idZddlZddlmZddlZddlmZddlmZddlm Z ddlm Z ddlm Z ddl m Z ejejejejhZd gZee d re jr d e jZn d e jZd edZedzZedzZedzZedzZd edZd edZd edZGdde j Z dS)zTools for using the Google `Cloud Identity and Access Management (IAM) API`_'s auth-related functionality. .. _Cloud Identity and Access Management (IAM) API: https://cloud.google.com/iam/docs/ N)_exponential_backoff)_helpers) credentials)crypt) exceptions) _mtls_helperz#https://www.googleapis.com/auth/iamcheck_use_client_certziamcredentials.mtls.ziamcredentials.zhttps://z!/v1/projects/-/serviceAccounts/{}z:generateAccessTokenz :signBlobz:signJwtz:generateIdTokenzG/v1/projects/-/serviceAccounts/{service_account_email}/allowedLocationsz>/v1/locations/global/workforcePools/{pool_id}/allowedLocationsz_/v1/projects/{project_number}/locations/global/workloadIdentityPools/{pool_id}/allowedLocationscpeZdZdZdZdZedZej e j dZ dS)SigneraSigns messages using the IAM `signBlob API`_. This is useful when you need to sign bytes but do not have access to the credential's private key file. .. _signBlob API: https://cloud.google.com/iam/reference/rest/v1/projects.serviceAccounts /signBlob c0||_||_||_dS)a Args: request (google.auth.transport.Request): The object used to make HTTP requests. credentials (google.auth.credentials.Credentials): The credentials that will be used to authenticate the request to the IAM API. The credentials must have of one the following scopes: - https://www.googleapis.com/auth/iam - https://www.googleapis.com/auth/cloud-platform service_account_email (str): The service account email identifying which service account to use to sign bytes. Often, this can be the same as the service account email in the given credentials. N)_request _credentials_service_account_email)selfrequestrservice_account_emails P/usr/local/lib/hermes-agent/venv/lib/python3.11/site-packages/google/auth/iam.py__init__zSigner.__init__Ps!   '&;###c(tj|}d}ttj|jj|j }ddi}tj dtj |did}t!j}|D]}|j|j||||||||}|jt*vrL|jt,jkr,t1jd|jtj|jdcSt1jd) z(Makes a request to the API signBlob API.POSTz Content-Typezapplication/jsonpayloadzutf-8)urlmethodbodyheadersz&Error calling the IAM signBlob API: {}z#exhausted signBlob endpoint retries)rto_bytes_IAM_SIGN_ENDPOINTreplacerDEFAULT_UNIVERSE_DOMAINruniverse_domainformatrjsondumpsbase64 b64encodedecodeencoderExponentialBackoffbefore_requestr statusIAM_RETRY_CODES http_clientOKrTransportErrordataloads) rmessagerrrrretries_responses r_make_signing_requestzSigner._make_signing_requestdss#G,, ((  /1B1R  &, - - "#56z (1188AA B  &// '9;; = =A   , ,T]FC Q Q Q}}V$PW}XXH/11+.00 /<CCHMRR:hm227;;<< < < <'(MNNNrcdS)zOptional[str]: The key ID used to identify this private key. .. warning:: This is always ``None``. The key ID used by IAM can not be reliably determined ahead of time. N)rs rkey_idz Signer.key_ids trc`||}tj|dS)N signedBlob)r6r% b64decode)rr2r5s rsignz Signer.signs+--g66 6777rN) __name__ __module__ __qualname____doc__rr6propertyr9rcopy_docstringrr r=r8rrr r Es<<<(OOO<XXU\**88+*888rr )!rAr% http.clientclientr-r# google.authrrrrrgoogle.auth.transportrINTERNAL_SERVER_ERROR BAD_GATEWAYSERVICE_UNAVAILABLEGATEWAY_TIMEOUTr, _IAM_SCOPEhasattrr r _IAM_DOMAIN _IAM_BASE_URL _IAM_ENDPOINTr_IAM_SIGNJWT_ENDPOINT_IAM_IDTOKEN_ENDPOINT9_SERVICE_ACCOUNT_REGIONAL_ACCESS_BOUNDARY_LOOKUP_ENDPOINT8_WORKFORCE_POOL_REGIONAL_ACCESS_BOUNDARY_LOOKUP_ENDPOINT@_WORKLOAD_IDENTITY_POOL_REGIONAL_ACCESS_BOUNDARY_LOOKUP_ENDPOINTr r8rrrVs !!!!!! ,,,,,, ######""""""......%# 4 4  GL122J* *,,J O)LNNKKIK$GIIKL;KKK  66 "[0% 2%(::=^{=^=^=^9