@dZddlmZddlmZddlmZddlZddlZddlZddlm Z ddl m Z ddl m Z dd l mZddlZGd d ej ZGd d eZGddeZGddeZdZdZdZGddej2ej4eZGddeZGddeZGddeZGddeZGdd eZ Gd!d"eZ!Gd#d$eZ"Gd%d&e#Z$y)'z'Generators for Credential Config Files.)absolute_import)division)unicode_literalsN)enterprise_certificate_config)log) properties)filesceZdZdZdZy) ConfigTypeN)__name__ __module__ __qualname__WORKLOAD_IDENTITY_POOLSWORKFORCE_POOLSAlib/googlecloudsdk/command_lib/iam/byoid_utilities/cred_config.pyr r s /rr c.eZdZdZ ddZedZy)ByoidEndpointszBase class for BYOID endpoints.c|r|r|dk7r tdd|_d|_||_|rdnd|_||_||_y)NglobalzGmTLS is not supported with locational Security Token Service endpoints.z"https://{service}.{mtls}{universe}z/https://{service}.{sts_location}.rep.{universe}zmtls.)GeneratorError_sts_global_template_sts_locational_template_service_mtls_universe_domain _sts_location)selfservice enable_mtlsuniverse_domain sts_locations r__init__zByoidEndpoints.__init__(s\| (@   !ED9 !DM'RDJ+D%Drc(|jr|jdk(r<|jj|j|j|j S|j j|j|j|j S)Nr)r#mtlsuniverse)r#r&r*)r!rformatrrr r)r"s r _base_urlzByoidEndpoints._base_url?s   !3!3x!?  & & - ---djj4;P;P.  ( ( / / ''&& 0 rN)Fzgoogleapis.comr)rrr__doc__r'propertyr,rrrrr%s)' & &.    rrcReZdZdZfdZedZedZedZxZ S) StsEndpointsz$Simple class to build STS endpoints.c ,tt| di|y)N)sts)superr0r')r"kwargs __class__s rr'zStsEndpoints.__init__Os ,&77rc>d}dj|j|S)Nzv1/token{}/{}r+r,r"apis r token_urlzStsEndpoints.token_urlRs C >>$..# ..rc>d}dj|j|S)Nz v1/oauthtokenr7r8r9s roauth_token_urlzStsEndpoints.oauth_token_urlW C >>$..# ..rc>d}dj|j|S)Nz v1/introspectr7r8r9s rtoken_info_urlzStsEndpoints.token_info_url\r>r) rrrr-r'r.r;r=r@ __classcell__r5s@rr0r0LsG,8 / / / / / /rr0c2eZdZdZfdZedZxZS) IamEndpointsz/Simple class to build IAM Credential endpoints.c :||_tt|di|y)N)iamcredentials)_service_accountr3rDr')r"service_accountr4r5s rr'zIamEndpoints.__init__es+D ,&B6Brcpdj|j}dj|j|S)Nz4v1/projects/-/serviceAccounts/{}:generateAccessTokenr7)r+rGr,r9s rimpersonation_urlzIamEndpoints.impersonation_urlis2 @ G G  C >>$..# ..r)rrrr-r'r.rJrArBs@rrDrDbs 7C / /rrDzcredential configuration filect|dddu}t|dd}t|dd}|r|st|dr tdd}tjj j }t|d dr |j }nO|jr|j}n.tjj j j}t||| } t||}|d d |jz|j|j|j|j!|d } |t"j$ur|j&| d<|j(rJt+|j(||} | j,| d<i} |j.r$|j.| d<| | d<n|j0| d<t3j4|j6t9j:| dt=j>|j6t@tC|tDr[tGjHtFj"jJ|jL|jN|jP|jRyy#t$r:} t=j>|j6t@| jTYd} ~ yd} ~ wwxYw)z;Creates the byoid credential config based on CLI arguments.credential_cert_pathNr$Fr&rz8Cannot disable mTLS when a certificate path is provided.Tr%)r$r%r&external_accountz//iam.googleapis.com/)r%typeaudiencesubject_token_typer;credential_sourceworkforce_pool_user_project)r$r%!service_account_impersonation_urltoken_lifetime_secondsservice_account_impersonationr@r )indent) cert_pathkey_path output_filetrust_chain_path)failed)+getattrhasattrrrVALUEScorer%IsExplicitlySetGetdefaultr0 get_generatorrOget_token_typerPr; get_sourcer rrRrHrDrJ&service_account_token_lifetime_secondsr@r WriteFileContentsrYjsondumpsrCreatedResource RESOURCE_TYPE isinstanceX509CredConfigGeneratorr create_configWORKLOADrL credential_cert_private_key_path)credential_cert_configuration_output_file credential_cert_trust_chain_pathmessage) args config_typeis_certr$r&universe_domain_propertyr%token_endpoint_builder generatoroutputsa_endpoint_builderrUcces rcreate_credential_configr}ts D0$ 7t C'mU3+~r2, 747  D K(..33CC T$d+**O//1.224O '',,<<DDO'% 1MdK0I*"+dmm;'66t7N7NO+55&11$7 Fj000.2.N.Nf *+ (   !)  / / 01')# 4 4  7 7 &&>?3P./!7!F!Ff  D,,djj.JK((-8)45#11 ' 2 2 ; ;--88DD@@ 6 M((- LLMs#FJ K 0KKc|jrt||jS|jr!t||j|jS|j r{t |drC|jr7t||j |j|j|jSt||j |j|jS|jr tS|jr t|j |j"S|j$r6t'|j$|j(|j*|j,Sy)z@Determines the type of credential output based on CLI arguments.%executable_interactive_timeout_millisN)credential_source_fileFileCredConfigGeneratorcredential_source_urlUrlCredConfigGeneratorcredential_source_headersexecutable_commandr]r(InteractiveExecutableCredConfigGeneratorexecutable_timeout_millisexecutable_output_fileExecutableCredConfigGeneratorawsAwsCredConfigGeneratorazureAzureCredConfigGenerator app_id_urirOrLrmrprqrr)rtrus rrcrcs4   ";0K0K LL  !+t/I/I"&"@"@ BB t<>> 5 t..0N0N  % %  4 466 )d6M6M)-)G)G)-)D)D FF XX ! ## ZZ #DOOT]] CC  " !! -- 66 --  rcLeZdZdZdZdZdZdZejdZ y)CredConfigGeneratorz2Base class for generating Credential Config files.c||_yN)ru)r"rus rr'zCredConfigGenerator.__init__s "DrcNd}|jtjurd}|xs|S)z;Returns the type of token that this credential config uses.$urn:ietf:params:oauth:token-type:jwtz)urn:ietf:params:oauth:token-type:id_token)rur r)r"rPdefault_token_types rrdz"CredConfigGenerator.get_token_types1@ :555F  3!33rc|sy|j}|dvr tdd|i}|dk(r|s td||d<|S)aReturns an optional dictionary indicating the format of the token. This is a shared method, that several different token types need access to. Args: credential_source_type: The format of the token, either 'json' or 'text'. credential_source_field_name: The field name of a JSON object containing the text version of the token. Raises: GeneratorError: if an invalid token format is specified, or no field name is specified for a json token. N)rhtextz8--credential-source-type must be either "json" or "text"rNrhzA--credential-source-field-name required for JSON formatted tokenssubject_token_field_name)lowerr)r"credential_source_typecredential_source_field_name token_formats r _get_formatzCredConfigGenerator._get_formatso " 399;%55  D FF23L' ) OQ Q1Ml-. rc|r tdy)Nz?--credential-source-type is not supported with --azure or --aws)r)r"rs r_format_already_definedz+CredConfigGenerator._format_already_defineds  K MMrcy)z@Gets the credential source info used for this credential config.Nrr"rts rrezCredConfigGenerator.get_sources rN) rrrr-r'rdrrabcabstractmethodrerrrrrs5:#4@M   rrc(eZdZdZfdZdZxZS)rz0The generator for File-based credential configs.c:tt| |||_yr)r3rr'r)r"rurr5s rr'z FileCredConfigGenerator.__init__$s !41+>"8Drc|d|ji}|j|j|j}|r||d<|S)Nfiler+)rrrrr"rtrQrs rrez"FileCredConfigGenerator.get_source(sI!D"rcd|ji}|jr|j|d<|j|j|j}|r||d<|S)Nurlheadersr+)rrrrrrs rrez!UrlCredConfigGenerator.get_source:sc : :; %%%)%C%C "##D$?$?$($E$EGL$0! rrrBs@rrr1s7? rrc(eZdZdZfdZdZxZS)rz?The generator for executable-command-based credentials configs.cx|r t|}tt||||_|xsd|_||_y)Ni0u)intr3rr'commandtimeout_millisrY)r"rurrrYr5s rr'z&ExecutableCredConfigGenerator.__init__Hs<>*n '7 DDL(1ED"Drcr|j|jd}|jr|j|d<d|iS)N)rrrY executable)rrrYr"rtexecutable_configs rrez(ExecutableCredConfigGenerator.get_sourceQsB<<--  )-)9)9 & + ,,rrrBs@rrrEsG# -rrc(eZdZdZfdZdZxZS)rzUThe generator for executable-command-based credentials configs with interactive mode.cRtt| ||||t||_yr)r3rr'rinteractive_timeout_millis)r"rurrrYrr5s rr'z1InteractiveExecutableCredConfigGenerator.__init__`s+ 2 $g~{K&)*D&ED#rc|js td|j|j|j|jd}d|iS)NzW--executable-output-file must be specified if --interactive-timeout-millis is provided.)rrrYrr)rYrrrrrs rrez3InteractiveExecutableCredConfigGenerator.get_sourcefsZ    G HH<<--''&*&E&E  + ,,rrrBs@rrr]s]F -rrc.eZdZdZfdZdZdZxZS)rz/The generator for AWS-based credential configs.cHtt| tjyr)r3rr'r r)r"r5s rr'zAwsCredConfigGenerator.__init__xs #;;  ! #;;<,DDM,D,Drcy)Nz%urn:ietf:params:oauth:token-type:mtlsrrs rrdz&X509CredConfigGenerator.get_token_types 2rci}|j td|j|j|d<nd|d<|j|j|d<d|iS)Nz[--credential-cert-private-key-path must be specified if --credential-cert-path is provided.certificate_config_locationTuse_default_certificate_configrZ certificate)rXrrrZ)r"rtcertificate_configs rrez"X509CredConfigGenerator.get_sourcesz }}     (:>:O:O67=A9: (/3/D/D+, - ..rrrBs@rrmrms9 -3/rrmceZdZfdZxZS)rc8tt| ||_yr)r3rr'rs)r"rsr5s rr'zGeneratorError.__init__s .$(*DLr)rrrr'rArBs@rrrs rr)%r- __future__rrrrenumrhgooglecloudsdk.command_lib.authrgooglecloudsdk.corerrgooglecloudsdk.core.utilr sixEnumr objectrr0rDrkr}rcwith_metaclassABCMetarrrrrrrrm Exceptionrrrrrs.&' I#**  $V$N/>/, /> /0 QMh>7 ,#,,S[[&A7 t 1  0(-$7-0-/L-00>2:%/1%/PYr