$SrSSKJr SSKJr SSKJr SSKrSSKrSSKrSSKrSSK r SSK r SSK r SSK r SSK r SSKrSSKJr SSKJr SSKJr SS KJr SS KJr SS KJr SS KJr SSKJr SS KJr SSKJr SSK J!r" SSK Jr# SSK J$r% SSK&J'r' SSK(J)r) SSK(J*r* SSK+J,r- SSK.r.Sr/Sr0Sr1Sr2Sr3Sr4Sr5Sr6Sr7Sr8Sr9S r:"S!S"\Rv5r;"S#S$\;5r<"S%S&\;5r="S'S(\;5r>"S)S*\;5r?S+r@S,rAS-rBS.rCS/rDS0rES1rFS2rGS3rHS4rIS5rJS6rKS7rLS8rMSjS9jrNS:rOS;rPS<rQ"S=S>\R5rS\.R"\R5"S?S@\R55rVSArW"SBSC\R5rX"SDSE\V5rYSFrZ"SGSH\R5r["SISJ\)R5r]"SKSL\R5r^SkSMjr_SlSNjr`"SOSP\V5raSmSQjrb"SRSS\ R5rd"STSU\ R5reSVrfSWrgSXrhSYriSZrjS[rkS\rlSmS]jrmSkS^jrnS_roSnS`jrp"SaSb\R5rqScrrSdrsSertSkSfjruSgrvSqw\RShrySirzg)oz Utilities to manage credentials.)absolute_import)division)unicode_literalsN)compute_engine credentials) exceptions)external_account) external_account_authorized_user)impersonated_credentials)config)log) properties)devshell) introspect)files)clientservice_account)gcequota_project_idz$https://oauth2.googleapis.com/revokeunknownauthorized_userrservice_account_p12rrimpersonated_accountr external_account_userr c\rSrSrSrSrg)ErrorDzExceptions for this module.N__name__ __module__ __qualname____firstlineno____doc____static_attributes__r ,lib/googlecloudsdk/core/credentials/creds.pyrrDs#r(rc\rSrSrSrSrg)UnknownCredentialsTypeHzCAn error for when we fail to determine the type of the credentials.r Nr!r r(r)r+r+HsKr(r+c\rSrSrSrSrg)InvalidCredentialsErrorLzGException for when the provided credentials are invalid or unsupported.r Nr!r r(r)r.r.LsOr(r.c\rSrSrSrSrg)CredentialFileSaveErrorPz4An error for when we fail to save a credential file.r Nr!r r(r)r1r1Ps>FFo  %%q o  %%r(Nc[RRRnU(a[ US5(a URnOUR 5nX2R :XaU$US-U-$)aCalculate the formatted account id. If the universe_domain is GDU, return the account_id as is; otherwise, return "account_id#universe_domain". Here the universe_domain value comes from the credentials if it's provided, otherwise it comes from the core/universe_domain property. Args: account_id: str, the account id or principal string. credentials: google.auth.credentials.Credentials, The optional credentials provided to derive the universe_domain value. Returns: str: The formatted account id. rhr)rrirjrhhasattrrtrk) account_idruniverse_domain_propertyrhs r)GetFormattedAccountId)_AccountIdFormatter.GetFormattedAccountId/sg" *0055EEw{,=>>#33o0446o:::  #  //r(r r7) r"r#r$r%r& staticmethodrrr'r r(r)rrs/ &&"00r(rc\rSrSrSr\R S5r\R S5r\R S5r \R S5r Sr g) CredentialStoreiMz(Abstract definition of credential store.c[$)zdGet all accounts that have credentials stored for the CloudSDK. Returns: {str}, Set of accounts. NotImplementedselfs r) GetAccountsCredentialStore.GetAccountsQs  r(c[$r7rrrs r)LoadCredentialStore.LoadZ r(c[$r7r)rrrs r)StoreCredentialStore.Store^rr(c[$r7rrs r)RemoveCredentialStore.Removebrr(r N) r"r#r$r%r&abcabstractmethodrrrrr'r r(r)rrMsk0r(rrc0\rSrSrSrSrSrSrSrSr g) _SqlCursoriiz'Context manager to access sqlite store.c,XlSUlSUlgr7) _store_file _connection_cursor)r store_files r)__init___SqlCursor.__init__ls!DDLr(c[R"URS[RSSS9UlURR 5UlU$)Ng@T)timeout detect_typesisolation_levelcheck_same_thread)sqlite3connectrPARSE_DECLTYPESrcursorrrs r) __enter___SqlCursor.__enter__qsM ,, D##**,DL Kr(czU(dURR5 URR5 gr7)rcommitclose)rexc_type unused_valueunused_tracebacks r)__exit___SqlCursor.__exit__s)  r(c4URR"U6$r7)rexecute)rargss r)Execute_SqlCursor.Executes <<   &&r()rrrN) r"r#r$r%r&rrrrr'r r(r)rris/  'r(rcL\rSrSrSrSrSrSrSrSr S Sjr S r S r S r g )SqliteCredentialStoreiz Sqllite backed credential store.c[U5UlURSR[55 [ R "5nURS5(dUR5 gg)NzICREATE TABLE IF NOT EXISTS "{}" (account_id TEXT PRIMARY KEY, value BLOB)cred_token_store_formatted) rr_Executeformat_CREDENTIAL_TABLE_NAMEr GetConfigStorertFormatAccountIdColumn)rr config_stores r)rSqliteCredentialStore.__init__s]j)DLMM 4 & ')((*L   8 9 9   " :r(cnURnUR"U6sSSS5 $!,(df  g=fr7rrrrcurs r)rSqliteCredentialStore._Executes!  [[$  s& 4cURnURSR[55R 5nUHnUSUSpTSU;dM[ U5n[ RXF5nXG:wdM;URSR[5U45 URSR[5Xu45 M [R"5nURSS5 S S S 5 g !,(df  g =f) zFormat the account id column. Before we introduce the formatted account id concept, the existing table uses the account id value as the key. Therefore we need to load the table and replace these account ids with formatted account ids. z"SELECT account_id, value FROM "{}"rrr%DELETE FROM "{}" WHERE account_id = ?z1INSERT INTO "{}" (account_id, value) VALUES (?,?)rTN) rrrrfetchallFromJsonGoogleAuthrrr rSet) rrtablerowrr{r;rrs r)r+SqliteCredentialStore.FormatAccountIdColumns kk . 5 56L M  # #AAI j $Y/%!4!J!J"  / KK7>>*   KKCJJ*&1  #0**,l3T:= sAC=#C==A7C== D cURn[5nURSR[55H-un[ R U5upEURU5 M/ SSS5 U$!,(df  W$=f)z>Get all accounts. Returns: set[str], A set of account ids. *SELECT account_id FROM "{}" ORDER BY rowidN)rsetrrrrradd)rraccountsrr_s r)r!SqliteCredentialStore.GetAccountss| h%([[ 6 = =$ & !  ,II    Z &  O  Os A A77 Bc8[R"[5nURnUR SR [ 55H0n[RUS5upEXRU5 M2 SSS5 U$!,(df  U$=f)zGet all accounts and their corresponding universe domains. Returns: collections.defaultdict, A dictionary where the key is the account_id and the value is the universe domain list. rrN) collections defaultdictlistrrrrrrappend)r accounts_dictrrrrhs r)GetAccountsWithUniverseDomain3SqliteCredentialStore.GetAccountsWithUniverseDomains ++D1M "%++ 6 = =$ #  = =$Q'  $ !((9#    s AB  Bc *U(d[URnURSR[5U45R 5nSSS5 Wcg[ US5$URnURSR[5XS-45R 5nSSS5 W(dg[RRRn/nSnUHMup[RU 5upURU 5 XR5:XdMB[U5nMO U(d7[!SRUUR5SR#U5S95eU$!,(df  GN0=f!,(df  N=f) aLoad the credentials for the account_id. Args: account_id: str, The account_id of the credential to load. use_google_auth: bool, Whether google-auth lib should be used. Default is True. Returns: google.auth.credentials.Credentials or client.OAuth2Credentials, The loaded credentials. Raises: googlecloudsdk.core.credentials.creds.InvalidCredentialsError: If problem happens when loading credentials. z+SELECT value FROM "{}" WHERE account_id = ?NrzLSELECT account_id, value FROM "{}" WHERE account_id = ? OR account_id LIKE ?z#%a^The account [{account_id}] is available in the following universe domain(s): [{universe_domains}], but it is not available in [{universe_property}] which is specified by the [core/universe_domain] property. Update your active account to an account from {universe_property} or update the [core/universe_domain] property to one of [{universe_domains}].z, )runiverse_propertyuniverse_domains)rrrrfetchoneFromJsonrrrirjrhrrrrtrr.join) rruse_google_authrr{rrrr;rrrhs r)rSqliteCredentialStore.Loads{  <<3KK 9 @ @& M  (*     il ## kk %v&<= D( )      )0055EE E+0'.LL ao. 88: :"9- ,1  # M 6# 8 < < > ${{+;<     Lc < s5E2/8F2 F Fc[U5(a2[U5nURSR[5X45 g[ U5n[ RX5nURSR[5XC45 g)zStores the input credentials to the record of account_id in the cache. Args: account_id: string, the account ID of the input credentials. credentials: google.auth.credentials.Credentials or client.OAuth2Credentials, the credentials to be stored. z2REPLACE INTO "{}" (account_id, value) VALUES (?,?)N)r<ToJsonrrrToJsonGoogleAuthrr)rrrvaluers r)rSqliteCredentialStore.Store.s!--[!e mm > E E$    {+e0FF  mm > E E$  ' r(c|[RUS5nURSR[5U45 g)Nr)rrrrr)rrrs r)rSqliteCredentialStore.RemoveJs;.DDD MM/667MN r()rNT)r"r#r$r%r&rrrrrrrrr'r r(r)rrs0(# %;N&,BH8r(r access_tokensc:\rSrSrSrS SjrSrSrSrSr Sr g ) AccessTokenCacheiWaSqlite implementation of for access token cache. AccessTokenCache uses formatted_account_id instead of account_id in its APIs. The reason is that AccessTokenCache is used by AccessTokenStoreGoogleAuth, which is tied to a specific credential object. Either we let AccessTokenStoreGoogleAuth pass the credential's universe_domain to AccessTokenCache, or pass the formatted account id (which contains universe_domain). The latter is better since it is backward compatible and there is no need to introduce a new universe_domain parameter to all AccessTokenCache Load/Store/Remove APIs. See go/gcloud-multi-universe-auth-cache section 3.2, 3.3 for more details. c>X l[U5UlURSR [ 55 URSR [ 55 g![ Ra' URSR [ 55 gf=f)NzCREATE TABLE IF NOT EXISTS "{}" (account_id TEXT PRIMARY KEY, access_token TEXT, token_expiry TIMESTAMP, rapt_token TEXT, id_token TEXT)z!SELECT id_token FROM "{}" LIMIT 1z)ALTER TABLE "{}" ADD COLUMN id_token TEXT)_cache_only_raptrrrr_ACCESS_TOKEN_TABLErOperationalError)rrcache_only_rapts r)rAccessTokenCache.__init__es+j)DLMM    34 6  mm - 4 45H IK  # #  mm?FF   s$A!!8BBcnURnUR"U6 SSS5 g!,(df  g=fr7rrs r)rAccessTokenCache._Executeys!  kk4 s& 4cURnURSR[5U45R 5sSSS5 $!,(df  g=f)zLoad the tokens from the access token cache. Args: formatted_account_id: str, The formatted account id. Returns: tuple: The access_token, token_expiry, rapt_token, id_token tuple. zVSELECT access_token, token_expiry, rapt_token, id_token FROM "{}" WHERE account_id = ?N)rrrrr)rrrs r)rAccessTokenCache.Load}sB  [[ ++162E+F  !  s 4A  AcbUR(a$URU5nU(aUup#puOSnSnSnURSR[5UUUUU45 g![ R a8n[R"SR[U555 SnAgSnAff=f)a;Stores the tokens into the access token cache. Args: formatted_account_id: str, The formatted account id. access_token: str, The access token string to store. token_expiry: datetime.datetime, The token expiry. rapt_token: str, The rapt token string to store. id_token: str, The ID token string to store. NzcREPLACE INTO "{}" (account_id, access_token, token_expiry, rapt_token, id_token) VALUES (?,?,?,?,?)z)Could not store access token in cache: {}) rrrrrrrrwarningstr) rr access_token token_expiry rapt_tokenid_tokenresultres r)rAccessTokenCache.Stores( yy-.f 28/ Ax  N mm %v&9:"    # #N kk=DDSVLMMNs*A""B.6.B))B.cURSR[5U45 g![Ra8n[ R "SR[U555 SnAgSnAff=f)zxRemoves the tokens from the access token cache. Args: formatted_account_id: str, The formatted account id to remove. rz,Could not delete access token from cache: {}N)rrrrrrrr)rrr!s r)rAccessTokenCache.Removesb Q mm 1 8 89L M  !  # #Q kk@GGAOPPQs&)A5.A00A5)rrNF) r"r#r$r%r&rrrrrr'r r(r)rrWs#  ( ,N\ Qr(rc>^\rSrSrSrU4SjrSrSrSrSr U=r $)AccessTokenStoreiaOauth2client adapted for access token cache. This class works with Oauth2client model where access token is part of credential serialization format and get captured as part of that. By extending client.Storage this class pretends to serialize credentials, but only serializes access token. When fetching the more recent credentials from the cache, this does not return token_response, as it is now out of date. cL>[[U] SS9 XlX lX0lg)aSets up token store for given acount. Args: access_token_cache: AccessTokenCache, cache for access tokens. account_id: str, account for which token is stored. credentials: oauth2client.client.OAuth2Credentials, they are auto-updated with cached access token. N)lock)superr'r_access_token_cache _account_id _credentials)raccess_token_cacherr __class__s r)rAccessTokenStore.__init__s* D**51!#r(c$URRUR5nU(aYUup#pEX RlX0RlUbX@RlXPRlSURlUR$r7) r+rr,r-rrr id_tokenb64token_responser token_datarrrrs r) locked_getAccessTokenStore.locked_gets{))..t/?/?@J9C6l*'3$'3$  '1$&.#)-d&   r(c X[URS5(a'URRRSS5nOSnURR UR URRURR[URSS5U5 g)Nr3rr) getattrr-r3ryr+rr,rr)rrrs r) locked_putAccessTokenStore.locked_putst  "233""1155j$Ghh""  && &&!!<6 r(cNURRUR5 gr7)r+rr,rs r) locked_deleteAccessTokenStore.locked_deletes##D$4$45r()r+r,r-) r"r#r$r%r&rr6r:r=r' __classcell__)r/s@r)r'r's!  $  66r(r'c0\rSrSrSrSrSrSrSrSr g) AccessTokenStoreGoogleAuthizgoogle-auth adapted for access token cache. This class works with google-auth credentials and serializes its short lived tokens, including access token, token expiry, rapt token, id token into the access token cache. cPXl[RX#5UlX0lg)aSets up token store for given account. Args: access_token_cache: AccessTokenCache, cache for access tokens. account_id: str, account for which token is stored. credentials: google.auth.credentials.Credentials, credentials of account of account_id. N)r+rr_formatted_account_idr-)rr.rrs r)r#AccessTokenStoreGoogleAuth.__init__ s( 2!4!J!J"D$r(cURRUR5nU(aUup#pE[UR5(a4SURlSURlSURlO0X RlX0RlX@RlXPRlXPRl UR$)aGets credentials with short lived tokens from the internal cache. Retrieves the short lived tokens from the internal access token cache, populates the credentials with these tokens and returns the credentials. Returns: google.auth.credentials.Credentials N) r+rrCrr-tokenexpiry _rapt_token _id_tokenr2r4s r)rtAccessTokenStoreGoogleAuth.Gets))..t/I/IJJ9C6l* $++ , ,#'#' (,%".#/ (2% %-!&.#   r(c[URSS5=(d [URSS5n[URSS5n[URSS5n[URSS5n[UR5(a7SnSnSnURR UR 5nU(aUupBp6URR UR XBX15 g)zEPuts the short lived tokens of the credentials to the internal cache.r2NrIrGrrF)r9r-rr+rrCr)rrrGrrr5rs r)PutAccessTokenStoreGoogleAuth.Put6st((->' ;CHT&&$ 7F**L$?J4,,gt$>?r()r+r-rCN) r"r#r$r%r&rrtrLrOr'r r(r)rArAs $<8@r(rAcURbU$[USS5nU(dB[R"[R "UR 55R5n[U=(d [R"5R5n[X2U5nURU5 UR5$)aAttaches access token cache to given credentials if no store set. Note that credentials themselves will not be persisted only access token. Use this whenever access token caching is desired, yet credentials themselves should not be persisted. Args: credentials: oauth2client.client.OAuth2Credentials. access_token_file: str, optional path to use for access token storage. Returns: oauth2client.client.OAuth2Credentials, reloaded credentials. Nservice_account_email)storer9hashlibsha256six ensure_binary refresh_token hexdigestrr Pathsaccess_token_db_pathr' set_storery)raccess_token_filerr.rSs r) MaybeAttachAccessTokenCacheStorer^Ws" {$;TB*  1 1!!!#$$-IK(>6<<>>>@ -; G%  r(c>^^^[TSS5nU(dU[T[R5(d[T[R5(a[ R "T5nOIU(dB[R"[R"TR55R5n[U=(d [R"5R US9n[#XCT5mTR%5mTR&mUUU4SjnUTlT$)aAttaches access token cache to given credentials if no store set. Note that credentials themselves will not be persisted only access token. Use this whenever access token caching is desired, yet credentials themselves should not be persisted. For external account and external account authorized user non-impersonated credentials, the provided credentials should have been instantiated with the client_id and client_secret in order to retrieve the account ID from the 3PI token instrospection endpoint. Args: credentials: google.auth.credentials.Credentials. access_token_file: str, optional path to use for access token storage. cache_only_rapt: bool, True to only cache RAPT token. Returns: google.auth.credentials.Credentials, reloaded credentials. rRN)rcZ>T"U5 [TSS5TlTR5 g)NrI)r9r2rL)requestr orig_refreshrSs r)_WrappedRefreshCMaybeAttachAccessTokenCacheStoreGoogleAuth.._WrappedRefreshs'%k;EK IIKr()r9r8google_auth_external_accountr?,google_auth_external_account_authorized_user c_introspectGetExternalAccountIdrTrUrVrWrXrYrr rZr[rArtrefresh)rr]rrr.rcrbrSs` @@r)*MaybeAttachAccessTokenCacheStoreGoogleAuthrjts,{$;TB* :FFGG=IIKK22;?J  1 1!!!#$$-IK(>6<<>>>% %%7%0 2% +$$,(+ r(cF\rSrSrSrSrSrSrSrS Sjr Sr S r S r g ) CredentialStoreWithCacheiaImplements CredentialStore for caching credentials information. Static credentials information, such as client ID and service account email, are stored in credentials.db. The short lived credentials tokens, such as access token, are cached in access_tokens.db. cXlX lg)a2Sets up credentials store for caching credentials. Args: credential_store: SqliteCredentialStore, for caching static credentials information, such as client ID, service account email, etc. access_token_cache: AccessTokenCache, for caching short lived credentials tokens, such as access token. N)_credential_storer+)rcredential_storer.s r)r!CredentialStoreWithCache.__init__s.1r(c<^^URmUU4SjnX1lU$)aWraps the refresh method of credentials with auto caching logic. For auto caching short lived tokens of google-auth credentials, such as access token, on credentials refresh. Args: credentials: google.auth.credentials.Credentials, the credentials updated by this method. store: AccessTokenStoreGoogleAuth, the store that caches the tokens of the input credentials. Returns: google.auth.credentials.Credentials, the updated credentials. c6>T"U5 TR5 gr7)rL)rarbrSs r)rcXCredentialStoreWithCache._WrapCredentialsRefreshWithAutoCaching.._WrappedRefreshs7 iikr(ri)rrrSrcrbs ` @r)&_WrapCredentialsRefreshWithAutoCaching?CredentialStoreWithCache._WrapCredentialsRefreshWithAutoCachings#&&L * r(c6URR5$)z-Returns all the accounts stored in the cache.)rnrrs r)r$CredentialStoreWithCache.GetAccountss  ! ! - - //r(c6URR5$)zHReturns all the accounts stored in the cache with their universe domain.)rnrrs r)r6CredentialStoreWithCache.GetAccountsWithUniverseDomains  ! ! ? ? AAr(c@URRX5nUcg[U5(a8[URUU5nUR U5 UR 5$[URUU5nUR5nURX45$)aLoads the credentials of account_id from the cache. Args: account_id: string, ID of the account to load. use_google_auth: bool, True to load google-auth credentials if the type of the credentials is supported by the cache. False to load oauth2client credentials. Returns: 1. None, if credentials are not found in the cache. 2. google.auth.credentials.Credentials, if use_google_auth is true. 3. client.OAuth2Credentials. N) rnrr<r'r+r\ryrArtru)rrrrrSs r)rCredentialStoreWithCache.Loads((--jJK !--t77*,eE" YY[()A)A:)46eIIKk 8 8 LLr(c[U5(a:[URUU5nURU5 UR U5 O'[ URUU5nUR 5 URRX5 g)aStores credentials into the cache with account of account_id. Args: account_id: string, the account that will be associated with credentials in the cache. credentials: google.auth.credentials.Credentials or client.OAuth2Credentials, the credentials to be stored. N) r<r'r+r\putrArLrnr)rrrrSs r)rCredentialStoreWithCache.Storesv!--t77*,eE" ii ()A)A:)46e iik   9r(cURRU5 URR[R U55 g)z1Removes credentials of account_id from the cache.N)rnrr+rrrs r)rCredentialStoreWithCache.Removes8!!*-##11*=r()r+rnNr ) r"r#r$r%r&rrurrrrrr'r r(r)rlrls- 240B MD:.r(rlc[XU5$)aConstructs credential store. Args: store_file: str, optional path to use for storage. If not specified config.Paths().credentials_path will be used. access_token_file: str, optional path to use for access token storage. Note that some implementations use store_file to also store access_tokens, in which case this argument is ignored. cache_only_rapt: bool, True to only cache RAPT token. Returns: CredentialStore object. )_GetSqliteStoreWithCache)rr]rs r)GetCredentialStorer$s$ "_ r(c\rSrSrSrS\SS4rS\SS4rS\ SS4r S\ SS4r S \ SS4rS \SS4rS r\S 5r\S 5rSrg)rFi;z8Enum of oauth2client credential types managed by gcloud.rFrTc4XlX lX0lX@lgr7type_idr|is_serializablerHrrr|rrHs r)rCredentialType.__init__EsLH*Lr(cd[HnURU:XdMUs $ [R$r7)rFr|UNKNOWNr|rXs r) FromTypeKeyCredentialType.FromTypeKeyMs,# # $  ! !!r(cV[U[R5(a[R$[U[ R 5(a.[USS5b[R$[R$[USS5b[R$[R$)N_private_key_pkcs12rX) r8oauth2client_gceAppAssertionCredentialsrFrKrServiceAccountCredentialsr9rSrVrrr:s r)rGCredentialType.FromCredentialsTs%)AABB   %BBCC -t 4 @111  + ++uot,8  ( ((  ! !!r(rrHr|rN)r"r#r$r%r&UNKNOWN_CREDS_NAMErUSER_ACCOUNT_CREDS_NAMErSERVICE_ACCOUNT_CREDS_NAMErVP12_SERVICE_ACCOUNT_CREDS_NAMErSDEVSHELL_CREDS_NAMEDEVSHELLGCE_CREDS_NAMErKrrrrGr'r r(r)rFrF;s@ "E5 1',dD9,2D%@/:D%H$eT 2( NE5)#""  " "r(rFc\rSrSrSrS\SS4rS\SS4rS\ SS4r S\ SS4r S \ SS4rS \SS4rS \SS4rS \SS4rS \SS4rS\SS4rSr\S5r\S5rSrg)rNiaz7Enum of google-auth credential types managed by gcloud.rFrTrrrr c4XlX lX0lX@lg)aBuilds a credentials type instance given the credentials information. Args: type_id: string, ID for the credentials type, based on the enum constant value of the type. key: string, key of the credentials type, based on the enum constant value of the type. is_serializable: bool, whether the type of the credentials is serializable, based on the enum constant value of the type. is_user: bool, True if the credentials are of user account. False otherwise. Returns: CredentialTypeGoogleAuth, an instance of CredentialTypeGoogleAuth which is a gcloud internal representation of type of the google-auth credentials. Nrrs r)r!CredentialTypeGoogleAuth.__init__ys$LH*Lr(cd[HnURU:XdMUs $ [R$)z4Returns the credentials type based on the input key.)rNr|rrs r)r$CredentialTypeGoogleAuth.FromTypeKeys.. # . $ + ++r(c8[U[R5(a[R$[U[ R5(a[R $[U[R5(a!UR(d[R$[U[R5(a!UR(a[R$[U[R5(a[R$SSK Jn SSKJn [XR5(a[R"$[XR5(a[R$$['USS5b[R($[R*$)z> % : ::56BBCC MM % 6 6656BBCC % ; ;;5?KK M M % F FFMf%DDEE % 9 99%@@AA % 5 55uot,8 % 2 22 # + ++r(rN)r"r#r$r%r&rrrrrrVrrSrrrrKIMPERSONATED_ACCOUNT_CREDS_NAMEreEXTERNAL_ACCOUNT_CREDS_NAMEr\ EXTERNAL_ACCOUNT_USER_CREDS_NAMEr_+EXTERNAL_ACCOUNT_AUTHORIZED_USER_CREDS_NAMErbrrrrGr'r r(r)rNrNas? "E5 1',dD9,2D%@/:E5I$dD 1( ND%(#dK  4dD&B"2,,,,r(rNc[RU5nU[R:XarURURUR UR S.nSH<n[XS5nU(dM[U[5(a [U5nXBU'M> OU[R:Xa URnOrU[R:XaSURUR[R "UR"5R%S5UR&S.nO [)U5e[*R,"USSSS 9$) zFGiven Oauth2client credentials return library independent json for it.)type client_id client_secretrX)rinvalid revoke_uriscopesr3 token_uri user_agentrNascii) client_emailr private_keypasswordTr,z:  sort_keysindent separators)rFrGrr|rrrXr9r8rrrVserialization_datarS_service_account_emailbase64 b64encoderdecode_private_key_passwordr+jsondumps)r creds_type creds_dictfieldrs r)rrs--k:*>... **$22$22 JMk$/e  eS ! !u+%!5M^333//J^777$::(()H)HI55 J ! ,, J$ 66r(c[RU5nU[R:XaRURURUR UR URURURS.nGOU[R:XdU[R:Xa?URnUR(a [US5(aURUS'GO~U[R :XaRURUR"URUR$UR&UR(UR*S.nGOU[R,:XaKURURUR$UR&[.UR0UR2S.nOU[R4:XaSURUR[6R8"UR:5R=S5UR>S.nORU[R@:XaURURS.nO$[CS REUR55eURFUS '[HRJ"US S S S9$)zFGiven google-auth credentials, return library independent json for it.)rrprivate_key_idrrr project_id interactiveexternal_account_id)raudiencerrrX token_urltoken_info_url)rrrrXrrrr)rrrr)rrR=Google auth does not support serialization of {} credentials.rhTrrr)&rNrGrVr|rRrrr _token_urirr\r_infois_workforce_poolrrrbrrrXrrr _REVOKE_URI_scopesrrSrrprivate_key_pkcs12rprivate_key_passwordrKr+rrhrr)rrrs r)rrs,'77 D*+;;;#99%44".. **!++!,, J .???.DDD!!J$$m)L)L*5*I*Ij&'-NNN(( **$22$22 **%44J-::: **$22$22!%% **J-AAA#99   k<< = D DW M44 J-111!,!B!BJ !GNN NN   #."="=*  D{ DDr(cF[U5n[R"USSSS9$)aGiven google-auth credentials, return serialized json string. This method is added because google-auth credentials are not serializable natively. Args: credentials: google-auth credential object. Returns: Json string representation of the credential. Trrr)ToDictGoogleAuthrr)rrs r)SerializeCredsGoogleAuthr,s* ,* D{ DDr(c [RU5nUR(d$[SR UR 55eSUR 0n[ U5Vs/sH%nURS5(aMUS;dM#UPM' nnUVs/sH&nURS5(a USSU;dM$UPM( nn[U5nUHn[X5(dM[X5n[U5nU[R:XaURS5nOy[U[R 5(a [#U5nOMUbJ[%U[&R(5(d+U[*[,[.[0[2[4[64;aMXbU'M U$s snfs snf![a Mf=f) amGiven google-auth credentials, recursively return dict representation. This method is added because google-auth credentials are not serializable natively. Args: credentials: google-auth credential object. Returns: Dict representation of the credential. Raises: UnknownCredentialsType: An error for when we fail to determine the type of the credentials. rr__)signer_abc_negative_cache_versionrrNz%m-%d-%Y %H:%M:%S)rNrGrr+rr|dir startswithsortedrr9rdatetimestrftime issubclassr>r?rr8rV string_typesintfloatboolrrdicttuple)rrrattr filtered_list attr_listvalval_types r)rr=s (77 D*  # # GNN NN   '*%( $4J$4D//$/HH$4-J !.M ooc**d12hm.K )MY)d{!! K &cch X&& &ll./ h 1 = = > >  %# OJsC4D4D$E$E S%sD$F F!$ 5J M&   s0&F(F( F(#F-?F- F22 G?Gc[R"U5n[RUS5n[ U5US'U[R :XaJ[ RRU[RS9n[R=Ul Ul U$U[R:Xa[R "SUSUSUSSUR#S5UR#S5UR#S 5UR#S 5UR#S 5UR#S 5UR#S 5UR#S5S9 nU$U[R$:Xam[ RR'US[(R*"US5USUS[RS9n[R=Ul Ul U$[-US5e)zFReturns Oauth2client credentials from library independent json format.rrrNrrrXrrrr3rtoken_info_urir) rrrrXrrrrrr3rrrrrr)rRrrrr)rloadsrFrr}rVrrfrom_json_keyfile_dictr CLOUDSDK_SCOPESCLOUDSDK_USER_AGENTr _user_agentrrr9ryrS_from_p12_keyfile_contentsr b64decoder+) json_valuejson_keyrXcreds r)rrxs ZZ #(((&)9:)7A(;.000  4 4 K K// L 1D)/)C)CCDOd&8 +7N///  # #;'//,,{+<< -<< -j)||$45||H%||$45<< - D4 +N666  4 4 O O&~6!++H],CD%j1;'%% P 'D *0)C)CCDOd& + !&!1 22r(c, [R"U5n[RUS5nU[R:Xa[ U5US'SSKJn URRnU"U[RS9nURS5Ul URS5UlURS5Ul[!U5 U$U[R":XaW[ U5US'SS KJn UR)[*R,"US5US US US[RS 9nU$U[R.:XGaS U;a&[R0US'[R2US'URS5S:Xa0SSKJn URR9U[RS9nGOURS5bURS5RS5bSSKJn URS5RS5n URR9U[RS9nUR<(aBU RS5(a,SUl[AUSURS5=(d S5 O/SSKJ!n U RR9U[RS9n[OU5$U[RP:Xad[R0US'[R2US'[RRUS'[TRR9U5n[OU5$U[RV:XaH[ U5US'SSKJ,n U RR[XRS5S9nUSUl.U$U[R^:Xac[`R"USS 9nURS![bRdRfRhRj5Ul6SUl7U$[qS"RsUS55e![D[F[HRJ4a [MS5ef=f![D[F[HRJ4a [MS5ef=f)#aReturns google-auth credentials from library independent json format. The type of the credentials could be service account, external account (workload identity pool or workforce pool), external account authorized user (workforce), user account, p12 service account, or compute engine. Args: json_value: string, A string of the JSON representation of the credentials. Returns: google.auth.credentials.Credentials if the credentials type is supported by this method. Raises: UnknownCredentialsType: when the type of the credentials is not service account, user account or external account. InvalidCredentialsError: when the provided credentials are malformed or unsupported external account credentials. rrrrrrrrrrr)rRrr!service_account_impersonation_urlrsubject_token_typez+urn:ietf:params:aws:token-type:aws4_request)awscredential_source executable) pluggableinteractive_timeout_millisT_tokeninfo_usernamer) identity_poolzDThe provided external account credentials are invalid or unsupportedrzTThe provided external account authorized user credentials are invalid or unsupported)google_auth_credentialsrR)rRrhz?Google auth does not support deserialization of {} credentials.):rrrNrrVr}rrr?from_service_account_infor rryrrrrrSrrCreateP12ServiceAccountrrr\CLOUDSDK_CLIENT_IDCLOUDSDK_CLIENT_NOTSOSECRET google.authr from_inforrrsetattrr ValueError TypeErrorgoogle_auth_exceptions RefreshErrorr.$WrapGoogleAuthExternalAccountRefreshrb CLOUDSDK_EXTERNAL_ACCOUNT_SCOPESrfrrfrom_authorized_user_inforrKrBrrirjrhrk_universe_domain_universe_domain_cachedr+r) r r rXrservice_account_credentialsr rrrrr c_google_auths r)rrsI(ZZ #(&228F3CD)*:::9(CH[M $//II &x8N8N OD ||M2D",,'78D\\+.DN#D) K*>>>9(CH[C  6 6-01&~6;'%% 7 'D K*;;;+(:$77h{"("D"Dh * G H $(( V33)5 LL, - 9 LL, - 1 1, ? K)\\"56::<H $$.. V33/5  ! !jnn ('*'*!$  $-,,45; = .((22 V3335 0 55*KKK#55H[ & B BH_@@HX$ 9 E E O O d 0 55*7779(CH[Y  $ $ > >h/ ? 1D{+DO K*... % 1 1&'>? D%LL:,,11AAIID $(D KGNN 6  m  #9#F#F G #  ,  #9#F#F G$ # # $$$s&>AP:CP:.P: Q(:+Q%(+Rc8^URmU4SjnXlU$)aReturns a wrapped External Account credentials. We wrap the refresh method to make sure that any errors raised can be caught in a consistent way by downstream consumers. Args: cred: google.auth.credentials.Credentials Returns: google.auth.credentials.Credentials c>T"U5 g![[[R4an[R "U5eSnAff=fr7)rr r!r" c_exceptionsTokenRefreshError)rar!rbs r)rc=WrapGoogleAuthExternalAccountRefresh.._WrappedRefreshBs?.7  #9#F#F G.  * *1 --.s AAArt)r rcrbs @r)r#r#3s,. !, +r(c[U5nU=(d [R"5Rn[R "U5 [ X5n[X45$)z$Get a sqlite-based Credential Store.)_GetSqliteStorer rZr[r PrivatizeFilerrl)sqlite_credential_filesqlite_access_token_filerror.s r)rrLsX%%;<6B$llnAA./' ""2 GGr(cU=(d [R"5Rn[R"U5 [ U5nU$)zFGet a sqlite-based Credential Store with using the access token cache.)r rZcredentials_db_pathrr1r)r2ros r)r0r0^s?2?"LLN>>,-*+AB r(cU[RRR[RRR4;$r7)rribillingCURRENT_PROJECTCURRENT_PROJECT_WITH_FALLBACK) quota_projects r)_QuotaProjectIsCurrentProjectr;gs> //==? ??r(cUcg[RRRR 5n[ U5(aC[ U5(a2[RRRR 5$gU[RRR:Xa:U(a2[RRRR 5$gU$)aGets the value to use for the X-Goog-User-Project header. Args: credentials: The credentials that are going to be used for requests. force_resource_quota: bool, If true, resource project quota will be used even if gcloud is set to use legacy mode for quota. This should be set when calling newer APIs that would not work without resource quota. Returns: str, The project id to send in the header or None to not populate the header. N) rrir7r:rtr;rQrjprojectLEGACY)rforce_resource_quotar:s r)GetQuotaProjectr@ms ##++99==?-"=11 ,,    # # + + / / 11 ))11888    # # + + / / 11  r(cb\rSrSrSrS Sjr\S5r\S5rS Sjr S Sjr S r S r g)ADCiz&Application default credential object.Nc4XlX lX0lX@lgr7)r-_impersonated_service_account _delegatesr)rrimpersonated_service_account delegatesrs r)r ADC.__init__s $)E&OLr(cV[UR5=(a URSL$r7)rQr-rDrs r)rH ADC.is_users( $T%6%6 7 7  . .$ 68r(cn[URURURUR5$)z/Json representation of the credentials for ADC.)_ConvertCredentialsToADCr-rDrErrs r)adcADC.adcs0 $D$5$5$($F$F$(OO$(LL 22r(cjU=(d [R"5n[URU5$)z+Dumps the credentials to the ADC json file.)r ADCFilePath_DumpADCJsonToFilerM)r file_paths r) DumpADCToFileADC.DumpADCToFiles&1V//1I dhh 22r(cUR(d [S5eU=(d [R"5nU(d[ UR SS9nUR U5n[X15$)zADumps the credentials and the quota project to the ADC json file.zoThe credential is not a user credential, so we cannot insert a quota project to application default credential.T)r?)rHr1r rPr@r-_ExtendADCWithQuotaProjectrQ)rrRr: extended_adcs r)DumpExtendedADCToFileADC.DumpExtendedADCToFilesc << # = >>1V//1I %   $8m22=AL l 66r(c[R"UR5nU(a X['U$[R "S5 U$)z'Add quota_project_id field to ADC json.zCannot find a project to insert into application default credentials (ADC) as a quota project. Run $gcloud auth application-default set-quota-project to insert a quota project to ADC.)copydeepcopyrMADC_QUOTA_PROJECT_FIELD_NAMErr)rr:rWs r)rVADC._ExtendADCWithQuotaProjectsC==*L3@/0   kk "# r()r-rErDr)NNNr7)NN) r"r#r$r%r&rpropertyrHrMrSrXrVr'r r(r)rBrBsL.-1  8 8 2 23 7 r(rBc@[R"USSSS9n[R"XSS9 [RRU5$![Ra<n[ R "USS9 [S[R"U5-5eSnAff=f) zDumps ADC json object to file.Trrr)private)exc_infoz.Error saving Application Default Credentials: N) rrrWriteFileContentsrrdebugr1rV text_typeospathabspath)rMrRcontentsr!s r)rQrQsMzz#aKPH I>  ## MIIa$ !83==;KK MMMs,A B!7BBc [RU5nU[R[R4;a#[ SR [ U555eU[R:Xam[R"URURURURURURURUR 5nUR"$)zHConverts an oauth2client credentials to application default credentials.ICannot convert credentials of type {} to application default credentials.)rFrGrrVr4rrrGoogleCredentialsrrrrXrrrrr)rrs r)$_ConvertOauth2ClientCredentialsToADCrms--k:*33&6688 **0&k1B*C EE>...**  +"7"7!!;#<#<  +"7"79O9O  K  ' ''r(zNhttps://iamcredentials.{}/v1/projects/-/serviceAccounts/{}:generateAccessTokenc\[U5(a [U5nO [U5nU(dU$[US5(a URnO.[ R RRRnU[RUU5U=(d /SS.nU(aX6S'U$)zr r!r rer rfr rgooglecloudsdk.corer rrrrrIr,rrggooglecloudsdk.core.utilr oauth2clientrroauth2client.contribrrrVr]rrrrrrrrrrrrr+r.r1r4r<r@rCrLrOrQrTrYr]r`rcrfrlrvr}rrrobjectr add_metaclassABCMetarrrrrrStorager'rAr^rjrlrEnumrFrNrrrrrrr#rr0r;r@rBrQrmrqrLrpr~VALID_VERBOSITY_STRINGSrrr r(r)rs '&'    D8<HhL&*#*BFF*(8 14 +.!6 "80#: .P+$J  $LULPeP=e=BuB5:C6. G.@"6( (;0&;0|3;;f 0'''@HOHV&pQvpQf46v~~46nS@S@n8<<:?6rttp.#"TYY#"LU,tyyU,p&6RGDTD"8v$NQh4 !H$? <7&7t $ ( k04 !F#CL--f5 r(