cFSrSSKJr SSKJr SSKJr SSKrSSKrSSKrSSKJ r SSK J r SSK J r SS KJr SSKr\R""S 5r\R""S 5r\R""S 5r\R""S 5rSr\R""S5r\R""S5rSrSrSrSrSrSr"SS\ R>5r Sr!Sr"Sr#Sr$Sr%Sr&g)z1Utility for configuring and parsing secrets args.)absolute_import)division)unicode_literalsN) arg_parsers)ArgumentTypeError)map_util)logzo^(/+[a-zA-Z0-9-_.]*[a-zA-Z0-9-_]+)+((/*:(/*[a-zA-Z0-9-_.]*[a-zA-Z0-9-_]+)+)|(/+[a-zA-Z0-9-_.]*[a-zA-Z0-9-_]+))$z<^(?P[a-zA-Z0-9-_]+):(?P[1-9][0-9]*|latest)$zI^projects/([^/]+)/secrets/([a-zA-Z0-9-_]+)/versions/([1-9][0-9]*|latest)$z`^projects/(?P[^/]+)/secrets/(?P[a-zA-Z0-9-_]+):(?P[1-9][0-9]*|latest)$*ze^(?Pprojects/[^/]+/secrets/[a-zA-Z0-9-_]+)/versions/(?P[1-9][0-9]*|latest)$z@^projects/(?P[^/]+)/secrets/(?P[a-zA-Z0-9-_]+)$c[R"SSU5nSU;aSOSnURU5up#n[R"SSU5n[R"SSU5nSRX$5$)a7Canonicalizes secret path to the form `/mount_path:/secret_file_path`. Gcloud secret path is more restrictive than the backend (shortn/_bwgb3xdRxL). Paths are reduced to their canonical forms before the request is made. Args: secret_path: Complete path to the secret. Returns: Canonicalized secret path. z/+/:z/$z^/z{}:/{})resub rpartitionformat) secret_path seperator mount_path_secret_file_paths :lib/googlecloudsdk/command_lib/functions/secrets_config.py_CanonicalizePathr;squc;/+K'cS)$/$:$:9$E!*!vveR,*VVE2'78  66cZUR5(d [S5eUn[RU5(a [ U5nU$SU;a%[ R "SRU55 URS5(dUS;a[SRU55eU$)zValidates and canonicalizes secrets key configuration. Args: key: Secrets key configuration. Returns: Canonicalized secrets key configuration. Raises: ArgumentTypeError: Secrets key configuration is not valid. z?Secret environment variable names/secret paths cannot be empty.r z'{}' will be interpreted as a secret environment variable name as it doesn't match the pattern for a secret path '/mount_path:/secret_file_path'. X_GOOGLE_)GOOGLE_ENTRYPOINTGOOGLE_FUNCTION_TARGETGOOGLE_RUNTIMEGOOGLE_RUNTIME_VERSIONzCSecret environment variable name '{}' is reserved for internal use.) stripr_SECRET_PATH_PATTERNsearchrr warningr startswith)keycanonicalized_keys r_SecretsKeyTyper(Rs  I   %%)#.$ ! cz kk --3VC[  ~~k""c.'    rc[RU5n[RU5n[RU5nU(a3SR [ UR S5UR S5S9$U(aU$U(a>SR UR S5UR S5UR S5S9$[SR U55e)aRCanonicalizes secret value reference to the secret version resource name. Output format: `projects/{project}/secrets/{secret}/versions/{version}`. The project in the above reference will be * if the user used a default project secret. Args: value: Secret value reference as a string. Returns: Canonicalized secret value reference. z6projects/{project}/secrets/{secret}/versions/{version}secretversion)projectr*r+r,zSecrets value configuration must match the pattern 'SECRET:VERSION' or 'projects/{{PROJECT}}/secrets/{{SECRET}}:{{VERSION}}' or 'projects/{{PROJECT}}/secrets/{{SECRET}}/versions/{{VERSION}}' where VERSION is a number or the label 'latest' [{}])#_DEFAULT_PROJECT_SECRET_REF_PATTERNr#$_SECRET_VERSION_RESOURCE_REF_PATTERN_SECRET_VERSION_REF_PATTERNr_DEFAULT_PROJECT_IDENTIFIERgroupr)valuedp_secret_ref_matchsecret_version_res_ref_matchsecret_version_ref_matchs r_CanonicalizeValuer6ys<BB5I!E!L!L "9??F C J J+"((2#)))4 K  $ L C J J(..y9'--h7(..y9 K  =>DVE]  rcXSU;a[SRU55e[U5$)aVValidates secrets value configuration. The restrictions for gcloud are strict when compared to GCF to accommodate future changes without making it confusing for the user. Args: value: Secrets value configuration. Returns: Secrets value configuration as a string. Raises: ArgumentTypeError: Secrets value configuration is not valid. =z3Secrets value configuration cannot contain '=' [{}])rrr6)r2s r_SecretsValueTyper9s3 E\ =DDUK  E ""rcX:g=(dL X:g=(aA UR5UR5:H=(a U[:g=(a U[:g$)aReturns true if the two secrets differ. The secrets can be considered as different if either the secret name is different or the project is different with the secret name being the same. If one project is represented using the project number and the other is represented using its project id, then it may not be possible to determine if the two projects are the same, so the validation is relaxed. Args: project1: Project ID or number of the first secret. secret1: Secret name of the first secret. project2: Project ID or number of the second secret. secret2: Secret name of the second secret. Returns: True if the two secrets differ, False otherwise. )isdigitr0)project1secret1project2secret2s r_SecretsDifferr@sW$   2     0 0 2 22 1 12 1 1 rc [R"[5n[R"U5GH7up#[ R U5(dM"URS5Sn[R U5RS5nXA;a[R U5nURS5nURS5nXHn [R U 5n U RS5n U RS5n [XxX5(dMM[SRUU[:XaUOUU [:XaU S95eU S95e GM$XRU5 GM: g) z|Additional secrets validations that require the entire dict. Args: secrets_dict: Secrets configuration dict to validate. r rsecret_resourcer,r*znMore than one secret is configured for the mount path '{mount_path}' [violating secrets: {secret1},{secret2}].)rr=r?N) collections defaultdictlistsix iteritemsr"r#split'_SECRET_VERSION_SECRET_RESOURCE_PATTERNr1_SECRET_RESOURCE_PATTERNr@rrr0append) secrets_dictmount_path_to_secretr&r2r secret_res1secret_res_match1r<r= secret_res2secret_res_match2r>r?s r_ValidateSecretsrRs` %006MM,/jc""3''99S>!$j;BB5IOO k  +4;;KH$**95#))(3/;K6==kJ &,,Y7(%++H5' Hx A A#K)#>>$$#>>$   %   <( (// [[U] UUUUUUUUS9 g)z:Initializes the base ArgDict by forwarding the parameters.)key_type value_typespec min_length max_lengthallow_key_only required_keys operatorsN)superrT__init__) selfrWrXrYrZr[r\r]r^ __class__s rr`ArgSecretsDict.__init__s1 .$( %#) rc >[R"[[R"[ [ U]U5555n[U5 U$)N) rC OrderedDictsortedrFrGr_rT__call__rR)ra arg_valuerLrbs rrgArgSecretsDict.__call__s@**s}}U>4A)LMNL\" r)NNNrNFNN) __name__ __module__ __qualname____firstlineno____doc__r`rg__static_attributes__ __classcell__)rbs@rrTrTs/= .rrTc SnSnUR5nURSU[R[ [ [ S9SS9 UR[R"S5S9nURS U[R[ [ [ S9S S9 URS U[R[R"[ S 9S S9 URSSSS9 g)zmAdd flags for configuring secret environment variables and secret volumes. Args: parser: Argument parser. zlSECRET_ENV_VAR=SECRET_VALUE_REF,/secret_path=SECRET_VALUE_REF,/mount_path:/secret_file_path=SECRET_VALUE_REFz9SECRET_ENV_VAR,/secret_path,/mount_path:/secret_file_path --set-secrets)rWrXa) List of secret environment variables and secret volumes to configure. Existing secrets configuration will be overwritten. You can reference a secret value referred to as `SECRET_VALUE_REF` in the help text in the following ways. * Use `${SECRET}:${VERSION}` if you are referencing a secret in the same project, where `${SECRET}` is the name of the secret in secret manager (not the full resource name) and `${VERSION}` is the version of the secret which is either a `positive integer` or the label `latest`. For example, use `SECRET_FOO:1` to reference version `1` of the secret `SECRET_FOO` which exists in the same project as the function. * Use `projects/${PROJECT}/secrets/${SECRET}/versions/${VERSION}` or `projects/${PROJECT}/secrets/${SECRET}:${VERSION}` to reference a secret version using the full resource name, where `${PROJECT}` is either the project number (`preferred`) or the project ID of the project which contains the secret, `${SECRET}` is the name of the secret in secret manager (not the full resource name) and `${VERSION}` is the version of the secret which is either a `positive integer` or the label `latest`. For example, use `projects/1234567890/secrets/SECRET_FOO/versions/1` or `projects/project_id/secrets/SECRET_FOO/versions/1` to reference version `1` of the secret `SECRET_FOO` that exists in the project `1234567890` or `project_id` respectively. This format is useful when the secret exists in a different project. To configure the secret as an environment variable, use `SECRET_ENV_VAR=SECRET_VALUE_REF`. To use the value of the secret, read the environment variable `SECRET_ENV_VAR` as you would normally do in the function's programming language. We recommend using a `numeric` version for secret environment variables as any updates to the secret value are not reflected until new clones start. To mount the secret within a volume use `/secret_path=SECRET_VALUE_REF` or `/mount_path:/secret_file_path=SECRET_VALUE_REF`. To use the value of the secret, read the file at `/secret_path` as you would normally do in the function's programming language. For example, `/etc/secrets/secret_foo=SECRET_FOO:latest` or `/etc/secrets:/secret_foo=SECRET_FOO:latest` will make the value of the `latest` version of the secret `SECRET_FOO` available in a file `secret_foo` under the directory `/etc/secrets`. `/etc/secrets` will be considered as the `mount path` and will `not` be available for any other volume. We recommend referencing the `latest` version when using secret volumes so that the secret's value changes are reflected immediately.)metavaractiontypehelpz Only `--update-secrets` and `--remove-secrets` can be used together. If both are specified, then `--remove-secrets` will be applied first.)rw--update-secretsz List of secret environment variables and secret volumes to update. Existing secrets configuration not specified in this list will be preserved.--remove-secrets) element_typea List of secret environment variable names and secret paths to remove. Existing secrets configuration of secret environment variable names and secret paths not specified in this list will be preserved. To remove a secret environment variable, use the name of the environment variable `SECRET_ENV_VAR`. To remove a file within a secret volume or the volume itself, use the secret path as the key (either `/secret_path` or `/mount_path:/secret_file_path`).--clear-secrets store_truez4Remove all secret environment variables and volumes.)rurwN) add_mutually_exclusive_group add_argumentr UpdateActionrTr(r9add_argument_grouptextwrapdedentArgList)parser kv_metavar k_metavar flag_groupupdate_remove_flag_groups rConfigureFlagsrs7 J)224*   % % "/@ 1 D9v(:: ?? L ;''  % % "/@  ( ''  % %   O < + (&   Arcp1Skn[UR55n[URU55$)zReturns true if at least one of the flags for secrets is specified. Args: args: Argparse namespace. Returns: True if at least one of the flags for secrets is specified. >rsr{ryrx)setGetSpecifiedArgNamesbool intersection)args secrets_flagsspecified_flagss rIsArgsSpecifiedrs4- 1134/ o**=9 ::rc[R"U5VVs0sH#up[RU5(dM!X_M% nnn[R"U5VVs0sHupX;dM X_M nnn[R "[ [R"U555[R "[ [R"U5554$s snnfs snnf)zSplits the secrets dict into sorted ordered dicts for each secret type. Args: secrets_dict: Secrets configuration dict. Returns: A tuple (secret_env_vars, secret_volumes) of sorted ordered dicts for each secret type. )rFrGr"r#rCrerf)rLkvsecret_volumessecret_env_varss rSplitSecretsDictrs-- --$!  $ $Q ' ad- }}\22tqa6Mdad2fS]]?%CDEfS]]>%BCD  s CC C$/C$cP[RU5(a [U5$U$)zCanonicalizes secrets configuration key. Args: key: Secrets configuration key. Returns: Canonicalized secrets configuration key. )r"r#r)r&s rCanonicalizeKeyrs%  %% S !! *rcf[R"SRUS9SRUS9U5$)aReplaces the default project number in place of * or project ID. Args: secret_version_ref: Secret value reference. default_project_id: The project ID of the project to which the function is deployed. default_project_number: The project number of the project to which the function is deployed. Returns: Secret value reference with * or project ID replaced by the default project. zprojects/([*]|{project_id})/) project_idzprojects/{project_number}/)project_number)rrr)secret_version_refdefault_project_iddefault_project_numbers r_SubstituteDefaultProjectrsB %,,8J,K"))/*  rc T[R"SU5n[R"U40UD6n[R"U5VVs0sHupgU[ XrU5_M nnn[ R"[[R"U555n[U5 U$s snnf)a3Applies the current flags to existing secrets configuration. Args: old_secrets: Existing combined secrets configuration dict. args: Argparse namespace. default_project_id: The project ID of the project to which the function is deployed. default_project_number: The project number of the project to which the function is deployed. Returns: new_secrets: A new combined secrets configuration dict generated by applying the flags to the existing secrets configuration. Raises: ArgumentTypeError: Generated secrets configuration is invalid. secrets) rGetMapFlagsFromArgs ApplyMapFlagsrFrGrrCrerfrR) old_secretsrrr secret_flags new_secrets secrets_key secrets_values r ApplyFlagsrs$--i>,&&{ClC+ ), k(B )C $+, -C)C  ''s}}[/I(JK+; sB$)'ro __future__rrrrCrrgooglecloudsdk.callioper#googlecloudsdk.calliope.arg_parsersr$googlecloudsdk.command_lib.util.argsrgooglecloudsdk.corer rFcompiler"r-r.r/r0rIrJrr(r6r9r@rRArgDictrTrrrrrrrjrrrs8&' /A9# zz+ ')jjB'#(*zzO($!jj( "*,**1+'::F 7.$N&R#,4'=T[((Dsl;&0  0 r