SrSSKJr SSKJr SSKJr SSKrSSKJr SSKJ r SSK r SSK J r S r "S S \ 5rS rS rSrSrSrSrSrSrSrg)z,Utilities for Binary Authorization commands.)absolute_import)division)unicode_literalsN) docker_name)Error)urllibz/binaryauthorization.googleapis.com/attestationsc\rSrSrSrSrg)BadImageUrlError!z@Raised when a container image URL cannot be parsed successfully.N)__name__ __module__ __qualname____firstlineno____doc____static_attributes__r 9lib/googlecloudsdk/command_lib/container/binauthz/util.pyr r !sHrr cU=(d Sn[RRU5nUR(a)UR(d[ SR US95eUR(d.[RRSR U55nURUS9R5RS5$)ajReturns the passed `image_url` with the scheme replaced. Args: image_url: The URL to replace (or strip) the scheme from. (string) scheme: The scheme of the returned URL. If this is an empty string or `None`, the scheme is stripped and the leading `//` of the resulting URL will be stripped off. Raises: BadImageUrlError: `image_url` isn't valid. zMImage URL '{image_url}' is invalid because it does not have a host component.) image_urlz//{}scheme/) rparseurlparsernetlocr format_replacegeturllstrip)rr parsed_urls rReplaceImageUrlSchemer#%s     % % 1 sAA>. A99A>c[U5n[R"USSSSS9nSRU5R S5$)aCreates a JSON bytestring representing a signature object to sign. Args: container_image_url: See `containerregistry.client.docker_name.Digest` for artifact URL validation and parsing details. `container_image_url` must be a fully qualified image URL with a valid sha256 digest. Returns: A bytestring representing a JSON-encoded structure of nested dictionaries and strings. T),z: ) ensure_asciiindent separators sort_keysz{} utf-8)r3jsondumpsrencode)r/ payload_dictpayloads rMakeSignaturePayloadrAesJ**=>, JJ   ' w  & &w //rc[USS9n[R"U5 U$![Ran[ U5eSnAff=f)zEnsures the given URL has no scheme (e.g. replaces "https://gcr.io/foo/bar" with "gcr.io/foo/bar" and leaves "gcr.io/foo/bar" unchanged). Args: artifact_url: A URL string. Returns: The URL with the scheme removed. rrN)r#rr)r*r ) artifact_urlurl_without_schemer2s rRemoveArtifactUrlSchemerEsR-\"E)*   % % 1 s$A AAc[USS9n[R"U5nUR $![Ran[ U5eSnAff=f)zReturns the digest of an image given its url. Args: artifact_url: An image url. e.g. "https://gcr.io/foo/bar@sha256:123" Returns: The image digest. e.g. "sha256:123" rrN)r#rr)r*r r.)rCrDr.r2s rGetImageDigestrGsX-\"E   2 3F   % % 1 s.A A  Ac URS5nURS5nSRSS[U5-US[U5-U/5$)zPae encode input using the specified dsse type. Args: dsse_type: DSSE envelope type. body: payload string. Returns: Pae-encoded payload byte string. r; sDSSEv1s%d)r>joinlen) dsse_typebodydsse_type_bytes body_bytess r PaeEncoderPsZ$$W-/{{7#*  c/"" c*o  rc LSSSS0SUVs/sHnSU0PM sn0S.nU$s snf)zCreates a minimal PodSpec from a list of images. Args: images: list of images being evaluated. Returns: PodSpec object in JSON form. v1Podnamer containersr') apiVersionkindmetadataspecr )imagesr'rYs rGeneratePodSpecFromImagesr[sG " v>ve'5)v> $ + ?s! cUSRS05nUR[S5nU(aSRU/U-5U['OSRU5U['X SS'U$)aInlines attestations into a Kubernetes PodSpec. Args: pod_spec: The PodSpec provided by the user. attestations: List of attestations returned by the policy evaluator in comma separated DSSE form. Returns: Modified PodSpec with attestations inlined. rX annotationsNr6)get$_BINAUTHZ_ATTESTATION_ANNOTATION_KEYrJ)pod_spec attestationsr]existing_attestationss rAddInlineAttestationsToPodSpecrcs{$((;+%//*D8; ,.9K459<8NK45(3:}% /rc^USS:wa[USSU5USS'U$[X5$)aInlines attestations into a Kubernetes resource. Args: resource: The Kubernetes resource provided by the user. attestations: List of attestations returned by the policy evaluator in comma separated DSSE form. Returns: Modified Kubernetes resource with attestations inlined. rWrSrYtemplate)rc)resourceras rAddInlineAttestationsToResourcergsFf#A$l$HVZ  O ' ??r)r __future__rrrr<containerregistry.clientrgooglecloudsdk.core.exceptionsrr+ six.movesrr_r r#r3rArErGrPr[rcrgr rrrlsj3&' 00 6% IuIAD<08*(*.2@r