p!lSrSSKJr SSKJr SSKJr SSKJr SSKrSSKrSSKrSSK J r SSK r SSK J r SS K Jr SS K Jr Sq\R"R%\R"R'S S S 55rSrSr"SS\5r"SS\5rSrSrSrSrSr"SS\5r Sr!Sr"g)z)Manages device context mTLS certificates.)absolute_import)print_function)division)unicode_literalsN)config) exception) boto_util)execution_util~z.secureConnectzcontext_aware_metadata.jsoncert_provider_commandz--with_passphrasec\rSrSrSrSrg)CertProvisionError+z9Represents errors when provisioning a client certificate.N__name__ __module__ __qualname____firstlineno____doc____static_attributes__r'platform/gsutil/gslib/context_config.pyrr+sArrc\rSrSrSrSrg)(ContextConfigSingletonAlreadyExistsError0z>Error for when create_context_config is called multiple times.rNrrrrrr0sFrrcURS5(aURS5(aSSUSS4$URS5(aURS5(aSSUSS4$g ) z)Returns (begin:bool, end:bool, name:str).z -----BEGIN z-----TF z -----END )FF) startswithendswith)lines r_is_pem_section_markerr%5se __]## g(>(> R ## {## g(>(> $Qr "" rc\0n/nSnUR5HnUR5nU(dM[U5upgnU(aGU(aURSU-5 XR 5;aURSU-5 Un/nOCU(a<U(dURSU-5 O XH:waURSU<SU<35 SnU(dMUR U5 U(dMSR U5S-X('SnM U(aURSU-5 U$) aReturns dict with {name: section} by parsing contents in PEM format. A simple parser for PEM file. Please see RFC 7468 for the format of PEM file. Not using regex to improve performance catching nested matches. Note: This parser requires the post-encapsulation label of a section to match its pre-encapsulation label. It ignores a section without a matching label. Args: contents (str): Contents of a PEM file. logger (logging.logger): gsutil logger. Returns: A dict of the PEM file sections. Nz0Section %s missing end line and will be ignored.zASection %s already exists, and the older section will be ignored.z8Section %s missing a beginning line and will be ignored.zSection z% missing a matching end line. Found:  zSection %s missing an end line.) splitlinesstripr%warningkeysappendjoin) contentsloggerresult pem_linespem_section_namer$beginendnames r_split_pem_into_sectionsr6?s" &)!!#d ::ws5''$$%;<-  & &  rc[U5n[R"U5sSSS5 $!,(df  g=f![an[ U5eSnAff=f)zLoads context aware metadata from the given path. Returns: dict: The metadata JSON. Raises: CertProvisionError: If failed to parse metadata as JSON. N)openjsonload ValueErrorr)r=fes r_read_metadata_filerFsB m  YYq\     Q  s) >- > ;>> A AAc[5nU(d [S5e[U5n[U;a [S5eU[n[U;aUR [5 U$)zLoads default cert provider command. Returns: str: The default command. Raises: CertProvisionError: If command cannot be found. z+Client certificate provider file not found.z.Client certificate provider command not found.)r>rrF_CERT_PROVIDER_COMMAND(_CERT_PROVIDER_COMMAND_PASSPHRASE_OPTIONr,)r= metadata_jsoncommands r_default_commandrLs]--  J KK%m4-=0 M NN 0 1'.g= NN;< .rc*\rSrSrSrSrSrSrSrg)_ContextConfigzRepresents the configurations associated with context aware access. Only one instance of Config can be created for the program. cXl[R"SS5UlSUlUR(dg[ R "UR5 [RR[R"5S5UlURUR5 g![a(nURRSU-5 SnAgSnAff=f)zEInitializes config. Args: logger (logging.logger): gsutil logger. Credentialsuse_client_certificateNz caa_cert.pemz*Failed to provision client certificate: %s)r/rgetboolrRclient_cert_pathatexitregister_unprovision_client_certr8r9r-r GetGsutilStateDir_provision_client_certrerror)selfr/rEs r__init___ContextConfig.__init__s K"(..1I#KD D  & &  OOD112GGLL)D)D)F)79DJ !!$"7"78 J kkDqHIIJsB11 C#;CC#c|[R"SSS5nU(aURS5nO [5n[R "U5upE[ X@R5n[US5nURUS5 SU;a0URUS5 USR5S Ul OURUS 5 SUl SSS5 g!,(df  g=f![R[4an[U5eSnAf[ an[S U-5eSnAff=f) zDExecutes certificate provider to obtain client certificate and keys.rQr N zw+ CERTIFICATEzENCRYPTED PRIVATE KEY PASSPHRASEz PRIVATE KEYz6Invalid output format from certificate provider, no %s)rgetsplitrLr ExecuteExternalCommandr6r/r@writer(client_cert_passwordrExternalBinaryErrorOSErrorrKeyError) r[ cert_pathcert_command_string cert_commandcommand_stdout_string_sectionsrDrEs rrY%_ContextConfig._provision_client_certs$ **]4K%)+(..s3l&'lH!/!F!F "**?Mh  4 A '( "h . ''(23 4&.|&<&G&G&I!&L$ # ''(=) *&*$ # !   ) )7 3" q !! H  BQ F HHHsB9C66A&C%C6% C3/C63C66D; D D;(D66D;cURbJ[R"UR5 URR SUR-5 gg![ a(nURR SU-5 SnAgSnAff=f)z@Cleans up any files or resources provisioned during config init.NzUnprovisioned client cert: %sz'Failed to remove client certificate: %s)rTr8remover/debugrirZ)r[rEs rrW'_ContextConfig._unprovision_client_certs} (I $''( 9//0 1) I CaGHHIsAA B #BB )rgrTr/rRN) rrrrrr\rYrWrrrrrNrNs J4H:IrrNcF[(d[U5q[$[e)zShould be run once at gsutil startup. Creates global singleton. Args: logger (logging.logger): For logging during config functions. Returns: New ContextConfig singleton. Raises: Exception if singleton already exists. )_singleton_configrNr)r/s rcreate_context_configrxs!  &v. 00rc[$)zoRetrieves ContextConfig global singleton. Returns: ContextConfig or None if global singleton doesn't exist. )rwrrrget_context_configrz s r)#r __future__rrrrrUrAr8botorgslibr gslib.utilsr r rwr9r:r-r;rHrI Exceptionrrr%r6r>rFrLobjectrNrxrzrrrrs0&%'  !&++GGLL&(EFH0+>( y 5p   2EIVEIP1&r