o
    i/                     @   sR  d dl Z d dlZd dlZd dlZd dlmZmZmZmZ d dl	m
Z
mZmZ d dlmZ ddlmZ ddlmZ dd	lmZmZmZmZmZmZ dd
lmZ eeZdZdZ dZ!dZ"dZ#dZ$dZ%G dd dZ&dee' de(de'fddZ)dee' ddfddZ*de'defddZ+d ee'd!f d"e'dee' fd#d$Z,d%e(d&e'd'e'ddfd(d)Z-dS )*    N)AnyListTupleOptional)AccessTokenAccessTokenInfoTokenRequestOptions)ClientAuthenticationError   )get_safe_working_dir   )CredentialUnavailableError)_scopes_to_resourceencode_base64resolve_tenant
within_dacvalidate_tenant_idvalidate_scope)log_get_tokenz+Az.Account module >= 2.2.0 is not installedz4Execution policy prevented invoking Azure PowerShellNO_AZ_ACCOUNT_MODULEzPowerShell is not installedz0Please run "Connect-AzAccount" to set up accountzThis credential doesn't support claims challenges. To authenticate with the required claims, please run the following command (requires Az.Accounts module version 5.2.0 or later): Connect-AzAccount -ClaimsChallenge {claims_value}a  $ErrorActionPreference = 'Stop'
[version]$minimumVersion = '2.2.0'

$m = Import-Module Az.Accounts -MinimumVersion $minimumVersion -PassThru -ErrorAction SilentlyContinue

if (! $m) {{
    Write-Output {}
    exit
}}

$params = @{{ 'ResourceUrl' = '{}'; 'WarningAction' = 'Ignore' }}

$tenantId = '{}'
if ($tenantId.Length -gt 0) {{
    $params['TenantId'] = $tenantId
}}

if ($m.Version -ge [version]'2.17.0' -and $m.Version -lt [version]'5.0.0') {{
    $params['AsSecureString'] = $true
}}

$token = Get-AzAccessToken @params
$tokenValue = $token.Token
if ($tokenValue -is [System.Security.SecureString]) {{
    if ($PSVersionTable.PSVersion.Major -lt 7) {{
        $ssPtr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($tokenValue)
        try {{
            $tokenValue = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($ssPtr)
        }}
        finally {{
            [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($ssPtr)
        }}
    }}
    else {{
        $tokenValue = $tokenValue | ConvertFrom-SecureString -AsPlainText
    }}
}}
Write-Output "`nazsdk%$($tokenValue)%$($token.ExpiresOn.ToUnixTimeSeconds())`n"
c                   @   s   e Zd ZdZdddddedeee  ded	dfd
dZdddZ	de
d	dfddZd ddZeddddedee dee de
d	ef
ddZedddedee d	efddZdddedee de
d	efddZdS )!AzurePowerShellCredentiala  Authenticates by requesting a token from Azure PowerShell.

    This requires previously logging in to Azure via "Connect-AzAccount", and will use the currently logged in identity.

    :keyword str tenant_id: Optional tenant to include in the token request.
    :keyword List[str] additionally_allowed_tenants: Specifies tenants in addition to the specified "tenant_id"
        for which the credential may acquire tokens. Add the wildcard value "*" to allow the credential to
        acquire tokens for any tenant the application can access.
    :keyword int process_timeout: Seconds to wait for the Azure PowerShell process to respond. Defaults to 10 seconds.

    .. admonition:: Example:

        .. literalinclude:: ../samples/credential_creation_code_snippets.py
            :start-after: [START create_azure_power_shell_credential]
            :end-before: [END create_azure_power_shell_credential]
            :language: python
            :dedent: 4
            :caption: Create an AzurePowerShellCredential.
     N
   )	tenant_idadditionally_allowed_tenantsprocess_timeoutr   r   r   returnc                C   s&   |rt | || _|pg | _|| _d S N)r   r   _additionally_allowed_tenants_process_timeout)selfr   r   r    r!   c/home/app/Keep/.python/lib/python3.10/site-packages/azure/identity/_credentials/azure_powershell.py__init__e   s
   

z"AzurePowerShellCredential.__init__c                 C   s   | S r   r!   r    r!   r!   r"   	__enter__r      z#AzurePowerShellCredential.__enter__argsc                 G   s   d S r   r!   )r    r'   r!   r!   r"   __exit__u   r&   z"AzurePowerShellCredential.__exit__c                 C   s   dS )z#Calling this method is unnecessary.Nr!   r$   r!   r!   r"   closex   s    zAzurePowerShellCredential.close)claimsr   scopesr*   kwargsc                O   s>   i }|r||d< |r||d< | j |d|i|}t|j|jS )aD  Request an access token for `scopes`.

        This method is called automatically by Azure SDK clients. Applications calling this method directly must
        also handle token caching because this credential doesn't cache the tokens it acquires.

        :param str scopes: desired scope for the access token. This credential allows only one scope per request.
            For more information about scopes, see
            https://learn.microsoft.com/entra/identity-platform/scopes-oidc.
        :keyword str claims: not used by this credential; any value provided will be ignored.
        :keyword str tenant_id: optional tenant to include in the token request.

        :return: An access token with the desired scopes.
        :rtype: ~azure.core.credentials.AccessToken

        :raises ~azure.identity.CredentialUnavailableError: the credential was unable to invoke Azure PowerShell, or
          no account is authenticated
        :raises ~azure.core.exceptions.ClientAuthenticationError: the credential invoked Azure PowerShell but didn't
          receive an access token
        r   r*   options)_get_token_baser   token
expires_on)r    r*   r   r+   r,   r-   Z
token_infor!   r!   r"   	get_token{   s   z#AzurePowerShellCredential.get_token)r-   r-   c                G   s   | j |d|iS )a  Request an access token for `scopes`.

        This is an alternative to `get_token` to enable certain scenarios that require additional properties
        on the token. This method is called automatically by Azure SDK clients. Applications calling this method
        directly must also handle token caching because this credential doesn't cache the tokens it acquires.

        :param str scopes: desired scopes for the access token. This credential allows only one scope per request.
            For more information about scopes, see https://learn.microsoft.com/entra/identity-platform/scopes-oidc.
        :keyword options: A dictionary of options for the token request. Unknown options will be ignored. Optional.
        :paramtype options: ~azure.core.credentials.TokenRequestOptions

        :rtype: ~azure.core.credentials.AccessTokenInfo
        :return: An AccessTokenInfo instance containing information about the token.

        :raises ~azure.identity.CredentialUnavailableError: the credential was unable to invoke Azure PowerShell, or
          no account is authenticated
        :raises ~azure.core.exceptions.ClientAuthenticationError: the credential invoked Azure PowerShell but didn't
          receive an access token
        r-   )r.   )r    r-   r+   r!   r!   r"   get_token_info   s   z(AzurePowerShellCredential.get_token_infoc          
      O   s   |r(d|v r(|d r(t jt|d d}|dr#|d|d 7 }t|d|r/|dnd }|r7t| |D ]}t| q9td| j|| j	d|}t
||}t|| j}t|}	|	S )Nr*   )Zclaims_valuer   z	 -Tenant message)Zdefault_tenantr   r   r!   )CLAIMS_UNSUPPORTED_ERRORformatr   getr   r   r   r   r   r   get_command_linerun_command_liner   parse_token)
r    r-   r+   r,   error_messager   scopecommand_lineoutputr/   r!   r!   r"   r.      s*   



z)AzurePowerShellCredential._get_token_base)r   r   )r   N)__name__
__module____qualname____doc__strr   r   intr#   r%   r   r(   r)   r   r   r1   r   r   r2   r.   r!   r!   r!   r"   r   P   sV    



#"r   r=   timeoutr   c              
   C   s   d }}d }d|i}z8t | }|jdi |\}}tjdrAd|v s(|jdkrA| d ddd	| d< t | }|jdi |\}}W n ty_ } z|rS|jsS|  t	d
d}||d }~ww t
|j|| |S )Nr   rE   win' is not recognizedi1#  pwsh
powershellr
   zFailed to invoke PowerShell.
To mitigate this issue, please refer to the troubleshooting guidelines here at https://aka.ms/azsdk/python/identity/powershellcredential/troubleshoot.r3   r!   )start_processcommunicatesysplatform
startswith
returncodereplace	Exceptionkillr   raise_for_error)r=   rE   stdoutstderrprocr,   exerrorr!   r!   r"   r9      s,   
r9   r'   zsubprocess.Popenc                 C   s&   t  }tj| |tjtjtjdd}|S )NT)cwdrU   rV   stdinuniversal_newlines)r   
subprocessPopenPIPEDEVNULL)r'   Zworking_directoryrW   r!   r!   r"   rK      s   rK   r>   c                 C   sb   |   D ]}|dr| d\}}}t|t|  S qt r)td| dtd| d)Nzazsdk%%z.Unexpected output from Get-AzAccessToken: "{}"r3   )	splitrO   r   rD   r   r7   r   r6   r	   )r>   line_r/   r0   r!   r!   r"   r:      s   
r:   r+   .r   c                 C   sb   |r|nd}t |  }tt||}t|d }d| }tj	
dr,dd|d gS dd	|gS )
Nr   z	utf-16-lez0pwsh -NoProfile -NonInteractive -EncodedCommand rF   cmdz/cz & exitz/bin/shz-c)r   SCRIPTr6   r   base64	b64encodeencodedecoderM   rN   rO   )r+   r   Ztenant_argumentresourcescriptZencoded_scriptcommandr!   r!   r"   r8   	  s   
r8   return_coderU   rV   c                 C   sx   | dkrt |v rttd S | dksd|v rttdd|v r$ttdd|v r-ttd|r7tdtj	| tdd)	Nr      rG   r3   zRun Connect-AzAccount to loginz!AuthorizationManager check failedz0%s received an error from Azure PowerShell: "%s"zMFailed to invoke PowerShell. Enable debug logging for additional information.)
r   r   AZ_ACCOUNT_NOT_INSTALLEDPOWERSHELL_NOT_INSTALLEDRUN_CONNECT_AZ_ACCOUNTBLOCKED_BY_EXECUTION_POLICY_LOGGERdebugr   r?   )rn   rU   rV   r!   r!   r"   rT     s&   


rT   ).rg   loggingr]   rM   typingr   r   r   r   Zazure.core.credentialsr   r   r   Zazure.core.exceptionsr	   Z	azure_clir   r   r   	_internalr   r   r   r   r   r   Z_internal.decoratorsr   	getLoggerr?   rt   rp   rs   r   rq   rr   r5   rf   r   rC   rD   r9   rK   r:   r8   rT   r!   r!   r!   r"   <module>   s6    
) "