o ~j6h-@sdZddlZddlmZddlmZddlmZddlmZddlmZ ddd Z d d Z d d Z ddZ dddZ   dddZdS)aA module that provides functions for handling rapt authentication. Reauth is a process of obtaining additional authentication (such as password, security token, etc.) while refreshing OAuth 2.0 credentials for a user. Credentials that use the Reauth flow must have the reauth scope, ``https://www.googleapis.com/auth/accounts.reauth``. This module provides a high-level function for executing the Reauth process, :func:`refresh_grant`, and lower-level helpers for doing the individual steps of the reauth process. Those steps are: 1. Obtaining a list of challenges from the reauth server. 2. Running through each challenge and sending the result back to the reauth server. 3. Refreshing the access token using the returned rapt token. N) exceptions)_client) _client_async) challenges)reauthcs6d|i}|r ||d<tj|tjd||ddIdHS)aDoes initial request to reauth API to get the challenges. Args: request (google.auth.transport.Request): A callable used to make HTTP requests. This must be an aiohttp request. supported_challenge_types (Sequence[str]): list of challenge names supported by the manager. access_token (str): Access token with reauth scopes. requested_scopes (Optional(Sequence[str])): Authorized scopes for the credentials. Returns: dict: The response from the reauth API. supportedChallengeTypes oauthScopesForDomainPolicyLookupz:startT access_tokenuse_jsonN)r_token_endpoint_requestr _REAUTH_API)requestsupported_challenge_typesr requested_scopesbodyrj/var/www/html/chefvision.cloud.itp360.com/venv/lib/python3.10/site-packages/google/oauth2/_reauth_async.py_get_challenges,s rcs6||d|d}tj|tjd|||ddIdHS)azAttempt to refresh access token by sending next challenge result. Args: request (google.auth.transport.Request): A callable used to make HTTP requests. This must be an aiohttp request. session_id (str): session id returned by the initial reauth call. challenge_id (str): challenge id returned by the initial reauth call. client_input: dict with a challenge-specific client input. For example: ``{'credential': password}`` for password challenge. access_token (str): Access token with reauth scopes. Returns: dict: The response from the reauth API. RESPOND) sessionId challengeIdactionproposalResponsez /{}:continueTr N)rr rr format)r session_id challenge_id client_inputr rrrr_send_challenge_resultIs rc s|dD]N}|ddkrqtj|dd}|s,td|ddttj|j s9td|d| |}|sCdSt ||d |d ||IdHSdS) aGet the next challenge from msg and run it. Args: msg (dict): Reauth API response body (either from the initial request to https://reauth.googleapis.com/v2/sessions:start or from sending the previous challenge response to https://reauth.googleapis.com/v2/sessions/id:continue) request (google.auth.transport.Request): A callable used to make HTTP requests. This must be an aiohttp request. access_token (str): reauth access token Returns: dict: The response from the reauth API. Raises: google.auth.exceptions.ReauthError: if reauth failed. rstatusREADY challengeTypeNz4Unsupported challenge type {0}. Supported types: {1},z%Challenge {0} is not locally eligiblerr) rAVAILABLE_CHALLENGESgetrReauthFailErrorrjoinlistkeysis_locally_eligibleobtain_challenge_inputr)msgrr challengecrrrr_run_next_challengejs:   r.cst|ttj||IdH}|dtjkr|dStdtjD]9}|dtj ks;|dtj ks;t d |dtsDt dt|||IdH}|dtjkrZ|dSq!t d)aGiven an http request method and reauth access token, get rapt token. Args: request (google.auth.transport.Request): A callable used to make HTTP requests. This must be an aiohttp request. access_token (str): reauth access token requested_scopes (Sequence[str]): scopes required by the client application Returns: str: The rapt token. Raises: google.auth.exceptions.ReauthError: if reauth failed NrencodedProofOfReauthTokenrz6Reauthentication challenge failed due to API error: {}z_Reauthentication challenge could not be answered because you are not in an interactive session.zFailed to obtain rapt token.)rr'rr#r(r_AUTHENTICATEDrangeRUN_CHALLENGE_RETRY_LIMIT_CHALLENGE_REQUIRED_CHALLENGE_PENDINGrr%ris_interactiver.)rr rr+_rrr _obtain_rapts4    r7c sNtjdtj|||||tjgdIdH\}}}}t|||dIdH}|S)aGiven an http request method and refresh_token, get rapt token. Args: request (google.auth.transport.Request): A callable used to make HTTP requests. This must be an aiohttp request. client_id (str): client id to get access token for reauth scope. client_secret (str): client secret for the client_id refresh_token (str): refresh token to refresh access token token_uri (str): uri to refresh access token scopes (Optional(Sequence[str])): scopes required by the client application Returns: str: The rapt token. Raises: google.auth.exceptions.RefreshError: If reauth failed. zReauthentication required. )r client_id client_secret refresh_token token_uriscopesN)r)sysstderrwriter refresh_grantr _REAUTH_SCOPEr7) rr8r9r:r;r<r r6 rapt_tokenrrrget_rapt_tokens  rCFc stj|||d}|rd||d<|r||d<t|||IdH\} } } | sd| dtjkrd| dtjks?| dtj krd|sFt dt ||||||d IdH}||d<t|||IdH\} } } | slt | | t| |} | |fS) avImplements the reauthentication flow. Args: request (google.auth.transport.Request): A callable used to make HTTP requests. This must be an aiohttp request. token_uri (str): The OAuth 2.0 authorizations server's token endpoint URI. refresh_token (str): The refresh token to use to get a new access token. client_id (str): The OAuth 2.0 application's client ID. client_secret (str): The Oauth 2.0 appliaction's client secret. scopes (Optional(Sequence[str])): Scopes to request. If present, all scopes must be authorized for the refresh token. Useful if refresh token has a wild card scope (e.g. 'https://www.googleapis.com/auth/any-api'). rapt_token (Optional(str)): The rapt token for reauth. enable_reauth_refresh (Optional[bool]): Whether reauth refresh flow should be used. The default value is False. This option is for gcloud only, other users should use the default value. Returns: Tuple[str, Optional[str], Optional[datetime], Mapping[str, str], str]: The access token, new refresh token, expiration, the additional data returned by the token endpoint, and the rapt token. Raises: google.auth.exceptions.RefreshError: If the token endpoint returned an error. ) grant_typer8r9r: scoperaptNerror error_subtypezaReauthentication is needed. Please run `gcloud auth application-default login` to reauthenticate.)r<)r_REFRESH_GRANT_TYPEr&r _token_endpoint_request_no_throwr$r_REAUTH_NEEDED_ERROR!_REAUTH_NEEDED_ERROR_INVALID_RAPT"_REAUTH_NEEDED_ERROR_RAPT_REQUIREDr RefreshErrorrC_handle_error_response_handle_refresh_grant_response) rr;r:r8r9r<rBenable_reauth_refreshrresponse_status_ok response_dataretryable_errorrefresh_responserrrr@sV(    r@)N)NNF)__doc__r= google.authr google.oauth2rrrrrrr.r7rCr@rrrrs$      !14 +