9QdSrSSKJr SSKJr SSKJr SSKJr SSKrSSKrSSKrSSK r SSK r SSK r SSK r SSK Jr SSK Jr SS KJr SS KJr SS KJr SS KJr SS KJr SSKJr SSKJr SSKJr SSKJ r SSKJ!r! SSKJ"r" SSK#J$r$ SSK%J&r& SSK'J(r( SSK)J*r+ SSK,J-r- SSK.J/r/ SSK0r0SSK1J2r2 SSK3J4r4 SSK5J6r6 SSK7J8r8 SSK3J9r9 SSK J:r: S r;S!r<\RzR|\RzR~\RzR\RzR\RzR/rCS"rDS#rE"S$S%\+R\+R5rH"S&S'\/R5rJS9S(jrKS)rLS9S*jrMS+rNS,rOS-rPS.rQS/rRS0rSS1rTS2rUS3rVS4rWS5rXS6rYS7rZS8r[g):z3Credentials logic for JSON CloudApi implementation.)absolute_import)print_function)division)unicode_literalsN)credentials_lib) exceptions)config) CredTypes)CommandException)ImpersonationCredentials)NoOpCredentials) constants) system_util)GetFriendlyConfigFilePaths)GetCredentialStoreFilename)GetGceCredentialCacheFilename)GetGcsJsonApiVersion)UTF8)WrappedCredentials)_helpers)baseAuthorizedHttp)service_account) HAS_CRYPTO)devshell)ServiceAccountCredentials) reauth_creds)multiprocess_file_storage)BytesIOz)https://accounts.google.com/o/oauth2/authz#https://oauth2.googleapis.com/token notasecretc"[U[5$N) isinstanceP12Credentials) credentialss -platform/gsutil/gslib/gcs_json_credentials.pyisP12Credentialsr(Os K 00cH\rSrSrSrSr\S5rSr\ S Sj5r Sr g) PKCS12SignerRz%Signer for a p12 service account key.cXlgr#_key)selfkeys r'__init__PKCS12Signer.__init__UsIr)cgr#)r0s r'key_idPKCS12Signer.key_idZs r)c[R"U5nSSKJn URR UUR UR5$)Nr)_cryptography_rsa)rto_bytesgoogle.auth.cryptr9r/sign_PADDING_SHA256)r0messager9s r'r<PKCS12Signer.sign^s?(G3 99>>""!! ##r)NcASU5up4SSKJn URX45un nU"U5$! [S5e=f)Nc3N# UHn[R"U5v M g7fr#)rr:).0ks r' +PKCS12Signer.from_string..isF+QH--a00+s#%r)pkcs12zr.r#) __name__ __module__ __qualname____firstlineno____doc__r2propertyr6r< classmethodrO__static_attributes__r5r)r'r+r+Rs9-   # ] ]r)r+c8\rSrSrSrSrSr\SSj5rSr g) r%sagoogle-auth service account credentials for p12 keys. p12 keys are not supported by the google-auth service account credentials. gsutil uses oauth2client to support p12 key users. Since oauth2client was deprecated and bundling it is security concern, we decided to support p12 in gsutil codebase. We prefer not adding it to the google-auth library because p12 is not supported from the beginning by google-auth. GCP strongly suggests users to use the JSON format. gsutil has to support it to not break users. )service_account_email token_uriscopesc[XS9$)N)httpr)r0r_s r' authorizeP12Credentials.authorizes $ **r)Nc U=(d [n[RX45nURVs/sH oUU;dM UPM nnU(a)[ SR SR U555eU"U40UD6nU$s snf)NzMissing fields: {}.z, )#GOOGLE_OAUTH2_DEFAULT_FILE_PASSWORDr+rO_REQUIRED_FIELDSr formatjoin)rJrLrMkwargssignerfmissing_fieldscredss r'%from_service_account_pkcs12_keystring4P12Credentials.from_service_account_pkcs12_keystrings >>H  % %z&< =F!$!5!5I!5A&a!5NI 299 ))N #% &&  !& !E L Js BBr5r#) rQrRrSrTrUrdr`rWrlrXr5r)r'r%r%ss.F+6:  r)r%c d[R"X40UD6$![a [S5ef=f)zCCreates a service account from a p12 key and handles import errors.zapyca/cryptography is not available. Either install it, or please consider using the .json keyfile)r%rl ImportErrorr )rLrMrgs r'CreateP12ServiceAccountrpsIq  ? ? ( & (( q  n qqqs/cU/n[U[R5(aURUR5 GO>[U[ 5(aURUR 5 [USS5(aURUR5 O[USS5(a2UR[R"UR5SS5 O[U[RR5(arUR(a,URS:waURUR5 OURS5 URUR =(d S5 [USS5(aURUR"5 UVs/sHn[$R&"U5PM nnS R)U5$s snf) aDisambiguates a credential for caching in a credential store. Different credential types have different fields that identify them. This function assembles relevant information in a string to be used as the key for accessing a credential. Note that in addition to uniquely identifying the entity to which a credential corresponds, we must differentiate between two or more of that entity's credentials that have different attributes such that the credentials should not be treated as interchangeable, e.g. if they target different API versions (happens for developers targeting different test environments), have different private key IDs (for service account JSON keyfiles), or target different provider token (refresh) URIs. Args: credentials: An OAuth2Credentials object. api_version: JSON API version being used. Returns: A string that can be used as the key to identify a credential, e.g. "v1-909320924072.apps.googleusercontent.com-1/rEfrEshtOkEn-https://..." _private_key_idN_private_key_pkcs12null noclientidnorefreshtokenr\-)r$rDevshellCredentialsappend user_emailr_service_account_emailgetattrrrbase64 b64encoders oauth2clientclientOAuth2Credentials client_id refresh_tokenr\six ensure_textrf)r& api_version key_partsparts r'GetCredentialStoreKeyrst6m) X99:: [++,+899 [778{-t44{223 3T : : v'' (G(GH"MN+|22DDEE!6!6&!@{,,-|$ [..B2BC  [+t,, [**+1:;st$); )  @AK coo 7 7OO))--/k  [\00BBB#o C 3 +r)c/nSn[5(aUR[R5 [ 5(aUR[R 5 [ U5S:a[SU<S[5<S35e[Rn[5n[R n[5n[Rn[5n[Rn[5n[Rn[!5n[R"n[%5nU=(d& U=(d U=(d U=(d U=(d Un ['5(a"U (a[R(n[+X5$U $![,an U(aUR/[0R25(a$UR5[6R8"55 U[R(:XaU e[:R<"5(aUR?SU5 eUR?SU5 eSn A ff=f)zReturns credentials from the configuration file, if any are present. Args: logger: logging.Logger instance for outputting messages. Returns: OAuth2Credentials object if any valid ones are found, otherwise None. Nz3You have multiple types of configured credentials (z), which is not supported. One common way this happens is if you run gsutil config to create credentials and later run gcloud auth, and create a second set of credentials. Your boto config path is: z). For more help, see "gsutil help creds".zCYour "%s" credentials are invalid. Please run $ gcloud auth loginzYour "%s" credentials are invalid. For more help, see "gsutil help creds", or re-run the gsutil config command (see "gsutil help config").) _HasOauth2UserAccountCredsrzr OAUTH2_USER_ACCOUNT_HasOauth2ServiceAccountCredsOAUTH2_SERVICE_ACCOUNTlenr r _GetOauth2UserAccountCredentials#_GetOauth2ServiceAccountCredentialsEXTERNAL_ACCOUNT_GetExternalAccountCredentials EXTERNAL_ACCOUNT_AUTHORIZED_USER,_GetExternalAccountAuthorizedUserCredentialsGCE _GetGceCredsDEVSHELL_GetDevshellCreds_HasImpersonateServiceAccount IMPERSONATION_GetImpersonationCredentials Exception isEnabledForloggingDEBUGdebug traceback format_excrInvokedViaCloudSdkr) rconfigured_cred_typesfailed_cred_type user_credsservice_account_credsexternal_account_creds&external_account_authorized_user_creds gce_credsdevshell_credsrkes r'rrsE !##""9#@#@A$&&""9#C#CD !A%  !"<">  @ AA!4413J 77?A 11;= AA-Y.* }}I ))&(N  S/ S9 S@V S[A SESE%&&5"00 )% 88 l     W]] + + Y))+, Y44 4  ) ) + +  $%5 7    %&6 8 1 sFF F H?B%H::H?c:[R"SS[5$)NOAuth2provider_token_uri)r r(DEFAULT_GOOGLE_OAUTH2_PROVIDER_TOKEN_URIr5r)r'_GetProviderTokenUrirUs H2< >>r)c0[R"SS5$)N Credentialsgs_service_key_filer has_optionr5r)r'rrZs   =*? @@r)c0[R"SS5$)Nrgs_oauth2_refresh_tokenrr5r)r'rr^s   =*C DDr)c0[R"SS5$)N GoogleComputerrr5r)r' _HasGceCredsrbs   ?,= >>r)c[5S;$)N)N)rr5r)r'rrfs & ( ::r)cn[R"SSS5nU(dg[R"U5$)Nrgs_external_account_file)r rrfor_external_account)external_account_filenames r'rrjs1$jj)CTK "   0 01J KKr)cn[R"SSS5nU(dg[R"U5$)Nr(gs_external_account_authorized_user_file)r rr$for_external_account_authorized_user))external_account_authorized_user_filenames r'rrss6.4jj?/G+ 2   @ @/ 11r)c[R=(d5 [R"SS[R RS55$)Nrgs_impersonate_service_account)CLOUDSDK_AUTH_IMPERSONATE_SERVICE_ACCOUNT)rIMPERSONATE_SERVICE_ACCOUNTr rosenvironr5r)r'rr}s:  / / C6::5jjnn@A4CDr)c[5(dg[5n[R"SSS5n[R"SSS5n[R "US5nUR 5nSSS5 SnWR[5nSnU(aR[R"W5nS HnXv;dM [S U<S U<35e [R"U[ US 9$[R"SS["5n[%WU[ XS9$!,(df  N=f![a Nf=f![a [S U-5ef=f)zDRetrieves OAuth2 service account credentials for a private key file.Nrgs_service_client_idrrrbFTz/Could not parse JSON keyfile "%s" as valid JSON)r client_emailprivate_key_id private_keyzThe JSON private key file at z% did not contain the required entry: )r]r\gs_service_key_file_password)r]r[r\)rrr rioopenreaddecoderUnicodeDecodeErrorjsonloads ValueErrorrrfrom_json_keyfile_dictDEFAULT_SCOPESrcrp) rservice_client_idprivate_key_filenameprivate_key_filerkeyfile_is_utf8 json_key_dict json_entry key_file_passs r'rrsZ & ( ( +-jj0FKM3H"M ww#T*.>"'')K+/ $$T*KO,jj-m &  (-z;< <& % ; ;n8J LLJJ}.L!DFM "; nl} ]]=+*   , G*+ ,,,s*"D>D+D; D(+ D87D8;Ec [5(dg[5n[R"5up[R "SS[ RR SU55n[R "SS[ RR SU55n[RR[RR/n[R"SUU[R "SS5SUSUS 9$) zARetrieves OAuth2 service account credentials for a refresh token.NrrOAUTH2_CLIENT_ID client_secretOAUTH2_CLIENT_SECRETrr)r])rrrGetGsutilClientIdAndSecretr rrrrScopesCLOUD_PLATFORMREAUTHrOauth2WithReauthCredentials)rgsutil_client_idgsutil_client_secretrrscopes_for_reauth_challenges r'rrs # % % +-,,.)jj;(:'>!  1 1  jj 9:  ( **r)c [5(dg[R"[R"SSS5[ 5S9$![ Ra)nS[U5;aS[U5;aSnAgeSnAff=f)Nrrdefault)service_account_namecache_filenamezservice accountzdoes not exist) rrGceAssertionCredentialsr rrapitools_exceptionsResourceUnavailableErrorstr)rs r'rrst    2 2#ZZ9J(1346 88  5 5 CF"'73q6'A   s2ABA=<A==Bcd[R"5$![Ra g e=fr#)rryNoDevshellServerr5r)r'rrs1  ' ' ))  " "   s //c[U[5(ag[[5[RR /X5$)z?Retrieves temporary credentials impersonating a service accountN)r$r rrrr)r&rs r'rrs= 566 !"?"A#,#3#3#B#B"C"- 77r)r#)\rU __future__rrrrr~rrrrrrapitools.base.pyrrrbotor gslib.cred_typesr gslib.exceptionr gslib.impersonation_credentialsr gslib.no_op_credentialsr gslib.utilsrrgslib.utils.boto_utilrrrrgslib.utils.constantsrgslib.utils.wrapped_credentialsr google.authrr;r crypt_basegoogle_auth_httplib2r google.oauth2rroauth2client.clientroauth2client.contribroauth2client.service_accountr google_reauthrrr 0DEFAULT_GOOGLE_OAUTH2_PROVIDER_AUTHORIZATION_URIrrrCLOUD_PLATFORM_READ_ONLY FULL_CONTROL READ_ONLY READ_WRITErrcr(SignerFromServiceAccountMixinr+rr%rprrrrrrrrrrrrrrrrr5r)r'r&s:'%'  ->&,D3!#<<?6&> 0/)*)B&:01*)## -- !!   '3#1]:$$j&H&H]B_00>q:z'$TP f> AE?;L1D ']T*<    7r)