gye@dZddlZddlZddlmZddlZddlZddlZddlZddl Z ddl m Z ddl m Z ddl m Z ddl mZddl mZdd lmZdd lmZd Zd Zd ZdZdZeGddZGdde j2e j4e j6ej8Zy)aExternal Account Credentials. This module provides credentials that exchange workload identity pool external credentials for Google access tokens. This facilitates accessing Google Cloud Platform resources from on-prem and non-Google Cloud platforms (e.g. AWS, Microsoft Azure, OIDC identity providers), using native credentials retrieved from the current environment without the need to copy, save and manage long-lived service account credentials. Specifically, this is intended to use access tokens acquired using the GCP STS token exchange endpoint following the `OAuth 2.0 Token Exchange`_ spec. .. _OAuth 2.0 Token Exchange: https://tools.ietf.org/html/rfc8693 N) dataclass)_helpers) credentials) exceptions)impersonated_credentials)metrics)sts)utilsexternal_accountz/urn:ietf:params:oauth:grant-type:token-exchangez-urn:ietf:params:oauth:token-type:access_tokenz8https://cloudresourcemanager.googleapis.com/v1/projects/z&https://sts.{universe_domain}/v1/tokenc&eZdZUdZeed<eed<y)SupplierContextuA context class that contains information about the requested third party credential that is passed to AWS security credential and subject token suppliers. Attributes: subject_token_type (str): The requested subject token type based on the Oauth2.0 token exchange spec. Expected values include:: “urn:ietf:params:oauth:token-type:jwt” “urn:ietf:params:oauth:token-type:id-token” “urn:ietf:params:oauth:token-type:saml2” “urn:ietf:params:aws:token-type:aws4_request” audience (str): The requested audience for the subject token. subject_token_typeaudienceN)__name__ __module__ __qualname____doc__str__annotations__y/var/www/html/FastMealFinder_FlaskServer-InitialRelease/venv/lib/python3.12/site-packages/google/auth/external_account.pyr r ;s Mrr c eZdZdZdddddddddej df fd ZedZdZ edZ edZ edZ ed Z ed Zed Zej"ej$d Zej"ej(dd Zej.dZdZej"ej$dZdZej"ej8dZej"ej<dZej"ej@dZ!dZ"dZ#dZ$dZ%dZ&e'dZ(e'dZ)xZ*S) CredentialsaLBase class for all external account credentials. This is used to instantiate Credentials for exchanging external account credentials for Google access token and authorizing requests to Google APIs. The base class implements the common logic for exchanging external account credentials for Google access tokens. Nctt| ||_||_||_||_|j tk(r+|j jd|j |_| |_ ||_ ||_ |xsi|_ ||_ ||_| |_| |_| |_| |_gdd|_|jrIt)j*t(j,j.|j|j|_nd|_t3j4|j |j0|_|j9|_d|_d|_tA|j|j|_!d|_"|jFs"|j$rtIjJdyy)u6Instantiates an external account credentials object. Args: audience (str): The STS audience field. subject_token_type (str): The subject token type based on the Oauth2.0 token exchange spec. Expected values include:: “urn:ietf:params:oauth:token-type:jwt” “urn:ietf:params:oauth:token-type:id-token” “urn:ietf:params:oauth:token-type:saml2” “urn:ietf:params:aws:token-type:aws4_request” token_url (str): The STS endpoint URL. credential_source (Mapping): The credential source dictionary. service_account_impersonation_url (Optional[str]): The optional service account impersonation generateAccessToken URL. client_id (Optional[str]): The optional client ID. client_secret (Optional[str]): The optional client secret. token_info_url (str): The optional STS endpoint URL for token introspection. quota_project_id (Optional[str]): The optional quota project ID. scopes (Optional[Sequence[str]]): Optional scopes to request during the authorization grant. default_scopes (Optional[Sequence[str]]): Default scopes passed by a Google client library. Use 'scopes' for user-defined scopes. workforce_pool_user_project (Optona[str]): The optional workforce pool user project number when the credential corresponds to a workforce pool and not a workload identity pool. The underlying principal must still have serviceusage.services.use IAM permission to use the project for billing/quota. universe_domain (str): The universe domain. The default universe domain is googleapis.com. trust_boundary (str): String representation of trust boundary meta. Raises: google.auth.exceptions.RefreshError: If the generateAccessToken endpoint returned an error. z{universe_domain}0x0) locationsencoded_locationsNzPworkforce_pool_user_project should not be set for non-workforce pool credentials)&superr__init__ _audience_subject_token_type_universe_domain _token_url_DEFAULT_TOKEN_URLreplace_token_info_url_credential_source"_service_account_impersonation_url&_service_account_impersonation_options _client_id_client_secret_quota_project_id_scopes_default_scopes_workforce_pool_user_project_trust_boundaryr ClientAuthenticationClientAuthTypebasic _client_authr Client _sts_client_create_default_metrics_options_metrics_options_impersonated_credentials _project_idr _supplier_context_cred_file_pathis_workforce_poolr InvalidValue)selfrr token_urlcredential_source!service_account_impersonation_url%service_account_impersonation_options client_id client_secrettoken_info_urlquota_project_idscopesdefault_scopesworkforce_pool_user_projectuniverse_domaintrust_boundary __class__s rr zCredentials.__init__^sl k4)+!#5 /# ??0 0"oo55#T%:%:DO ."32S/ 1 7R 3$+!1 -,G)!&  ?? % : :$$**DOOT=P=P!D !%D ::doot7H7HI $ D D F)-&!0  $ $dnn"  $%%$*K*K)) +L%rc|j}|jt|jdd|jdd|jdd|j Dcic] \}}| || c}}Scc}}w)atGenerates the dictionary representation of the current credentials. Returns: Mapping: The dictionary representation of the credentials. This is the reverse of "from_info" defined on the subclasses of this class. It is useful for serializing the current credentials so it can deserialized later. rDN)typeservice_account_impersonationrIrJ)_constructor_argsupdate_EXTERNAL_ACCOUNT_JSON_TYPEpopitems)r@ config_infokeyvalues rinfozCredentials.infos,,. ,*5//7+  $'($/-8->->-@VzsEEDUU VVVs / B:Bc|j|j|j|j|jt j |jxsdt j |j|j|j|j|j|j|j|jd}|j s|j#d|S)N)rrrArGrCrDrBrHrErFrKrIrJrLrK)r!r"r$r'r)copydeepcopyr*r(r-r+r,r0r.r/r#r>rU)r@argss rrRzCredentials._constructor_argss"&":":"22151X1X59]];;66!%t/F/F!G $ 6 6!00+/+L+Lll"22#44# &%% HH2 3 rc|jrG|j}|jd}|jd}|dk7r|dk7r||kr |dz}|||Sy)zReturns the service account email if service account impersonation is used. Returns: Optional[str]: The service account email if impersonation is used. Otherwise None is returned. /z:generateAccessTokenN)r)rfindfind)r@url start_index end_indexs rservice_account_emailz!Credentials.service_account_emailsd  2 299C))C.K!78Ib Y"_y9P)Ao ;y11rc4|jry|jS)a%Returns whether the credentials represent a user (True) or workload (False). Workloads behave similarly to service accounts. Currently workloads will use service account impersonation but will eventually not require impersonation. As a result, this property is more reliable than the service account email property in determining if the credentials represent a user or workload. Returns: bool: True if the credentials represent a user. False if they represent a workload. F)r)r>r@s ris_userzCredentials.is_users  2 2%%%rcntjd}|j|jxsdduS)agReturns whether the credentials represent a workforce pool (True) or workload (False) based on the credentials' audience. This will also return True for impersonated workforce pool credentials. Returns: bool: True if the credentials represent a workforce pool. False if they represent a workload. z6//iam\.googleapis\.com/locations/[^/]+/workforcePools/N)recompilematchr!)r@ps rr>zCredentials.is_workforce_pools0 JJP Qwwt~~+,D88rc:|j xr |j S)zChecks if the credentials requires scopes. Returns: bool: True if there are no scopes set otherwise False. )r.r/rjs rrequires_scopeszCredentials.requires_scopes(s<<<(<(<$<#5#5< M'**>:DJ&**<8J*c* _ ))*=H.DKrc|j}|jdi|}|j|_|j|_|S)Nr)rRrNr=r9)r@rnew_creds r _make_copyzCredentials._make_copysD'')!4>>+F+#'#7#7 $($9$9!rc4|j}||_|SN)rr-)r@rHcreds rwith_quota_projectzCredentials.with_quota_projects !1 rc4|j}||_|Sr)rr$)r@ token_urirs rwith_token_urizCredentials.with_token_uris # rc4|j}||_|Sr)rr#)r@rLrs rwith_universe_domainz Credentials.with_universe_domains  / rc>|jduxr|jduSr)r)r:rjs rrz7Credentials._should_initialize_impersonated_credentialss(  3 34 ? 7..$6 rc |j}|jdi|jdi|}|j|_|j}|st j d|j |jn |j}tj||||j|j|jjdS)a(Generates an impersonated credentials. For more details, see `projects.serviceAccounts.generateAccessToken`_. .. _projects.serviceAccounts.generateAccessToken: https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/generateAccessToken Returns: impersonated_credentials.Credential: The impersonated credentials object. Raises: google.auth.exceptions.RefreshError: If the generateAccessToken endpoint returned an error. N)rCrDzLUnable to determine target principal from service account impersonation URL.token_lifetime_seconds)source_credentialstarget_principal target_scopesrHiam_endpoint_overriderr)rRrSrNr9rhr RefreshErrorr.r/rrr-r)r*r)r@rrrrIs rrz0Credentials._initialize_impersonated_credentialss '') .224  ,T^^5f5.2.C.C+ 55))^ "&!9t?S?S'331- !33"&"I"I@@DD(  rci}|jrd|d<nd|d<|jjdrd|d<|Sd|d<|S)Ntruezsa-impersonationfalserzconfig-lifetime)r)r*r)r@metrics_optionss rr8z+Credentials._create_default_metrics_optionssa  2 228O. /29O. /  6 6 : :;S T17O- .29O- .rcy)a>Returns a boolean representing whether the current credential is configured for mTLS and should add a certificate to the outgoing calls to the sts and service account impersonation endpoint. Returns: bool: True if the credential is configured for mTLS, False if it is not. Frrjs rrzCredentials._mtls_required$srctd)aGets the file locations for a certificate and private key file to be used for configuring mTLS for the sts and service account impersonation calls. Currently only expected to return a value when using X509 workload identity federation. Returns: Tuple[str, str]: The cert and key file locations as strings in a tuple. Raises: NotImplementedError: When the current credential is not configured for mTLS. z4_get_mtls_cert_and_key_location must be implemented.rrjs rrz(Credentials._get_mtls_cert_and_key_paths.s" B  rc |d|jd|jd|jd|jd|jd|jdxsi|jd|jd|jd |jd |jd |jd tjd |S)aCreates a Credentials instance from parsed external account info. Args: info (Mapping[str, str]): The external account info in Google format. kwargs: Additional arguments to pass to the constructor. Returns: google.auth.identity_pool.Credentials: The constructed credentials. Raises: InvalidValue: For invalid parameters. rrrArGrCrQrErFrBrHrKrL) rrrArGrCrDrErFrBrHrKrLr)rrDEFAULT_UNIVERSE_DOMAIN)clsrZrs r from_infozCredentials.from_info?s  XXj)#xx(<=hh{+88$45.2hh3/37((/33hh{+((?3"hh':;!XX&89(,1N(O HH!;#F#F# ()  rc tj|dd5}tj|}|j|fi|cdddS#1swYyxYw)aYCreates a Credentials instance from an external account json file. Args: filename (str): The path to the external account json file. kwargs: Additional arguments to pass to the constructor. Returns: google.auth.identity_pool.Credentials: The constructed credentials. rr)encodingN)ioopenrloadr)rfilenamer json_filers r from_filezCredentials.from_filefsLWWXsW 5 199Y'D 3==00 1 1 1s (A  Ar)+rrrrrrr propertyrZrRrhrkr>rsr|rGrcopy_docstringrrScopedrabcabstractmethodrrrrCredentialsWithQuotaProjectrCredentialsWithTokenUrirCredentialsWithUniverseDomainrrrr8rr classmethodrr __classcell__)rNs@rrrPs# +/.2$(#;;!fPWW(0$&&" 9 9==  $$ X[445 6 X[//01  P P.`X[4450)60)dX[DDEF X[@@AB X[FFGH  * X  "$ $ L 1 1rr) metaclass)rrr\ dataclassesrrrrrrn google.authrrrrr google.oauth2r r rTrrrr%r rrrABCMetarrrrrs  ! #"01CKT=  (d1++''kk d1r