o i# @s.ddlmZddlmZmZmZmZmZmZddl m Z ddl m Z m Z ddlmZddlmZddlmZdd lmZGd d d eZd ed efddZedd efddefgZd dedeed efddZd dedeed efddZ    d!deedeeeefdeededed ef ddZdS)")hexlify)cast NamedTupleUnionDictAnyOptional)x509)hashes serialization) RSAPrivateKey)default_backend)validate_tenant_id)ClientCredentialBasec s<eZdZdZd dededeededdf fdd ZZS) CertificateCredentiala Authenticates as a service principal using a certificate. The certificate must have an RSA private key, because this credential signs assertions using RS256. See `Microsoft Entra ID documentation `__ for more information on configuring certificate authentication. :param str tenant_id: ID of the service principal's tenant. Also called its "directory" ID. :param str client_id: The service principal's client ID :param str certificate_path: Optional path to a certificate file in PEM or PKCS12 format, including the private key. If not provided, **certificate_data** is required. :keyword str authority: Authority of a Microsoft Entra endpoint, for example "login.microsoftonline.com", the authority for Azure Public Cloud (which is the default). :class:`~azure.identity.AzureAuthorityHosts` defines authorities for other clouds. :keyword bytes certificate_data: The bytes of a certificate in PEM or PKCS12 format, including the private key :keyword password: The certificate's password. If a unicode string, it will be encoded as UTF-8. If the certificate requires a different encoding, pass appropriately encoded bytes instead. :paramtype password: str or bytes :keyword bool send_certificate_chain: If True, the credential will send the public certificate chain in the x5c header of each token request's JWT. This is required for Subject Name/Issuer (SNI) authentication. Defaults to False. :keyword cache_persistence_options: Configuration for persistent token caching. If unspecified, the credential will cache tokens in memory. :paramtype cache_persistence_options: ~azure.identity.TokenCachePersistenceOptions :keyword bool disable_instance_discovery: Determines whether or not instance discovery is performed when attempting to authenticate. Setting this to true will completely disable both instance discovery and authority validation. This functionality is intended for use in scenarios where the metadata endpoint cannot be reached, such as in private clouds or Azure Stack. The process of instance discovery entails retrieving authority metadata from https://login.microsoft.com/ to validate the authority. By setting this to **True**, the validation of the authority is disabled. As a result, it is crucial to ensure that the configured authority host is valid and trustworthy. :keyword List[str] additionally_allowed_tenants: Specifies tenants in addition to the specified "tenant_id" for which the credential may acquire tokens. Add the wildcard value "*" to allow the credential to acquire tokens for any tenant the application can access. .. admonition:: Example: .. literalinclude:: ../samples/credential_creation_code_snippets.py :start-after: [START create_certificate_credential] :end-before: [END create_certificate_credential] :language: python :dedent: 4 :caption: Create a CertificateCredential. N tenant_id client_idcertificate_pathkwargsreturnc s:t|t|fi|}tt|jd|||d|dS)N)rclient_credentialr)rget_client_credentialsuperr__init__)selfrrrrr __class__r^/home/app/Keep/.python/lib/python3.10/site-packages/azure/identity/_credentials/certificate.pyr@s  zCertificateCredential.__init__N) __name__ __module__ __qualname____doc__strrrr __classcell__rrrrrs0.r pem_bytesrcCs>|d}d}||}|||t|d}d|S)zExtract a certificate chain from a PEM file's bytes, removing line breaks. :param bytes pem_bytes: The PEM file's bytes :return: The certificate chain :rtype: bytes s-----BEGIN CERTIFICATE-----s-----END CERTIFICATE-----)indexrindexlenjoin splitlines)r'startfooterendchainrrrextract_cert_chainJs  r3_Cert) private_keyr fingerprintNcertificate_datapasswordcCs:tj||td}t|t}|t}t|||S)Nbackend) r Zload_pem_private_keyr r Zload_pem_x509_certificater6r SHA1r4)r7r8r5certr6rrrload_pem_certificate^s r=c sddlmm}m}m}z|j||td\}}}Wnty+}ztd|d}~ww|s2td|s8td|j |j |} | gfdd|g|D} d | } | t } t| || S) Nr)Encoding NoEncryptionpkcs12 PrivateFormatr9z9Failed to deserialize certificate in PEM or PKCS12 formatz,The certificate must include its private keycsg|]}|jqSr) public_bytesPEM).0cr>rr xsz+load_pkcs12_certificate..r))Z,cryptography.hazmat.primitives.serializationr>r?r@rAZload_key_and_certificatesr ValueErrorZ private_bytesrCZPKCS8r-r6r r;r4) r7r8r?r@rAr5r<Zadditional_certsex key_bytesZ pem_sectionsr'r6rrFrload_pkcs12_certificatees$   rKFrsend_certificate_chain_c Ks|r"|rtdt|d }|}Wdn1swYn|s(td|r4t|tr4|d}td|}d|vrCt||}nt||}d}t|j t sTtd|j t |j dd }|rf||d <|rzt|j }|d|d <W|Sty} ztd | d} ~ ww|S) aLoad a certificate from a filesystem path or bytes, return it as a dict suitable for msal.ClientApplication. :param str certificate_path: Path to a PEM or PKCS12 certificate file. :param bytes password: The certificate's password, if any. :param bytes certificate_data: The PEM or PKCS12 certificate's bytes. :param bool send_certificate_chain: Whether to send the certificate chain. Defaults to False. :return: The certificate as a dict :rtype: dict zHPlease specify either "certificate_path" or "certificate_data", not bothrbNzZCertificateCredential requires a value for either "certificate_path" or "certificate_data"zutf-8zOptional[bytes]s -----BEGINzNThe certificate must have an RSA private key because RS256 is used for signing)r5Z thumbprintZ passphraseZpublic_certificatezMalformed certificate)rHopenread isinstancer%encoderr=rKr5r r'rr6decoder3) rr8r7rLrMfr<rr2rIrrrrs@          rr )NNNF)binasciirtypingrrrrrrZ cryptographyr Zcryptography.hazmat.primitivesr r Z-cryptography.hazmat.primitives.asymmetric.rsar Zcryptography.hazmat.backendsr _internalrZ _internal.client_credential_baserrbytesr3r4r=rKr%boolrrrrrs<       9