+3VdZddlmZddlmZddlmZddlZddlZddlmZ ddlm Z ddl m Z ddl mZddl mZdd l mZdd l mZdd l mZdd lmZd ZGddej*ZGddeZGddeZdZddZdZGddeZGddej:Zy)z%Utilities for the iamcredentials API.)absolute_import)division)unicode_literalsN exceptions) http_wrapper) apis_internal) properties) resources) transport)clientz&https://iamcredentials.googleapis.com/ceZdZdZy)Errorz*Exception that are defined by this module.N__name__ __module__ __qualname____doc__1lib/googlecloudsdk/api_lib/iamcredentials/util.pyrr's2rrceZdZdZy)InvalidImpersonationAccountz1Exception when the service account id is invalid.Nrrrrrr+s9rrceZdZdZy)&ImpersonatedCredGoogleAuthRefreshErrorzAException for google auth impersonated credentials refresh error.Nrrrrrr/sIrrc~ddlm}tjj |dd|d}|j dt jd}tjd d | } |jj|jj|j|jj|  }|S#t j"$r7}t%j&|dj)|j*|d}~wt j,$r}t%j&|d}~wwxYw)z8Generates an access token for the given service account.r transportsiamcredentials.serviceAccounts- projectsIdserviceAccountsId collectionparamsFenable_resource_quotaresponse_encodingallow_account_impersonationiamcredentialsv1 http_client)scope)namegenerateAccessTokenRequestzError {code} (Forbidden) - failed to impersonate [{service_acc}]. Make sure the account that's trying to impersonate it has access to the service account itself and the "roles/iam.serviceAccountTokenCreator" role.)code service_acc error_formatN)googlecloudsdk.core.credentialsrr REGISTRYParseGetApitoolsTransportr ENCODINGr _GetClientInstanceprojects_serviceAccountsGenerateAccessTokenMESSAGES_MODULE?IamcredentialsProjectsServiceAccountsGenerateAccessTokenRequest RelativeNameGenerateAccessTokenRequestapitools_exceptionsHttpForbiddenErrorr HttpExceptionformat status_code HttpError)service_account_idscopesrservice_account_refr. iam_clientresponsees rr=r=3sC9!**00%E6H I1K//!!**"'0)+ //+7*&22FF"" H H$113'1'A'A ' 'f ' 5 I H O  / /N  " " $Vmm9K$M  NN  & &&  " "1 %%&s%'ACD<2D  D<"D77D<c ddlm}tjj |dd|d}|j dt jd}tjd d | }|jj|jj|j|jj||  }|j S)z4Generates an id token for the given service account.rrrr r!r$Fr'r+r,r-)audience includeEmail)r0generateIdTokenRequest)r6rr r7r8r9r r:r r;r<GenerateIdTokenr>;IamcredentialsProjectsServiceAccountsGenerateIdTokenRequestr@GenerateIdTokenRequesttoken)rHrO include_emailrrJr.rKrLs rrRrR[s9!**00%E6H I1K//!!**"'0)+ //+7* 0 0 @ @  BB"//1!+!;!; ! !8- ! PC( rctjjjj r2tjjjj Stjj j}|j |jk7r$tjd|j StS)aReturns the effective IAM endpoint. (1) If the [api_endpoint_overrides/iamcredentials] property is explicitly set, return the property value. (2) Otherwise if [core/universe_domain] value is not default, return "https://iamcredentials.{universe_domain_value}/". (3) Otherise return "https://iamcredentials.googleapis.com/" Returns: str: The effective IAM endpoint. zgoogleapis.com) r VALUESapi_endpoint_overridesr+IsExplicitlySetGetcoreuniverse_domaindefaultIAM_ENDPOINT_GDUreplace)universe_domain_propertys rGetEffectiveIamEndpointrbws--<<LLN    3 3 B B F F HH'..33CC!!#'?'G'GG  # #2668  rcHeZdZdZdZdZdZdZedZ edZ y) ImpersonationAccessTokenProviderzzA token provider for service account elevation. This supports the interface required by the core/credentials module. c|d|vr tdt||}t||j|j|S)N,zMore than one service accounts were specified, which is not supported. If being set, please unset the auth/disable_load_google_auth property and retry.)rr=ImpersonationCredentials accessToken expireTime)selfrHrIrLs rGetElevationAccessTokenz8ImpersonationAccessTokenProvider.GetElevationAccessTokensP   ' > ??##5v>H #H00(2E2Ev OOrct|||SN)rR)rjrHrOrVs rGetElevationIdTokenz4ImpersonationAccessTokenProvider.GetElevationIdTokens -x GGrcddlm}ddlm}ddlm}|j }|j ||j||||} |j | j || S#|j$r} dj|} d} tj| jd } | d z| d d z| d d <tjd | d ditj | d}t"j$j'|} n#t($rYnwxYw| rtj*| dt-| d} ~ wwxYw)zCCreates a fresh impersonation credential using google-auth library.rrimpersonated_credentialsrequests)source_credentialstarget_principal target_scopes delegateszFailed to impersonate [{service_acc}]. Make sure the account that's trying to impersonate it has access to the service account itself and the "roles/iam.serviceAccountTokenCreator" role.)r3N errormessagestatusr2)infocontent request_urlz{message} {details? {?}}r4) google.authrrqgooglecloudsdk.corersGoogleAuthRequestrefresh CredentialsPerformIamEndpointsOverride RefreshErrorrEjsonloadsargsrResponsedumpsrBrG FromResponse ExceptionrDr)rjrtrurwrIgoogle_auth_exceptions$google_auth_impersonated_credentials core_requestsrequest_clientcredrMoriginal_message http_errorr~ http_responses r!GetElevationAccessTokenGoogleAuthzBImpersonationAccessTokenProvider.GetElevationAccessTokenGoogleAuthsA\=#446N~. / ; ;-) < D  $$&-E ll>"\ K[ " . .+E BBH&*CIC j **QVVAY' s "WW%5i%@ @ # %--GG,V45JJw' )22?? N     && %@  33C DDW+Es=A--E<E BDE  D&#E %D&&'E  Ecddlm}ddlm}|j |||}|j }|j |j||S)z=Creates an ID token credentials for impersonated credentials.rrprr)target_audiencerV)rrqrrsIDTokenCredentialsrrr)rj%google_auth_impersonation_credentialsrOrVrrrrs rGetElevationIdTokenGoogleAuthz>ImpersonationAccessTokenProvider.GetElevationIdTokenGoogleAuthsW]= / B B- # C D #446N$$&LL Krc^ddlm}t|txst||jS)Nrrp)rrq isinstancergr)clsrrs rIsImpersonationCredentialz:ImpersonationAccessTokenProvider.IsImpersonationCredentials0] d4 5  2>>:rcddlm}t}|jj t ||_|j j t ||_|jj t ||_y)a.Perform IAM endpoint override if needed. We will override IAM generateAccessToken, signBlob, and generateIdToken endpoint under the following conditions. (1) If the [api_endpoint_overrides/iamcredentials] property is explicitly set, we replace "https://iamcredentials.googleapis.com/" with the given property value in these endpoints. (2) If the property above is not set, and the [core/universe_domain] value is not default, we replace "googleapis.com" with the [core/universe_domain] property value in these endpoints. r)iamN)rrrb _IAM_ENDPOINTr`r__IAM_SIGN_ENDPOINT_IAM_IDTOKEN_ENDPOINT)rgoogle_auth_iameffective_iam_endpoints rrz&M&M OOr) rrrrrrrr __classcell__)rs@rrgrg*s'.Q EOrrg)F)r __future__rrrrrapitools.base.pyrrBrgooglecloudsdk.api_lib.utilr rcore_exceptionsr r r oauth2clientr r_rrrr=rRrbobjectrdOAuth2Credentialsrgrrrrs ,&' >)52=*))<3O ! !3:%:JUJ%&P8.YvYxOv77Or