o ~j6h+@sJdZddlmZddlZddlZddlmZddiZGdddej Z dS)aOAuth 2.0 Token Exchange Spec. This module defines a token exchange utility based on the `OAuth 2.0 Token Exchange`_ spec. This will be mainly used to exchange external credentials for GCP access tokens in workload identity pools to access Google APIs. The implementation will support various types of client authentication as allowed in the spec. A deviation on the spec will be for additional Google specific options that cannot be easily mapped to parameters defined in the RFC. The returned dictionary response will be based on the `rfc8693 section 2.2.1`_ spec JSON response. .. _OAuth 2.0 Token Exchange: https://tools.ietf.org/html/rfc8693 .. _rfc8693 section 2.2.1: https://tools.ietf.org/html/rfc8693#section-2.2.1 N)utilsz Content-Typez!application/x-www-form-urlencodedcsLeZdZdZd fdd ZddZ        d ddZd d ZZS) ClientzcImplements the OAuth 2.0 token exchange spec based on https://tools.ietf.org/html/rfc8693. Ncstt||||_dS)a5Initializes an STS client instance. Args: token_exchange_endpoint (str): The token exchange endpoint. client_authentication (Optional(google.oauth2.oauth2_utils.ClientAuthentication)): The optional OAuth client authentication credentials if available. N)superr__init___token_exchange_endpoint)selftoken_exchange_endpointclient_authentication __class__`/var/www/html/chefvision.cloud.itp360.com/venv/lib/python3.10/site-packages/google/oauth2/sts.pyr1s zClient.__init__c Cst}|rt|D]\}}|||<q |||||jd|tj| dd}t |j dr7|j dn|j }|j tjkrEt|t|} | S)NPOSTzutf-8)urlmethodheadersbodydecode)_URLENCODED_HEADERScopydictitems#apply_client_authentication_optionsrurllibparse urlencodeencodehasattrdatarstatus http_clientOKrhandle_error_responsejsonloads) rrequestr request_bodyrequest_headerskvresponse response_body response_datar r r _make_request<s&      zClient._make_requestc  Csx|||d|pg|||| | dd } | rtjt| | d<t| D]\}}|dus1|dkr4| |=q%||| | S)aTExchanges the provided token for another type of token based on the rfc8693 spec. Args: request (google.auth.transport.Request): A callable used to make HTTP requests. grant_type (str): The OAuth 2.0 token exchange grant type. subject_token (str): The OAuth 2.0 token exchange subject token. subject_token_type (str): The OAuth 2.0 token exchange subject token type. resource (Optional[str]): The optional OAuth 2.0 token exchange resource field. audience (Optional[str]): The optional OAuth 2.0 token exchange audience field. scopes (Optional[Sequence[str]]): The optional list of scopes to use. requested_token_type (Optional[str]): The optional OAuth 2.0 token exchange requested token type. actor_token (Optional[str]): The optional OAuth 2.0 token exchange actor token. actor_token_type (Optional[str]): The optional OAuth 2.0 token exchange actor token type. additional_options (Optional[Mapping[str, str]]): The optional additional non-standard Google specific options. additional_headers (Optional[Mapping[str, str]]): The optional additional headers to pass to the token exchange endpoint. Returns: Mapping[str, str]: The token exchange JSON-decoded response data containing the requested token and its expiration time. Raises: google.auth.exceptions.OAuthError: If the token endpoint returned an error.  N) grant_typeresourceaudiencescoperequested_token_type subject_tokensubject_token_type actor_tokenactor_token_typeoptionsr8) joinrrquoter#dumpsrrr-)rr%r/r4r5r0r1scopesr3r6r7additional_optionsadditional_headersr&r(r)r r r exchange_token_s$.  zClient.exchange_tokencCs||dd|dS)aExchanges a refresh token for an access token based on the RFC6749 spec. Args: request (google.auth.transport.Request): A callable used to make HTTP requests. subject_token (str): The OAuth 2.0 refresh token. N refresh_token)r/rA)r-)rr%rAr r r rAs  zClient.refresh_token)N)NNNNNNNN) __name__ __module__ __qualname____doc__rr-r@rA __classcell__r r r r r,s ) Cr) rE http.clientclientr r#r google.oauth2rrOAuthClientAuthHandlerrr r r r s