o ~j6hC@sdZddlZddlmZddlZddlZddlmZddlm Z ddlm Z ddlm Z ddlm Z ddlm Z dd lmZd Zd Zd Zd ZddZddZddZ    d$ddZ    d$ddZd%ddZe jfddZd%ddZd d!Z   d&d"d#ZdS)'aOAuth 2.0 client. This is a client for interacting with an OAuth 2.0 authorization server's token endpoint. For more information about the token endpoint, see `Section 3.1 of rfc6749`_ .. _Section 3.1 of rfc6749: https://tools.ietf.org/html/rfc6749#section-3.2 N)_exponential_backoff)_helpers) credentials) exceptions)jwt)metrics) transportz!application/x-www-form-urlencodedzapplication/jsonz+urn:ietf:params:oauth:grant-type:jwt-bearer refresh_tokenc Csp|r|nd}t|trtj||dz d|d|d}Wnttfy/t |}Ynwtj|||d)aXTranslates an error response into an exception. Args: response_data (Mapping | str): The decoded response data. retryable_error Optional[bool]: A boolean indicating if an error is retryable. Defaults to False. Raises: google.auth.exceptions.RefreshError: The errors contained in response_data. F retryablez{}: {}errorerror_description) isinstancestrr RefreshErrorformatgetKeyError ValueErrorjsondumps) response_dataretryable_error error_detailsrd/var/www/html/chefvision.cloud.itp360.com/venv/lib/python3.10/site-packages/google/oauth2/_client.py_handle_error_response-s rcs|tjvrdSz2|dpd}|dpd}t|tr t|ts#WdShdtfdd||fDr7WdSWdStyCYdSw) a;Checks if a request can be retried by inspecting the status code and response body of the request. Args: status_code (int): The response status code. response_data (Mapping | str): The decoded response data. Returns: bool: True if the response is retryable. False otherwise. Tr r F> server_errorinternal_failuretemporarily_unavailablec3s|]}|vVqdS)Nr).0eretryable_error_descriptionsrr hsz_can_retry..)rDEFAULT_RETRYABLE_STATUS_CODESrrranyAttributeError) status_coder error_desc error_coderr#r _can_retryJs  r,cCs>|dd}|durt|trt|}ttj|dSdS)zParses the expiry field from a response into a datetime. Args: response_data (Mapping): The JSON-parsed response data. Returns: Optional[datetime]: The expiration or ``None`` if no expiration was specified. expires_inN)seconds)rrrintrutcnowdatetime timedelta)rr-rrr _parse_expiryqs  r3FTc Ks|rdti}t|d}n dti}tj|d}|r%d||d<|r,| |i} d} t } | D]O} |d d|||d|} t | j drP| j dn| j }zt|} Wn tye|} Ynw| jtjkrsd | d fSt| j| d } |r~| sd| | fSq6d| | fS) aMakes a request to the OAuth 2.0 authorization server's token endpoint. This function doesn't throw on response errors. Args: request (google.auth.transport.Request): A callable used to make HTTP requests. token_uri (str): The OAuth 2.0 authorizations server's token endpoint URI. body (Mapping[str, str]): The parameters to send in the request body. access_token (Optional(str)): The access token needed to make the request. use_json (Optional(bool)): Use urlencoded format or json format for the content type. The default value is False. can_retry (bool): Enable or disable request retry behavior. headers (Optional[Mapping[str, str]]): The headers for the request. kwargs: Additional arguments passed on to the request method. The kwargs will be passed to `requests.request` method, see: https://docs.python-requests.org/en/latest/api/#requests.request. For example, you can use `cert=("cert_pem_path", "key_pem_path")` to set up client side SSL certificate, and use `verify="ca_bundle_path"` to set up the CA certificates for sever side SSL certificate verification. Returns: Tuple(bool, Mapping[str, str], Optional[bool]): A boolean indicating if the request is successful, a mapping for the JSON-decoded response data and in the case of an error a boolean indicating if the error is retryable. z Content-Typezutf-8z Bearer {} AuthorizationFPOST)methodurlheadersbodydecodeTN)r)rr)_JSON_CONTENT_TYPErrencode_URLENCODED_CONTENT_TYPEurllibparse urlencoderupdaterExponentialBackoffhasattrdatar:loadsrstatus http_clientOKr,)request token_urir9 access_tokenuse_json can_retryr8kwargsheaders_to_userrretries_response response_bodyrrr _token_endpoint_request_no_throwsH&     rTc Ks6t|||f||||d|\}} } |st| | | S)alMakes a request to the OAuth 2.0 authorization server's token endpoint. Args: request (google.auth.transport.Request): A callable used to make HTTP requests. token_uri (str): The OAuth 2.0 authorizations server's token endpoint URI. body (Mapping[str, str]): The parameters to send in the request body. access_token (Optional(str)): The access token needed to make the request. use_json (Optional(bool)): Use urlencoded format or json format for the content type. The default value is False. can_retry (bool): Enable or disable request retry behavior. headers (Optional[Mapping[str, str]]): The headers for the request. kwargs: Additional arguments passed on to the request method. The kwargs will be passed to `requests.request` method, see: https://docs.python-requests.org/en/latest/api/#requests.request. For example, you can use `cert=("cert_pem_path", "key_pem_path")` to set up client side SSL certificate, and use `verify="ca_bundle_path"` to set up the CA certificates for sever side SSL certificate verification. Returns: Mapping[str, str]: The JSON-decoded response data. Raises: google.auth.exceptions.RefreshError: If the token endpoint returned an error. )rKrLrMr8)rTr) rIrJr9rKrLrMr8rNresponse_status_okrrrrr_token_endpoint_requests'  rVc Cst|td}t||||tjtid}z|d}Wnty0}z tjd|dd}||d}~wwt|} || |fS)aImplements the JWT Profile for OAuth 2.0 Authorization Grants. For more details, see `rfc7523 section 4`_. Args: request (google.auth.transport.Request): A callable used to make HTTP requests. token_uri (str): The OAuth 2.0 authorizations server's token endpoint URI. assertion (str): The OAuth 2.0 assertion. can_retry (bool): Enable or disable request retry behavior. Returns: Tuple[str, Optional[datetime], Mapping[str, str]]: The access token, expiration, and additional data returned by the token endpoint. Raises: google.auth.exceptions.RefreshError: If the token endpoint returned an error. .. _rfc7523 section 4: https://tools.ietf.org/html/rfc7523#section-4  assertion grant_typerMr8rKNo access token in response.Fr N) _JWT_GRANT_TYPErVrAPI_CLIENT_HEADER'token_request_access_token_sa_assertionrrrr3) rIrJrXrMr9rrK caught_excnew_excexpiryrrr jwt_grants(    rbc Cs|ddd}t||tj||||dd}z|d}Wnty4} z tjd|dd} | | d } ~ wwtj |dd } t j | d } || fS) a!Call iam.generateIdToken endpoint to get ID token. Args: request (google.auth.transport.Request): A callable used to make HTTP requests. iam_id_token_endpoint (str): The IAM ID token endpoint to use. signer_email (str): The signer email used to form the IAM generateIdToken endpoint. audience (str): The audience for the ID token. access_token (str): The access token used to call the IAM endpoint. Returns: Tuple[str, datetime]: The ID token and expiration. true)audience includeEmail useEmailAzpT)rKrLtokenNo ID token in response.Fr Nverifyexp) rVreplacerDEFAULT_UNIVERSE_DOMAINrrrrrr:r1utcfromtimestamp) rIiam_id_token_endpoint signer_emailrdrKuniverse_domainr9rid_tokenr_r`payloadrarrr#call_iam_generate_id_token_endpointBs.  rtc Cs|td}t||||tjtid}z|d}Wnty0}z tjd|dd}||d}~wwtj |dd} t j | d } || |fS) a:Implements the JWT Profile for OAuth 2.0 Authorization Grants, but requests an OpenID Connect ID Token instead of an access token. This is a variant on the standard JWT Profile that is currently unique to Google. This was added for the benefit of authenticating to services that require ID Tokens instead of access tokens or JWT bearer tokens. Args: request (google.auth.transport.Request): A callable used to make HTTP requests. token_uri (str): The OAuth 2.0 authorization server's token endpoint URI. assertion (str): JWT token signed by a service account. The token's payload must include a ``target_audience`` claim. can_retry (bool): Enable or disable request retry behavior. Returns: Tuple[str, Optional[datetime], Mapping[str, str]]: The (encoded) Open ID Connect ID Token, expiration, and additional data returned by the endpoint. Raises: google.auth.exceptions.RefreshError: If the token endpoint returned an error. rWrZrrrhFr Nrirk) r\rVrr]#token_request_id_token_sa_assertionrrrrr:r1rn) rIrJrXrMr9rrrr_r`rsrarrrid_token_jwt_grantrs*    rvc Cs\z|d}Wnty}z tjd|dd}||d}~ww|d|}t|}||||fS)aWExtract tokens from refresh grant response. Args: response_data (Mapping[str, str]): Refresh grant response data. refresh_token (str): Current refresh token. Returns: Tuple[str, str, Optional[datetime], Mapping[str, str]]: The access token, refresh token, expiration, and additional data returned by the token endpoint. If response_data doesn't have refresh token, then the current refresh token will be returned. Raises: google.auth.exceptions.RefreshError: If the token endpoint returned an error. rKr[Fr Nr )rrrrr3)rr rKr_r`rarrr_handle_refresh_grant_responses   rwc CsFt|||d}|rd||d<|r||d<t||||d} t| |S)a&Implements the OAuth 2.0 refresh token grant. For more details, see `rfc678 section 6`_. Args: request (google.auth.transport.Request): A callable used to make HTTP requests. token_uri (str): The OAuth 2.0 authorizations server's token endpoint URI. refresh_token (str): The refresh token to use to get a new access token. client_id (str): The OAuth 2.0 application's client ID. client_secret (str): The Oauth 2.0 appliaction's client secret. scopes (Optional(Sequence[str])): Scopes to request. If present, all scopes must be authorized for the refresh token. Useful if refresh token has a wild card scope (e.g. 'https://www.googleapis.com/auth/any-api'). rapt_token (Optional(str)): The reauth Proof Token. can_retry (bool): Enable or disable request retry behavior. Returns: Tuple[str, str, Optional[datetime], Mapping[str, str]]: The access token, new or current refresh token, expiration, and additional data returned by the token endpoint. Raises: google.auth.exceptions.RefreshError: If the token endpoint returned an error. .. _rfc6748 section 6: https://tools.ietf.org/html/rfc6749#section-6 )rY client_id client_secretr  scoperapt)rM)_REFRESH_GRANT_TYPEjoinrVrw) rIrJr rxryscopes rapt_tokenrMr9rrrr refresh_grants* r)NFTN)T)NNT)__doc__r1 http.clientclientrGrr> google.authrrrrrrrr=r;r\r}rr,r3rTrVrbrmrtrvrwrrrrrsL        ' X 66 04%