@SrSSKJr SSKJr SSKJr SSKrSSKrSSKrSSKJ r SSK J r SSK J r SS K Jr SSKr"S S \R 5r"S S \5r"SS\5r"SS\5rSrSrSr"SS\R2"\R4\55r"SS\5r"SS\5r"SS\5r"SS\5r"SS \5r "S!S"\5r!"S#S$\5r""S%S&\#5r$g)'z'Generators for Credential Config Files.)absolute_import)division)unicode_literalsN)enterprise_certificate_config)log) properties)filesc\rSrSrSrSrSrg) ConfigType N)__name__ __module__ __qualname____firstlineno__WORKLOAD_IDENTITY_POOLSWORKFORCE_POOLS__static_attributes__rAlib/googlecloudsdk/command_lib/iam/byoid_utilities/cred_config.pyr r s /rr c8\rSrSrSrSSjr\S5rSrg)ByoidEndpoints%zBase class for BYOID endpoints.cU(aU(aUS:wa [S5eSUlSUlXlU(aSOSUlX0lX@lg)NglobalzGmTLS is not supported with locational Security Token Service endpoints.z"https://{service}.{mtls}{universe}z/https://{service}.{sts_location}.rep.{universe}zmtls.)GeneratorError_sts_global_template_sts_locational_template_service_mtls_universe_domain _sts_location)selfservice enable_mtlsuniverse_domain sts_locations r__init__ByoidEndpoints.__init__(sV| (@   !ED9 !M'RDJ+%rc(UR(aURS:Xa9URRURURUR S9$UR RURURUR S9$)Nr)r'mtlsuniverse)r'r*r/)r%r formatr"r#r$r!)r&s r _base_urlByoidEndpoints._base_url?s   !3!3x!?  & & - ---djj4;P;P.  ( ( / / ''&& 0 r)r#r"r r%r!r$N)Fzgoogleapis.comr) rrrr__doc__r+propertyr1rrrrrr%s)' & &.    rrc\^\rSrSrSrU4Sjr\S5r\S5r\S5r Sr U=r $) StsEndpointsLz$Simple class to build STS endpoints.c .>[[U] "S0UD6 g)N)sts)superr6r+)r&kwargs __class__s rr+StsEndpoints.__init__Os ,&77rc>SnSRURU5$)Nzv1/token{}/{}r0r1r&apis r token_urlStsEndpoints.token_urlRs C >>$..# ..rc>SnSRURU5$)Nz v1/oauthtokenr?r@rAs roauth_token_urlStsEndpoints.oauth_token_urlW C >>$..# ..rc>SnSRURU5$)Nz v1/introspectr?r@rAs rtoken_info_urlStsEndpoints.token_info_url\rHrr) rrrrr3r+r4rCrFrJr __classcell__r<s@rr6r6LsG,8 / / / / / /rr6c<^\rSrSrSrU4Sjr\S5rSrU=r $) IamEndpointsbz/Simple class to build IAM Credential endpoints.c :>Xl[[U]"S0UD6 g)N)iamcredentials)_service_accountr:rOr+)r&service_accountr;r<s rr+IamEndpoints.__init__es+ ,&B6BrcpSRUR5nSRURU5$)Nz4v1/projects/-/serviceAccounts/{}:generateAccessTokenr?)r0rSr1rAs rimpersonation_urlIamEndpoints.impersonation_urlis2 @ G G  C >>$..# ..r)rS) rrrrr3r+r4rWrrLrMs@rrOrObs 7C / /rrOzcredential configuration filec[USS5SLn[USS5n[USS5nU(a%U(d[US5(a [S5eSn[RR R n[US S5(a UR nOTUR5(aUR5nO.[RR R Rn[UUUS 9n[X5nUS S UR-URUR5URUR!U5S .n U["R$LaUR&U S'UR((aK[+UR(UUS9n U R,U S'0n UR.(aUR.U S'XS'OUR0U S'[2R4"UR6[8R:"U SS95 [<R>"UR6[@5 [CU[D5(aY[FRH"[FR"RJURLURNURPURRS9 gg![a8n [<R>"UR6[@U RTS9 Sn A gSn A ff=f)z;Creates the byoid credential config based on CLI arguments.credential_cert_pathNr(Fr*rz8Cannot disable mTLS when a certificate path is provided.Tr))r(r)r*external_accountz//iam.googleapis.com/)r)typeaudiencesubject_token_typerCcredential_sourceworkforce_pool_user_project)r(r)!service_account_impersonation_urltoken_lifetime_secondsservice_account_impersonationrJr)indent) cert_pathkey_path output_filetrust_chain_path)failed)+getattrhasattrrrVALUEScorer)IsExplicitlySetGetdefaultr6 get_generatorr]get_token_typer^rC get_sourcer rr`rTrOrW&service_account_token_lifetime_secondsrJr WriteFileContentsrgjsondumpsrCreatedResource RESOURCE_TYPE isinstanceX509CredConfigGeneratorr create_configWORKLOADrZ credential_cert_private_key_path)credential_cert_configuration_output_file credential_cert_trust_chain_pathmessage) args config_typeis_certr(r*universe_domain_propertyr)token_endpoint_builder generatoroutputsa_endpoint_builderrccces rcreate_credential_configrts D0$ 7t C'mU3+~r2, 7477  D K(..33CC T$d++**O//11.224O '',,<<DDO'% 1Md0I*"+dmm;'66t7N7NO+55&11$7 Fj000.2.N.Nf *+ (   !)  / / 01')# 4 4  7 7 &&>?3P./!7!F!Ff  D,,djj.JK((-8)455#11 ' 2 2 ; ;--88DD@@ 6 M((- LMs9F&J!! K#+.KK#cUR(a[XR5$UR(a [XRUR5$UR (a[ US5(aGUR(a6[XR URURUR5$[XR URUR5$UR(a [5$UR(a [UR UR"5$UR$(a6['UR$UR(UR*UR,5$g)z@Determines the type of credential output based on CLI arguments.%executable_interactive_timeout_millisN)credential_source_fileFileCredConfigGeneratorcredential_source_urlUrlCredConfigGeneratorcredential_source_headersexecutable_commandrkr(InteractiveExecutableCredConfigGeneratorexecutable_timeout_millisexecutable_output_fileExecutableCredConfigGeneratorawsAwsCredConfigGeneratorazureAzureCredConfigGenerator app_id_urir]rZr{r~rr)rrs rrqrqs1   ";0K0K LL  !+/I/I"&"@"@ BB t<>> 5 ..0N0N  % %  4 466 )6M6M)-)G)G)-)D)D FF XX ! ## ZZ #DOOT]] CC  " !! -- 66 --  rcT\rSrSrSrSrSrSrSr\ RS5r Sr g ) CredConfigGeneratorz2Base class for generating Credential Config files.cXlgNr)r&rs rr+CredConfigGenerator.__init__s"rcZSnUR[RLaSnU=(d U$)z;Returns the type of token that this credential config uses.$urn:ietf:params:oauth:token-type:jwtz)urn:ietf:params:oauth:token-type:id_token)rr r)r&r^default_token_types rrr"CredConfigGenerator.get_token_types1@ :555F  3!33rcU(dgUR5nUS;a [S5eSU0nUS:XaU(d [S5eX#S'U$)aReturns an optional dictionary indicating the format of the token. This is a shared method, that several different token types need access to. Args: credential_source_type: The format of the token, either 'json' or 'text'. credential_source_field_name: The field name of a JSON object containing the text version of the token. Raises: GeneratorError: if an invalid token format is specified, or no field name is specified for a json token. N)rvtextz8--credential-source-type must be either "json" or "text"r\rvzA--credential-source-field-name required for JSON formatted tokenssubject_token_field_name)lowerr)r&credential_source_typecredential_source_field_name token_formats r _get_formatCredConfigGenerator._get_formatsm " 399;%55  D FF23L' ) OQ Q1M-. rc(U(a [S5eg)Nz?--credential-source-type is not supported with --azure or --aws)r)r&rs r_format_already_defined+CredConfigGenerator._format_already_defineds  K MMrcg)z@Gets the credential source info used for this credential config.Nrr&rs rrsCredConfigGenerator.get_sources rrN) rrrrr3r+rrrrabcabstractmethodrsrrrrrrs5:#4@M   rrc2^\rSrSrSrU4SjrSrSrU=r$)ri!z0The generator for File-based credential configs.c8>[[U] U5 X lgr)r:rr+r)r&rrr<s rr+ FileCredConfigGenerator.__init__$s !41+>"8rcSUR0nURURUR5nU(aX2S'U$)Nfiler0)rrrrr&rr_rs rrs"FileCredConfigGenerator.get_source(sF![[U] U5 X lX0lgr)r:rr+rr)r&rrrr<s rr+UrlCredConfigGenerator.__init__4s $0=!6%>"rcSUR0nUR(aURUS'URURUR5nU(aX2S'U$)Nurlheadersr0)rrrrrrs rrs!UrlCredConfigGenerator.get_source:s` : :; %%%)%C%C "##D$?$?$($E$EGL$0! r)rrrrMs@rrr1s7? rrc2^\rSrSrSrU4SjrSrSrU=r$)riEz?The generator for executable-command-based credentials configs.c>U(a [U5n[[U]U5 X lU=(d SUlX@lg)Ni0u)intr:rr+commandtimeout_millisrg)r&rrrrgr<s rr+&ExecutableCredConfigGenerator.__init__Hs8>*n '7 DL(1ED"rc|URURS.nUR(aURUS'SU0$)N)rrrg executable)rrrgr&rexecutable_configs rrs(ExecutableCredConfigGenerator.get_sourceQsB<<--  )-)9)9 & + ,,r)rrgrrrMs@rrrEsG# - -rrc2^\rSrSrSrU4SjrSrSrU=r$)ri]zUThe generator for executable-command-based credentials configs with interactive mode.cN>[[U] XX45 [U5Ulgr)r:rr+rinteractive_timeout_millis)r&rrrrgrr<s rr+1InteractiveExecutableCredConfigGenerator.__init__`s' 2 $~K&)*D&ED#rcUR(d [S5eURURURURS.nSU0$)NzW--executable-output-file must be specified if --interactive-timeout-millis is provided.)rrrgrr)rgrrrrrs rrs3InteractiveExecutableCredConfigGenerator.get_sourcefsZ    G HH<<--''&*&E&E  + ,,r)rrrMs@rrr]s]F - -rrc8^\rSrSrSrU4SjrSrSrSrU=r $)riuz/The generator for AWS-based credential configs.cH>[[U] [R5 gr)r:rr+r r)r&r<s rr+AwsCredConfigGenerator.__init__xs #;;[[U] [R5 XlX lgr)r:rr+r rrr])r&rr]r<s rr+!AzureCredConfigGenerator.__init__s' " #;;< OMrcg)Nrrrs rrr'AzureCredConfigGenerator.get_token_types 1rcURUR5 SUR=(d SUR--SS0SSS.S.$) NzVhttp://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=zhttps://iam.googleapis.com/MetadataTruerv access_token)r\r)rrr0)rrrr]rs rrs#AzureCredConfigGenerator.get_sources[  ![[U] [R5 XlX lX0lX@lgr) r:r{r+r rcertificate_pathrfcert_config_pathrh)r&rrfrrhr<s rr+ X509CredConfigGenerator.__init__s6  ! #;;<,M,,rcg)Nz%urn:ietf:params:oauth:token-type:mtlsrrs rrr&X509CredConfigGenerator.get_token_types 2rc0nURc [S5eURbURUS'OSUS'URbURUS'SU0$)Nz[--credential-cert-private-key-path must be specified if --credential-cert-path is provided.certificate_config_locationTuse_default_certificate_configrh certificate)rfrrrh)r&rcertificate_configs rrs"X509CredConfigGenerator.get_sourcesz }}     (:>:O:O67=A9: (/3/D/D+, - ..r)rrrfrhrrMs@rr{r{s9 -3//rr{c(^\rSrSrU4SjrSrU=r$)ric6>[[U] 5 Xlgr)r:rr+r)r&rr<s rr+GeneratorError.__init__s .$(*Lr)r)rrrrr+rrLrMs@rrrs rr)%r3 __future__rrrrenumrvgooglecloudsdk.command_lib.authrgooglecloudsdk.corerrgooglecloudsdk.core.utilr sixEnumr objectrr6rOryrrqwith_metaclassABCMetarrrrrrrr{ Exceptionrrrrr s.&' I#**  $V$N/>/, /> /0 QMh>7 #,,S[[&A7 t 1  0(-$7-0-/L-00>2:%/1%/PYr