]jkdZddlZddlZddlmZddlmZddlZddlZddl m Z m Z ddl m Z ddl mZddl mZddl mZdd l mZdd l mZdd l mZdd lmZe rddlZej0eZd ZdZdZdZdZdZ ejBdfdZ"GddejFejHejJejLZ'GddejHZ(gfdZ)y)aGoogle Cloud Impersonated credentials. This module provides authentication for applications where local credentials impersonates a remote service account using `IAM Credentials API`_. This class can be used to impersonate a service account as long as the original Credential object has the "Service Account Token Creator" role on the target service account. .. _IAM Credentials API: https://cloud.google.com/iam/credentials/reference/rest/ N)datetime)Optional TYPE_CHECKING)_exponential_backoff)_helpers credentials) exceptions)iam)jwt)metrics)_clientz*Unable to acquire impersonated credentialsiz#https://oauth2.googleapis.com/tokenauthorized_userservice_account external_account_authorized_userc|xs=tjjtj|j |}t j|jd}||d||}t|jdr|jjdn |j}|jtjk7rtj t"| t j$|} | d} t'j(| dd} | | fS#t*t,f$r1} tj dj t"|} | | d } ~ wwxYw) aMakes a request to the Google Cloud IAM service for an access token. Args: request (Request): The Request object to use. principal (str): The principal to request an access token for. headers (Mapping[str, str]): Map of headers to transmit. body (Mapping[str, str]): JSON Payload body for the iamcredentials API call. iam_endpoint_override (Optiona[str]): The full IAM endpoint override with the target_principal embedded. This is useful when supporting impersonation with regional endpoints. Raises: google.auth.exceptions.TransportError: Raised if there is an underlying HTTP connection error google.auth.exceptions.RefreshError: Raised if the impersonated credentials are not available. Common reasons are `iamcredentials.googleapis.com` is not enabled or the `Service Account Token Creator` is not assigned utf-8POSTurlmethodheadersbodydecode accessToken expireTimez%Y-%m-%dT%H:%M:%SZz6{}: No access token or invalid expiration in response.N)r _IAM_ENDPOINTreplacer DEFAULT_UNIVERSE_DOMAINformatjsondumpsencodehasattrdatarstatus http_clientOKr RefreshError_REFRESH_ERRORloadsrstrptimeKeyError ValueError)request principalrruniverse_domainiam_endpoint_override iam_endpointresponse response_bodytoken_responsetokenexpiry caught_excnew_excs N/root/env/lib/python3.12/site-packages/google/auth/impersonated_credentials.py_make_iam_token_requestr<As=6)C,=,=,E,E++_- fY ::d  " "7 +D<dSH 8==( +  W% ]] +..(%%nmDD&M2}-"">,#?AUVf} j !&)) D K K     :%&s'6DE-,EEcveZdZdZddedddffd ZdZdZ d ddZdZ e dZ e d Z e d Z e d Zej ej$d Zd Zej ej*dZej ej.ddZeddZxZS) Credentialsar This module defines impersonated credentials which are essentially impersonated identities. Impersonated Credentials allows credentials issued to a user or service account to impersonate another. The target service account must grant the originating credential principal the `Service Account Token Creator`_ IAM role: For more information about Token Creator IAM role and IAMCredentials API, see `Creating Short-Lived Service Account Credentials`_. .. _Service Account Token Creator: https://cloud.google.com/iam/docs/service-accounts#the_service_account_token_creator_role .. _Creating Short-Lived Service Account Credentials: https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials Usage: First grant source_credentials the `Service Account Token Creator` role on the target account to impersonate. In this example, the service account represented by svc_account.json has the token creator role on `impersonated-account@_project_.iam.gserviceaccount.com`. Enable the IAMCredentials API on the source project: `gcloud services enable iamcredentials.googleapis.com`. Initialize a source credential which does not have access to list bucket:: from google.oauth2 import service_account target_scopes = [ 'https://www.googleapis.com/auth/devstorage.read_only'] source_credentials = ( service_account.Credentials.from_service_account_file( '/path/to/svc_account.json', scopes=target_scopes)) Now use the source credentials to acquire credentials to impersonate another service account:: from google.auth import impersonated_credentials target_credentials = impersonated_credentials.Credentials( source_credentials=source_credentials, target_principal='impersonated-account@_project_.iam.gserviceaccount.com', target_scopes = target_scopes, lifetime=500) Resource access is granted:: client = storage.Client(credentials=target_credentials) buckets = client.list_buckets(project='your_project') for bucket in buckets: print(bucket.name) **IMPORTANT**: This class does not validate the credential configuration. A security risk occurs when a credential configuration configured with malicious urls is used. When the credential configuration is accepted from an untrusted source, you should validate it before using. Refer https://cloud.google.com/docs/authentication/external/externally-sourced-credentials for more details. Nc tt| tj||_t |jt jru|jjtj|_t|jdr1|jjr|jjd|j|_||_||_||_||_|xst(|_d|_t/j0|_||_||_d|_| |_y)ap Args: source_credentials (google.auth.Credentials): The source credential used as to acquire the impersonated credentials. target_principal (str): The service account to impersonate. target_scopes (Sequence[str]): Scopes to request during the authorization grant. delegates (Sequence[str]): The chained list of delegates required to grant the final access_token. If set, the sequence of identities must have "Service Account Token Creator" capability granted to the prceeding identity. For example, if set to [serviceAccountB, serviceAccountC], the source_credential must have the Token Creator role on serviceAccountB. serviceAccountB must have the Token Creator on serviceAccountC. Finally, C must have Token Creator on target_principal. If left unset, source_credential must have that role on target_principal. lifetime (int): Number of seconds the delegated credential should be valid for (upto 3600). quota_project_id (Optional[str]): The project ID used for quota and billing. This project may be different from the project used to create the credentials. iam_endpoint_override (Optional[str]): The full IAM endpoint override with the target_principal embedded. This is useful when supporting impersonation with regional endpoints. subject (Optional[str]): sub field of a JWT. This field should only be set if you wish to impersonate as a user. This feature is useful when using domain wide delegation. trust_boundary (Mapping[str,str]): A credential trust boundary. _create_self_signed_jwtN)superr>__init__copy_source_credentials isinstancer Scoped with_scopesr _IAM_SCOPEr$_always_use_jwt_accessr@r1_universe_domain_target_principal_target_scopes _delegates_subject_DEFAULT_TOKEN_LIFETIME_SECS _lifetimer7rutcnowr8_quota_project_id_iam_endpoint_override_cred_file_path_trust_boundary) selfsource_credentialstarget_principal target_scopes delegatessubjectlifetimequota_project_idr2trust_boundary __class__s r;rBzCredentials.__init__sX k4)+#'99-?#@  d.. 0B0B C'+'?'?'K'K(D $ 002KL,,CC((@@F 2 B B!1+# !A%A oo' !1&;##-c"tjSN)r CRED_TYPE_SA_IMPERSONATErVs r;_metric_header_for_usagez$Credentials._metric_header_for_usages///r`cx|jjtjjk(s1|jjtjj k(r|jj ||j|jt|jdzd}ddtjtji}|jj||jr|j tj"k7rt%j&dt)j*}|j,t)j.|jxsd|jt0t)j2|t)j2|t4zd}t7||j,|||j}t9j:|t0|\|_|_}y tA||j,|||j |jB \|_|_y ) zUpdates credentials with a new access_token representing the impersonated account. Args: request (google.auth.transport.requests.Request): Request object to use for refreshing credentials. s)rZscoper\ Content-Typeapplication/jsonzNDomain-wide delegation is not supported in universes other than googleapis.com)issrhsubaudiatexp)r/r0rpayloadrZN)r/r0rrr1r2)"rD token_stater TokenStateSTALEINVALIDrefreshrMrLstrrPr API_CLIENT_HEADER&token_request_access_token_impersonateapplyrNr1rr GoogleAuthErrorrrQrKscopes_to_string_GOOGLE_OAUTH2_TOKEN_ENDPOINTdatetime_to_secsrO_sign_jwt_requestr jwt_grantr7r8r<rS)rVr/rrnowrq assertion_s r;_perform_refresh_tokenz"Credentials._perform_refresh_tokens  $ $ 0 0K4J4J4P4P P''33{7M7M7U7UU  $ $ , ,W 5((DNN+c1  .  % %w'U'U'W    &&w/ ==##{'J'JJ 00, //#C--!2243F3F3L"M}}40050058TT G*00// I*1):):6 * &DJ Q "9,, 00"&"="= #  DKr`c|jstjdytjj |jS)aBuilds and returns the URL for the Regional Access Boundary lookup API. This method constructs the specific URL for the IAM Credentials API's `allowedLocations` endpoint, using the credential's universe domain and service account email. Returns: Optional[str]: The URL for the Regional Access Boundary lookup endpoint, or None if the service account email is missing. zpService account email is required to build the Regional Access Boundary lookup URL for impersonated credentials.N)service_account_email)r_LOGGERerrorr 9_SERVICE_ACCOUNT_REGIONAL_ACCESS_BOUNDARY_LOOKUP_ENDPOINTr )rVr/s r;*_build_regional_access_boundary_lookup_urlz6Credentials._build_regional_access_boundary_lookup_urlasL)) MMC LLSS"&"<"<T  r`cZddlm}tjj t j |jj|j}tj|jd|jd}ddi}||j} tj }|D]}|j#|||} | j$tj&vr4| j$t(j*k7r2t-j.dj| j1tj2| j1d c|j5S |j5t-j.d #|j5wxYw) NrAuthorizedSessionr)rqrZrirj)rrr!zError calling sign_bytes: {} signedBlobz#exhausted signBlob endpoint retries)google.auth.transport.requestsrr _IAM_SIGN_ENDPOINTrr rr1r rKbase64 b64encoderrMrDrExponentialBackoffpost status_codeIAM_RETRY_CODESr'r(r TransportErrorr! b64decodeclose) rVmessageriam_sign_endpointrrauthed_sessionretriesrr4s r; sign_byteszCredentials.sign_byteswsqD22::  / /1E1E &'' (  ''077@  "#56*4+C+CD #*==?G G)..)7/''3+>+>>'';>>9$336==hmmoN''  (EFF  " G  "''(MNN  "s CF1FF*c|jSrbrKrds r; signer_emailzCredentials.signer_email%%%r`c|jSrbrrds r;rz!Credentials.service_account_emailrr`c|Srbrkrds r;signerzCredentials.signers r`c|j Srb)rLrds r;requires_scopeszCredentials.requires_scopess&&&&r`cP|jr|jd|jdSy)Nzimpersonated credentials)credential_sourcecredential_typer0)rTrKrds r; get_cred_infozCredentials.get_cred_infos/   %)%9%9#=!33  r`c |j|j|j|j|j|j |j |j|j}|j|_ |j||S)N)rXrYrZr\r]r2r^) r_rDrKrLrMrPrRrSrUrT&_copy_regional_access_boundary_manager)rVcreds r; _make_copyzCredentials._make_copys|~~  $ $!33--oo^^!33"&"="=//   $33 33D9 r`c4|j}||_|Srb)rrR)rVr]rs r;with_quota_projectzCredentials.with_quota_projects !1 r`c<|j}|xs||_|Srb)rrL)rVscopesdefault_scopesrs r;rGzCredentials.with_scopess  $6 r`c|jd}|jd}|tk(r"ddlm}|jj |}nz|t k(r"ddlm}|jj|}nO|tk(r"ddl m }|jj|}n$tjdj||jd} | j!d } | j#d } | d k(s | d k(s| | kDr$tj$d j| | | d z| } |jd} |jd}|xs|jd}|jd}||| || ||S)aCreates a Credentials instance from parsed impersonated service account credentials info. **IMPORTANT**: This method does not validate the credential configuration. A security risk occurs when a credential configuration configured with malicious urls is used. When the credential configuration is accepted from an untrusted source, you should validate it before using with this method. Refer https://cloud.google.com/docs/authentication/external/externally-sourced-credentials for more details. Args: info (Mapping[str, str]): The impersonated service account credentials info in Google format. scopes (Sequence[str]): Optional list of scopes to include in the credentials. Returns: google.oauth2.credentials.Credentials: The constructed credentials. Raises: InvalidType: If the info["source_credentials"] are not a supported impersonation type InvalidValue: If the info["service_account_impersonation_url"] is not in the expected format. ValueError: If the info is not in the expected format. rWtyperr)r)rz.source credential of type {} is not supported.!service_account_impersonation_url/z:generateAccessTokenz'Cannot extract target principal from {}rZr]rr^)r]r^)get'_SOURCE_CREDENTIAL_AUTHORIZED_USER_TYPE google.oauth2r r>from_authorized_user_info'_SOURCE_CREDENTIAL_SERVICE_ACCOUNT_TYPErfrom_service_account_info8_SOURCE_CREDENTIAL_EXTERNAL_ACCOUNT_AUTHORIZED_USER_TYPE google.authr from_infor InvalidTyper rfindfind InvalidValue)clsinforsource_credentials_infosource_credentials_typer rWrrimpersonation_url start_index end_indexrXrZr]r^s r;&from_impersonated_service_account_infoz2Credentials.from_impersonated_service_account_infos8#'((+?"@"9"="=f"E "&M M 1!,!8!8!R!R'" %(O O 5!0!rrCredentialsWithQuotaProjectrrFrG classmethodr __classcell__r_s@r;r>r>s- CT-"J.X0F RDH @ , OD&&&&''X[4456 X[DDEF X[//01 M M r`r>ceZdZdZ dfd Zd dZdZdZeje jdZ eje jdZxZS) IDTokenCredentialsz;Open ID Connect ID Token-based service account credentials.ctt| t|tst j d||_||_||_ ||_ y)a Args: target_credentials (google.auth.Credentials): The target credential used as to acquire the id tokens for. target_audience (string): Audience to issue the token for. include_email (bool): Include email in IdToken quota_project_id (Optional[str]): The project ID used for quota and billing. z4Provided Credential must be impersonated_credentialsN) rArrBrEr>r r{_target_credentials_target_audience_include_emailrR)rVtarget_credentialstarget_audience include_emailr]r_s r;rBzIDTokenCredentials.__init__"sV  $02,k:,,I $6 /+!1r`cT|j|||j|jSN)rrrr])r_rrR)rVrrs r;from_credentialsz#IDTokenCredentials.from_credentials=s0~~1+--!33   r`ch|j|j||j|jSr)r_rrrR)rVrs r;with_target_audiencez'IDTokenCredentials.with_target_audienceEs6~~#77+--!33   r`ch|j|j|j||jSr)r_rrrR)rVrs r;with_include_emailz%IDTokenCredentials.with_include_emailMs6~~#77 11'!33   r`ch|j|j|j|j|Sr)r_rrr)rVr]s r;rz%IDTokenCredentials.with_quota_projectUs6~~#77 11---   r`c*ddlm}tjj t j |jjj|jj}|j|jj|jd}ddtjtj i}||jj"|} |j%||t'j(|j+d}|j-|j.t0j2k7r2t5j6d j|j' |j'd }||_t?j@tCjD|d d|_#y#|j-wxYw#t8t:f$r,} t5j6d |j'} | | d} ~ wwxYw)Nrr)audiencerZ includeEmailrirj) auth_requestr)rrr%zError getting ID token: {}r7zNo ID token in response.F)verifyrp)$rrr _IAM_IDTOKEN_ENDPOINTrr rrr1r rrrMrr rx"token_request_id_token_impersonaterDrr!r"r#rrr'r(r r)r-r.r7rutcfromtimestampr rr8) rVr/rrrrrr4id_tokenr9r:s r;rvzIDTokenCredentials.refresh^sD55==  / /  $ $ 4 4  &))66 7  --11<< //  .  % %w'Q'Q'S  +  $ $ 8 8w  #%**%ZZ%,,W5+H  "   ;>> 1)),33HMMOD  *}}w/H // JJx .u 5  !  "*% * --*HMMOGz )  *s$6G5GGH&'H  H)NFNrb)rrrrrBrrrrrr rrr>rvrrs@r;rrstE  26   X[DDE F X[4450 60 r`rcxtjj|}|tj|d}tj|j d}||d||}t |jdr|jjdn |j}|jtjk7rtjt| tj|} | d} | S#t t"f$r1} tjdjt|} | | d} ~ wwxYw) aMakes a request to the Google Cloud IAM service to sign a JWT using a service account's system-managed private key. Args: request (Request): The Request object to use. principal (str): The principal to request an access token for. headers (Mapping[str, str]): Map of headers to transmit. payload (Mapping[str, str]): The JWT payload to sign. Must be a serialized JSON object that contains a JWT Claims Set. delegates (Sequence[str]): The chained list of delegates required to grant the final access_token. If set, the sequence of identities must have "Service Account Token Creator" capability granted to the prceeding identity. For example, if set to [serviceAccountB, serviceAccountC], the source_credential must have the Token Creator role on serviceAccountB. serviceAccountB must have the Token Creator on serviceAccountC. Finally, C must have Token Creator on target_principal. If left unset, source_credential must have that role on target_principal. Raises: google.auth.exceptions.TransportError: Raised if there is an underlying HTTP connection error google.auth.exceptions.RefreshError: Raised if the impersonated credentials are not available. Common reasons are `iamcredentials.googleapis.com` is not enabled or the `Service Account Token Creator` is not assigned )rZrqrrrr signedJwtz{}: No signed JWT in response.N)r _IAM_SIGNJWT_ENDPOINTr r!r"r#r$r%rr&r'r(r r)r*r+r-r.) r/r0rrqrZr3rr4r5 jwt_response signed_jwtr9r:s r;rrs :,,33I>L"tzz'/B CD ::d  " "7 +D<dSH 8==( +  W% ]] +..(%%nmDD &zz-0 !+.  j !&)) , 3 3N C] :% &sC99D9,D44D9)*rrrCr http.clientclientr'r!loggingtypingrrrrrr r r r r rrgoogle.auth.transportgoogle getLoggerrrr*rOr}rrrrr<rFrSigning%CredentialsWithRegionalAccessBoundaryr>rrrkr`r;rs  ! *- #"! '  H %=# E+<'*;'&9 77 ;&|] ++55 ] @ p @@p fGI7&r`