xivdZddlZddlmZddlZddlZddlmZddlm Z ddlm Z ddlm Z ddlm Z ddl mZejej ej"ej$hZd gZeed rej,Zn$ej0d d j3d k(Zerde j4Znde j4ZdedZedzZedzZedzZedzZ Gdde jBZ!y)zTools for using the Google `Cloud Identity and Access Management (IAM) API`_'s auth-related functionality. .. _Cloud Identity and Access Management (IAM) API: https://cloud.google.com/iam/docs/ N)_exponential_backoff)_helpers) credentials)crypt) exceptions)mtlsz#https://www.googleapis.com/auth/iamshould_use_client_cert!GOOGLE_API_USE_CLIENT_CERTIFICATEfalsetrueziamcredentials.mtls.ziamcredentials.zhttps://z!/v1/projects/-/serviceAccounts/{}z:generateAccessTokenz :signBlobz:signJwtz:generateIdTokencpeZdZdZdZdZedZeje jdZ y)SigneraSigns messages using the IAM `signBlob API`_. This is useful when you need to sign bytes but do not have access to the credential's private key file. .. _signBlob API: https://cloud.google.com/iam/reference/rest/v1/projects.serviceAccounts /signBlob c.||_||_||_y)a Args: request (google.auth.transport.Request): The object used to make HTTP requests. credentials (google.auth.credentials.Credentials): The credentials that will be used to authenticate the request to the IAM API. The credentials must have of one the following scopes: - https://www.googleapis.com/auth/iam - https://www.googleapis.com/auth/cloud-platform service_account_email (str): The service account email identifying which service account to use to sign bytes. Often, this can be the same as the service account email in the given credentials. N)_request _credentials_service_account_email)selfrequestrservice_account_emails [/var/www/html/chatbot/card-advisor-bot/venv/lib/python3.12/site-packages/google/auth/iam.py__init__zSigner.__init__Ss   '&;#c^tj|}d}tjtj |j jj|j}ddi}tjdtj|jdijd}t!j"}|D]}|j j%|j&||||j'||||}|j(t*vrS|j(t,j.k7r.t1j2dj|j4tj6|j4jdcSt1j2d) z(Makes a request to the API signBlob API.POSTz Content-Typezapplication/jsonpayloadzutf-8)urlmethodbodyheadersz&Error calling the IAM signBlob API: {}z#exhausted signBlob endpoint retries)rto_bytes_IAM_SIGN_ENDPOINTreplacerDEFAULT_UNIVERSE_DOMAINruniverse_domainformatrjsondumpsbase64 b64encodedecodeencoderExponentialBackoffbefore_requestrstatusIAM_RETRY_CODES http_clientOKrTransportErrordataloads) rmessagerrrrretries_responses r_make_signing_requestzSigner._make_signing_requestgsb##G, ((  / /1B1B1R1R &,, - "#56zz ((188A B &/ '99; =A    , ,T]]FC Q}}V$PW}XH/1+..0 //<CCHMMR::hmm227;< < =''(MNNrcy)zOptional[str]: The key ID used to identify this private key. .. warning:: This is always ``None``. The key ID used by IAM can not be reliably determined ahead of time. N)rs rkey_idz Signer.key_idsrcT|j|}tj|dS)N signedBlob)r9r( b64decode)rr5r8s rsignz Signer.signs(--g6 677rN) __name__ __module__ __qualname____doc__rr9propertyr<rcopy_docstringrrr@r;rrrrHsK<(O<XU\\*8+8rr)"rDr( http.clientclientr0r&os google.authrrrrrgoogle.auth.transportrINTERNAL_SERVER_ERROR BAD_GATEWAYSERVICE_UNAVAILABLEGATEWAY_TIMEOUTr/ _IAM_SCOPEhasattrr use_client_certgetenvlowerr# _IAM_DOMAIN _IAM_BASE_URL _IAM_ENDPOINTr!_IAM_SIGNJWT_ENDPOINT_IAM_IDTOKEN_ENDPOINTrr;rrrZs!! , #"&%%## 4 4  4)*1d113O  5w?EEG6Q ()L)L(MNK#K$G$G#HIK;-'JK  66 "[0% 2%(::J8U\\J8r