o +3@sdZddlmZddlmZddlmZddlZddlZddlmZ ddlm Z ddl m Z ddl mZddl mZdd l mZdd l mZdd l mZdd lmZd ZGdddejZGdddeZGdddeZddZdddZddZGdddeZGdddejZdS) z%Utilities for the iamcredentials API.)absolute_import)division)unicode_literalsN exceptions) http_wrapper) apis_internal) properties) resources) transport)clientz&https://iamcredentials.googleapis.com/c@eZdZdZdS)Errorz*Exception that are defined by this module.N__name__ __module__ __qualname____doc__rrG/tmp/google-cloud-sdk/lib/googlecloudsdk/api_lib/iamcredentials/util.pyr'rc@r )InvalidImpersonationAccountz1Exception when the service account id is invalid.Nrrrrrr+rrc@r )&ImpersonatedCredGoogleAuthRefreshErrorzAException for google auth impersonated credentials refresh error.Nrrrrrr/rrc Csddlm}tjj|dd|dd}|jdtjdd}tj d d |d }z|j |j j ||j j|d d }|WStjyS}z tj|dj|j|ddd}~wtjyd}zt|d}~ww)z8Generates an access token for the given service account.r transportsiamcredentials.serviceAccounts- projectsIdserviceAccountsId collectionparamsFenable_resource_quotaresponse_encodingallow_account_impersonationiamcredentialsv1 http_client)scope)namegenerateAccessTokenRequestzError {code} (Forbidden) - failed to impersonate [{service_acc}]. Make sure the account that's trying to impersonate it has access to the service account itself and the "roles/iam.serviceAccountTokenCreator" role.)code service_acc error_formatN)googlecloudsdk.core.credentialsrr REGISTRYParseGetApitoolsTransportr ENCODINGr_GetClientInstanceprojects_serviceAccountsGenerateAccessTokenMESSAGES_MODULE?IamcredentialsProjectsServiceAccountsGenerateAccessTokenRequest RelativeNameGenerateAccessTokenRequestapitools_exceptionsHttpForbiddenErrorr HttpExceptionformat status_code HttpError)service_account_idscopesrservice_account_refr* iam_clientresponseerrrr93sJ  r9FcCstddlm}tjj|dd|dd}|jdtjdd}tj d d |d }|j |j j ||j j||d d }|jS)z4Generates an id token for the given service account.rrrrrr Fr#r'r(r))audience includeEmail)r,generateIdTokenRequest)r2rr r3r4r5r r6rr7r8GenerateIdTokenr:;IamcredentialsProjectsServiceAccountsGenerateIdTokenRequestr<GenerateIdTokenRequesttoken)rDrJ include_emailrrFr*rGrHrrrrM[s. rMcCsHtjjjrtjjjStjjj}||jkr"t d|St S)aReturns the effective IAM endpoint. (1) If the [api_endpoint_overrides/iamcredentials] property is explicitly set, return the property value. (2) Otherwise if [core/universe_domain] value is not default, return "https://iamcredentials.{universe_domain_value}/". (3) Otherise return "https://iamcredentials.googleapis.com/" Returns: str: The effective IAM endpoint. zgoogleapis.com) r VALUESapi_endpoint_overridesr'IsExplicitlySetGetcoreuniverse_domaindefaultIAM_ENDPOINT_GDUreplace)universe_domain_propertyrrrGetEffectiveIamEndpointws  r\c@sHeZdZdZddZddZddZdd Zed d Z ed d Z dS) ImpersonationAccessTokenProviderzzA token provider for service account elevation. This supports the interface required by the core/credentials module. cCs,d|vrtdt||}t||j|j|S)N,zMore than one service accounts were specified, which is not supported. If being set, please unset the auth/disable_load_google_auth property and retry.)rr9ImpersonationCredentials accessToken expireTime)selfrDrErHrrrGetElevationAccessTokens  z8ImpersonationAccessTokenProvider.GetElevationAccessTokencCs t|||SN)rM)rbrDrJrQrrrGetElevationIdTokens z4ImpersonationAccessTokenProvider.GetElevationIdTokenc Csddlm}ddlm}ddlm}|}|||j||||d} |z| |W| S|j y} zNdj |d} d} z/t | j d } | d | d d | d d <tjd | d dit | dd}tj|} Wn tyyYnw| rtj| ddt| d} ~ ww)zCCreates a fresh impersonation credential using google-auth library.rrimpersonated_credentialsrequests)source_credentialstarget_principal target_scopes delegateszFailed to impersonate [{service_acc}]. Make sure the account that's trying to impersonate it has access to the service account itself and the "roles/iam.serviceAccountTokenCreator" role.)r/N errormessagestatusr.)infocontent request_urlz{message} {details? {?}}r0) google.authrrggooglecloudsdk.coreriGoogleAuthRequestrefresh CredentialsPerformIamEndpointsOverride RefreshErrorrAjsonloadsargsrResponsedumpsr>rC FromResponse Exceptionr@r)rbrjrkrmrEgoogle_auth_exceptions$google_auth_impersonated_credentials core_requestsrequest_clientcredrIoriginal_message http_errorrt http_responserrr!GetElevationAccessTokenGoogleAuthsT     .   zBImpersonationAccessTokenProvider.GetElevationAccessTokenGoogleAuthcCsFddlm}ddlm}|j|||d}|}||||S)z=Creates an ID token credentials for impersonated credentials.rrfrh)target_audiencerQ)rvrgrwriIDTokenCredentialsrxr{ry)rb%google_auth_impersonation_credentialsrJrQrrrrrrrGetElevationIdTokenGoogleAuths   z>ImpersonationAccessTokenProvider.GetElevationIdTokenGoogleAuthcCs"ddlm}t|tpt||jS)Nrrf)rvrg isinstancer_rz)clsrrrrrIsImpersonationCredentials  z:ImpersonationAccessTokenProvider.IsImpersonationCredentialcCsFddlm}t}|jt||_|jt||_|jt||_dS)a.Perform IAM endpoint override if needed. We will override IAM generateAccessToken, signBlob, and generateIdToken endpoint under the following conditions. (1) If the [api_endpoint_overrides/iamcredentials] property is explicitly set, we replace "https://iamcredentials.googleapis.com/" with the given property value in these endpoints. (2) If the property above is not set, and the [core/universe_domain] value is not default, we replace "googleapis.com" with the [core/universe_domain] property value in these endpoints. r)iamN)rvrr\ _IAM_ENDPOINTrZrY_IAM_SIGN_ENDPOINT_IAM_IDTOKEN_ENDPOINT)rgoogle_auth_iameffective_iam_endpointrrrr{s" zrgooglecloudsdk.api_lib.utilrrwcore_exceptionsr r r oauth2clientr rYrrrr9rMr\objectr]OAuth2Credentialsr_rrrrs2             (