#ESrSSKJr SSKJr SSKJr SSKJr SSKrSSKJ r SSKJ r SS K J r SS K Jr SS KJ r SS KJr SS KJr SS KJr SS KJr SSKJr SSKJr SSKJr SSKJr SSKJr SSKJr SSK J!r" SSK#J$r$ SSK#J%r% SSK&J'r' SSK(r(SSK)J*r* SSK+r("SS\RX5r-"SS\-5r."SS\-5r/"SS \-5r0S!r1S"r2S#r3"S$S%\ Rh5r5S&r6S'r7S(r8S)r9S*r:S+r;\Rx"54S,jr=S-r>S.r?S/\Rx"54S0jr@S1rAS2rBS3rCS4rDS5rES6rF\S9S7j5rGS:S8jrHg);z,Utilities for the container images commands.)absolute_import)division)unicode_literals)contextmanagerN) docker_creds) docker_name) docker_http) docker_image)docker_image_list)container_analysis_data_util) filter_util)requests)apis) exceptions)log) resources) transports)store) constants)docker)times)mapc\rSrSrSrSrg) UtilError4zBase class for util errors.N__name__ __module__ __qualname____firstlineno____doc____static_attributes__r3lib/googlecloudsdk/api_lib/container/images/util.pyrr4s#r$rc\rSrSrSrSrg)InvalidImageNameError8z4Raised when the user supplies an invalid image name.rNrrr$r%r'r'8s*+ ZZ $(nnX$&. -- !T ).   H % -r$c[U5(a [S5eURS5(a [S5eU[R;a[ R "U5nO[ R"U5n[UR5(a[R"U5eU$![ Ra$n[[R"U55eSnAff=f)aEValidates the repository path. Args: repository_path: str, The repository path supplied by a user. Returns: The parsed docker_name.Repository object. Raises: InvalidImageNameError: If the image name is invalid. docker.UnsupportedRegistryError: If the path is valid, but belongs to a registry we don't support. zPImage names must not be fully-qualified. Remove the tag or digest and try again./zFImage name cannot end with '/'. Remove the trailing '/' and try again.N)r3r'endswithrMIRROR_REGISTRIESrRegistry Repositoryr?r8rUnsupportedRegistryErrorBadNameExceptionsix text_type)repository_path repositoryes r%ValidateRepositoryPathrMVso&&   c"" !K LL 2)555''8j))/:j,,--  + +O <<   % %2  a 0 112sA2B11C)C$$C)c@^\rSrSrSrSrU4Sjr\S5rSr U=r $)CredentialProvideryzFCredentialProvider is a class to refresh oauth2 creds during requests._tokencB>[[U] URS5 g)Nzdoes not matter)superrO__init__ _USERNAME)self __class__s r%rTCredentialProvider.__init__~s d,T^^=NOr$c,[R"5$N)c_storeGetAccessTokenIfEnabled)rVs r%passwordCredentialProvider.passwords  * * ,,r$r) rrr r!r"rUrTpropertyr]r# __classcell__)rWs@r%rOrOys%N)P - -r$rOc[U5n[US- 5n[R"U5$![[R 4a gf=f)Ni)floatroundrGetDateTimeFromTimeStampArithmeticErrorDateTimeValueError)time_created_ms timestamps r%_TimeCreatedToDateTimerisNO$)I$%)  ) )) 44 533 4 s1A AcdUR[R;a[R$UR[R;a[R $UR RS5nSUS;aUS$[U5S:aUSS-US-$[SUS5e)z.Recovers the project-id from a GCR repository.rA.rr0z*Domain-scoped app missing project name: %s) r8rrCMIRROR_PROJECTLAUNCHER_REGISTRIESLAUNCHER_PROJECTrKsplitlen ValueError)rKpartss r%RecoverProjectIdrtsI777  # ##I999  % %%    % %c *%a 8O 5zA~ 8c>E!H $$ A58 LLr$cHSR[R"U5S9$)Nzhttps://{repo}@repoformatrHrIrvs r%_UnqualifiedResourceUrlrzs  ! !s}}T': ! ;;r$cJSR[R"U5US9$)Nzhttps://{repo}@{digest}rwdigestrxr|s r% _ResourceUrlr~s( " ) ) == v * //r$c SRUS9$)Nzhttps://{digest}r})ryrs r%_FullyqualifiedDigestrs  " "& " 11r$c [R"SS5n[R"SS5n[RR USS9nUR UR5US9nURRU5$)z(Helper function to make Summary request.containeranalysisv1alpha1zcloudresourcemanager.projects) collection)parentfilter) rGetClientInstanceGetMessagesModulerREGISTRYParseBContaineranalysisProjectsOccurrencesGetVulnerabilitySummaryRequest RelativeNameprojects_occurrencesGetVulnerabilitySummary) project_id url_filterclientmessages project_refreqs r%_MakeSummaryRequestrs  ! !"5z B&  # #$7 D(""((<)>+HH))+JI@  $ $ < nURU;a/X5R'X5RR U5 M@ U$)z:Fetches the occurrences attached to the list of manifests.)rtrListOccurrencesWithFiltersGetChunkifiedFiltersrappend)rKrroccurrences_by_resources occurrencesrs r%FetchOccurrencesrso +*3388:<+ c 6624/__-44S9 "!r$FcU(d/$0nU(a [XS9n/n[R"U5GH1upgUURS/5[ URS55S.nUR[ X5/5H>n U R U;a/XR 'XR RU 5 M@ U(aUR(aw0US'[ X5n XR;aM[X5n U RH;n U R(dMU RUS[U R5'M= URU5 GM4 U$)z2Transforms the manifests returned from the server.)rtag timeCreatedMs)r}tagsrh vuln_counts)rrH iteritemsgetrir~kindrrrcountsseverity totalCountstr) manifestsrKshow_occurrencesrrresultskvresultrrsummaryseverity_counts r%TransformManifestsrsA  I+"9K 'mmI&daeR +AEE/,BCF|J:B?  xx XXc"@ -77 f]"*0l 88 8Z6g#NN.  " " "''  N$;$; < =+  NN69': .r$cURS-UR-n[U5n[R"[ 5UUS9nUR UR5;a /sSSS5 $UR5RUR 05nURS/5sSSS5 $!,(df  g=f)Gets all of the tags for a given digest. Args: digest: docker_name.Digest, The digest supplied by a user. http_obj: http.Http(), The http transport. Returns: A list of all of the tags associated with the input digest. rA basic_credsname transportNr) r8rKrM v2_2_image FromRegistryrOr}rr)r}http_objrJrKimagemanifest_values r%GetTagNamesForDigestr"sOOc)F,=,==/%o6*$&Z" }}EOO--   __&**6=="=N   eR ( s B50;B55 CczURS-UR-n[U5n/n[X5nUHEn[R "[ R"U5S-U-5nURU5 MG U$![Ra$n[[ R"U55eSnAff=f)rrAr0N) r8rKrMrrTagrHrIrGr'r) r}rrJrKr tag_namestag_namerrLs r%GetDockerTagsForDigestr7sOOc)F,=,==/%o6* $"64)h4 OOCMM*5;hF Gc KK  +  ' '4 !#--"2 334s0BB:B55B:c<SUR;a [S5eU$)NrAz=Image name should start with *.gcr.io/project_id/image_path. )rKr') digest_or_tags r%ValidateImagePathAndReturnrNs+ ((( !C DD r$ch[U5(dUS- n[[R"U55$![Ra Of=fUR SS5n[ U5S:XaqUSRS5(d[SRU55e[ US5S:a,[U5nX :Xa[SRU55eUn[[R"U55$![Ra [SRU55ef=f) aLGets an image object given either a tag or a digest. Args: image_name: Either a fully qualified tag or a fully qualified digest. Defaults to latest if no tag specified. Returns: Either a docker_name.Tag or a docker_name.Digest object. Raises: InvalidImageNameError: Given digest could not be resolved to a full digest. z:latestr1rlzsha256:z3[{0}] digest must be of the form "sha256:".Gz-[{0}] could not be resolved to a full digest.) r3rrrrGrprq startswithr'ryGetDockerDigestFromPrefixDigest)r2rsresolveds r%GetDockerImageFromTagOrDigestrVs. * % %)J %kooj&A BB  % %     3 "%Z1_ 8  y ) ) ! ? F F   58}v*:6h  # ; B B: NP Pj %k&8&8&D EE  % % =DD   s6A  A #D/D1c[U5nSnSnSnU"U5=(d U"U5=(d U"U5nU(d[SRU55e[U[R 5(d[ R"S5 [R "SRURURUS95$)zGets a digest object given a repository, tag or digest. Args: image_name: A docker image reference, possibly underqualified. Returns: a docker_name.Digest object. Raises: InvalidImageNameError: If no digest can be resolved. c[R"[5U[5S9nUR 5(aUR 5sSSS5 $SSS5 g!,(df  g=fNr)v2_imagerrOHttpexistsr})rv2_imgs r% ResolveV2Tag'GetDigestFromName..ResolveV2TagsS   &(s& # }}        %A A  A.c[R"[5U[5[R S9nUR 5(aUR5sSSS5 $SSS5 g!,(df  g=f)N)rrraccepted_mimes)rrrOrv2_2_docker_httpSUPPORTED_MANIFEST_MIMESrr})rv2_2_imgs r% ResolveV22Tag(GetDigestFromName..ResolveV22Tagsj  &( &'@@  BFN     B B B B Bs%A/%A// A=c[R"[5U[5S9nUR 5(aUR 5sSSS5 $SSS5 g!,(df  g=fr)r rrOrrr})r manifest_lists r%ResolveManifestListTag1GetDigestFromName..ResolveManifestListTagsZ  ' '&(s& *     ##%        rz[{0}] is not found or is not a valid name. Expected tag in the form "base:tag" or "tag" or digest in the form "sha256:"zRSuccessfully resolved tag to sha256, but it is recommended to use sha256 directly.z {registry}/{repository}@{sha256})r8rKsha256) rr'ry isinstancerrrwarningr8rK)r2 tag_or_digestrrrrs r%GetDigestFromNamers0 ;-]+"}]/K"=!    Fz  M;#5#5 6 6KK'(   >EE%%)) F r$c (URSS5up[U5n[R"[ 5U[ 5S9nUR 5Vs/sHoURU5(dMUPM nn[U5S:XaUS-UR5-sSSS5 $[U5S:a8[SRUSR[[U5555eUsSSS5 $s snf!,(df  g=f)zGets a full digest string given a potential prefix. Args: digest: The digest prefix Returns: The full digest, or the same prefix if no full digest is found. Raises: InvalidImageNameError: if the prefix supplied isn't unique. r1rlrNz4{0} is not a unique digest prefix. Options are {1}.]z, )rprMrrrOrrrrqpopr'ryjoinrr)r}rJprefixrKrdmatchess r%rrs#LLa0/%o6*$&Z //+D+Q||F/Cq+GD 7|q s "W[[] 2  W  ! @ G GdiiC 12 4 55 Es+DC>6C><&D,AD>D Dc## Sv g![R[R4anUR[R R R[R R R4;a7[SRU=(d [R"U555eUR[R R R:Xa7[SRU=(d [R"U555eeSnAf[R[R4a$n[[R"U55eSnAff=f7f)NzAccess denied: {}z Not found: {})v2_docker_httpV2DiagnosticExceptionrstatusrHmoves http_client UNAUTHORIZED FORBIDDENr*ryrI NOT_FOUNDTokenRefreshExceptionr-)optional_image_nameerrs r%WrapExpectedDockerlessErrorsrs0  . .  0 0 2   zz **CII,A,A,K,K ##6#=#=  3s!3$5 66 syy,,66 6 "?#9#9  3s!3$5 66  . .  0 0 20 CMM#. //0s1E2 E2$E/C7D$$'E/ E**E//E2c*[R"US9$)aGets an transport client for use with containerregistry. For now, this just calls into GetApitoolsTransport, but if we find that implementation does not satisfy our needs, we may need to fork it. This small amount of indirection will make that change a bit cleaner. Args: timeout: the http timeout in seconds Returns: 1. A httplib2.Http-like object backed by httplib2 or requests. timeout)rGetApitoolsTransportrs r%rrs  ( ( 99r$rZ)unset)Ir" __future__rrr contextlibrr5containerregistry.clientrrcontainerregistry.client.v2r rr rcontainerregistry.client.v2_2rrr 'googlecloudsdk.api_lib.container.imagesr (googlecloudsdk.api_lib.containeranalysisr rgooglecloudsdk.api_lib.utilrgooglecloudsdk.corerrrrgooglecloudsdk.core.credentialsrr[googlecloudsdk.core.dockerrrgooglecloudsdk.core.utilrrH six.movesrsix.moves.http_clientErrorrr'r*r-r3r?rMBasicrOrirtrzr~rrContainerAnalysisFilterrrrrrrrrrrrrrr$r%r)sF3&'% 10 F@ID;P@=,*#)*<0-* $   $=I=DYD8 80  2F -++ -  M</ 2 B#."E"E"G2 B ").)4)L)L)N-`)*.*Z?D800& :r$