(ph/#SrSSKrSSKJr SSKJr SSKJr SSKJr SSKJr SSKJ r S r S r S r \R"S S 9r"SS\R5rg)z'Experimental GDCH credentials support. N)_helpers)_service_account_info) credentials) exceptions)jwt)_clientz/urn:ietf:params:oauth:token-type:token-exchangez-urn:ietf:params:oauth:token-type:access_tokenz.urn:k8s:params:oauth:token-type:serviceaccounti)secondsc^\rSrSrSrU4SjrSr\R"\ R5S5r Sr \ S5r\ S5r\ S 5rS rU=r$) ServiceAccountCredentials"aCredentials for GDCH (`Google Distributed Cloud Hosted`_) for service account users. .. _Google Distributed Cloud Hosted: https://cloud.google.com/blog/topics/hybrid-cloud/ announcing-google-distributed-cloud-edge-and-hosted To create a GDCH service account credential, first create a JSON file of the following format:: { "type": "gdch_service_account", "format_version": "1", "project": "", "private_key_id": "", "private_key": "-----BEGIN EC PRIVATE KEY----- -----END EC PRIVATE KEY----- ", "name": "", "ca_cert_path": "", "token_uri": "https://service-identity./authenticate" } The "format_version" field stands for the format of the JSON file. For now it is always "1". The `private_key_id` and `private_key` is used for signing. The `ca_cert_path` is used for token server TLS certificate verification. After the JSON file is created, set `GOOGLE_APPLICATION_CREDENTIALS` environment variable to the JSON file path, then use the following code to create the credential:: import google.auth credential, _ = google.auth.default() credential = credential.with_gdch_audience("") We can also create the credential directly:: from google.oauth import gdch_credentials credential = gdch_credentials.ServiceAccountCredentials.from_service_account_file("") credential = credential.with_gdch_audience("") The token is obtained in the following way. This class first creates a self signed JWT. It uses the `name` value as the `iss` and `sub` claim, and the `token_uri` as the `aud` claim, and signs the JWT with the `private_key`. It then sends the JWT to the `token_uri` to exchange a final token for `audience`. cr>[[U] 5 XlX lX0lX@lXPlX`lg)a Args: signer (google.auth.crypt.Signer): The signer used to sign JWTs. service_identity_name (str): The service identity name. It will be used as the `iss` and `sub` claim in the self signed JWT. project (str): The project. audience (str): The audience for the final token. token_uri (str): The token server uri. ca_cert_path (str): The CA cert path for token server side TLS certificate verification. If the token server uses well known CA, then this parameter can be `None`. N) superr __init___signer_service_identity_name_project _audience _token_uri _ca_cert_path)selfsignerservice_identity_nameprojectaudience token_uri ca_cert_path __class__s Q/var/www/html/venv/lib/python3.13/site-packages/google/oauth2/gdch_credentials.pyr"ServiceAccountCredentials.__init__Ss3 '79 &;# !#)ch[R"5nU[-nSRURUR 5nUUUR [R"U5[R"U5S.n[R"[R"URU55$)Nzsystem:serviceaccount:{}:{})isssubaudiatexp) rutcnow JWT_LIFETIMEformatrrrdatetime_to_secs from_bytesrencoder)rnowexpiry iss_sub_valuepayloads r _create_jwt%ServiceAccountCredentials._create_jwtjsoo|#5<< MM466 ! ??,,S1,,V4  ""3::dllG#DEEr c SSKn[XRRRR 5(d[ R"S5eUR5n[UR[U[S.n[R"UURUSSUR S9n[R""US5uUlo`lng)NrzeFor GDCH service account credentials, request must be a google.auth.transport.requests.Request object) grant_typerrequested_token_type subject_tokensubject_token_typeT) access_tokenuse_jsonverify)google.auth.transport.requests isinstanceauth transportrequestsRequestr RefreshErrorr1TOKEN_EXCHANGE_TYPErACCESS_TOKEN_TOKEN_TYPESERVICE_ACCOUNT_TOKEN_TYPEr_token_endpoint_requestrr_handle_refresh_grant_responsetokenr.)rrequestgoogle jwt_token request_body response_data_s rrefresh!ServiceAccountCredentials.refresh{s-';;#8#8#A#A#I#IJJ))w  $$& -$;&"<   77  OO %%  )0(N(N 4) % A{Ar cURURURURUURUR 5$)zCreate a copy of GDCH credentials with the specified audience. Args: audience (str): The intended audience for GDCH credentials. )rrrrrr)rrs rwith_gdch_audience,ServiceAccountCredentials.with_gdch_audiences? ~~ LL  ' ' MM  OO      r c vUSS:wa [S5eU"UUSUSSUSURSS55$) a|Creates a Credentials instance from a signer and service account info. Args: signer (google.auth.crypt.Signer): The signer used to sign JWTs. info (Mapping[str, str]): The service account info. Returns: google.oauth2.gdch_credentials.ServiceAccountCredentials: The constructed credentials. Raises: ValueError: If the info is not in the expected format. format_version1z"Only format version 1 is supportednamerNrr) ValueErrorget)clsrinfos r_from_signer_and_info/ServiceAccountCredentials._from_signer_and_infosU  !S (AB B  L O    HH^T *   r cT[R"U/SQSS9nURX!5$)aCreates a Credentials instance from parsed service account info. Args: info (Mapping[str, str]): The service account info in Google format. kwargs: Additional arguments to pass to the constructor. Returns: google.oauth2.gdch_credentials.ServiceAccountCredentials: The constructed credentials. Raises: ValueError: If the info is not in the expected format. rTprivate_key_id private_keyrVrrFrequireuse_rsa_signer)r from_dictr[)rYrZrs rfrom_service_account_info3ServiceAccountCredentials.from_service_account_infos4 '00 !  ((66r cX[R"U/SQSS9up#URX25$)a1Creates a Credentials instance from a service account json file. Args: filename (str): The path to the service account json file. kwargs: Additional arguments to pass to the constructor. Returns: google.oauth2.gdch_credentials.ServiceAccountCredentials: The constructed credentials. r^Fra)r from_filenamer[)rYfilenamerZrs rfrom_service_account_file3ServiceAccountCredentials.from_service_account_files6-:: !  ((66r )rrrrrrr.rG)__name__ __module__ __qualname____firstlineno____doc__rr1rcopy_docstringr CredentialsrNrQ classmethodr[rerj__static_attributes__ __classcell__)rs@rr r "sz.`*.F"[445 6 <    677:77r r )rpdatetime google.authrrrrr google.oauth2rrBrCrD timedeltar(rrr r rr{sZ -#"!HIM!!$/ Y7 7 7Y7r