o M@sdZddlmZddlmZddlmZddlZddlZddlZddlZddl Z ddl Z ddl Z ddl Z ddl Z ddlZddlZddlZddlmZddlmZddlmZdd lmZdd lmZdd lmZdd lmZdd lmZddlmZddlmZddl Z ddlZddl!Z!ddl"m#Z$ddl"m%Z%ddl&Z&ddl'm(Z(zddl)m*Z+Wn e,yddl%Z+YnwdZ-da.       dHddZ/Gddde0dgdZ1ddZ2Gdddej3j4Z4dd Z5d!Z6Gd"d#d#e7Z8Gd$d%d%ej3j4Z9d&ej:d'ej3j;fd(d)Z  dJd.d/Z?d0d1Z@Gd2d3d3ejAZAGd4d5d5ejBZBGd6d7d7ejCZCd8d9ZDGd:d;d;ZEdKdd?d?e!GejHZIGd@dAdAZJdBdCZKdDdEZLdFdGZMdS)Lz;A module to get an unauthenticated requests.Session object.)absolute_import)division)unicode_literalsN)requests)_MutualTlsOffloadAdapter) context_aware)execution_utils)log) properties) transport)encoding)http_proxy_types) platforms) http_client)urllibcreate_urllib3_contextahIt appears that the current proxy configuration is using an HTTPS scheme for contacting the proxy server, which likely indicates an error in your HTTPS_PROXY environment variable setting. This can usually be resolved by setting HTTPS_PROXY=http://... instead of HTTPS_PROXY=https://... See https://cloud.google.com/sdk/docs/proxy-settings for more information.FunsetcCs&t|||||}tj|||d}|S)a3Get a requests.Session that is properly configured for use by gcloud. This method does not add credentials to the client. For a requests.Session that has been authenticated, use core.credentials.requests.GetSession(). Args: timeout: double, The timeout in seconds. This is the socket level timeout. If timeout is None, timeout is infinite. If default argument 'unset' is given, a sensible default is selected using transport.GetDefaultTimeout(). ca_certs: str, absolute filename of a ca_certs file that overrides the default. The gcloud config property for ca_certs, in turn, overrides this argument. session: requests.Session instance streaming_response_body: bool, True indicates that the response body will be a streaming body. redact_request_body_reason: str, the reason why the request body must be redacted if --log-http is used. If None, the body is not redacted. client_certificate: str, absolute filename of a client_certificate file that is set explicitly for client certificate authentication client_key: str, absolute filename of a client_key file that is set explicitly for client certificate authentication Returns: A requests.Session object configured with all the required settings for gcloud. )streaming_response_bodyredact_request_body_reason)_CreateRawSessionRequestWrapperWrapWithDefaults)timeoutca_certssessionrrclient_certificate client_keyrr9/tmp/google-cloud-sdk/lib/googlecloudsdk/core/requests.py GetSessionEs"r c"eZdZdZdfdd ZZS)ClientSideCertificatezHolds information about a client side certificate. Attributes: certfile: str, path to a cert file. keyfile: str, path to a key file. password: str, password to the private key. Ncstt|||||SN)superr"__new__)clscertfilekeyfilepassword __class__rrr%{s zClientSideCertificate.__new__r#)__name__ __module__ __qualname____doc__r% __classcell__rrr*rr"psr")r'r(r)cCstS)zReturns a urrlib3 SSL context.rrrrrCreateSSLContextsr1cs@eZdZdZfddZfddZfddZdd ZZS) HTTPAdaptera=Transport adapter for requests. Transport adapters provide an interface to extend the default behavior of the requests library using the full power of the underlying urrlib3 library. See https://requests.readthedocs.io/en/master/user/advanced/ #transport-adapters for more information about adapters. cs ||_tt|j|i|dSr#) _cert_infor$r2__init__)selfclient_side_certificateargskwargsr*rrr4szHTTPAdapter.__init__c ||tt|j|i|Sr#)_add_ssl_contextr$r2init_poolmanagerr5r7r8r*rrr; zHTTPAdapter.init_poolmanagercr9r#)r:r$r2proxy_manager_forr<r*rrr>r=zHTTPAdapter.proxy_manager_forcCsf|jsdSt}|i}|jjr|jj|d<|jjr"|jj|d<|j|jjfi|||d<dS)Nr(r) ssl_context)r3r1load_default_certsr(r)load_cert_chainr')r5r8contextcert_chain_kwargsrrrr:s   zHTTPAdapter._add_ssl_context) r,r-r.r/r4r;r>r:r0rrr*rr2s   r2c Cs$tjjj}tjjj}tjjj}tdd|||fD}|dkr.|dkr.t d|s2dStjjj }tjjj }tjjj }tj|}|tjkrX|rUdnd}n|tjkrd|rad nd }n|tjkrld }ntd ||sw|rd dd||fD} | d7} nd} d|| ||S)zReturns the proxy string for use by requests from gcloud properties. See https://requests.readthedocs.io/en/master/user/advanced/#proxies. cSsg|]}|r|qSrr).0frrr sz GetProxyInfo..rz\Please set all or none of the following properties: proxy/type, proxy/address and proxy/portNsocks4asocks4socks5hsocks5httpzUnsupported proxy type: {}:css |] }tj|p dVqdS)N)rparsequote)rDxrrr s zGetProxyInfo..@rNz {}://{}{}:{})r VALUESproxy proxy_typeGetaddressportGetIntlenInvalidValueErrorrdnsGetBoolusernamer)r PROXY_TYPE_MAPsocksPROXY_TYPE_SOCKS4PROXY_TYPE_SOCKS5PROXY_TYPE_HTTP ValueErrorformatjoin) rV proxy_address proxy_portproxy_prop_set proxy_rdns proxy_user proxy_passhttp_proxy_type proxy_scheme proxy_authrrr GetProxyInfos@       rqaPlease use the installed gcloud CLI (`apt install google-cloud-cli`) This version of gcloud you are currently using will encounter issues due to changes in internal security policy enforcement in the near future. If this is not possible due to dev requirements, please apply for policy exemption at go/gcloud-cba-exemption-internal-version-gcloud using this error message to self-exempt or reach out to go/gcloud-cba-investigation for investigation. cr!) ECPProxyErrorzCustom exception for errors related to the ECP proxy communication. For example, startup failures or receiving a specific proxy error header. Ncs.||_t|r|d|dS|dS)N: )original_exceptionr$r4)r5messagertr*rrr4s zECPProxyError.__init__r#)r,r-r.r/r4r0rrr*rrrsrrcseZdZdZ  ddededeffdd Zd efd d Z dd eded efddZdeded dfddZ ded ed dfddZ fddZ ddZ fddZ ZS)_LocalECPProxyAdaptera+A requests adapter that routes HTTPS requests through a local ECP proxy. This adapter starts the ECP proxy as a background process upon instantiation and manages its lifecycle, terminating it when the adapter is closed. This avoids the overhead of starting a new process for every request. Ncertificate_config_file_pathgcloud_proxy_urlstartup_timeoutc sV||_||_tjdi|t|jd|_d|_t d|_ |j |dd|_ dS)abInitializes the adapter and starts the local ECP proxy process. Args: certificate_config_file_path: Path to the JSON certificate config file. gcloud_proxy_url: Optional URL for proxy chaining. startup_timeout: Seconds to wait for the proxy to become available. **kwargs: Additional arguments for the HTTPAdapter. N localhost) max_retriesr)rxryr$r4atexitregisterclose proxy_process proxy_hostsecrets token_hex nonce_token_start_ecp_proxy_with_retriesri)r5rxryrzr8r*rrr4s   z_LocalECPProxyAdapter.__init__returncCsBt}|d|dWdS1swYdS)z4Dynamically finds and returns an available TCP port.)rNrr}N)socketbind getsockname)r5srrr_find_free_ports   $z%_LocalECPProxyAdapter._find_free_portr}rr~c Cst|j}|did}|std|jt|dD]U}|}|j||dz |j ||d|WStyt}z0|j rO|j durO|j ||krdt d|d |WYd}~qt d |d |d}~wwdS) aAttempts to start the ECP Proxy, retrying on failure. This method orchestrates the proxy startup by finding an available port, launching the proxy process, and waiting for it to become responsive. If the proxy fails to start, it retries the process until either succeeds or the maximum number of retries is reached. Args: timeout: The maximum time in seconds to wait for the proxy to start max_retries: The maximum number of times to retry starting the proxy. Returns: The port number on which the proxy successfully started. Raises: ECPProxyError: If the proxy fails to start after all retry attempts. libsecp_http_proxyaECP HTTP proxy binary path is not specified in enterprise certificate config file. Cannot use mTLS with ECP if the ECP HTTP proxy binary does not exist. Please check the ECP configuration. See `gcloud topic client-certificate` to learn more about ECP. If this error is unexpected either delete {} or generate a new configuration with `$ gcloud auth enterprise-certificate-config create --help` r})rri)rirNz"ECP proxy failed to start on port rsz ECP proxy failed to start after z retries: )rGetCertificateConfigrxgetrrrfranger_start_ecp_proxy_wait_for_proxyrpoll terminater warningerror)r5rr~ cert_configrattemptrierrrrs8    z3_LocalECPProxyAdapter._start_ecp_proxy_with_retriesrric Cstd|d|jdt|d|jg}|jr|d|jgtj|g|R}z t j |ddd|_ WdSt t fyQ}ztd|td |d |d}~ww) a Launches the local ECP proxy executable as a subprocess. Constructs the necessary command-line arguments, including the ECP config path, port, nonce token, and an optional upstream proxy URL. It then uses subprocess.Popen to start the proxy process in the background. Args: ecp_http_proxy: The path to the ECP HTTP proxy binary. proxy_port: The TCP port for the proxy to listen on. Raises: ECPProxyError: If the subprocess fails to start due to OSError or ValueError. z(Starting local ECP proxy server on port z!-enterprise_certificate_file_pathz-portz -nonce_tokenz%-gcloud_configured_upstream_proxy_urlN)stdoutstderrz&Failed to start ECP proxy executable: z!Failed to start ECP proxy processrt)r debugrxstrrryextendrArgsForExecutableTool subprocessPopenrOSErrorrerrr)r5rrir7 proxy_argsrrrrrTs8 z&_LocalECPProxyAdapter._start_ecp_proxyc Csntd|dt}t||kr[|jdur&td|jjdztj |j |fdd  WdWn31s>wYWnt yRt dYq wt||ks| td|j d |d |d z3d |j d |d }tj|dd}|jdkrtd|jd|j}||jkrtdtdWdStjjy}ztd|d|d}~ww)aWaits for the proxy to become available and verifies its identity. This method first waits for the proxy's TCP port to accept connections. Once the port is open, it sends a request to the `/readyz` endpoint to confirm that the proxy is fully operational and to verify a security nonce, ensuring that gcloud is communicating with the correct proxy instance. Args: proxy_port: The port where the proxy is expected to be listening. timeout: The maximum time in seconds to wait for the proxy. Raises: ECPProxyError: If the proxy process terminates unexpectedly, fails to respond within the timeout, or returns an invalid nonce. z*Waiting for the proxy to be ready on port z...Nz0Proxy process terminated unexpectedly with code z while waiting for it to start.g?rz ECP Proxy on rMz did not become ready in z seconds.http://z/readyzr}z'Proxy /readyz endpoint returned status .z+Nonce mismatch from proxy /readyz endpoint.z"Proxy is ready and nonce verified.z6Failed to verify proxy readiness via /readyz endpoint.r)r rtime monotonicrrrr returncodercreate_connectionrrsleeprrr status_codetextr exceptionsRequestException)r5rir start_time readyz_urlresponse server_noncerrrrrs\ $     z%_LocalECPProxyAdapter._wait_for_proxyc stj|j}|j|jd<tjdd|j|jdf}d|j d|j ||_d|d<t d| d|jz tj|fi|}WntjjyZ}ztd |d |d }~ww||S) aIntercepts an outgoing request and reroutes it through the local ECP proxy. This method modifies the request's URL to point to the local proxy and adds a custom header (`x-goog-ecpproxy-target-host`) to inform the proxy of the original destination. It then sends the modified request and passes the response to `_handle_proxy_response` for inspection. Args: request: The `requests.PreparedRequest` object to send. **kwargs: Additional arguments passed to the underlying `send` method. Returns: The `requests.Response` object from the proxy. Raises: ECPProxyError: If the proxy returns an error or fails to send the request. zx-goog-ecpproxy-target-hostrNrrMFverifyzRedirecting request for z to proxy at zFailed to send request to proxyrN)rrOurlspliturlhostnameheaders urlunsplitpathqueryrrir rgeturlr$sendrrrrr_handle_proxy_response)r5requestr8 original_url proxy_pathrrr*rrrs.   z_LocalECPProxyAdapter.sendcCsj|jd}|r3tdz|dd}d|}Wt|tjy2d|j}Yt|w|S)aSInspects the proxy's response for custom error headers. If the `x-goog-ecpproxy-error` header is present in the response, this method assumes the proxy encountered an internal error. It attempts to parse a detailed error message from the JSON response body and raises an `ECPProxyError` with the relevant information. Args: response: The `requests.Response` object received from the proxy. Returns: The original `requests.Response` object if no error header is found. Raises: ECPProxyError: If the `x-goog-ecpproxy-error` header is present. zx-goog-ecpproxy-errorzECP Proxy returned an errorruzNo message in body.z'ECP Proxy indicated an internal error: z6ECP Proxy indicated an internal error. Response body: )rrr rjsonJSONDecodeErrorrrr)r5rproxy_error_header error_detailsrurrrrs   z,_LocalECPProxyAdapter._handle_proxy_responsecsrtd|jr2|jdur2|jz |jjddWntjy1td|j Ynwt dS)aTerminates the background ECP proxy process to clean up resources. This method ensures that the local proxy subprocess is properly shut down when the session is closed. It first attempts a graceful termination and waits briefly, then forcefully kills the process if it does not exit in time. Finally, it calls the parent class's `close` method to complete the cleanup. z:Closing ECP Proxy Adapter and terminating proxy process...Ng?rz7Proxy process did not terminate gracefully, killing it.) r rrrrwaitrTimeoutExpiredrkillr$r)r5r*rrrs   z_LocalECPProxyAdapter.close)Nrw)r})r,r-r.r/rintr4rrrrrrrr0rrr*rrvs2   6, E0!rv ca_configrcCs.|r|js td|jrt|jdSt|jS)aCreates a requests adapter for mTLS offloading via ECP. This function decides which adapter to use based on the provided configuration: - If `ca_config.use_local_proxy` is True, it returns a `_LocalECPProxyAdapter`, which routes traffic through a local ECP proxy subprocess. - Otherwise, it returns a `_MutualTlsOffloadAdapter` from the google-auth library, which uses the ECP binary for TLS offloading without a local proxy. Args: ca_config: The enterprise certificate configuration object. Returns: An instance of a requests adapter for mTLS offloading. Raises: ValueError: If the certificate configuration file path is not provided. z.Certificate config file path must be provided.)rx)rxreuse_local_proxyrvr)rrrr_CreateMutualTlsOffloadAdapter+s  rcCsHtjtjjk}tjodtjv}t}|r"|s"|r"t t dSdS)aiWarn users if running non-bundled Python on Linux and is a Googler. Checks if the current OS is Linux, running Python that is not bundled and if the user is a Googler. If all conditions are true, a warning message will be emitted, along with returning true to bypass the mTLS code path. Returns: True if the conditions are met, False otherwise. bundledTF) rOperatingSystemCurrentLINUXsys executabler IsInternalUserCheckr r_GOOGLER_BUNDLED_PYTHON_WARNING)is_linuxis_bundled_pythonis_internal_userrrr%_LinuxNonbundledPythonAndGooglerCheckLs   rc s8|pt}t|jfdd}||_r#d|_d|_n tr/ts/dat t d}|durO|durO|durOt d|||t ||}t |}n:t} | rt| jtjjkrdt| }n%| jtjjkrt d| jt | j| j| j}t |}n t d}nt d}|rd|_n|r||_|d ||S) aReturns a requests.Session subclass. Args: timeout: float, Request timeout, in seconds. ca_certs: str, absolute filename of a ca_certs file disable_ssl_certificate_validation: bool, If true, disable ssl certificate validation. session: requests.Session instance. Otherwise, a new requests.Session will be initialized. client_certificate: str, absolute filename of a client_certificate file client_key: str, absolute filename of a client_key file Returns: A requests.Session subclass. csNd|vr|d<tr d|vr ttg|Ri||d<|i|S)Nrproxies) _HasBpo42627_AdjustProxiesKwargForBpo42627urllib_requestgetproxies_environmentr7r8orig_request_method proxy_inforrrWrappedRequestzs zSession..WrappedRequestF)rLhttpsTNzVUsing provided server certificate %s, client certificate %s, client certificate key %szUsing client certificate %shttps://)rSessionrqr trust_envr!_HasInvalidHttpsProxyEnvVarScheme*_invalid_https_proxy_env_var_warning_shownr r$_INVALID_HTTPS_PROXY_ENV_VAR_WARNINGrr"r2rConfigr config_type ConfigTypeENTERPRISE_CERTIFICATErON_DISK_CERTIFICATEencrypted_client_cert_pathencrypted_client_cert_passwordrmount) rr"disable_ssl_certificate_validationrrrrr6adapterrrrrras^         rcCsZ|dkr|}nt}tjjjpd}tjjj }|r|}|r#d}t ||||||dS)zECreate a requests.Session matching the appropriate gcloud properties.rFN)rrrrrr) r GetDefaultTimeoutr rTauthdisable_ssl_validationr^corecustom_ca_certs_filerWr)rrrrreffective_timeout no_validateca_certs_propertyrrrrs rcCsftj|}tjj|jdd}t|piD]\}}|||<qt|}tjj|dd|d<tj |S)zFGets the complete URI by merging url and params from the request args.T)keep_blank_values)doseqrG) rrOrparse_qsrsix iteritemslist urlencoder)rparams url_parts query_paramsparamvaluerrr_GetURIFromRequestArgss   r cs6eZdZdZeddZd fdd ZddZZS) RequestaEncapsulates parameters for making a general HTTP request. This implementation does additional manipulation to ensure that the request parameters are specified in the same way as they were specified by the caller. That is, if the user calls: request('URI', 'GET', None, {'header': '1'}) After modifying the request, we will call request using positional parameters, instead of transforming the request into: request('URI', method='GET', body=None, headers={'header': '1'}) cOs||i|Sr#r)r&r7r8rrrFromRequestArgsszRequest.FromRequestArgsNc s.||_t||}tt||||pi|dSr#)_kwargsr r$r r4)r5methodrrdatarr8urir*rrr4s zRequest.__init__cCs8|j|jg}t|j}|j|d<|jr|j|d<||fS)Nrr)rrdictrrbodyr<rrr ToRequestArgss    zRequest.ToRequestArgs)NNN) r,r-r.r/ classmethodrr4rr0rrr*rr s  r c@seZdZdZeddZdS)Responsez:Encapsulates responses from making a general HTTP request.cCs||j|j|jSr#)rrcontent)r&rrrr FromResponse szResponse.FromResponseN)r,r-r.r/rrrrrrrsrc@s eZdZdZeZeZddZdS)rz,Class for wrapping request.Session requests.cCs~|S)z&Returns the response without decoding.r)r5rresponse_encodingrrrDecodeResponseszRequestWrapper.DecodeResponseN) r,r-r.r/r  request_classrresponse_classrrrrrrs  rc Cs^t}ttjdttjdd}ttjdd}|jd|dd|ditj|dS) zGReturns a gcloud's requests session to refresh google-auth credentials.GCE_METADATA_HOSTGCE_METADATA_ROOTzmetadata.google.internalGCE_METADATA_IPz169.254.169.254rrN)r) r r GetEncodedValueosenvironrupdategoogle_auth_requestsr )r metadata_rootmetadata_ip_rootrrrGoogleAuthRequests$   r(c@seZdZddZddZdS)_GoogleAuthApitoolsCredentialscCs ||_dSr#) credentials)r5r*rrrr4;s z'_GoogleAuthApitoolsCredentials.__init__cCs~t}|j|dSr#)r(r*refresh)r5r auth_requestrrrr+>sz&_GoogleAuthApitoolsCredentials.refreshN)r,r-r.r4r+rrrrr)9s r)csJt|||}t|dr#t|j}|jfdd}||_t|jd||S)zGReturns an authenticated httplib2.Http-like object for use by apitools._googlecloudsdk_credentialscs|i|Sr#rrrrr HttpRequestOsz(GetApitoolsRequests..HttpRequestr*)_ApitoolsRequestshasattrr)r-rsetattr)rresponse_handlerrrcredsr/rr.rGetApitoolsRequestsDs    r5c@s&eZdZdZddZejddZdS)ResponseHandlerzHandler to process the Http Response. Attributes: use_stream: bool, if True, the response body gets returned as a stream of data instead of returning the entire body at once. cCs ||_dS)zInitializes ResponseHandler. Args: use_stream: bool, if True, the response body gets returned as a stream of data instead of returning the entire body at once. N) use_stream)r5r7rrrr4`s zResponseHandler.__init__cCsdS)zHandles the http response.Nr)r5response_streamrrrhandleiszResponseHandler.handleN)r,r-r.r/r4abcabstractmethodr9rrrrr6Xs  r6c@s6eZdZdZd ddZddZ     d d d ZdS) r0z0A httplib2.Http-like object for use by apitools.NcCs2||_i|_|rt|tstd||_||_dS)Nz3response_handler should be of type ResponseHandler.)r connections isinstancer6re_response_handler_response_encoding)r5rr3rrrrr4qs  z_ApitoolsRequests.__init__cOsl~~|jtjtjfvrtddS|jjr+tj j j r+tj j j r+t|j}n|j}|j|dS)z:Response hook to be used if response_handler has been set.z1Skipping response_handler as response is invalid.N)rhttplibOKPARTIAL_CONTENTr rr>r7r rTrlog_httpr^log_http_streaming_bodyioBytesIOrrawr9)r5rr7r8streamrrr ResponseHook|s   z_ApitoolsRequests.ResponseHookGETrc Cs~|dkr ||j_i}|jdur|j|d<|jj}nd}|jj||||||d} t| j}| j|d<|r7d} n|j durD|j | _ | j } n| j } t || fS)z/Makes an HTTP request using httplib2 semantics.rNrF)rrrHhooksstatus)r max_redirectsr>rIr7rrrrr?r rrhttplib2r) r5rrrr redirectionsconnection_typerKr7rrrrrrs(        z_ApitoolsRequests.requestNN)rJNNrN)r,r-r.r/r4rIrrrrrr0ns  r0cCst}|dddS)zAReturns whether the HTTPS proxy env var is using an HTTPS scheme.rrNr)rrr startswith) env_proxiesrrrrsrcCs2tjtjjkottdotdddS)aReturns whether Python is affected by https://bugs.python.org/issue42627. Due to a bug in Python's standard library, urllib.request misparses the Windows registry proxy settings and assumes that HTTPS URLs should use an HTTPS proxy, when in fact they should use an HTTP proxy. This bug affects PY<3.9, as well as lower patch versions of 3.9, 3.10, and 3.11. Returns: True if proxies read from the Windows registry are being parsed incorrectly. getproxies_registryrrNr) rrrWINDOWSr1rrUrrSrrrrrsrcOsf|s|rdStj|g|Ri|d}tj|}|d}|s#dS|ds*dSd|dddiS)a/Returns proxies to workaround https://bugs.python.org/issue42627 if needed. Args: gcloud_proxy_info: str, Proxy info from gcloud properties. environment_proxies: dict, Proxy config from http/https_proxy env vars. orig_request_method: function, The original requests.Session.request method. *args: Positional arguments to the original request method. **kwargs: Keyword arguments to the original request method. Returns: Optional[dict], Adjusted proxies to pass to the request method, or None if no adjustment is necessary. Nrrrrr})inspect getcallargsrutilsget_environ_proxiesrrSreplace)gcloud_proxy_infoenvironment_proxiesrr7r8rr https_proxyrrrrs   r)rNNFNNN)NNFNNN)rNNNNrR)Nr/ __future__rrrr:r collectionsrWrErr"rrrrrgoogle.auth.transportrr%google.auth.transport.requestsrgooglecloudsdk.corerrr r r googlecloudsdk.core.utilr r rrOr six.movesrr@rraurllib3.util.ssl_rurllib.requestrr ImportErrorrrr namedtupler"r1adaptersr2rqr Exceptionrrrv_EnterpriseCertConfigImpl BaseAdapterrrrrr r rrr(r)r5with_metaclassABCMetar6r0rrrrrrrs                   +(,  = ! ]    L