o
    iP                     @   s$  d dl Z d dlZd dlmZmZmZmZ d dlmZm	Z	m
Z
mZmZ ddlmZ ddlmZ ddlmZmZmZmZ dd	lmZ dd
lmZ ddlmZ ddlmZ ddlmZ ddl m!Z! ddl"m#Z# ddl$m%Z% ddl&m'Z' ddl(m)Z) ddl*m+Z+ e ,e-Z.G dd dZ/G dd deZ0dS )    N)ListAnyOptionalcast)AccessTokenAccessTokenInfoTokenRequestOptionsSupportsTokenInfoTokenCredential   )CredentialUnavailableError)EnvironmentVariables)get_default_authoritynormalize_authority
within_dacprocess_credential_exclusions   )AzurePowerShellCredential)BrokerCredential)InteractiveBrowserCredential)ChainedTokenCredential)EnvironmentCredential)ManagedIdentityCredential)SharedTokenCacheCredential)AzureCliCredential)AzureDeveloperCliCredential)VisualStudioCodeCredential)WorkloadIdentityCredentialc                   @   s   e Zd ZdZdededdfddZded	edefd
dZddde	e
 d	edefddZdddZdeddfddZdddZdS )FailedDACCredentialzThis acts as a substitute for a credential that has failed to initialize in the DAC chain.

    This allows instantiation errors to be reported in ChainedTokenCredential if all token requests fail.
    credential_nameerrorreturnNc                 C   s   || _ || _d S N)_errorZ_credential_name)selfr   r     r%   Z/home/app/Keep/.python/lib/python3.10/site-packages/azure/identity/_credentials/default.py__init__(   s   
zFailedDACCredential.__init__scopeskwargsc                 O   
   t | jr"   r   r#   )r$   r(   r)   r%   r%   r&   	get_token,      
zFailedDACCredential.get_tokenoptionsr/   c                O   r*   r"   r+   )r$   r/   r(   r)   r%   r%   r&   get_token_info/   r-   z"FailedDACCredential.get_token_infoc                 C   s   | S r"   r%   r$   r%   r%   r&   	__enter__2      zFailedDACCredential.__enter__argsc                 G      d S r"   r%   )r$   r4   r%   r%   r&   __exit__5   r3   zFailedDACCredential.__exit__c                 C   r5   r"   r%   r1   r%   r%   r&   close8   r3   zFailedDACCredential.close)r!   r   )r!   N)__name__
__module____qualname____doc__strr'   r   r   r,   r   r   r   r0   r2   r6   r7   r%   r%   r%   r&   r   "   s     
r   c                       s   e Zd ZdZdeddf fddZdddded	ee d
ee dedef
 fddZ	dddedee
 def fddZ  ZS )DefaultAzureCredentiala  A credential capable of handling most Azure SDK authentication scenarios. For more information, See
    `Usage guidance for DefaultAzureCredential
    <https://aka.ms/azsdk/python/identity/credential-chains#usage-guidance-for-defaultazurecredential>`__.

    The identity it uses depends on the environment. When an access token is needed, it requests one using these
    identities in turn, stopping when one provides a token:

    1. A service principal configured by environment variables. See :class:`~azure.identity.EnvironmentCredential` for
       more details.
    2. WorkloadIdentityCredential if environment variable configuration is set by the Azure workload
       identity webhook.
    3. An Azure managed identity. See :class:`~azure.identity.ManagedIdentityCredential` for more details.
    4. On Windows only: a user who has signed in with a Microsoft application, such as Visual Studio. If multiple
       identities are in the cache, then the value of the environment variable ``AZURE_USERNAME`` is used to select
       which identity to use. See :class:`~azure.identity.SharedTokenCacheCredential` for more details.
    5. The identity logged in to Visual Studio Code with the Azure Resources extension.
    6. The identity currently logged in to the Azure CLI.
    7. The identity currently logged in to Azure PowerShell.
    8. The identity currently logged in to the Azure Developer CLI.
    9. Brokered authentication. On Windows and WSL only, this uses the default account logged in via
       Web Account Manager (WAM) if the `azure-identity-broker` package is installed.

    This default behavior is configurable with keyword arguments.

    :keyword str authority: Authority of a Microsoft Entra endpoint, for example 'login.microsoftonline.com',
        the authority for Azure Public Cloud (which is the default). :class:`~azure.identity.AzureAuthorityHosts`
        defines authorities for other clouds. Managed identities ignore this because they reside in a single cloud.
    :keyword bool exclude_workload_identity_credential: Whether to exclude the workload identity from the credential.
        Defaults to **False**.
    :keyword bool exclude_developer_cli_credential: Whether to exclude the Azure Developer CLI
        from the credential. Defaults to **False**.
    :keyword bool exclude_cli_credential: Whether to exclude the Azure CLI from the credential. Defaults to **False**.
    :keyword bool exclude_environment_credential: Whether to exclude a service principal configured by environment
        variables from the credential. Defaults to **False**.
    :keyword bool exclude_managed_identity_credential: Whether to exclude managed identity from the credential.
        Defaults to **False**.
    :keyword bool exclude_powershell_credential: Whether to exclude Azure PowerShell. Defaults to **False**.
    :keyword bool exclude_visual_studio_code_credential: Whether to exclude stored credential from VS Code.
        Defaults to **False**.
    :keyword bool exclude_shared_token_cache_credential: Whether to exclude the shared token cache. Defaults to
        **False**.
    :keyword bool exclude_interactive_browser_credential: Whether to exclude interactive browser authentication (see
        :class:`~azure.identity.InteractiveBrowserCredential`). Defaults to **True**.
    :keyword bool exclude_broker_credential: Whether to exclude the broker credential from the credential chain.
        Defaults to **False**.
    :keyword str interactive_browser_tenant_id: Tenant ID to use when authenticating a user through
        :class:`~azure.identity.InteractiveBrowserCredential`. Defaults to the value of environment variable
        AZURE_TENANT_ID, if any. If unspecified, users will authenticate in their home tenants.
    :keyword str broker_tenant_id: The tenant ID to use when using brokered authentication. Defaults to the value of
        environment variable AZURE_TENANT_ID, if any. If unspecified, users will authenticate in their home tenants.
    :keyword str managed_identity_client_id: The client ID of a user-assigned managed identity. Defaults to the value
        of the environment variable AZURE_CLIENT_ID, if any. If not specified, a system-assigned identity will be used.
    :keyword str workload_identity_client_id: The client ID of an identity assigned to the pod. Defaults to the value
        of the environment variable AZURE_CLIENT_ID, if any. If not specified, the pod's default identity will be used.
    :keyword str workload_identity_tenant_id: Preferred tenant for :class:`~azure.identity.WorkloadIdentityCredential`.
        Defaults to the value of environment variable AZURE_TENANT_ID, if any.
    :keyword str interactive_browser_client_id: The client ID to be used in interactive browser credential. If not
        specified, users will authenticate to an Azure development application.
    :keyword str broker_client_id: The client ID to be used in brokered authentication. If not specified, users will
        authenticate to an Azure development application.
    :keyword str shared_cache_username: Preferred username for :class:`~azure.identity.SharedTokenCacheCredential`.
        Defaults to the value of environment variable AZURE_USERNAME, if any.
    :keyword str shared_cache_tenant_id: Preferred tenant for :class:`~azure.identity.SharedTokenCacheCredential`.
        Defaults to the value of environment variable AZURE_TENANT_ID, if any.
    :keyword str visual_studio_code_tenant_id: Tenant ID to use when authenticating with
        :class:`~azure.identity.VisualStudioCodeCredential`. Defaults to the tenant specified in the authentication
        record file used by the Azure Resources extension.
    :keyword int process_timeout: The timeout in seconds to use for developer credentials that run
        subprocesses (e.g. AzureCliCredential, AzurePowerShellCredential). Defaults to **10** seconds.
    :keyword bool require_envvar: If **True**, require that the AZURE_TOKEN_CREDENTIALS environment variable be set
        to a value denoting the credential type or credential group to use. If unset or empty, DefaultAzureCredential
        will raise a `ValueError`. Defaults to **False**.

    .. admonition:: Example:

        .. literalinclude:: ../samples/credential_creation_code_snippets.py
            :start-after: [START create_default_credential]
            :end-before: [END create_default_credential]
            :language: python
            :dedent: 4
            :caption: Create a DefaultAzureCredential.
    r)   r!   Nc           $         s
  d|v rt d|dd }|rt|nt }|dd }|dtjtj}|dtjtj	}|d|}|dtjtj}|d	d }|d
tjtj}	|dd }
|dtjtj
}|dtjtj}|dd}|dd}tjtjd  }|r|stdddddddddddddddddddddd ddd!d"ddd#d$ddd%d&d'dd(ddd)
}i }i }| D ]\}}tt|d* }||d ||< |d+ ||< qt|||}|d, }|d- }|d. }|d/ }|d0 }|d1 }|d2 }|d3 }|d4 }|d5 }g } td' |s+| td@|d'd6| |sez| td@tt||tjtjd7| W n tyd }! z| td8t|!d9 W Y d }!~!nd }!~!ww |sx| td@|||dkd:| |st rtd@|||d;|}"| |" |s| t|d< |s| t|d= |s| t|d= |s| t |d= |s|r| t!d@||d>| n| t!d@d|i| |sd|	i|}#|
r|
|#d?< | t"d@i |# td t#t$| j%|   d S )AN	tenant_idz7'tenant_id' is not supported in DefaultAzureCredential.	authorityZvisual_studio_code_tenant_idinteractive_browser_tenant_idmanaged_identity_client_idworkload_identity_client_idworkload_identity_tenant_idinteractive_browser_client_idbroker_tenant_idbroker_client_idshared_cache_usernameshared_cache_tenant_idprocess_timeout
   require_envvarF zAZURE_TOKEN_CREDENTIALS environment variable is required but is not set or is empty. Set it to 'dev', 'prod', or a specific credential name.exclude_environment_credentialZenvironmentcredential)exclude_paramenv_namedefault_exclude$exclude_workload_identity_credentialZworkloadidentitycredential#exclude_managed_identity_credentialZmanagedidentitycredential%exclude_shared_token_cache_credential)rN   rP   %exclude_visual_studio_code_credentialZvisualstudiocodecredentialexclude_cli_credentialZazureclicredential exclude_developer_cli_credentialZazuredeveloperclicredentialexclude_powershell_credentialZazurepowershellcredential&exclude_interactive_browser_credentialZinteractivebrowsercredentialTexclude_broker_credential)
environmentworkload_identitymanaged_identityshared_token_cachevisual_studio_codeclideveloper_cli
powershellinteractive_browserbrokerrN   rP   rZ   r[   r\   r]   r^   r_   r`   ra   rb   rc   )r?   Z_within_dac)	client_idr>   Ztoken_file_pathr   )r    )rd   Z%_exclude_workload_identity_credentialZ_enable_imds_probe)usernamer>   r?   )r>   )rI   )r>   rd   rd   r%   )&	TypeErrorpopr   r   osenvirongetr   ZAZURE_TENANT_IDZAZURE_CLIENT_IDZAZURE_USERNAMEZAZURE_TOKEN_CREDENTIALSstriplower
ValueErroritemsr   r<   r   r   setappendr   r   ZAZURE_FEDERATED_TOKEN_FILEr   r   r   	supportedr   r   r   r   r   r   superr=   r'   )$r$   r)   r?   Zvscode_tenant_idr@   rA   rB   rC   rD   rE   rF   rG   rH   rI   rK   Ztoken_credentials_envZcredential_configZexclude_flagsZuser_excludesZcred_keyconfig
param_namerM   rQ   rR   rS   rT   rU   rV   rW   rX   rY   credentialsexshared_cacheZbroker_credential_args	__class__r%   r&   r'      s$  4
"

zDefaultAzureCredential.__init__claimsr>   r(   r{   r>   c             	      s   | j r tt| j j|||d|}td| jj| j jj |S t	d zt
 j|||d|}W t	d |S t	d w )a  Request an access token for `scopes`.

        This method is called automatically by Azure SDK clients.

        :param str scopes: desired scopes for the access token. This method requires at least one scope.
            For more information about scopes, see
            https://learn.microsoft.com/entra/identity-platform/scopes-oidc.
        :keyword str claims: additional claims required in the token, such as those returned in a resource provider's
            claims challenge following an authorization failure.
        :keyword str tenant_id: optional tenant to include in the token request.

        :return: An access token with the desired scopes.
        :rtype: ~azure.core.credentials.AccessToken

        :raises ~azure.core.exceptions.ClientAuthenticationError: authentication failed. The exception has a
            `message` attribute listing each authentication attempt and its error message.
        rz   %s acquired a token from %sTF)_successful_credentialr   r
   r,   _LOGGERinfory   r8   r   ro   rr   )r$   r{   r>   r(   r)   tokenrx   r%   r&   r,   ;  s    

z DefaultAzureCredential.get_tokenr.   r/   c             	      sz   | j rtt| j j|d|i}td| jj| j jj |S t	d zttt
 j|d|i}W t	d |S t	d w )a  Request an access token for `scopes`.

        This is an alternative to `get_token` to enable certain scenarios that require additional properties
        on the token. This method is called automatically by Azure SDK clients.

        :param str scopes: desired scopes for the access token. This method requires at least one scope.
            For more information about scopes, see https://learn.microsoft.com/entra/identity-platform/scopes-oidc.
        :keyword options: A dictionary of options for the token request. Unknown options will be ignored. Optional.
        :paramtype options: ~azure.core.credentials.TokenRequestOptions

        :rtype: ~azure.core.credentials.AccessTokenInfo
        :return: An AccessTokenInfo instance containing information about the token.

        :raises ~azure.core.exceptions.ClientAuthenticationError: authentication failed. The exception has a
           `message` attribute listing each authentication attempt and its error message.
        r/   r|   TF)r}   r   r	   r0   r~   r   ry   r8   r   ro   rr   )r$   r/   r(   Z
token_inforx   r%   r&   r0   ^  s   

z%DefaultAzureCredential.get_token_info)r8   r9   r:   r;   r   r'   r<   r   r   r,   r   r   r0   __classcell__r%   r%   rx   r&   r=   <   s"    S -,#r=   )1loggingrh   typingr   r   r   r   Zazure.core.credentialsr   r   r   r	   r
   rL   r   
_constantsr   Z_internal.utilsr   r   r   r   Zazure_powershellr   rc   r   Zbrowserr   Zchainedr   rZ   r   r\   r   rw   r   Z	azure_clir   Zazd_clir   Zvscoder   r[   r   	getLoggerr8   r~   r   r=   r%   r%   r%   r&   <module>   s*   
