U /2iv@sdZddlZddlmZddlZddlZddlmZddlm Z ddlm Z ddlm Z ddlm Z ddl mZejejejejhZd gZeed reZned d d kZerde jZn de jZdedZedZedZedZedZ Gddde j!Z!dS)zTools for using the Google `Cloud Identity and Access Management (IAM) API`_'s auth-related functionality. .. _Cloud Identity and Access Management (IAM) API: https://cloud.google.com/iam/docs/ N)_exponential_backoff)_helpers) credentials)crypt) exceptions)mtlsz#https://www.googleapis.com/auth/iamshould_use_client_certZ!GOOGLE_API_USE_CLIENT_CERTIFICATEfalsetrueziamcredentials.mtls.ziamcredentials.zhttps://z!/v1/projects/-/serviceAccounts/{}z:generateAccessTokenz :signBlobz:signJwtz:generateIdTokenc@s@eZdZdZddZddZeddZe e j dd Z d S) SigneraSigns messages using the IAM `signBlob API`_. This is useful when you need to sign bytes but do not have access to the credential's private key file. .. _signBlob API: https://cloud.google.com/iam/reference/rest/v1/projects.serviceAccounts /signBlob cCs||_||_||_dS)a Args: request (google.auth.transport.Request): The object used to make HTTP requests. credentials (google.auth.credentials.Credentials): The credentials that will be used to authenticate the request to the IAM API. The credentials must have of one the following scopes: - https://www.googleapis.com/auth/iam - https://www.googleapis.com/auth/cloud-platform service_account_email (str): The service account email identifying which service account to use to sign bytes. Often, this can be the same as the service account email in the given credentials. N)_request _credentials_service_account_email)selfrequestrZservice_account_emailr3/tmp/pip-unpacked-wheel-t7lbbs2b/google/auth/iam.py__init__SszSigner.__init__c Cst|}d}ttj|jj|j }ddi}t dt |did}t}|D]h}|j|j||||j||||d}|jtkrq\|jtjkrtd|jt |jdStdd S) z(Makes a request to the API signBlob API.POSTz Content-Typezapplication/jsonpayloadzutf-8)urlmethodbodyheadersz&Error calling the IAM signBlob API: {}z#exhausted signBlob endpoint retriesN)rto_bytes_IAM_SIGN_ENDPOINTreplacerDEFAULT_UNIVERSE_DOMAINr Zuniverse_domainformatrjsondumpsbase64 b64encodedecodeencoderZExponentialBackoffZbefore_requestr statusIAM_RETRY_CODES http_clientOKrZTransportErrordataloads) rmessagerrrrretries_responserrr_make_signing_requestgs4    zSigner._make_signing_requestcCsdS)zOptional[str]: The key ID used to identify this private key. .. warning:: This is always ``None``. The key ID used by IAM can not be reliably determined ahead of time. Nr)rrrrkey_idsz Signer.key_idcCs||}t|dS)NZ signedBlob)r/r! b64decode)rr+r.rrrsigns z Signer.signN) __name__ __module__ __qualname____doc__rr/propertyr0rZcopy_docstringrr r2rrrrr Hs  r )"r6r! http.clientclientr'rosZ google.authrrrrrZgoogle.auth.transportrINTERNAL_SERVER_ERROR BAD_GATEWAYSERVICE_UNAVAILABLEGATEWAY_TIMEOUTr&Z _IAM_SCOPEhasattrrZuse_client_certgetenvlowerrZ _IAM_DOMAINZ _IAM_BASE_URLZ _IAM_ENDPOINTrZ_IAM_SIGNJWT_ENDPOINTZ_IAM_IDTOKEN_ENDPOINTr rrrrs: