o PI@sdZddlmZddlmZddlmZddlZddlZddlZddlZddl m Z ddl m Z ddlmZdd lmZdd lmZddlm Z dd lmZdd lmZdd lmZddlmZddlZdZdZdZdZdZddZej e!ddZ"ddZ#GdddZ$Gddde j%Z&Gddde j%Z'd d!Z(d"d#Z)d$d%Z*d&d'Z+d(d)Z,d*e-fd+d,Z.d-d.Z/Gd/d0d0ej0Z1Gd1d2d2e2Z3Gd3d4d4e3Z4Gd5d6d6e3Z5da6d7d8Z7dS)9z'Helper module for context aware access.)absolute_import)division)unicode_literalsN) exceptions) _mtls_helper)enterprise_certificate_config) argv_utils)config)log) properties)files) platforms access_deniedzAccount restricteda Access was blocked by Context Aware Access. If you are using gcloud on a remote machine via SSH and your organization requires gcloud from a company managed device, please first CRD (Chrome Remote Desktop) or RDP (Remote Desktop Protocol) into your remote machine and log into Chrome using your credentials to register your remote machine. After that, you may need to wait for a few minutes before retrying. If you are using cloud shell, you don't need to run `gcloud auth login` and can run your gcloud commands directly.agAccess was blocked by Context Aware Access. Possible solutions: 1. Please restart your terminal if you haven't already and try again. 2. If you are using gcloud on Cloudtop or other remote machines via SSH and your organization requires gcloud from a company managed device, please first CRD (Chrome Remote Desktop) or RDP (Remote Desktop Protocol) into your remote machine and log into Chrome using your credentials to register your remote machine. After that, you may need to wait for a few minutes before retrying. 3. Please do not use gcloud in Cloud Shell as it is not a Google managed device. Choose corp machines instead, for example, gMac, gLinux, gWindows, or Cloudtop. If you are not able to do any of the above, please apply for policy exemption via go/gcloud-cba-exemption. If you have any questions, please reach out to go/gcloud-cba-investigation.aAccess was blocked by Context Aware Access. You can try to fix this by updating the context_aware/use_client_certificate flag to true. To do that, run `gcloud config set context_aware/use_client_certificate true` and try running your command again. If your device has the env variable CLOUDSDK_CONTEXT_AWARE_USE_CLIENT_CERTIFICATE configured, ensure it is set to true as that overrides the gcloud properties flag.cCst|}t|vo t|vSN)six text_type!CONTEXT_AWARE_ACCESS_DENIED_ERROR-CONTEXT_AWARE_ACCESS_DENIED_ERROR_DESCRIPTION)excexc_textr>/tmp/google-cloud-sdk/lib/googlecloudsdk/core/context_aware.pyIsContextAwareAccessDeniedErrorUs rz.secureConnectzcontext_aware_metadata.jsoncCstjjj}|dur |StS)z=Return the file path of the context aware configuration file.N)r VALUES context_awareauto_discovery_file_pathGet DEFAULT_AUTO_DISCOVERY_FILE_PATH)cfg_filerrr_AutoDiscoveryFilePathbsrc@seZdZdZeddZdS)ContextAwareAccessErrorzpassphrase_bytes cert_pathfr@rAerrrEncryptedSSLCredentialss0      rPcCst}d|vr dSd|vrdSt|ddkrdSd|vr"dStgd}tjjj r8t r8| dt|d}||krFdSdS) zVCheck if ECP binaries should be installed and the ECP config updated to point to them.initF cert_configslibs)ecp ecp_client tls_offloadecp_http_proxyT) rGetDecodedArgvlenkeyssetr rruse_ecp_http_proxyr#r!add) cert_configargs expected_keys actual_keysrrr_ShouldRepairECPs&   rccCs>tj}|jtjjkr|jtjjkrtj rtjj |_|Sr) r PlatformCurrentoperating_systemOperatingSystemMACOSX architecture Architecturex86_64IsActuallyM1ArmArchitecturearm)platformrrr _GetPlatforms   roc Cstjjjdddlm}t}|jdd|d}z | dgd}Wnt j y<}z t dj tjd |d}~ww|rStjt||d tjjjd dSdS) zInstall ECP and update the ecp config to include the new binaries. Args: cert_config_file_path: The filepath of the active certificate config. See go/gcloud-ecp-repair. Fr)update_managerN)sdk_rooturlplatform_filterzenterprise-certificate-proxyzDevice appears to be enrolled in Certificate Based Access but is missing critical components. Installing enterprise-certificate-proxy and restarting gcloud.aEnterprise Certificate Proxy cannot be repaired because you do not have permission to modify the Google Cloud SDK installation directory [{sdk_root}]. Please reinstall Google Cloud SDK in a location where you have write permissions, such as your home directory.)rq) output_fileT)r rrr"Setgooglecloudsdk.core.updaterrpro UpdateManagerEnsureInstalledAndRestartrRequiresAdminRightsErrorrJformatr rFrqr update_configplatform_to_config)cert_config_file_pathrprnupdateralready_installedrOrrr _RepairECPs:  rcertificate_config_file_pathc Csz t|}t|WSty)}ztd|}t||WYd}~dSd}~wtjyG}ztd|}t||WYd}~dSd}~ww)aLLoads and returns the enterprise certificate configuration from the given file path. Args: certificate_config_file_path: The path to the JSON configuration file. Returns: A dictionary representing the parsed JSON configuration. Raises: CertProvisionException: If the file cannot be read or is not valid JSON. z?The enterprise certificate config file is not a valid JSON fileNz1Failed to read enterprise certificate config file) r ReadFileContentsjsonloads ValueErrorr3rr:rJ)rcontentr@rArrrGetCertificateConfig's"  rcCstjjj}|durt}tj |sdSt |}d|vr6d|dvr6tj |dds6t d |d|vr\d|dvr\tj |dds\tjjj r\tr\t d |t|rdt||S)a>Finds, loads, validates, and potentially repairs the enterprise certificate config file. This function determines the path to the config file by first checking the `context_aware.certificate_config_file_path` property. If that is not set, it falls back to the default path from `config.CertConfigDefaultFilePath()`. If the file exists, it's read and parsed as JSON. It then performs validations, such as ensuring that if an ECP binary path is specified, that binary file actually exists on the filesystem. Lastly, it may also trigger an in-place repair of the ECP configuration by installing missing components if needed. Returns: str: The path to the config file if found and valid. Returns None if the config file does not exist. Raises: CertProvisionException: - If the config file fails to be read (e.g., file permissions). - If the config file content is not valid JSON. - If an 'ecp' or 'ecp_http_proxy' (if enabled) binary path is specified in the config but the file is not found. NrTrUaEnterprise certificate provider (ECP) binary path (cert_config["libs"]["ecp"]) specified in enterprise certificate config file was not found. Cannot use mTLS with ECP if the ECP binary does not exist. Please check the ECP configuration. See `gcloud topic client-certificate` to learn more about ECP. If this error is unexpected either delete {} or generate a new configuration with `$ gcloud auth enterprise-certificate-config create --help` rXaEnterprise certificate provider (ECP) HTTP proxy binary path (cert_config["libs"]["ecp_http_proxy"]) specified in enterprise certificate config file was not found. Cannot use mTLS with ECP if the ECP HTTP proxy binary does not exist. Please check the ECP configuration. See `gcloud topic client-certificate` to learn more about ECP. If this error is unexpected either delete {} or generate a new configuration with `$ gcloud auth enterprise-certificate-config create --help` )r rrrrr CertConfigDefaultFilePathrCrDexistsrr3rzr]r#r!rcr) file_pathr_rrr_GetCertificateConfigFileDsB     rc@seZdZdZdZdS) ConfigTyperSN)r'r(r)ENTERPRISE_CERTIFICATEON_DISK_CERTIFICATErrrrrsrc@s$eZdZdZeddZddZdS) _ConfigImplaRepresents the configurations associated with context aware access. Both the encrypted and unencrypted certs need to be generated to support HTTP API clients and gRPC API clients, respectively. Only one instance of Config can be created for the program. cCsftjjjs dSt}|rtdt|Stdt }t |\}}t |\}}t |||||S)zLoads the context aware config.Nz'enterprise certificate is used for mTLSz$on disk certificate is used for mTLS) r rrr"r#rr rK_EnterpriseCertConfigImplrrBrP_OnDiskCertConfigImpl)clsrr;r=r>encrypted_cert_pathpasswordrrrLoads     z_ConfigImpl.LoadcCs ||_dSr) config_type)r/rrrrr.s z_ConfigImpl.__init__N)r'r(r)r* classmethodrr.rrrrrs   rcs2eZdZdZfddZedefddZZS)rz{Represents the configurations associated with context aware access through a enterprise certificate on TPM or OS key store.cstt|tj||_dSr)r-rr.rrr)r/rr0rrr.s  z"_EnterpriseCertConfigImpl.__init__returncCstjjj}|o tS)zHReturns True if the necessary conditions to use the local proxy are met.)r rrr]r#r!)r/r]rrruse_local_proxys  z)_EnterpriseCertConfigImpl.use_local_proxy) r'r(r)r*r.propertyboolrr2rrr0rrs  rcs(eZdZdZfddZddZZS)ra&Represents the configurations associated with context aware access through a certificate on disk. Both the encrypted and unencrypted certs need to be generated to support HTTP API clients and gRPC API clients, respectively. Only one instance of Config can be created for the program. cs@tt|tj||_||_||_||_||_ t |j dSr) r-rr.rrr;client_cert_bytesclient_key_bytesencrypted_client_cert_pathencrypted_client_cert_passwordatexitregisterCleanUp)r/r;rrrrr0rrr.sz_OnDiskCertConfigImpl.__init__c Csv|jdur7tj|jr9zt|jtd|jWdStjy6}z t d|WYd}~dSd}~wwdSdS)z=Cleanup any files or resource provisioned during config init.Nzunprovisioned client cert - %sz(failed to remove client certificate - %s) rrCrDrremover rKr rJerror)r/rOrrrrs  z_OnDiskCertConfigImpl.CleanUp)r'r(r)r*r.rr2rrr0rrs rcCststatS)zCRepresents the configurations associated with context aware access.)singleton_configrrrrrrConfigsr)8r* __future__rrrrenumrrC google.authrr8google.auth.transportrgooglecloudsdk.command_lib.authrgooglecloudsdk.corerr r r googlecloudsdk.core.utilr r rrrr&r%r$rrDrE GetHomeDirrrr rJr,r3rBrPrcrorstrrrEnumrobjectrrrrrrrrrs`                  %! -V$'