Change service auth to use JSON files, since p12 keyfiles are not well supported in oauth2client any more.

Note that the integration test still uses the old code, because it runs against //third_party, and oauth2client.service_account didn't support ServiceAccountCredentials yet in that version.

-------------
Created by MOE: https://github.com/google/moe
MOE_MIGRATED_REVID=133660532

Author: b-daniels

README.md

@@ -122,17 +122,16 @@ created in [Google Developers Console](https://console.developers.google.com).
 If your application runs on Google Compute Engine,
 [metadata service authentication](#Google_Compute_Engine) is an easier option.
 
-The first step for this setup is to create the service account in .p12 format.
+The first step for this setup is to create the service account in .json format.
 Please see this [page](https://cloud.google.com/storage/docs/authentication?hl=en#generating-a-private-key)
 for detailed instructions. If you don't have a Google Cloud Platform project,
 you can create one for free on [Google Developers Console](https://console.developers.google.com).
 
 Once you have the service account, please note the service account e-mail,
 [project ID and project number](https://developers.google.com/console/help/new/#projectnumber).
-Then copy the .p12 file to all the machines that run your application.
+Then copy the .json file to all the machines that run your application.
 
-Then, enable the debugger agent in a similary way as described in
-the [previous](#Google_Compute_Engine) section:
+Then, enable the debugger agent using one of these two options:
 
 _Option A_: add this code to the beginning of your `main()` function:
 
@@ -144,8 +143,7 @@ try:
       enable_service_account_auth=True,
       project_id='my-gcp-project-id',
       project_number='123456789',
-      service_account_email='123@developer.gserviceaccount.com',
-      service_account_p12_file='/opt/cdbg/gcp.p12')
+      service_account_json_file='/opt/cdbg/gcp.json')
 except ImportError:
   pass
 ```
@@ -158,8 +156,7 @@ python \
     --enable_service_account_auth=1 \
     --project_id=<i>my-gcp-project-id</i> \
     --project_number=<i>123456789</i> \
-    --service_account_email=<i>123@developer.gserviceaccount.com</i> \
-    --service_account_p12_file=<i>/opt/cdbg/gcp.p12</i> \
+    --service_account_json_file=<i>/opt/cdbg/gcp.json</i> \
     --</b> \
     myapp.py
 </pre>

src/googleclouddebugger/__init__.py

@@ -60,11 +60,23 @@ def _StartDebugger():
       _breakpoints_manager.SetActiveBreakpoints)
   _hub_client.on_idle = _breakpoints_manager.CheckBreakpointsExpiration
   if _flags.get('enable_service_account_auth') in ('1', 'true', True):
-    _hub_client.EnableServiceAccountAuth(
-        _flags['project_id'],
-        _flags['project_number'],
-        _flags['service_account_email'],
-        _flags['service_account_p12_file'])
+    if _flags.get('service_account_p12_file'):
+      try:
+        _hub_client.EnableServiceAccountAuthP12(
+            _flags['project_id'],
+            _flags['project_number'],
+            _flags['service_account_email'],
+            _flags['service_account_p12_file'])
+      except NotImplementedError as e:
+        raise NotImplementedError(
+            '{0}\nYou must specify project_id, project_number, and '
+            'service_account_json_file in order to use service account '
+            'authentication.'.format(e))
+    else:
+      _hub_client.EnableServiceAccountAuthJson(
+          _flags['project_id'],
+          _flags['project_number'],
+          _flags['service_account_json_file'])
   else:
     _hub_client.EnableGceAuth()
   _hub_client.InitializeDebuggeeLabels(_flags)

src/googleclouddebugger/gcp_hub_client.py

@@ -33,6 +33,7 @@
 from backoff import Backoff
 import httplib2
 import oauth2client
+from oauth2client import service_account
 from oauth2client.contrib.gce import AppAssertionCredentials
 
 import labels
@@ -165,19 +166,46 @@ def InitializeDebuggeeLabels(self, flags):
 
     self._debuggee_labels['projectid'] = self._project_id()
 
-  def EnableServiceAccountAuth(self, project_id, project_number,
-                               email, p12_file):
-    """Selects to use the service account authentication.
+  def EnableServiceAccountAuthP12(self, project_id, project_number,
+                                  email, p12_file):
+    """Selects service account authentication with a p12 file.
 
+      Using this function is not recommended. Use EnableServiceAccountAuthJson
+      for authentication, instead. The p12 file format is no longer recommended.
     Args:
       project_id: GCP project ID (e.g. myproject).
       project_number: numberic GCP project ID (e.g. 72386324623).
-      email: service account identifier (...@developer.gserviceaccount.com).
-      p12_file: path to the file with the private key.
+      email: service account identifier for use with p12_file
+        (...@developer.gserviceaccount.com).
+      p12_file: (deprecated) path to an old-style p12 file with the
+        private key.
+    Raises:
+      NotImplementedError indicates that the installed version of oauth2client
+      does not support using a p12 file.
     """
-    with open(p12_file, 'rb') as f:
-      self._credentials = oauth2client.client.SignedJwtAssertionCredentials(
-          email, f.read(), scope=_CLOUD_PLATFORM_SCOPE)
+    try:
+      with open(p12_file, 'rb') as f:
+        self._credentials = oauth2client.client.SignedJwtAssertionCredentials(
+            email, f.read(), scope=_CLOUD_PLATFORM_SCOPE)
+    except AttributeError:
+      raise NotImplementedError(
+          'P12 key files are no longer supported. Please use a JSON '
+          'credentials file instead.')
+    self._project_id = lambda: project_id
+    self._project_number = lambda: project_number
+
+  def EnableServiceAccountAuthJson(self, project_id, project_number,
+                                   auth_json_file):
+    """Selects service account authentication using Json credentials.
+
+    Args:
+      project_id: GCP project ID (e.g. myproject).
+      project_number: numberic GCP project ID (e.g. 72386324623).
+      auth_json_file: the JSON keyfile
+    """
+    self._credentials = (
+        service_account.ServiceAccountCredentials
+        .from_json_keyfile_name(auth_json_file, scopes=_CLOUD_PLATFORM_SCOPE))
     self._project_id = lambda: project_id
     self._project_number = lambda: project_number