+
+class PyCryptoSigner(object):
+    """Signs messages with a private key."""
+
+    def __init__(self, pkey):
+        """Constructor.
+
+        Args:
+            pkey, OpenSSL.crypto.PKey (or equiv), The private key to sign with.
+        """
+        self._key = pkey
+
+    def sign(self, message):
+        """Signs a message.
+
+        Args:
+            message: string, Message to be signed.
+
+        Returns:
+            string, The signature of the message for the given key.
+        """
+        message = _helpers._to_bytes(message, encoding='utf-8')
+        return PKCS1_v1_5.new(self._key).sign(SHA256.new(message))
+
+    @staticmethod
+    def from_string(key, password='notasecret'):
+        """Construct a Signer instance from a string.
+
+        Args:
+            key: string, private key in PEM format.
+            password: string, password for private key file. Unused for PEM
+                      files.
+
+        Returns:
+            Signer instance.
+
+        Raises:
+            NotImplementedError if the key isn't in PEM format.
+        """
+        parsed_pem_key = _helpers._parse_pem_key(_helpers._to_bytes(key))
+        if parsed_pem_key:
+            pkey = RSA.importKey(parsed_pem_key)
+        else:
+            raise NotImplementedError(
+                'No key in PEM format was detected. This implementation '
+                'can only use the PyCrypto library for keys in PEM '
+                'format.')
+        return PyCryptoSigner(pkey)

.venv/lib/python3.11/site-packages/oauth2client/client.py

@@ -0,0 +1,2170 @@
+# Copyright 2014 Google Inc. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""An OAuth 2.0 client.
+
+Tools for interacting with OAuth 2.0 protected resources.
+"""
+
+import collections
+import copy
+import datetime
+import json
+import logging
+import os
+import shutil
+import socket
+import sys
+import tempfile
+
+import six
+from six.moves import http_client
+from six.moves import urllib
+
+import oauth2client
+from oauth2client import _helpers
+from oauth2client import _pkce
+from oauth2client import clientsecrets
+from oauth2client import transport
+
+
+HAS_OPENSSL = False
+HAS_CRYPTO = False
+try:
+    from oauth2client import crypt
+    HAS_CRYPTO = True
+    HAS_OPENSSL = crypt.OpenSSLVerifier is not None
+except ImportError:  # pragma: NO COVER
+    pass
+
+
+logger = logging.getLogger(__name__)
+
+# Expiry is stored in RFC3339 UTC format
+EXPIRY_FORMAT = '%Y-%m-%dT%H:%M:%SZ'
+
+# Which certs to use to validate id_tokens received.
+ID_TOKEN_VERIFICATION_CERTS = 'https://www.googleapis.com/oauth2/v1/certs'
+# This symbol previously had a typo in the name; we keep the old name
+# around for now, but will remove it in the future.
+ID_TOKEN_VERIFICATON_CERTS = ID_TOKEN_VERIFICATION_CERTS
+
+# Constant to use for the out of band OAuth 2.0 flow.
+OOB_CALLBACK_URN = 'urn:ietf:wg:oauth:2.0:oob'
+
+# The value representing user credentials.
+AUTHORIZED_USER = 'authorized_user'
+
+# The value representing service account credentials.
+SERVICE_ACCOUNT = 'service_account'
+
+# The environment variable pointing the file with local
+# Application Default Credentials.
+GOOGLE_APPLICATION_CREDENTIALS = 'GOOGLE_APPLICATION_CREDENTIALS'
+# The ~/.config subdirectory containing gcloud credentials. Intended
+# to be swapped out in tests.
+_CLOUDSDK_CONFIG_DIRECTORY = 'gcloud'
+# The environment variable name which can replace ~/.config if set.
+_CLOUDSDK_CONFIG_ENV_VAR = 'CLOUDSDK_CONFIG'
+
+# The error message we show users when we can't find the Application
+# Default Credentials.
+ADC_HELP_MSG = (
+    'The Application Default Credentials are not available. They are '
+    'available if running in Google Compute Engine. Otherwise, the '
+    'environment variable ' +
+    GOOGLE_APPLICATION_CREDENTIALS +
+    ' must be defined pointing to a file defining the credentials. See '
+    'https://developers.google.com/accounts/docs/'
+    'application-default-credentials for more information.')
+
+_WELL_KNOWN_CREDENTIALS_FILE = 'application_default_credentials.json'
+
+# The access token along with the seconds in which it expires.
+AccessTokenInfo = collections.namedtuple(
+    'AccessTokenInfo', ['access_token', 'expires_in'])
+
+DEFAULT_ENV_NAME = 'UNKNOWN'
+
+# If set to True _get_environment avoid GCE check (_detect_gce_environment)
+NO_GCE_CHECK = os.getenv('NO_GCE_CHECK', 'False')
+
+# Timeout in seconds to wait for the GCE metadata server when detecting the
+# GCE environment.
+try:
+    GCE_METADATA_TIMEOUT = int(os.getenv('GCE_METADATA_TIMEOUT', 3))
+except ValueError:  # pragma: NO COVER
+    GCE_METADATA_TIMEOUT = 3
+
+_SERVER_SOFTWARE = 'SERVER_SOFTWARE'
+_GCE_METADATA_URI = 'http://' + os.getenv('GCE_METADATA_IP', '169.254.169.254')
+_METADATA_FLAVOR_HEADER = 'metadata-flavor'  # lowercase header
+_DESIRED_METADATA_FLAVOR = 'Google'
+_GCE_HEADERS = {_METADATA_FLAVOR_HEADER: _DESIRED_METADATA_FLAVOR}
+
+# Expose utcnow() at module level to allow for
+# easier testing (by replacing with a stub).
+_UTCNOW = datetime.datetime.utcnow
+
+# NOTE: These names were previously defined in this module but have been
+#       moved into `oauth2client.transport`,
+clean_headers = transport.clean_headers
+MemoryCache = transport.MemoryCache
+REFRESH_STATUS_CODES = transport.REFRESH_STATUS_CODES
+
+
+class SETTINGS(object):
+    """Settings namespace for globally defined values."""
+    env_name = None
+
+
+class Error(Exception):
+    """Base error for this module."""
+
+
+class FlowExchangeError(Error):
+    """Error trying to exchange an authorization grant for an access token."""
+
+
+class AccessTokenRefreshError(Error):
+    """Error trying to refresh an expired access token."""
+
+
+class HttpAccessTokenRefreshError(AccessTokenRefreshError):
+    """Error (with HTTP status) trying to refresh an expired access token."""
+    def __init__(self, *args, **kwargs):
+        super(HttpAccessTokenRefreshError, self).__init__(*args)
+        self.status = kwargs.get('status')
+
+
+class TokenRevokeError(Error):
+    """Error trying to revoke a token."""
+
+
+class UnknownClientSecretsFlowError(Error):
+    """The client secrets file called for an unknown type of OAuth 2.0 flow."""
+
+
+class AccessTokenCredentialsError(Error):
+    """Having only the access_token means no refresh is possible."""
+
+
+class VerifyJwtTokenError(Error):
+    """Could not retrieve certificates for validation."""
+
+
+class NonAsciiHeaderError(Error):
+    """Header names and values must be ASCII strings."""
+
+
+class ApplicationDefaultCredentialsError(Error):
+    """Error retrieving the Application Default Credentials."""
+
+
+class OAuth2DeviceCodeError(Error):
+    """Error trying to retrieve a device code."""
+
+
+class CryptoUnavailableError(Error, NotImplementedError):
+    """Raised when a crypto library is required, but none is available."""
+
+
+def _parse_expiry(expiry):
+    if expiry and isinstance(expiry, datetime.datetime):
+        return expiry.strftime(EXPIRY_FORMAT)
+    else:
+        return None
+
+
+class Credentials(object):
+    """Base class for all Credentials objects.
+
+    Subclasses must define an authorize() method that applies the credentials
+    to an HTTP transport.
+
+    Subclasses must also specify a classmethod named 'from_json' that takes a
+    JSON string as input and returns an instantiated Credentials object.
+    """
+
+    NON_SERIALIZED_MEMBERS = frozenset(['store'])
+
+    def authorize(self, http):
+        """Take an httplib2.Http instance (or equivalent) and authorizes it.
+
+        Authorizes it for the set of credentials, usually by replacing
+        http.request() with a method that adds in the appropriate headers and
+        then delegates to the original Http.request() method.
+
+        Args:
+            http: httplib2.Http, an http object to be used to make the refresh
+                  request.
+        """
+        raise NotImplementedError
+
+    def refresh(self, http):
+        """Forces a refresh of the access_token.
+
+        Args:
+            http: httplib2.Http, an http object to be used to make the refresh
+                  request.
+        """
+        raise NotImplementedError
+
+    def revoke(self, http):
+        """Revokes a refresh_token and makes the credentials void.
+
+        Args:
+            http: httplib2.Http, an http object to be used to make the revoke
+                  request.
+        """
+        raise NotImplementedError
+
+    def apply(self, headers):
+        """Add the authorization to the headers.
+
+        Args:
+            headers: dict, the headers to add the Authorization header to.
+        """
+        raise NotImplementedError
+
+    def _to_json(self, strip, to_serialize=None):
+        """Utility function that creates JSON repr. of a Credentials object.
+
+        Args:
+            strip: array, An array of names of members to exclude from the
+                   JSON.
+            to_serialize: dict, (Optional) The properties for this object
+                          that will be serialized. This allows callers to
+                          modify before serializing.
+
+        Returns:
+            string, a JSON representation of this instance, suitable to pass to
+            from_json().
+        """
+        curr_type = self.__class__
+        if to_serialize is None:
+            to_serialize = copy.copy(self.__dict__)
+        else:
+            # Assumes it is a str->str dictionary, so we don't deep copy.
+            to_serialize = copy.copy(to_serialize)
+        for member in strip:
+            if member in to_serialize:
+                del to_serialize[member]
+        to_serialize['token_expiry'] = _parse_expiry(
+            to_serialize.get('token_expiry'))
+        # Add in information we will need later to reconstitute this instance.
+        to_serialize['_class'] = curr_type.__name__
+        to_serialize['_module'] = curr_type.__module__
+        for key, val in to_serialize.items():
+            if isinstance(val, bytes):
+                to_serialize[key] = val.decode('utf-8')
+            if isinstance(val, set):
+                to_serialize[key] = list(val)
+        return json.dumps(to_serialize)
+
+    def to_json(self):
+        """Creating a JSON representation of an instance of Credentials.
+
+        Returns:
+            string, a JSON representation of this instance, suitable to pass to
+            from_json().
+        """
+        return self._to_json(self.NON_SERIALIZED_MEMBERS)
+
+    @classmethod
+    def new_from_json(cls, json_data):
+        """Utility class method to instantiate a Credentials subclass from JSON.
+
+        Expects the JSON string to have been produced by to_json().
+
+        Args:
+            json_data: string or bytes, JSON from to_json().
+
+        Returns:
+            An instance of the subclass of Credentials that was serialized with
+            to_json().
+        """
+        json_data_as_unicode = _helpers._from_bytes(json_data)
+        data = json.loads(json_data_as_unicode)
+        # Find and call the right classmethod from_json() to restore
+        # the object.
+        module_name = data['_module']
+        try:
+            module_obj = __import__(module_name)
+        except ImportError:
+            # In case there's an object from the old package structure,
+            # update it
+            module_name = module_name.replace('.googleapiclient', '')
+            module_obj = __import__(module_name)
+
+        module_obj = __import__(module_name,
+                                fromlist=module_name.split('.')[:-1])
+        kls = getattr(module_obj, data['_class'])
+        return kls.from_json(json_data_as_unicode)
+
+    @classmethod
+    def from_json(cls, unused_data):
+        """Instantiate a Credentials object from a JSON description of it.
+
+        The JSON should have been produced by calling .to_json() on the object.
+
+        Args:
+            unused_data: dict, A deserialized JSON object.
+
+        Returns:
+            An instance of a Credentials subclass.
+        """
+        return Credentials()
+
+
+class Flow(object):
+    """Base class for all Flow objects."""
+    pass
+
+
+class Storage(object):
+    """Base class for all Storage objects.
+
+    Store and retrieve a single credential. This class supports locking
+    such that multiple processes and threads can operate on a single
+    store.
+    """
+    def __init__(self, lock=None):
+        """Create a Storage instance.
+
+        Args:
+            lock: An optional threading.Lock-like object. Must implement at
+                  least acquire() and release(). Does not need to be
+                  re-entrant.
+        """
+        self._lock = lock
+
+    def acquire_lock(self):
+        """Acquires any lock necessary to access this Storage.
+
+        This lock is not reentrant.
+        """
+        if self._lock is not None:
+            self._lock.acquire()
+
+    def release_lock(self):
+        """Release the Storage lock.
+
+        Trying to release a lock that isn't held will result in a
+        RuntimeError in the case of a threading.Lock or multiprocessing.Lock.
+        """
+        if self._lock is not None:
+            self._lock.release()
+
+    def locked_get(self):
+        """Retrieve credential.
+
+        The Storage lock must be held when this is called.
+
+        Returns:
+            oauth2client.client.Credentials
+        """
+        raise NotImplementedError
+
+    def locked_put(self, credentials):
+        """Write a credential.
+
+        The Storage lock must be held when this is called.
+
+        Args:
+            credentials: Credentials, the credentials to store.
+        """
+        raise NotImplementedError
+
+    def locked_delete(self):
+        """Delete a credential.
+
+        The Storage lock must be held when this is called.
+        """
+        raise NotImplementedError
+
+    def get(self):
+        """Retrieve credential.
+
+        The Storage lock must *not* be held when this is called.
+
+        Returns:
+            oauth2client.client.Credentials
+        """
+        self.acquire_lock()
+        try:
+            return self.locked_get()
+        finally:
+            self.release_lock()
+
+    def put(self, credentials):
+        """Write a credential.
+
+        The Storage lock must be held when this is called.
+
+        Args:
+            credentials: Credentials, the credentials to store.
+        """
+        self.acquire_lock()
+        try:
+            self.locked_put(credentials)
+        finally:
+            self.release_lock()
+
+    def delete(self):
+        """Delete credential.
+
+        Frees any resources associated with storing the credential.
+        The Storage lock must *not* be held when this is called.
+
+        Returns:
+            None
+        """
+        self.acquire_lock()
+        try:
+            return self.locked_delete()
+        finally:
+            self.release_lock()
+
+
+class OAuth2Credentials(Credentials):
+    """Credentials object for OAuth 2.0.
+
+    Credentials can be applied to an httplib2.Http object using the authorize()
+    method, which then adds the OAuth 2.0 access token to each request.
+
+    OAuth2Credentials objects may be safely pickled and unpickled.
+    """
+
+    @_helpers.positional(8)
+    def __init__(self, access_token, client_id, client_secret, refresh_token,
+                 token_expiry, token_uri, user_agent, revoke_uri=None,
+                 id_token=None, token_response=None, scopes=None,
+                 token_info_uri=None, id_token_jwt=None):
+        """Create an instance of OAuth2Credentials.
+
+        This constructor is not usually called by the user, instead
+        OAuth2Credentials objects are instantiated by the OAuth2WebServerFlow.
+
+        Args:
+            access_token: string, access token.
+            client_id: string, client identifier.
+            client_secret: string, client secret.
+            refresh_token: string, refresh token.
+            token_expiry: datetime, when the access_token expires.
+            token_uri: string, URI of token endpoint.
+            user_agent: string, The HTTP User-Agent to provide for this
+                        application.
+            revoke_uri: string, URI for revoke endpoint. Defaults to None; a
+                        token can't be revoked if this is None.
+            id_token: object, The identity of the resource owner.
+            token_response: dict, the decoded response to the token request.
+                            None if a token hasn't been requested yet. Stored
+                            because some providers (e.g. wordpress.com) include
+                            extra fields that clients may want.
+            scopes: list, authorized scopes for these credentials.
+            token_info_uri: string, the URI for the token info endpoint.
+                            Defaults to None; scopes can not be refreshed if
+                            this is None.
+            id_token_jwt: string, the encoded and signed identity JWT. The
+                          decoded version of this is stored in id_token.
+
+        Notes:
+            store: callable, A callable that when passed a Credential
+                   will store the credential back to where it came from.
+                   This is needed to store the latest access_token if it
+                   has expired and been refreshed.
+        """
+        self.access_token = access_token
+        self.client_id = client_id
+        self.client_secret = client_secret
+        self.refresh_token = refresh_token
+        self.store = None
+        self.token_expiry = token_expiry
+        self.token_uri = token_uri
+        self.user_agent = user_agent
+        self.revoke_uri = revoke_uri
+        self.id_token = id_token
+        self.id_token_jwt = id_token_jwt
+        self.token_response = token_response
+        self.scopes = set(_helpers.string_to_scopes(scopes or []))
+        self.token_info_uri = token_info_uri
+
+        # True if the credentials have been revoked or expired and can't be
+        # refreshed.
+        self.invalid = False
+
+    def authorize(self, http):
+        """Authorize an httplib2.Http instance with these credentials.
+
+        The modified http.request method will add authentication headers to
+        each request and will refresh access_tokens when a 401 is received on a
+        request. In addition the http.request method has a credentials
+        property, http.request.credentials, which is the Credentials object
+        that authorized it.
+
+        Args:
+            http: An instance of ``httplib2.Http`` or something that acts
+                  like it.
+
+        Returns:
+            A modified instance of http that was passed in.
+
+        Example::
+
+            h = httplib2.Http()
+            h = credentials.authorize(h)
+
+        You can't create a new OAuth subclass of httplib2.Authentication
+        because it never gets passed the absolute URI, which is needed for
+        signing. So instead we have to overload 'request' with a closure
+        that adds in the Authorization header and then calls the original
+        version of 'request()'.
+        """
+        transport.wrap_http_for_auth(self, http)
+        return http
+
+    def refresh(self, http):
+        """Forces a refresh of the access_token.
+
+        Args:
+            http: httplib2.Http, an http object to be used to make the refresh
+                  request.
+        """
+        self._refresh(http)
+
+    def revoke(self, http):
+        """Revokes a refresh_token and makes the credentials void.
+
+        Args:
+            http: httplib2.Http, an http object to be used to make the revoke
+                  request.
+        """
+        self._revoke(http)
+
+    def apply(self, headers):
+        """Add the authorization to the headers.
+
+        Args:
+            headers: dict, the headers to add the Authorization header to.
+        """
+        headers['Authorization'] = 'Bearer ' + self.access_token
+
+    def has_scopes(self, scopes):
+        """Verify that the credentials are authorized for the given scopes.
+
+        Returns True if the credentials authorized scopes contain all of the
+        scopes given.
+
+        Args:
+            scopes: list or string, the scopes to check.
+
+        Notes:
+            There are cases where the credentials are unaware of which scopes
+            are authorized. Notably, credentials obtained and stored before
+            this code was added will not have scopes, AccessTokenCredentials do
+            not have scopes. In both cases, you can use refresh_scopes() to
+            obtain the canonical set of scopes.
+        """
+        scopes = _helpers.string_to_scopes(scopes)
+        return set(scopes).issubset(self.scopes)
+
+    def retrieve_scopes(self, http):
+        """Retrieves the canonical list of scopes for this access token.
+
+        Gets the scopes from the OAuth2 provider.
+
+        Args:
+            http: httplib2.Http, an http object to be used to make the refresh
+                  request.
+
+        Returns:
+            A set of strings containing the canonical list of scopes.
+        """
+        self._retrieve_scopes(http)
+        return self.scopes
+
+    @classmethod
+    def from_json(cls, json_data):
+        """Instantiate a Credentials object from a JSON description of it.
+
+        The JSON should have been produced by calling .to_json() on the object.
+
+        Args:
+            json_data: string or bytes, JSON to deserialize.
+
+        Returns:
+            An instance of a Credentials subclass.
+        """
+        data = json.loads(_helpers._from_bytes(json_data))
+        if (data.get('token_expiry') and
+                not isinstance(data['token_expiry'], datetime.datetime)):
+            try:
+                data['token_expiry'] = datetime.datetime.strptime(
+                    data['token_expiry'], EXPIRY_FORMAT)
+            except ValueError:
+                data['token_expiry'] = None
+        retval = cls(
+            data['access_token'],
+            data['client_id'],
+            data['client_secret'],
+            data['refresh_token'],
+            data['token_expiry'],
+            data['token_uri'],
+            data['user_agent'],
+            revoke_uri=data.get('revoke_uri', None),
+            id_token=data.get('id_token', None),
+            id_token_jwt=data.get('id_token_jwt', None),
+            token_response=data.get('token_response', None),
+            scopes=data.get('scopes', None),
+            token_info_uri=data.get('token_info_uri', None))
+        retval.invalid = data['invalid']
+        return retval
+
+    @property
+    def access_token_expired(self):
+        """True if the credential is expired or invalid.
+
+        If the token_expiry isn't set, we assume the token doesn't expire.
+        """
+        if self.invalid:
+            return True
+
+        if not self.token_expiry:
+            return False
+
+        now = _UTCNOW()
+        if now >= self.token_expiry:
+            logger.info('access_token is expired. Now: %s, token_expiry: %s',
+                        now, self.token_expiry)
+            return True
+        return False
+
+    def get_access_token(self, http=None):
+        """Return the access token and its expiration information.
+
+        If the token does not exist, get one.
+        If the token expired, refresh it.
+        """
+        if not self.access_token or self.access_token_expired:
+            if not http:
+                http = transport.get_http_object()
+            self.refresh(http)
+        return AccessTokenInfo(access_token=self.access_token,
+                               expires_in=self._expires_in())
+
+    def set_store(self, store):
+        """Set the Storage for the credential.
+
+        Args:
+            store: Storage, an implementation of Storage object.
+                   This is needed to store the latest access_token if it
+                   has expired and been refreshed. This implementation uses
+                   locking to check for updates before updating the
+                   access_token.
+        """
+        self.store = store
+
+    def _expires_in(self):
+        """Return the number of seconds until this token expires.
+
+        If token_expiry is in the past, this method will return 0, meaning the
+        token has already expired.
+
+        If token_expiry is None, this method will return None. Note that
+        returning 0 in such a case would not be fair: the token may still be
+        valid; we just don't know anything about it.
+        """
+        if self.token_expiry:
+            now = _UTCNOW()
+            if self.token_expiry > now:
+                time_delta = self.token_expiry - now
+                # TODO(orestica): return time_delta.total_seconds()
+                # once dropping support for Python 2.6
+                return time_delta.days * 86400 + time_delta.seconds
+            else:
+                return 0
+
+    def _updateFromCredential(self, other):
+        """Update this Credential from another instance."""
+        self.__dict__.update(other.__getstate__())
+
+    def __getstate__(self):
+        """Trim the state down to something that can be pickled."""
+        d = copy.copy(self.__dict__)
+        del d['store']
+        return d
+
+    def __setstate__(self, state):
+        """Reconstitute the state of the object from being pickled."""
+        self.__dict__.update(state)
+        self.store = None
+
+    def _generate_refresh_request_body(self):
+        """Generate the body that will be used in the refresh request."""
+        body = urllib.parse.urlencode({
+            'grant_type': 'refresh_token',
+            'client_id': self.client_id,
+            'client_secret': self.client_secret,
+            'refresh_token': self.refresh_token,
+        })
+        return body
+
+    def _generate_refresh_request_headers(self):
+        """Generate the headers that will be used in the refresh request."""
+        headers = {
+            'content-type': 'application/x-www-form-urlencoded',
+        }
+
+        if self.user_agent is not None:
+            headers['user-agent'] = self.user_agent
+
+        return headers
+
+    def _refresh(self, http):
+        """Refreshes the access_token.
+
+        This method first checks by reading the Storage object if available.
+        If a refresh is still needed, it holds the Storage lock until the
+        refresh is completed.
+
+        Args:
+            http: an object to be used to make HTTP requests.
+
+        Raises:
+            HttpAccessTokenRefreshError: When the refresh fails.
+        """
+        if not self.store:
+            self._do_refresh_request(http)
+        else:
+            self.store.acquire_lock()
+            try:
+                new_cred = self.store.locked_get()
+
+                if (new_cred and not new_cred.invalid and
+                        new_cred.access_token != self.access_token and
+                        not new_cred.access_token_expired):
+                    logger.info('Updated access_token read from Storage')
+                    self._updateFromCredential(new_cred)
+                else:
+                    self._do_refresh_request(http)
+            finally:
+                self.store.release_lock()
+
+    def _do_refresh_request(self, http):
+        """Refresh the access_token using the refresh_token.
+
+        Args:
+            http: an object to be used to make HTTP requests.
+
+        Raises:
+            HttpAccessTokenRefreshError: When the refresh fails.
+        """
+        body = self._generate_refresh_request_body()
+        headers = self._generate_refresh_request_headers()
+
+        logger.info('Refreshing access_token')
+        resp, content = transport.request(
+            http, self.token_uri, method='POST',
+            body=body, headers=headers)
+        content = _helpers._from_bytes(content)
+        if resp.status == http_client.OK:
+            d = json.loads(content)
+            self.token_response = d
+            self.access_token = d['access_token']
+            self.refresh_token = d.get('refresh_token', self.refresh_token)
+            if 'expires_in' in d:
+                delta = datetime.timedelta(seconds=int(d['expires_in']))
+                self.token_expiry = delta + _UTCNOW()
+            else:
+                self.token_expiry = None
+            if 'id_token' in d:
+                self.id_token = _extract_id_token(d['id_token'])
+                self.id_token_jwt = d['id_token']
+            else:
+                self.id_token = None
+                self.id_token_jwt = None
+            # On temporary refresh errors, the user does not actually have to
+            # re-authorize, so we unflag here.
+            self.invalid = False
+            if self.store:
+                self.store.locked_put(self)
+        else:
+            # An {'error':...} response body means the token is expired or
+            # revoked, so we flag the credentials as such.
+            logger.info('Failed to retrieve access token: %s', content)
+            error_msg = 'Invalid response {0}.'.format(resp.status)
+            try:
+                d = json.loads(content)
+                if 'error' in d:
+                    error_msg = d['error']
+                    if 'error_description' in d:
+                        error_msg += ': ' + d['error_description']
+                    self.invalid = True
+                    if self.store is not None:
+                        self.store.locked_put(self)
+            except (TypeError, ValueError):
+                pass
+            raise HttpAccessTokenRefreshError(error_msg, status=resp.status)
+
+    def _revoke(self, http):
+        """Revokes this credential and deletes the stored copy (if it exists).
+
+        Args:
+            http: an object to be used to make HTTP requests.
+        """
+        self._do_revoke(http, self.refresh_token or self.access_token)
+
+    def _do_revoke(self, http, token):
+        """Revokes this credential and deletes the stored copy (if it exists).
+
+        Args:
+            http: an object to be used to make HTTP requests.
+            token: A string used as the token to be revoked. Can be either an
+                   access_token or refresh_token.
+
+        Raises:
+            TokenRevokeError: If the revoke request does not return with a
+                              200 OK.
+        """
+        logger.info('Revoking token')
+        query_params = {'token': token}
+        token_revoke_uri = _helpers.update_query_params(
+            self.revoke_uri, query_params)
+        resp, content = transport.request(http, token_revoke_uri)
+        if resp.status == http_client.METHOD_NOT_ALLOWED:
+            body = urllib.parse.urlencode(query_params)
+            resp, content = transport.request(http, token_revoke_uri,
+                                              method='POST', body=body)
+        if resp.status == http_client.OK:
+            self.invalid = True
+        else:
+            error_msg = 'Invalid response {0}.'.format(resp.status)
+            try:
+                d = json.loads(_helpers._from_bytes(content))
+                if 'error' in d:
+                    error_msg = d['error']
+            except (TypeError, ValueError):
+                pass
+            raise TokenRevokeError(error_msg)
+
+        if self.store:
+            self.store.delete()
+
+    def _retrieve_scopes(self, http):
+        """Retrieves the list of authorized scopes from the OAuth2 provider.
+
+        Args:
+            http: an object to be used to make HTTP requests.
+        """
+        self._do_retrieve_scopes(http, self.access_token)
+
+    def _do_retrieve_scopes(self, http, token):
+        """Retrieves the list of authorized scopes from the OAuth2 provider.
+
+        Args:
+            http: an object to be used to make HTTP requests.
+            token: A string used as the token to identify the credentials to
+                   the provider.
+
+        Raises:
+            Error: When refresh fails, indicating the the access token is
+                   invalid.
+        """
+        logger.info('Refreshing scopes')
+        query_params = {'access_token': token, 'fields': 'scope'}
+        token_info_uri = _helpers.update_query_params(
+            self.token_info_uri, query_params)
+        resp, content = transport.request(http, token_info_uri)
+        content = _helpers._from_bytes(content)
+        if resp.status == http_client.OK:
+            d = json.loads(content)
+            self.scopes = set(_helpers.string_to_scopes(d.get('scope', '')))
+        else:
+            error_msg = 'Invalid response {0}.'.format(resp.status)
+            try:
+                d = json.loads(content)
+                if 'error_description' in d:
+                    error_msg = d['error_description']
+            except (TypeError, ValueError):
+                pass
+            raise Error(error_msg)
+
+
+class AccessTokenCredentials(OAuth2Credentials):
+    """Credentials object for OAuth 2.0.
+
+    Credentials can be applied to an httplib2.Http object using the
+    authorize() method, which then signs each request from that object
+    with the OAuth 2.0 access token. This set of credentials is for the
+    use case where you have acquired an OAuth 2.0 access_token from
+    another place such as a JavaScript client or another web
+    application, and wish to use it from Python. Because only the
+    access_token is present it can not be refreshed and will in time
+    expire.
+
+    AccessTokenCredentials objects may be safely pickled and unpickled.
+
+    Usage::
+
+        credentials = AccessTokenCredentials('<an access token>',
+            'my-user-agent/1.0')
+        http = httplib2.Http()
+        http = credentials.authorize(http)
+
+    Raises:
+        AccessTokenCredentialsExpired: raised when the access_token expires or
+                                       is revoked.
+    """
+
+    def __init__(self, access_token, user_agent, revoke_uri=None):
+        """Create an instance of OAuth2Credentials
+
+        This is one of the few types if Credentials that you should contrust,
+        Credentials objects are usually instantiated by a Flow.
+
+        Args:
+            access_token: string, access token.
+            user_agent: string, The HTTP User-Agent to provide for this
+                        application.
+            revoke_uri: string, URI for revoke endpoint. Defaults to None; a
+                        token can't be revoked if this is None.
+        """
+        super(AccessTokenCredentials, self).__init__(
+            access_token,
+            None,
+            None,
+            None,
+            None,
+            None,
+            user_agent,
+            revoke_uri=revoke_uri)
+
+    @classmethod
+    def from_json(cls, json_data):
+        data = json.loads(_helpers._from_bytes(json_data))
+        retval = AccessTokenCredentials(
+            data['access_token'],
+            data['user_agent'])
+        return retval
+
+    def _refresh(self, http):
+        """Refreshes the access token.
+
+        Args:
+            http: unused HTTP object.
+
+        Raises:
+            AccessTokenCredentialsError: always
+        """
+        raise AccessTokenCredentialsError(
+            'The access_token is expired or invalid and can\'t be refreshed.')
+
+    def _revoke(self, http):
+        """Revokes the access_token and deletes the store if available.
+
+        Args:
+            http: an object to be used to make HTTP requests.
+        """
+        self._do_revoke(http, self.access_token)
+
+
+def _detect_gce_environment():
+    """Determine if the current environment is Compute Engine.
+
+    Returns:
+        Boolean indicating whether or not the current environment is Google
+        Compute Engine.
+    """
+    # NOTE: The explicit ``timeout`` is a workaround. The underlying
+    #       issue is that resolving an unknown host on some networks will take
+    #       20-30 seconds; making this timeout short fixes the issue, but
+    #       could lead to false negatives in the event that we are on GCE, but
+    #       the metadata resolution was particularly slow. The latter case is
+    #       "unlikely".
+    http = transport.get_http_object(timeout=GCE_METADATA_TIMEOUT)
+    try:
+        response, _ = transport.request(
+            http, _GCE_METADATA_URI, headers=_GCE_HEADERS)
+        return (
+            response.status == http_client.OK and
+            response.get(_METADATA_FLAVOR_HEADER) == _DESIRED_METADATA_FLAVOR)
+    except socket.error:  # socket.timeout or socket.error(64, 'Host is down')
+        logger.info('Timeout attempting to reach GCE metadata service.')
+        return False
+
+
+def _in_gae_environment():
+    """Detects if the code is running in the App Engine environment.
+
+    Returns:
+        True if running in the GAE environment, False otherwise.
+    """
+    if SETTINGS.env_name is not None:
+        return SETTINGS.env_name in ('GAE_PRODUCTION', 'GAE_LOCAL')
+
+    try:
+        import google.appengine  # noqa: unused import
+    except ImportError:
+        pass
+    else:
+        server_software = os.environ.get(_SERVER_SOFTWARE, '')
+        if server_software.startswith('Google App Engine/'):
+            SETTINGS.env_name = 'GAE_PRODUCTION'
+            return True
+        elif server_software.startswith('Development/'):
+            SETTINGS.env_name = 'GAE_LOCAL'
+            return True
+
+    return False
+
+
+def _in_gce_environment():
+    """Detect if the code is running in the Compute Engine environment.
+
+    Returns:
+        True if running in the GCE environment, False otherwise.
+    """
+    if SETTINGS.env_name is not None:
+        return SETTINGS.env_name == 'GCE_PRODUCTION'
+
+    if NO_GCE_CHECK != 'True' and _detect_gce_environment():
+        SETTINGS.env_name = 'GCE_PRODUCTION'
+        return True
+    return False
+
+
+class GoogleCredentials(OAuth2Credentials):
+    """Application Default Credentials for use in calling Google APIs.
+
+    The Application Default Credentials are being constructed as a function of
+    the environment where the code is being run.
+    More details can be found on this page:
+    https://developers.google.com/accounts/docs/application-default-credentials
+
+    Here is an example of how to use the Application Default Credentials for a
+    service that requires authentication::
+
+        from googleapiclient.discovery import build
+        from oauth2client.client import GoogleCredentials
+
+        credentials = GoogleCredentials.get_application_default()
+        service = build('compute', 'v1', credentials=credentials)
+
+        PROJECT = 'bamboo-machine-422'
+        ZONE = 'us-central1-a'
+        request = service.instances().list(project=PROJECT, zone=ZONE)
+        response = request.execute()
+
+        print(response)
+    """
+
+    NON_SERIALIZED_MEMBERS = (
+        frozenset(['_private_key']) |
+        OAuth2Credentials.NON_SERIALIZED_MEMBERS)
+    """Members that aren't serialized when object is converted to JSON."""
+
+    def __init__(self, access_token, client_id, client_secret, refresh_token,
+                 token_expiry, token_uri, user_agent,
+                 revoke_uri=oauth2client.GOOGLE_REVOKE_URI):
+        """Create an instance of GoogleCredentials.
+
+        This constructor is not usually called by the user, instead
+        GoogleCredentials objects are instantiated by
+        GoogleCredentials.from_stream() or
+        GoogleCredentials.get_application_default().
+
+        Args:
+            access_token: string, access token.
+            client_id: string, client identifier.
+            client_secret: string, client secret.
+            refresh_token: string, refresh token.
+            token_expiry: datetime, when the access_token expires.
+            token_uri: string, URI of token endpoint.
+            user_agent: string, The HTTP User-Agent to provide for this
+                        application.
+            revoke_uri: string, URI for revoke endpoint. Defaults to
+                        oauth2client.GOOGLE_REVOKE_URI; a token can't be
+                        revoked if this is None.
+        """
+        super(GoogleCredentials, self).__init__(
+            access_token, client_id, client_secret, refresh_token,
+            token_expiry, token_uri, user_agent, revoke_uri=revoke_uri)
+
+    def create_scoped_required(self):
+        """Whether this Credentials object is scopeless.
+
+        create_scoped(scopes) method needs to be called in order to create
+        a Credentials object for API calls.
+        """
+        return False
+
+    def create_scoped(self, scopes):
+        """Create a Credentials object for the given scopes.
+
+        The Credentials type is preserved.
+        """
+        return self
+
+    @classmethod
+    def from_json(cls, json_data):
+        # TODO(issue 388): eliminate the circularity that is the reason for
+        #                  this non-top-level import.
+        from oauth2client import service_account
+        data = json.loads(_helpers._from_bytes(json_data))
+
+        # We handle service_account.ServiceAccountCredentials since it is a
+        # possible return type of GoogleCredentials.get_application_default()
+        if (data['_module'] == 'oauth2client.service_account' and
+                data['_class'] == 'ServiceAccountCredentials'):
+            return service_account.ServiceAccountCredentials.from_json(data)
+        elif (data['_module'] == 'oauth2client.service_account' and
+                data['_class'] == '_JWTAccessCredentials'):
+            return service_account._JWTAccessCredentials.from_json(data)
+
+        token_expiry = _parse_expiry(data.get('token_expiry'))
+        google_credentials = cls(
+            data['access_token'],
+            data['client_id'],
+            data['client_secret'],
+            data['refresh_token'],
+            token_expiry,
+            data['token_uri'],
+            data['user_agent'],
+            revoke_uri=data.get('revoke_uri', None))
+        google_credentials.invalid = data['invalid']
+        return google_credentials
+
+    @property
+    def serialization_data(self):
+        """Get the fields and values identifying the current credentials."""
+        return {
+            'type': 'authorized_user',
+            'client_id': self.client_id,
+            'client_secret': self.client_secret,
+            'refresh_token': self.refresh_token
+        }
+
+    @staticmethod
+    def _implicit_credentials_from_gae():
+        """Attempts to get implicit credentials in Google App Engine env.
+
+        If the current environment is not detected as App Engine, returns None,
+        indicating no Google App Engine credentials can be detected from the
+        current environment.
+
+        Returns:
+            None, if not in GAE, else an appengine.AppAssertionCredentials
+            object.
+        """
+        if not _in_gae_environment():
+            return None
+
+        return _get_application_default_credential_GAE()
+
+    @staticmethod
+    def _implicit_credentials_from_gce():
+        """Attempts to get implicit credentials in Google Compute Engine env.
+
+        If the current environment is not detected as Compute Engine, returns
+        None, indicating no Google Compute Engine credentials can be detected
+        from the current environment.
+
+        Returns:
+            None, if not in GCE, else a gce.AppAssertionCredentials object.
+        """
+        if not _in_gce_environment():
+            return None
+
+        return _get_application_default_credential_GCE()
+
+    @staticmethod
+    def _implicit_credentials_from_files():
+        """Attempts to get implicit credentials from local credential files.
+
+        First checks if the environment variable GOOGLE_APPLICATION_CREDENTIALS
+        is set with a filename and then falls back to a configuration file (the
+        "well known" file) associated with the 'gcloud' command line tool.
+
+        Returns:
+            Credentials object associated with the
+            GOOGLE_APPLICATION_CREDENTIALS file or the "well known" file if
+            either exist. If neither file is define, returns None, indicating
+            no credentials from a file can detected from the current
+            environment.
+        """
+        credentials_filename = _get_environment_variable_file()
+        if not credentials_filename:
+            credentials_filename = _get_well_known_file()
+            if os.path.isfile(credentials_filename):
+                extra_help = (' (produced automatically when running'
+                              ' "gcloud auth login" command)')
+            else:
+                credentials_filename = None
+        else:
+            extra_help = (' (pointed to by ' + GOOGLE_APPLICATION_CREDENTIALS +
+                          ' environment variable)')
+
+        if not credentials_filename:
+            return
+
+        # If we can read the credentials from a file, we don't need to know
+        # what environment we are in.
+        SETTINGS.env_name = DEFAULT_ENV_NAME
+
+        try:
+            return _get_application_default_credential_from_file(
+                credentials_filename)
+        except (ApplicationDefaultCredentialsError, ValueError) as error:
+            _raise_exception_for_reading_json(credentials_filename,
+                                              extra_help, error)
+
+    @classmethod
+    def _get_implicit_credentials(cls):
+        """Gets credentials implicitly from the environment.
+
+        Checks environment in order of precedence:
+        - Environment variable GOOGLE_APPLICATION_CREDENTIALS pointing to
+          a file with stored credentials information.
+        - Stored "well known" file associated with `gcloud` command line tool.
+        - Google App Engine (production and testing)
+        - Google Compute Engine production environment.
+
+        Raises:
+            ApplicationDefaultCredentialsError: raised when the credentials
+                                                fail to be retrieved.
+        """
+        # Environ checks (in order).
+        environ_checkers = [
+            cls._implicit_credentials_from_files,
+            cls._implicit_credentials_from_gae,
+            cls._implicit_credentials_from_gce,
+        ]
+
+        for checker in environ_checkers:
+            credentials = checker()
+            if credentials is not None:
+                return credentials
+
+        # If no credentials, fail.
+        raise ApplicationDefaultCredentialsError(ADC_HELP_MSG)
+
+    @staticmethod
+    def get_application_default():
+        """Get the Application Default Credentials for the current environment.
+
+        Raises:
+            ApplicationDefaultCredentialsError: raised when the credentials
+                                                fail to be retrieved.
+        """
+        return GoogleCredentials._get_implicit_credentials()
+
+    @staticmethod
+    def from_stream(credential_filename):
+        """Create a Credentials object by reading information from a file.
+
+        It returns an object of type GoogleCredentials.
+
+        Args:
+            credential_filename: the path to the file from where the
+                                 credentials are to be read
+
+        Raises:
+            ApplicationDefaultCredentialsError: raised when the credentials
+                                                fail to be retrieved.
+        """
+        if credential_filename and os.path.isfile(credential_filename):
+            try:
+                return _get_application_default_credential_from_file(
+                    credential_filename)
+            except (ApplicationDefaultCredentialsError, ValueError) as error:
+                extra_help = (' (provided as parameter to the '
+                              'from_stream() method)')
+                _raise_exception_for_reading_json(credential_filename,
+                                                  extra_help,
+                                                  error)
+        else:
+            raise ApplicationDefaultCredentialsError(
+                'The parameter passed to the from_stream() '
+                'method should point to a file.')
+
+
+def _save_private_file(filename, json_contents):
+    """Saves a file with read-write permissions on for the owner.
+
+    Args:
+        filename: String. Absolute path to file.
+        json_contents: JSON serializable object to be saved.
+    """
+    temp_filename = tempfile.mktemp()
+    file_desc = os.open(temp_filename, os.O_WRONLY | os.O_CREAT, 0o600)
+    with os.fdopen(file_desc, 'w') as file_handle:
+        json.dump(json_contents, file_handle, sort_keys=True,
+                  indent=2, separators=(',', ': '))
+    shutil.move(temp_filename, filename)
+
+
+def save_to_well_known_file(credentials, well_known_file=None):
+    """Save the provided GoogleCredentials to the well known file.
+
+    Args:
+        credentials: the credentials to be saved to the well known file;
+                     it should be an instance of GoogleCredentials
+        well_known_file: the name of the file where the credentials are to be
+                         saved; this parameter is supposed to be used for
+                         testing only
+    """
+    # TODO(orestica): move this method to tools.py
+    # once the argparse import gets fixed (it is not present in Python 2.6)
+
+    if well_known_file is None:
+        well_known_file = _get_well_known_file()
+
+    config_dir = os.path.dirname(well_known_file)
+    if not os.path.isdir(config_dir):
+        raise OSError(
+            'Config directory does not exist: {0}'.format(config_dir))
+
+    credentials_data = credentials.serialization_data
+    _save_private_file(well_known_file, credentials_data)
+
+
+def _get_environment_variable_file():
+    application_default_credential_filename = (
+        os.environ.get(GOOGLE_APPLICATION_CREDENTIALS, None))
+
+    if application_default_credential_filename:
+        if os.path.isfile(application_default_credential_filename):
+            return application_default_credential_filename
+        else:
+            raise ApplicationDefaultCredentialsError(
+                'File ' + application_default_credential_filename +
+                ' (pointed by ' +
+                GOOGLE_APPLICATION_CREDENTIALS +
+                ' environment variable) does not exist!')
+
+
+def _get_well_known_file():
+    """Get the well known file produced by command 'gcloud auth login'."""
+    # TODO(orestica): Revisit this method once gcloud provides a better way
+    # of pinpointing the exact location of the file.
+    default_config_dir = os.getenv(_CLOUDSDK_CONFIG_ENV_VAR)
+    if default_config_dir is None:
+        if os.name == 'nt':
+            try:
+                default_config_dir = os.path.join(os.environ['APPDATA'],
+                                                  _CLOUDSDK_CONFIG_DIRECTORY)
+            except KeyError:
+                # This should never happen unless someone is really
+                # messing with things.
+                drive = os.environ.get('SystemDrive', 'C:')
+                default_config_dir = os.path.join(drive, '\\',
+                                                  _CLOUDSDK_CONFIG_DIRECTORY)
+        else:
+            default_config_dir = os.path.join(os.path.expanduser('~'),
+                                              '.config',
+                                              _CLOUDSDK_CONFIG_DIRECTORY)
+
+    return os.path.join(default_config_dir, _WELL_KNOWN_CREDENTIALS_FILE)
+
+
+def _get_application_default_credential_from_file(filename):
+    """Build the Application Default Credentials from file."""
+    # read the credentials from the file
+    with open(filename) as file_obj:
+        client_credentials = json.load(file_obj)
+
+    credentials_type = client_credentials.get('type')
+    if credentials_type == AUTHORIZED_USER:
+        required_fields = set(['client_id', 'client_secret', 'refresh_token'])
+    elif credentials_type == SERVICE_ACCOUNT:
+        required_fields = set(['client_id', 'client_email', 'private_key_id',
+                               'private_key'])
+    else:
+        raise ApplicationDefaultCredentialsError(
+            "'type' field should be defined (and have one of the '" +
+            AUTHORIZED_USER + "' or '" + SERVICE_ACCOUNT + "' values)")
+
+    missing_fields = required_fields.difference(client_credentials.keys())
+
+    if missing_fields:
+        _raise_exception_for_missing_fields(missing_fields)
+
+    if client_credentials['type'] == AUTHORIZED_USER:
+        return GoogleCredentials(
+            access_token=None,
+            client_id=client_credentials['client_id'],
+            client_secret=client_credentials['client_secret'],
+            refresh_token=client_credentials['refresh_token'],
+            token_expiry=None,
+            token_uri=oauth2client.GOOGLE_TOKEN_URI,
+            user_agent='Python client library')
+    else:  # client_credentials['type'] == SERVICE_ACCOUNT
+        from oauth2client import service_account
+        return service_account._JWTAccessCredentials.from_json_keyfile_dict(
+            client_credentials)
+
+
+def _raise_exception_for_missing_fields(missing_fields):
+    raise ApplicationDefaultCredentialsError(
+        'The following field(s) must be defined: ' + ', '.join(missing_fields))
+
+
+def _raise_exception_for_reading_json(credential_file,
+                                      extra_help,
+                                      error):
+    raise ApplicationDefaultCredentialsError(
+        'An error was encountered while reading json file: ' +
+        credential_file + extra_help + ': ' + str(error))
+
+
+def _get_application_default_credential_GAE():
+    from oauth2client.contrib.appengine import AppAssertionCredentials
+
+    return AppAssertionCredentials([])
+
+
+def _get_application_default_credential_GCE():
+    from oauth2client.contrib.gce import AppAssertionCredentials
+
+    return AppAssertionCredentials()
+
+
+class AssertionCredentials(GoogleCredentials):
+    """Abstract Credentials object used for OAuth 2.0 assertion grants.
+
+    This credential does not require a flow to instantiate because it
+    represents a two legged flow, and therefore has all of the required
+    information to generate and refresh its own access tokens. It must
+    be subclassed to generate the appropriate assertion string.
+
+    AssertionCredentials objects may be safely pickled and unpickled.
+    """
+
+    @_helpers.positional(2)
+    def __init__(self, assertion_type, user_agent=None,
+                 token_uri=oauth2client.GOOGLE_TOKEN_URI,
+                 revoke_uri=oauth2client.GOOGLE_REVOKE_URI,
+                 **unused_kwargs):
+        """Constructor for AssertionFlowCredentials.
+
+        Args:
+            assertion_type: string, assertion type that will be declared to the
+                            auth server
+            user_agent: string, The HTTP User-Agent to provide for this
+                        application.
+            token_uri: string, URI for token endpoint. For convenience defaults
+                       to Google's endpoints but any OAuth 2.0 provider can be
+                       used.
+            revoke_uri: string, URI for revoke endpoint.
+        """
+        super(AssertionCredentials, self).__init__(
+            None,
+            None,
+            None,
+            None,
+            None,
+            token_uri,
+            user_agent,
+            revoke_uri=revoke_uri)
+        self.assertion_type = assertion_type
+
+    def _generate_refresh_request_body(self):
+        assertion = self._generate_assertion()
+
+        body = urllib.parse.urlencode({
+            'assertion': assertion,
+            'grant_type': 'urn:ietf:params:oauth:grant-type:jwt-bearer',
+        })
+
+        return body
+
+    def _generate_assertion(self):
+        """Generate assertion string to be used in the access token request."""
+        raise NotImplementedError
+
+    def _revoke(self, http):
+        """Revokes the access_token and deletes the store if available.
+
+        Args:
+            http: an object to be used to make HTTP requests.
+        """
+        self._do_revoke(http, self.access_token)
+
+    def sign_blob(self, blob):
+        """Cryptographically sign a blob (of bytes).
+
+        Args:
+            blob: bytes, Message to be signed.
+
+        Returns:
+            tuple, A pair of the private key ID used to sign the blob and
+            the signed contents.
+        """
+        raise NotImplementedError('This method is abstract.')
+
+
+def _require_crypto_or_die():
+    """Ensure we have a crypto library, or throw CryptoUnavailableError.
+
+    The oauth2client.crypt module requires either PyCrypto or PyOpenSSL
+    to be available in order to function, but these are optional
+    dependencies.
+    """
+    if not HAS_CRYPTO:
+        raise CryptoUnavailableError('No crypto library available')
+
+
+@_helpers.positional(2)
+def verify_id_token(id_token, audience, http=None,
+                    cert_uri=ID_TOKEN_VERIFICATION_CERTS):
+    """Verifies a signed JWT id_token.
+
+    This function requires PyOpenSSL and because of that it does not work on
+    App Engine.
+
+    Args:
+        id_token: string, A Signed JWT.
+        audience: string, The audience 'aud' that the token should be for.
+        http: httplib2.Http, instance to use to make the HTTP request. Callers
+              should supply an instance that has caching enabled.
+        cert_uri: string, URI of the certificates in JSON format to
+                  verify the JWT against.
+
+    Returns:
+        The deserialized JSON in the JWT.
+
+    Raises:
+        oauth2client.crypt.AppIdentityError: if the JWT fails to verify.
+        CryptoUnavailableError: if no crypto library is available.
+    """
+    _require_crypto_or_die()
+    if http is None:
+        http = transport.get_cached_http()
+
+    resp, content = transport.request(http, cert_uri)
+    if resp.status == http_client.OK:
+        certs = json.loads(_helpers._from_bytes(content))
+        return crypt.verify_signed_jwt_with_certs(id_token, certs, audience)
+    else:
+        raise VerifyJwtTokenError('Status code: {0}'.format(resp.status))
+
+
+def _extract_id_token(id_token):
+    """Extract the JSON payload from a JWT.
+
+    Does the extraction w/o checking the signature.
+
+    Args:
+        id_token: string or bytestring, OAuth 2.0 id_token.
+
+    Returns:
+        object, The deserialized JSON payload.
+    """
+    if type(id_token) == bytes:
+        segments = id_token.split(b'.')
+    else:
+        segments = id_token.split(u'.')
+
+    if len(segments) != 3:
+        raise VerifyJwtTokenError(
+            'Wrong number of segments in token: {0}'.format(id_token))
+
+    return json.loads(
+        _helpers._from_bytes(_helpers._urlsafe_b64decode(segments[1])))
+
+
+def _parse_exchange_token_response(content):
+    """Parses response of an exchange token request.
+
+    Most providers return JSON but some (e.g. Facebook) return a
+    url-encoded string.
+
+    Args:
+        content: The body of a response
+
+    Returns:
+        Content as a dictionary object. Note that the dict could be empty,
+        i.e. {}. That basically indicates a failure.
+    """
+    resp = {}
+    content = _helpers._from_bytes(content)
+    try:
+        resp = json.loads(content)
+    except Exception:
+        # different JSON libs raise different exceptions,
+        # so we just do a catch-all here
+        resp = _helpers.parse_unique_urlencoded(content)
+
+    # some providers respond with 'expires', others with 'expires_in'
+    if resp and 'expires' in resp:
+        resp['expires_in'] = resp.pop('expires')
+
+    return resp
+
+
+@_helpers.positional(4)
+def credentials_from_code(client_id, client_secret, scope, code,
+                          redirect_uri='postmessage', http=None,
+                          user_agent=None,
+                          token_uri=oauth2client.GOOGLE_TOKEN_URI,
+                          auth_uri=oauth2client.GOOGLE_AUTH_URI,
+                          revoke_uri=oauth2client.GOOGLE_REVOKE_URI,
+                          device_uri=oauth2client.GOOGLE_DEVICE_URI,
+                          token_info_uri=oauth2client.GOOGLE_TOKEN_INFO_URI,
+                          pkce=False,
+                          code_verifier=None):
+    """Exchanges an authorization code for an OAuth2Credentials object.
+
+    Args:
+        client_id: string, client identifier.
+        client_secret: string, client secret.
+        scope: string or iterable of strings, scope(s) to request.
+        code: string, An authorization code, most likely passed down from
+              the client
+        redirect_uri: string, this is generally set to 'postmessage' to match
+                      the redirect_uri that the client specified
+        http: httplib2.Http, optional http instance to use to do the fetch
+        token_uri: string, URI for token endpoint. For convenience defaults
+                   to Google's endpoints but any OAuth 2.0 provider can be
+                   used.
+        auth_uri: string, URI for authorization endpoint. For convenience
+                  defaults to Google's endpoints but any OAuth 2.0 provider
+                  can be used.
+        revoke_uri: string, URI for revoke endpoint. For convenience
+                    defaults to Google's endpoints but any OAuth 2.0 provider
+                    can be used.
+        device_uri: string, URI for device authorization endpoint. For
+                    convenience defaults to Google's endpoints but any OAuth
+                    2.0 provider can be used.
+        pkce: boolean, default: False, Generate and include a "Proof Key
+              for Code Exchange" (PKCE) with your authorization and token
+              requests. This adds security for installed applications that
+              cannot protect a client_secret. See RFC 7636 for details.
+        code_verifier: bytestring or None, default: None, parameter passed
+                       as part of the code exchange when pkce=True. If
+                       None, a code_verifier will automatically be
+                       generated as part of step1_get_authorize_url(). See
+                       RFC 7636 for details.
+
+    Returns:
+        An OAuth2Credentials object.
+
+    Raises:
+        FlowExchangeError if the authorization code cannot be exchanged for an
+        access token
+    """
+    flow = OAuth2WebServerFlow(client_id, client_secret, scope,
+                               redirect_uri=redirect_uri,
+                               user_agent=user_agent,
+                               auth_uri=auth_uri,
+                               token_uri=token_uri,
+                               revoke_uri=revoke_uri,
+                               device_uri=device_uri,
+                               token_info_uri=token_info_uri,
+                               pkce=pkce,
+                               code_verifier=code_verifier)
+
+    credentials = flow.step2_exchange(code, http=http)
+    return credentials
+
+
+@_helpers.positional(3)
+def credentials_from_clientsecrets_and_code(filename, scope, code,
+                                            message=None,
+                                            redirect_uri='postmessage',
+                                            http=None,
+                                            cache=None,
+                                            device_uri=None):
+    """Returns OAuth2Credentials from a clientsecrets file and an auth code.
+
+    Will create the right kind of Flow based on the contents of the
+    clientsecrets file or will raise InvalidClientSecretsError for unknown
+    types of Flows.
+
+    Args:
+        filename: string, File name of clientsecrets.
+        scope: string or iterable of strings, scope(s) to request.
+        code: string, An authorization code, most likely passed down from
+              the client
+        message: string, A friendly string to display to the user if the
+                 clientsecrets file is missing or invalid. If message is
+                 provided then sys.exit will be called in the case of an error.
+                 If message in not provided then
+                 clientsecrets.InvalidClientSecretsError will be raised.
+        redirect_uri: string, this is generally set to 'postmessage' to match
+                      the redirect_uri that the client specified
+        http: httplib2.Http, optional http instance to use to do the fetch
+        cache: An optional cache service client that implements get() and set()
+               methods. See clientsecrets.loadfile() for details.
+        device_uri: string, OAuth 2.0 device authorization endpoint
+        pkce: boolean, default: False, Generate and include a "Proof Key
+              for Code Exchange" (PKCE) with your authorization and token
+              requests. This adds security for installed applications that
+              cannot protect a client_secret. See RFC 7636 for details.
+        code_verifier: bytestring or None, default: None, parameter passed
+                       as part of the code exchange when pkce=True. If
+                       None, a code_verifier will automatically be
+                       generated as part of step1_get_authorize_url(). See
+                       RFC 7636 for details.
+
+    Returns:
+        An OAuth2Credentials object.
+
+    Raises:
+        FlowExchangeError: if the authorization code cannot be exchanged for an
+                           access token
+        UnknownClientSecretsFlowError: if the file describes an unknown kind
+                                       of Flow.
+        clientsecrets.InvalidClientSecretsError: if the clientsecrets file is
+                                                 invalid.
+    """
+    flow = flow_from_clientsecrets(filename, scope, message=message,
+                                   cache=cache, redirect_uri=redirect_uri,
+                                   device_uri=device_uri)
+    credentials = flow.step2_exchange(code, http=http)
+    return credentials
+
+
+class DeviceFlowInfo(collections.namedtuple('DeviceFlowInfo', (
+        'device_code', 'user_code', 'interval', 'verification_url',
+        'user_code_expiry'))):
+    """Intermediate information the OAuth2 for devices flow."""
+
+    @classmethod
+    def FromResponse(cls, response):
+        """Create a DeviceFlowInfo from a server response.
+
+        The response should be a dict containing entries as described here:
+
+        http://tools.ietf.org/html/draft-ietf-oauth-v2-05#section-3.7.1
+        """
+        # device_code, user_code, and verification_url are required.
+        kwargs = {
+            'device_code': response['device_code'],
+            'user_code': response['user_code'],
+        }
+        # The response may list the verification address as either
+        # verification_url or verification_uri, so we check for both.
+        verification_url = response.get(
+            'verification_url', response.get('verification_uri'))
+        if verification_url is None:
+            raise OAuth2DeviceCodeError(
+                'No verification_url provided in server response')
+        kwargs['verification_url'] = verification_url
+        # expires_in and interval are optional.
+        kwargs.update({
+            'interval': response.get('interval'),
+            'user_code_expiry': None,
+        })
+        if 'expires_in' in response:
+            kwargs['user_code_expiry'] = (
+                _UTCNOW() +
+                datetime.timedelta(seconds=int(response['expires_in'])))
+        return cls(**kwargs)
+
+
+def _oauth2_web_server_flow_params(kwargs):
+    """Configures redirect URI parameters for OAuth2WebServerFlow."""
+    params = {
+        'access_type': 'offline',
+        'response_type': 'code',
+    }
+
+    params.update(kwargs)
+
+    # Check for the presence of the deprecated approval_prompt param and
+    # warn appropriately.
+    approval_prompt = params.get('approval_prompt')
+    if approval_prompt is not None:
+        logger.warning(
+            'The approval_prompt parameter for OAuth2WebServerFlow is '
+            'deprecated. Please use the prompt parameter instead.')
+
+        if approval_prompt == 'force':
+            logger.warning(
+                'approval_prompt="force" has been adjusted to '
+                'prompt="consent"')
+            params['prompt'] = 'consent'
+            del params['approval_prompt']
+
+    return params
+
+
+class OAuth2WebServerFlow(Flow):
+    """Does the Web Server Flow for OAuth 2.0.
+
+    OAuth2WebServerFlow objects may be safely pickled and unpickled.
+    """
+
+    @_helpers.positional(4)
+    def __init__(self, client_id,
+                 client_secret=None,
+                 scope=None,
+                 redirect_uri=None,
+                 user_agent=None,
+                 auth_uri=oauth2client.GOOGLE_AUTH_URI,
+                 token_uri=oauth2client.GOOGLE_TOKEN_URI,
+                 revoke_uri=oauth2client.GOOGLE_REVOKE_URI,
+                 login_hint=None,
+                 device_uri=oauth2client.GOOGLE_DEVICE_URI,
+                 token_info_uri=oauth2client.GOOGLE_TOKEN_INFO_URI,
+                 authorization_header=None,
+                 pkce=False,
+                 code_verifier=None,
+                 **kwargs):
+        """Constructor for OAuth2WebServerFlow.
+
+        The kwargs argument is used to set extra query parameters on the
+        auth_uri. For example, the access_type and prompt
+        query parameters can be set via kwargs.
+
+        Args:
+            client_id: string, client identifier.
+            client_secret: string client secret.
+            scope: string or iterable of strings, scope(s) of the credentials
+                   being requested.
+            redirect_uri: string, Either the string 'urn:ietf:wg:oauth:2.0:oob'
+                          for a non-web-based application, or a URI that
+                          handles the callback from the authorization server.
+            user_agent: string, HTTP User-Agent to provide for this
+                        application.
+            auth_uri: string, URI for authorization endpoint. For convenience
+                      defaults to Google's endpoints but any OAuth 2.0 provider
+                      can be used.
+            token_uri: string, URI for token endpoint. For convenience
+                       defaults to Google's endpoints but any OAuth 2.0
+                       provider can be used.
+            revoke_uri: string, URI for revoke endpoint. For convenience
+                        defaults to Google's endpoints but any OAuth 2.0
+                        provider can be used.
+            login_hint: string, Either an email address or domain. Passing this
+                        hint will either pre-fill the email box on the sign-in
+                        form or select the proper multi-login session, thereby
+                        simplifying the login flow.
+            device_uri: string, URI for device authorization endpoint. For
+                        convenience defaults to Google's endpoints but any
+                        OAuth 2.0 provider can be used.
+            authorization_header: string, For use with OAuth 2.0 providers that
+                                  require a client to authenticate using a
+                                  header value instead of passing client_secret
+                                  in the POST body.
+            pkce: boolean, default: False, Generate and include a "Proof Key
+                  for Code Exchange" (PKCE) with your authorization and token
+                  requests. This adds security for installed applications that
+                  cannot protect a client_secret. See RFC 7636 for details.
+            code_verifier: bytestring or None, default: None, parameter passed
+                           as part of the code exchange when pkce=True. If
+                           None, a code_verifier will automatically be
+                           generated as part of step1_get_authorize_url(). See
+                           RFC 7636 for details.
+            **kwargs: dict, The keyword arguments are all optional and required
+                      parameters for the OAuth calls.
+        """
+        # scope is a required argument, but to preserve backwards-compatibility
+        # we don't want to rearrange the positional arguments
+        if scope is None:
+            raise TypeError("The value of scope must not be None")
+        self.client_id = client_id
+        self.client_secret = client_secret
+        self.scope = _helpers.scopes_to_string(scope)
+        self.redirect_uri = redirect_uri
+        self.login_hint = login_hint
+        self.user_agent = user_agent
+        self.auth_uri = auth_uri
+        self.token_uri = token_uri
+        self.revoke_uri = revoke_uri
+        self.device_uri = device_uri
+        self.token_info_uri = token_info_uri
+        self.authorization_header = authorization_header
+        self._pkce = pkce
+        self.code_verifier = code_verifier
+        self.params = _oauth2_web_server_flow_params(kwargs)
+
+    @_helpers.positional(1)
+    def step1_get_authorize_url(self, redirect_uri=None, state=None):
+        """Returns a URI to redirect to the provider.
+
+        Args:
+            redirect_uri: string, Either the string 'urn:ietf:wg:oauth:2.0:oob'
+                          for a non-web-based application, or a URI that
+                          handles the callback from the authorization server.
+                          This parameter is deprecated, please move to passing
+                          the redirect_uri in via the constructor.
+            state: string, Opaque state string which is passed through the
+                   OAuth2 flow and returned to the client as a query parameter
+                   in the callback.
+
+        Returns:
+            A URI as a string to redirect the user to begin the authorization
+            flow.
+        """
+        if redirect_uri is not None:
+            logger.warning((
+                'The redirect_uri parameter for '
+                'OAuth2WebServerFlow.step1_get_authorize_url is deprecated. '
+                'Please move to passing the redirect_uri in via the '
+                'constructor.'))
+            self.redirect_uri = redirect_uri
+
+        if self.redirect_uri is None:
+            raise ValueError('The value of redirect_uri must not be None.')
+
+        query_params = {
+            'client_id': self.client_id,
+            'redirect_uri': self.redirect_uri,
+            'scope': self.scope,
+        }
+        if state is not None:
+            query_params['state'] = state
+        if self.login_hint is not None:
+            query_params['login_hint'] = self.login_hint
+        if self._pkce:
+            if not self.code_verifier:
+                self.code_verifier = _pkce.code_verifier()
+            challenge = _pkce.code_challenge(self.code_verifier)
+            query_params['code_challenge'] = challenge
+            query_params['code_challenge_method'] = 'S256'
+
+        query_params.update(self.params)
+        return _helpers.update_query_params(self.auth_uri, query_params)
+
+    @_helpers.positional(1)
+    def step1_get_device_and_user_codes(self, http=None):
+        """Returns a user code and the verification URL where to enter it
+
+        Returns:
+            A user code as a string for the user to authorize the application
+            An URL as a string where the user has to enter the code
+        """
+        if self.device_uri is None:
+            raise ValueError('The value of device_uri must not be None.')
+
+        body = urllib.parse.urlencode({
+            'client_id': self.client_id,
+            'scope': self.scope,
+        })
+        headers = {
+            'content-type': 'application/x-www-form-urlencoded',
+        }
+
+        if self.user_agent is not None:
+            headers['user-agent'] = self.user_agent
+
+        if http is None:
+            http = transport.get_http_object()
+
+        resp, content = transport.request(
+            http, self.device_uri, method='POST', body=body, headers=headers)
+        content = _helpers._from_bytes(content)
+        if resp.status == http_client.OK:
+            try:
+                flow_info = json.loads(content)
+            except ValueError as exc:
+                raise OAuth2DeviceCodeError(
+                    'Could not parse server response as JSON: "{0}", '
+                    'error: "{1}"'.format(content, exc))
+            return DeviceFlowInfo.FromResponse(flow_info)
+        else:
+            error_msg = 'Invalid response {0}.'.format(resp.status)
+            try:
+                error_dict = json.loads(content)
+                if 'error' in error_dict:
+                    error_msg += ' Error: {0}'.format(error_dict['error'])
+            except ValueError:
+                # Couldn't decode a JSON response, stick with the
+                # default message.
+                pass
+            raise OAuth2DeviceCodeError(error_msg)
+
+    @_helpers.positional(2)
+    def step2_exchange(self, code=None, http=None, device_flow_info=None):
+        """Exchanges a code for OAuth2Credentials.
+
+        Args:
+            code: string, a dict-like object, or None. For a non-device
+                  flow, this is either the response code as a string, or a
+                  dictionary of query parameters to the redirect_uri. For a
+                  device flow, this should be None.
+            http: httplib2.Http, optional http instance to use when fetching
+                  credentials.
+            device_flow_info: DeviceFlowInfo, return value from step1 in the
+                              case of a device flow.
+
+        Returns:
+            An OAuth2Credentials object that can be used to authorize requests.
+
+        Raises:
+            FlowExchangeError: if a problem occurred exchanging the code for a
+                               refresh_token.
+            ValueError: if code and device_flow_info are both provided or both
+                        missing.
+        """
+        if code is None and device_flow_info is None:
+            raise ValueError('No code or device_flow_info provided.')
+        if code is not None and device_flow_info is not None:
+            raise ValueError('Cannot provide both code and device_flow_info.')
+
+        if code is None:
+            code = device_flow_info.device_code
+        elif not isinstance(code, (six.string_types, six.binary_type)):
+            if 'code' not in code:
+                raise FlowExchangeError(code.get(
+                    'error', 'No code was supplied in the query parameters.'))
+            code = code['code']
+
+        post_data = {
+            'client_id': self.client_id,
+            'code': code,
+            'scope': self.scope,
+        }
+        if self.client_secret is not None:
+            post_data['client_secret'] = self.client_secret
+        if self._pkce:
+            post_data['code_verifier'] = self.code_verifier
+        if device_flow_info is not None:
+            post_data['grant_type'] = 'http://oauth.net/grant_type/device/1.0'
+        else:
+            post_data['grant_type'] = 'authorization_code'
+            post_data['redirect_uri'] = self.redirect_uri
+        body = urllib.parse.urlencode(post_data)
+        headers = {
+            'content-type': 'application/x-www-form-urlencoded',
+        }
+        if self.authorization_header is not None:
+            headers['Authorization'] = self.authorization_header
+        if self.user_agent is not None:
+            headers['user-agent'] = self.user_agent
+
+        if http is None:
+            http = transport.get_http_object()
+
+        resp, content = transport.request(
+            http, self.token_uri, method='POST', body=body, headers=headers)
+        d = _parse_exchange_token_response(content)
+        if resp.status == http_client.OK and 'access_token' in d:
+            access_token = d['access_token']
+            refresh_token = d.get('refresh_token', None)
+            if not refresh_token:
+                logger.info(
+                    'Received token response with no refresh_token. Consider '
+                    "reauthenticating with prompt='consent'.")
+            token_expiry = None
+            if 'expires_in' in d:
+                delta = datetime.timedelta(seconds=int(d['expires_in']))
+                token_expiry = delta + _UTCNOW()
+
+            extracted_id_token = None
+            id_token_jwt = None
+            if 'id_token' in d:
+                extracted_id_token = _extract_id_token(d['id_token'])
+                id_token_jwt = d['id_token']
+
+            logger.info('Successfully retrieved access token')
+            return OAuth2Credentials(
+                access_token, self.client_id, self.client_secret,
+                refresh_token, token_expiry, self.token_uri, self.user_agent,
+                revoke_uri=self.revoke_uri, id_token=extracted_id_token,
+                id_token_jwt=id_token_jwt, token_response=d, scopes=self.scope,
+                token_info_uri=self.token_info_uri)
+        else:
+            logger.info('Failed to retrieve access token: %s', content)
+            if 'error' in d:
+                # you never know what those providers got to say
+                error_msg = (str(d['error']) +
+                             str(d.get('error_description', '')))
+            else:
+                error_msg = 'Invalid response: {0}.'.format(str(resp.status))
+            raise FlowExchangeError(error_msg)
+
+
+@_helpers.positional(2)
+def flow_from_clientsecrets(filename, scope, redirect_uri=None,
+                            message=None, cache=None, login_hint=None,
+                            device_uri=None, pkce=None, code_verifier=None,
+                            prompt=None):
+    """Create a Flow from a clientsecrets file.
+
+    Will create the right kind of Flow based on the contents of the
+    clientsecrets file or will raise InvalidClientSecretsError for unknown
+    types of Flows.
+
+    Args:
+        filename: string, File name of client secrets.
+        scope: string or iterable of strings, scope(s) to request.
+        redirect_uri: string, Either the string 'urn:ietf:wg:oauth:2.0:oob' for
+                      a non-web-based application, or a URI that handles the
+                      callback from the authorization server.
+        message: string, A friendly string to display to the user if the
+                 clientsecrets file is missing or invalid. If message is
+                 provided then sys.exit will be called in the case of an error.
+                 If message in not provided then
+                 clientsecrets.InvalidClientSecretsError will be raised.
+        cache: An optional cache service client that implements get() and set()
+               methods. See clientsecrets.loadfile() for details.
+        login_hint: string, Either an email address or domain. Passing this
+                    hint will either pre-fill the email box on the sign-in form
+                    or select the proper multi-login session, thereby
+                    simplifying the login flow.
+        device_uri: string, URI for device authorization endpoint. For
+                    convenience defaults to Google's endpoints but any
+                    OAuth 2.0 provider can be used.
+
+    Returns:
+        A Flow object.
+
+    Raises:
+        UnknownClientSecretsFlowError: if the file describes an unknown kind of
+                                       Flow.
+        clientsecrets.InvalidClientSecretsError: if the clientsecrets file is
+                                                 invalid.
+    """
+    try:
+        client_type, client_info = clientsecrets.loadfile(filename,
+                                                          cache=cache)
+        if client_type in (clientsecrets.TYPE_WEB,
+                           clientsecrets.TYPE_INSTALLED):
+            constructor_kwargs = {
+                'redirect_uri': redirect_uri,
+                'auth_uri': client_info['auth_uri'],
+                'token_uri': client_info['token_uri'],
+                'login_hint': login_hint,
+            }
+            revoke_uri = client_info.get('revoke_uri')
+            optional = (
+                'revoke_uri',
+                'device_uri',
+                'pkce',
+                'code_verifier',
+                'prompt'
+            )
+            for param in optional:
+                if locals()[param] is not None:
+                    constructor_kwargs[param] = locals()[param]
+
+            return OAuth2WebServerFlow(
+                client_info['client_id'], client_info['client_secret'],
+                scope, **constructor_kwargs)
+
+    except clientsecrets.InvalidClientSecretsError as e:
+        if message is not None:
+            if e.args:
+                message = ('The client secrets were invalid: '
+                           '\n{0}\n{1}'.format(e, message))
+            sys.exit(message)
+        else:
+            raise
+    else:
+        raise UnknownClientSecretsFlowError(
+            'This OAuth 2.0 flow is unsupported: {0!r}'.format(client_type))

.venv/lib/python3.11/site-packages/oauth2client/clientsecrets.py

@@ -0,0 +1,173 @@
+# Copyright 2014 Google Inc. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""Utilities for reading OAuth 2.0 client secret files.
+
+A client_secrets.json file contains all the information needed to interact with
+an OAuth 2.0 protected service.
+"""
+
+import json
+
+import six
+
+
+# Properties that make a client_secrets.json file valid.
+TYPE_WEB = 'web'
+TYPE_INSTALLED = 'installed'
+
+VALID_CLIENT = {
+    TYPE_WEB: {
+        'required': [
+            'client_id',
+            'client_secret',
+            'redirect_uris',
+            'auth_uri',
+            'token_uri',
+        ],
+        'string': [
+            'client_id',
+            'client_secret',
+        ],
+    },
+    TYPE_INSTALLED: {
+        'required': [
+            'client_id',
+            'client_secret',
+            'redirect_uris',
+            'auth_uri',
+            'token_uri',
+        ],
+        'string': [
+            'client_id',
+            'client_secret',
+        ],
+    },
+}
+
+
+class Error(Exception):
+    """Base error for this module."""
+
+
+class InvalidClientSecretsError(Error):
+    """Format of ClientSecrets file is invalid."""
+
+
+def _validate_clientsecrets(clientsecrets_dict):
+    """Validate parsed client secrets from a file.
+
+    Args:
+        clientsecrets_dict: dict, a dictionary holding the client secrets.
+
+    Returns:
+        tuple, a string of the client type and the information parsed
+        from the file.
+    """
+    _INVALID_FILE_FORMAT_MSG = (
+        'Invalid file format. See '
+        'https://developers.google.com/api-client-library/'
+        'python/guide/aaa_client_secrets')
+
+    if clientsecrets_dict is None:
+        raise InvalidClientSecretsError(_INVALID_FILE_FORMAT_MSG)
+    try:
+        (client_type, client_info), = clientsecrets_dict.items()
+    except (ValueError, AttributeError):
+        raise InvalidClientSecretsError(
+            _INVALID_FILE_FORMAT_MSG + ' '
+            'Expected a JSON object with a single property for a "web" or '
+            '"installed" application')
+
+    if client_type not in VALID_CLIENT:
+        raise InvalidClientSecretsError(
+            'Unknown client type: {0}.'.format(client_type))
+
+    for prop_name in VALID_CLIENT[client_type]['required']:
+        if prop_name not in client_info:
+            raise InvalidClientSecretsError(
+                'Missing property "{0}" in a client type of "{1}".'.format(
+                    prop_name, client_type))
+    for prop_name in VALID_CLIENT[client_type]['string']:
+        if client_info[prop_name].startswith('[['):
+            raise InvalidClientSecretsError(
+                'Property "{0}" is not configured.'.format(prop_name))
+    return client_type, client_info
+
+
+def load(fp):
+    obj = json.load(fp)
+    return _validate_clientsecrets(obj)
+
+
+def loads(s):
+    obj = json.loads(s)
+    return _validate_clientsecrets(obj)
+
+
+def _loadfile(filename):
+    try:
+        with open(filename, 'r') as fp:
+            obj = json.load(fp)
+    except IOError as exc:
+        raise InvalidClientSecretsError('Error opening file', exc.filename,
+                                        exc.strerror, exc.errno)
+    return _validate_clientsecrets(obj)
+
+
+def loadfile(filename, cache=None):
+    """Loading of client_secrets JSON file, optionally backed by a cache.
+
+    Typical cache storage would be App Engine memcache service,
+    but you can pass in any other cache client that implements
+    these methods:
+
+    * ``get(key, namespace=ns)``
+    * ``set(key, value, namespace=ns)``
+
+    Usage::
+
+        # without caching
+        client_type, client_info = loadfile('secrets.json')
+        # using App Engine memcache service
+        from google.appengine.api import memcache
+        client_type, client_info = loadfile('secrets.json', cache=memcache)
+
+    Args:
+        filename: string, Path to a client_secrets.json file on a filesystem.
+        cache: An optional cache service client that implements get() and set()
+        methods. If not specified, the file is always being loaded from
+                 a filesystem.
+
+    Raises:
+        InvalidClientSecretsError: In case of a validation error or some
+                                   I/O failure. Can happen only on cache miss.
+
+    Returns:
+        (client_type, client_info) tuple, as _loadfile() normally would.
+        JSON contents is validated only during first load. Cache hits are not
+        validated.
+    """
+    _SECRET_NAMESPACE = 'oauth2client:secrets#ns'
+
+    if not cache:
+        return _loadfile(filename)
+
+    obj = cache.get(filename, namespace=_SECRET_NAMESPACE)
+    if obj is None:
+        client_type, client_info = _loadfile(filename)
+        obj = {client_type: client_info}
+        cache.set(filename, obj, namespace=_SECRET_NAMESPACE)
+
+    return next(six.iteritems(obj))

.venv/lib/python3.11/site-packages/oauth2client/contrib/__init__.py

@@ -0,0 +1,6 @@
+"""Contributed modules.
+
+Contrib contains modules that are not considered part of the core oauth2client
+library but provide additional functionality. These modules are intended to
+make it easier to use oauth2client.
+"""