o i8@sdZddlZddlZddlZddlZddlZddlmZmZm Z m Z ddl m Z ddl mZmZmZddlmZddlmZd d lmZd d lmZd d lmZmZd d lmZejZee Z!dej"ddej#ddej$diZ%de&fddZ'ddZ(GdddeeZ)dS)zIBase class for credentials using MSAL for interactive user authenticationN)AnyOptionalIterableDict)urlparse) AccessTokenAccessTokenInfoTokenRequestOptions)ClientAuthenticationError)MsalCredential)AuthenticationRecord)KnownAuthorities)AuthenticationRequiredErrorCredentialUnavailableError)wrap_exceptionszhttps://)z2https://management.core.chinacloudapi.cn//.default)z3https://management.core.usgovcloudapi.net//.default)z-https://management.core.windows.net//.defaultreturncCs.|dt| d7}t|}t|dS)zDecode client info. Taken from msal.oauth2cli.oidc. :param str raw: base64-encoded client info :return: decoded client info :rtype: str =zutf-8)lenstrbase64urlsafe_b64decodedecode)rawr[/home/app/Keep/.python/lib/python3.10/site-packages/azure/identity/_internal/interactive.py_decode_client_info#src CszE|d}d|vrtt|d}djdi|}n|d}t|d}|dp/|jd}|dp8|d }t|j |d |||d WSt t fy[}zt d d }||d}~ww)a~Build an AuthenticationRecord from the result of an MSAL ClientApplication token request. :param response: The result of a token request :type response: dict[str, typing.Any] :return: An AuthenticationRecord :rtype: ~azure.identity.AuthenticationRecord :raises ~azure.core.exceptions.ClientAuthenticationError: If the response doesn't contain expected data Zid_token_claims client_infoz {uid}.{utid}subZisstid/Zpreferred_usernameZupnZaud) authority client_idhome_account_id tenant_idusernamezCFailed to build AuthenticationRecord from unexpected identity tokenmessageNr) jsonloadsrformatrgetpathstriprnetlocKeyError ValueErrorr ) responseZid_tokenrr%Zissuerr&r'exZ auth_errorrrr_build_auth_record0s.  r5c s$eZdZddddeedededdffdd Zdddd d ed eed eededede f ddZ ddd edee de fddZ dddd edee dedede f ddZdddddd eeed eed eedededef ddZed edede fddZejdefdd ZZS)!InteractiveCredentialNF)authentication_record disable_automatic_authenticationr7r8kwargsrc sv||_||_|jr.|dd|ddp|jj}tt|jd|jj|jj|d|dStt|jdi|dS)Nr$r&)r$r#r&r) !_disable_automatic_authentication _auth_recordpopr&superr6__init__r$r#)selfr7r8r9r& __class__rrr>\s   zInteractiveCredential.__init__claimsr& enable_caescopesrCr&rDcOsHi}|r||d<|r||d<||d<|j||dd|}t|j|jS)aRequest an access token for `scopes`. This method is called automatically by Azure SDK clients. :param str scopes: desired scopes for the access token. This method requires at least one scope. For more information about scopes, see https://learn.microsoft.com/entra/identity-platform/scopes-oidc. :keyword str claims: additional claims required in the token, such as those returned in a resource provider's claims challenge following an authorization failure :keyword str tenant_id: optional tenant to include in the token request. :keyword bool enable_cae: indicates whether to enable Continuous Access Evaluation (CAE) for the requested token. Defaults to False. :return: An access token with the desired scopes. :rtype: ~azure.core.credentials.AccessToken :raises CredentialUnavailableError: the credential is unable to attempt authentication because it lacks required data, state, or platform support :raises ~azure.core.exceptions.ClientAuthenticationError: authentication failed. The error's ``message`` attribute gives a reason. :raises AuthenticationRequiredError: user interaction is necessary to acquire a token, and the credential is configured not to begin this automatically. Call :func:`authenticate` to begin interactive authentication. rCr&rD get_tokenoptionsbase_method_name)_get_token_basertokenZ expires_on)r?rCr&rDrEr9rHZ token_inforrrrFqszInteractiveCredential.get_token)rHrHcGs|j||ddS)a&Request an access token for `scopes`. This is an alternative to `get_token` to enable certain scenarios that require additional properties on the token. This method is called automatically by Azure SDK clients. :param str scopes: desired scopes for the access token. This method requires at least one scope. For more information about scopes, see https://learn.microsoft.com/entra/identity-platform/scopes-oidc. :keyword options: A dictionary of options for the token request. Unknown options will be ignored. Optional. :paramtype options: ~azure.core.credentials.TokenRequestOptions :rtype: AccessTokenInfo :return: An AccessTokenInfo instance containing information about the token. :raises CredentialUnavailableError: the credential is unable to attempt authentication because it lacks required data, state, or platform support :raises ~azure.core.exceptions.ClientAuthenticationError: authentication failed. The error's ``message`` attribute gives a reason. :raises AuthenticationRequiredError: user interaction is necessary to acquire a token, and the credential is configured not to begin this automatically. Call :func:`authenticate` to begin interactive authentication. get_token_inforG)rJ)r?rHrErrrrLsz$InteractiveCredential.get_token_inforLrGrIc Os|sd|d}td|jj||t||d|j }|p!i}|d}|d}|dd} |D]} | tj vrC| | || q4z|j |||| d |} t d |jj|| WSt y} zt| trk|s|tjd|jj|| ttjd WYd} ~ nd} ~ wwtt} z0|j|||| d |}d |vrd |dp|d}|j|}t||dt||_Wnt y} ztjd|jj|| ttjd d} ~ wwt d |jj|d|vrt|dnd}t|d | t|d|dd|dS)N'z' requires at least one scopez%s.%s failed: %s _allow_promptrCr&rDFrBz%s.%s succeeded)exc_info access_tokenzAuthentication failed: {}Zerror_descriptionerror)r)r3 refresh_on expires_in token_typeBearerrTrR)_LOGGERwarningrA__name__r2r<r:r-r __annotations__ setdefault_acquire_token_silentinfo Exception isinstancer isEnabledForloggingDEBUGinttime_request_tokenr,_clientget_error_responser r5r;r)r?rHrIrEr9r)Z allow_promptrCr&rDkeyrKr4nowresultr3rRrrrrJsz             z%InteractiveCredential._get_token_base)rErCr&rDcKsB|s|jtvr tddt|j}|j|d|||d|}|jS)aiInteractively authenticate a user. This method will always generate a challenge to the user. :keyword Iterable[str] scopes: scopes to request during authentication, such as those provided by :func:`AuthenticationRequiredError.scopes`. If provided, successful authentication will cache an access token for these scopes. :keyword str claims: additional claims required in the token, such as those provided by :func:`AuthenticationRequiredError.claims` :keyword str tenant_id: optional tenant to include in the token request. :keyword bool enable_cae: indicates whether to enable Continuous Access Evaluation (CAE) for the requested token. Access tokens retrieved with CAE enabled will be cached separately from other tokens. Defaults to False. :return: An AuthenticationRecord containing the authenticated user's information. :rtype: ~azure.identity.AuthenticationRecord :raises ~azure.core.exceptions.ClientAuthenticationError: authentication failed. The error's ``message`` attribute gives a reason. zVAuthenticating in this environment requires a value for the 'scopes' keyword argument.r(T)rNrCr&rD)Z _authority_DEFAULT_AUTHENTICATE_SCOPESrrFr;)r?rErCr&rDr9_rrr authenticates   z"InteractiveCredential.authenticatec Osd}|d}|jrc|jd i|}|j|jjdD]H}|d|jjkr&qtt}|jt |||d}|rbd|vrbd|vrbd|vrJt|dnd}t |d|t|d|dd |d Sq|rr|j |} t ||| d t ||d )NrC)r'r%)accountZclaims_challengerPrSrRrTrUrV)rCr3)rCr)r-r;Z_get_appZ get_accountsr'r%rcrdZacquire_token_silent_with_errorlistrrfrgr) r?rEr9rjrCapprnrirRr3rrrr\s,      z+InteractiveCredential._acquire_token_silentcOsdS)Nr)r?rEr9rrrre9sz$InteractiveCredential._request_token)rY __module__ __qualname__rrboolrr>rrrFr rrLrJrrmrr\abcabstractmethodrre __classcell__rrr@rr6[s~ ' J  (r6)*__doc__rtrr*rardtypingrrrr urllib.parserZazure.core.credentialsrrr Zazure.core.exceptionsr Zmsal_credentialsr r;r _constantsr _exceptionsrr _internalrABC getLoggerrYrWZ AZURE_CHINAZAZURE_GOVERNMENTZAZURE_PUBLIC_CLOUDrkrrr5r6rrrrs0           +