9i}jddlZddlZddlZddlZddlZddlZddlZddlmZddl m Z ddl m Z m Z mZddlmZddlmZddlmZmZdd lmZej2eZGd d eZGd d e ZGddeZGddeZ GddeZ!Gdde"Z#dZ$dZ%e"Z&e"Z'e"Z(e"Z)e"Z*e"Z+dZ,dddde e-de e e-fdZ.d(dZ/dZ0dZ1d Z2dddde-de e e-fd!Z3d"ejhjkd#d$Z6Gd%d&eZ7d'Z8y))N)urlparse)UserDict)ListOptionalUnion) TokenCache)_IndividualCache)ThrottledHttpClientBaseRetryAfterParser)_is_running_in_cloud_shellc eZdZy)ManagedIdentityErrorN__name__ __module__ __qualname__H/var/www/html/venv/lib/python3.12/site-packages/msal/managed_identity.pyrrrrc|eZdZdZdZdZdZdZdZdZ eded ed iZ e d Z e d Z e d Zdfd ZxZS)ManagedIdentityzFeed an instance of this class to :class:`msal.ManagedIdentityClient` to acquire token for the specified managed identity. ManagedIdentityIdTypeIdClientId ResourceIdObjectIdSystemAssigned client_id msi_res_id object_idcnt|txs$|j|xs|j|SN) isinstanceris_system_assignedis_user_assignedclsunknowns ris_managed_identityz#ManagedIdentity.is_managed_identity0s77O4-%%g.-##G, .rct|txs:t|txr(|j|j|j k(Sr$)r%SystemAssignedManagedIdentitydictgetID_TYPESYSTEM_ASSIGNEDr(s rr&z"ManagedIdentity.is_system_assigned6sD'#@AA w % @ CKK(C,?,?? Arct|txsVt|txrD|j|j|j vxr|j|j Sr$)r%UserAssignedManagedIdentityr.r/r0_types_mappingIDr(s rr'z ManagedIdentity.is_user_assigned<sV'#>?% w % $ CKK(C,>,>> $ CFF# %rc\tt| |j||j|iyr$)superr__init__r0r5)self identifierid_type __class__s rr8zManagedIdentity.__init__Cs) ot- LL' GGZ/  r)NN)rrr__doc__r0r5 CLIENT_ID RESOURCE_ID OBJECT_IDr1r4 classmethodr+r&r'r8 __classcell__r<s@rrrs&G BIKI&O ;\;N .. AA %%   rrc"eZdZdZfdZxZS)r-zRepresent a system-assigned managed identity. It is equivalent to a Python dict of:: {"ManagedIdentityIdType": "SystemAssigned", "Id": None} or a JSON blob of:: {"ManagedIdentityIdType": "SystemAssigned", "Id": null} cBtt| |jy)N)r;)r7r-r8r1)r9r<s rr8z&SystemAssignedManagedIdentity.__init__Vs +T;DDXDX;Yrrrrr=r8rBrCs@rr-r-Ks ZZrr-c,eZdZdZddddfd ZxZS)r3a9Represent a user-assigned managed identity. Depends on the id you provided, the outcome is equivalent to one of the below:: {"ManagedIdentityIdType": "ClientId", "Id": "foo"} {"ManagedIdentityIdType": "ResourceId", "Id": "foo"} {"ManagedIdentityIdType": "ObjectId", "Id": "foo"} N)r resource_idr"c|r$|s"|s tt| |j|y|s$|r"|s tt| |j|y|s$|s"|r tt| |j |yt d)N)r;r:zPYou shall specify one of the three parameters: client_id, resource_id, object_id)r7r3r8r>r?r@r)r9r rHr"r<s rr8z$UserAssignedManagedIdentity.__init__cs [ -t =9 > >{9 -t =(([ > B;9 -t =9 > >'45 5rrFrCs@rr3r3Zs%)dd 5 5rr3ceZdZfdZxZS)_ThrottledHttpClientctt |i|tjfdt dj j_y)Nc dj|djt|jdt|jdzS)Nz"REQ {} hash={} 429/5xx/Retry-Afterrparamsdata)format_hashstrr/)funcargskwargsr9s rz/_ThrottledHttpClient.__init__..xsM1U1\1\Q  8,-FJJv4F0GGI2r)mapping key_maker expires_in)r7rKr8IndividualCache_expiring_mappingr parser/)r9rTrUr<s` rr8z_ThrottledHttpClient.__init__tsT "D2DCFC ?**(*00 hh r)rrrr8rBrCs@rrKrKss   rrKc|eZdZdZd\ZZdZdZdZddddde e e e e fd eeefd Zd Zdd d edeefdZy)ManagedIdentityClienta*This API encapsulates multiple managed identity back-ends: VM, App Service, Azure Automation (Runbooks), Azure Function, Service Fabric, and Azure Arc. It also provides token cache support. .. note:: Cloud Shell support is NOT implemented in this class. Since MSAL Python 1.18 in May 2022, it has been implemented in :func:`PublicClientApplication.acquire_token_interactive` via calling pattern ``PublicClientApplication(...).acquire_token_interactive(scopes=[...], prompt="none")``. That is appropriate, because Cloud Shell yields a token with delegated permissions for the end user who has signed in to the Azure Portal (like what a ``PublicClientApplication`` does), not a token with application permissions for an app. )Nmanaged_identity token_sourceidentity_providercacheN) token_cache http_cacheclient_capabilitiesr`rfctj|std|||_t |||_|xs t |_||_y)a Create a managed identity client. :param managed_identity: It accepts an instance of :class:`SystemAssignedManagedIdentity` or :class:`UserAssignedManagedIdentity`. They are equivalent to a dict with a certain shape, which may be loaded from a JSON configuration file or an env var. :param http_client: An http client object. For example, you can use ``requests.Session()``, optionally with exponential backoff behavior demonstrated in this recipe:: import msal, requests from requests.adapters import HTTPAdapter, Retry s = requests.Session() retries = Retry(total=3, backoff_factor=0.1, status_forcelist=[ 429, 500, 501, 502, 503, 504]) s.mount('https://', HTTPAdapter(max_retries=retries)) managed_identity = ... client = msal.ManagedIdentityClient(managed_identity, http_client=s) :param token_cache: Optional. It accepts a :class:`msal.TokenCache` instance to store tokens. It will use an in-memory token cache by default. :param http_cache: Optional. It has the same characteristics as the :paramref:`msal.ClientApplication.http_cache`. :param list[str] client_capabilities: (optional) Allows configuration of one or more client capabilities, e.g. ["CP1"]. Client capability is meant to inform the Microsoft identity platform (STS) what this client is capable for, so STS can decide to turn on certain features. Implementation details: Client capability in Managed Identity is relayed as-is via ``xms_cc`` parameter on the wire. Recipe 1: Hard code a managed identity for your app:: import msal, requests client = msal.ManagedIdentityClient( msal.UserAssignedManagedIdentity(client_id="foo"), http_client=requests.Session(), ) token = client.acquire_token_for_client("resource") Recipe 2: Write once, run everywhere. If you use different managed identity on different deployment, you may use an environment variable (such as MY_MANAGED_IDENTITY_CONFIG) to store a json blob like ``{"ManagedIdentityIdType": "ClientId", "Id": "foo"}`` or ``{"ManagedIdentityIdType": "SystemAssigned", "Id": null}``. The following app can load managed identity configuration dynamically:: import json, os, msal, requests config = os.getenv("MY_MANAGED_IDENTITY_CONFIG") assert config, "An ENV VAR with value should exist" client = msal.ManagedIdentityClient( json.loads(config), http_client=requests.Session(), ) token = client.acquire_token_for_client("resource") zIncorrect managed_identity: )reN) rr+r_managed_identityrK _http_clientr _token_cache_client_capabilities)r9r` http_clientrdrerfs rr8zManagedIdentityClient.__init__se`223CD&./?.@AC C!10 !  (7:<$7!rcd|jtj|_|jSr$) _ManagedIdentityClient__instancesocketgetfqdn)r9s r _get_instancez#ManagedIdentityClient._get_instances$ ?? "$nn.DOr)claims_challengeresourcerrc d}d}|jjtjd}t j} |j j |j jj|gt||j|jd}|D]}t|d|z } | dkr|r |s|d}n|tjdd |dd |jd d d t| |j|j i}d |vr$t|d |d <t|d |krn|cS t#|j$|j||r2t'j(|j+dj-nd|j.} d | vr| jd d} d| vr| dk\rt| dz | d<|j j1t||gdj3|j|j| iid| vrt|| dz| d <|j4| |j<| rd| vs|s| S |S#|sY|SxYw)aEAcquire token for the managed identity. The result will be automatically cached. Subsequent calls will automatically search from cache first. :param resource: The resource for which the token is acquired. :param claims_challenge: Optional. It is a string representation of a JSON object (which contains lists of claims being requested). The tenant admin may choose to revoke all Managed Identity tokens, and then a *claims challenge* will be returned by the target resource, as a `claims_challenge` directive in the `www-authenticate` header, even if the app developer did not opt in for the "CP1" client capability. Upon receiving a `claims_challenge`, MSAL will attempt to acquire a new token. .. note:: Known issue: When an Azure VM has only one user-assigned managed identity, and your app specifies to use system-assigned managed identity, Azure VM may still return a token for your user-assigned identity. This is a service-side behavior that cannot be changed by this library. `Azure VM docs `_ N SYSTEM_ASSIGNED_MANAGED_IDENTITY)r environmentrealmhome_account_id)targetquery expires_oni,secretzCache hit an AT access_token token_typeBearerrZ refresh_onzutf-8access_token_sha256_to_refreshrfi refresh_ini z https://{}/{})r scopetoken_endpointresponserNrOerror)rhr/rr5timerjsearchCredentialType ACCESS_TOKENr.rq_tenantintloggerdebug _TOKEN_SOURCE_TOKEN_SOURCE_CACHE _obtain_tokenrihashlibsha256encode hexdigestrkaddrP_TOKEN_SOURCE_IDP) r9rsrraccess_token_to_refreshaccess_token_from_cacheclient_id_in_cachenowmatchesentryrZresults racquire_token_for_clientz.ManagedIdentityClient.acquire_token_for_clientsB#'"&!3377    BDiik ''..!!00== z0 $ 2 2 4,,$( / G! / |!45; $#,C/4Ho+ ./"E(O %))L("C #j/&&(@(@ +'  5(F<(!!%%d0#*#2#9#9**,dll$<#' 6)+.sVL5I/I+JF<(-1-C-Ct))*7&0:Q ;R '&  *+&&s DI--I5)rrrr=rnrrrrrr.rr-r3rrrRr8rqrrrrr_r_s"3J"M+!37c8   ) ' )c8&d3i0c8J+/ e'e'#3- e'rr_ct|}|jr&dj|j|jS|S)Nz{}://{})rschemerPnetloc)rus r_scope_to_resourcerls2Axx!((33 Lrcxdtjvr%dtjvrtjdStjdk(rtjj dsOtjdk(r>tjj tjj dryyy)NIDENTITY_ENDPOINT IMDS_ENDPOINTlinuxz/opt/azcmagent/bin/himdswin32z4${ProgramFiles}\AzureConnectedMachineAgent\himds.exez5http://localhost:40342/metadata/identity/oauth2/token)osenvironsysplatformpathexists expandvarsrrr_get_arc_endpointrssbjj(_ -Jzz-.. BGGNN3M$N <<7 "rww~~bgg6H6H C7 ( G ( "rcndtjvr*dtjvrdtjvrtSdtjvrdtjvrtSdtjvrdtjvrtSt rt StrtStS)zDetect the current environment and return the likely identity source. When this function returns ``CLOUD_SHELL``, you should use :func:`msal.PublicClientApplication.acquire_token_interactive` with ``prompt="none"`` to obtain a token. rIDENTITY_HEADERIDENTITY_SERVER_THUMBPRINT MSI_ENDPOINT MSI_SECRET) rrSERVICE_FABRIC APP_SERVICEMACHINE_LEARNINGr AZURE_ARCr CLOUD_SHELL DEFAULT_TO_VMrrrget_managed_identity_sourcers rzz).?2::.M, :bjj(->"**-L#  (B!# rrrrfc dtjvrdtjvrndtjvr\|rtjdt |tjdtjdtjd|||SdtjvrCdtjvr1t |tjdtjd||SdtjvrCdtjvr1t |tjdtjd||St}|r-tj|r tdt|||St|||S) NrrrzIgnoring managed_identity parameter. Managed Identity in Service Fabric is configured in the cluster, not during runtime. See also https://learn.microsoft.com/en-us/azure/service-fabric/configure-existing-cluster-enable-managed-identity-token-servicerrrzInvalid managed_identity parameter. Azure Arc supports only system-assigned managed identity, See also https://learn.microsoft.com/en-us/azure/service-fabric/configure-existing-cluster-enable-managed-identity-token-service) rrrr_obtain_token_on_service_fabric_obtain_token_on_app_service!_obtain_token_on_machine_learningrrr'r_obtain_token_on_arc_obtain_token_on_azure_vm)rlr`rsrrf arc_endpoints rrrsc rzz).?2::.M, :  LLJ K /  JJ* + JJ( ) JJ3 4 +I 3  bjj(->"**-L+  JJ* + JJ( )     #  (B0  JJ~ & JJ| $     %&L  + +,< =&JK K $KxHH $[2BH MMrc|xstjj|jtj}|r|tj||<yyr$)rr4r/r0r5)rNr` types_mappingid_names r _adjust_paramrsM> > >CC_4457G*?+=+=>wrc<tjdd|d}t|||jt j ddj ddz|dd i } tj|j}|jd rF|jd r5|d t|d |jd |jdddS|S#tjj$r"tjd|jwxYw)Nz0Obtaining token via managed identity on Azure VMz 2018-02-01 api-versionrs!AZURE_POD_IDENTITY_AUTHORITY_HOSTzhttp://169.254.169.254/z/metadata/identity/oauth2/tokenMetadatatruerNheadersr}rZrsr~rr}rZrsr~!IMDS emits unexpected payload: %s) rrrr/rgetenvstripjsonloadstextrdecoderJSONDecodeError)rlr`rsrNresppayloads rrrs  LLCD# F&*+ ?? /1I eCj< =V$  D **TYY' ;;~ &7;;|+D ' 7!',"78#KK 3%kk,A    << ' ' 8$))D s$A5CC?Dc tjdd|d}t||tjdtj dtj di|j|||dd  } tj|j}|jd rd|jd rS|d t|d ttjz |jd |jdddSddj|jd|jddS#tjj$r"tjd|jwxYw)zObtains token for `App Service `_, Azure Functions, and Azure Automation. z9Obtaining token via managed identity on Azure App Servicez 2019-08-01rr mi_res_idr")rr)zX-IDENTITY-HEADERrrr}r{rsr~rr invalid_scopez{}, {} statusCodemessagererror_descriptionr)rrrrr>r?r@r/rrrrrrPrr)rlendpointidentity_headerr`rsrNrrs rrrsT LLLM# F&*!!;##[!!;; ??!0  D**TYY' ;;~ &7;;|+D ' 7!',"783tyy{;KK#KK 3%kk,A  %!) L)7;;y+A"C  << ' ' 8$))D s1BD82D88?E7ctjdd|d}t|||ddk(rd|vr|jd|d<|j ||d|i} t j |j}|j d rd|j d rS|d t|d ttjz |j d |j d d dSddj|dS#t jj$r"tjd|jwxYw)Nz>Obtaining token via managed identity on Azure Machine Learningz 2017-09-01rrr clientidr|rr}r{rsr~rrrz{}rr) rrrpopr/rrrrrrPrr)rlrr|r`rsrNrrs rrr's1  LLQR)x @F&*+ m ,1F#ZZ 4z ??6"  D **TYY' ;;~ &7;;|+D ' 7!',"783tyy{;KK#KK 3%kk,A  %!%W!5  << ' ' 8$))D sBD2D?Ec tjd|j|d|||rdj|nddj Dcic] \}}||| c}}d|i} t j | j} | jdrW| jd rF| dt| d ttjz | jd | d d S| jd i} dddd} | j| jdd| jdScc}}w#t jj$r"tjd| jwxYw)zfObtains token for `Service Fabric `_ zrsy   ! ((#AL2   8 $ : , h, ^ ZO Z5/52 2  f'Ff'R Gh H h 8 259/3 2N%-SM2N"$s), 2Nj?:/bJ+//3 .%(."$s), .d) WW   R S/+  #7 1 r