k6SrSSKJr SSKJr SSKJr SSKrSSKrSSKrSSKJ r SSK J r SSK Jr SS KJr SSKJ r SS KJr SS KJr SS KJr SS KJr SS KJr SSKJr SSKJ r SSKJ!r! SSK"J#r# SSK"J$r$ SSK%J&r' Sr("SS\RR5r*"SS\RR5r+Sr,Sr-Sr.Sr/Sr0S0Sjr1Sr2S r3S!r4S"r5S#r6S$r7S%r8S&r9S'r:S(r;S)rS,r?S-r@S1S.jrAS/rBg)2z%Support library for the auth command.)absolute_import)division)unicode_literalsN)jwt) exceptions) projects_api)util)config)log) properties) console_io)creds)files) platforms)client)service_account)gcezserviceusage.services.usec\rSrSrSrSrg)$MissingPermissionOnQuotaProjectError/zCAn error when ADC does not have permission to bill a quota project.N__name__ __module__ __qualname____firstlineno____doc____static_attributes__r0lib/googlecloudsdk/command_lib/auth/auth_util.pyrr/sKrrc\rSrSrSrSrg)AddQuotaProjectError3zGAn error when quota project ID is added to creds that don't support it.rNrrrr r"r"3sOrr"cSSKJs Jn [U[R 5=(d [XR R5$)zHChecks if the credential is a Compute Engine service account credential.rN)google.auth.compute_engineauthcompute_engine isinstanceoauth2client_gceAppAssertionCredentials credentials Credentials)credgoogle_auth_gces r IsGceAccountCredentialsr/7s; 76 T+CC D D T66BB CErcSSKJs Jn [U[R5=(d [XR 5$)z9Checks if the credential is a service account credential.rN)google.oauth2.service_accountoauth2rr(ServiceAccountCredentialsr,)r-google_auth_service_accounts r IsServiceAccountCredentialr5Bs5 FE T?DD E D TBB CErc@[RRU5$)zGChecks if the credential is an impersonated service account credential.)impersonation_util ImpersonationAccessTokenProviderIsImpersonationCredentialr-s r r9r9Ms  * *+D+DT+JLrc`[U5=(d [U5=(d [U5$N)r9r5r/r:s r ValidIdTokenCredentialr=Ss) #D ) ( $T * ( !$ ')rc[R"5nU(a][R"SR [ R U[R"5S95n[R"USSS9 gg)z/Warns users if ADC environment variable is set.a5 The environment variable [{envvar}] is set to: [{override_file}] Credentials will still be generated to the default location: [{default_file}] To use these credentials, unset this environment variable before running your application. )envvar override_file default_fileT)messagethrow_if_unattended cancel_on_noN) r ADCEnvVariabletextwrapdedentformatrGOOGLE_APPLICATION_CREDENTIALS ADCFilePathr PromptContinue)r@rBs r PromptIfADCEnvVarIsSetrLYsl'')-oof::)!--/1 2GTFrcz[R"U5(d2[R"U5(d[R"S5 g[R"U5(aU(a [ S5e[ 5 U(a [U5 g[R"U5R5 g)z8Writes gclouds's credential from auth login to ADC json.zyCredentials cannot be written to application default credentials because it is not a user or external account credential.NzdThe application default credentials are external account credentials, quota project cannot be added.) c_credsIsUserAccountCredentialsIsExternalAccountCredentialsr warningr"rLDumpADCOptionalQuotaProjectADC DumpADCToFile)radd_quota_projects r WriteGcloudCredentialsToADCrVls  * *5 1 1  . .u 5 5KK  ))%005F  ) **& KK$$&rc&[RR[R"55(dg[ R "[R"55n[R"U5sSSS5 $!,(df  g=f)z5Reads ADC from disk and converts it to a json object.N) ospathisfiler rJr FileReaderjsonload)fs r GetADCAsJsonr_sQ **, - -  **,- 99Q<.--s "B BcN[5nUS$![[4a gf=f)z? Arc0[R"S5 g)Nz Quota project is disabled. You might receive a "quota exceeded" or "API not enabled" error. Run $ gcloud auth application-default set-quota-project to add a quota project.rrrr LogQuotaProjectDisabledrs++23rc[R"U5R5n[U5 U(a [ 5 gg)zDumps the given credentials to ADC file. Args: credentials: a credentials from oauth2client or google-auth libraries, the credentials to dump. quota_project_disabled: bool, If quota project is explicitly disabled by users using flags. N)rNrSrTrr)r+quota_project_disabledrjs r DumpADCrs1[[ % 3 3 5((rcL[R"U5R5n[U5 [R"USS9nU(d [ 5 g[ U[/S9(a/[R"U5RUS9 [U5 g[U5 g)aqDumps the given credentials to ADC file with an optional quota project. Loads quota project from gcloud's context and writes it to application default credentials file if the credentials has the "serviceusage.services.use" permission on the quota project.. Args: credentials: a credentials from oauth2client or google-auth libraries, the credentials to dump. T)force_resource_quotarxrN) rNrSrTrGetQuotaProjectrrzrDumpExtendedADCToFilerr)r+rjrs r rRrRs|[[ % 3 3 5(()).- %"9!:< KK 222O'&}5rcR[5 [5(d[R"S5e[R "5R [R"55upURn[R"U5R5 [U[/S9(dB[R"U5RUS9 [SR!U[55e[R"U5RUS9n[#U5 [%U5 g)a|Adds the quota project to the existing ADC file. Quota project is only added to ADC when the credentials have the "serviceusage.services.use" permission on the project. Args: quota_project: str, The project id of a valid GCP project to add to ADC. Raises: MissingPermissionOnQuotaProjectError: If the credentials do not have the "serviceusage.services.use" permission. z\The application default credentials are not user credentials, quota project cannot be added.rrzCannot add the project "{}" to application default credentials (ADC) as a quota project because the account in ADC does not have the "{}" permission on this project.N)rkrrrgrhrNrmrnr rJrarSrTrzrrrrHrr)rr+rqprevious_quota_projectrjs r AddQuotaProjectToADCrs      #  //1LL .+'77 ++k((* '"9!:  KK 22,3 / ++16 2,  [[ % ; ;!<((}%rcd[R"XX#5R5n[U5 gr<)rNrSrTr)r+target_principal delegatesscopesrjs r #DumpImpersonatedServiceAccountToADCrQs)[[",,9MO (rc[R"URSS9nUSnU(aEUR5UR5:wa#[R "SR XS95eU$)z=Extracts account from creds and validates it against account.F)verifyemailzYou attempted to log in as account [{account}] but the received credentials were for account [{web_flow_account}]. Please check that your browser is logged in as account [{account}] and that you are using the correct browser profile.)accountweb_flow_account)rdecodeid_tokenlowerauth_exceptionsWrongAccountErrorrH)rrdecoded_id_tokenrs r ExtractAndValidateAccountrZsrZZu=%g. $4$:$:$<<  + + >?Ef?E?   r)Fr<)Cr __future__rrrr\rXrF google.authrgooglecloudsdk.api_lib.authrr+googlecloudsdk.api_lib.cloudresourcemanagerr%googlecloudsdk.api_lib.iamcredentialsr r7googlecloudsdk.callioperg#googlecloudsdk.command_lib.projectsrtgooglecloudsdk.corer r r googlecloudsdk.core.consoler googlecloudsdk.core.credentialsrrNgooglecloudsdk.core.utilrr oauth2clientrroauth2client.contribrr)rADCErrorrr"r/r5r9r=rLrVr_rerkrrrzrvrrrrrrrrRrrrrrr rs ,&' EDL7D&#*2<*.(86L7+;+;LP7++PEEL ) F&',K;I P$;0K"A3 645&v04 r