.SrSSKJr SSKJr SSKJr SSKrSSKrSSKrSSKrSSK r SSK r SSK J r SSK r SSKJr SSKJr SS KJr SS KJr SS KJr SS KJr SS KJr SSKJr SSKJr SSKJr SSK!J"r" SSK!J#r# SSK!J$r$ SSK%J&r& SSK%J'r' SSK%J(r( SSK)Jr* SSK)J+r+ SSK,r,SSK-J.r. Sr/Sr0Sr1Sr2Sr3Sr4Sr5"S S!\Rl5r6"S"S#\65r7"S$S%\65r8"S&S'\85r9"S(S)\65r:"S*S+\65r;"S,S-\65r<"S.S/\65r="S0S1\65r>"S2S3\65r?Sr@"S4S5\A5rB\B"5rCS6rD"S7S8\A5rE"S9S:\A5rF"S;S<\A5rGS=rHS>rIS?\JS@\ \J4SAjrKSBrLSCrMShSDjrNSErOSiSGjrPSiSHjrQSjSIjrRSjSJjrSSkSKjrTSlSLjrUSMrV"SNSO\A5rWSmSPjrXSQrYSRrZSSr[SnSTjr\SoSUjr]SoSVjr^\RSpSWj5r`SXraSoSYjrbSqSZjrcS[rdS\reS]rfS^rgS_rhSrS`jriSarjSbrkSsScjrlS\1SF4SdjrmStSejrn"SfSg\A5rog)uzIOne-line documentation for auth module. A detailed description of auth. )absolute_import)division)unicode_literalsN)Optionalexternal_accountutil)config)log) properties) transport) named_configscreds exceptions)gce)encoding)files)times)client)cryptservice_account) reauth_errors)urllibCLOUDSDK_AUTH_ACCESS_TOKENz)https://accounts.google.com/o/oauth2/authz+https://accounts.google.com/o/oauth2/revokez+urn:ietf:params:oauth:grant-type:jwt-bearer300szr table[title='Credentialed Accounts']( status.yesno(yes='*', no=''):label=ACTIVE, account )z table[title='Credentialed Accounts']( status.yesno(yes='*', no=''):label=ACTIVE, account, universe_domain )c\rSrSrSrSrg)ErrorPz&Exceptions for the credentials module.N__name__ __module__ __qualname____firstlineno____doc____static_attributes__r#,lib/googlecloudsdk/core/credentials/store.pyr!r!Ps.r+r!c\rSrSrSrSrg)NoImpersonationAccountErrorTz2Exception when there is no account to impersonate.r#Nr$r#r+r,r.r.Ts:r+r.c,^\rSrSrSrU4SjrSrU=r$)!PrintTokenAuthenticationExceptionXz1Exceptions that tell the users to run auth login.cn>[[U] [R"SR US955 g)Nz {message} Please run: $ gcloud auth login to obtain new credentials. For service account, please activate it first: $ gcloud auth activate-service-account ACCOUNT)message)superr1__init__textwrapdedentformat)selfr4 __class__s r,r6*PrintTokenAuthenticationException.__init__[s: +T;HOO M<=CF=C= = !r+r#r%r&r'r(r)r6r* __classcell__r;s@r,r1r1Xs9 ! !r+r1c,^\rSrSrSrU4SjrSrU=r$) NoCredentialsForAccountExceptionjz;Exception for when no credentials are found for an account.cF>[[U] SRUS95 g)NzKYour current active account [{account}] does not have any valid credentialsaccount)r5rAr6r9)r:rEr;s r,r6)NoCredentialsForAccountException.__init__ms$ *D: #VGV46r+r#r=r?s@r,rArAjsC66r+rAc,^\rSrSrSrU4SjrSrU=r$)InvalidCredentialFileExceptionszCException for when an external credential file could not be loaded.cp>[[U] SRU[R "U5S95 g)Nz1Failed to load credential file: [{f}]. {message})fr4)r5rHr6r9six text_type)r:rKer;s r,r6'InvalidCredentialFileException.__init__vs- ($8; !S]]1- .0r+r#r=r?s@r,rHrHssK00r+rHc\rSrSrSrSrg)AccountImpersonationError|zEException for when attempting to impersonate a service account fails.r#Nr$r#r+r,rQrQ|sMr+rQc\rSrSrSrSrg) FlowErrorz8Exception for when something goes wrong with a web flow.r#Nr$r#r+r,rTrTs@r+rTc\rSrSrSrSrg) RevokeErrorz0Exception for when there was a problem revoking.r#Nr$r#r+r,rWrWs8r+rWc\rSrSrSrSrg)InvalidCodeVerifierErrorz-Exception for invalid code verifier for pkce.r#Nr$r#r+r,rZrZs5r+rZc\rSrSrSrSrg)UnsupportedCredentialsErrorz6Exception for when a credential type is not supported.r#Nr$r#r+r,r]r]s>r+r]c:\rSrSrSrSrSrSrS SjrSr Sr g ) StaticCredentialProvidersz'Manages a list of credential providers.c/UlgN _providersr:s r,r6"StaticCredentialProviders.__init__s DOr+c:URRU5 grc)reappendr:providers r, AddProvider%StaticCredentialProviders.AddProviderOO8$r+c:URRU5 grc)reremoverjs r,RemoveProvider(StaticCredentialProviders.RemoveProviderrnr+cZURHnURX5nUcMUs $ grc)reGetCredentials)r:rEuse_google_authrkcreds r,rt(StaticCredentialProviders.GetCredentialss0OO  $ $W >d  $ r+cd[5nURHnXR5-nM U$rc)setre GetAccounts)r:accountsrks r,rz%StaticCredentialProviders.GetAccountss-uHOO&&((h$ Or+rdNT) r%r&r'r(r)r6rlrqrtrzr*r#r+r,r`r`s/%%r+r`cB[RRRnUR 5(dUR U5 g[ R"X5 UR5U:wa*[R"SUUR5S.-5eg)akHandles the universe domain from GCE metadata. If core/universe_domain property is not explicitly set, set it with the MDS universe_domain, but not persist it so it's only used in the current command invocation. If core/universe_domain property is explicitly set, but it's different from the MDS universe_domain, prompt the user to update and persist the core/universe_domain property. If the user chooses not to update, an error will be raised to avoid sending GCE credentials to a wrong universe domain. Args: mds_universe_domain: string, The universe domain from metadata server. account: string, The account. NaYour credentials are from "%(universe_from_mds)s", but your [core/universe_domain] property is set to "%(universe_from_property)s". Update your active account to an account from "%(universe_from_property)s" or update the [core/universe_domain] property to "%(universe_from_mds)s".)universe_from_mdsuniverse_from_property) r VALUEScoreuniverse_domainIsExplicitlySetSet auth_utilHandleUniverseDomainConflictGetc_credsInvalidCredentialsError)mds_universe_domainrEuniverse_domain_propertys r,_HandleGceUniverseDomainrs(..33CC ! 1 1 3 3  !45  (()<F!!#'::  ) ) G "5&>&B&B&D    ;r+cF\rSrSrSrS SjrSrSrSrSr Sr S r S r g ) GceCredentialProviderz=Provides account, project and credential data for gce vm env.c[RRRR 5(a:U[ R "5R5;aU(+n[XU5$grc) r rrcheck_gce_metadataGetBoolc_gceMetadataAccountsAcquireFromGCE)r:rErurefreshs r,rt$GceCredentialProvider.GetCredentialssU0088:: ENN$--/ / &%g@@ r+c[RRRR 5(a#[ R "5R5$grc)r rrrrrrDefaultAccountrfs r, GetAccount GceCredentialProvider.GetAccounts<0088:: ^^  , , .. r+c[RRRR 5(a,[ [ R"5R55$[ 5$rc) r rrrrryrrrrfs r,rz!GceCredentialProvider.GetAccountssE0088:: !**, -- 5Lr+c[RRRR 5(a#[ R "5R5$g)zGets the universe domain from GCE metadata. Returns: str: The universe domain from metadata server. Returns None if core/check_gce_metadata property is False. N)r rrrrrrUniverseDomainrfs r,GetUniverseDomain'GceCredentialProvider.GetUniverseDomains>0088:: ^^  , , .. r+c[RRRR 5(a#[ R "5R5$grc)r rrrrrrProjectrfs r, GetProject GceCredentialProvider.GetProjects<0088:: ^^  % % '' r+c[RRRR UR 5 [RRR R UR5 [RRRR UR5 [RU5 grc) r rrrE AddCallbackrprojectrrrSTATIC_CREDENTIAL_PROVIDERSrlrfs r,RegisterGceCredentialProvider.Registers~""..t?""..t?**66t7M7MN++D1r+c[RRRR UR 5 [RRR R UR5 [RRRR UR5 [RU5 grc) r rrrERemoveCallbackrrrrrrrqrfs r, UnRegister GceCredentialProvider.UnRegisters""11$//B""11$//B**99  ..t4r+r#Nr}) r%r&r'r(r)rtrrzrrrrr*r#r+r,rrs(E    2 5r+rc\rSrSrSrSrSrg)AcctInfoizAn auth command resource list item. Attributes: account: str, The account name. status: str, The account status, one of ['ACTIVE', '']. c<XlU(aSUlgSUlgNACTIVErEstatus)r:rEactives r,r6AcctInfo.__init__sL$(DK"DKr+rNr%r&r'r(r)r6r*r#r+r,rrs -r+rc\rSrSrSrSrSrg)AcctInfoWithUniverseDomainizAn auth command resource list item. Attributes: account: str, The account name. status: str, The account status, one of ['ACTIVE', '']. universe_domain: str, The universe domain. The default value is googleapis.com. cXlU(aSOSUlU=(d. [RRR R Ulgr)rErr rrrdefault)r:rErrs r,r6#AcctInfoWithUniverseDomain.__init__&s:L$("DKI:,,11AAII r+)rErrNrr#r+r,rrs r+rc[RRRR 5n[ 5Vs/sHn[ XU:H5PM sn$s snf)zGet all accounts for the auth command Run() method. Returns: List[AccInfo]: The list of account information for all accounts. )r rrrErAvailableAccountsr)active_accountrEs r, AllAccountsr.sX $$))11557.'( ('w>12(  sAc [R"5nUR5n[R 5nUHmnX1;dM [R U5n[ US5(a URO-[RRRR/X'Mo [[UR555n[RRRR!5n[RRRR!5n/nUH9nXH.nX5:H=(a Xh:Hn UR#[%UU U55 M0 M; U$)zGet all accounts and universe domains for the auth command Run() method. Returns: List[AccInfoWithUniverseDomain]: The list of account and universe domain information for all accounts. r)rGetCredentialStoreGetAccountsWithUniverseDomainrrzrthasattrrr rrrdictsorteditemsrErrir) store accounts_dictstatic_accountsrErrrresultr is_actives r,AllAccountsWithUniverseDomainsr;sE  $ $ &%557- 0;;=/ g#)88AeU- . .     %%55== m !vm11345-$$))11557.'..33CCGGI &g(1  # :&9 mm $  2 -r+rEreturncn^[5n[U4SjU5S5nU(a UR$S$)zGet the universe domain of a credentialed account. Args: account: The account to get the universe domain for. Returns: The credentialed account's universe domain if exists. None otherwise. c3L># UHnURT:XdMUv M g7frcrD).0 cred_accountrEs r, 7GetCredentialedAccountUniverseDomain..vs(/l  ! !W , ,/s$ $N)rnextr)rEall_cred_accountsrs` r,$GetCredentialedAccountUniverseDomainrks?56/  ,*6 % %?4?r+c[R"5nUR5[R5-n[ U5$)zGet all accounts that have credentials stored for the CloudSDK. This function will also ping the GCE metadata server to see if GCE credentials are available. Returns: [str], List of the accounts. )rrrzrr)rr{s r,rrs:  $ $ &%    #>#J#J#L L(  r+cf[RRRR 5$)z1Returns True if google-auth is disabled globally.)r rauthdisable_load_google_authrr#r+r,GoogleAuthDisabledGloballyrs#      8 8 @ @ BBr+c.[R"USS9nURU:a[SR U55e[R"U[RR5S9n[R"[R"[RR5S9U5nX:*$![R aDn[ R"U5RS5n[SR X55eSnAff=f)aDetermines if token_expiry_time is within expiry_window_duration. Calculates the amount of time between utcnow() and token_expiry_time and returns true, if that amount is less than the provided duration window. All calculations are done in number of seconds for consistency. Args: expiry_window: string, Duration representing the amount of time between now and token_expiry_time to compare against. token_expiry_time: datetime, The time when token expires. max_window_seconds: int, Maximum size of expiry window, in seconds. Raises: ValueError: If expiry_window is invalid or can not be parsed. Returns: True if token is expired or will expire with in the provided window, False otherwise. s)default_suffixz>Invalid expiry window duration [{}]: Must be between 0s and 1h.z-Error Parsing expiry window duration [{}]: {}N)tzinfo)r ParseDuration total_seconds ValueErrorr9r!rLrMrstripLocalizeDateTimedateutiltztzutcGetDateTimePlusDurationNow) expiry_windowtoken_expiry_timemax_window_seconds min_expiryrNr4 window_ends r,_TokenExpiresWithinWindowrs.@$$]3GJ"44 3396-3H JJ5,,->4 @@@s?B<<D?DDcpUcg[R"U5(a UR$UR$rc)rIsGoogleAuthCredentialstoken access_tokenrs r,_GetAccessTokenFromCredsrs1 ]  $$U++ ;;   r+Tc4[XSUS5n[U5$)a;Returns the access token of the given account or the active account. GetAccessToken ignores whether credentials have been disabled via properties. Use this function when the caller absolutely requires credentials. Args: account: str, The account to get the access token for. If None, the account stored in the core.account property is used. scopes: tuple, Custom auth scopes to request. By default CLOUDSDK_SCOPES are requested. allow_account_impersonation: bool, True to allow use of impersonated service account credentials (if that is configured). FT)Loadr)rEscopesallow_account_impersonationrs r,GetAccessTokenrs  w'BD I% !% ((r+c[RRRR 5(ag[ XU5$)aReturns the access token of the given account or the active account. If credentials have been disabled via properties, this will return None. Otherwise it return the access token of the account like normal. Use this function when credentials are optional for the caller, or the caller want to handle the situation of credentials being disabled by properties. Args: account: str, The account to get the access token for. If None, the account stored in the core.account property is used. scopes: tuple, Custom auth scopes to request. By default CLOUDSDK_SCOPES are requested. allow_account_impersonation: bool, True to allow use of impersonated service account credentials (if that is configured). N)r rrdisable_credentialsrr)rErrs r,GetAccessTokenIfEnabledrs6$//7799  )D EEr+c4[XUUS5n[U5$)aReturns a fresh access token of the given account or the active account. Same as GetAccessToken except that the access token returned by this function is valid for at least min_expiry_duration. Args: account: str, The account to get the access token for. If None, the account stored in the core.account property is used. scopes: tuple, Custom auth scopes to request. By default CLOUDSDK_SCOPES are requested. min_expiry_duration: Duration str, Refresh the token if they are within this duration from expiration. Must be a valid duration between 0 seconds and 1 hour (e.g. '0s' >x< '1h'). allow_account_impersonation: bool, True to allow use of impersonated service account credentials (if that is configured). T)LoadFreshCredentialr)rErmin_expiry_durationrrs r,GetFreshAccessTokenrs$( g/B94 A% !% ((r+c[RRRR 5(ag[ XUU5$)aReturns a fresh access token of the given account or the active account. Same as GetAccessTokenIfEnabled except that the access token returned by this function is valid for at least min_expiry_duration. Args: account: str, The account to get the access token for. If None, the account stored in the core.account property is used. scopes: tuple, Custom auth scopes to request. By default CLOUDSDK_SCOPES are requested. min_expiry_duration: Duration str, Refresh the token if they are within this duration from expiration. Must be a valid duration between 0 seconds and 1 hour (e.g. '0s' >x< '1h'). allow_account_impersonation: bool, True to allow use of impersonated service account credentials (if that is configured). N)r rrrrr)rErrrs r,GetFreshAccessTokenIfEnabledr s=(//7799  W.A8 ::r+c4[UUUUS9n[XR5 U$)a*Load credentials and force a refresh. Will always refresh loaded credential if it is expired or would expire within min_expiry_duration. Args: account: str, The account address for the credentials being fetched. If None, the account stored in the core.account property is used. scopes: tuple, Custom auth scopes to request. By default CLOUDSDK_SCOPES are requested. min_expiry_duration: Duration str, Refresh the credentials if they are within this duration from expiration. Must be a valid duration between 0 seconds and 1 hour (e.g. '0s' >x< '1h'). allow_account_impersonation: bool, True to allow use of impersonated service account credentials (if that is configured). If False, the active user credentials will always be loaded. use_google_auth: bool, True to load credentials as google-auth credentials. False to load credentials as oauth2client credentials.. Returns: oauth2client.client.Credentials or google.auth.credentials.Credentials. When all of the following conditions are met, it returns google.auth.credentials.Credentials and otherwise it returns oauth2client.client.Credentials. * use_google_auth is True * google-auth is not globally disabled by auth/disable_load_google_auth. Raises: NoActiveAccountException: If account is not provided and there is no active account. NoCredentialsForAccountException: If there are no valid credentials available for the provided or active account. c_gce.CannotConnectToMetadataServerException: If the metadata server cannot be reached. TokenRefreshError: If the credentials fail to refresh. TokenRefreshReauthError: If the credentials fail to refresh due to reauth. AccountImpersonationError: If impersonation is requested but an impersonation provider is not configured. ValueError: )rErrru)rRefreshIfExpireWithinWindow)rErrrrurvs r,rr"s*\  "=%  '$ d8 +r+c[RRRR 5(ag[ UUS9$)a7Get the credentials associated with the current account. If credentials have been disabled via properties, this will return None. Otherwise it will load credentials like normal. If credential loading fails for any reason (including the user not being logged in), the usual exception is raised. Args: allow_account_impersonation: bool, True to allow use of impersonated service account credentials (if that is configured). If False, the active user credentials will always be loaded. use_google_auth: bool, True to load credentials as google-auth credentials. False to load credentials as oauth2client credentials.. Returns: oauth2client.client.Credentials or google.auth.credentials.Credentials if credentials are enabled. When all of the following conditions are met, it returns google.auth.credentials.Credentials and otherwise it returns oauth2client.client.Credentials. * use_google_auth is True * google-auth is not globally disabled by auth/disable_load_google_auth. Raises: NoActiveAccountException: If account is not provided and there is no active account. c_gce.CannotConnectToMetadataServerException: If the metadata server cannot be reached. TokenRefreshError: If the credentials fail to refresh. TokenRefreshReauthError: If the credentials fail to refresh due to reauth. Nrru)r rrrrrr s r, LoadIfEnabledrZs<@//7799  "=% ''r+cURS5nUVs/sHoR5PM nnU(d [S5eUSUSS=(d S4$s snf)a&Finds the target impersonation principal and the delegates. Args: service_account_ids: str, A list of service account ids separated using comma. Returns: A tuple (target_principal, delegates). Raises: NoImpersonationAccountError: if the input does not contain service accounts. ,z"No service account to impersonate.N)splitstripr.)service_account_idssa_ids r,ParseImpersonationAccountsrsb,11#64GH4G54GH  %&J KK R #6s#;#Ct DDIsAcH\rSrSrSrSSjrSr\S5rSr g) CredentialInfoizCredential information.Nc dXlX lX0lX@lXPlX`lXplXlgrc) auth_disabledaccess_token_env_var_setaccess_token_file_setcredential_file_override_setrE file_pathimpersonated_accountimpersonated_account_delegates) r:rrrrrErrimpersonated_delegatess r,r6CredentialInfo.__init__s2'$<!!6(D%LN 4*@'r+c8UR(agUR(aSnOUR(aSRUR5nOSUR (a'SRUR UR5nOSRUR 5nUR(aaUSRUR5-nUR(a-USRSRUR55-nUS -nU$) zNGet the credential information string. Returns: str: the cred info string. zXThis command is unauthenticated because the [auth/disable_credentials] property is True.zlThis command is authenticated with an access token from the CLOUDSDK_AUTH_ACCESS_TOKEN environment variable.znThis command is authenticated with an access token from {} specified by the [auth/access_token_file] property.z{This command is authenticated as {} using the credentials in {}, specified by the [auth/credential_file_override] property.ziThis command is authenticated as {} which is the active account specified by the [core/account] property.z( Impersonation is used to impersonate {}z via delegate chain: {}z, r) rrrr9rrrErr join)r: info_strings r, GetInfoStringCredentialInfo.GetInfoStrings    :  $$ >  # # 77=vdnn7M  * * HHNllDNNI  77=vdll7K     6 = =''    , ,!$=$D$D IId99 :%   #%k r+c[RRRR 5(a [ SS9$[ 5n[RRR R5nU(a[U5uUl Ul [R"[R[5(a SUlU$[RRR"R5nU(aSUlX lU$[RRR(R5nU(aLSUlX0l[-USS5n[/USS5nU(d[0R2"U5nXPlU$[RR6R4R5UlU$)zKGet the credential information. Returns: CredentialInfo: the cred info. T)rNservice_account_email)r rrrrrimpersonate_service_accountrrrr rGetEncodedValueosenvironACCESS_TOKEN_ENV_VAR_NAMEraccess_token_filerrcredential_file_overrider_LoadFromFileOverridegetattrauth_external_accountGetExternalAccountIdrEr) cred_info impersonationr/cred_file_overriderrEs r,GetCredentialInfo CredentialInfo.GetCredentialInfosz1199;; $ // I%%**FFJJLM %] 3  (  2 ,EFF+/i( #))..@@DDF(,i%- $**//HHLLN/3i,.$$6dCe6=g '< %@"<##% ' ' % 44:F5  !!KK $$*F+;$<>!%&+)) " * K K "iB!  "d +* A A %'G1G1GId + '  D +r+cp[R"SU5 U(Gd[RR U5nUR5(a$Uc[RnURU5n[RRRR5nU(a][ R"R%U5nU[ R"R&[ R"R(4;aXSl[ R,"U5nU$[ R."5nSSKJn SSKJn SSKJn SSKJn UR;U5up>@((88>i w--==--AAC C+  3 3D 9DF +C"668 =@LlB#>> gd ~%%f  4 4T BD4AABB  & &))i%88i #)#E#Ei $Z ! !)F4J4J ! Kd4?KK M M))i%88i #)#E#Ei "CCi $Z ! !) ,d00@@FIG44DDD%,,11<<@@B , g66CC C"557*o  ++D1  = =d CD +k <<B *+= AABJ " 9 9B *+= AABs/M.N.N N  NN5% N00N5cB[R"S[5 U(d[SR [55eUR 5nSSKJn URU5n[RRRR5UlU$)z2Loads an AccessTokenCredentials from access_token.z1Using access token from environment variable [%s]zYou may have passed an access token to gcloud using the environment variable {}. At the same time, google-auth is disabled by auth/disable_load_google_auth. They do not work together. Please unset auth/disable_load_google_auth and retry.rgoogle_auth_credentials)r rOr.r]r9rgooglecloudsdk.core.credentialsrxAccessTokenCredentialsr rrrr_universe_domain)rru c_google_authrs r,_LoadAccessTokenCredsFromValuer}s(( > $&  % 9:@ %:'  ##%,W  . .| <%&,,11AAEEG% ,r+c<[R"SU5 U(d [S5e[R"U5R 5nSSKJn URU5n[RRRR5UlU$)z0Loads an AccessTokenCredentials from token_file.z"Using access token from file: [%s]zYou may have passed an access token to gcloud using --access-token-file or auth/access_token_file. At the same time, google-auth is disabled by auth/disable_load_google_auth. They do not work together. Please unset auth/disable_load_google_auth and retry.rrw)r rOr]rReadFileContentsrryrxrzr rrrrr{) token_filerucontentr|rs r,_LoadAccessTokenCredsFromFilers(( /<  % 3   " ": . 4 4 6'W  . .w 7%%,,11AAEEG% ,r+c[R"[R[5n[ R RRR5n[ R RRR5nU(a [XS5nGOSU(a [Xc5nGO?U(a[XqU5nGO*U(d2[ R RRR5nU(d4[ R""[$R&"S5R(5e[*R,"US9n U R/X5nU(d[0R3X5nU(d [5U5e[*R6"U5(aFU R9X5 [*R:"XS9n[=UR>UR@5 OU$U(d [CU5 U$)zHelper for Load().Fr=)"rr+r,r-r.r rrr/rr0r}rr1rrEcreds_exceptionsNoActiveAccountExceptionr ActiveConfigrrrrrrtrAIsGoogleAuthGceCredentialsStorerlrrr)RefreshIfAlmostExpire) rErrDrur<rr/r7rvrs r,rCrC s))"**6OP, '',,>>BBD!((--FFJJL ), HD (): LD !3_ MD !!&&..224g   5 5  $ $U + 5 5 77  & &' E ::g /D  ( 7 7 d.w77  + +D 1 1 G"AA   !  $"<"<  $ +r+cp[R"U5(a[XX#U5 g[XX#U5 g)aRefresh credentials. Calls credentials.refresh(), unless they're SignedJwtAssertionCredentials. If the credentials correspond to a service account or impersonated credentials issue an additional request to generate a fresh id_token. Args: credentials: oauth2client.client.Credentials or google.auth.credentials.Credentials, The credentials to refresh. is_impersonated_credential: bool, True treat provided credential as an impersonated service account credential. If False, treat as service account or user credential. Needed to avoid circular dependency on IMPERSONATION_TOKEN_PROVIDER. include_email: bool, Specifies whether or not the service account email is included in the identity token. Only applicable to impersonated service account. gce_token_format: str, Specifies whether or not the project and instance details are included in the identity token. Choices are "standard", "full". gce_include_license: bool, Specifies whether or not license codes for images associated with GCE instance are included in their identity tokens. Raises: TokenRefreshError: If the credentials fail to refresh. TokenRefreshReauthError: If the credentials fail to refresh due to reauth. N)rIsOauth2ClientCredentials_Refresh_RefreshGoogleAuth)rJis_impersonated_credential include_emailgce_token_formatgce_include_licenses r,RefreshrJs9> &&{33 [ .AC{$8KMr+cFSSKJn SSKJn SSKnUR [ R S9nURU5 Sn U(aT[(d [S5e[RU5(d[SRU55e[XS9n O|[U[R5(a [!X5n OQ[U["R$5(a2[&R("5R+[,R.UUS 9n U (a&UR0(aXR0S 'Xlgg![4R6UR84a[n UR;U 5(a[<R>"U 5e[<R@"[BRD"U 55eSn A f[FRHa [<RJ"5e[FRLa$n [<RN"[QU 55eSn A ff=f) z#Refreshes oauth2client credentials.r context_awarehttpN)response_encodingagcloud is configured to impersonate a service account but impersonation support is not available.,Invalid impersonation account for refresh {})r token_formatinclude_licenseid_token))googlecloudsdk.corerrhttplib2HttprENCODINGrr>rQIsImpersonationCredentialr9"_RefreshImpersonatedAccountIdTokenr`rServiceAccountCredentials_RefreshServiceAccountIdTokenoauth2client_gceAppAssertionCredentialsrr GetIdTokenr rbtoken_response id_tokenb64rAccessTokenRefreshErrorServerNotFoundErrorIsContextAwareAccessDeniedErrorrTokenRefreshDeniedByCAAErrorTokenRefreshErrorrLrMrReauthSamlLoginRequiredErrorWebLoginRequiredReauthError ReauthErrorTokenRefreshReauthErrorstr) rJrrrrrrr http_clientrrNs r,rrqs0& I,>,> ?+$; $H! ) )' 67 7* C C ' : A A+ NP P3 4h K!J!J K K.{Hh K!1!I!I J J!,,  # #'--/h   # #19"":. (  ( ((*F*F G?44Q77  9 9! <<  , ,S]]1-= >>  3 39  6 6 88  " ";  2 23q6 ::;s%DE H 'AF==?H <HH c## SSKJn SSKJn SSKJn Sv g!UR a [R"US9eURa#n[R"[U5US9eSnAfURa\nURU5(a[R"U5e[R"[ R""U5UUUS9eSnAff=f7f)z=Handles exceptions during refreshing google auth credentials.rrrrwN)for_adc)rrEis_service_account)r\rrrryrxReauthSamlChallengeFailErrorrrReauthRequiredErrorrr RefreshErrorrrrrLrM)rrErrqrr|rNs r,'HandleGoogleAuthCredentialsRefreshErrorrs?/V  < <H  6 6w GG  * *L  2 23q67 KK  , ,44Q77  9 9! <<  , , a-  s2CC3CA,,C?ACCCcSSKJn SSKJn [R"5(a[ R "U5(dg[US5(a[ R"U5(ajURURSS9n[RRUS[RRS 9n[!["U5(dgg!URa gf=f) asDetermine if ID token refresh is needed. (1) we don't refresh ID token for non-default universe domain. (2) for service account with self signed jwt feature enabled, we only refresh ID token if it's about to expire Args: credentials: google.auth.credentials.Credentials, A google-auth credentials to refresh. Returns: bool, Whether ID token refresh is needed. rr)jwtF _id_token)verifyTexp)r)r\rrr IsDefaultUniverserHasDefaultUniverseDomainrUseSelfSignedJwtdecoderGoogleAuthErrordatetime fromtimestamptimezoneutcr_CREDENTIALS_EXPIRY_WINDOW)rJrqrpayloadexpirys r,_ShouldRefreshGoogleAuthIdTokenrs?  % % ' 'w/O/O00  [+&&7+C+C,, ;00 ?g    , ,8,,00-F %%? H H   " 1 1 s0CC-,C-c ZSnSn[R"U5(aURnSnSSKJn UR 5n[ XVS9 [R"U5 [U5(a[UUUUUSS9 URU5 SSS5 g!,(df  g=f)aRefreshes google-auth credentials. Args: credentials: google.auth.credentials.Credentials, A google-auth credentials to refresh. is_impersonated_credential: bool, True treat provided credential as an impersonated service account credential. If False, treat as service account or user credential. Needed to avoid circular dependency on IMPERSONATION_TOKEN_PROVIDER. include_email: bool, Specifies whether or not the service account email is included in the identity token. Only applicable to impersonated service account. gce_token_format: str, Specifies whether or not the project and instance details are included in the identity token. Choices are "standard", "full". gce_include_license: bool, Specifies whether or not license codes for images associated with GCE instance are included in their identity tokens. Raises: AccountImpersonationError: if impersonation support is not available for gcloud, or if the provided credentials is not google auth impersonation credentials. NFTrrequests)rEr)rrrr refresh_user_account_credentials) rIsServiceAccountCredentialsr)rrGoogleAuthRequestrrkr_RefreshGoogleAuthIdTokenr) rJrrrrrErrrequest_clients r,rrs8 ' ((55//G+--/.. ++K8&{33  %?%+1+0 'Es AB B*cJSSKJs Jn SSKJn SSKJn UR5n [5 Sn [R"U5(aU(aURU 5 GOU(a[(d [S5eSSKJs Jn [!UU R"5(d[SR%U55e[R'U[(R*U5n U RU 5 U R,n Or[!XR"5(a [/X 5n OL[!XR"5(a2[0R2"5R5[(R*UUS9n U (a XlXlSSS5 g!,(df  g=f)atRefreshes the ID token of google-auth credentials. Args: credentials: google.auth.credentials.Credentials, A google-auth credentials to refresh. is_impersonated_credential: bool, True treat provided credential as an impersonated service account credential. If False, treat as service account or user credential. Needed to avoid circular dependency on IMPERSONATION_TOKEN_PROVIDER. include_email: bool, Specifies whether or not the service account email is included in the identity token. Only applicable to impersonated service account. gce_token_format: str, Specifies whether or not the project and instance details are included in the identity token. Choices are "standard", "full". gce_include_license: bool, Specifies whether or not license codes for images associated with GCE instance are included in their identity tokens. refresh_user_account_credentials: bool, Specifies whether or not to refresh user account credentials. Note that when we refresh user account credentials access token, the ID token will be refreshed as well. Depending on where this function is called, we may not need to refresh user account credentials for ID token again. Raises: AccountImpersonationError: if impersonation support is not available for gcloud, or if the provided credentials is not google auth impersonation credentials. rNrrrrr)google.auth.compute_enginercompute_engine google.oauth2rrrrrrIsUserAccountCredentialsrr>rQ$google.auth.impersonated_credentialsimpersonated_credentialsr`rar9GetElevationIdTokenGoogleAuthr rbr'_RefreshServiceAccountIdTokenGoogleAuthrrrrr) rJrrrrrgoogle_auth_gcegoogle_auth_service_accountrrrgoogle_auth_impersonated_credsid_token_credss r,rr=saN76J*--/..0H((55 ,.) # ) )' 67 7TS  6BBDD' : A A+ NP P ' D D644m E^,%%h K!H!H I I8 'h K!GetElevationIdTokenr rb)rvrr)s r,rrs222 % 9 9V66  GGr+c6URn[[R"55nURUX0R-UR [ RS.n[R"URX@RS9n[RRU[S.5nU"URR!S5SUUR#5S9upxUR$S:Xa([&R("U5n U R+SS 5$g ) a9Get a fresh id_token for the given oauth2client credentials. Args: cred: service_account.ServiceAccountCredentials, the credentials for which to refresh the id_token. http_client: httplib2.Http, the http transport to refresh with. Returns: str, The id_token if refresh was successful. Otherwise None. )audiatrisstarget_audience)key_id) assertion grant_typeidnaPOST)methodbodyheadersrN)requestinttimerYMAX_TOKEN_LIFETIME_SECS_service_account_emailr rbrmake_signed_jwt_signer_private_key_idrparse urlencode _GRANT_TYPEencode!_generate_refresh_request_headersrjsonloadsget) rvr http_requestnowrrrresprds r,rrs$$, DIIK#^^  // /  ( (22  '## llG$8$8:)   ! $  nnF#F4468-$ [[C 7A 55T "" r+cT[RRRR 5(agSSKJn SSKJn SSKJ n SSK J n URURURUR[ R"[RR$R&R)5S9nUR*R-UR.UR155UlUR3U5 UR@$!UR4an[7UR85S:aUR8SR;S S 5OS nS U;a+S US ;a"S n [<R>"SUS U 5 SnAgSnAUR@$SnAff=f)aNGet a fresh id_token for the given google-auth credentials. Args: cred: google.oauth2.service_account.Credentials, the credentials for which to refresh the id_token. request_client: google.auth.transport.Request, the http transport to refresh with. Returns: str, The id_token if refresh was successful. Otherwise None. Nrr)iamrr )rerrorrr4z"iam.serviceAccounts.getOpenIdTokenzYou can find step-by-step instructions here: https://cloud.google.com/iam/docs/create-short-lived-credentials-direct#sa-credentials-oidc on how to resolve this error.z%s %s)!r rr(service_account_disable_id_token_refreshrr\rrrr%googlecloudsdk.api_lib.iamcredentialsr IDTokenCredentialssignerr)rhr rbrrr_IAM_IDTOKEN_ENDPOINTreplaceIAM_ENDPOINT_GDUGetEffectiveIamEndpointrrlenargsr r rr) rvrrqgoogle_auth_iamriam_credentials_util id_token_credrNrstepss r,rrshDDLLNN  ?0JP.@@ kk    oo  '',,<<@@B A-++33  / /  6 6 8'.).   - , ,+.aff+/AFF1IMM'2 &rEU 0E)4D D +  iiy)51    -s:DF''A&F""F'cR[R"U5(a?[RRU5nUR[R :XagO[R RU5nUR[R[R[R[R[R[R[R 4;agU(d2[RRR R#5nU(d[$R&"5e[R("5nUR+X5 UR[R :wa[-XU5R/5 gg)aStore credentials according for an account address. gcloud only stores user account credentials, external account credentials, external account authorized user credential, service account credentials, p12 service account credentials, and GCE google-auth credentials. GCE oauth2client credentials, IAM impersonation, and Devshell credentials are generated in runtime. External account credentials do not contain any sensitive credentials. They only provide hints on how to retrieve local external and exchange them for Google access tokens. Args: credentials: oauth2client.client.Credentials or google.auth.credentials.Credentials, The credentials to be stored. account: str, The account address of the account they're being stored for. If None, the account stored in the core.account property is used. scopes: tuple, Custom auth scopes to request. By default CLOUDSDK_SCOPES are requested. Raises: NoActiveAccountException: If account is not provided and there is no active account. N)rrrUrVkeyGCE_CREDS_NAMErgUSER_ACCOUNT_CREDS_NAMEEXTERNAL_ACCOUNT_CREDS_NAME EXTERNAL_ACCOUNT_USER_CREDS_NAME+EXTERNAL_ACCOUNT_AUTHORIZED_USER_CREDS_NAMESERVICE_ACCOUNT_CREDS_NAMEP12_SERVICE_ACCOUNT_CREDS_NAMEr rrrErrrrr_LegacyGenerator WriteTemplate)rJrErrnrs r,rr!s/2 &&{33&&66{CI}}... /00@@MI]] %% )) .. 99 (( ,,  $$,,002G   3 3 55  $ $ &%++g#]]g,,,W62@@B-r+cp[US5(a![R"URU5 [R "5(a&[ R"U5(a [U5 [X5 [R"[RRRU5 g)z?Validates, stores and activates credentials with given account.rN)rrrrr rrrrrPersistPropertyrrrE)rErJs r,ActivateCredentialsr.\s~ [+,, **;+F+FP!!##(H(H)) K  Z..33;;WEr+c[R"U5(a6[R"U5(d"U5(a [ S5e[R "U5(a&SSKJn URUR55 gSSKJ n URUR55 g)zRevokes the token on the server. Args: credentials: user account credentials from either google-auth or oauth2client. Raises: RevokeError: If credentials to revoke is not user account credentials. zSThe token cannot be revoked from server because it is not user account credentials.rrrN) rr IsExternalAccountUserCredentials*IsExternalAccountAuthorizedUserCredentialsrWrrrrevokerrr)rJrrs r,RevokeCredentialsr3ls  * *; 7 7 ..{;; 88EE 6 77 &&{33(tyy{#,x1134r+cSSKJn SSKJn SSKJn U(d2[ R RRR5nU(d[R"5eU[R"5R5;a [S5e[!USSS9nU(d [#U5eSnUR%S 5(dB['XAR(5(d(['UUR(5(d [+U5 Sn[2R4"5nUR7U5 [9X5R;5 [<R>"5RAU5n[BRDRGU5(a[HRJ"U5 U$![,R.UR.4a6nUR0SS :XaS nANUR0SS :XaS nANeS nAff=f) a(Revoke credentials and clean up related files. Args: account: str, The account address for the credentials to be revoked. If None, the currently active account is used. Returns: True if this call revoked the account; False if the account was already revoked. Raises: NoActiveAccountException: If account is not provided and there is no active account. NoCredentialsForAccountException: If the provided account is not tied to any known credentials. RevokeError: If there was a more general problem revoking the account. rrrKrwz'Cannot revoke GCE-provided credentials.T)rDruFz.gserviceaccount.com invalid_tokeninvalid_requestN)&r\rrLryrxr rrrErrrrrrrWrrAendswithr`rar3rTokenRevokeErrorrrrRemover*Cleanr PathsLegacyCredentialsDirr,pathisdirrRmTree) rErrrsr|rJrvrNrlegacy_creds_dirs r,RevokerBs*KjV $$,,002G   3 3 55  ))++ ? @@ tT;+  *7 33 "   3 4 4 {$L$L M M  8 D DFF $ b  $ $ &%,,w7(..0\\^88AWW]]#$$ LL!" )#  ! !=#A#A B vvayO# ' '   s%:AF11 HH)HHHc U=(a [5(+nUc[R"5nU(aSSKJn UR SUSU[ RRRRSS9[ RRRRSS9S9n[RR5UlU$[R "S[ RRRRSS9[ RRRRSS9U[RR5U["R$US9nU$)aGet credentials from an already-valid refresh token. Args: refresh_token: An oauth2 refresh token. token_uri: str, URI to use for refreshing. revoke_uri: str, URI to use for revoking. use_google_auth: bool, True to return google-auth credentials. False to return oauth2client credentials.. Returns: oauth2client.client.Credentials or google.auth.credentials.Credentials. When all of the following conditions are true, it returns google.auth.credentials.Credentials and otherwise it returns oauth2client.client.Credentials. * use_google_auth=True * google-auth is not globally disabled by auth/disable_load_google_auth. NrrIT)required)r refresh_tokenrrYrMrN)rrMrNrErrY user_agent revoke_uri)rrrjrrJrar rrrMrrNrutcnowrrOAuth2Credentialsr CLOUDSDK_USER_AGENT)rErYrGrurprvs r,AcquireFromTokenrKs>,$J-G-I)I/**,I?  ( (###((22666E '',,::>>>M ) OD##**,DK +  # ###((22666E '',,::>>>M#&&--/-- D +r+c U(aUSSKJs Jn U=(d SnURUS9n[R "5R 5nUUlSUlO[R"US9nU(a [U5 U$)a-Get credentials from a GCE metadata server. Args: account: str, The account name to use. If none, the default is used. use_google_auth: bool, True to load credentials of google-auth if it is supported in the current authentication scenario. False to load credentials of oauth2client. refresh: bool, Whether to refresh the credential or not. The default value is True. Returns: oauth2client.client.Credentials or google.auth.credentials.Credentials based on use_google_auth and whether google-auth is supported in the current authentication sceanrio. Raises: c_gce.CannotConnectToMetadataServerException: If the metadata server cannot be reached. TokenRefreshError: If the credentials fail to refresh. TokenRefreshReauthError: If the credentials fail to refresh due to reauth. rNr)r)T)email) rrrrarrrr{_universe_domain_cachedrrr)rErurrrMrJrs r,rrsw,88  yE!--E-JK nn&557O +/K'"::IK  K r+cT\rSrSrSrS Sjr\S5r\S5rSr Sr S r S r g) r*i-a;A class to generate the credential file for other tools, like gsutil & bq. The supported credentials types are user account credentials, service account credentials, and p12 service account credentials. Gcloud supports two auth libraries - oauth2client and google-auth. Eventually, we will deprecate oauth2client. NclX lUR[R[R[R [R [R[R4;a8[R"SR[UR555eUc[RUlOX0l[R"5nUR!U5UlUR%U5UlUR)U5UlUR-U5Ulg)N Unsupported credentials type {0})rJ _cred_typerr$r(r%r&r'r)CredentialFileSaveErrorr9rdr rArr;LegacyCredentialsBqPath_bq_pathLegacyCredentialsGSUtilPath _gsutil_pathLegacyCredentialsP12KeyPath _p12_key_pathLegacyCredentialsAdcPath _adc_path)r:rErJrpathss r,r6_LegacyGenerator.__init__6s" '')K)K++00;;.. 00  + + , 3 3D9I9I4J K MM ~**dkk LLNE 11':DM99'BD::7CD33G>r+cUR(a3[RRUR5R $[R RUR5R $rc)r_rrUrVrJr"rgrfs r,rR_LegacyGenerator._cred_typeSsU   # # 3 3D4D4D E I II  - - = =   C r+cURURURUR/nUHn[R "U5 M g![ a M,f=f)zRemove the credential file.N)rUrWrYr[r,rpOSError)r:r\ps r,r:_LegacyGenerator.Clean[s[      E   !    sA AAc 6UR5 UR[R:XaURnUR nUR n[R"URUSS9 URURSR/SQ5RURRURUS95 g[R"UR5R!UR"S9 UR[R$:XdUR[R&:XaEURURSRSS /5RUR"S 95 gUR[R(:XaEURURSRSS /5RUR"S 95 gUR[R*:XayURURSR/S Q5RURR,URR.URR0S 95 gUR[R2:XaEURURSRSS/5RUR"S95 g[R4"SRR555e)zWrite the credential file.Tprivate ) [Credentials]z gs_service_client_id = {account} gs_service_key_file = {key_file}z-gs_service_key_file_password = {key_password})rEkey_file key_passwordN)rrkz2gs_external_account_file = {external_account_file})external_account_filezBgs_external_account_authorized_user_file = {external_account_file})z[OAuth2]zclient_id = {cid}zclient_secret = {secret}rrkz!gs_oauth2_refresh_token = {token})cidsecretrrl)rmrQ)r:rRrr)rJ_private_key_pkcs12_private_key_passwordrWriteBinaryFileContentsrY_WriteFileContentsrWr$r9r)ADC DumpADCToFiler[r%r&r'r$rMrNrEr(rSrd)r:rvr"passwords r,r+_LegacyGenerator.WriteTemplateks JJL '@@@   d  $ $c++h ##D$6$6TJ    TYY(  VD,,BB!//!)+ ,  KK '-$..-A 7>>> 7CCC    TYYB(  V$..V 9 ; GOO O d//  N<2  dnn 57 G;; ;      ))  V"",,%%33$$22  G>> >    TYY0(  VT^^V , .  + + , 3 3D9I9I4J K MMr+c[RR[R"U55n[R "X2SS9 g)zWrites contents to a path, ensuring mkdirs. Args: filepath: str, The path of the file to write. contents: str, The contents to write to the file. TrhN)r,r=realpathr ExpandHomeDirWriteFileContents)r:filepathcontents full_paths r,ru#_LegacyGenerator._WriteFileContentss3  !4!4X!>?I I>r+)r[rUrWrYrJrrc) r%r&r'r(r)r6propertyr_rRr:r+rur*r#r+r,r*r*-sF=2 ? ?     KMZ ?r+r*)i)NNT)NN1hT)NNrTT)TT)NNFTTF)TF)FFstandardF)FNF)FFrFT)NNrc)NTT)pr) __future__rrr contextlibrrr,r7rtypingrrgooglecloudsdk.api_lib.authrr3r rrr r r r"googlecloudsdk.core.configurationsrryrrrrrrgooglecloudsdk.core.utilrrr oauth2clientrrroauth2client.contribrrrL six.movesrr.(GOOGLE_OAUTH2_PROVIDER_AUTHORIZATION_URI!GOOGLE_OAUTH2_PROVIDER_REVOKE_URIrrACCOUNT_TABLE_FORMAT)ACCOUNT_TABLE_WITH_UNIVERSE_DOMAIN_FORMATr!r.r1rArHrQrTrWrZr]r>objectr`rrrrrrrrrrrrrrrrr rrrrrr1r}rrCrrcontextmanagerrrrrr rrrrrr.r3rBrKrr*r#r+r,rs*  ''  Q9&#*)<<J8-**(8. !0)2"; #  - )/  " "/;%;!!$6'H60U0 AA9%96u6?%? $489$N45F45n -v -$ -`@#@(3-@* C26&)R)$%)#'8<F.!%#,048)2*.(,59=A:4!%#,048(, 5p$'NE(~V~D   $ ^B\~68 >D(-' % $MP). (!& 2;j 49:+^38%*(2+0 H(Z %%) X)v$NG&R>B8Cv F 5.A J $ A%)5p+\T?vT?r+