o $@sdZddlmZddlmZddlmZddlZddlZddlZddlZddl Z ddl Z ddl Z ddl Z ddl Z ddlZddlmZddlmZddlmZdd lmZdd lmZdd lmZdd lmZddlmZdd lmZddlmZddl m!Z"ddl mZ#ddl m$Z%ddl&m'Z'ddl(m)Z)ddl(m*Z*ddl+m,Z-ddl.Z.dZ/dZ0dZ1dZ2dZ3dZ4dZ5dZ6dZ7dZ8dZ9d Z:Gd!d"d"ej;Z;Gd#d$d$e;ZGd)d*d*e;Z?d+d,Z@d-d.ZAd/d0ZBd1d2ZCd3d4ZDd5d6ZEd7d8ZFd9d:ZGd;d<ZHd=d>ZId?d@ZJdAdBZKdCdDZLdEdFZMddHdIZNdJdKZOdLdMZPdNdOZQGdPdQdQeRZSe.TejUGdRdSdSeRZVdTZWGdUdVdVeRZXGdWdXdXeVZYdYZZGdZd[d[eRZ[Gd\d]d]e)j\Z]Gd^d_d_eRZ^ dd`daZ_ bddcddZ`GdedfdfeVZa   bddgdhZbGdidjdje jcZdGdkdldle jcZedmdnZfdodpZgdqdrZhdsdtZidudvZjdwdxZkdydzZl   bdd{d|Zmdd}d~ZnddZodddZpGdddeRZqddZrddZsdZt dddZuddZvdawejxdZyddZzdS)z Utilities to manage credentials.)absolute_import)division)unicode_literalsN)compute_engine credentials) exceptions)external_account) external_account_authorized_user)impersonated_credentials)config)log) properties)devshell) introspect)files)clientservice_account)gcequota_project_idz$https://oauth2.googleapis.com/revokeunknownauthorized_userrservice_account_p12rrimpersonated_accountr external_account_userr c@eZdZdZdS)ErrorzExceptions for this module.N__name__ __module__ __qualname____doc__r#r#B/tmp/google-cloud-sdk/lib/googlecloudsdk/core/credentials/creds.pyrDrc@r)UnknownCredentialsTypezCAn error for when we fail to determine the type of the credentials.Nrr#r#r#r$r&Hr%r&c@r)InvalidCredentialsErrorzGException for when the provided credentials are invalid or unsupported.Nrr#r#r#r$r'Lr%r'c@r)CredentialFileSaveErrorz4An error for when we fail to save a credential file.Nrr#r#r#r$r(Pr%r(c@r)ADCErrorz9An error when processing application default credentials.Nrr#r#r#r$r)Tr%r)cC t|tjSN) isinstancerOAuth2Credentialscredsr#r#r$IsOauth2ClientCredentialsX r0cCr*r+)r,google_auth_creds Credentialsr.r#r#r$IsGoogleAuthCredentials\r1r4cCr*r+)r,google_auth_compute_enginer3r.r#r#r$IsGoogleAuthGceCredentials`r1r6cC,t|jrdStrt|tjkSdSNTF)CredentialTypeFromCredentialsis_user c_devshellIsDevshellEnvironmentGCEr.r#r#r$%_IsUserAccountCredentialsOauth2clientds r?cCr7r8)CredentialTypeGoogleAuthr:r;r<r=r>r.r#r#r$#_IsUserAccountCredentialsGoogleAuthms rAcCst|rt|St|Sr+)r0r?rAr.r#r#r$IsUserAccountCredentialswsrBcCst|tjkSr+)r9r:P12_SERVICE_ACCOUNTr.r#r#r$#IsOauth2clientP12AccountCredentials~srDcCs<t|rt|}|tjtjfvSt|}|tjtjfvSr+)r0r9r:SERVICE_ACCOUNTrCr@r/ cred_typer#r#r$IsServiceAccountCredentialss  rHcCt|r t|tjkSdSNF)r4r@r:EXTERNAL_ACCOUNTr.r#r#r$IsExternalAccountCredentials rLcCrIrJ)r4r@r:EXTERNAL_ACCOUNT_USERr.r#r#r$ IsExternalAccountUserCredentialsrMrOcCrIrJ)r4r@r: EXTERNAL_ACCOUNT_AUTHORIZED_USERr.r#r#r$*IsExternalAccountAuthorizedUserCredentialsrMrQcCrIrJ)r4r@r:IMPERSONATED_ACCOUNTr.r#r#r$ IsImpersonatedAccountCredentialsrMrScCst|r |jtjjjjkSdS)aCheck if the given credential has default universe domain. For google-auth credential, we check its universe_domain property. The deprecated oauth2client credentials only work in default universe domain so we return True (Note that they are no longer used in gcloud, but not yet removed from the code base). Args: credentials: google.auth.credentials.Credentials or client.OAuth2Credentials, the credentials to be checked. Returns: bool, Whether or not the given credential has default universe domain. T)r4universe_domainrVALUEScoredefaultrr#r#r$HasDefaultUniverseDomains  rXcCs2tjjjrtjjjjddStjjjjddS)zEGet default token URI for credential based on context aware settings.T)required) rrU context_awareuse_client_certificateGetBoolauthmtls_token_hostGet token_hostr#r#r#r$GetDefaultTokenUrisra token_uricCsbtjjjrtjjjS||r.||tjjjkr.||tjjjkr.||St S)z5Get the effective token URI for the given credential.) rrUr]r`IsExplicitlySetr_getDEFAULT_TOKEN_HOSTr^ra) cred_jsonkeyr#r#r$GetEffectiveTokenUriFromCredss rhcCsPt|}|tjkr dS|jtjjjjkrdStjjj r dSt s&dSdS)aCheck if self signed jwt should be used. Only use self signed jwt for google-auth service account creds, and only when service_account_use_self_signed_jwt property is true or the universe is not the default one. Args: creds: google.auth.credentials.Credentials, The credentials to check if self signed jwt should be used. Returns: bool, Whether or not self signed jwt should be used. FT) r@r:rErTrrUrVrWr]#service_account_use_self_signed_jwtr\IsDefaultUniverserFr#r#r$UseSelfSignedJwts  rkcCs t|rd|_|ddSdS)NT)rk_always_use_jwt_access_create_self_signed_jwtr.r#r#r$EnableSelfSignedJwtIfApplicablesrncCs"t|}|tjkr||}|S)aVAdd user account to credential. The user account field is used to determine ADC caching. Only User Account credential types will be modified. Args: creds: google.auth.credentials.Credentials, The credentials to add the account field account: str, the authorized user email Returns: google_auth_creds.Credential )r@r: USER_ACCOUNT with_account)r/accountrGr#r#r$ WithAccounts   rrc@s*eZdZdZeddZedddZdS)_AccountIdFormatteraAccount ID formatter. In this file, when we say "account id" or "account_id", it means principal; when we say "formatted_account_id" or "formatted account id", it means: - the account_id or principal, if the universe domain is GDU - the "account_id#universe_domain" string, otherwise In credentials and access token sqlite3 database, the account_id column saves the formatted account id. This class provides utility functions to handle the formatting. cCsB|d}|d}t|dkrtjjjj}||fS|d}||fS)zGet account_id/principal and universe domain from formatted account id. Args: formatted_account_id: str, the formatted account id string. Returns: tuple: The principal and universe domain tuple. #r)splitlenrrUrVrTrW)formatted_account_idsplits principalrTr#r#r$GetAccountIdAndUniverseDomains   z1_AccountIdFormatter.GetAccountIdAndUniverseDomainNcCsBtjjj}|rt|dr|j}n|}||jkr|S|d|S)a,Calculate the formatted account id. If the universe_domain is GDU, return the account_id as is; otherwise, return "account_id#universe_domain". Here the universe_domain value comes from the credentials if it's provided, otherwise it comes from the core/universe_domain property. Args: account_id: str, the account id or principal string. credentials: google.auth.credentials.Credentials, The optional credentials provided to derive the universe_domain value. Returns: str: The formatted account id. rTrt)rrUrVrThasattrr_rW) account_idruniverse_domain_propertyrTr#r#r$GetFormattedAccountId/s   z)_AccountIdFormatter.GetFormattedAccountIdr+)rr r!r" staticmethodr{rr#r#r#r$rss  rsc@sHeZdZdZejddZejddZejddZejdd Z d S) CredentialStorez(Abstract definition of credential store.cCtS)zpGet all accounts that have credentials stored for the CloudSDK. Returns: {str}, Set of accounts. NotImplementedselfr#r#r$ GetAccountsQszCredentialStore.GetAccountscCrr+rrr}r#r#r$LoadZzCredentialStore.LoadcCrr+r)rr}rr#r#r$Store^rzCredentialStore.StorecCrr+rrr#r#r$RemovebrzCredentialStore.RemoveN) rr r!r"abcabstractmethodrrrrr#r#r#r$rMs   rrc@0eZdZdZddZddZddZdd Zd S) _SqlCursorz'Context manager to access sqlite store.cCs||_d|_d|_dSr+) _store_file _connection_cursor)r store_filer#r#r$__init__ls z_SqlCursor.__init__cCs*tj|jdtjddd|_|j|_|S)Ng@T)timeout detect_typesisolation_levelcheck_same_thread)sqlite3connectrPARSE_DECLTYPESrcursorrrr#r#r$ __enter__qs z_SqlCursor.__enter__cCs|s|j|jdSr+)rcommitclose)rexc_type unused_valueunused_tracebackr#r#r$__exit__s z_SqlCursor.__exit__cGs |jj|Sr+)rexecute)rargsr#r#r$Executer1z_SqlCursor.ExecuteN)rr r!r"rrrrr#r#r#r$ris  rc@sReZdZdZddZddZddZdd Zd d Zdd dZ ddZ ddZ dS)SqliteCredentialStorez Sqllite backed credential store.cCs<t||_|dtt}|ds|dSdS)NzICREATE TABLE IF NOT EXISTS "{}" (account_id TEXT PRIMARY KEY, value BLOB)cred_token_store_formatted) rr_Executeformat_CREDENTIAL_TABLE_NAMEr GetConfigStorer_FormatAccountIdColumn)rr config_storer#r#r$rs   zSqliteCredentialStore.__init__cGs4|j }|j|WdS1swYdSr+rrrrcurr#r#r$rs$zSqliteCredentialStore._Executec Cs|jR}|dt}|D]2}|d|d}}d|vrBt|}t||}||krB|dt|f|dt||fqt }| ddWd d S1sXwYd S) zFormat the account id column. Before we introduce the formatted account id concept, the existing table uses the account id value as the key. Therefore we need to load the table and replace these account ids with formatted account ids. z"SELECT account_id, value FROM "{}"rrurt%DELETE FROM "{}" WHERE account_id = ?z1INSERT INTO "{}" (account_id, value) VALUES (?,?)rTN) rrrrfetchallFromJsonGoogleAuthrsrr rSet) rrtablerowr}rfr/rxrr#r#r$rs<"z+SqliteCredentialStore.FormatAccountIdColumncCsb|j$}t}|dtD]\}t|\}}||qWd|S1s*wY|S)zJGet all accounts. Returns: set[str], A set of account ids. *SELECT account_id FROM "{}" ORDER BY rowidN)rsetrrrrsr{add)rraccountsrxr}_r#r#r$rs      z!SqliteCredentialStore.GetAccountscCsltt}|j$}|dtD]}t|d\}}|| |qWd|S1s/wY|S)zGet all accounts and their corresponding universe domains. Returns: collections.defaultdict, A dictionary where the key is the account_id and the value is the universe domain list. rrN) collections defaultdictlistrrrrrsr{append)r accounts_dictrrxr}rTr#r#r$GetAccountsWithUniverseDomains"    z3SqliteCredentialStore.GetAccountsWithUniverseDomainTc Cs|s-|j}|dt|f}Wdn1swY|dur'dSt|dS|j}|dt||df}Wdn1sJwY|sSdStjj j }g}d}|D]\} }t | \} } | | | |krxt|}q^|stdj||d|d|S) aLoad the credentials for the account_id. Args: account_id: str, The account_id of the credential to load. use_google_auth: bool, Whether google-auth lib should be used. Default is True. Returns: google.auth.credentials.Credentials or client.OAuth2Credentials, The loaded credentials. Raises: googlecloudsdk.core.credentials.creds.InvalidCredentialsError: If problem happens when loading credentials. z+SELECT value FROM "{}" WHERE account_id = ?NrzLSELECT account_id, value FROM "{}" WHERE account_id = ? OR account_id LIKE ?z#%a^The account [{account_id}] is available in the following universe domain(s): [{universe_domains}], but it is not available in [{universe_property}] which is specified by the [core/universe_domain] property. Update your active account to an account from {universe_property} or update the [core/universe_domain] property to one of [{universe_domains}].z, )r}universe_propertyuniverse_domains)rrrrfetchoneFromJsonrrrUrVrTrsr{rr_rr'join) rr}use_google_authrrfrr~rr/rxrrTr#r#r$rs\      zSqliteCredentialStore.LoadcCsXt|rt|}|dt||fdSt|}t||}|dt||fdS)aStores the input credentials to the record of account_id in the cache. Args: account_id: string, the account ID of the input credentials. credentials: google.auth.credentials.Credentials or client.OAuth2Credentials, the credentials to be stored. z2REPLACE INTO "{}" (account_id, value) VALUES (?,?)N)r0ToJsonrrrToJsonGoogleAuthrsr)rr}rvaluerxr#r#r$r.s$zSqliteCredentialStore.StorecCs$t|d}|dt|fdS)Nr)rsrrrr)rr}rxr#r#r$rJszSqliteCredentialStore.RemoveNT) rr r!r"rrrrrrrrr#r#r#r$rs ' D r access_tokensc@s:eZdZdZdddZddZddZd d Zd d Zd S)AccessTokenCacheaSqlite implementation of for access token cache. AccessTokenCache uses formatted_account_id instead of account_id in its APIs. The reason is that AccessTokenCache is used by AccessTokenStoreGoogleAuth, which is tied to a specific credential object. Either we let AccessTokenStoreGoogleAuth pass the credential's universe_domain to AccessTokenCache, or pass the formatted account id (which contains universe_domain). The latter is better since it is backward compatible and there is no need to introduce a new universe_domain parameter to all AccessTokenCache Load/Store/Remove APIs. See go/gcloud-multi-universe-auth-cache section 3.2, 3.3 for more details. FcCs^||_t||_|dtz |dtWdStjy.|dtYdSw)NzCREATE TABLE IF NOT EXISTS "{}" (account_id TEXT PRIMARY KEY, access_token TEXT, token_expiry TIMESTAMP, rapt_token TEXT, id_token TEXT)z!SELECT id_token FROM "{}" LIMIT 1z)ALTER TABLE "{}" ADD COLUMN id_token TEXT)_cache_only_raptrrrr_ACCESS_TOKEN_TABLErOperationalError)rrcache_only_raptr#r#r$res    zAccessTokenCache.__init__cGs6|j}|j|WddS1swYdSr+rrr#r#r$rys "zAccessTokenCache._ExecutecCsB|j}|dt|fWdS1swYdS)zLoad the tokens from the access token cache. Args: formatted_account_id: str, The formatted account id. Returns: tuple: The access_token, token_expiry, rapt_token, id_token tuple. zVSELECT access_token, token_expiry, rapt_token, id_token FROM "{}" WHERE account_id = ?N)rrrrr)rrxrr#r#r$r}s $zAccessTokenCache.Loadc Cs|jr||}|r|\}}}}nd}d}d}z|dt|||||fWdStjyF}ztdt |WYd}~dSd}~ww)aWStores the tokens into the access token cache. Args: formatted_account_id: str, The formatted account id. access_token: str, The access token string to store. token_expiry: datetime.datetime, The token expiry. rapt_token: str, The rapt token string to store. id_token: str, The ID token string to store. NzcREPLACE INTO "{}" (account_id, access_token, token_expiry, rapt_token, id_token) VALUES (?,?,?,?,?)z)Could not store access token in cache: {}) rrrrrrrr warningstr) rrx access_token token_expiry rapt_tokenid_tokenresultrer#r#r$rs,   "zAccessTokenCache.Storec CsXz |dt|fWdStjy+}ztdt|WYd}~dSd}~ww)zRemoves the tokens from the access token cache. Args: formatted_account_id: str, The formatted account id to remove. rz,Could not delete access token from cache: {}N)rrrrrr rr)rrxrr#r#r$rs "zAccessTokenCache.RemoveNF) rr r!r"rrrrrr#r#r#r$rWs  .rcs8eZdZdZfddZddZddZdd ZZS) AccessTokenStoreaOauth2client adapted for access token cache. This class works with Oauth2client model where access token is part of credential serialization format and get captured as part of that. By extending client.Storage this class pretends to serialize credentials, but only serializes access token. When fetching the more recent credentials from the cache, this does not return token_response, as it is now out of date. cs(tt|jdd||_||_||_dS)a&Sets up token store for given acount. Args: access_token_cache: AccessTokenCache, cache for access tokens. account_id: str, account for which token is stored. credentials: oauth2client.client.OAuth2Credentials, they are auto-updated with cached access token. N)lock)superrr_access_token_cache _account_id _credentialsraccess_token_cacher}r __class__r#r$rs  zAccessTokenStore.__init__cCsT|j|j}|r'|\}}}}||j_||j_|dur||j_||j_d|j_|jSr+) rrrrrrr id_tokenb64token_responser token_datarrrrr#r#r$ locked_gets zAccessTokenStore.locked_getc CsNt|jdr|jjdd}nd}|j|j|jj|jjt|jdd|dS)Nrrr) getattrrrrdrrrrr)rrrr#r#r$ locked_puts  zAccessTokenStore.locked_putcCs|j|jdSr+)rrrrr#r#r$ locked_deleteszAccessTokenStore.locked_delete) rr r!r"rrrr __classcell__r#r#rr$rs    rc@r) AccessTokenStoreGoogleAuthzgoogle-auth adapted for access token cache. This class works with google-auth credentials and serializes its short lived tokens, including access token, token expiry, rapt token, id token into the access token cache. cCs||_t|||_||_dS)aSets up token store for given account. Args: access_token_cache: AccessTokenCache, cache for access tokens. account_id: str, account for which token is stored. credentials: google.auth.credentials.Credentials, credentials of account of account_id. N)rrsr_formatted_account_idrrr#r#r$r s   z#AccessTokenStoreGoogleAuth.__init__cCsp|j|j}|r5|\}}}}t|jr!d|j_d|j_d|j_n ||j_||j_||j_||j_||j_ |jS)aGets credentials with short lived tokens from the internal cache. Retrieves the short lived tokens from the internal access token cache, populates the credentials with these tokens and returns the credentials. Returns: google.auth.credentials.Credentials N) rrrrkrtokenexpiry _rapt_token _id_tokenrrr#r#r$r_s    zAccessTokenStoreGoogleAuth.GetcCst|jddp t|jdd}t|jdd}t|jdd}t|jdd}t|jr=d}d}d}|j|j}|r=|\}}}}|j|j||||dS)zEPuts the short lived tokens of the credentials to the internal cache.rNrrrr)rrrkrrrr)rrrrrrrr#r#r$Put6s     zAccessTokenStoreGoogleAuth.PutcCs|j|jdS)z:Removes the tokens of the account from the internal cache.N)rrrrr#r#r$DeleteRsz!AccessTokenStoreGoogleAuth.DeleteN)rr r!r"rr_rrr#r#r#r$rs  rcCsd|jdur|St|dd}|stt|j}t|p!t j }t |||}| ||S)aAttaches access token cache to given credentials if no store set. Note that credentials themselves will not be persisted only access token. Use this whenever access token caching is desired, yet credentials themselves should not be persisted. Args: credentials: oauth2client.client.OAuth2Credentials. access_token_file: str, optional path to use for access token storage. Returns: oauth2client.client.OAuth2Credentials, reloaded credentials. Nservice_account_email)storerhashlibsha256six ensure_binary refresh_token hexdigestrr Pathsaccess_token_db_pathr set_storerd)raccess_token_filer}rrr#r#r$ MaybeAttachAccessTokenCacheStoreWs     rFcstdd}|sttjsttjrt}n |s'tt j  }t |p.tj|d}t||jfdd}|_S)aAttaches access token cache to given credentials if no store set. Note that credentials themselves will not be persisted only access token. Use this whenever access token caching is desired, yet credentials themselves should not be persisted. For external account and external account authorized user non-impersonated credentials, the provided credentials should have been instantiated with the client_id and client_secret in order to retrieve the account ID from the 3PI token instrospection endpoint. Args: credentials: google.auth.credentials.Credentials. access_token_file: str, optional path to use for access token storage. cache_only_rapt: bool, True to only cache RAPT token. Returns: google.auth.credentials.Credentials, reloaded credentials. rN)rcs"|tdd_dS)Nr)rrrrequestr orig_refreshrr#r$_WrappedRefreshs zCMaybeAttachAccessTokenCacheStoreGoogleAuth.._WrappedRefresh)rr,google_auth_external_accountr3,google_auth_external_account_authorized_user c_introspectGetExternalAccountIdrrrrrrrr rrrr_refresh)rrrr}rr r#rr$*MaybeAttachAccessTokenCacheStoreGoogleAuthts6    rc@sJeZdZdZddZddZddZdd Zdd d Zd dZ ddZ dS)CredentialStoreWithCacheaImplements CredentialStore for caching credentials information. Static credentials information, such as client ID and service account email, are stored in credentials.db. The short lived credentials tokens, such as access token, are cached in access_tokens.db. cCs||_||_dS)aJSets up credentials store for caching credentials. Args: credential_store: SqliteCredentialStore, for caching static credentials information, such as client ID, service account email, etc. access_token_cache: AccessTokenCache, for caching short lived credentials tokens, such as access token. N)_credential_storer)rcredential_storerr#r#r$rs z!CredentialStoreWithCache.__init__cs|jfdd}||_|S)aWraps the refresh method of credentials with auto caching logic. For auto caching short lived tokens of google-auth credentials, such as access token, on credentials refresh. Args: credentials: google.auth.credentials.Credentials, the credentials updated by this method. store: AccessTokenStoreGoogleAuth, the store that caches the tokens of the input credentials. Returns: google.auth.credentials.Credentials, the updated credentials. cs|dSr+)rrrrr#r$r s zXCredentialStoreWithCache._WrapCredentialsRefreshWithAutoCaching.._WrappedRefreshr)rrrr r#rr$&_WrapCredentialsRefreshWithAutoCachingsz?CredentialStoreWithCache._WrapCredentialsRefreshWithAutoCachingcC |jS)z-Returns all the accounts stored in the cache.)rrrr#r#r$r z$CredentialStoreWithCache.GetAccountscCr)zHReturns all the accounts stored in the cache with their universe domain.)rrrr#r#r$rrz6CredentialStoreWithCache.GetAccountsWithUniverseDomainTcCsd|j||}|dur dSt|r!t|j||}|||St|j||}|}| ||S)aLoads the credentials of account_id from the cache. Args: account_id: string, ID of the account to load. use_google_auth: bool, True to load google-auth credentials if the type of the credentials is supported by the cache. False to load oauth2client credentials. Returns: 1. None, if credentials are not found in the cache. 2. google.auth.credentials.Credentials, if use_google_auth is true. 3. client.OAuth2Credentials. N) rrr0rrrrdrr_r)rr}rrrr#r#r$rs  zCredentialStoreWithCache.LoadcCsTt|rt|j||}||||n t|j||}||j||dS)a,Stores credentials into the cache with account of account_id. Args: account_id: string, the account that will be associated with credentials in the cache. credentials: google.auth.credentials.Credentials or client.OAuth2Credentials, the credentials to be stored. N) r0rrrputrrrr)rr}rrr#r#r$rs   zCredentialStoreWithCache.StorecCs"|j||jt|dS)z1Removes credentials of account_id from the cache.N)rrrrsrrr#r#r$rs zCredentialStoreWithCache.RemoveNr) rr r!r"rrrrrrrr#r#r#r$rs  " rcCs t|||S)aConstructs credential store. Args: store_file: str, optional path to use for storage. If not specified config.Paths().credentials_path will be used. access_token_file: str, optional path to use for access token storage. Note that some implementations use store_file to also store access_tokens, in which case this argument is ignored. cache_only_rapt: bool, True to only cache RAPT token. Returns: CredentialStore object. )_GetSqliteStoreWithCache)rrrr#r#r$GetCredentialStore$src@sxeZdZdZdeddfZdeddfZdeddfZ de ddfZ de ddfZ d eddfZd d Zed d ZeddZdS)r9z8Enum of oauth2client credential types managed by gcloud.rFruTcC||_||_||_||_dSr+type_idrgis_serializabler;rr!rgr"r;r#r#r$rEs zCredentialType.__init__cC"tD] }|j|kr |SqtjSr+)r9rgUNKNOWNrgrGr#r#r$ FromTypeKeyMs  zCredentialType.FromTypeKeycCsVt|tjr tjSt|tjrt|dddurtjStj St|dddur(tj Stj S)N_private_key_pkcs12r) r,oauth2client_gceAppAssertionCredentialsr9r>rServiceAccountCredentialsrrCrEror%r.r#r#r$r:Ts  zCredentialType.FromCredentialsN)rr r!r"UNKNOWN_CREDS_NAMEr%USER_ACCOUNT_CREDS_NAMEroSERVICE_ACCOUNT_CREDS_NAMErEP12_SERVICE_ACCOUNT_CREDS_NAMErCDEVSHELL_CREDS_NAMEDEVSHELLGCE_CREDS_NAMEr>rrr'r:r#r#r#r$r9;s       r9c@seZdZdZdeddfZdeddfZdeddfZ de ddfZ de ddfZ d eddfZd eddfZd eddfZd eddfZd eddfZddZeddZeddZdS)r@z7Enum of google-auth credential types managed by gcloud.rFruTrrrr cCs||_||_||_||_dS)aBuilds a credentials type instance given the credentials information. Args: type_id: string, ID for the credentials type, based on the enum constant value of the type. key: string, key of the credentials type, based on the enum constant value of the type. is_serializable: bool, whether the type of the credentials is serializable, based on the enum constant value of the type. is_user: bool, True if the credentials are of user account. False otherwise. Returns: CredentialTypeGoogleAuth, an instance of CredentialTypeGoogleAuth which is a gcloud internal representation of type of the google-auth credentials. Nr r#r#r#r$rys z!CredentialTypeGoogleAuth.__init__cCr$)z4Returns the credentials type based on the input key.)r@rgr%r&r#r#r$r's  z$CredentialTypeGoogleAuth.FromTypeKeycCst|tjr tjSt|tjrtjSt|tjr|jstj St|tjr*|jr*tj St|t jr3tj Sddl m}ddlm}t||jrHtjSt||jrQtjSt|dddur\tjStjS)zgoogle_auth_impersonatedrRr r;rKrNr rP google.oauth2rgooglecloudsdk.core.credentialsr8rCrError%)r/google_auth_service_accountgoogle_auth_p12_service_accountr#r#r$r:s2        z(CredentialTypeGoogleAuth.FromCredentialsN)rr r!r"r,r%r-ror.rEr/rCr0r1r2r>IMPERSONATED_ACCOUNT_CREDS_NAMErREXTERNAL_ACCOUNT_CREDS_NAMErK EXTERNAL_ACCOUNT_USER_CREDS_NAMErN+EXTERNAL_ACCOUNT_AUTHORIZED_USER_CREDS_NAMErPrrr'r:r#r#r#r$r@as$          r@cCst|}|tjkr0|j|j|j|jd}dD]}t||d}|r.t|t r*t |}|||<qn$|tj kr9|j }n|tj krP|j|jt|jd|jd}nt|tj|dddd S) zFGiven Oauth2client credentials return library independent json for it.)type client_id client_secretr)rinvalid revoke_uriscopesrrb user_agentrNascii) client_emailrB private_keypasswordTr,z:  sort_keysindent separators)r9r:rorgrCrDrrr,rrrEserialization_datarC_service_account_emailbase64 b64encoder(decode_private_key_passwordr&jsondumps)r creds_type creds_dictfieldrr#r#r$rs8        rcCs<t|}|tjkr|j|j|j|j|j|j|j d}nt|tj ks&|tj kr7|j }|j r6t|dr6|j|d<nY|tjkrN|j|j|j|j|j|j|jd}nB|tjkrd|j|j|j|jt|j|jd}n,|tjkr{|j|jt|jd|jd}n|tj kr|j|jd}nt!d "|j|j#|d <t$j%|d d d dS)zFGiven google-auth credentials, return library independent json for it.)rBrJprivate_key_idrKrCrb project_id interactiveexternal_account_id)rBaudiencerCrDr token_urltoken_info_url)rBrCrDrrFrGrbrI)rBrJrKrL)rBr=Google auth does not support serialization of {} credentials.rTTrrMrO)&r@r:rErgrr^rKrC _token_urir_rKrNinfois_workforce_poolr|rarPrbrDrrcrdro _REVOKE_URI_scopesrbrCrUrVprivate_key_pkcs12rWprivate_key_passwordr>r&rrTrYrZ)rr[r\r#r#r$rsj         rcCst|}tj|ddddS)aGiven google-auth credentials, return serialized json string. This method is added because google-auth credentials are not serializable natively. Args: credentials: google-auth credential object. Returns: Json string representation of the credential. TrrMrO)ToDictGoogleAuthrYrZ)rr\r#r#r$SerializeCredsGoogleAuth,s rnc st|}|jstd|jd|ji}ddt|DfddD}t|}|D]K}t||rxt ||}t |}|t j krH| d}n,t |tjr^zt|}Wnty]Yq-w|durtt|tjst|tttttttfvrtq-|||<q-|S)aGiven google-auth credentials, recursively return dict representation. This method is added because google-auth credentials are not serializable natively. Args: credentials: google-auth credential object. Returns: Dict representation of the credential. Raises: UnknownCredentialsType: An error for when we fail to determine the type of the credentials. rerBcSs"g|] }|ds|dvr|qS)__)signer_abc_negative_cache_version startswith.0attrr#r#r$ [s z$ToDictGoogleAuth..cs*g|]}|dr|ddvr|qS)rruNrrrt filtered_listr#r$rw`s z%m-%d-%Y %H:%M:%SN)r@r:r"r&rrgdirsortedr|rrBdatetimestrftime issubclassr2r3rmr,r string_typesintfloatboolrrdicttuple)rr[r\ attr_listrvvalval_typer#rxr$rm=s:         rmcCst|}t|d}t||d<|tjkr)tjj|t j d}t j |_ |_ |S|tjkr`tjd|d|d|dd|d|d|d |d |d |d |d |dd }|S|tjkrtjj|dt|d|d|dt j d}t j |_ |_ |St|d)zFReturns Oauth2client credentials from library independent json format.rBrbrGNrCrDrrHrFrrrGtoken_info_urir) rrCrDrrrbrHrFrrrGrrrJrKrL)rrkrlrbrG)rYloadsr9r'rhrErr+from_json_keyfile_dictr CLOUDSDK_SCOPESCLOUDSDK_USER_AGENTrH _user_agentrorr-rdrC_from_p12_keyfile_contentsrU b64decoder&) json_valuejson_keyrGcredr#r#r$rxsJ       rc Cst|}t|d}|tjkr@t||d<ddlm}|jj }||t j d}| d|_ | d|_| d|_t||S|tjkrit||d<dd lm}|jt|d|d |d |dt j d }|S|tjkrd |vr}t j|d<t j|d<zt| ddkrddlm}|jj|t j d}nS| ddur| d ddurddlm}| d d} |jj|t j d}|jr| drd|_t |d| dpdnddlm!} | jj|t j d}Wt'|SWt'|SWt'|St"t#t$j%fyt&dw|tj(kr3t j|d<t j|d<t j)|d<z t*j|}Wt'|St"t#t$j%fy2t&dw|tj+krWt||d<ddlm,} | jj-|| dd}|d|_.|S|tj/krut0j|d d!}| d"t1j2j3j4j5|_6d|_7|St8d#9|d)$aReturns google-auth credentials from library independent json format. The type of the credentials could be service account, external account (workload identity pool or workforce pool), external account authorized user (workforce), user account, p12 service account, or compute engine. Args: json_value: string, A string of the JSON representation of the credentials. Returns: google.auth.credentials.Credentials if the credentials type is supported by this method. Raises: UnknownCredentialsType: when the type of the credentials is not service account, user account or external account. InvalidCredentialsError: when the provided credentials are malformed or unsupported external account credentials. rBrbrrrrKr^rCr7rLrJ)rrbrG!service_account_impersonation_urlrDsubject_token_typez+urn:ietf:params:aws:token-type:aws4_request)awscredential_sourceN executable) pluggableinteractive_timeout_millisT_tokeninfo_usernamera) identity_poolzDThe provided external account credentials are invalid or unsupportedrGzTThe provided external account authorized user credentials are invalid or unsupported)google_auth_credentialsr)rrTz?Google auth does not support deserialization of {} credentials.):rYrr@r'rErhr:rr3from_service_account_infor rrdrKr^rCrnrCr;r8CreateP12ServiceAccountrUrrKCLOUDSDK_CLIENT_IDCLOUDSDK_CLIENT_NOTSOSECRET google.authr from_inforrhr`setattrr ValueError TypeErrorgoogle_auth_exceptions RefreshErrorr'$WrapGoogleAuthExternalAccountRefreshrP CLOUDSDK_EXTERNAL_ACCOUNT_SCOPESr rorfrom_authorized_user_inforfr>r5rrUrVrTrW_universe_domain_universe_domain_cachedr&r) rrrGr<service_account_credentialsrr8rrrr c_google_authr#r#r$rs                              rcs|jfdd}||_|S)aReturns a wrapped External Account credentials. We wrap the refresh method to make sure that any errors raised can be caught in a consistent way by downstream consumers. Args: cred: google.auth.credentials.Credentials Returns: google.auth.credentials.Credentials c s:z|WdStttjfy}zt|d}~wwr+)rrrr c_exceptionsTokenRefreshError)rrrr#r$r Bs  z=WrapGoogleAuthExternalAccountRefresh.._WrappedRefreshr)rr r#rr$r3s rcCs4t|}|p tj}t|t||}t||S)z$Get a sqlite-based Credential Store.)_GetSqliteStorer rrr PrivatizeFilerr)sqlite_credential_filesqlite_access_token_filerrrr#r#r$rLs  rcCs$|ptj}t|t|}|S)zFGet a sqlite-based Credential Store with using the access token cache.)r rcredentials_db_pathrrr)rrr#r#r$r^s  rcCs|tjjjtjjjfvSr+)rrUbillingCURRENT_PROJECTCURRENT_PROJECT_WITH_FALLBACK) quota_projectr#r#r$_QuotaProjectIsCurrentProjectgsrcCsd|durdStjjj}t|rt|rtjjjSdS|tjjj kr0|r.tjjjSdS|S)aGets the value to use for the X-Goog-User-Project header. Args: credentials: The credentials that are going to be used for requests. force_resource_quota: bool, If true, resource project quota will be used even if gcloud is set to use legacy mode for quota. This should be set when calling newer APIs that would not work without resource quota. Returns: str, The project id to send in the header or None to not populate the header. N) rrUrrr_rrBrVprojectLEGACY)rforce_resource_quotarr#r#r$GetQuotaProjectms rc@sTeZdZdZ   dddZeddZeddZdd d Zdd d Z d dZ dS)ADCz&Application default credential object.NcCrr+)r_impersonated_service_account _delegatesrj)rrimpersonated_service_account delegatesrGr#r#r$rs z ADC.__init__cCst|jo |jduSr+)rBrrrr#r#r$r;s z ADC.is_usercCst|j|j|j|jS)z/Json representation of the credentials for ADC.)_ConvertCredentialsToADCrrrrjrr#r#r$adcs zADC.adccCs|pt}t|j|S)z+Dumps the credentials to the ADC json file.)r ADCFilePath_DumpADCJsonToFiler)r file_pathr#r#r$ DumpADCToFiles  zADC.DumpADCToFilecCs@|jstd|p t}|st|jdd}||}t||S)zADumps the credentials and the quota project to the ADC json file.zoThe credential is not a user credential, so we cannot insert a quota project to application default credential.T)r)r;r(r rrr_ExtendADCWithQuotaProjectr)rrr extended_adcr#r#r$DumpExtendedADCToFiles   zADC.DumpExtendedADCToFilecCs*t|j}|r||t<|Std|S)z'Add quota_project_id field to ADC json.zCannot find a project to insert into application default credentials (ADC) as a quota project. Run $gcloud auth application-default set-quota-project to insert a quota project to ADC.)copydeepcopyrADC_QUOTA_PROJECT_FIELD_NAMEr r)rrrr#r#r$rs zADC._ExtendADCWithQuotaProject)NNNr+)NN) rr r!r"rpropertyr;rrrrr#r#r#r$rs      rc Csnztj|dddd}tj||ddWntjy0}ztj|ddtdt |d}~wwt j |S) zDumps ADC json object to file.TrrMrO)private)exc_infoz.Error saving Application Default Credentials: N) rYrZrWriteFileContentsrr debugr(r text_typeospathabspath)rrcontentsrr#r#r$rs  rc Csdt|}|tjtjfvrtdt||tjkr/t|j |j |j |j |j |j|j|j}|jS)zHConverts an oauth2client credentials to application default credentials.ICannot convert credentials of type {} to application default credentials.)r9r:rorEr)rrBrGoogleCredentialsrrCrDrrrbrHrFrS)rr[r#r#r$$_ConvertOauth2ClientCredentialsToADCs    rzNhttps://iamcredentials.{}/v1/projects/-/serviceAccounts/{}:generateAccessTokencCsjt|r t|}nt|}|s|St|dr|j}ntjjjj}|t |||p)gdd}|r3||d<|S)zr?r@rArr&r'r(r)r0r4r6r?rArBrDrHrLrOrQrSrXrarhrkrnrrobjectrs add_metaclassABCMetarrrrrrStoragerrrrrrEnumr9r@rrrnrmrrrrrrrrrrrrrrVALID_VERBOSITY_STRINGSrrr#r#r#r$s                         > Ls7W  9x &X)J;'  :  #&