&g/#dZddlZddlmZddlmZddlmZddlmZddlmZddlm Z d Z d Z d Z ej d ZGddejZdS)z'Experimental GDCH credentials support. N)_helpers)_service_account_info) credentials) exceptions)jwt)_clientz/urn:ietf:params:oauth:token-type:token-exchangez-urn:ietf:params:oauth:token-type:access_tokenz.urn:k8s:params:oauth:token-type:serviceaccounti)secondsceZdZdZfdZdZejej dZ dZ e dZ e dZe dZxZS) ServiceAccountCredentialsaCredentials for GDCH (`Google Distributed Cloud Hosted`_) for service account users. .. _Google Distributed Cloud Hosted: https://cloud.google.com/blog/topics/hybrid-cloud/ announcing-google-distributed-cloud-edge-and-hosted To create a GDCH service account credential, first create a JSON file of the following format:: { "type": "gdch_service_account", "format_version": "1", "project": "", "private_key_id": "", "private_key": "-----BEGIN EC PRIVATE KEY----- -----END EC PRIVATE KEY----- ", "name": "", "ca_cert_path": "", "token_uri": "https://service-identity./authenticate" } The "format_version" field stands for the format of the JSON file. For now it is always "1". The `private_key_id` and `private_key` is used for signing. The `ca_cert_path` is used for token server TLS certificate verification. After the JSON file is created, set `GOOGLE_APPLICATION_CREDENTIALS` environment variable to the JSON file path, then use the following code to create the credential:: import google.auth credential, _ = google.auth.default() credential = credential.with_gdch_audience("") We can also create the credential directly:: from google.oauth import gdch_credentials credential = gdch_credentials.ServiceAccountCredentials.from_service_account_file("") credential = credential.with_gdch_audience("") The token is obtained in the following way. This class first creates a self signed JWT. It uses the `name` value as the `iss` and `sub` claim, and the `token_uri` as the `aud` claim, and signs the JWT with the `private_key`. It then sends the JWT to the `token_uri` to exchange a final token for `audience`. ctt|||_||_||_||_||_||_dS)af Args: signer (google.auth.crypt.Signer): The signer used to sign JWTs. service_identity_name (str): The service identity name. It will be used as the `iss` and `sub` claim in the self signed JWT. project (str): The project. audience (str): The audience for the final token. token_uri (str): The token server uri. ca_cert_path (str): The CA cert path for token server side TLS certificate verification. If the token server uses well known CA, then this parameter can be `None`. N) superr __init___signer_service_identity_name_project _audience _token_uri _ca_cert_path)selfsignerservice_identity_nameprojectaudience token_uri ca_cert_path __class__s P/var/www/api/venv/lib/python3.11/site-packages/google/oauth2/gdch_credentials.pyrz"ServiceAccountCredentials.__init__SsT '..77999 &;# !#)c6tj}|tz}d|j|j}|||jtj|tj|d}tjtj |j |S)Nzsystem:serviceaccount:{}:{})isssubaudiatexp) rutcnow JWT_LIFETIMEformatrrrdatetime_to_secs from_bytesrencoder)rnowexpiry iss_sub_valuepayloads r _create_jwtz%ServiceAccountCredentials._create_jwtjso|#5<< M46  ! ?,S11,V44   "3:dlG#D#DEEErcnddl}t||jjjjst jd|}t|j t|td}tj||j|dd|j}tj|d\|_}|_}dS)NrzeFor GDCH service account credentials, request must be a google.auth.transport.requests.Request object) grant_typerrequested_token_type subject_tokensubject_token_typeT) access_tokenuse_jsonverify)google.auth.transport.requests isinstanceauth transportrequestsRequestr RefreshErrorr/TOKEN_EXCHANGE_TYPErACCESS_TOKEN_TOKEN_TYPESERVICE_ACCOUNT_TOKEN_TYPEr_token_endpoint_requestrr_handle_refresh_grant_responsetokenr,)rrequestgoogle jwt_token request_body response_data_s rrefreshz!ServiceAccountCredentials.refresh{s----'6;#8#A#IJJ )w  $$&& -$;&"<    7  O %    )0(N 4) ) % At{AAArch||j|j|j||j|jS)zCreate a copy of GDCH credentials with the specified audience. Args: audience (str): The intended audience for GDCH credentials. )rrrrrr)rrs rwith_gdch_audiencez,ServiceAccountCredentials.with_gdch_audiences8 ~~ L  ' M  O      rc |ddkrtd|||d|dd|d|ddS) aCreates a Credentials instance from a signer and service account info. Args: signer (google.auth.crypt.Signer): The signer used to sign JWTs. info (Mapping[str, str]): The service account info. Returns: google.oauth2.gdch_credentials.ServiceAccountCredentials: The constructed credentials. Raises: ValueError: If the info is not in the expected format. format_version1z"Only format version 1 is supportednamerNrr) ValueErrorget)clsrinfos r_from_signer_and_infoz/ServiceAccountCredentials._from_signer_and_infose  !S ( (ABB Bs  L O    HH^T * *    rc`tj|gdd}|||S)aCreates a Credentials instance from parsed service account info. Args: info (Mapping[str, str]): The service account info in Google format. kwargs: Additional arguments to pass to the constructor. Returns: google.oauth2.gdch_credentials.ServiceAccountCredentials: The constructed credentials. Raises: ValueError: If the info is not in the expected format. rOprivate_key_id private_keyrQrrFrequireuse_rsa_signer)r from_dictrV)rTrUrs rfrom_service_account_infoz3ServiceAccountCredentials.from_service_account_infosJ '0 !    ((666rcftj|gdd\}}|||S)aiCreates a Credentials instance from a service account json file. Args: filename (str): The path to the service account json file. kwargs: Additional arguments to pass to the constructor. Returns: google.oauth2.gdch_credentials.ServiceAccountCredentials: The constructed credentials. rXFr[)r from_filenamerV)rTfilenamerUrs rfrom_service_account_filez3ServiceAccountCredentials.from_service_account_filesN-: !    f((666r)__name__ __module__ __qualname____doc__rr/rcopy_docstringr CredentialsrKrM classmethodrVr_rc __classcell__)rs@rr r "s..`*****.FFF"X[455  65 <      [ 677[7:77[77777rr )rgdatetime google.authrrrrr google.oauth2rr?r@rA timedeltar&rir rrrqs ------######""""""!!!!!!HIM!x!$/// Y7Y7Y7Y7Y7 7Y7Y7Y7Y7Y7r