o i1@s8ddlmZddlZddlZddlZddlZddlZddlZddlZddlm Z m Z m Z m Z ddl mZmZmZddlmZddlmZddlmZmZmZmZmZmZmZdd lmZee Z!d Z"gd Z#d Z$d Z%dZ&GdddZ'de efddZ(de)fddZ*de)de)fddZ+de e)de,de)fddZ-dS))datetimeN)ListOptionalAnyDict) AccessTokenAccessTokenInfoTokenRequestOptions)ClientAuthenticationError)CredentialUnavailableError)_scopes_to_resource encode_base64resolve_tenant within_dacvalidate_tenant_idvalidate_scopevalidate_subscription) log_get_tokenzAzure CLI not found on path)accountzget-access-tokenz--outputjsonazz*Please run 'az login' to set up an accountzThis credential doesn't support claims challenges. To authenticate with the required claims, please run the following command (requires Azure CLI version 2.76.0 or later): az login --claims-challenge {claims_value}c @seZdZdZddddddedeedeeed ed df d d Zd d dZ de d dfddZ d!ddZ e ddddedeedeede d ef ddZe dddedeed efddZdddedeede d efddZdS)"AzureCliCredentialazAuthenticates by requesting a token from the Azure CLI. This requires previously logging in to Azure via "az login", and will use the CLI's currently logged in identity. :keyword str tenant_id: Optional tenant to include in the token request. :keyword str subscription: The name or ID of a subscription. Set this to acquire tokens for an account other than the Azure CLI's current account. :keyword List[str] additionally_allowed_tenants: Specifies tenants in addition to the specified "tenant_id" for which the credential may acquire tokens. Add the wildcard value "*" to allow the credential to acquire tokens for any tenant the application can access. :keyword int process_timeout: Seconds to wait for the Azure CLI process to respond. Defaults to 10 seconds. .. admonition:: Example: .. literalinclude:: ../samples/credential_creation_code_snippets.py :start-after: [START create_azure_cli_credential] :end-before: [END create_azure_cli_credential] :language: python :dedent: 4 :caption: Create an AzureCliCredential. N ) tenant_id subscriptionadditionally_allowed_tenantsprocess_timeoutrrrrreturncCs8|rt||r t|||_||_|pg|_||_dSN)rrrr_additionally_allowed_tenants_process_timeout)selfrrrrr$\/home/app/Keep/.python/lib/python3.10/site-packages/azure/identity/_credentials/azure_cli.py__init__Ds  zAzureCliCredential.__init__cCs|Sr r$r#r$r$r% __enter__VzAzureCliCredential.__enter__argscGsdSr r$)r#r*r$r$r%__exit__Yr)zAzureCliCredential.__exit__cCsdS)z#Calling this method is unnecessary.Nr$r'r$r$r%close\szAzureCliCredential.close)claimsrscopesr-kwargscOs>i}|r||d<|r||d<|j|d|i|}t|j|jS)arRequest an access token for `scopes`. This method is called automatically by Azure SDK clients. Applications calling this method directly must also handle token caching because this credential doesn't cache the tokens it acquires. :param str scopes: desired scope for the access token. This credential allows only one scope per request. For more information about scopes, see https://learn.microsoft.com/entra/identity-platform/scopes-oidc. :keyword str claims: additional claims required in the token. This credential does not support claims challenges. :keyword str tenant_id: optional tenant to include in the token request. :return: An access token with the desired scopes. :rtype: ~azure.core.credentials.AccessToken :raises ~azure.identity.CredentialUnavailableError: the credential was either unable to invoke the Azure CLI or a claims challenge was provided. :raises ~azure.core.exceptions.ClientAuthenticationError: the credential invoked the Azure CLI but didn't receive an access token. rr-options)_get_token_basertoken expires_on)r#r-rr.r/r0Z token_infor$r$r% get_token_szAzureCliCredential.get_token)r0r0cGs|j|d|iS)aRequest an access token for `scopes`. This is an alternative to `get_token` to enable certain scenarios that require additional properties on the token. This method is called automatically by Azure SDK clients. Applications calling this method directly must also handle token caching because this credential doesn't cache the tokens it acquires. :param str scopes: desired scopes for the access token. This credential allows only one scope per request. For more information about scopes, see https://learn.microsoft.com/entra/identity-platform/scopes-oidc. :keyword options: A dictionary of options for the token request. Unknown options will be ignored. Optional. :paramtype options: ~azure.core.credentials.TokenRequestOptions :rtype: ~azure.core.credentials.AccessTokenInfo :return: An AccessTokenInfo instance containing information about the token. :raises ~azure.identity.CredentialUnavailableError: the credential was either unable to invoke the Azure CLI or a claims challenge was provided. :raises ~azure.core.exceptions.ClientAuthenticationError: the credential invoked the Azure CLI but didn't receive an access token. r0)r1)r#r0r.r$r$r%get_token_infosz!AzureCliCredential.get_token_infocOs4|r3d|vr3|dr3tjt|dd}|dr#|d|d7}|r.|d|d7}t|d|r:|dnd}|rBt||D]}t|qDt|}td|g}t d|j ||j d |} | rj|d | g7}|j rt|d |j g7}t ||j} t| } | st| } d | d } trt| dt| d| S)Nr-)Z claims_valuerz --tenant z --scope rmessagez --resource)Zdefault_tenantrrz--tenantz--subscriptionz#Unexpected output from Azure CLI: 'z'. To mitigate this issue, please refer to the troubleshooting guidelines here at https://aka.ms/azsdk/python/identity/azclicredential/troubleshoot.r$)CLAIMS_UNSUPPORTED_ERRORformatrgetr rrr COMMAND_LINErrr!r _run_commandr" parse_tokensanitize_outputrr )r#r0r.r/ error_messagerscoperesource command_argsZtenantoutputr2Zsanitized_outputr7r$r$r%r1sF         z"AzureCliCredential._get_token_base)rr)rN)__name__ __module__ __qualname____doc__strrrintr&r(rr+r,rrr4r rr5r1r$r$r$r%r-s\    $"rrc Cspz+t|}d|vrt|dt|dWSt|dd}|}t|dt|WSttfy7YdSw)aParse output of 'az account get-access-token' to an AccessToken. In particular, convert the "expiresOn" value to epoch seconds. This value is a naive local datetime as returned by datetime.fromtimestamp. :param str output: Output of 'az' command. :return: An AccessToken or None if the output isn't valid. :rtype: azure.core.credentials.AccessToken or None r3Z accessTokenZ expiresOnz%Y-%m-%d %H:%M:%S.%fN) rloadsrrIrstrptime timestampKeyError ValueError)rCr2dtr3r$r$r%r=s r=cCs.tjdrtjd}|stdd|SdS)zInvoke 'az' from a directory controlled by the OS, not the executing program's directory. :return: The path to the directory. :rtype: str winZ SYSTEMROOTz.Environment variable 'SYSTEMROOT' has no valuer6z/bin)sysplatform startswithosenvironr:r )pathr$r$r%get_safe_working_dirs   rWrCcCstdd|S)zRedact access tokens from CLI output to prevent error messages revealing them. :param str output: The output of the Azure CLI. :return: The output with access tokens redacted. :rtype: str z\"accessToken\": \"(.*?)(\"|$)z****)resub)rCr$r$r%r>sr>rBtimeoutc Cstjdrttdptt}ntt}|sttd|g|}z#t}t j t j |d|t t jddd}td|t j|fi|WSt jy}zK|jd ks`|jdurf|jd rfttd||jdurd |jvsud |jvrd |jvrttd||jrt|j}nd}trt|d|t|d|d}~wty}z td|dd}||d}~wty}ztdd}||d}~ww)NrPz.cmdr6Ttrue)ZAZURE_CORE_NO_COLOR)stderrstdincwduniversal_newlinesrZenvz4Executing subprocess with the following arguments %sz'az' is not recognizedzaz loginzaz account setZAADSTSzFailed to invoke Azure CLIzFailed to execute '{}'rzFailed to invoke the Azure CLI)rQrRrSshutilwhichEXECUTABLE_NAMEr CLI_NOT_FOUNDrW subprocessPIPEDEVNULLdictrTrU_LOGGERdebug check_outputCalledProcessError returncoder\ NOT_LOGGED_INr>rr:r OSErrorr9 Exception) rBrZZaz_pathr*Zworking_directoryr/exr7errorr$r$r%r<sN              r<).rrrTrXloggingrbrfrQtypingrrrrZazure.core.credentialsrrr Zazure.core.exceptionsr rr _internalr rrrrrrZ_internal.decoratorsr getLoggerrDrjrer;rdror8rr=rHrWr>rIr<r$r$r$r%s6   $ $