o i}@sddlZddlZddlZddlZddlZddlZddlmZddlm Z ddl m Z m Z m Z ddlmZddlmZddlmZmZdd lmZeeZGd d d eZGd d d e ZGdddeZGdddeZGdddeZ Gddde!Z"ddZ#ddZ$e!Z%e!Z&e!Z'e!Z(e!Z)e!Z*ddZ+dddde e,de e e,fdd Z-d2d!d"Z.d#d$Z/d%d&Z0d'd(Z1dddde,de e e,fd)d*Z2d+ej34d,d-Z5Gd.d/d/eZ6d0d1Z7dS)3N)urlparse)UserDict)ListOptionalUnion) TokenCache)_IndividualCache)ThrottledHttpClientBaseRetryAfterParser)_is_running_in_cloud_shellc@ eZdZdS)ManagedIdentityErrorN__name__ __module__ __qualname__rrL/home/app/Keep/.python/lib/python3.10/site-packages/msal/managed_identity.pyrrcsneZdZdZdZdZdZdZdZdZ eded ed iZ e d d Z e d dZ e ddZdfdd ZZS)ManagedIdentityzFeed an instance of this class to :class:`msal.ManagedIdentityClient` to acquire token for the specified managed identity. ZManagedIdentityIdTypeZIdZClientIdZ ResourceIdZObjectIdZSystemAssigned client_idZ msi_res_id object_idcCst|tp||p||SN) isinstanceris_system_assignedis_user_assignedclsunknownrrris_managed_identity/s z#ManagedIdentity.is_managed_identitycCs&t|tpt|to||j|jkSr)rSystemAssignedManagedIdentitydictgetID_TYPESYSTEM_ASSIGNEDrrrrr5s  z"ManagedIdentity.is_system_assignedcCs2t|tpt|to||j|jvo||jSr)rUserAssignedManagedIdentityr"r#r$_types_mappingIDrrrrr;s   z ManagedIdentity.is_user_assignedNcs tt||j||j|idSr)superr__init__r$r()self identifierid_type __class__rrr*Bs  zManagedIdentity.__init__)NN)rrr__doc__r$r( CLIENT_ID RESOURCE_ID OBJECT_IDr%r' classmethodr rrr* __classcell__rrr.rrs&   rcs eZdZdZfddZZS)r!zRepresent a system-assigned managed identity. It is equivalent to a Python dict of:: {"ManagedIdentityIdType": "SystemAssigned", "Id": None} or a JSON blob of:: {"ManagedIdentityIdType": "SystemAssigned", "Id": null} cstt|j|jddS)N)r-)r)r!r*r%r+r.rrr*Usz&SystemAssignedManagedIdentity.__init__rrrr0r*r5rrr.rr!Js r!cs*eZdZdZddddfdd ZZS)r&a9Represent a user-assigned managed identity. Depends on the id you provided, the outcome is equivalent to one of the below:: {"ManagedIdentityIdType": "ClientId", "Id": "foo"} {"ManagedIdentityIdType": "ResourceId", "Id": "foo"} {"ManagedIdentityIdType": "ObjectId", "Id": "foo"} N)r resource_idrcsz|r|s|stt|j|j|ddS|s&|r&|s&tt|j|j|ddS|s9|s9|r9tt|j|j|ddStd)N)r-r,zPYou shall specify one of the three parameters: client_id, resource_id, object_id)r)r&r*r1r2r3r)r+rr8rr.rrr*bs       z$UserAssignedManagedIdentity.__init__r7rrr.rr&Ysr&cseZdZfddZZS)_ThrottledHttpClientcs@ttj|i|tjfddtdjdj_dS)Nc s.d|dt|dt|dS)Nz"REQ {} hash={} 429/5xx/Retry-Afterrparamsdata)format_hashstrr#)funcargskwargsr6rrws z/_ThrottledHttpClient.__init__..)mappingZ key_maker expires_in)r)r9r*IndividualCacheZ_expiring_mappingr parser#)r+r@rAr.r6rr*ss  z_ThrottledHttpClient.__init__)rrrr*r5rrr.rr9rsr9c@speZdZdZdZdZdZdZdZddddde e e e e fd eeefd d Zdd d edeefddZdS)ManagedIdentityClienta*This API encapsulates multiple managed identity back-ends: VM, App Service, Azure Automation (Runbooks), Azure Function, Service Fabric, and Azure Arc. It also provides token cache support. .. note:: Cloud Shell support is NOT implemented in this class. Since MSAL Python 1.18 in May 2022, it has been implemented in :func:`PublicClientApplication.acquire_token_interactive` via calling pattern ``PublicClientApplication(...).acquire_token_interactive(scopes=[...], prompt="none")``. That is appropriate, because Cloud Shell yields a token with delegated permissions for the end user who has signed in to the Azure Portal (like what a ``PublicClientApplication`` does), not a token with application permissions for an app. localhostmanaged_identityZ token_sourceZidentity_providercacheN) token_cache http_cacheclient_capabilitiesrNcCsBt|s td|||_t||d|_|pt|_||_dS)a Create a managed identity client. :param managed_identity: It accepts an instance of :class:`SystemAssignedManagedIdentity` or :class:`UserAssignedManagedIdentity`. They are equivalent to a dict with a certain shape, which may be loaded from a JSON configuration file or an env var. :param http_client: An http client object. For example, you can use ``requests.Session()``, optionally with exponential backoff behavior demonstrated in this recipe:: import msal, requests from requests.adapters import HTTPAdapter, Retry s = requests.Session() retries = Retry(total=3, backoff_factor=0.1, status_forcelist=[ 429, 500, 501, 502, 503, 504]) s.mount('https://', HTTPAdapter(max_retries=retries)) managed_identity = ... client = msal.ManagedIdentityClient(managed_identity, http_client=s) :param token_cache: Optional. It accepts a :class:`msal.TokenCache` instance to store tokens. It will use an in-memory token cache by default. :param http_cache: Optional. It has the same characteristics as the :paramref:`msal.ClientApplication.http_cache`. :param list[str] client_capabilities: (optional) Allows configuration of one or more client capabilities, e.g. ["CP1"]. Client capability is meant to inform the Microsoft identity platform (STS) what this client is capable for, so STS can decide to turn on certain features. Implementation details: Client capability in Managed Identity is relayed as-is via ``xms_cc`` parameter on the wire. Recipe 1: Hard code a managed identity for your app:: import msal, requests client = msal.ManagedIdentityClient( msal.UserAssignedManagedIdentity(client_id="foo"), http_client=requests.Session(), ) token = client.acquire_token_for_client("resource") Recipe 2: Write once, run everywhere. If you use different managed identity on different deployment, you may use an environment variable (such as MY_MANAGED_IDENTITY_CONFIG) to store a json blob like ``{"ManagedIdentityIdType": "ClientId", "Id": "foo"}`` or ``{"ManagedIdentityIdType": "SystemAssigned", "Id": null}``. The following app can load managed identity configuration dynamically:: import json, os, msal, requests config = os.getenv("MY_MANAGED_IDENTITY_CONFIG") assert config, "An ENV VAR with value should exist" client = msal.ManagedIdentityClient( json.loads(config), http_client=requests.Session(), ) token = client.acquire_token_for_client("resource") zIncorrect managed_identity: )rMN) rr r_managed_identityr9 _http_clientr _token_cache_client_capabilities)r+rJ http_clientrLrMrNrrrr*s P   zManagedIdentityClient.__init__)claims_challengeresourcerTc Csd}d}|jtjd}t} |jj|jjj|gt ||j |j ddd}|D]K}t |d|} | dkr7q(|rA|sA|d}n3t d d |dd |d d d t | |j|ji}d|vrpt |d|d<t |d|krpn|Szit|j|j||rt|dnd|jd} d | vr| d d} d| vr| dkrt | d| d<|jt ||gd|j |j | iidd| vrt || d| d<|j| |j<| rd| vs|s| WSW|S|sY|S)aEAcquire token for the managed identity. The result will be automatically cached. Subsequent calls will automatically search from cache first. :param resource: The resource for which the token is acquired. :param claims_challenge: Optional. It is a string representation of a JSON object (which contains lists of claims being requested). The tenant admin may choose to revoke all Managed Identity tokens, and then a *claims challenge* will be returned by the target resource, as a `claims_challenge` directive in the `www-authenticate` header, even if the app developer did not opt in for the "CP1" client capability. Upon receiving a `claims_challenge`, MSAL will attempt to acquire a new token. .. note:: Known issue: When an Azure VM has only one user-assigned managed identity, and your app specifies to use system-assigned managed identity, Azure VM may still return a token for your user-assigned identity. This is a service-side behavior that cannot be changed by this library. `Azure VM docs `_ NZ SYSTEM_ASSIGNED_MANAGED_IDENTITYT)r environmentrealmZhome_account_id)targetquery expires_oni,secretzCache hit an AT access_token token_typeBearerrEZ refresh_onzutf-8access_token_sha256_to_refreshrNiZ refresh_ini z https://{}/{})rscopeZtoken_endpointresponser:r;error)rOr#rr(timerQsearchZCredentialTypeZ ACCESS_TOKENr" _ManagedIdentityClient__instance_tenantintloggerdebug _TOKEN_SOURCE_TOKEN_SOURCE_CACHE _obtain_tokenrPhashlibsha256encode hexdigestrRaddr<_TOKEN_SOURCE_IDP) r+rUrTZaccess_token_to_refreshZaccess_token_from_cacheZclient_id_in_cachenowmatchesentryrEresultrrracquire_token_for_clients!       z.ManagedIdentityClient.acquire_token_for_client)rrrr0rgrhrlrtrmrr"rr!r&rrr>r*ryrrrrrHs6  irHcCs"t|}|jrd|j|jS|S)Nz{}://{})rschemer<netloc)rburrr_scope_to_resourceisr}cCs^dtjvrdtjvrtjdStjdkrtjds)tjdkr+tjtjdr-dSdSdS)NIDENTITY_ENDPOINTZ IMDS_ENDPOINTlinuxz/opt/azcmagent/bin/himdswin32z4${ProgramFiles}\AzureConnectedMachineAgent\himds.exez5http://localhost:40342/metadata/identity/oauth2/token)osenvironsysplatformpathexists expandvarsrrrr_get_arc_endpointps rcCsjdtjvrdtjvrdtjvrtSdtjvrdtjvrtSdtjvr)dtjvr)tStr.tStr3tSt S)zDetect the current environment and return the likely identity source. When this function returns ``CLOUD_SHELL``, you should use :func:`msal.PublicClientApplication.acquire_token_interactive` with ``prompt="none"`` to obtain a token. r~IDENTITY_HEADERIDENTITY_SERVER_THUMBPRINT MSI_ENDPOINT MSI_SECRET) rrSERVICE_FABRIC APP_SERVICEMACHINE_LEARNINGr AZURE_ARCr CLOUD_SHELL DEFAULT_TO_VMrrrrget_managed_identity_sources rr_r`rNc Csdtjvr*dtjvr*dtjvr*|rtdt|tjdtjdtjd|||dSdtjvrBdtjvrBt|tjdtjd||SdtjvrZdtjvrZt|tjdtjd||St}|rnt |rht dt |||St |||S) Nr~rrzIgnoring managed_identity parameter. Managed Identity in Service Fabric is configured in the cluster, not during runtime. See also https://learn.microsoft.com/en-us/azure/service-fabric/configure-existing-cluster-enable-managed-identity-token-servicer_rrzInvalid managed_identity parameter. Azure Arc supports only system-assigned managed identity, See also https://learn.microsoft.com/en-us/azure/service-fabric/configure-existing-cluster-enable-managed-identity-token-service) rrrjrk_obtain_token_on_service_fabric_obtain_token_on_app_service!_obtain_token_on_machine_learningrrrr_obtain_token_on_arc_obtain_token_on_azure_vm)rSrJrUr`rNZ arc_endpointrrrrnsN     rncCs2|ptj|tj}|r|tj||<dSdSr)rr'r#r$r()r:rJ types_mappingZid_namerrr _adjust_params  rcCstdd|d}t|||jtdddd|dd id }z(t|j }|d rH|d rH|d t |d |d |dddWS|WStj j y[td|j w)Nz0Obtaining token via managed identity on Azure VMz 2018-02-01 api-versionrUZ!AZURE_POD_IDENTITY_AUTHORITY_HOSTzhttp://169.254.169.254/z/metadata/identity/oauth2/tokenMetadatatruer:headersr\rErUr]r^r\rErUr]!IMDS emits unexpected payload: %s) rjrkrr#rgetenvstripjsonloadstextridecoderJSONDecodeError)rSrJrUr:resppayloadrrrrs6     rc Cstdd|d}t||tjdtjdtjdid|j|||dd d }z;t |j }|d rQ|d rQ|d t |d t t |d |dddWSdd |d|ddWStjjyqtd|j w)zObtains token for `App Service `_, Azure Functions, and Azure Automation. z9Obtaining token via managed identity on Azure App Servicez 2019-08-01rrZ mi_res_idr)rr)zX-IDENTITY-HEADERrrr\rZrUr]r^r invalid_scopez{}, {}Z statusCodemessagerdZerror_descriptionr)rjrkrrr1r2r3r#rrrrirer<rr)rSendpointidentity_headerrJrUr:rrrrrrsB   rcCstdd|d}t|||ddkr d|vr |d|d<|j||d|id}z4t|j}|d rV|d rV|d t|d tt |d |d d dWSdd |dWStj j yotd|jw)Nz>Obtaining token via managed identity on Azure Machine Learningz 2017-09-01rrrZclientidr[rr\rZrUr]r^rrz{}rr) rjrkrpopr#rrrrirer<rr)rSrr[rJrUr:rrrrrr$s2     rc Cstd|j|ddd|||rd|nddDd|id }zCt|j}|d rL|d rL|d t|d tt |d |d dWS|di} dddd} | | dd|jdWStj j yvtd|jw)zfObtains token for `Service Fabric `_ zUs z3_obtain_token_on_service_fabric..z2019-07-01-preview,N)rrUZtoken_sha256_to_refreshZxms_ccZSecretrr\rZrUr]rrdZunauthorized_clientZinvalid_clientr)ZSecretHeaderNotFoundZManagedIdentityNotFoundZArgumentNullOrEmptycodeinvalid_requestrr) rjrkr#joinitemsrrrrirerr) rSrrZserver_thumbprintrUr`rNrrrdZ error_mappingrrrrFsJ    rz/var/opt/azcmagent/tokensz/%ProgramData%\AzureConnectedMachineAgent\Tokens)rrc@r )ArcPlatformNotSupportedErrorNrrrrrr|rrc std|j|d|dddid}dfdd |jDd d }t|d kr5|d dks=td |jt j t vrKt dt j dtjt t j tjtj|dd d}t|jdkrotdt| }|}Wdn1swY|j|d|ddd |dd}z't|j} | dr| dr| dt| d| dd| ddWSWn tjjyYnwd|jdS) Nz1Obtaining token via managed identity on Azure Arcz 2020-06-01rrrrzwww-authenticatecs&i|]\}}|kr||qSr)lowerrZwww_authrrrs z(_obtain_token_on_arc..=rarz basic realmz*Unrecognizable WWW-Authenticate header: {}z Platform z was undefined and unsupportedrz.keyiz+Local key file shall not be larger than 4KBzBasic {})r Authorizationr\rEr]r^rU)r\rEr]rUrr)rjrkr#rrsplitlenrrr<rr+_supported_arc_platforms_and_their_prefixesrrrrsplitextbasenamestatst_sizeopenreadrrrrirr) rSrrUr challengefilenamefr[rcrrrrrsb          rr)8rorloggingrrre urllib.parser collectionsrtypingrrrrLrZindividual_cacher rFZthrottled_http_clientr r Z cloudshellr getLoggerrrj ValueErrorrrr!r&r9objectrHr}rrrrrrrrr>rnrrrrrrrrrrrrrrsj      /h   51%  2