Move CSR off disk, fix hardcoded client_secrets path.

oauthproxy.py

@@ -49,6 +49,11 @@ parser.add_argument(
     dest='certserver',
     action='store',
     required=True)
+parser.add_argument(
+    '--client-secrets',
+    dest='client_secrets',
+    action='store',
+    required=True)
 parser.add_argument(
     '--export-password',
     dest='export_password',
@@ -89,7 +94,8 @@ class HTTPServer6(server.HTTPServer):
 
 class OAuthProxy(object):
 
-  def __init__(self, listen_host, listen_port, server_key, server_cert, api_key, allowed_domain, subject, ca_cert, export_password, certclient):
+  def __init__(self, listen_host, listen_port, server_key, server_cert, client_secrets, api_key, allowed_domain, subject, ca_cert, export_password, certclient):
+    self._client_secrets = client_secrets
     self._api_key = api_key
     self._allowed_domain = allowed_domain
     self._subject = subject
@@ -129,7 +135,7 @@ class OAuthProxy(object):
       '/oauth2callback',
     ])
     return client.flow_from_clientsecrets(
-        'client_secrets.json',
+        self._client_secrets,
         login_hint=self._allowed_domain,
         scope='https://www.googleapis.com/auth/userinfo.email',
         redirect_uri=return_url)
@@ -143,13 +149,13 @@ class OAuthProxy(object):
           '-out', key_path,
       ])
       csr_path = os.path.join(td, 'csr.pem')
-      subprocess.check_call([
+      proc = subprocess.Popen([
           'openssl', 'req', '-new',
           '-key', key_path,
-        '-out', csr_path,
           '-subj', self._subject.replace('EMAIL', email),
-      ])
-      csr = open(csr_path, 'rb').read()
+        ],
+        stdout=subprocess.PIPE)
+      csr = proc.stdout.read()
       cert = self._certclient.Request(csr)
       proc = subprocess.Popen([
           'openssl', 'pkcs12', '-export',
@@ -204,6 +210,7 @@ def main():
       FLAGS.listen_port,
       FLAGS.server_key,
       FLAGS.server_cert,
+      FLAGS.client_secrets,
       FLAGS.api_key,
       FLAGS.allowed_domain,
       FLAGS.subject,