o ëɶdR+ã@sddlmZddlmZddlmZmZddlmZddl m Z ddl Z ddl Z ddlZddlZddlZGdd „d eƒZGd d „d e jjƒZdS) é)Ú auth_utils)ÚSecurityTokenContaineré)ÚEncodingÚ PublicFormat)ÚSHA1)ÚrequestsNc@s<eZdZgd¢Zdd„Zdd„Zdd„Zdd „Zd d „Zd S) ÚX509FederationClient)Úfederation_endpointÚ tenancy_idÚsession_key_supplierÚleaf_certificate_retrievercKs^| ¡}g}|jD]}||vr| |¡q ||s| |¡q |r+td d |¡¡ƒ‚|d|_|d|_|d|_|d|_ d|_ d|vrQ|ddurQ|d|_ t   d  t t|ƒ¡¡|_|j t  ¡¡| d ¡rvd |j_|j t j¡nd |j_d |vrˆ|d rˆ|d |_ng|_| dd¡|_t ¡|_| dd¡}|r£||_ntjj|_t  ¡|_!dS)a A client which can be used to retrieve a token from Auth Service. It needs the following supplied to it: - The endpoint for Auth Service - Our tenancy OCID - A session key supplier so that we can send its public key as part of the token request. The private key in the session key supplier should be used to sign all requests made with the token - The certificate (via leaf_certificate_retriever) which will be used to sign the requests to Auth Service. Optionally, intermediate certificates (if present) can be supplied as part of the request to Auth Service. The client has knowledge of its last requested token and can re-request the token if it is expired (otherwise it will vend the last requested token if it is not expired). :param str federation_endpoint: The Auth Service endpoint from which to retrieve the token. :param str tenancy_id: The OCID of the tenancy whose resources will be interacted with by users of the token. :param SessionKeySupplier session_key_supplier: A SessionKeySupplier that can vend a public and private key. The public key will be sent as part of the token request and the private key should be used to sign all requests made with the token vended by this client. :param CertificateRetriever leaf_certificate_retriever: The certificate which will be used to sign requests to Auth Service. :param list[CertificateRetriever] intermediate_certificate_retrievers: (optional) A list of retrievers which can be used to fetch intermediate certificates which can be sent as part of the Auth Service request. This is an optional parameter :param cert_bundle_verify: (optional) If we need a specific cert bundle in order to perform verification against the federation endpoint, this parameter is the path to that bundle. Alternatively, False can be passed to disable verification. :type cert_bundle_verify: str or Boolean :param obj retry_strategy: (optional) A retry strategy to apply to calls made by this client. This should be one of the strategies available in the :py:mod:`~oci.retry` module. A convenience :py:data:`~oci.retry.DEFAULT_RETRY_STRATEGY` is also available and will be used if no explicit retry strategy is specified. The specifics of the default retry strategy are described `here `__. To have this operation explicitly not perform any retries, pass an instance of :py:class:`~oci.retry.NoneRetryStrategy`. :param bool log_requests: (optional) log_request if set to True, will log the request url and response data when retrieving the token from the federation endpoint. z6The following required arguments were not provided: {}z, r r r r NÚpurposez{}.{}Z log_requestsFTÚ#intermediate_certificate_retrieversÚcert_bundle_verifyÚretry_strategy)"ÚkeysÚREQUIRED_INIT_KWARGSÚappendÚ TypeErrorÚformatÚjoinr r r r rÚloggingÚ getLoggerÚ__name__ÚidÚloggerÚ addHandlerÚ NullHandlerÚgetÚdisabledÚsetLevelÚDEBUGrrÚ threadingÚLockÚ _refresh_lockrÚociÚretryZDEFAULT_RETRY_STRATEGYrZSessionÚrequests_session)ÚselfÚkwargsZ kwarg_keysZ missing_keysÚrequiredr©r,ú>usr/lib/python3.10/site-packages/oci/auth/federation_client.pyÚ__init__sB2   €          zX509FederationClient.__init__cCs| ¡S)N)Ú_refresh_security_token_inner©r)r,r,r-Úrefresh_security_token{sz+X509FederationClient.refresh_security_tokencCs$t|dƒr|j ¡r|jjS| ¡S)NÚsecurity_token)Úhasattrr2Zvalid_with_jitterr/r0r,r,r-Úget_security_token~s  z'X509FederationClient.get_security_tokencCs˜|j ¡z@|j ¡|j ¡|jdur+t |j ¡¡}||j kr+t d  |j |¡ƒ‚|j D]}| ¡q.|j  |j¡|jjW|j ¡S|j ¡w)Nz\Unexpected update of tenancy OCID in the leaf certificate. Previous tenancy: {}, Updated: {})r%Úacquirer Zrefreshr rrZget_tenancy_id_from_certificateÚget_certificate_as_certificater Ú RuntimeErrorrrrZmake_retrying_callÚ%_get_security_token_from_auth_servicer2Úrelease)r)Zupdated_tenancy_idÚ retrieverr,r,r-r/…s       z2X509FederationClient._refresh_security_token_innerc CsÆt |j ¡¡t |j ¡d tjt j ¡¡dœ}|j dur#|j |d<|j r©s€zMX509FederationClient._get_security_token_from_auth_service..zRequesting token from : %s )é é<)ÚjsonZauthZverifyÚtimeoutz"Receiving token response...... {} )Ú status_codeÚurlÚheaderÚreasoné)Úindentz3Unable to parse response from auth service ({}): {}ÚcodeÚmessageÚtokenz;Could not find token in response from auth service ({}): {})/rZsanitize_certificate_stringr Zget_certificate_rawr Z get_key_pairZ public_bytesrZPEMrZSubjectPublicKeyInforrrr6rÚ bytearrayÚ fingerprintrÚAuthTokenRequestSignerr rÚdebugr r(ÚpostrrÚpprintÚpformatrErFÚdictÚheadersÚitemsrHrCÚ ValueErrorÚtextÚokr7r&Ú exceptionsZ ServiceErrorrrr2) r)Zrequest_payloadZretrieved_certsr:r<rOÚsignerÚresponseZparsed_responseZ error_textr,r,r-r8˜sZþ     ÿ þ  üöüz:X509FederationClient._get_security_token_from_auth_serviceN) rÚ __module__Ú __qualname__rr.r1r4r/r8r,r,r,r-r s` r c@seZdZdZdd„ZdS)rPz~ A signer intended for X509FederationClient's use to request a token from Auth Service. Not intended for general use. cCs@d ||¡|_||_ddg}gd¢}| |j|j ¡||¡dS)Nz{}/fed-x509/{}Údatez(request-target))zcontent-lengthz content-typezx-content-sha256)rZapi_keyÚ!private_key_certificate_retrieverZcreate_signersZget_private_key)r)r rOraZgeneric_headersZ body_headersr,r,r-r.Ùs zAuthTokenRequestSigner.__init__N)rr^r_Ú__doc__r.r,r,r,r-rPÔs rP)ÚrZsecurity_token_containerrZ,cryptography.hazmat.primitives.serializationrrZ%cryptography.hazmat.primitives.hashesrZ oci._vendorrZ oci.retryr&Z oci.signerr#rrSÚobjectr r\ZAbstractBaseSignerrPr,r,r,r-Ús    B