� J�gB��dZddlZddlmZddlZddlmZddlmZddlm Z ddlm Z ddlmZejej ejejhZdgZd Zd ZdZdZGd �de j��ZdS)z�Tools for using the Google `Cloud Identity and Access Management (IAM) API`_'s auth-related functionality. .. _Cloud Identity and Access Management (IAM) API: https://cloud.google.com/iam/docs/ �N)�_exponential_backoff)�_helpers)�credentials)�crypt)� exceptionsz#https://www.googleapis.com/auth/iamzZhttps://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/{}:generateAccessTokenzOhttps://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/{}:signBlobzNhttps://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/{}:signJwtzVhttps://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/{}:generateIdTokenc�p�eZdZdZd�Zd�Zed��Zej e j��d��ZdS)�SigneraSigns messages using the IAM `signBlob API`_. This is useful when you need to sign bytes but do not have access to the credential's private key file. .. _signBlob API: https://cloud.google.com/iam/reference/rest/v1/projects.serviceAccounts /signBlob c�0�||_||_||_dS)a� Args: request (google.auth.transport.Request): The object used to make HTTP requests. credentials (google.auth.credentials.Credentials): The credentials that will be used to authenticate the request to the IAM API. The credentials must have of one the following scopes: - https://www.googleapis.com/auth/iam - https://www.googleapis.com/auth/cloud-platform service_account_email (str): The service account email identifying which service account to use to sign bytes. Often, this can be the same as the service account email in the given credentials. N)�_request�_credentials�_service_account_email)�self�requestr�service_account_emails �_/home/asafur/pinokio/api/open-webui.git/app/env/lib/python3.11/site-packages/google/auth/iam.py�__init__zSigner.__init__Is!�� '��&;��#�#�#�c�(�tj|��}d}t�tj|jj��|j ��}ddi}tjdtj |��d��i��d��}t!j��}|D]�}|j�|j|||��|�||||��}|jt*vr�L|jt,jkr,t1jd�|j��tj|j�d��cSt1jd��) z(Makes a request to the API signBlob API.�POSTzContent-Typezapplication/json�payloadzutf-8)�url�method�body�headersz&Error calling the IAM signBlob API: {}z#exhausted signBlob endpoint retries)r�to_bytes�_IAM_SIGN_ENDPOINT�replacer�DEFAULT_UNIVERSE_DOMAINr�universe_domain�formatr �json�dumps�base64� b64encode�decode�encoder�ExponentialBackoff�before_requestr�status�IAM_RETRY_CODES�http_client�OKr�TransportError�data�loads) r�messagerrrr�retries�_�responses r�_make_signing_requestzSigner._make_signing_request]ss��#�G�,�,�� (�(��/��1B�1R� � � �&��,� -� -� �"�#5�6��z� ��(��1�1�8�8��A�A�B� � � �&��/�/� �'�9�;�;�� =� =�A��,�,�T�]�F�C��Q�Q�Q��}�}��V�$�PW�}�X�X�H��/�1�1��+�.�0�0� �/�<�C�C�H�M�R�R��:�h�m�2�2�7�;�;�<�<�<�<�<��'�(M�N�N�Nrc��dS)z�Optional[str]: The key ID used to identify this private key. .. warning:: This is always ``None``. The key ID used by IAM can not be reliably determined ahead of time. N�)rs r�key_idz Signer.key_id{s ��trc�`�|�|��}tj|d��S)N� signedBlob)r4r#� b64decode)rr0r3s r�signzSigner.sign�s+��-�-�g�6�6�� 6�7�7�7rN) �__name__� __module__�__qualname__�__doc__rr4�propertyr7r�copy_docstringrr r;r6rrr r >s��<�<�<�(O�O�O�<��X��X��U�\�*�*�8�8�+�*�8�8�8rr )r?r#�http.client�clientr+r!�google.authrrrrr�INTERNAL_SERVER_ERROR�BAD_GATEWAY�SERVICE_UNAVAILABLE�GATEWAY_TIMEOUTr*� _IAM_SCOPE� _IAM_ENDPOINTr�_IAM_SIGNJWT_ENDPOINT�_IAM_IDTOKEN_ENDPOINTr r6rr�<module>rMs"�� !�!�!�!�!�!��,�,�,�,�,�,� � � � � � �#�#�#�#�#�#��"�"�"�"�"�"��%��#�� 4� 4� �0��%��$��6��J8�J8�J8�J8�J8�U�\�J8�J8�J8�J8�J8r