dSrSSKJr SSKJr SSKJr SSKrSSKJr SSKrSr Sr S r S r S r S rS rSrSrSrSrSrSrSrSrSrSrSrSrSrSrg)z,Utils for GKE Hub Identity Service commands.)absolute_import)division)unicode_literalsN) exceptionsic\[UR5S:wa[R"S5eURSn[ U5 [ U5n[ U5nUcUc[R"S5eUR5n[XA5Ul [X15Ul U$)aLoad FeatureSpec MemberConfig from the parsed ClientConfig CRD yaml file. Args: loaded_config: YamlConfigFile, The data loaded from the ClientConfig CRD yaml file given by the user. YamlConfigFile is from googlecloudsdk.command_lib.anthos.common.file_parsers. msg: The gkehub messages package. Returns: member_config: The MemberConfig configuration containing the AuthMethods for the IdentityServiceFeatureSpec. z1Input config file must contain one YAML document.rzOA valid 'spec.identityServiceOptions' or 'spec.authentication' must be provided) lendatarErrorvalidate_clientconfig_metaget_auth_methodsget_identity_service_optionsIdentityServiceMembershipSpec5validate_and_construct_identity_service_options_protoidentityServiceOptions)validate_and_construct_auth_methods_proto authMethods) loaded_configmsg clientconfig auth_methodsidentity_service_options member_configs Hlib/googlecloudsdk/command_lib/container/fleet/identity_service/utils.py parse_configr#s   !   N OO##A&,\*!,/,9,G6>      335-; "& H- cjUSnUbSU;agUS(d[R"S5eUS$)Nspecrz?Must provide a valid option under 'spec.identityServiceOptions'rr rr s rrrKsI f $ \-T9  & '   I  & ''rc Ucg[[S.nUR5nUHBnXB;a%[R"SR U55e[ UUX$"X55 MD U$)aConstructs an IdentityServiceMembershipSpec.IdentityServiceIdentityServiceOptions instance from the provided `identity_service_options_config` config. Args: identity_service_options_config: a map of non-protocol-related configuration options from the applied configuration. msg: The gkehub message package Returns: an instance of IdentityServiceMembershipSpec.IdentityServiceIdentityServiceOptions Raises: exceptions.Error: if an unsupported option is found under `spec.IdentityServiceOptions` N)sessionDurationdiagnosticInterfacez@Invalid option '{}' provided under 'spec.identityServiceOptions')parse_session_durationparse_diagnostic_interface%IdentityServiceIdentityServiceOptionsrr formatsetattr)identity_service_options_configrsupported_optionsidentity_service_options_protooptions rrrVs~$%, /7$'#L#L#N /f &    L 6&>  &!#G 0 ('rcUSn[U[5(aU[:d U[:a.[R "SR [[55e[US-5S-$)Nr$zS'spec.identityServiceOptions.sessionDuration' must be an integer between {} and {}.<s) isinstanceintSESSION_DURATION_MINSESSION_DURATION_MAXrr r)str)_r+session_durations rr&r&}sl45FG $c * *-- 0 0    $f%9;OP   " #c ))rcUSn[U[5(a SU;dSU;a[R"S5eUR 5nUH|nUS:Xa USUlMUS:Xa>[ R RUSR5S5nUSUl MY[R"SRU55e U$![a [SRUS55ef=f)aConstructs an IdentityServiceDiagnosticInterface instance from the provided config `identity_service_options_config`. Args: msg: The gkehub message package identity_service_options_config: a map of non-protocol-related configuration options from the applied configuration. Returns: an instance of IdentityServiceDiagnosticInterface Raises: ValueError: if the value provided in `diagnosticInterface.expirationTime` is not RFC3339-compliant. r%enabledexpirationTimezhRequired fields 'diagnosticInterface.enabled' and 'diagnosticInterface.expirationTime' must be provided.z%Y-%m-%dT%H:%M:%S%zz'{}' is invalid for the field 'diagnosticInterface.expirationTime'. Please, provide a valid date in the '%Y-%m-%dT%H:%M:%S%z' format.zPUnknown field '{}' found under 'spec.identityServiceOptions.diagnosticInterface') r2dictrr "IdentityServiceDiagnosticInterfacer:datetimestrptime__str__r; ValueErrorr))rr+diagnostic_interface_configdiagnostic_interface_protokeyr7s rr'r's2!@! 0$ 7 7 5 5 !< <    B  #EEG (c i+F , (      & & '(8 9 A A C ! 5P 5 "1    ??Evc{ /)6 $#  99?+,<=:   s +;C(C9cjUSnUbSU;agUS(d[R"S5eUS$)Nr authenticationz>Must provide a valid configuration under 'spec.authentication'r!r"s rrrsI f $ \%T1      H   rcUc/$[U5nU[:a,SRU[5n[R"U5e[ [ [[[S.nSS1n/nUHnUR5Vs/sH oU;dM UPM n n[U 5S:wa[R"S5eU Sn X;a%[R"SRU 55eXJ"Xq5n URU 5 M U$s snf) atConstructs a list of IdentityServiceMembershipSpec.IdentityServiceAuthMethod from the given auth methods config. Args: auth_methods_config: A list of providers from the applied configuration msg: The GKE Hub message package Returns: a list of IdentityServiceMembershipSpec.IdentityServiceAuthMethod Raises: exceptions.Error: if the provided config is invalid ziThe provided configuration contains {} identity providers. The maximum number that can be provided is {}.)oidcgoogleazureADsamlldapnameproxyr zIExactly one identity protocol can be configured per authentication methodrzEUnsupported identity protocol [{}] found under 'spec.authentication'.) r MAX_AUTH_PROVIDERSr)rr provision_oidc_configprovision_google_configprovision_azuread_configprovision_saml_configprovision_ldap_configkeysappend) auth_methods_configrauth_methods_counterr_msgsupported_protocolsauth_method_metaauth_methods_protoauth_method_configrD protocolsprotocol auth_methods rrrs4 I./,, 9 f !34    7 ###')## g&/)..00?O4O0 9~     |H*    $$*F8$4 &/0BHKk*!0" !s D  D c<SU;a[R"S5eg)zValidate the basics of the parsed clientconfig yaml for AIS Hub Feature Spec. Args: clientconfig: The data field of the YamlConfigFile. r zMissing required field 'spec'.Nr!)rs rrrs#  <   ; << rcUR5nSU;a[R"S5eUSUlSU;a USUlSU;a[ USS5UlU$)aProvision FeatureSpec LdapConfig Server from the parsed yaml file. Args: ldap_server_config: YamlConfigFile, The ldap server data loaded from the yaml file given by the user. YamlConfigFile is from googlecloudsdk.command_lib.anthos.common.file_parsers. msg: The gkehub messages package. Returns: member_config: A MemberConfig configuration containing server details of a single LDAP auth method for the IdentityServiceFeatureSpec. hostz4LDAP Authentication method must contain server host.connectionTypecertificateAuthorityDatazutf-8)IdentityServiceServerConfigrr rcrdbytesre)ldap_server_configrservers rprovision_ldap_server_configrjs  * * ,& %%   > #6*&+++./?@F#55&+56'F# -rchUc[R"S5eUR5nSU;anUR5UlUSnUS(a US(d[R"S5eUSURlUSURlU$[R"S5e)aProvision FeatureSpec LdapConfig ServiceAccount from the parsed yaml file. Args: ldap_service_account_config: YamlConfigFile, The ldap service account data loaded from the yaml file given by the user. YamlConfigFile is from googlecloudsdk.command_lib.anthos.common.file_parsers. msg: The gkehub messages package. Returns: member_config: A MemberConfig configuration containing the service account details of a single LDAP auth method for the IdentityServiceFeatureSpec. z@LDAP Authentication method must contain Service Account details.simpleBindCredentialsdnpasswordzNLDAP Authentication method must contain non-empty Service Account credentials.zHUnknown service account type. Supported types are: simpleBindCredentials)rr #IdentityServiceServiceAccountConfig$IdentityServiceSimpleBindCredentialsrlrmrn)ldap_service_account_configrservice_accountldap_simple_bind_credentialss r%provision_ldap_service_account_configrt/s!(   J ;;=/ ;; 002)$?$  ) .+J7     0L 0O)), %Z0))2 P rcUR5nSU;a[R"S5eUSUlSU;a USUlSU;a USUlSU;a USUlU$)aProvision FeatureSpec LdapConfig User from the parsed yaml file. Args: ldap_user_config: YamlConfigFile, The ldap user data loaded from the yaml file given by the user. YamlConfigFile is from googlecloudsdk.command_lib.anthos.common.file_parsers. msg: The gkehub messages package. Returns: member_config: A MemberConfig configuration containing the user details of a single LDAP auth method for the IdentityServiceFeatureSpec. baseDnz4LDAP Authentication method must contain user baseDn.loginAttribute idAttributefilter)IdentityServiceUserConfigrr rvrwrxry)ldap_user_configrusers rprovision_ldap_user_configr}^s & & ($%%   > !*$+))*+;!>!@(D(S)%,K8H,I3O-'A&3'#  )DGc*  & rcSU;a[R"S5eUR5nUSUlUSnSU;dSU;a[R"S5eUR 5UlUSUR lUSUR l[UR R US5 SU;a USUl SU;aUSUR l S U;aUS UR l S U;aUS UR l S U;aUS UR l S U;aUS UR lUR R(dCUR R(a([R"S RUS55eSU;aUSUR lSU;aUSUR lSU;aUSUR lSU;aUSUR lSU;aUSUR lSU;aUSUR lU$)aProvision FeatureSpec OIDCConfig from the parsed yaml file. Args: auth_method: YamlConfigFile, The data loaded from the yaml file given by the user. YamlConfigFile is from googlecloudsdk.command_lib.anthos.common.file_parsers. msg: The gkehub messages package. Returns: member_config: A MemberConfig configuration containing a single OIDC auth method for the IdentityServiceFeatureSpec. rMz-OIDC Authentication method must contain name.rH issuerURIclientIDzBinput config file OIDC Config must contain issuerURI and clientID.rNredeployCloudConsoleProxy extraParams groupPrefix groupsClaimzIgroupPrefix should be empty for method [{}] because groupsClaim is empty.kubectlRedirectURIscopes userClaim userPrefix clientSecretenableAccessToken)rr rrMIdentityServiceOidcConfig oidcConfig issuerUriclientIdvalidate_issuer_urirNrerrrrr)kubectlRedirectUrirrrrr)r`rr oidc_configs rrPrPsw ;   J KK335&v.F#+ #z'D   L "%!>!>!@+6{+C(*5j*A'"",,k&.A  )'2 ;.!>!@/('*  &'    P  F#TYY/D%E F  5@ 4N18C95?J?;  #1<_1M  .+%3>4  0[ .9,.G  +k!/:=/I  ,;& %%;;=  1+6+ eg+&   ' ' = = P P R -!0""33HHOO + as  G=&G=cJSU;a[R"S5eUR5nUSUlUSnUR 5UlSU;a USUlSU;a([R"SRUS55eUSUR lU$)aProvision FeatureSpec GoogleConfig from the parsed configuration file. Args: auth_method: YamlConfigFile, The data loaded from the yaml file given by the user. YamlConfigFile is from googlecloudsdk.command_lib.anthos.common.file_parsers. msg: The gkehub messages package. Returns: member_config: A MemberConfig configuration containing a single Google auth method for the IdentityServiceFeatureSpec. rMz/Google Authentication method must contain name.rIrNdisablezAThe "disable" field is not set for the authentication method "{}") rr rrMIdentityServiceGoogleConfig googleConfigrNr)r)r`rr google_configs rrQrQzs ;   L MM335&v.h'-#&#B#B#D  )'2m#   K  F# $ &&,9+C  ( rcRSU;a[R"S5eUR5nUSUlUR 5UlSU;a USUlUSnSU;d SU;dSU;a*SRUS5n[R"U5eUSUR lUSUR l USUR l S U;aUS UR l S U;aUS UR l S U;aUS UR l U$) aProvision FeatureSpec AzureADConfig from the parsed yaml file. Args: auth_method: YamlConfigFile, The data loaded from the yaml file given by the user. YamlConfigFile is from googlecloudsdk.command_lib.anthos.common.file_parsers. msg: The gkehub messages package. Returns: member_config: A MemberConfig configuration containing a single Azure AD auth method for the IdentityServiceFeatureSpec. rMz0AzureAD Authentication method must contain name.rNrJrrtenantzQAuthentication method [{}] must contain clientID, kubectlRedirectURI, and tenant.rr groupFormat)rr rrMIdentityServiceAzureADConfig azureadConfigrNr)rrrrrr)r`rrazuread_configrYs rrRrRsU ;   M NN335&v.$'$D$D$F! )'2y).& ^ 3  ' 4 f[ !    7 ##-;J-G!!*7E8!!4,:(+C!!(~%3A4##0N"0>{0K##-n$2@2O##/ rc4[RRU5nURS:wa%[R "SR U55eURb7SUR;a&[R "SR US55egg)zValidates Issuer URI field of OIDC config. Args: issuer_uri: issuer uri to be validated auth_method_name: auth method name that has this field httpsz:issuerURI is invalid for method [{}]. Scheme is not https.Nz .well-known/openid-configurationzHissuerURI is invalid for method [{}]. issuerURI should not contain [{}].)urllib3util parse_urlschemerr r)path) issuer_uriauth_method_nameurls rrrs  z*#ZZ7   DKK     XX@CHHL    (*LM Mr)__doc__ __future__rrrr>googlecloudsdk.corerrrOr4r5rrrr&r'rrrrjrtr}rrTrPrSrQrRrrrrs3&'*%P($(N *7$t 2j=B,^D@5pOdM` F3lr