o ~j6h(@sdZddlZddlZddlZddlZddlmZddlmZddlm Z ddl m Z m Z m Z dZdZd Zd d ZGd d d ejdZGdddeZGdddeZGdddeZddeeefDZdS)z" Challenges for reauthentication. N)_helpers) exceptions)webauthn_handler_factory)$AuthenticationExtensionsClientInputs GetRequestPublicKeyCredentialDescriptorzhttps://accounts.google.comzFPlease run `gcloud auth login` to complete reauthentication with SAML.icCs t|S)zGet password from user. Override this function with a different logic if you are using this library outside a CLI. Args: text (str): message for the password prompt. Returns: str: password string. )getpass)textr g/var/www/html/chefvision.cloud.itp360.com/venv/lib/python3.10/site-packages/google/oauth2/challenges.pyget_user_password(s r c@sBeZdZdZeejddZeejddZejddZ dS) ReauthChallengez!Base class for reauth challenges.cCtd)z"Returns the name of the challenge.z!name property must be implementedNotImplementedErrorselfr r r name:zReauthChallenge.namecCr)zAReturns true if a challenge is supported locally on this machine.z0is_locally_eligible property must be implementedrrr r r is_locally_eligible@rz#ReauthChallenge.is_locally_eligiblecCr)acPerforms logic required to obtain credentials and returns it. Args: metadata (Mapping): challenge metadata returned in the 'challenges' field in the initial reauth request. Includes the 'challengeType' field and other challenge-specific fields. Returns: response that will be send to the reauth service as the content of the 'proposalResponse' field in the request body. Usually a dict with the keys specific to the challenge. For example, ``{'credential': password}`` for password challenge. z1obtain_challenge_input method must be implementedrrmetadatar r r obtain_challenge_inputFsz&ReauthChallenge.obtain_challenge_inputN) __name__ __module__ __qualname____doc__propertyabcabstractmethodrrrr r r r r 7s  r ) metaclassc@s:eZdZdZeddZeddZee ddZ dS) PasswordChallengez(Challenge that asks for user's password.cCdS)NPASSWORDr rr r r r[zPasswordChallenge.namecCr"NTr rr r r r_r$z%PasswordChallenge.is_locally_eligiblecCstd}|sd}d|iS)NzPlease enter your password: credential)r )runused_metadatapasswdr r r rcsz(PasswordChallenge.obtain_challenge_inputN) rrrrrrrrcopy_docstringr rr r r r r!Xs  r!c@sJeZdZdZeddZeddZee ddZ dd Z d d Z d S) SecurityKeyChallengez2Challenge that asks for user's security key touch.cCr")N SECURITY_KEYr rr r r rnr$zSecurityKeyChallenge.namecCr"r%r rr r r rrr$z(SecurityKeyChallenge.is_locally_eligiblec CsNzt}|}|durtjd|||WSWn ty$Ynwzddl}ddl }ddl }Wn t y?t dw|d}|d}|d}|d}||krY||g} n|g} g} |D](} | dd } |jtt| } | d d }t|}| | |d q`d}| D]}z|d 7}|jjt}|j|| tjjd }d|iWS|jjy}z;|j|jjjkr|t| krtjdWYd}~dSWYd}~q|j|jjjkrtjdn|WYd}~dSd}~w|jj y}ztjd!|WYd}~qd}~w|jj"y$tjdYdSwdS)Nz*Please insert and touch your security key rzpyu2f dependency is required to use Security key reauth feature. It can be installed via `pip install pyu2f` or `pip install google-auth[reauth]`. securityKey challenges applicationIdrelyingPartyId keyHandleascii challenge)keyr3)print_callbackzIneligible security key. z0Timed out while waiting for security key touch. zPlugin error: {}. zNo security key found. )#rWebauthnHandlerFactory get_handlersysstderrwrite _obtain_challenge_input_webauthn Exceptionpyu2f.convenience.authenticator pyu2f.errors pyu2f.model ImportErrorrReauthFailErrorencodemodel RegisteredKey bytearraybase64urlsafe_b64decodeappend convenience authenticatorCreateCompositeAuthenticator REAUTH_ORIGIN AuthenticateerrorsU2FErrorcodeDEVICE_INELIGIBLElenTIMEOUT PluginErrorformatNoDeviceFoundError)rrfactorywebauthn_handlerpyu2fskr.application_idrelying_party_idapplication_parameterschallenge_datackhr4r3triesapp_idapiresponseer r r rvs             z+SecurityKeyChallenge.obtain_challenge_inputc Csl|d}|durtd|d}|d}|d}|dus't|dkr,td|dur5td|dur>td g}|D]}|d } | durRtd || } |t| d qBt|d } |dd}|durutdtt |||t |d| d} z|| } Wnt y}z t j d||d}~ww| jj| jj| jj|| jdd}d|iS)Nr-zsecurityKey is Noner.r/r0r5zchallenges is None or emptyzapplication_id is Nonezrelying_party_id is Noner1zkeyHandle is None)id)appidrr3zchallenge is Nonerequired)originrpidr3 timeout_msallow_credentialsuser_verification extensionszWebauthn Error: {}. ) clientDataauthenticatorData signatureDatar/r1securityKeyReplyType)getr InvalidValuerS_unpadded_urlsafe_b64recoderIrrrrMWEBAUTHN_TIMEOUT_MSr=r9r:r;rVreclient_data_jsonauthenticator_data signaturerg)rrrYr[r.r\r]rmr3ra key_handle extension get_request get_responserfrer r r r<s^              z5SecurityKeyChallenge._obtain_challenge_input_webauthncCst|}t|dS)z\Converts standard b64 encoded string to url safe b64 encoded string with no padding.=)rGrHurlsafe_b64encodedecoderstrip)rsbr r r rws z0SecurityKeyChallenge._unpadded_urlsafe_b64recodeN) rrrrrrrrr*r rr<rwr r r r r+ks   K 6r+c@s0eZdZdZeddZeddZddZdS) SamlChallengezChallenge that asks the users to browse to their ID Providers. Currently SAML challenge is not supported. When obtaining the challenge input, exception will be raised to instruct the users to run `gcloud auth login` for reauthentication. cCr")NSAMLr rr r r rr$zSamlChallenge.namecCr"r%r rr r r r r$z!SamlChallenge.is_locally_eligiblecCs tt)N)rReauthSamlChallengeFailErrorSAML_CHALLENGE_MESSAGErr r r rs z$SamlChallenge.obtain_challenge_inputN)rrrrrrrrr r r r rs   rcCsi|]}|j|qSr )r).0r3r r r sr)rrrGrr9 google.authrr google.oauth2rgoogle.oauth2.webauthn_typesrrrrMrrxr ABCMetar r!r+rAVAILABLE_CHALLENGESr r r r s,   !