&g9RdZddlZddlZddlmZmZddlZddlZddlm Z dZ dZ dZ dZ ejd ejZejd ejZejeZejd ejZd Zd ZddZddZdZdZdZdZddZde e fdZddZ dZ!dS)z/Helper functions for getting mTLS cert and key.N)environpath) exceptionsz,~/.secureConnect/context_aware_metadata.jsonz(~/.config/gcloud/certificate_config.jsonGOOGLE_API_CERTIFICATE_CONFIGcert_provider_commands:-----BEGIN CERTIFICATE-----.+-----END CERTIFICATE----- ? ?sH-----BEGIN [A-Z ]*PRIVATE KEY-----.+-----END [A-Z ]*PRIVATE KEY----- ? ?s6-----BEGIN PASSPHRASE-----(.+)-----END PASSPHRASE-----ctj|}tj|std|dS|S)aJChecks for config file path. If it exists, returns the absolute path with user expansion; otherwise returns None. Args: config_path (str): The config file path for either context_aware_metadata.json or certificate_config.json for example Returns: str: absolute path if exists and None otherwise. z%s is not found.N)r expanduserexists_LOGGERdebug) config_paths T/var/www/api/venv/lib/python3.11/site-packages/google/auth/transport/_mtls_helper.py_check_config_pathr3sE/+..K ;{ # # (+666t c t|5}tj|}dddn #1swxYwYn)#t$r}t j|}||d}~wwxYw|S)a\Reads and loads JSON from the given path. Used to read both X509 workload certificate and secure connect configurations. Args: path (str): the path to read from. Returns: Dict[str, str]: The JSON stored at the file. Raises: google.auth.exceptions.ClientCertError: If failed to parse the file as JSON. N)openjsonload ValueErrorrClientCertError)rf json_data caught_excnew_excs r_load_json_filerDs& $ZZ %1 ! I % % % % % % % % % % % % % % % &&&,Z88:%& s->2 >6>6> A$AA$cRt|\}}||dSt||S)aRead the workload identity cert and key files specified in the certificate config provided. If no config path is provided, check the environment variable: "GOOGLE_API_CERTIFICATE_CONFIG" first, then the well known gcloud location: "~/.config/gcloud/certificate_config.json". Args: certificate_config_path (string): The certificate config path. If no path is provided, the environment variable will be checked first, then the well known gcloud location. Returns: Tuple[Optional[bytes], Optional[bytes]]: client certificate bytes in PEM format and key bytes in PEM format. Raises: google.auth.exceptions.ClientCertError: if problems occurs when retrieving the certificate or key information. NNN) _get_workload_cert_and_key_paths_read_cert_and_key_files)certificate_config_path cert_pathkey_paths r_get_workload_cert_and_keyr#[s7$;;RSSIxX-z #Ix 8 88rc|,tjtd}| |dkr|}nt}t j|}t j|sdS|S)aGet the certificate configuration path based on the following order: 1: Explicit override, if set 2: Environment variable, if set 3: Well-known location Returns "None" if the selected config file does not exist. Args: certificate_config_path (string): The certificate config path. If provided, the well known location and environment variable will be ignored. Returns: The absolute path of the certificate config file, and None if the file does not exist. N)rget_CERTIFICATE_CONFIGURATION_ENV&CERTIFICATE_CONFIGURATION_DEFAULT_PATHrr r )r env_paths r_get_cert_config_pathr*ush"&;=tDD  HNN&. # #&L #"o.EFF ;. / /t ""rct|}|dSt|}d|vr'tjd||d}d|vr'tjd||d}d|vr'tjd||d}d|vr'tjd ||d}||fS) Nr cert_configszWCertificate config file {} is in an invalid format, a "cert configs" object is expectedworkloadzXCertificate config file {} is in an invalid format, a "workload" cert config is expectedr!ziCertificate config file {} is in an invalid format, a "cert_path" is expected in the workload cert configr"zhCertificate config file {} is in an invalid format, a "key_path" is expected in the workload cert config)r*rrrformat)r absolute_pathdatar,r-r!r"s rrrs:)+66Mz = ) )DT!!( e l l     'L%%( f m m     J'H(""( w ~ ~     %I!!( v } }      #H h rcFt|}t|}||fSN)_read_cert_file_read_key_file)r!r" cert_datakey_datas rrrs' **Ih''H h rc2t|d5}|}dddn #1swxYwYtjt|}t |dkr't jd||dS)Nrbz[Certificate file {} is in an invalid format, a single PEM formatted certificate is expectedr) rreadrefindall _CERT_REGEXlenrrr.)r! cert_filer5 cert_matchs rr3r3s i  %)NN$$ %%%%%%%%%%%%%%%K33J :!( i p p     a= 266c2t|d5}|}dddn #1swxYwYtjt|}t |dkr't jd||dS)Nr8r9z[Private key file {} is in an invalid format, a single PEM formatted private key is expectedr) rr:r;r< _KEY_REGEXr>rrr.)r"key_filer6 key_matchs rr4r4s h  #==??############### :x00I 9~~( i p p     Q<rAFc tj|tjtj}|\}}n)#t$r}t j|}||d}~wwxYw|jdkrt jd|jztj t|}t|dkrt jdtj t|}t|dkrt jdtj t|} |rnt| dkrt jdd |dvrt jd |d|d| dfSd |dvrt jd t| dkrt jd |d|ddfS) a!Run the provided command, and return client side mTLS cert, key and passphrase. Args: command (List[str]): cert provider command. expect_encrypted_key (bool): If encrypted private key is expected. Returns: Tuple[bytes, bytes, bytes]: client certificate bytes in PEM format, key bytes in PEM format and passphrase bytes. Raises: google.auth.exceptions.ClientCertError: if problems occurs when running the cert provider command or generating cert, key and passphrase. )stdoutstderrNrz5Cert provider command returns non-zero status code %sr9z,Client SSL certificate is missing or invalidz$Client SSL key is missing or invalidz Passphrase is missing or invalids ENCRYPTEDz!Encrypted private key is expectedz%Encrypted private key is not expectedzPassphrase is not expected) subprocessPopenPIPE communicateOSErrorrr returncoder;r<r=r>rC_PASSPHRASE_REGEXstrip) commandexpect_encrypted_keyprocessrGrHrrr@rEpassphrase_matchs r_run_cert_provider_commandrUs &" JOJO   !,,.. &&&,Z88:%& Q( CgFX X   K00J :!()WXXX :v..I 9~~()OPPPz"3V<<H  A % %,-OPP P y| + +,-PQQ Q!}il,**ABB)./?@@ c  )C )sD( (''BCCM+' 66 ! 6 6,-QRR R 67 ! 0&9&H&H NN. / / /!; *@! ! ! c:T3 ** " "rc^|r|\}}d||fStd\}}}}|||fS)aReturns the client side certificate and private key. The function first tries to get certificate and key from client_cert_callback; if the callback is None or doesn't provide certificate and key, the function tries application default SSL credentials. Args: client_cert_callback (Optional[Callable[[], (bytes, bytes)]]): An optional callback which returns client certificate bytes and private key bytes both in PEM format. Returns: Tuple[bool, bytes, bytes]: A boolean indicating if cert and key are obtained, the cert bytes and key bytes both in PEM format. Raises: google.auth.exceptions.ClientCertError: if problems occurs when getting the cert and key. TF)rY)ra)client_cert_callbackr\r]has_cert_s rget_client_cert_and_keyrfTsP(((** cT37uUUUHdC T3 rc~ddlm}||j||}||j|S)a#A helper function to decrypt the private key with the given passphrase. google-auth library doesn't support passphrase protected private key for mutual TLS channel. This helper function can be used to decrypt the passphrase protected private key in order to estalish mutual TLS channel. For example, if you have a function which produces client cert, passphrase protected private key and passphrase, you can convert it to a client cert callback function accepted by google-auth:: from google.auth.transport import _mtls_helper def your_client_cert_function(): return cert, encrypted_key, passphrase # callback accepted by google-auth for mutual TLS channel. def client_cert_callback(): cert, encrypted_key, passphrase = your_client_cert_function() decrypted_key = _mtls_helper.decrypt_private_key(encrypted_key, passphrase) return cert, decrypted_key Args: key (bytes): The private key bytes in PEM format. passphrase (bytes): The passphrase bytes. Returns: bytes: The decrypted private key in PEM format. Raises: ImportError: If pyOpenSSL is not installed. OpenSSL.crypto.Error: If there is any problem decrypting the private key. r)crypto)r`)OpenSSLrhload_privatekey FILETYPE_PEMdump_privatekey)r]r`rhpkeys rdecrypt_private_keyrnpsQB  ! !&"5sz ! R RD  ! !&"5t < <rys65  """"""L)S&!@0bjCRY RZQI ' H % %BJ=ry ".99994####<'''T      3-3-3-3-n! ;B:#:#:#:#z8'='='='='=r