o %@sdZddlZddlZddlZddlZddlZddlmZddlm Z ddlm Z ddl m Z ddlmZdZd Zd ZeeZd d Zd dZddZddZGdddeZGdddeZGdddeZGdddeZGdddeZddZ d!dd Z!dS)"zBA module that provides functions for handling rapt authentication.N) reauth_errors)errors)model) authenticator)urllibz)https://reauth.googleapis.com/v2/sessionsz/https://www.googleapis.com/auth/accounts.reauthzhttps://accounts.google.comcCsd|vr t|dd|S)Nerrormessage)rReauthAPIError)msgr D/tmp/google-cloud-sdk/lib/third_party/oauth2client/contrib/reauth.py HandleErrors(sr cCs t|S)zGet password from user. Override this function with a different logic if you are using this library outside a CLI. Returns the password.)getpass)textr r r GetUserPassword.s rcCs tjS)a Check if we are in an interractive environment. If the rapt token needs refreshing, the user needs to answer the challenges. If the user is not in an interractive environment, the challenges can not be answered and we just wait for timeout for no reason.)sysstdinisattyr r r r InteractiveCheck7s rcCstjjS)zGet preferred output function.)rstderrwriter r r r GetPrintCallbackAsrc@s8eZdZdZddZddZddZdd Zd d Zd S) ReauthChallengez!Base class for reauth challenges.cCs||_||_dSN) http_request access_tokenselfrrr r r __init__Js zReauthChallenge.__init__cCt)z"Returns the name of the challenge.NotImplementedErrorrr r r GetNameNzReauthChallenge.GetNamecCr)zAReturns true if a challenge is supported locally on this machine.r r"r r r IsLocallyEligibleRr$z!ReauthChallenge.IsLocallyEligiblecCsh||}|s dS||dd|d}|jdt|dt|dd|jid \}}t|}t||S) z;Execute challenge logic and pass credentials to reauth API.N challengeIdRESPOND) sessionIdr&actionproposalResponsez{0}/{1}:continuePOST AuthorizationBearer methodbodyheaders) InternalObtainCredentialsrformat REAUTH_APIjsondumpsrloadsr )rmetadata session_id client_inputr0_contentresponser r r ExecuteVs"    zReauthChallenge.ExecutecCr)z=Performs logic required to obtain credentials and returns it.r )rr8r r r r2mr$z)ReauthChallenge.InternalObtainCredentialsN) __name__ __module__ __qualname____doc__rr#r%r>r2r r r r rGs rc@(eZdZdZddZddZddZdS) PasswordChallengez(Challenge that asks for user's password.cCdS)NPASSWORDr r"r r r r#uzPasswordChallenge.GetNamecCrENTr r"r r r r%xrGz#PasswordChallenge.IsLocallyEligiblecCstd}|sd}d|iS)NzPlease enter your password: credential)r)runused_metadatapasswdr r r r2{sz+PasswordChallenge.InternalObtainCredentialsNr?r@rArBr#r%r2r r r r rDr  rDc@rC) SecurityKeyChallengez2Challenge that asks for user's security key touch.cCrE)N SECURITY_KEYr r"r r r r#rGzSecurityKeyChallenge.GetNamecCrErHr r"r r r r%rGz&SecurityKeyChallenge.IsLocallyEligiblec Cs$|d}|d}|d}g}|D]'}|dd}ttt|}|dd} t| } ||| dqztt } | j ||t d} d| iWSt j y} z*| jt j jkrat d n| jt j jkrnt d n | WYd} ~ dSWYd} ~ dSd} ~ wt jyt d YdSw) N securityKey challenges applicationId keyHandleascii challenge)keyrV)print_callbackzIneligible security key. z0Timed out while waiting for security key touch. zNo security key found. )encoder RegisteredKey bytearraybase64urlsafe_b64decodeappendrCreateCompositeAuthenticator REAUTH_ORIGIN Authenticater u2ferrorsU2FErrorcodeDEVICE_INELIGIBLETIMEOUTNoDeviceFoundError) rr8skrRapp_idchallenge_datackhrWrVapir=er r r r2sB       z.SecurityKeyChallenge.InternalObtainCredentialsNrMr r r r rOrNrOc@rC) SamlChallengez6Challenge that asks SAML users to complete SAML login.cCrE)NSAMLr r"r r r r#rGzSamlChallenge.GetNamecCrErHr r"r r r r%rGzSamlChallenge.IsLocallyEligiblecCstr)rReauthSamlLoginRequiredError)rrKr r r r2sz'SamlChallenge.InternalObtainCredentialsNrMr r r r rorNroc@s:eZdZdZddZddZddZdd Zd d d Zd S) ReauthManagerz4Reauth manager class that handles reauth challenges.cCs||_||_||_dSr)rrInternalBuildChallengesrRrr r r rszReauthManager.__init__cCsJi}t|j|jt|j|jt|j|jfD] }|r"|||<q|Sr)rOrrrDror%r#)routrkr r r rss    z%ReauthManager.InternalBuildChallengescCs`dt|ji}|r||d<|jdtdt|dd|jid\}}t |}t ||S)zADoes initial request to reauth API and initialize the challenges.supportedChallengeTypes oauthScopesForDomainPolicyLookupz {0}:startr+r,r-r.) listrRkeysrr3r4r5r6rr7r )rrequested_scopesr0r;r<r=r r r InternalStarts  zReauthManager.InternalStartcCsBd}|dD]}|ddkrq|j|d}|||d}q|S)NrRstatusREADY challengeTyper()rRr>)rr next_msgrVrkr r r DoOneRoundOfChallengess  z$ReauthManager.DoOneRoundOfChallengesNcCsd}d}|r?|d8}|s||}|ddkr|dS|ddks1|ddks1td |dts8t||}|st) z$Obtain proof of reauth (rapt token).Nr{ AUTHENTICATEDencodedProofOfReauthTokenCHALLENGE_REQUIREDCHALLENGE_PENDINGzChallenge status {0})rzrr r3rReauthUnattendedErrorrReauthFailError)rryr max_challenge_countr r r ObtainProofOfReauths$      z!ReauthManager.ObtainProofOfReauthr) r?r@rArBrrsrzrrr r r r rrs  rrcCst||}|j|d}|S)Nry)rrr)rrryrmraptr r r ObtainRapts  rc Csxtd|||tdd}||dtj|ddid\}}z t|d} Wn ttfy2t j wt || |d } | S) z?Given an http request method and refresh_token, get rapt token.zReauthentication required. refresh_token) client_id client_secretrscope grant_typer+z Content-Typez!application/x-www-form-urlencodedr.rr) r REAUTH_SCOPErparse urlencoder5r7 ValueErrorKeyErrorrReauthAccessTokenRefreshErrorr) rrrr token_uriscopes query_paramsr;r<reauth_access_token rapt_tokenr r r GetRaptTokens0   rr)"rBr\rr5loggingroauth2client.contribrpyu2frrbrpyu2f.conveniencer six.movesrr4rr` getLoggerr?loggerr rrrobjectrrDrOrorrrrr r r r s6        +(F