o iv!@sddlZddlmZmZddlmZddlmZmZm Z ddl m Z m Z ddl mZdd lmZdd lmZdd lmZd Zd ZdZdedede fddZddZGdddZdS)N)AnyOptional)ClientAuthenticationError) AccessTokenAccessTokenInfoTokenRequestOptions) HttpRequest HttpResponse)ClientAssertionCredential)CredentialUnavailableError)validate_tenant_id)build_pipelineSYSTEM_OIDCREQUESTURIz7.1zJhttps://aka.ms/azsdk/python/identity/azurepipelinescredential/troubleshootservice_connection_id access_tokenreturncCsDtjtd}|dtd|}dd|dd}td||d S) N/z ?api-version=z&serviceConnectionId=zapplication/jsonzBearer Suppress)z Content-Type AuthorizationzX-TFS-FedAuthRedirectPOST)headers)osenvironrrstripOIDC_API_VERSIONr)rrZbase_uriurlrrb/home/app/Keep/.python/lib/python3.10/site-packages/azure/identity/_credentials/azure_pipelines.pybuild_oidc_requestsr cCs,ttjvrtdtdtdtdddS)NzMissing value for the za environment variable. AzurePipelinesCredential is intended for use in Azure Pipelines where the zK environment variable is set. Please refer to the troubleshooting guide at .message)rrrr TROUBLESHOOTING_GUIDErrrrvalidate_env_vars$s r%c @seZdZdZdedededededdf d d Zddd d d edeedeededede f ddZ ddd edee de fddZ defddZddZddZdddZdS)AzurePipelinesCredentialaaAuthenticates using Microsoft Entra Workload ID in Azure Pipelines. This credential enables authentication in Azure Pipelines using workload identity federation for Azure service connections. :keyword str tenant_id: The tenant ID for the service connection. Required. :keyword str client_id: The client ID for the service connection. Required. :keyword str service_connection_id: The service connection ID for the service connection associated with the pipeline. From the service connection's configuration page URL in the Azure DevOps web portal, the ID is the value of the "resourceId" query parameter. Required. :keyword str system_access_token: The pipeline's System.AccessToken value. It is recommended to assign the value of System.AccessToken to a secure variable in the Azure Pipelines environment. See https://learn.microsoft.com/azure/devops/pipelines/build/variables#systemaccesstoken for more info. Required. :keyword str authority: Authority of a Microsoft Entra endpoint, for example "login.microsoftonline.com", the authority for Azure Public Cloud (which is the default). :class:`~azure.identity.AzureAuthorityHosts` defines authorities for other clouds. :keyword List[str] additionally_allowed_tenants: Specifies tenants in addition to the specified "tenant_id" for which the credential may acquire tokens. Add the wildcard value "*" to allow the credential to acquire tokens for any tenant the application can access. .. admonition:: Example: .. literalinclude:: ../samples/credential_creation_code_snippets.py :start-after: [START create_azure_pipelines_credential] :end-before: [END create_azure_pipelines_credential] :language: python :dedent: 4 :caption: Create an AzurePipelinesCredential. tenant_id client_idrsystem_access_tokenkwargsrNcKsb|r|r|r|stdtdt|||_||_td|||jd||_tdi||_ dS)Nz'tenant_id', 'client_id', 'service_connection_id', and 'system_access_token' must be passed in as keyword arguments. Please refer to the troubleshooting guide at r!)r'r(funcr) ValueErrorr$r_system_access_token_service_connection_idr _get_oidc_token_client_assertion_credentialr _pipeline)selfr'r(rr)r*rrr__init__Ms z!AzurePipelinesCredential.__init__Fclaimsr' enable_caescopesr5r6cOs t|jj||||d|S)aRequest an access token for `scopes`. This method is called automatically by Azure SDK clients. :param str scopes: desired scopes for the access token. This method requires at least one scope. For more information about scopes, see https://learn.microsoft.com/entra/identity-platform/scopes-oidc. :keyword str claims: additional claims required in the token, such as those returned in a resource provider's claims challenge following an authorization failure. :keyword str tenant_id: optional tenant to include in the token request. :keyword bool enable_cae: indicates whether to enable Continuous Access Evaluation (CAE) for the requested token. Defaults to False. :return: An access token with the desired scopes. :rtype: ~azure.core.credentials.AccessToken :raises CredentialUnavailableError: the credential is unable to attempt authentication because it lacks required data, state, or platform support :raises ~azure.core.exceptions.ClientAuthenticationError: authentication failed. The error's ``message`` attribute gives a reason. r4)r%r0 get_token)r2r5r'r6r7r*rrrr8ds z"AzurePipelinesCredential.get_token)optionsr9cGst|jj|d|iS)aRequest an access token for `scopes`. This is an alternative to `get_token` to enable certain scenarios that require additional properties on the token. This method is called automatically by Azure SDK clients. :param str scopes: desired scope for the access token. This method requires at least one scope. For more information about scopes, see https://learn.microsoft.com/entra/identity-platform/scopes-oidc. :keyword options: A dictionary of options for the token request. Unknown options will be ignored. Optional. :paramtype options: ~azure.core.credentials.TokenRequestOptions :rtype: ~azure.core.credentials.AccessTokenInfo :return: An AccessTokenInfo instance containing information about the token. :raises ~azure.core.exceptions.ClientAuthenticationError: authentication failed. The error's ``message`` attribute gives a reason. r9)r%r0get_token_info)r2r9r7rrrr:sz'AzurePipelinesCredential.get_token_infocCs`t|j|j}|jj||jgd}|j}|jdvrtd|d| }d|vr,tdd|dS)N)Zretry_on_methods)z-Unexpected response from OIDC token endpoint.)r#responseZ oidcTokenz!OIDC token not found in response.r") r r.r-r1runmethod http_response status_coderjson)r2requestr<r?Z json_responserrrr/s  z(AzurePipelinesCredential._get_oidc_tokencCs|j|j|SN)r0 __enter__r1r2rrrrDs  z"AzurePipelinesCredential.__enter__cGs|jj||jj|dSrC)r0__exit__r1)r2argsrrrrFs z!AzurePipelinesCredential.__exit__cCs |dS)z)Close the credential's transport session.N)rFrErrrcloses zAzurePipelinesCredential.close)rN)__name__ __module__ __qualname____doc__strrr3rboolrr8rrr:r/rDrFrHrrrrr&.sH  ! r&)rtypingrrZazure.core.exceptionsrZazure.core.credentialsrrrZazure.core.restrr Zclient_assertionr r _internalrZ_internal.pipelinerrrr$rMr r%r&rrrrs