o i;@sddlZzddlmZWneyddlmZYnwddlZeeZdZdZ dZ dZ e e e degZ egdZgdZd ZGd d d eZGd d d eZddZddZddZdS)N)urlparselogin.microsoftonline.uslogin.chinacloudapi.cnlogin.microsoftonline.comlogin-us.microsoftonline.com) rzlogin.microsoft.comzlogin.windows.netzsts.windows.netrz login.partner.microsoftonline.cnzlogin.microsoftonline.derzlogin.usgovcloudapi.netrz"https://login.sovcloud-identity.frz"https://login.sovcloud-identity.dez"https://login.sovcloud-identity.sg)z b2clogin.comz b2clogin.cnz b2clogin.usz b2clogin.dez ciamlogin.comz.ciamlogin.comc@seZdZddZddZdS)AuthorityBuildercCs|d|_|d|_dS)zA helper to save caller from doing string concatenation. Usage is documented in :func:`application.ClientApplication.__init__`. /N)rstrip _instancestrip_tenant)selfinstancetenantrE/home/app/Keep/.python/lib/python3.10/site-packages/msal/authority.py__init__8s zAuthorityBuilder.__init__cCsd|j|jS)Nz https://{}/{})formatr r r rrr__str__@szAuthorityBuilder.__str__N)__name__ __module__ __qualname__rrrrrrr7s rc@sJeZdZdZegZ   dddZddZdd Zdd d Z d d Z dS) AuthorityzThis class represents an (already-validated) authority. Once constructed, it contains members named "*_endpoint" for this instance. TODO: It will also cache the previously-validated authority instances. TNc Cs||_||_|rtd|||}n||||}zt||j}Wnty=|r2dj|dnd|d}t|w| d|_ |d|_ |d|_ | d |_ t|j \} } |_|jrn|sptd j|j |d d Sd S) a`Creates an authority instance, and also validates it. :param validate_authority: The Authority validation process actually checks two parts: instance (a.k.a. host) and tenant. We always do a tenant discovery. This parameter only controls whether an instance discovery will be performed. z$Initializing with OIDC authority: %szUnable to get OIDC authority configuration for {url} because its OIDC Discovery endpoint is unavailable at {url}/.well-known/openid-configuration )urlzUnable to get authority configuration for {}. Authority would typically be in a format of https://login.microsoftonline.com/your_tenant or https://tenant_name.ciamlogin.com or https://tenant_name.b2clogin.com/tenant.onmicrosoft.com/policy. z> Also please double check your tenant name or GUID is correct.Zissuerauthorization_endpointtoken_endpointdevice_authorization_endpointavThe issuer '{iss}' does not match the authority '{auth}' or a known pattern. When using the 'oidc_authority' parameter in ClientApplication, the authority will be validated against the issuer from {auth}/.well-known/openid-configuration .If using a known Entra authority (e.g. login.microsoftonline.com) the 'authority' parameter should be used instead of 'oidc_authority'. )ZissauthN) _http_client_oidc_authority_urlloggerdebug_initialize_oidc_authority_initialize_entra_authoritytenant_discovery ValueErrorrget_issuerrrr canonicalizerhas_valid_issuer) r authority_url http_clientvalidate_authorityinstance_discoveryoidc_authority_urltenant_discovery_endpointZ openid_config error_message_rrrrLsJ       zAuthority.__init__cCs2t|\}|_}|dk|_d|_d|_|dS)NadfsTz!/.well-known/openid-configuration)r)rloweris_adfs_is_b2c_is_known_to_developer)r r/ authorityrrrrr#s z$Authority._initialize_oidc_authorityc sFt|tr t|}t|\}_}jt}|dko| _|j d}t fddt Dp@t |dko@|dd_jpJjpJ| _jtv}|dvrZd tn|} | r|sjstd j|j j| } | d d kr}td || d} | S|jdj|rt |j dkr|n|j jrdnddd} | S)Nr3rc3s |] }jd|VqdS).N)rendswith).0drrr s z8Authority._initialize_entra_authority..Zb2c_)NTz$https://{}/common/discovery/instancez"https://{}{}/oauth2/v2.0/authorizeerrorZinvalid_instancezinvalid_instance: The authority you provided, %s, is not whitelisted. If it is indeed your legit customized domain name, you can turn off this check by passing in instance_discovery=Falser0z2{prefix}{version}/.well-known/openid-configurationz/v2.0)prefixversion)path) isinstancerstrr)rr:_CIAM_DOMAIN_SUFFIXr4r5rEsplitanyWELL_KNOWN_B2C_HOSTSlen startswithr6r7WELL_KNOWN_AUTHORITY_HOSTSr WORLD_WIDE_instance_discoveryrr'r&_replacegeturl) r r+r-r.r8rZis_ciampartsZis_known_to_microsoftinstance_discovery_endpointpayloadr0rrrr$sb       z%Authority._initialize_entra_authoritycCsf|j|jjvr1|p|jjdj|j|dd|dd}|jdkr)|t |j S|jj |jiS)Nz.) r(r r rhostnamer4TRUSTED_ISSUER_HOSTSfindschemerVrJrK)r Z issuer_parsedZauthority_parsedZ dot_indexZpotential_baseZauthority_hostrrfrr*s4      zAuthority.has_valid_issuer)TNN)NN) rrr__doc__setr[rr#r$rdr*rrrrrDs 9 1 rcCst|}|jdkrP|jrP|jd}t|dkr |dr |dnd}|jtr>|r,|n d|j tdd}||j|fSt|dkrP|drP||j|dfSt d|)Nhttpsrr?rAz{}.onmicrosoft.comraYour given address (%s) should consist of an https url with hostname and a minimum of one segment in a path: e.g. https://login.microsoftonline.com/{tenant} or https://{tenant_name}.ciamlogin.com/{tenant} or https://{tenant_name}.b2clogin.com/{tenant_name}.onmicrosoft.com/policy) rrjrgrErIrLr:rHrrsplitr&)Zauthority_or_auth_endpointr8rSZ first_partrrrrr)s      r)cKs(|j|fd|ddi|}t|jS)Nparamsz1.0)rz api-version)r'r^r_r`)rr,rTkwargsrcrrrrPs rPcKst|j|fi|}|jdkrt|jSd|jkrdkr,nn td||j|j|td|j|jf)Niiz7OIDC Discovery failed on {}. HTTP status: {}, Error: {}z)Unable to complete OIDC Discovery: %d, %s) r'r\r^r_r`r&rr] RuntimeError)r0r,rprcrrrr%$s  r%)r^ urllib.parser ImportErrorlogging getLoggerrr!ZAZURE_US_GOVERNMENTZ AZURE_CHINAZ AZURE_PUBLICrOrlrN frozensetrhrKrHobjectrrr)rPr%rrrrs6    C