(ph IXSrSSKrSSKJr SSKrSSKJrJr SSKJr SSKJ r SSK J r SSK J r S r"S S \ 5r"S S \5r"SS\5r"SS\5r"SS\5r"SS\R(S9r"SS\5rSSjr"SS\R(S9r"SS\5rg)zInterfaces for credentials.N)Enum)_helpersenvironment_vars) exceptions)metrics)_BaseCredentials)RefreshThreadManagerzgoogleapis.comc^\rSrSrSrU4Sjr\S5r\S5r\S5r \S5r \S5r S r \ RS 5rS rSS jrS rSrSrSrSrU=r$) CredentialsaBase class for all credentials. All credentials have a :attr:`token` that is used for authentication and may also optionally set an :attr:`expiry` to indicate when the token will no longer be valid. Most credentials will be :attr:`invalid` until :meth:`refresh` is called. Credentials can do this automatically before the first HTTP request in :meth:`before_request`. Although the token and expiration will change as the credentials are :meth:`refreshed ` and used, credentials should be considered immutable. Various credentials will accept configuration such as private keys, scopes, and other options. These options are not changeable after construction. Some classes will provide mechanisms to copy the credentials with modifications such as :meth:`ScopedCredentials.with_scopes`. c>[[U] 5 SUlSUlSUl[ UlSUl[5Ul gNF) superr __init__expiry_quota_project_id_trust_boundaryDEFAULT_UNIVERSE_DOMAIN_universe_domain_use_non_blocking_refreshr _refresh_workerself __class__s J/var/www/html/venv/lib/python3.13/site-packages/google/auth/credentials.pyrCredentials.__init__2sY k4)+  B!%K# !8 */&35cUR(dgUR[R- n[R"5U:$)zChecks if the credentials are expired. Note that credentials can be invalid but not expired because Credentials with :attr:`expiry` set to None is considered to never expire. .. deprecated:: v2.24.0 Prefer checking :attr:`token_state` instead. F)rrREFRESH_THRESHOLDutcnow)r skewed_expirys rexpiredCredentials.expiredEs6{{ h&@&@@  M11rcNURSL=(a UR(+$)zChecks the validity of the credentials. This is True if the credentials have a :attr:`token` and the token is not :attr:`expired`. .. deprecated:: v2.24.0 Prefer checking :attr:`token_state` instead. N)tokenr"rs rvalidCredentials.validWszz%:dll*::rcURc[R$URc[R$[ R "5UR:nU(a[R$[ R "5UR[ R- :nU(a[R$[R$)z See `:obj:`TokenState` ) r% TokenStateINVALIDrFRESHrr rSTALE)rr"is_stales r token_stateCredentials.token_statecs :: %% % ;; ## #//#t{{2 %% %??$x7Q7Q)QR ## #rcUR$)z.Project to use for quota and billing purposes.)rr&s rquota_project_idCredentials.quota_project_idys%%%rcUR$)zThe universe domain value.)rr&s runiverse_domainCredentials.universe_domain~s$$$rcg)zThe credential information JSON. The credential information will be added to auth related error messages by client library. Returns: Mapping[str, str]: The credential information JSON. Nr&s r get_cred_infoCredentials.get_cred_infosrc[S5e)zRefreshes the access token. Args: request (google.auth.transport.Request): The object used to make HTTP requests. Raises: google.auth.exceptions.RefreshError: If the credentials could not be refreshed. zRefresh must be implementedNotImplementedErrorrrequests rrefreshCredentials.refreshs""?@@rcg)aThe x-goog-api-client header for token usage metric. This header will be added to the API service requests in before_request method. For example, "cred-type/sa-jwt" means service account self signed jwt access token is used in the API service request authorization header. Children credentials classes need to override this method to provide the header value, if the token usage metric is needed. Returns: str: The x-goog-api-client header value. Nr8r&s r_metric_header_for_usage$Credentials._metric_header_for_usagesrcURXS9 URbURSUS'UR(aURUS'gg)zApply the token to the authentication header. Args: headers (Mapping): The HTTP request headers. token (Optional[str]): If specified, overrides the current access token. )r%Nencoded_locationszx-allowed-locationszx-goog-user-project)_applyrr2rheadersr%s rapplyCredentials.applys[ G )     +-1-A-ABU-VG) *  -1-B-BG) * !rcJUR(dURU5 ggN)r'r@r>s r_blocking_refreshCredentials._blocking_refreshszz LL !rc&SnUR[R:Xa URR X5(+nUR[R :XdU(a,UR U5 URR5 ggr)r/r*r-r start_refreshr+r@ clear_error)rr?use_blocking_refresh_fallbacks r_non_blocking_refresh!Credentials._non_blocking_refreshsz(-%   z// /040D0D0R0R1- )   z11 15R LL !  , , . 6SrcUR(aURU5 OURU5 [R"X@R 55 UR U5 g)aPerforms credential-specific before request logic. Refreshes the credentials if necessary, then calls :meth:`apply` to apply the token to the authentication header. Args: request (google.auth.transport.Request): The object used to make HTTP requests. method (str): The request's HTTP method or the RPC method being invoked. url (str): The request's URI or the RPC service's URI. headers (Mapping): The request's headers. N)rrTrNradd_metric_headerrCrJrr?methodurlrIs rbefore_requestCredentials.before_requestsL"  ) )  & &w /  " "7 +!!'+H+H+JK 7rcSUlg)NT)rr&s rwith_non_blocking_refresh%Credentials.with_non_blocking_refreshs )-&r)rrrrrrrM)__name__ __module__ __qualname____firstlineno____doc__rpropertyr"r'r/r2r5r9abcabstractmethodr@rCrJrNrTr[r^__static_attributes__ __classcell__rs@rr r s$6&22" ; ;  *&&%%   A A C6" /2..rr c$\rSrSrSrSrSrSrg)CredentialsWithQuotaProjectzGAbstract base for credentials supporting ``with_quota_project`` factoryc[S5e)zReturns a copy of these credentials with a modified quota project. Args: quota_project_id (str): The project to use for quota and billing purposes Returns: google.auth.credentials.Credentials: A new credentials instance. z/This credential does not support quota project.r<)rr2s rwith_quota_project.CredentialsWithQuotaProject.with_quota_projects""STTrc[RR[R5nU(aUR U5$U$rM)osenvirongetrGOOGLE_CLOUD_QUOTA_PROJECTro)rquota_from_envs r#with_quota_project_from_environment?CredentialsWithQuotaProject.with_quota_project_from_environments4(8(S(ST **>: : rr8N)r`rarbrcrdrorwrhr8rrrlrlsQ Urrlc\rSrSrSrSrSrg)CredentialsWithTokenUriizCAbstract base for credentials supporting ``with_token_uri`` factoryc[S5e)zReturns a copy of these credentials with a modified token uri. Args: token_uri (str): The uri to use for fetching/exchanging tokens Returns: google.auth.credentials.Credentials: A new credentials instance. z'This credential does not use token uri.r<)r token_uris rwith_token_uri&CredentialsWithTokenUri.with_token_uris""KLLrr8N)r`rarbrcrdr}rhr8rrrzrzs M Mrrzc\rSrSrSrSrSrg)CredentialsWithUniverseDomainizIAbstract base for credentials supporting ``with_universe_domain`` factoryc[S5e)zReturns a copy of these credentials with a modified universe domain. Args: universe_domain (str): The universe domain to use Returns: google.auth.credentials.Credentials: A new credentials instance. z6This credential does not support with_universe_domain.r<)rr5s rwith_universe_domain2CredentialsWithUniverseDomain.with_universe_domain s" D  rr8N)r`rarbrcrdrrhr8rrrrs S  rrcN\rSrSrSr\S5r\S5rSrS Sjr Sr S r g) AnonymousCredentialsi.zCredentials that do not provide any authentication information. These are useful in the case of services that support anonymous access or local service emulators that do not use credentials. cg)z4Returns `False`, anonymous credentials never expire.Fr8r&s rr"AnonymousCredentials.expired5srcg)z7Returns `True`, anonymous credentials are always valid.Tr8r&s rr'AnonymousCredentials.valid:src.[R"S5e)zNRaises :class:``InvalidOperation``, anonymous credentials cannot be refreshed.z*Anonymous credentials cannot be refreshed.)rInvalidOperationr>s rr@AnonymousCredentials.refresh?s))*VWWrNc6Ub[R"S5eg)zAnonymous credentials do nothing to the request. The optional ``token`` argument is not supported. Raises: google.auth.exceptions.InvalidValue: If a token was specified. Nz+Anonymous credentials don't support tokens.)r InvalidValuerHs rrJAnonymousCredentials.applyDs!  ))*WX X rcg)z0Anonymous credentials do nothing to the request.Nr8rXs rr[#AnonymousCredentials.before_requestOsrr8rM) r`rarbrcrdrer"r'r@rJr[rhr8rrrr.s@ X Y?rrcv^\rSrSrSrU4Sjr\S5r\S5r\ RS5r Sr Sr U=r$) ReadOnlyScopediSaInterface for credentials whose scopes can be queried. OAuth 2.0-based credentials allow limiting access using scopes as described in `RFC6749 Section 3.3`_. If a credential class implements this interface then the credentials either use scopes in their implementation. Some credentials require scopes in order to obtain a token. You can check if scoping is necessary with :attr:`requires_scopes`:: if credentials.requires_scopes: # Scoping is required. credentials = credentials.with_scopes(scopes=['one', 'two']) Credentials that require scopes must either be constructed with scopes:: credentials = SomeScopedCredentials(scopes=['one', 'two']) Or must copy an existing instance using :meth:`with_scopes`:: scoped_credentials = credentials.with_scopes(scopes=['one', 'two']) Some credentials have scopes but do not allow or require scopes to be set, these credentials can be used as-is. .. _RFC6749 Section 3.3: https://tools.ietf.org/html/rfc6749#section-3.3 cF>[[U] 5 SUlSUlgrM)rrr_scopes_default_scopesrs rrReadOnlyScoped.__init__ps nd,. #rcUR$)z6Sequence[str]: the credentials' current set of scopes.)rr&s rscopesReadOnlyScoped.scopesus||rcUR$)z>Sequence[str]: the credentials' current set of default scopes.)rr&s rdefault_scopesReadOnlyScoped.default_scopeszs###rcg)zLTrue if these credentials require scopes to obtain an access token. Fr8r&s rrequires_scopesReadOnlyScoped.requires_scopessrcURb URO URn[U5R[U=(d /55$)a'Checks if the credentials have the given scopes. .. warning: This method is not guaranteed to be accurate if the credentials are :attr:`~Credentials.invalid`. Args: scopes (Sequence[str]): The list of scopes to check. Returns: bool: True if the credentials have the given scopes. )rrsetissubset)rrcredential_scopess r has_scopesReadOnlyScoped.has_scopessC!LL4DLL$:N:N 6{##C(9(?R$@AAr)rr)r`rarbrcrdrrerrrfabstractpropertyrrrhrirjs@rrrSs[8$ $$  BBrr) metaclassc@\rSrSrSr\R SSj5rSrg)ScopediaInterface for credentials whose scopes can be replaced while copying. OAuth 2.0-based credentials allow limiting access using scopes as described in `RFC6749 Section 3.3`_. If a credential class implements this interface then the credentials either use scopes in their implementation. Some credentials require scopes in order to obtain a token. You can check if scoping is necessary with :attr:`requires_scopes`:: if credentials.requires_scopes: # Scoping is required. credentials = credentials.create_scoped(['one', 'two']) Credentials that require scopes must either be constructed with scopes:: credentials = SomeScopedCredentials(scopes=['one', 'two']) Or must copy an existing instance using :meth:`with_scopes`:: scoped_credentials = credentials.with_scopes(scopes=['one', 'two']) Some credentials have scopes but do not allow or require scopes to be set, these credentials can be used as-is. .. _RFC6749 Section 3.3: https://tools.ietf.org/html/rfc6749#section-3.3 Nc[S5e)aWCreate a copy of these credentials with the specified scopes. Args: scopes (Sequence[str]): The list of scopes to attach to the current credentials. Raises: NotImplementedError: If the credentials' scopes can not be changed. This can be avoided by checking :attr:`requires_scopes` before calling this method. z$This class does not require scoping.r<)rrrs r with_scopesScoped.with_scopess""HIIrr8rM) r`rarbrcrdrfrgrrhr8rrrrs#8  J Jrrcp[U[5(a UR(aURXS9$U$)a{Creates a copy of the credentials with scopes if scoping is required. This helper function is useful when you do not know (or care to know) the specific type of credentials you are using (such as when you use :func:`google.auth.default`). This function will call :meth:`Scoped.with_scopes` if the credentials are scoped credentials and if the credentials require scoping. Otherwise, it will return the credentials as-is. Args: credentials (google.auth.credentials.Credentials): The credentials to scope if necessary. scopes (Sequence[str]): The list of scopes to use. default_scopes (Sequence[str]): Default scopes passed by a Google client library. Use 'scopes' for user-defined scopes. Returns: google.auth.credentials.Credentials: Either a new set of scoped credentials, or the passed in credentials instance if no scoping was required. )r) isinstancerrr) credentialsrrs rwith_scopes_if_requiredrs3,+v&&;+F+F&&v&MMrc\rSrSrSr\R S5r\RS5r \RS5r Sr g)SigningizCInterface for credentials that can cryptographically sign messages.c[S5e)zSigns the given message. Args: message (bytes): The message to sign. Returns: bytes: The message's cryptographic signature. zSign bytes must be implemented.r<)rmessages r sign_bytesSigning.sign_bytess""CDDrc[S5e)z;Optional[str]: An email address that identifies the signer.z!Signer email must be implemented.r<r&s r signer_emailSigning.signer_emails ""EFFrc[S5e)z8google.auth.crypt.Signer: The signer used to sign bytes.zSigner must be implemented.r<r&s rsignerSigning.signers ""?@@rr8N) r`rarbrcrdrfrgrrrrrhr8rrrrsWM E E GG  AArrc$\rSrSrSrSrSrSrSrg)r*ia6 Tracks the state of a token. FRESH: The token is valid. It is not expired or close to expired, or the token has no expiry. STALE: The token is close to expired, and should be refreshed. The token can be used normally. INVALID: The token is expired or invalid. The token cannot be used for a normal operation. r8N) r`rarbrcrdr,r-r+rhr8rrr*r*s E EGrr*rM)rdrfenumrrr google.authrrrrgoogle.auth._credentials_basergoogle.auth._refresh_workerr rr rlrzrrABCMetarrrrr*r8rrrs "  2":<*V."V.r+, Mk M K ""?;"?JABs{{ABH*J^*JZ8A A@  r