NSrSSKJr SSKJr SSKJr SSKrSSKJr SSKJ r SSK J r SS K Jr SS K Jr SS KJr S rS r"SS\R(5r"SS\5r"SS\5r"SS\ R.\ R05r"SS\ R45rSSjrg)z,google-auth p12 service account credentials.)absolute_import)division)unicode_literalsN)_helpers)base)service_account) exceptions)log)encoding notasecretz2.5c\rSrSrSrSrg)Error#z!Base Error class for this module.N__name__ __module__ __qualname____firstlineno____doc____static_attributes__r:lib/googlecloudsdk/core/credentials/p12_service_account.pyrr#s)rrc\rSrSrSrSrg)MissingRequiredFieldsError'zDError when required fields are missing to construct p12 credentials.rNrrrrrr'sLrrc\rSrSrSrSrg)MissingDependencyError+z7Error when missing a dependency to use p12 credentials.rNrrrrrr+s?rrcH\rSrSrSrSr\S5rSr\ S Sj5r Sr g) PKCS12Signer/z@Signer for a p12 service account key based on pyca/cryptography.cXlgN_key)selfkeys r__init__PKCS12Signer.__init__2sIrcgr$rr's rkey_idPKCS12Signer.key_id6s rc[R"U5nSSKJn URR UUR UR5$)Nr)_cryptography_rsa)rto_bytesgoogle.auth.cryptr0r&sign_PADDING_SHA256)r'messager0s rr3PKCS12Signer.sign:s?(G3 99>>""!! ##rNcASU5up4SSKJn SSKJn UR X4UR 5S9un nU"U5$)Nc3N# UHn[R"U5v M g7fr$)rr1).0ks r +PKCS12Signer.from_string..EsF+QH--a00+s#%r)pkcs12)backends)backend),cryptography.hazmat.primitives.serializationr>cryptography.hazmatr?load_key_and_certificatesdefault_backend) cls key_stringsr- key_stringpasswordr>r?r(_s r from_stringPKCS12Signer.from_stringBsKF+FJC,00h&>&>&@1BICA s8Orr%r$) rrrrrr)propertyr-r3 classmethodrJrrrrr!r!/s7H  #rr!cR\rSrSrSrSr\S5r\S5r\ S Sj5r Sr g) CredentialsMagoogle-auth service account credentials using p12 keys. p12 keys are not supported by the google-auth service account credentials. gcloud uses oauth2client to support p12 key users. Since oauth2client was deprecated and bundling it is security concern, we decided to support p12 in gcloud codebase. We prefer not adding it to the google-auth library because p12 is not supported from the beginning by google-auth. GCP strongly suggests users to use the JSON format. gcloud has to support it to not break users. oauth2client uses PyOpenSSL to handle p12 keys. PyOpenSSL deprecated p12 support from version 20.0.0 and encourages to use pyca/cryptography for anything other than TLS connections. )service_account_email token_uriscopescUR$r$)_private_key_pkcs12r,s rprivate_key_pkcs12Credentials.private_key_pkcs12_s  # ##rcUR$r$)_private_key_passwordr,s rprivate_key_password Credentials.private_key_passwordcs  % %%rNc *U=(d [n[RX45nURVs/sH oUU;dM UPM nnU(a)[ SR SR U555eU"U40UD6nXlX'lU$s snf)NzMissing fields: {}.z, ) _DEFAULT_PASSWORDr!rJ_REQUIRED_FIELDSrformatjoinrUrY)rErGrHkwargssignerfmissing_fieldscredss r%from_service_account_pkcs12_keystring1Credentials.from_service_account_pkcs12_keystringgs ,,H  % %z&< =F!$!5!5I!5A&a!5NI &'<'C'C ))N #(% &&  !& !E !+"* LJs BBrr$) rrrrrr^rLrVrZrMrfrrrrrOrOMsO F $ $ & &6:rrOc F[R"S5 [R"X40UD6$![ag [ R "[RS5(d[SR[55e[SR[55ef=f)zCCreates a service account from a p12 key and handles import errors.z.p12 service account keys are not recommended unless it is necessary for backwards compatibility. Please switch to a newer .json service account key for this account.CLOUDSDK_PYTHON_SITEPACKAGESapyca/cryptography is not available. Please install or upgrade it to a version >= {} and set the environment variable CLOUDSDK_PYTHON_SITEPACKAGES to 1. If that does not work, see https://developers.google.com/cloud/sdk/crypto for details or consider using .json private key instead.zpyca/cryptography is not available or the version is < {}. Please install or upgrade it to a newer version. See https://developers.google.com/cloud/sdk/crypto for details or consider using .json private key instead.) r warningrOrf ImportErrorr GetEncodedValueosenvironrr__PYCA_CRYPTOGRAPHY_MIN_VERSION)rGrHras rCreateP12ServiceAccountrp~s++DE4  < < ( & (( 4  # #BJJ0N O O " : F1 2  44 # : F1 2  444s /A1B r$)r __future__rrrrm google.authrr2r crypt_base google.oauth2rgooglecloudsdk.corer r googlecloudsdk.core.utilr r]rorrrSignerFromServiceAccountMixinr!rOrprrrrys3&' 0)*#- !&*J  *MM@U@:$$j&H&H<./--.b4r