LdZddlmZddlmZddlmZddlZddlmZddlm Z ddl m Z dd l mZdd l mZdd lmZd Zd ZGddej(ZGddeZGddeZGdde j.e j0ZGdde j4ZddZy)z,google-auth p12 service account credentials.)absolute_import)division)unicode_literalsN)_helpers)base)service_account) exceptions)log)encoding notasecretz2.5ceZdZdZy)Errorz!Base Error class for this module.N__name__ __module__ __qualname____doc__:lib/googlecloudsdk/core/credentials/p12_service_account.pyrr#s)rrceZdZdZy)MissingRequiredFieldsErrorzDError when required fields are missing to construct p12 credentials.Nrrrrrr'sLrrceZdZdZy)MissingDependencyErrorz7Error when missing a dependency to use p12 credentials.Nrrrrrr+s?rrc>eZdZdZdZedZdZeddZ y) PKCS12Signerz@Signer for a p12 service account key based on pyca/cryptography.c||_yN)_key)selfkeys r__init__zPKCS12Signer.__init__2s DIrcyrrr s rkey_idzPKCS12Signer.key_id6s rctj|}ddlm}|jj ||j |jS)Nr)_cryptography_rsa)rto_bytesgoogle.auth.cryptr'rsign_PADDING_SHA256)r messager's rr*zPKCS12Signer.sign:s?(G3 99>>""!! ##rNc~d|D\}}ddlm}ddlm}|j |||j \}}}||S)Nc3FK|]}tj|ywr)rr().0ks r z+PKCS12Signer.from_string..EsF+QH--a0+s!r)pkcs12)backends)backend),cryptography.hazmat.primitives.serializationr3cryptography.hazmatr4load_key_and_certificatesdefault_backend) cls key_stringsr% key_stringpasswordr3r4r!_s r from_stringzPKCS12Signer.from_stringBsOF+FJC,00Hh&>&>&@1BICA s8Orr) rrrrr"propertyr%r* classmethodr?rrrrr/s7H  #rrcHeZdZdZdZedZedZe ddZ y) Credentialsagoogle-auth service account credentials using p12 keys. p12 keys are not supported by the google-auth service account credentials. gcloud uses oauth2client to support p12 key users. Since oauth2client was deprecated and bundling it is security concern, we decided to support p12 in gcloud codebase. We prefer not adding it to the google-auth library because p12 is not supported from the beginning by google-auth. GCP strongly suggests users to use the JSON format. gcloud has to support it to not break users. oauth2client uses PyOpenSSL to handle p12 keys. PyOpenSSL deprecated p12 support from version 20.0.0 and encourages to use pyca/cryptography for anything other than TLS connections. )service_account_email token_uriscopesc|jSr)_private_key_pkcs12r$s rprivate_key_pkcs12zCredentials.private_key_pkcs12_s  # ##rc|jSr)_private_key_passwordr$s rprivate_key_passwordz Credentials.private_key_passwordcs  % %%rNc |xst}tj||f}|jDcgc] }||vs| }}|r)t dj dj |||fi|}||_||_|Scc}w)NzMissing fields: {}.z, ) _DEFAULT_PASSWORDrr?_REQUIRED_FIELDSrformatjoinrHrK)r:r<r=kwargssignerfmissing_fieldscredss r%from_service_account_pkcs12_keystringz1Credentials.from_service_account_pkcs12_keystringgs ,,H  % %z8&< =F!$!5!5I!5A&a!5NI &'<'C'C ))N #(% &&  !& !E !+E"*E LJs BBr) rrrrrOr@rIrLrArWrrrrCrCMsO F $ $ & &6:rrCc 6tjd tj||fi|S#t$rat j tjdstdjttdjtwxYw)zCCreates a service account from a p12 key and handles import errors.z.p12 service account keys are not recommended unless it is necessary for backwards compatibility. Please switch to a newer .json service account key for this account.CLOUDSDK_PYTHON_SITEPACKAGESapyca/cryptography is not available. Please install or upgrade it to a version >= {} and set the environment variable CLOUDSDK_PYTHON_SITEPACKAGES to 1. If that does not work, see https://developers.google.com/cloud/sdk/crypto for details or consider using .json private key instead.zpyca/cryptography is not available or the version is < {}. Please install or upgrade it to a newer version. See https://developers.google.com/cloud/sdk/crypto for details or consider using .json private key instead.) r warningrCrW ImportErrorr GetEncodedValueosenvironrrP_PYCA_CRYPTOGRAPHY_MIN_VERSION)r<r=rRs rCreateP12ServiceAccountr`~s++DE4  < <H ( & (( 4  # #BJJ0N O " : F1 2  44 # : F1 2  444s .A*Br)r __future__rrrr] google.authrr)r crypt_base google.oauth2rgooglecloudsdk.corer r googlecloudsdk.core.utilr rNr_rrrSignerFromServiceAccountMixinrrCr`rrrris3&' 0)*#- !&*J  *MM@U@:$$j&H&H<./--.b4r