g6dZddlZddlZddlZddlmZddlmZddlmZddlm Z ddlm Z dZ Gd d ejejejZy) aExternal Account Authorized User Credentials. This module provides credentials based on OAuth 2.0 access and refresh tokens. These credentials usually access resources on behalf of a user (resource owner). Specifically, these are sourced using external identities via Workforce Identity Federation. Obtaining the initial access and refresh token can be done through the Google Cloud CLI. Example credential: { "type": "external_account_authorized_user", "audience": "//iam.googleapis.com/locations/global/workforcePools/$WORKFORCE_POOL_ID/providers/$PROVIDER_ID", "refresh_token": "refreshToken", "token_url": "https://sts.googleapis.com/v1/oauth/token", "token_info_url": "https://sts.googleapis.com/v1/instrospect", "client_id": "clientId", "client_secret": "clientSecret" } N)_helpers) credentials) exceptions)sts)utils external_account_authorized_userc heZdZdZdddddddddddej f fd ZedZdZ edZ edZ edZ ed Z ed Zed Zed Zed ZedZedZedZddZddZdZdZej4ej6dZdZej4ej<dZej4ej@dZ!ej4ejDdZ#e$dZ%e$dZ&xZ'S) CredentialsaCredentials for External Account Authorized Users. This is used to instantiate Credentials for exchanging refresh tokens from authorized users for Google access token and authorizing requests to Google APIs. The credentials are considered immutable. If you want to modify the quota project, use `with_quota_project` and if you want to modify the token uri, use `with_token_uri`. Nc rtt| ||_||_||_||_||_||_||_ ||_ | |_ | |_ | |_ | xstj|_d|_|j$s!|j&st)j*dd|_|jrHt/j0t.j2j4|j|j|_t7j8|j|j,|_y)aInstantiates a external account authorized user credentials object. Args: token (str): The OAuth 2.0 access token. Can be None if refresh information is provided. expiry (datetime.datetime): The optional expiration datetime of the OAuth 2.0 access token. refresh_token (str): The optional OAuth 2.0 refresh token. If specified, credentials can be refreshed. audience (str): The optional STS audience which contains the resource name for the workforce pool and the provider identifier in that pool. client_id (str): The OAuth 2.0 client ID. Must be specified for refresh, can be left as None if the token can not be refreshed. client_secret (str): The OAuth 2.0 client secret. Must be specified for refresh, can be left as None if the token can not be refreshed. token_url (str): The optional STS token exchange endpoint for refresh. Must be specified for refresh, can be left as None if the token can not be refreshed. token_info_url (str): The optional STS endpoint URL for token introspection. revoke_url (str): The optional STS endpoint URL for revoking tokens. quota_project_id (str): The optional project ID used for quota and billing. This project may be different from the project used to create the credentials. universe_domain (Optional[str]): The universe domain. The default value is googleapis.com. Returns: google.auth.external_account_authorized_user.Credentials: The constructed credentials. NzToken should be created with fields to make it valid (`token` and `expiry`), or fields to allow it to refresh (`refresh_token`, `token_url`, `client_id`, `client_secret`).)superr __init__tokenexpiry _audience_refresh_token _token_url_token_info_url _client_id_client_secret _revoke_url_quota_project_id_scopesrDEFAULT_UNIVERSE_DOMAIN_universe_domain_cred_file_pathvalid can_refreshrInvalidOperation _client_authrClientAuthenticationClientAuthTypebasicrClient _sts_client)selfrr refresh_tokenaudience client_id client_secret token_urltoken_info_url revoke_urlscopesquota_project_iduniverse_domain __class__s /var/www/html/FastMealFinder_FlaskServer-InitialRelease/venv/lib/python3.12/site-packages/google/auth/external_account_authorized_user.pyr zCredentials.__init__AsX k4)+  !+#-#+%!1 / V;3V3V#zz$"2"2-->  ! ?? % : :$$**DOOT=P=P!D ::doot7H7HIc|j}|jt|dr|djdz|d<|j Dcic] \}}| || c}}Scc}}w)aGenerates the serializable dictionary representation of the current credentials. Returns: Mapping: The dictionary representation of the credentials. This is the reverse of the "from_info" method defined in this class. It is useful for serializing the current credentials so it can deserialized later. )typerZ)constructor_argsupdate+_EXTERNAL_ACCOUNT_AUTHORIZED_USER_JSON_TYPE isoformatitems)r% config_infokeyvalues r1infozCredentials.infoss++-  KL x $/$9$C$C$E$KK !-8->->-@VzsEEDUU VVVs  A,#A,c |j|j|j|j|j|j |j |j|j|j|j|jd S)N) r'r&r*r+r(r)rrr,r-r.r/) rrrrrrrrrrrrr%s r1r6zCredentials.constructor_argssl!00"22!00ZZkk**ll $ 6 6#44  r2c|jS)z/Optional[str]: The OAuth 2.0 permission scopes.)rr@s r1r-zCredentials.scopess||r2cy)zw False: OAuth 2.0 credentials have their scopes set when the initial token is requested and can not be changed.Fr@s r1requires_scopeszCredentials.requires_scopessr2c|jS)z'Optional[str]: The OAuth 2.0 client ID.)rr@s r1r(zCredentials.client_idr2c|jS)z+Optional[str]: The OAuth 2.0 client secret.)rr@s r1r)zCredentials.client_secret"""r2c|jS)zOptional[str]: The STS audience which contains the resource name for the workforce pool and the provider identifier in that pool.)rr@s r1r'zCredentials.audiences~~r2c|jS)z+Optional[str]: The OAuth 2.0 refresh token.)rr@s r1r&zCredentials.refresh_tokenrHr2c|jS)z;Optional[str]: The STS token exchange endpoint for refresh.)rr@s r1r*zCredentials.token_urlrFr2c|jS)z/Optional[str]: The STS endpoint for token info.)rr@s r1r+zCredentials.token_info_urls###r2c|jS)z5Optional[str]: The STS endpoint for token revocation.)rr@s r1r,zCredentials.revoke_urlsr2cy)z0 True: This credential always represents a user.TrCr@s r1is_userzCredentials.is_usersr2cpt|j|j|j|jfSN)allrrrrr@s r1rzCredentials.can_refreshs/  $//4??DDWDW X  r2cy)aRetrieves the project ID corresponding to the workload identity or workforce pool. For workforce pool credentials, it returns the project ID corresponding to the workforce_pool_user_project. When not determinable, None is returned. Args: request (google.auth.transport.requests.Request): Request object. Unused here, but passed from _default.default(). Return: str: project ID is not determinable for this credential type so it returns None NrCr%requests r1get_project_idzCredentials.get_project_idsr2c|r|ng}tj|jjDcic] \}}||vs ||c}}Scc}}w)aUtility function that creates a JSON representation of this credential. Args: strip (Sequence[str]): Optional list of members to exclude from the generated JSON. Returns: str: A JSON representation of this instance. When converted into a dictionary, it can be passed to from_info() to create a new instance. )jsondumpsr>r:)r%stripkvs r1to_jsonzCredentials.to_jsonsCBzzdiioo.?RFQ1E>1a4RSSRs A A c8|jstjdtj}|j |}|j d|_tj|j d}||z|_ d|vr |d|_ yy)aRefreshes the access token. Args: request (google.auth.transport.Request): The object used to make HTTP requests. Raises: google.auth.exceptions.RefreshError: If the credentials could not be refreshed. zThe credentials do not contain the necessary fields need to refresh the access token. You must specify refresh_token, token_url, client_id, and client_secret. access_token expires_in)secondsr&N) rr RefreshErrorrutcnow_make_sts_requestgetrdatetime timedeltarr)r%rUnow response_datalifetimes r1refreshzCredentials.refreshs));  oo..w7 "&&~6 %%m.?.? .MNHn m +"/"@D  ,r2cN|jj||jSrQ)r$r&rrTs r1rdzCredentials._make_sts_request#s!--gt7J7JKKr2c:|jr|jddSy)Nz,external account authorized user credentials)credential_sourcecredential_type)rr@s r1 get_cred_infozCredentials.get_cred_info&s&   %)%9%9#Q r2cl|j}|jdi|}|j|_|S)NrC)r6r0r)r%kwargscreds r1 _make_copyzCredentials._make_copy/s6&&(t~~''#33 r2c4|j}||_|SrQ)rtr)r%r.rss r1with_quota_projectzCredentials.with_quota_project5s !1 r2c4|j}||_|SrQ)rtr)r% token_urirss r1with_token_urizCredentials.with_token_uri;s # r2c4|j}||_|SrQ)rtr)r%r/rss r1with_universe_domainz Credentials.with_universe_domainAs  / r2c <|jd}|rAtjj|jdj ddd}|d|jd|jd|jd|jd |jd |jd |jd ||jd |jd|jd|jdt j d |S)aCreates a Credentials instance from parsed external account info. Args: info (Mapping[str, str]): The external account info in Google format. kwargs: Additional arguments to pass to the constructor. Returns: google.auth.external_account_authorized_user.Credentials: The constructed credentials. Raises: ValueError: For invalid parameters. rr5.rz%Y-%m-%dT%H:%M:%Sr'r&r*r+r(r)rr,r.r-r/) r'r&r*r+r(r)rrr,r.r-r/rC)rerfstrptimerstripsplitrr)clsr>rrrs r1 from_infozCredentials.from_infoGs (# &&// c"((-a02EF XXj)((?3hh{+88$45hh{+((?3((7#xx -!XX&8988H% HH!;#F#F   r2c tj|dd5}tj|}|j|fi|cdddS#1swYyxYw)alCreates a Credentials instance from an external account json file. Args: filename (str): The path to the external account json file. kwargs: Additional arguments to pass to the constructor. Returns: google.auth.external_account_authorized_user.Credentials: The constructed credentials. rzutf-8)encodingN)ioopenrXloadr)rfilenamerr json_filedatas r1 from_filezCredentials.from_filensLWWXsW 5 199Y'D 3==00 1 1 1s (A  ArQ)(__name__ __module__ __qualname____doc__rrr propertyr>r6r-rDr(r)r'r&r*r+r,rOrrVr]rkrdrcopy_docstringr rprtCredentialsWithQuotaProjectrvCredentialsWithTokenUriryCredentialsWithUniverseDomainr{ classmethodrr __classcell__)r0s@r1r r 1s #;;HJTWW"  ## ##$$    " TA:LX[4456 X[DDEF X[@@AB X[FFGH $ $ L 1 1r2r )rrfrrX google.authrrr google.oauth2rrr8rReadOnlyScopedrr rCr2r1rsQ* #".P+K1++''K1r2