kCin&"SrSSKrSSKrSSKrSSKrSSKrSSKrSSKJrJ r SSK J r SSK J r SSK Jr \R"\5rSrSS /rS rS rS rS rSr\"\\\-- \- 5r\/\-\/\--rSrSrSrSrSr Sr!Sr"Sr#Sr$g)z'Helpers for Agent Identity credentials.N)quoteurlparse)environment_vars) exceptions) _mtls_helperzThe cryptography library is required for certificate-based authentication.Please install it with `pip install google-auth[cryptography]`.z+^agents\.global\.org-\d+\.system\.id\.goog$z,^agents\.global\.proj-\d+\.system\.id\.goog$z=/var/run/secrets/workload-spiffe-credentials/certificates.pem2g?g?cU=(aH [RRU5=(a" [RRU5S:$)z)Checks if a file exists and is not empty.r)ospathexistsgetsize)r s ]/var/www/html/land-ocr/venv/lib/python3.13/site-packages/google/auth/_agent_identity_utils.py_is_certificate_file_readyr=s1  FBGGNN4( FRWW__T-BQ-FFcSSKn[RR[R 5nU(dgSn[ Hn[US5nURU5nURS05RS05RS5n[U5(a UsSSS5 s $SSS5 [[ 5(a[ s $["R$"U5 M [&R("S [R*S 35e!,(df  Nl=f![[[4a6 U(d,[RSU[R [5 S nNf=f) aGets the certificate path from the certificate config file. The path to the certificate config file is read from the GOOGLE_API_CERTIFICATE_CONFIG environment variable. This function implements a retry mechanism to handle cases where the environment variable is set before the files are available on the filesystem. Returns: str: The path to the leaf certificate file. Raises: google.auth.exceptions.RefreshError: If the certificate config file or the certificate file cannot be found after retries. rNFr cert_configsworkload cert_pathzfCertificate config file not found at %s (from %s environment variable). Retrying for up to %s seconds.TzCertificate config or certificate file not found after multiple retries. Token binding protection is failing. You can turn off this protection by setting z) to false to fall back to unbound tokens.)jsonr environgetrGOOGLE_API_CERTIFICATE_CONFIG_POLLING_INTERVALSopenloadrIOError ValueErrorKeyError_LOGGERwarning_TOTAL_TIMEOUT_WELL_KNOWN_CERT_PATHtimesleepr RefreshError7GOOGLE_API_PREVENT_AGENT_TOKEN_SHARING_FOR_GCP_SERVICES)rcert_config_pathhas_logged_warningintervalf cert_configrs r#get_agent_identity_certificate_pathr.BsGzz~~&6&T&TU & &,"iil OONB7SR(S% .i88$-,9-, &&; < <( ( 8A'D  ! ! \  S S TU* * A-,X. %@$$BB" &*"  s8 D*AD& D*3D* D' #D*'D**AE54E5c6[RR[RS5R 5S:HnU(ag[ 5nU(dg[US5nUR5nSSS5 [W5$!,(df  N=f)aGets and parses the agent identity certificate if not opted out. Checks if the user has opted out of certificate-bound tokens. If not, it gets the certificate path, reads the file, and parses it. Returns: The parsed certificate object if found and not opted out, otherwise None. truefalseNrb) r rrrr(lowerr.rreadparse_certificate) is_opted_outr cert_file cert_bytess r(get_and_parse_agent_identity_certificater9s   T T   %'   35I  i )^^%   Z ((  s &B  BcvSSKJn URU5$![an[[5UeSnAff=f)zParses a PEM-encoded certificate. Args: cert_bytes (bytes): The PEM-encoded certificate bytes. Returns: cryptography.x509.Certificate: The parsed certificate object. rx509N) cryptographyr<load_pem_x509_certificate ImportErrorCRYPTOGRAPHY_NOT_FOUND_ERROR)r8r<es rr5r5s9?%--j99 ?67Q>?s 838cSSKJn SSKJn URR UR 5nURRUR5nUHWn[U5nURS:XdM URn[H!n[R "X5(dM g MY g!URa gf=f!["an [#[$5U eSn A ff=f)azChecks if a certificate is an Agent Identity certificate. This is determined by checking the Subject Alternative Name (SAN) for a SPIFFE ID with a trust domain matching Agent Identity patterns. Args: cert (cryptography.x509.Certificate): The parsed certificate object. Returns: bool: True if the certificate is an Agent Identity certificate, False otherwise. rr;) ExtensionOIDFspiffeTN)r=r<cryptography.x509.oidrC extensionsget_extension_for_oidSUBJECT_ALTERNATIVE_NAMEExtensionNotFoundvalueget_values_for_typeUniformResourceIdentifierrschemenetloc,_AGENT_IDENTITY_SPIFFE_TRUST_DOMAIN_PATTERNSrematchr?r@) certr<rCexturisuri parsed_uri trust_domainpatternrAs r_is_agent_identity_certificaterYs?%6 //7755C yy,,T-K-KLC!#J  H,)00 KGxx66# L %%   ?67Q>?sL C %B7AC ;.C -C 0C 7C C C  C C,C''C,chSSKJn URURR5n[ R "U5R5n[R"U5RS5nURS5n[U5$![an[[5UeSnAff=f)aCalculates the URL-encoded, unpadded, base64-encoded SHA256 hash of a DER-encoded certificate. Args: cert (cryptography.x509.Certificate): The parsed certificate object. Returns: str: The URL-encoded, unpadded, base64-encoded SHA256 fingerprint. r) serializationzutf-8=N)cryptography.hazmat.primitivesr[ public_bytesEncodingDERhashlibsha256digestbase64 b64encodedecoderstriprr?r@)rRr[der_cert fingerprintbase64_fingerprintunpadded_base64_fingerprintrAs r!calculate_certificate_fingerprintrls?@$$]%;%;%?%?@nnX.557 $--k:AA'J&8&?&?&D#011 ?67Q>?sBB B1B,,B1c[U5n[RR[R S5R 5S:HnU=(a U$)akDetermines if a bound token should be requested. This is based on the GOOGLE_API_PREVENT_AGENT_TOKEN_SHARING_FOR_GCP_SERVICES environment variable and whether the certificate is an agent identity cert. Args: cert (cryptography.x509.Certificate): The parsed certificate object. Returns: bool: True if a bound token should be requested, False otherwise. r0)rYr rrrr(r3)rR is_agent_cert is_opted_ins rshould_request_bound_tokenrpsM348M   T T   %'     ([(rc6[R"SS9upp#X4$)zCCalls the client cert callback and returns the certificate and key.T)generate_encrypted_key)rget_client_ssl_credentials)_r8 key_bytes passphrases rcall_client_cert_callbackrw s%+7+R+R#,(A9   rcVU(a[U5n[U5nU$[S5e)z2Returns the fingerprint of the cached certificate.z"mTLS connection is not configured.)r5rlr) cached_certcert_objcached_cert_fingerprints rget_cached_cert_fingerprintr|s0$[1"CH"M #"=>>r)%__doc__rdraloggingr rPr% urllib.parserr google.authrrgoogle.auth.transportr getLogger__name__r!r@rOr$_FAST_POLL_CYCLES_FAST_POLL_INTERVAL_SLOW_POLL_INTERVALr#int_SLOW_POLL_CYCLESrrr.r9r5rYrlrprwr|rrrs.  ((".   H %F330, X(+>>?CVV++.??-- G >B)>?""?J?6).!#r