}gUNdZddlZddlZddlmZddlmZddlZddlm Z ddlm Z ddlm Z ddlm Z ddlm Z dd lmZdd lmZdd lmZd Zd ZdZe j*dfdZGdde j.e j0e j2ZGdde j0ZgfdZy)aGoogle Cloud Impersonated credentials. This module provides authentication for applications where local credentials impersonates a remote service account using `IAM Credentials API`_. This class can be used to impersonate a service account as long as the original Credential object has the "Service Account Token Creator" role on the target service account. .. _IAM Credentials API: https://cloud.google.com/iam/credentials/reference/rest/ N)datetime)_exponential_backoff)_helpers) credentials) exceptions)iam)jwt)metrics)_clientz*Unable to acquire impersonated credentialsiz#https://oauth2.googleapis.com/tokenc|xs=tjjtj|j |}t j|jd}||d||}t|jdr|jjdn |j}|jtjk7rtj t"| t j$|} | d} t'j(| dd} | | fS#t*t,f$r1} tj dj t"|} | | d } ~ wwxYw) aMakes a request to the Google Cloud IAM service for an access token. Args: request (Request): The Request object to use. principal (str): The principal to request an access token for. headers (Mapping[str, str]): Map of headers to transmit. body (Mapping[str, str]): JSON Payload body for the iamcredentials API call. iam_endpoint_override (Optiona[str]): The full IAM endpoint override with the target_principal embedded. This is useful when supporting impersonation with regional endpoints. Raises: google.auth.exceptions.TransportError: Raised if there is an underlying HTTP connection error google.auth.exceptions.RefreshError: Raised if the impersonated credentials are not available. Common reasons are `iamcredentials.googleapis.com` is not enabled or the `Service Account Token Creator` is not assigned utf-8POSTurlmethodheadersbodydecode accessToken expireTimez%Y-%m-%dT%H:%M:%SZz6{}: No access token or invalid expiration in response.N)r _IAM_ENDPOINTreplacerDEFAULT_UNIVERSE_DOMAINformatjsondumpsencodehasattrdatarstatus http_clientOKr RefreshError_REFRESH_ERRORloadsrstrptimeKeyError ValueError)request principalrruniverse_domainiam_endpoint_override iam_endpointresponse response_bodytoken_responsetokenexpiry caught_excnew_excs a/var/www/html/Manimaran/venv/lib/python3.12/site-packages/google/auth/impersonated_credentials.py_make_iam_token_requestr63s=6)C,=,=,E,E++_- fY ::d  " "7 +D<dSH 8==( +  W% ]] +..(%%nmDD&M2}-"">,#?AUVf} j !&)) D K K     :%&s'6DE-,EEceZdZdZddeddffd ZdZeje jdZ dZ dZ edZed Zed Zed Zeje jd Zd Zeje j*dZeje j.ddZxZS) CredentialsaThis module defines impersonated credentials which are essentially impersonated identities. Impersonated Credentials allows credentials issued to a user or service account to impersonate another. The target service account must grant the originating credential principal the `Service Account Token Creator`_ IAM role: For more information about Token Creator IAM role and IAMCredentials API, see `Creating Short-Lived Service Account Credentials`_. .. _Service Account Token Creator: https://cloud.google.com/iam/docs/service-accounts#the_service_account_token_creator_role .. _Creating Short-Lived Service Account Credentials: https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials Usage: First grant source_credentials the `Service Account Token Creator` role on the target account to impersonate. In this example, the service account represented by svc_account.json has the token creator role on `impersonated-account@_project_.iam.gserviceaccount.com`. Enable the IAMCredentials API on the source project: `gcloud services enable iamcredentials.googleapis.com`. Initialize a source credential which does not have access to list bucket:: from google.oauth2 import service_account target_scopes = [ 'https://www.googleapis.com/auth/devstorage.read_only'] source_credentials = ( service_account.Credentials.from_service_account_file( '/path/to/svc_account.json', scopes=target_scopes)) Now use the source credentials to acquire credentials to impersonate another service account:: from google.auth import impersonated_credentials target_credentials = impersonated_credentials.Credentials( source_credentials=source_credentials, target_principal='impersonated-account@_project_.iam.gserviceaccount.com', target_scopes = target_scopes, lifetime=500) Resource access is granted:: client = storage.Client(credentials=target_credentials) buckets = client.list_buckets(project='your_project') for bucket in buckets: print(bucket.name) Nc rtt| tj||_t |jt jru|jjtj|_t|jdr1|jjr|jjd|j|_||_||_||_||_|xst(|_d|_t/j0|_||_||_d|_y)a$ Args: source_credentials (google.auth.Credentials): The source credential used as to acquire the impersonated credentials. target_principal (str): The service account to impersonate. target_scopes (Sequence[str]): Scopes to request during the authorization grant. delegates (Sequence[str]): The chained list of delegates required to grant the final access_token. If set, the sequence of identities must have "Service Account Token Creator" capability granted to the prceeding identity. For example, if set to [serviceAccountB, serviceAccountC], the source_credential must have the Token Creator role on serviceAccountB. serviceAccountB must have the Token Creator on serviceAccountC. Finally, C must have Token Creator on target_principal. If left unset, source_credential must have that role on target_principal. lifetime (int): Number of seconds the delegated credential should be valid for (upto 3600). quota_project_id (Optional[str]): The project ID used for quota and billing. This project may be different from the project used to create the credentials. iam_endpoint_override (Optional[str]): The full IAM endpoint override with the target_principal embedded. This is useful when supporting impersonation with regional endpoints. subject (Optional[str]): sub field of a JWT. This field should only be set if you wish to impersonate as a user. This feature is useful when using domain wide delegation. _create_self_signed_jwtN)superr8__init__copy_source_credentials isinstancerScoped with_scopesr _IAM_SCOPEr_always_use_jwt_accessr:r+_universe_domain_target_principal_target_scopes _delegates_subject_DEFAULT_TOKEN_LIFETIME_SECS _lifetimer1rutcnowr2_quota_project_id_iam_endpoint_override_cred_file_path) selfsource_credentialstarget_principal target_scopes delegatessubjectlifetimequota_project_idr, __class__s r5r<zCredentials.__init__sT k4)+#'99-?#@  d.. 0B0B C'+'?'?'K'K(D $ 002KL,,CC((@@F 2 B B!1+# !A%A oo' !1&;##c"tjSN)r CRED_TYPE_SA_IMPERSONATErOs r5_metric_header_for_usagez$Credentials._metric_header_for_usages///rXc&|j|yrZ) _update_token)rOr)s r5refreshzCredentials.refreshs 7#rXcx|jjtjjk(s1|jjtjj k(r|jj ||j|jt|jdzd}ddtjtji}|jj||jr|j tj"k7rt%j&dt)j*}|j,t)j.|jxsd|jt0t)j2|t)j2|t4zd}t7||j,|||j}t9j:|t0|\|_|_}y tA||j,|||j |jB \|_|_y ) zUpdates credentials with a new access_token representing the impersonated account. Args: request (google.auth.transport.requests.Request): Request object to use for refreshing credentials. s)rSscoperU Content-Typeapplication/jsonzNDomain-wide delegation is not supported in universes other than googleapis.com)issrcsubaudiatexp)r)r*rpayloadrSN)r)r*rrr+r,)"r> token_stater TokenStateSTALEINVALIDr`rGrFstrrJr API_CLIENT_HEADER&token_request_access_token_impersonateapplyrHr+rrGoogleAuthErrorrrKrEscopes_to_string_GOOGLE_OAUTH2_TOKEN_ENDPOINTdatetime_to_secsrI_sign_jwt_requestr jwt_grantr1r2r6rM)rOr)rrnowrl assertion_s r5r_zCredentials._update_tokens  $ $ 0 0K4J4J4P4P P''33{7M7M7U7UU  $ $ , ,W 5((DNN+c1  .  % %w'U'U'W    &&w/ ==##{'J'JJ 00, //#C--!2243F3F3L"M}}40050058TT G*00// I*1):):6 * &DJ Q "9,, 00"&"="= #  DKrXcZddlm}tjj t j |jj|j}tj|jd|jd}ddi}||j} tj }|D]}|j#|||} | j$tj&vr4| j$t(j*k7r2t-j.dj| j1tj2| j1d c|j5S |j5t-j.d #|j5wxYw) NrAuthorizedSessionr )rlrSrdre)rrrzError calling sign_bytes: {} signedBlobz#exhausted signBlob endpoint retries)google.auth.transport.requestsrr_IAM_SIGN_ENDPOINTrrrr+rrEbase64 b64encoderrGr>rExponentialBackoffpost status_codeIAM_RETRY_CODESr!r"rTransportErrorr b64decodeclose) rOmessageriam_sign_endpointrrauthed_sessionretriesr}r.s r5 sign_byteszCredentials.sign_bytesHsjD22::  / /1E1E &'' (  ''077@  "#56*4+C+CD #*==?G)..)7/''3+>+>>'';>>9$336==hmmoN''  (EFF  "  "''(MNN  "s CF1FF*c|jSrZrEr\s r5 signer_emailzCredentials.signer_emailj%%%rXc|jSrZrr\s r5service_account_emailz!Credentials.service_account_emailnrrXc|SrZrfr\s r5signerzCredentials.signerrs rXc|j SrZ)rFr\s r5requires_scopeszCredentials.requires_scopesvs&&&&rXcP|jr|jd|jdSy)Nzimpersonated credentials)credential_sourcecredential_typer*)rNrEr\s r5 get_cred_infozCredentials.get_cred_infozs/   %)%9%9#=!33  rXc |j|j|j|j|j|j |j |j}|j|_|S)N)rQrRrSrUrVr,) rWr>rErFrGrJrLrMrN)rOcreds r5 _make_copyzCredentials._make_copyse~~  $ $!33--oo^^!33"&"="=  $33 rXc4|j}||_|SrZ)rrL)rOrVrs r5with_quota_projectzCredentials.with_quota_projects !1 rXc<|j}|xs||_|SrZ)rrF)rOscopesdefault_scopesrs r5rAzCredentials.with_scopess  $6 rXrZ)__name__ __module__ __qualname____doc__rIr<r]rcopy_docstringrr8r`r_rpropertyrrrrrrCredentialsWithQuotaProjectrr@rA __classcell__rWs@r5r8r8qs&;D-"F$P0X[445$6$F P OD&&&&''X[4456 X[DDEF X[//01rXr8ceZdZdZ dfd Zd dZdZdZeje jdZ eje jdZxZS) IDTokenCredentialszAOpen ID Connect ID Token-based service account credentials. ctt| t|tst j d||_||_||_ ||_ y)a Args: target_credentials (google.auth.Credentials): The target credential used as to acquire the id tokens for. target_audience (string): Audience to issue the token for. include_email (bool): Include email in IdToken quota_project_id (Optional[str]): The project ID used for quota and billing. z4Provided Credential must be impersonated_credentialsN) r;rr<r?r8rru_target_credentials_target_audience_include_emailrL)rOtarget_credentialstarget_audience include_emailrVrWs r5r<zIDTokenCredentials.__init__sV  $02,k:,,I $6 /+!1rXcT|j|||j|jSN)rrrrV)rWrrL)rOrrs r5from_credentialsz#IDTokenCredentials.from_credentialss0~~1+--!33   rXch|j|j||j|jSr)rWrrrL)rOrs r5with_target_audiencez'IDTokenCredentials.with_target_audiences6~~#77+--!33   rXch|j|j|j||jSr)rWrrrL)rOrs r5with_include_emailz%IDTokenCredentials.with_include_emails6~~#77 11'!33   rXch|j|j|j|j|Sr)rWrrr)rOrVs r5rz%IDTokenCredentials.with_quota_projects6~~#77 11---   rXcddlm}tjj t j |jjj|jj}|j|jj|jd}ddtjtj i}||jj"|} |j%||t'j(|j+d}|j-|j.t0j2k7r2t5j6d j|j'|j'd }||_t;j<t?j@|d d |_!y#|j-wxYw)Nrr)audiencerS includeEmailrdre) auth_requestr )rrrzError getting ID token: {}r1F)verifyrk)"rrr_IAM_IDTOKEN_ENDPOINTrrrrr+rrrrGrr rr"token_request_id_token_impersonater>rrrrrrr!r"rr#r1rutcfromtimestampr rr2) rOr)rrrrrr.id_tokens r5r`zIDTokenCredentials.refreshsD55==  / /  $ $ 4 4  &))66 7  --11<< //  .  % %w'Q'Q'S  +  $ $ 8 8w  #%**%ZZ%,,W5+H  "   ;>> 1)),33HMMOD ==?7+ // JJx .u 5    "s 6GG)NFNrZ)rrrrr<rrrrrrrrr8r`rrs@r5rrsv 26   X[DDE F X[445) 6) rXrcxtjj|}|tj|d}tj|j d}||d||}t |jdr|jjdn |j}|jtjk7rtjt| tj|} | d} | S#t t"f$r1} tjdjt|} | | d} ~ wwxYw) aMakes a request to the Google Cloud IAM service to sign a JWT using a service account's system-managed private key. Args: request (Request): The Request object to use. principal (str): The principal to request an access token for. headers (Mapping[str, str]): Map of headers to transmit. payload (Mapping[str, str]): The JWT payload to sign. Must be a serialized JSON object that contains a JWT Claims Set. delegates (Sequence[str]): The chained list of delegates required to grant the final access_token. If set, the sequence of identities must have "Service Account Token Creator" capability granted to the prceeding identity. For example, if set to [serviceAccountB, serviceAccountC], the source_credential must have the Token Creator role on serviceAccountB. serviceAccountB must have the Token Creator on serviceAccountC. Finally, C must have Token Creator on target_principal. If left unset, source_credential must have that role on target_principal. Raises: google.auth.exceptions.TransportError: Raised if there is an underlying HTTP connection error google.auth.exceptions.RefreshError: Raised if the impersonated credentials are not available. Common reasons are `iamcredentials.googleapis.com` is not enabled or the `Service Account Token Creator` is not assigned )rSrlr rrr signedJwtz{}: No signed JWT in response.N)r_IAM_SIGNJWT_ENDPOINTrrrrrrrr r!r"rr#r$r%r'r() r)r*rrlrSr-rr.r/ jwt_response signed_jwtr3r4s r5ryry s :,,33I>L"tzz'/B CD ::d  " "7 +D<dSH 8==( +  W% ]] +..(%%nmDD &zz-0 !+.  j !&)) , 3 3N C] :% &sC99D9,D44D9)rrr=r http.clientclientr!r google.authrrrrrr r google.oauth2r r$rIrwrr6r@rSigningr8rryrfrXr5rs  ! , #"!># E 77 ;&|j ??ATATjZ k @@k \GI7&rX