U h-j@sdZddlZddlZddlmZddlmZddlZddlm Z ddlm Z ddlm Z ddlm Z ddlm Z dd lmZdd lmZdd lmZd Zd ZdZdZdZdZdZe jdfddZGddde je je je jZGddde jZ gfddZ!dS)aGoogle Cloud Impersonated credentials. This module provides authentication for applications where local credentials impersonates a remote service account using `IAM Credentials API`_. This class can be used to impersonate a service account as long as the original Credential object has the "Service Account Token Creator" role on the target service account. .. _IAM Credentials API: https://cloud.google.com/iam/credentials/reference/rest/ N)datetime)_exponential_backoff)_helpers credentials) exceptions)iam)jwt)metrics)_clientz*Unable to acquire impersonated credentialsiz#https://oauth2.googleapis.com/tokenzKhttps://iamcredentials.{}/v1/projects/-/serviceAccounts/{}/allowedLocationsZauthorized_userservice_account external_account_authorized_userc Cs|ptjtj||}t|d}||d||d}t |j drR|j dn|j }|j t jkrptt|z,t|} | d} t| dd} | | fWSttfk r} ztdt|} | | W5d } ~ XYnXd S) aMakes a request to the Google Cloud IAM service for an access token. Args: request (Request): The Request object to use. principal (str): The principal to request an access token for. headers (Mapping[str, str]): Map of headers to transmit. body (Mapping[str, str]): JSON Payload body for the iamcredentials API call. iam_endpoint_override (Optiona[str]): The full IAM endpoint override with the target_principal embedded. This is useful when supporting impersonation with regional endpoints. Raises: google.auth.exceptions.TransportError: Raised if there is an underlying HTTP connection error google.auth.exceptions.RefreshError: Raised if the impersonated credentials are not available. Common reasons are `iamcredentials.googleapis.com` is not enabled or the `Service Account Token Creator` is not assigned utf-8POSTurlmethodheadersbodydecodeZ accessTokenZ expireTimez%Y-%m-%dT%H:%M:%SZz6{}: No access token or invalid expiration in response.N)rZ _IAM_ENDPOINTreplacerDEFAULT_UNIVERSE_DOMAINformatjsondumpsencodehasattrdatarstatus http_clientOKr RefreshError_REFRESH_ERRORloadsrstrptimeKeyError ValueError)request principalrruniverse_domainiam_endpoint_override iam_endpointresponse response_bodyZtoken_responsetokenexpiry caught_excnew_excr2H/tmp/pip-unpacked-wheel-p8k_kup9/google/auth/impersonated_credentials.py_make_iam_token_request<s6      r4cseZdZdZddedddffdd ZddZddZd d Zd d Z e d dZ e ddZ e ddZ e ddZeejddZddZeejddZeejddZeejd!ddZed"dd ZZS)# Credentialsar This module defines impersonated credentials which are essentially impersonated identities. Impersonated Credentials allows credentials issued to a user or service account to impersonate another. The target service account must grant the originating credential principal the `Service Account Token Creator`_ IAM role: For more information about Token Creator IAM role and IAMCredentials API, see `Creating Short-Lived Service Account Credentials`_. .. _Service Account Token Creator: https://cloud.google.com/iam/docs/service-accounts#the_service_account_token_creator_role .. _Creating Short-Lived Service Account Credentials: https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials Usage: First grant source_credentials the `Service Account Token Creator` role on the target account to impersonate. In this example, the service account represented by svc_account.json has the token creator role on `impersonated-account@_project_.iam.gserviceaccount.com`. Enable the IAMCredentials API on the source project: `gcloud services enable iamcredentials.googleapis.com`. Initialize a source credential which does not have access to list bucket:: from google.oauth2 import service_account target_scopes = [ 'https://www.googleapis.com/auth/devstorage.read_only'] source_credentials = ( service_account.Credentials.from_service_account_file( '/path/to/svc_account.json', scopes=target_scopes)) Now use the source credentials to acquire credentials to impersonate another service account:: from google.auth import impersonated_credentials target_credentials = impersonated_credentials.Credentials( source_credentials=source_credentials, target_principal='impersonated-account@_project_.iam.gserviceaccount.com', target_scopes = target_scopes, lifetime=500) Resource access is granted:: client = storage.Client(credentials=target_credentials) buckets = client.list_buckets(project='your_project') for bucket in buckets: print(bucket.name) **IMPORTANT**: This class does not validate the credential configuration. A security risk occurs when a credential configuration configured with malicious urls is used. When the credential configuration is accepted from an untrusted source, you should validate it before using. Refer https://cloud.google.com/docs/authentication/external/externally-sourced-credentials for more details. Nc stt|t||_t|jtjrX|jt j |_t |jdrX|jj rX|j d|j|_||_||_||_||_|p~t|_d|_t|_||_||_d|_| |_dS)ap Args: source_credentials (google.auth.Credentials): The source credential used as to acquire the impersonated credentials. target_principal (str): The service account to impersonate. target_scopes (Sequence[str]): Scopes to request during the authorization grant. delegates (Sequence[str]): The chained list of delegates required to grant the final access_token. If set, the sequence of identities must have "Service Account Token Creator" capability granted to the prceeding identity. For example, if set to [serviceAccountB, serviceAccountC], the source_credential must have the Token Creator role on serviceAccountB. serviceAccountB must have the Token Creator on serviceAccountC. Finally, C must have Token Creator on target_principal. If left unset, source_credential must have that role on target_principal. lifetime (int): Number of seconds the delegated credential should be valid for (upto 3600). quota_project_id (Optional[str]): The project ID used for quota and billing. This project may be different from the project used to create the credentials. iam_endpoint_override (Optional[str]): The full IAM endpoint override with the target_principal embedded. This is useful when supporting impersonation with regional endpoints. subject (Optional[str]): sub field of a JWT. This field should only be set if you wish to impersonate as a user. This feature is useful when using domain wide delegation. trust_boundary (Mapping[str,str]): A credential trust boundary. _create_self_signed_jwtN)superr5__init__copy_source_credentials isinstancerScoped with_scopesrZ _IAM_SCOPErZ_always_use_jwt_accessr6r)Z_universe_domain_target_principal_target_scopes _delegates_subject_DEFAULT_TOKEN_LIFETIME_SECS _lifetimer.rutcnowr/_quota_project_id_iam_endpoint_override_cred_file_path_trust_boundary) selfsource_credentialstarget_principal target_scopes delegatessubjectlifetimequota_project_idr*trust_boundary __class__r2r3r8s.,     zCredentials.__init__cCstjSN)r ZCRED_TYPE_SA_IMPERSONATErIr2r2r3_metric_header_for_usagesz$Credentials._metric_header_for_usagecCs|jjtjjks |jjtjjkr,|j||j|jt |j dd}ddt j t i}|j||jr|jtjkrtdt}|jt|jpd|jtt|t|td}t||j|||jd}t|t|\|_|_}d St ||j|||j|j!d \|_|_d S) zUpdates credentials with a new access_token representing the impersonated account. Args: request (google.auth.transport.requests.Request): Request object to use for refreshing credentials. s)rMscoperO Content-Typeapplication/jsonzNDomain-wide delegation is not supported in universes other than googleapis.comr2)ZissrXsubZaudZiatexp)r'r(rpayloadrMN)r'r(rrr)r*)"r:Z token_staterZ TokenStateZSTALEINVALIDrefreshr@r?strrCr API_CLIENT_HEADERZ&token_request_access_token_impersonateapplyrAr)rrGoogleAuthErrorrrDr>Zscopes_to_string_GOOGLE_OAUTH2_TOKEN_ENDPOINTZdatetime_to_secsrB_sign_jwt_requestr Z jwt_grantr.r/r4rF)rIr'rrnowr]Z assertion_r2r2r3_refresh_tokensb       zCredentials._refresh_tokencCs|jstdt|j|jS)aBuilds and returns the URL for the trust boundary lookup API. This method constructs the specific URL for the IAM Credentials API's `allowedLocations` endpoint, using the credential's universe domain and service account email. Raises: ValueError: If `self.service_account_email` is None or an empty string, as it's required to form the URL. Returns: str: The URL for the trust boundary lookup endpoint. zIService account email is required to build the trust boundary lookup URL.)service_account_emailr&_TRUST_BOUNDARY_LOOKUP_ENDPOINTrr)rUr2r2r3 _build_trust_boundary_lookup_url[sz,Credentials._build_trust_boundary_lookup_urlc Csddlm}tjtj|j|j }t | d|j d}ddi}||j}zlt}|D]Z}|j|||d} | jtjkrq^| jtjkrtd| t | d WSW5|Xtd dS) NrAuthorizedSessionr)r]rMrYrZ)rrrzError calling sign_bytes: {}Z signedBlobz#exhausted signBlob endpoint retries)google.auth.transport.requestsrmrZ_IAM_SIGN_ENDPOINTrrrr)rr>base64 b64encoderr@r:closerZExponentialBackoffpost status_codeZIAM_RETRY_CODESrr rZTransportErrorr b64decode) rImessagermiam_sign_endpointrrauthed_sessionretriesrgr,r2r2r3 sign_bytesqs:      zCredentials.sign_bytescCs|jSrTr>rUr2r2r3 signer_emailszCredentials.signer_emailcCs|jSrTrzrUr2r2r3risz!Credentials.service_account_emailcCs|SrTr2rUr2r2r3signerszCredentials.signercCs|j SrT)r?rUr2r2r3requires_scopesszCredentials.requires_scopescCs|jr|jd|jdSdS)Nzimpersonated credentials)Zcredential_sourceZcredential_typer()rGr>rUr2r2r3 get_cred_infos zCredentials.get_cred_infoc Cs6|j|j|j|j|j|j|j|j|jd}|j |_ |S)N)rKrLrMrOrPr*rQ) rSr:r>r?r@rCrErFrHrG)rIcredr2r2r3 _make_copys zCredentials._make_copycCs|}||_|SrT)rrH)rIrQrr2r2r3with_trust_boundaryszCredentials.with_trust_boundarycCs|}||_|SrT)rrE)rIrPrr2r2r3with_quota_projectszCredentials.with_quota_projectcCs|}|p||_|SrT)rr?)rIscopesZdefault_scopesrr2r2r3r=s zCredentials.with_scopescCs|d}|d}|tkr6ddlm}|j|}nT|tkrXddlm}|j|}n2|t krzddl m }|j |}nt d||d} | d } | d } | d ks| d ks| | krt d | | | d | } |d} |d}||| || |dS)aCreates a Credentials instance from parsed impersonated service account credentials info. **IMPORTANT**: This method does not validate the credential configuration. A security risk occurs when a credential configuration configured with malicious urls is used. When the credential configuration is accepted from an untrusted source, you should validate it before using with this method. Refer https://cloud.google.com/docs/authentication/external/externally-sourced-credentials for more details. Args: info (Mapping[str, str]): The impersonated service account credentials info in Google format. scopes (Sequence[str]): Optional list of scopes to include in the credentials. Returns: google.oauth2.credentials.Credentials: The constructed credentials. Raises: InvalidType: If the info["source_credentials"] are not a supported impersonation type InvalidValue: If the info["service_account_impersonation_url"] is not in the expected format. ValueError: If the info is not in the expected format. rJtyperr)r )r z.source credential of type {} is not supported.Z!service_account_impersonation_url/z:generateAccessTokenz'Cannot extract target principal from {}rMrP)rP)get'_SOURCE_CREDENTIAL_AUTHORIZED_USER_TYPE google.oauth2rr5Zfrom_authorized_user_info'_SOURCE_CREDENTIAL_SERVICE_ACCOUNT_TYPEr Zfrom_service_account_info8_SOURCE_CREDENTIAL_EXTERNAL_ACCOUNT_AUTHORIZED_USER_TYPE google.authr Z from_inforZ InvalidTyperrfindfindZ InvalidValue)clsinforZsource_credentials_infoZsource_credentials_typerrJr r Zimpersonation_url start_indexZ end_indexrKrMrPr2r2r3&from_impersonated_service_account_infosT          z2Credentials.from_impersonated_service_account_info)N)N)__name__ __module__ __qualname____doc__rBr8rVrhrkrypropertyr{rir|r}rcopy_docstringrr5r~rCredentialsWithTrustBoundaryrCredentialsWithQuotaProjectrr<r= classmethodr __classcell__r2r2rRr3r5zs>JKH"            r5csdeZdZdZdfdd ZdddZdd Zd d Ze e j d d Z e e j ddZZS)IDTokenCredentialsz;Open ID Connect ID Token-based service account credentials.NFcs>tt|t|ts"td||_||_||_ ||_ dS)a Args: target_credentials (google.auth.Credentials): The target credential used as to acquire the id tokens for. target_audience (string): Audience to issue the token for. include_email (bool): Include email in IdToken quota_project_id (Optional[str]): The project ID used for quota and billing. z4Provided Credential must be impersonated_credentialsN) r7rr8r;r5rrc_target_credentials_target_audience_include_emailrE)rItarget_credentialstarget_audience include_emailrPrRr2r3r8s zIDTokenCredentials.__init__cCs|j|||j|jdSN)rrrrP)rSrrE)rIrrr2r2r3from_credentials9s z#IDTokenCredentials.from_credentialscCs|j|j||j|jdSr)rSrrrE)rIrr2r2r3with_target_audienceAs z'IDTokenCredentials.with_target_audiencecCs|j|j|j||jdSr)rSrrrE)rIrr2r2r3with_include_emailIs z%IDTokenCredentials.with_include_emailcCs|j|j|j|j|dSr)rSrrr)rIrPr2r2r3rQs z%IDTokenCredentials.with_quota_projectc Csddlm}tjtj|jj |jj }|j |jj |j d}ddtjti}||jj|d}z |j||t|dd}W5|X|jtjkrtd ||d }||_ttj |d d d |_!dS)Nrrl)ZaudiencerMZ includeEmailrYrZ)Z auth_requestr)rrrzError getting ID token: {}r.F)verifyr\)"rnrmrZ_IAM_IDTOKEN_ENDPOINTrrrrr)rr{rr@rr raZ"token_request_id_token_impersonater:rqrrrrrrsrr rr!r.rutcfromtimestampr rr/) rIr'rmrvrrrwr,Zid_tokenr2r2r3r_ZsH      zIDTokenCredentials.refresh)NFN)N)rrrrr8rrrrrrrrr5r_rr2r2rRr3rs    rc Cstj|}|t|d}t|d}||d||d}t|jdrT|jdn|j}|j t j krrt t|zt|} | d} | WSttfk r} zt dt|} | | W5d} ~ XYnXdS) aMakes a request to the Google Cloud IAM service to sign a JWT using a service account's system-managed private key. Args: request (Request): The Request object to use. principal (str): The principal to request an access token for. headers (Mapping[str, str]): Map of headers to transmit. payload (Mapping[str, str]): The JWT payload to sign. Must be a serialized JSON object that contains a JWT Claims Set. delegates (Sequence[str]): The chained list of delegates required to grant the final access_token. If set, the sequence of identities must have "Service Account Token Creator" capability granted to the prceeding identity. For example, if set to [serviceAccountB, serviceAccountC], the source_credential must have the Token Creator role on serviceAccountB. serviceAccountB must have the Token Creator on serviceAccountC. Finally, C must have Token Creator on target_principal. If left unset, source_credential must have that role on target_principal. Raises: google.auth.exceptions.TransportError: Raised if there is an underlying HTTP connection error google.auth.exceptions.RefreshError: Raised if the impersonated credentials are not available. Common reasons are `iamcredentials.googleapis.com` is not enabled or the `Service Account Token Creator` is not assigned )rMr]rrrrZ signedJwtz{}: No signed JWT in response.N)rZ_IAM_SIGNJWT_ENDPOINTrrrrrrrrrr rr!r"r#r%r&) r'r(rr]rMr+rr,r-Z jwt_responseZ signed_jwtr0r1r2r2r3res(     re)"rror9r http.clientclientrrrrrrrrr r rr r"rBrdrjrrrrr4r<rZSigningrr5rrer2r2r2r3sH             > $l