o .@s@dZddlmZddlmZddlmZddlZddlZddlZddlZddl Z ddl Z ddl m Z ddl Z ddlmZddlmZdd lmZdd lmZdd lmZdd lmZdd lmZddlmZddlmZddlmZ ddl!m"Z"ddl!m#Z#ddl!m$Z$ddl%m&Z&ddl%m'Z'ddl%m(Z(ddl)mZ*ddl)m+Z+ddl,Z,ddl-m.Z.dZ/dZ0dZ1dZ2dZ3dZ4dZ5Gd d!d!ej6Z6Gd"d#d#e6Z7Gd$d%d%e6Z8Gd&d'd'e8Z9Gd(d)d)e6Z:Gd*d+d+e6Z;Gd,d-d-e6ZGd2d3d3e6Z?dZ@Gd4d5d5eAZBeBZCd6d7ZDGd8d9d9eAZEGd:d;d;eAZFGdd?ZHd@dAZIdBeJdCe eJfdDdEZKdFdGZLdHdIZM JddKdLZNdMdNZOddPdQZP   OddRdSZQ   T OddUdVZR   T OddWdXZS   T O OddYdZZTdd[d\ZUd]d^ZVGd_d`d`eAZW   a O O addbdcZXdddeZYdfdgZZdhdiZ[ O addjdkZ\ a a l addmdnZ] a a l addodpZ^ej_ addqdrZ`dsdtZa a a l addudvZb a a l a OddwdxZcdydzZdd{d|Zed}d~ZfddZgddZhdddZiddZjddZkdddZlde1dOfddZmdddZnGdddeAZodS)zIOne-line documentation for auth module. A detailed description of auth. )absolute_import)division)unicode_literalsN)Optionalexternal_accountutil)config)log) properties) transport) named_configscreds exceptions)gce)encoding)files)times)client)cryptservice_account) reauth_errors)urllibCLOUDSDK_AUTH_ACCESS_TOKENz)https://accounts.google.com/o/oauth2/authz+https://accounts.google.com/o/oauth2/revokez+urn:ietf:params:oauth:grant-type:jwt-bearer300szr table[title='Credentialed Accounts']( status.yesno(yes='*', no=''):label=ACTIVE, account )z table[title='Credentialed Accounts']( status.yesno(yes='*', no=''):label=ACTIVE, account, universe_domain )c@eZdZdZdS)Errorz&Exceptions for the credentials module.N__name__ __module__ __qualname____doc__r&r&B/tmp/google-cloud-sdk/lib/googlecloudsdk/core/credentials/store.pyr Pr c@r)NoImpersonationAccountErrorz2Exception when there is no account to impersonate.Nr!r&r&r&r'r)Tr(r)c eZdZdZfddZZS)!PrintTokenAuthenticationExceptionz1Exceptions that tell the users to run auth login.cs"tt|tdj|ddS)Nz {message} Please run: $ gcloud auth login to obtain new credentials. For service account, please activate it first: $ gcloud auth activate-service-account ACCOUNT)message)superr+__init__textwrapdedentformat)selfr, __class__r&r'r.[s z*PrintTokenAuthenticationException.__init__r"r#r$r%r. __classcell__r&r&r3r'r+Xr+cr*) NoCredentialsForAccountExceptionz;Exception for when no credentials are found for an account.cstt|dj|ddS)NzKYour current active account [{account}] does not have any valid credentialsaccount)r-r8r.r1)r2r:r3r&r'r.ms z)NoCredentialsForAccountException.__init__r5r&r&r3r'r8jr7r8cr*)InvalidCredentialFileExceptionzCException for when an external credential file could not be loaded.cs$tt|dj|t|ddS)Nz1Failed to load credential file: [{f}]. {message})fr,)r-r;r.r1six text_type)r2r<er3r&r'r.vs  z'InvalidCredentialFileException.__init__r5r&r&r3r'r;sr7r;c@r)AccountImpersonationErrorzEException for when attempting to impersonate a service account fails.Nr!r&r&r&r'r@|sr@c@r) FlowErrorz8Exception for when something goes wrong with a web flow.Nr!r&r&r&r'rAr(rAc@r) RevokeErrorz0Exception for when there was a problem revoking.Nr!r&r&r&r'rBr(rBc@r)InvalidCodeVerifierErrorz-Exception for invalid code verifier for pkce.Nr!r&r&r&r'rCr(rCc@r)UnsupportedCredentialsErrorz6Exception for when a credential type is not supported.Nr!r&r&r&r'rDr(rDc@s:eZdZdZddZddZddZdd d Zd d Zd S)StaticCredentialProvidersz'Manages a list of credential providers.cCs g|_dSN) _providersr2r&r&r'r.s z"StaticCredentialProviders.__init__cC|j|dSrF)rGappendr2providerr&r&r' AddProviderz%StaticCredentialProviders.AddProvidercCrIrF)rGremoverKr&r&r'RemoveProviderrNz(StaticCredentialProviders.RemoveProviderTcCs,|jD]}|||}|dur|SqdSrF)rGGetCredentials)r2r:use_google_authrLcredr&r&r'rQs  z(StaticCredentialProviders.GetCredentialscCs"t}|jD]}||O}q|SrF)setrG GetAccounts)r2accountsrLr&r&r'rUs z%StaticCredentialProviders.GetAccountsNT) r"r#r$r%r.rMrPrQrUr&r&r&r'rEs  rEcCsTtjjj}|s||dSt||||kr(t d||ddS)aHandles the universe domain from GCE metadata. If core/universe_domain property is not explicitly set, set it with the MDS universe_domain, but not persist it so it's only used in the current command invocation. If core/universe_domain property is explicitly set, but it's different from the MDS universe_domain, prompt the user to update and persist the core/universe_domain property. If the user chooses not to update, an error will be raised to avoid sending GCE credentials to a wrong universe domain. Args: mds_universe_domain: string, The universe domain from metadata server. account: string, The account. NaYour credentials are from "%(universe_from_mds)s", but your [core/universe_domain] property is set to "%(universe_from_property)s". Update your active account to an account from "%(universe_from_property)s" or update the [core/universe_domain] property to "%(universe_from_mds)s".)universe_from_mdsuniverse_from_property) r VALUEScoreuniverse_domainIsExplicitlySetSet auth_utilHandleUniverseDomainConflictGetc_credsInvalidCredentialsError)mds_universe_domainr:universe_domain_propertyr&r&r'_HandleGceUniverseDomains    rfc@sJeZdZdZdddZddZddZd d Zd d Zd dZ ddZ dS)GceCredentialProviderz=Provides account, project and credential data for gce vm env.TcCs4tjjjr|tvr| }t|||SdSrF) r rZr[check_gce_metadataGetBoolc_gceMetadataAccountsAcquireFromGCE)r2r:rRrefreshr&r&r'rQs  z$GceCredentialProvider.GetCredentialscCtjjjr tSdSrF)r rZr[rhrirjrkDefaultAccountrHr&r&r' GetAccount z GceCredentialProvider.GetAccountcCs$tjjjrttStSrF) r rZr[rhrirTrjrkrlrHr&r&r'rUsz!GceCredentialProvider.GetAccountscCstjjjr tSdS)zGets the universe domain from GCE metadata. Returns: str: The universe domain from metadata server. Returns None if core/check_gce_metadata property is False. N)r rZr[rhrirjrkUniverseDomainrHr&r&r'GetUniverseDomains z'GceCredentialProvider.GetUniverseDomaincCrorF)r rZr[rhrirjrkProjectrHr&r&r' GetProjectrrz GceCredentialProvider.GetProjectcCDtjjj|jtjjj|jtjjj|j t |dSrF) r rZr[r: AddCallbackrqprojectrvr\rtSTATIC_CREDENTIAL_PROVIDERSrMrHr&r&r'RegisterszGceCredentialProvider.RegistercCrwrF) r rZr[r:RemoveCallbackrqryrvr\rtrzrPrHr&r&r' UnRegisters  z GceCredentialProvider.UnRegisterNrW) r"r#r$r%rQrqrUrtrvr{r}r&r&r&r'rgs    rgc@eZdZdZddZdS)AcctInfozAn auth command resource list item. Attributes: account: str, The account name. status: str, The account status, one of ['ACTIVE', '']. cCs||_|r d|_dSd|_dSNACTIVE)r:status)r2r:activer&r&r'r.szAcctInfo.__init__Nr"r#r$r%r.r&r&r&r'rs rc@r~)AcctInfoWithUniverseDomainzAn auth command resource list item. Attributes: account: str, The account name. status: str, The account status, one of ['ACTIVE', '']. universe_domain: str, The universe domain. The default value is googleapis.com. cCs*||_|rdnd|_|ptjjjj|_dSr)r:rr rZr[r\default)r2r:rr\r&r&r'r.&sz#AcctInfoWithUniverseDomain.__init__Nrr&r&r&r'rs rcs"tjjjfddtDS)zGet all accounts for the auth command Run() method. Returns: List[AccInfo]: The list of account information for all accounts. csg|] }t||kqSr&)r).0r:active_accountr&r' 5s zAllAccounts..)r rZr[r:raAvailableAccountsr&r&rr' AllAccounts.s rc Cst}|}t}|D]}||vr*t|}t|dr!|jntj j jj g||<qt t |}tj j j}tj j j}g}|D]}||D]}||koT||k} |t|| |qKqE|S)zGet all accounts and universe domains for the auth command Run() method. Returns: List[AccInfoWithUniverseDomain]: The list of account and universe domain information for all accounts. r\)rbGetCredentialStoreGetAccountsWithUniverseDomainrzrUrQhasattrr\r rZr[rdictsorteditemsr:rarJr) store accounts_dictstatic_accountsr:rrreresultr\ is_activer&r&r'AllAccountsWithUniverseDomains;s:    rr:returncs,t}tfdd|Dd}|r|jSdS)zGet the universe domain of a credentialed account. Args: account: The account to get the universe domain for. Returns: The credentialed account's universe domain if exists. None otherwise. c3s|] }|jkr|VqdSrFr9)r cred_accountr9r&r' vs z7GetCredentialedAccountUniverseDomain..N)rnextr\)r:all_cred_accountsrr&r9r'$GetCredentialedAccountUniverseDomainks  rcCs t}|tB}t|S)zGet all accounts that have credentials stored for the CloudSDK. This function will also ping the GCE metadata server to see if GCE credentials are available. Returns: [str], List of the accounts. )rbrrUrzr)rrVr&r&r'rs rcCstjjjS)z1Returns True if google-auth is disabled globally.)r rZauthdisable_load_google_authrir&r&r&r'GoogleAuthDisabledGloballysrc Csztj|dd}|j|krtd|Wntjy2}zt|d}td||d}~wwtj |t j d}t tjt j d|}||kS)aDetermines if token_expiry_time is within expiry_window_duration. Calculates the amount of time between utcnow() and token_expiry_time and returns true, if that amount is less than the provided duration window. All calculations are done in number of seconds for consistency. Args: expiry_window: string, Duration representing the amount of time between now and token_expiry_time to compare against. token_expiry_time: datetime, The time when token expires. max_window_seconds: int, Maximum size of expiry window, in seconds. Raises: ValueError: If expiry_window is invalid or can not be parsed. Returns: True if token is expired or will expire with in the provided window, False otherwise. s)default_suffixz>Invalid expiry window duration [{}]: Must be between 0s and 1h.z-Error Parsing expiry window duration [{}]: {}N)tzinfo)r ParseDuration total_seconds ValueErrorr1r r=r>rstripLocalizeDateTimedateutiltztzutcGetDateTimePlusDurationNow) expiry_windowtoken_expiry_timemax_window_seconds min_expiryr?r, window_endr&r&r'_TokenExpiresWithinWindows* rcCs"|durdSt|r|jS|jSrF)rbIsGoogleAuthCredentialstoken access_tokenrr&r&r'_GetAccessTokenFromCredss  rTcCst||d|d}t|S)aOReturns the access token of the given account or the active account. GetAccessToken ignores whether credentials have been disabled via properties. Use this function when the caller absolutely requires credentials. Args: account: str, The account to get the access token for. If None, the account stored in the core.account property is used. scopes: tuple, Custom auth scopes to request. By default CLOUDSDK_SCOPES are requested. allow_account_impersonation: bool, True to allow use of impersonated service account credentials (if that is configured). FT)Loadr)r:scopesallow_account_impersonationrr&r&r'GetAccessTokensrcCstjjjr dSt|||S)aReturns the access token of the given account or the active account. If credentials have been disabled via properties, this will return None. Otherwise it return the access token of the account like normal. Use this function when credentials are optional for the caller, or the caller want to handle the situation of credentials being disabled by properties. Args: account: str, The account to get the access token for. If None, the account stored in the core.account property is used. scopes: tuple, Custom auth scopes to request. By default CLOUDSDK_SCOPES are requested. allow_account_impersonation: bool, True to allow use of impersonated service account credentials (if that is configured). N)r rZrdisable_credentialsrir)r:rrr&r&r'GetAccessTokenIfEnableds r1hcCst||||d}t|S)aReturns a fresh access token of the given account or the active account. Same as GetAccessToken except that the access token returned by this function is valid for at least min_expiry_duration. Args: account: str, The account to get the access token for. If None, the account stored in the core.account property is used. scopes: tuple, Custom auth scopes to request. By default CLOUDSDK_SCOPES are requested. min_expiry_duration: Duration str, Refresh the token if they are within this duration from expiration. Must be a valid duration between 0 seconds and 1 hour (e.g. '0s' >x< '1h'). allow_account_impersonation: bool, True to allow use of impersonated service account credentials (if that is configured). T)LoadFreshCredentialr)r:rmin_expiry_durationrrr&r&r'GetFreshAccessTokensrcCs tjjjr dSt||||S)aReturns a fresh access token of the given account or the active account. Same as GetAccessTokenIfEnabled except that the access token returned by this function is valid for at least min_expiry_duration. Args: account: str, The account to get the access token for. If None, the account stored in the core.account property is used. scopes: tuple, Custom auth scopes to request. By default CLOUDSDK_SCOPES are requested. min_expiry_duration: Duration str, Refresh the token if they are within this duration from expiration. Must be a valid duration between 0 seconds and 1 hour (e.g. '0s' >x< '1h'). allow_account_impersonation: bool, True to allow use of impersonated service account credentials (if that is configured). N)r rZrrrir)r:rrrr&r&r'GetFreshAccessTokenIfEnableds rcCst||||d}t|||S)apLoad credentials and force a refresh. Will always refresh loaded credential if it is expired or would expire within min_expiry_duration. Args: account: str, The account address for the credentials being fetched. If None, the account stored in the core.account property is used. scopes: tuple, Custom auth scopes to request. By default CLOUDSDK_SCOPES are requested. min_expiry_duration: Duration str, Refresh the credentials if they are within this duration from expiration. Must be a valid duration between 0 seconds and 1 hour (e.g. '0s' >x< '1h'). allow_account_impersonation: bool, True to allow use of impersonated service account credentials (if that is configured). If False, the active user credentials will always be loaded. use_google_auth: bool, True to load credentials as google-auth credentials. False to load credentials as oauth2client credentials.. Returns: oauth2client.client.Credentials or google.auth.credentials.Credentials. When all of the following conditions are met, it returns google.auth.credentials.Credentials and otherwise it returns oauth2client.client.Credentials. * use_google_auth is True * google-auth is not globally disabled by auth/disable_load_google_auth. Raises: NoActiveAccountException: If account is not provided and there is no active account. NoCredentialsForAccountException: If there are no valid credentials available for the provided or active account. c_gce.CannotConnectToMetadataServerException: If the metadata server cannot be reached. TokenRefreshError: If the credentials fail to refresh. TokenRefreshReauthError: If the credentials fail to refresh due to reauth. AccountImpersonationError: If impersonation is requested but an impersonation provider is not configured. ValueError: )r:rrrR)rRefreshIfExpireWithinWindow)r:rrrrRrSr&r&r'r"s. rcCstjjjr dSt||dS)aiGet the credentials associated with the current account. If credentials have been disabled via properties, this will return None. Otherwise it will load credentials like normal. If credential loading fails for any reason (including the user not being logged in), the usual exception is raised. Args: allow_account_impersonation: bool, True to allow use of impersonated service account credentials (if that is configured). If False, the active user credentials will always be loaded. use_google_auth: bool, True to load credentials as google-auth credentials. False to load credentials as oauth2client credentials.. Returns: oauth2client.client.Credentials or google.auth.credentials.Credentials if credentials are enabled. When all of the following conditions are met, it returns google.auth.credentials.Credentials and otherwise it returns oauth2client.client.Credentials. * use_google_auth is True * google-auth is not globally disabled by auth/disable_load_google_auth. Raises: NoActiveAccountException: If account is not provided and there is no active account. c_gce.CannotConnectToMetadataServerException: If the metadata server cannot be reached. TokenRefreshError: If the credentials fail to refresh. TokenRefreshReauthError: If the credentials fail to refresh due to reauth. NrrR)r rZrrrirrr&r&r' LoadIfEnabledZs  rcCs<|d}dd|D}|std|d|ddpdfS)a6Finds the target impersonation principal and the delegates. Args: service_account_ids: str, A list of service account ids separated using comma. Returns: A tuple (target_principal, delegates). Raises: NoImpersonationAccountError: if the input does not contain service accounts. ,cSsg|]}|qSr&)strip)rsa_idr&r&r'rsz.ParseImpersonationAccounts..z"No service account to impersonate.N)splitr))service_account_idsr&r&r'ParseImpersonationAccountss rc@s>eZdZdZ        d ddZddZedd ZdS) CredentialInfozCredential information.FNc Cs4||_||_||_||_||_||_||_||_dSrF) auth_disabledaccess_token_env_var_setaccess_token_file_setcredential_file_override_setr: file_pathimpersonated_accountimpersonated_account_delegates) r2rrrrr:rrimpersonated_delegatesr&r&r'r.s  zCredentialInfo.__init__cCs|jr dS|jr d}n|jrd|j}n|jr"d|j|j}nd|j}|jrE|d|j}|jrA|dd |j}|d }|S) zZGet the credential information string. Returns: str: the cred info string. zXThis command is unauthenticated because the [auth/disable_credentials] property is True.zlThis command is authenticated with an access token from the CLOUDSDK_AUTH_ACCESS_TOKEN environment variable.znThis command is authenticated with an access token from {} specified by the [auth/access_token_file] property.z{This command is authenticated as {} using the credentials in {}, specified by the [auth/credential_file_override] property.ziThis command is authenticated as {} which is the active account specified by the [core/account] property.z( Impersonation is used to impersonate {}z via delegate chain: {}z, r) rrrr1rrr:rrjoin)r2 info_stringr&r&r' GetInfoStrings@ zCredentialInfo.GetInfoStringcCstjjjr tddSt}tjjj}|r t|\|_ |_ t t jtr,d|_|Stjjj}|r=d|_||_|Stjjj}|rdd|_||_t|dd}t|dd}|s_t|}||_|Stjjj|_|S)zWGet the credential information. Returns: CredentialInfo: the cred info. T)rNservice_account_email)r rZrrririmpersonate_service_accountrarrrrGetEncodedValueosenvironACCESS_TOKEN_ENV_VAR_NAMEraccess_token_filerrcredential_file_overrider_LoadFromFileOverridegetattrauth_external_accountGetExternalAccountIdr:r[) cred_info impersonationrcred_file_overriderr:r&r&r'GetCredentialInfos:    z CredentialInfo.GetCredentialInfo)FFFFNNNN)r"r#r$r%r.r staticmethodrr&r&r&r'rs 2rFc Cs|ot }tjjj}|rJ|rJt|\}}ts td |t d ||r?t |d||d} t | |||p;tj} | St||pFtj} | St|||||d} | S)a Get the credentials associated with the provided account. This loads credentials regardless of whether credentials have been disabled via properties. Only use this when the functionality of the caller absolutely requires credentials (like printing out a token) vs logically requiring credentials (like for an http request). Credential information may come from the stored credential file (representing the last gcloud auth command), or the credential cache (representing the last time the credentials were refreshed). If they come from the cache, the token_response field will be None, as the full server response from the cached request was not stored. Args: account: str, The account address for the credentials being fetched. If None, the account stored in the core.account property is used. scopes: tuple, Custom auth scopes to request. By default CLOUDSDK_SCOPES are requested. prevent_refresh: bool, If True, do not refresh the access token even if it is out of date. (For use with operations that do not require a current access token, such as credential revocation.) allow_account_impersonation: bool, True to allow use of impersonated service account credentials (if that is configured). If False, the active user credentials will always be loaded. use_google_auth: bool, True to load credentials as google-auth credentials. False to load credentials as oauth2client credentials.. cache_only_rapt: bool, True to only cache RAPT token. Returns: oauth2client.client.Credentials or google.auth.credentials.Credentials. When all of the following conditions are met, it returns google.auth.credentials.Credentials and otherwise it returns oauth2client.client.Credentials. * use_google_auth is True * google-auth is not globally disabled by auth/disable_load_google_auth. Raises: NoActiveAccountException: If account is not provided and there is no active account. NoCredentialsForAccountException: If there are no valid credentials available for the provided or active account. c_gce.CannotConnectToMetadataServerException: If the metadata server cannot be reached. TokenRefreshError: If the credentials fail to refresh. TokenRefreshReauthError: If the credentials fail to refresh due to reauth. AccountImpersonationError: If impersonation is requested but an impersonation provider is not configured. zdgcloud is configured to impersonate service account [{}] but impersonation support is not available.z\This command is using service account impersonation. All API calls will be executed as [{}].F)r:rrRcache_only_raptr)rr rZrrrarIMPERSONATION_TOKEN_PROVIDERr@r1r warningr!GetElevationAccessTokenGoogleAuthr CLOUDSDK_SCOPESGetElevationAccessToken_Load) r:rprevent_refreshrrRrrtarget_principal delegatesgoogle_auth_source_credsrSr&r&r'rsT 9    rc Cstd||sVztj|}Wntjy"}zt||d}~ww|r3|dur.tj }| |}t j j j}|rOtj|}|tjjtjjfvrO||_t|}|St}ddlm}ddlm} ddlm} ddlm} z ||\}} Wn| jy}zt||d}~ww|durtj }|||}t || j!r|j"s|j} tj#| d<tj$| d <t%|j&| tj d }t || j!r|j} tj#| d<tj$| d <tj'| d <t%|&| }tj(|}|tj(jkrt j j j}|r||_)n|tj(j*krt+}||_)t,|t-|}|S) z)Load credentials from cred file override.z+Using alternate credentials from file: [%s]Nr credentialsrr external_account_authorized_user client_id client_secret)rr).r inforGoogleCredentials from_streamr r;create_scoped_requiredr r create_scopedr rZr token_hostrarbCredentialTypeFromCredentialsSERVICE_ACCOUNTP12_SERVICE_ACCOUNT token_uri MaybeAttachAccessTokenCacheStoreGetGoogleAuthDefault google.authrrrrload_credentials_from_fileDefaultCredentialsErrorwith_scopes_if_required isinstance CredentialsrCLOUDSDK_CLIENT_IDCLOUDSDK_CLIENT_NOTSOSECRETtype from_info CLOUDSDK_EXTERNAL_ACCOUNT_SCOPESCredentialTypeGoogleAuth _token_uri USER_ACCOUNTGetDefaultTokenUriEnableSelfSignedJwtIfApplicable*MaybeAttachAccessTokenCacheStoreGoogleAuth)rrrRrSr?token_uri_override cred_typegoogle_auth_defaultgoogle_auth_credsgoogle_auth_exceptionsgoogle_auth_external_account,google_auth_external_account_authorized_user_ json_infor&r&r'rws     C                 rcCsPtdt|stdt|}ddlm}||}t j j j |_|S)z2Loads an AccessTokenCredentials from access_token.z1Using access token from environment variable [%s]zYou may have passed an access token to gcloud using the environment variable {}. At the same time, google-auth is disabled by auth/disable_load_google_auth. They do not work together. Please unset auth/disable_load_google_auth and retry.rgoogle_auth_credentials)r rrrDr1rgooglecloudsdk.core.credentialsr(AccessTokenCredentialsr rZr[r\ra_universe_domain)rrR c_google_authrr&r&r'_LoadAccessTokenCredsFromValues  r-cCsPtd||s tdt|}ddlm}||}t j j j |_|S)z0Loads an AccessTokenCredentials from token_file.z"Using access token from file: [%s]zYou may have passed an access token to gcloud using --access-token-file or auth/access_token_file. At the same time, google-auth is disabled by auth/disable_load_google_auth. They do not work together. Please unset auth/disable_load_google_auth and retry.rr')r rrDrReadFileContentsrr)r(r*r rZr[r\rar+) token_filerRcontentr,rr&r&r'_LoadAccessTokenCredsFromFiles   r1c Csttjt}tjjj }tjjj }|rt ||}n[|r%t ||}nS|r.t |||}nJ|s7tjjj }|sBttdjtj|d} | ||}|sxt||}|s\t|t|rv| ||tj||d}t|j|j n|S|s~t!||S)zHelper for Load().Fr)"rrrrrr rZrrrarr-r1rr[r:creds_exceptionsNoActiveAccountExceptionr ActiveConfigrrbrrrzrQr8IsGoogleAuthGceCredentialsStorerrfr\rRefreshIfAlmostExpire) r:rrrRrrrrrSrr&r&r'r sJ       rstandardcCs2t|rt|||||dSt|||||dS)aRefresh credentials. Calls credentials.refresh(), unless they're SignedJwtAssertionCredentials. If the credentials correspond to a service account or impersonated credentials issue an additional request to generate a fresh id_token. Args: credentials: oauth2client.client.Credentials or google.auth.credentials.Credentials, The credentials to refresh. is_impersonated_credential: bool, True treat provided credential as an impersonated service account credential. If False, treat as service account or user credential. Needed to avoid circular dependency on IMPERSONATION_TOKEN_PROVIDER. include_email: bool, Specifies whether or not the service account email is included in the identity token. Only applicable to impersonated service account. gce_token_format: str, Specifies whether or not the project and instance details are included in the identity token. Choices are "standard", "full". gce_include_license: bool, Specifies whether or not license codes for images associated with GCE instance are included in their identity tokens. Raises: TokenRefreshError: If the credentials fail to refresh. TokenRefreshReauthError: If the credentials fail to refresh due to reauth. N)rbIsOauth2ClientCredentials_Refresh_RefreshGoogleAuth)ris_impersonated_credential include_emailgce_token_formatgce_include_licenser&r&r'RefreshJs r@c CsTddlm}ddlm}ddl}|jtjd}zR||d} |r:ts't dt |s3t d |t ||d} nt |tjrFt||} nt |tjrWtjtj||d } | rg|jra| |jd <| |_WdSWdStj|jfy} z|| rt| t t!"| d} ~ wt#j$yt%t#j&y} zt't(| d} ~ ww) z#Refreshes oauth2client credentials.r context_awarehttpN)response_encodingagcloud is configured to impersonate a service account but impersonation support is not available.,Invalid impersonation account for refresh {})r= token_formatinclude_licenseid_token))googlecloudsdk.corerBrDhttplib2Httpr ENCODINGrnrr@IsImpersonationCredentialr1"_RefreshImpersonatedAccountIdTokenrrServiceAccountCredentials_RefreshServiceAccountIdTokenoauth2client_gceAppAssertionCredentialsrjrk GetIdTokenr rtoken_response id_tokenb64rAccessTokenRefreshErrorServerNotFoundErrorIsContextAwareAccessDeniedErrorr2TokenRefreshDeniedByCAAErrorTokenRefreshErrorr=r>rReauthSamlLoginRequiredErrorWebLoginRequiredReauthError ReauthErrorTokenRefreshReauthErrorstr) rr<r=r>r?rBrDrM http_clientrKr?r&r&r'r:qsZ          r:c csddlm}ddlm}ddlm}zdVWdS|jy'tj|d|j y<}z tj t ||dd}~w|j y^}z| |rNt|tjt||||dd}~ww)z=Handles exceptions during refreshing google auth credentials.rrrAr'N)for_adc)rdr:is_service_account)r rrLrBr)r(ReauthSamlChallengeFailErrorr2r_ReauthRequiredErrorrarb RefreshErrorr[r\r]r=r>)rdr:rer"rBr,r?r&r&r''HandleGoogleAuthCredentialsRefreshErrors,       ricCsddlm}ddlm}trt|sdSt|drJt|rJz |j |j dd}Wn |j y6YdSwt j j |dt jjd }tt|sJdSdS) aDetermine if ID token refresh is needed. (1) we don't refresh ID token for non-default universe domain. (2) for service account with self signed jwt feature enabled, we only refresh ID token if it's about to expire Args: credentials: google.auth.credentials.Credentials, A google-auth credentials to refresh. Returns: bool, Whether ID token refresh is needed. rr)jwtF _id_token)verifyTexp)r)r rrjr IsDefaultUniverserbHasDefaultUniverseDomainrUseSelfSignedJwtdecoderkGoogleAuthErrordatetime fromtimestamptimezoneutcr_CREDENTIALS_EXPIRY_WINDOW)rr"rjpayloadexpiryr&r&r'_ShouldRefreshGoogleAuthIdTokens(     rzc Csd}d}t|r|j}d}ddlm}|}t||d!t|t|r2t |||||dd| |WddS1sBwYdS)a7Refreshes google-auth credentials. Args: credentials: google.auth.credentials.Credentials, A google-auth credentials to refresh. is_impersonated_credential: bool, True treat provided credential as an impersonated service account credential. If False, treat as service account or user credential. Needed to avoid circular dependency on IMPERSONATION_TOKEN_PROVIDER. include_email: bool, Specifies whether or not the service account email is included in the identity token. Only applicable to impersonated service account. gce_token_format: str, Specifies whether or not the project and instance details are included in the identity token. Choices are "standard", "full". gce_include_license: bool, Specifies whether or not license codes for images associated with GCE instance are included in their identity tokens. Raises: AccountImpersonationError: if impersonation support is not available for gcloud, or if the provided credentials is not google auth impersonation credentials. NFTrrequests)r:re)r<r=r>r? refresh_user_account_credentials) rbIsServiceAccountCredentialsrrLr|GoogleAuthRequestrirrz_RefreshGoogleAuthIdTokenrn) rr<r=r>r?r:rer|request_clientr&r&r'r;s,    "r;c Cs4ddlmm}ddlm}ddlm}|} ttd} t |r,|r,| | nL|r[t s4t dddlmm} t|| jsJt d|t |tj|} | | | j} nt||jrgt|| } nt||jrxtjtj||d} | r| |_| |_WddSWddS1swYdS)aRefreshes the ID token of google-auth credentials. Args: credentials: google.auth.credentials.Credentials, A google-auth credentials to refresh. is_impersonated_credential: bool, True treat provided credential as an impersonated service account credential. If False, treat as service account or user credential. Needed to avoid circular dependency on IMPERSONATION_TOKEN_PROVIDER. include_email: bool, Specifies whether or not the service account email is included in the identity token. Only applicable to impersonated service account. gce_token_format: str, Specifies whether or not the project and instance details are included in the identity token. Choices are "standard", "full". gce_include_license: bool, Specifies whether or not license codes for images associated with GCE instance are included in their identity tokens. refresh_user_account_credentials: bool, Specifies whether or not to refresh user account credentials. Note that when we refresh user account credentials access token, the ID token will be refreshed as well. Depending on where this function is called, we may not need to refresh user account credentials for ID token again. Raises: AccountImpersonationError: if impersonation support is not available for gcloud, or if the provided credentials is not google auth impersonation credentials. rNrr{rFrGrH)google.auth.compute_enginercompute_engine google.oauth2rrLr|rrirbIsUserAccountCredentialsrnrr@$google.auth.impersonated_credentialsimpersonated_credentialsrrr1GetElevationIdTokenGoogleAuthr rr'_RefreshServiceAccountIdTokenGoogleAuthrjrkrVrkrX) rr<r=r>r?r}google_auth_gcegoogle_auth_service_accountr|rrKgoogle_auth_impersonated_credsid_token_credsr&r&r'r=sZ'      %"rcCs<t|r |j}n|j}| pt||}|rt|dSdS)a-Refreshes credentials if they will expire within a time window. Args: credentials: google.auth.credentials.Credentials or client.OAuth2Credentials, the credentials to refresh. window: string, The threshold of the remaining lifetime of the token which can trigger the refresh. N)rbr9 token_expiryryrr@)rwindowry almost_expirer&r&r'rs  rcCst|tddS)N)r)rrwrr&r&r'r7rNr7cCs|j}t|tj|S)z@Get a fresh id_token for the given impersonated service account.)_service_account_idrGetElevationIdTokenr r)rSr=rr&r&r'rQsrQc Cs|j}tt}|j|||j|jtjd}tj |j ||j d}t j |td}||jdd||d\}}|jdkrJt|} | dd Sd S) aGGet a fresh id_token for the given oauth2client credentials. Args: cred: service_account.ServiceAccountCredentials, the credentials for which to refresh the id_token. http_client: httplib2.Http, the http transport to refresh with. Returns: str, The id_token if refresh was successful. Otherwise None. )audiatrmisstarget_audience)key_id) assertion grant_typeidnaPOST)methodbodyheadersrKN)requestinttimer MAX_TOKEN_LIFETIME_SECS_service_account_emailr rrmake_signed_jwt_signer_private_key_idrparse urlencode _GRANT_TYPEencode!_generate_refresh_request_headersrjsonloadsget) rSrc http_requestnowrxrrrespr0dr&r&r'rSs.     rSc Cs(tjjjr dSddlm}ddlm}ddlm }ddl m }|j |j |j|jtjtjjjd}|j|j||_z ||W|j S|jy}z>t|jdkra|jdd d nd }d |vrd |d vrd } td|d | WYd}~dSWYd}~|j SWYd}~|j Sd}~ww)a^Get a fresh id_token for the given google-auth credentials. Args: cred: google.oauth2.service_account.Credentials, the credentials for which to refresh the id_token. request_client: google.auth.transport.Request, the http transport to refresh with. Returns: str, The id_token if refresh was successful. Otherwise None. Nrr)iamrr)r\errorrr,z"iam.serviceAccounts.getOpenIdTokenzYou can find step-by-step instructions here: https://cloud.google.com/iam/docs/create-short-lived-credentials-direct#sa-credentials-oidc on how to resolve this error.z%s %s)!r rZr(service_account_disable_id_token_refreshrir rrrr%googlecloudsdk.api_lib.iamcredentialsr IDTokenCredentialssignerrrr rr[r\ra_IAM_IDTOKEN_ENDPOINTreplaceIAM_ENDPOINT_GDUGetEffectiveIamEndpointrnrhlenargsrr rr) rSrr"google_auth_iamriam_credentials_util id_token_credr?rstepsr&r&r'rsF       $     rcCst|rtj|}|jtjkrdSntj|}|jtjtjtj tj tj tj tjfvr/dS|s8t jjj}|s>tt}||||jtjkrXt|||dSdS)aStore credentials according for an account address. gcloud only stores user account credentials, external account credentials, external account authorized user credential, service account credentials, p12 service account credentials, and GCE google-auth credentials. GCE oauth2client credentials, IAM impersonation, and Devshell credentials are generated in runtime. External account credentials do not contain any sensitive credentials. They only provide hints on how to retrieve local external and exchange them for Google access tokens. Args: credentials: oauth2client.client.Credentials or google.auth.credentials.Credentials, The credentials to be stored. account: str, The account address of the account they're being stored for. If None, the account stored in the core.account property is used. scopes: tuple, Custom auth scopes to request. By default CLOUDSDK_SCOPES are requested. Raises: NoActiveAccountException: If account is not provided and there is no active account. N)rbr9rrkeyGCE_CREDS_NAMErUSER_ACCOUNT_CREDS_NAMEEXTERNAL_ACCOUNT_CREDS_NAME EXTERNAL_ACCOUNT_USER_CREDS_NAME+EXTERNAL_ACCOUNT_AUTHORIZED_USER_CREDS_NAMESERVICE_ACCOUNT_CREDS_NAMEP12_SERVICE_ACCOUNT_CREDS_NAMEr rZr[r:rar2r3rr6_LegacyGenerator WriteTemplate)rr:rrrr&r&r'r6!s2       r6cCsRt|dr t|j|trt|rt|t ||t tj j j |dS)z?Validates, stores and activates credentials with given account.r\N)rr_r`r\r rnrbror@r6PersistPropertyrZr[r:)r:rr&r&r'ActivateCredentials\s   rcCslt|rt|st|rtdt|r'ddlm}|| dSddlm }|| dS)zRevokes the token on the server. Args: credentials: user account credentials from either google-auth or oauth2client. Raises: RevokeError: If credentials to revoke is not user account credentials. zSThe token cannot be revoked from server because it is not user account credentials.rrCr{N) rbr IsExternalAccountUserCredentials*IsExternalAccountAuthorizedUserCredentialsrBr9rLrDrevokerNr|r)rrDr|r&r&r'RevokeCredentialsls    rc CsBddlm}ddlm}ddlm}|stjjj }|s!t |t vr-tdt|ddd}|s:t|d}z|d sTt||jsTt||jsTt|d}Wn'tj|jfy|}z|jdd krin |jdd krqnWYd }~nd }~wwt}||t||t |}t!j"#|rt$%||S) aBRevoke credentials and clean up related files. Args: account: str, The account address for the credentials to be revoked. If None, the currently active account is used. Returns: True if this call revoked the account; False if the account was already revoked. Raises: NoActiveAccountException: If account is not provided and there is no active account. NoCredentialsForAccountException: If the provided account is not tied to any known credentials. RevokeError: If there was a more general problem revoking the account. rrrr'z'Cannot revoke GCE-provided credentials.T)rrRFz.gserviceaccount.com invalid_tokeninvalid_requestN)&r rrr)r(r rZr[r:rar2r3rjrkrlrBrr8endswithrrrrTokenRevokeErrorrrbrRemoverCleanr PathsLegacyCredentialsDirrpathisdirrRmTree) r:r#r$r,rrvr?rlegacy_creds_dirr&r&r'RevokesT        rc Cs|ot }|durt}|r7ddlm}|jd|d|tjjj j ddtjjj j ddd}t j |_|Stjdtjjj j ddtjjj j dd|t j |tj|d}|S)aGet credentials from an already-valid refresh token. Args: refresh_token: An oauth2 refresh token. token_uri: str, URI to use for refreshing. revoke_uri: str, URI to use for revoking. use_google_auth: bool, True to return google-auth credentials. False to return oauth2client credentials.. Returns: oauth2client.client.Credentials or google.auth.credentials.Credentials. When all of the following conditions are true, it returns google.auth.credentials.Credentials and otherwise it returns oauth2client.client.Credentials. * use_google_auth=True * google-auth is not globally disabled by auth/disable_load_google_auth. NrrT)required)r refresh_tokenrKr rr)rrrrrr  user_agent revoke_uri)rrbrrrrr rZrrrarrsutcnowryrOAuth2Credentialsr CLOUDSDK_USER_AGENT)rr rrRr!rSr&r&r'AcquireFromTokens4     rcCs`|r"ddlmm}|pd}|j|d}t}||_d|_nt j |d}|r.t ||S)aOGet credentials from a GCE metadata server. Args: account: str, The account name to use. If none, the default is used. use_google_auth: bool, True to load credentials of google-auth if it is supported in the current authentication scenario. False to load credentials of oauth2client. refresh: bool, Whether to refresh the credential or not. The default value is True. Returns: oauth2client.client.Credentials or google.auth.credentials.Credentials based on use_google_auth and whether google-auth is supported in the current authentication sceanrio. Raises: c_gce.CannotConnectToMetadataServerException: If the metadata server cannot be reached. TokenRefreshError: If the credentials fail to refresh. TokenRefreshReauthError: If the credentials fail to refresh due to reauth. rNr)rT)email) rrrrrjrkrsr+_universe_domain_cachedrTrUr@)r:rRrnrrrr\r&r&r'rms   rmc@sJeZdZdZdddZeddZeddZd d Zd d Z d dZ dS)raEA class to generate the credential file for other tools, like gsutil & bq. The supported credentials types are user account credentials, service account credentials, and p12 service account credentials. Gcloud supports two auth libraries - oauth2client and google-auth. Eventually, we will deprecate oauth2client. NcCs||_|jtjtjtjtjtjtjfvrt d t |j|dur(t j |_n||_t }|||_|||_|||_|||_dS)N Unsupported credentials type {0})r _cred_typerbrrrrrrCredentialFileSaveErrorr1rr rrrLegacyCredentialsBqPath_bq_pathLegacyCredentialsGSUtilPath _gsutil_pathLegacyCredentialsP12KeyPath _p12_key_pathLegacyCredentialsAdcPath _adc_path)r2r:rrpathsr&r&r'r.6s&    z_LegacyGenerator.__init__cCs t|jSrF)rbr9rrHr&r&r'_is_oauth2clientOs z!_LegacyGenerator._is_oauth2clientcCs&|jr tj|jjStj|jjSrF)rrbrrrrrrHr&r&r'rSsz_LegacyGenerator._cred_typec CsB|j|j|j|jg}|D]}zt|Wq tyYq wdS)zRemove the credential file.N)rrrrrrOOSError)r2rpr&r&r'r[s z_LegacyGenerator.CleancCst||jtjkr3|j}|j}|j}tj|j |dd| |j d gdj |jj|j |ddSt|jj|jd|jtjksJ|jtjkr]| |j d dd gj |jd dS|jtjkrv| |j d dd gj |jd dS|jtjkr| |j d gd j |jj|jj|jjd dS|jtjkr| |j d ddgj |jddStd t|j)zWrite the credential file.Tprivate ) [Credentials]z gs_service_client_id = {account} gs_service_key_file = {key_file}z-gs_service_key_file_password = {key_password})r:key_file key_passwordN)rrz2gs_external_account_file = {external_account_file})external_account_filezBgs_external_account_authorized_user_file = {external_account_file})z[OAuth2]zclient_id = {cid}zclient_secret = {secret}rrz!gs_oauth2_refresh_token = {token})cidsecretrr)rr)rrrbrr_private_key_pkcs12_private_key_passwordrWriteBinaryFileContentsr_WriteFileContentsrrr1rADC DumpADCToFilerrrrrrrrrrr)r2rSrpasswordr&r&r'rkst         z_LegacyGenerator.WriteTemplatecCs&tjt|}tj||dddS)zWrites contents to a path, ensuring mkdirs. Args: filepath: str, The path of the file to write. contents: str, The contents to write to the file. TrN)rrrealpathr ExpandHomeDirWriteFileContents)r2filepathcontents full_pathr&r&r'r sz#_LegacyGenerator._WriteFileContentsrF) r"r#r$r%r.propertyrrrrr r&r&r&r'r-s    Mr)r)NNT)NNrT)NNrTT)TT)NNFTTF)TF)FFr8F)FNF)FFr8FT)NNrF)NTT)pr% __future__rrr contextlibrsrrr/rtypingrrgooglecloudsdk.api_lib.authrrr r_rLr r r r "googlecloudsdk.core.configurationsrr)rrbrr2rrjgooglecloudsdk.core.utilrrr oauth2clientrrroauth2client.contribrTrr= six.movesrr(GOOGLE_OAUTH2_PROVIDER_AUTHORIZATION_URI!GOOGLE_OAUTH2_PROVIDER_REVOKE_URIrrwACCOUNT_TABLE_FORMAT)ACCOUNT_TABLE_WITH_UNIVERSE_DOMAIN_FORMATr r)r+r8r;r@rArBrCrDrobjectrErzrfrgrrrrrbrrrrrrrrrrrrrrrr-r1rr@r:contextmanagerrirzr;rrr7rQrSrr6rrrrrmrr&r&r&r's"                         '7  0 )     8' a_ B ( 5 / M [ ) A; E 8.