dZddlmZddlmZddlmZddlZddlmZddlm Z ddl Z ddl m Z d Z Gd d e Zd Zd ZdZdZdZdZdZdZdZy)z,Utilities for Binary Authorization commands.)absolute_import)division)unicode_literalsN) docker_name)Error)urllibz/binaryauthorization.googleapis.com/attestationsceZdZdZy)BadImageUrlErrorz@Raised when a container image URL cannot be parsed successfully.N)__name__ __module__ __qualname____doc__9lib/googlecloudsdk/command_lib/container/binauthz/util.pyr r !sHrr c|xsd}tjj|}|jr'|jst dj ||js.tjjdj |}|j|jjdS)azReturns the passed `image_url` with the scheme replaced. Args: image_url: The URL to replace (or strip) the scheme from. (string) scheme: The scheme of the returned URL. If this is an empty string or `None`, the scheme is stripped and the leading `//` of the resulting URL will be stripped off. Raises: BadImageUrlError: `image_url` isn't valid. zMImage URL '{image_url}' is invalid because it does not have a host component.) image_urlz//{}scheme/) rparseurlparsernetlocr format_replacegeturllstrip)rr parsed_urls rReplaceImageUrlSchemer %s     % % 1 sAA>. A99A>ct|}tj|dddd}dj|j dS)aCreates a JSON bytestring representing a signature object to sign. Args: container_image_url: See `containerregistry.client.docker_name.Digest` for artifact URL validation and parsing details. `container_image_url` must be a fully qualified image URL with a valid sha256 digest. Returns: A bytestring representing a JSON-encoded structure of nested dictionaries and strings. T),z: ) ensure_asciiindent separators sort_keysz{} utf-8)r0jsondumpsrencode)r, payload_dictpayloads rMakeSignaturePayloadr>esJ**=>, JJ   ' w  & &w //rct|d} tj||S#tj$r}t |d}~wwxYw)zEnsures the given URL has no scheme (e.g. replaces "https://gcr.io/foo/bar" with "gcr.io/foo/bar" and leaves "gcr.io/foo/bar" unchanged). Args: artifact_url: A URL string. Returns: The URL with the scheme removed. rrN)r rr&r'r ) artifact_urlurl_without_schemer/s rRemoveArtifactUrlSchemerBsR-\"E)*   % % 1 s&A  AA ct|d} tj|}|j S#tj$r}t |d}~wwxYw)zReturns the digest of an image given its url. Args: artifact_url: An image url. e.g. "https://gcr.io/foo/bar@sha256:123" Returns: The image digest. e.g. "sha256:123" rrN)r rr&r'r r+)r@rAr+r/s rGetImageDigestrDsX-\"E   2 3F   % % 1 s0A AAc |jd}|jd}djddt|z|dt|z|gS)zPae encode input using the specified dsse type. Args: dsse_type: DSSE envelope type. body: payload string. Returns: Pae-encoded payload byte string. r8 sDSSEv1s%d)r;joinlen) dsse_typebodydsse_type_bytes body_bytess r PaeEncoderMsZ$$W-/{{7#*  c/"" c*o  rc Fddddid|Dcgc]}d|ic}id}|Scc}w)zCreates a minimal PodSpec from a list of images. Args: images: list of images being evaluated. Returns: PodSpec object in JSON form. v1Podnamer containersr$) apiVersionkindmetadataspecr)imagesr$rVs rGeneratePodSpecFromImagesrXsG " v>ve'5)v> $ + ?s  c|djdi}|jtd}|rdj|g|z|t<ndj||t<||dd<|S)aInlines attestations into a Kubernetes PodSpec. Args: pod_spec: The PodSpec provided by the user. attestations: List of attestations returned by the policy evaluator in comma separated DSSE form. Returns: Modified PodSpec with attestations inlined. rU annotationsNr3)get$_BINAUTHZ_ATTESTATION_ANNOTATION_KEYrG)pod_spec attestationsrZexisting_attestationss rAddInlineAttestationsToPodSpecr`s}$((;+%//*D8; ,.9K459<8NK45(3(:}% /rc^|ddk7rt|dd||dd<|St||S)a,Inlines attestations into a Kubernetes resource. Args: resource: The Kubernetes resource provided by the user. attestations: List of attestations returned by the policy evaluator in comma separated DSSE form. Returns: Modified Kubernetes resource with attestations inlined. rTrPrVtemplate)r`)resourcer^s rAddInlineAttestationsToResourcerdsHf#A$l$HVZ  O ', ??r)r __future__rrrr9containerregistry.clientrgooglecloudsdk.core.exceptionsrr( six.movesrr\r r r0r>rBrDrMrXr`rdrrrrisj3&' 00 6% IuIAD<08*(*.2@r