gCdZ ddlmZddlZddlZddlZddlZddl Z ddl m Z ddl m Z ddl m Z dZdZd Zd ZdZd ZGd d e j(Zy#e$r ddlmZYUwxYw)aPluggable Credentials. Pluggable Credentials are initialized using external_account arguments which are typically loaded from third-party executables. Unlike other credentials that can be initialized with a list of explicit arguments, secrets or credentials, external account clients use the environment and hints/guidelines provided by the external_account JSON file to retrieve credentials and exchange them for Google access tokens. Example credential_source for pluggable credential: { "executable": { "command": "/path/to/get/credentials.sh --arg1=value1 --arg2=value2", "timeout_millis": 5000, "output_file": "/path/to/generated/cached/credentials" } } )MappingN)_helpers) exceptions)external_accounti0uiii@wceZdZdZfdZej ejdZ dZ e dZ e fdZe fdZdZd Zd Zd Zd Zfd ZxZS) Credentialsz6External account credentials sourced from executables.c|jdd|_tt||||||d|t |t sd|_tjd|jd|_|jstjd|jjd|_ |jjd |_ |jjd |_ |jjd |_d |_|jstjd |js t |_ n;|jt"ks|jt$kDrtj&d|jr<|jt(ks|jt*kDrtj&dyy)adInstantiates an external account credentials object from a executables. Args: audience (str): The STS audience field. subject_token_type (str): The subject token type. token_url (str): The STS endpoint URL. credential_source (Mapping): The credential source dictionary used to provide instructions on how to retrieve external credential to be exchanged for Google access tokens. Example credential_source for pluggable credential: { "executable": { "command": "/path/to/get/credentials.sh --arg1=value1 --arg2=value2", "timeout_millis": 5000, "output_file": "/path/to/generated/cached/credentials" } } args (List): Optional positional arguments passed into the underlying :meth:`~external_account.Credentials.__init__` method. kwargs (Mapping): Optional keyword arguments passed into the underlying :meth:`~external_account.Credentials.__init__` method. Raises: google.auth.exceptions.RefreshError: If an error is encountered during access token retrieval logic. google.auth.exceptions.InvalidValue: For invalid parameters. google.auth.exceptions.MalformedError: For invalid parameters. .. note:: Typically one of the helper constructors :meth:`from_file` or :meth:`from_info` are used instead of calling the constructor directly. interactiveF)audiencesubject_token_type token_urlcredential_sourceNz?Missing credential_source. The credential_source is not a dict. executablezInteractive timeout must be between 30 seconds and 30 minutes.)popr superr __init__ isinstancer_credential_source_executablerMalformedErrorget%_credential_source_executable_command,_credential_source_executable_timeout_millis8_credential_source_executable_interactive_timeout_millis)_credential_source_executable_output_file_tokeninfo_username!EXECUTABLE_TIMEOUT_MILLIS_DEFAULT%EXECUTABLE_TIMEOUT_MILLIS_LOWER_BOUND%EXECUTABLE_TIMEOUT_MILLIS_UPPER_BOUND InvalidValue1EXECUTABLE_INTERACTIVE_TIMEOUT_MILLIS_LOWER_BOUND1EXECUTABLE_INTERACTIVE_TIMEOUT_MILLIS_UPPER_BOUND)selfr r rrargskwargs __class__s r/var/www/html/FastMealFinder_FlaskServer-InitialRelease/venv/lib/python3.12/site-packages/google/auth/pluggable.pyrzCredentials.__init__>sT"::mU; k4)  1/    +W515D .++Q .?-B-B<-P*11++N 6:5W5W5[5[ 6 2=A<^<^9[9[9_9_ : 6 $& 99++M @@1  =  = =3 4@@34))*VW W  H HMMCDPPCD!--TD Ic|j|j_ t|jd5}tj|}ddd |j }d|vrt j |Stjst jdtjj}|j!|d|d<|j"r|j$dz n|j&dz }|j"rt(j*nd}|j"rt(j,nt.j0}|j"rt(j,nt.j2} t/j4|j6j9|||| |} | j:d k7r9t jd j=| j:| j,| j,r.tj>| j,jAdnd}|s6|j*tjt|jd}|j |}|S#1swY2xYw#t jt jf$rt j$rYEwxYw#t$rYUwxYw) Nutf-8)encodingexpiration_time0Pluggable auth is only supported for python 3.7+0GOOGLE_EXTERNAL_ACCOUNT_REVOKE)timeoutstdinstdoutstderrenvrz9Executable exited with non-zero return code {}. Error: {})!_validate_running_moder openjsonload_parse_subject_tokenr RefreshErrorrr% Exceptionr is_python_3osenvironcopy_inject_env_variablesr rrsysr7r8 subprocessPIPESTDOUTrunrsplit returncodeformatloadsdecode) r(requestrresponse subject_tokenr: exe_timeout exe_stdin exe_stdout exe_stderrresults r,retrieve_subject_tokenz"Credentials.retrieve_subject_tokensv ##%  9 9 E )BBW6 #yy5H6 )$($=$=h$GM)9(555:)(##%))B  jjoo ""3'03 ,-   I ID PBBTI  "&!1!1CIIt #'#3#3SZZ #'#3#3SZZ9J9J   6 6 < < >      !))KRR%%v}} AG 4::fmm227;QQ??$$      !))`gg%%v}}  ::fmm227;< &&x0r-c6|jxs |jS)a1Returns the external account identifier. When service account impersonation is used the identifier is the service account email. Without service account impersonation, this returns None, unless it is being used by the Google Cloud CLI which populates this field. )service_account_emailr!)r(s r,external_account_idzCredentials.external_account_ids))ET-E-EEr-c ,tt| |fi|S)a'Creates a Pluggable Credentials instance from parsed external account info. Args: info (Mapping[str, str]): The Pluggable external account info in Google format. kwargs: Additional arguments to pass to the constructor. Returns: google.auth.pluggable.Credentials: The constructed credentials. Raises: google.auth.exceptions.InvalidValue: For invalid parameters. google.auth.exceptions.MalformedError: For invalid parameters. )rr from_info)clsinfor*r+s r,rbzCredentials.from_info+s"[#0@@@r-c ,tt| |fi|S)ajCreates an Pluggable Credentials instance from an external account json file. Args: filename (str): The path to the Pluggable external account json file. kwargs: Additional arguments to pass to the constructor. Returns: google.auth.pluggable.Credentials: The constructed credentials. )rr from_file)rcfilenamer*r+s r,rfzCredentials.from_file>s[#0DVDDr-c|j|d<|j|d<|j|d<|jrdnd|d<|j|j |d<|j |j |d<yy) N GOOGLE_EXTERNAL_ACCOUNT_AUDIENCE"GOOGLE_EXTERNAL_ACCOUNT_TOKEN_TYPEGOOGLE_EXTERNAL_ACCOUNT_IDr[r3#GOOGLE_EXTERNAL_ACCOUNT_INTERACTIVE*GOOGLE_EXTERNAL_ACCOUNT_IMPERSONATED_EMAIL#GOOGLE_EXTERNAL_ACCOUNT_OUTPUT_FILE) _audience_subject_token_typer`r "_service_account_impersonation_urlr_r )r(r:s r,rFz!Credentials._inject_env_variablesLs26.. ./484L4L 01,0,D,D ()<@** <   9 9 E>> 5  Fr-c|j||dsHd|vsd|vrtjdtjdj |d|dd|vr/|dt j krtjdd|vrtjd |dd k(s|dd k(r|d S|dd k(r|dStjd)Nsuccesscodemessagez;Error code and message fields are required in the response.zAExecutable returned unsuccessful response: code: {}, message: {}.r1z0The token returned by the executable is expired. token_typez8The executable response is missing the token_type field.z$urn:ietf:params:oauth:token-type:jwtz)urn:ietf:params:oauth:token-type:id_tokenid_tokenz&urn:ietf:params:oauth:token-type:saml2 saml_responsez+Executable returned unsupported token type.)_validate_response_schemarrr@rNtimer(rRs r,r?z Credentials._parse_subject_token[s &&x0 "X%()B //Q))SZZV$hy&9   (X6G-H499;-V))B  x '++J  \ "&L L %)TTJ' ' l #'O OO, ,))*WX Xr-cZ|j||dstjdy)Nrsz)Revoke failed with unsuccessful response.)ryrr@r{s r,r\z%Credentials._validate_revoke_responseys/ &&x0 "))*UV V#r-cd|vrtjd|dtkDr'tjdj |dd|vrtjdy)Nversionz5The executable response is missing the version field.z+Executable returned unsupported version {}.rsz5The executable response is missing the success field.)rr EXECUTABLE_SUPPORTED_MAX_VERSIONr@rNr{s r,ryz%Credentials._validate_response_schema~s~ H $++G  I !A A))=DDY'  H $++G  %r-ctjjd}|dk7rtjd|j r!|j stjd|j r!|jstjd|j r"|jstjdyy)N)GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLESr[zhExecutables need to be explicitly allowed (set GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES to '1') to run.zVAn output_file must be specified in the credential configuration for interactive mode.z;Interactive mode cannot run without an interactive timeout.z4Interactive mode is only enabled for workforce pool.) rCrDrrrr r rInvalidOperationis_workforce_poolr%)r(env_allow_executabless r,r;z"Credentials._validate_running_modes "  7!  !C '++z    D$R$R++h    QQ--M    D$:$:))F %; r-c6tt| }d|d<|S)Nrsource)rr _create_default_metrics_options)r(metrics_optionsr+s r,rz+Credentials._create_default_metrics_optionss" TRT$0!r-)__name__ __module__ __qualname____doc__rrcopy_docstringrr rYr]propertyr` classmethodrbrfrFr?r\ryr;r __classcell__)r+s@r,r r ;s@fPX-99:F;FP-1^ F FAA$ E E ?Y<W "6r-r )rcollections.abcr ImportError collectionsr=rCrHrGrz google.authrrrrr"r#r$r&r'r r-r,rs{$$'  "($% $-!(0%(2%4=14B1r"..r/$#$sA A A