3 L(Y)@sfdZddlZddlZddlmZddlmZddlmZddlmZdZ e dZ Gd d d ej Z dS) zTools for using the Google `Cloud Identity and Access Management (IAM) API`_'s auth-related functionality. .. _Cloud Identity and Access Management (IAM) API: https://cloud.google.com/iam/docs/ N) http_client)_helpers)crypt) exceptionszhttps://iam.googleapis.com/v1z0/projects/-/serviceAccounts/{}:signBlob?alt=jsonc@s@eZdZdZddZddZeddZej e j dd Z d S) SigneraSigns messages using the IAM `signBlob API`_. This is useful when you need to sign bytes but do not have access to the credential's private key file. .. _signBlob API: https://cloud.google.com/iam/reference/rest/v1/projects.serviceAccounts /signBlob cCs||_||_||_dS)a Args: request (google.auth.transport.Request): The object used to make HTTP requests. credentials (google.auth.credentials.Credentials): The credentials that will be used to authenticate the request to the IAM API. The credentials must have of one the following scopes: - https://www.googleapis.com/auth/iam - https://www.googleapis.com/auth/cloud-platform service_account_email (str): The service account email identifying which service account to use to sign bytes. Often, this can be the same as the service account email in the given credentials. N)_request _credentials_service_account_email)selfrequest credentialsZservice_account_emailr >/private/tmp/pip-build-nl73fm5q/google-auth/google/auth/iam.py__init__/szSigner.__init__cCstj|}d}tj|j}i}tjdtj|j di}|j j |j ||||j ||||d}|j tjkr|tjdj|jtj|jj dS)z(Makes a request to the API signBlob API.POSTZ bytesToSignzutf-8)urlmethodbodyheadersz'Error calling the IAM signBytes API: {})rto_bytes_SIGN_BLOB_URIformatr jsondumpsbase64 b64encodedecoderZbefore_requestrstatusrOKrZTransportErrordataloads)r messagerrrrresponser r r_make_signing_requestCs    zSigner._make_signing_requestcCsdS)zOptional[str]: The key ID used to identify this private key. .. warning:: This is always ``None``. The key ID used by IAM can not be reliably determined ahead of time. Nr )r r r rkey_idYsz Signer.key_idcCs|j|}tj|dS)N signature)r#r b64decode)r r!r"r r rsigncs z Signer.signN) __name__ __module__ __qualname____doc__rr#propertyr$rZcopy_docstringrrr'r r r rr$s   r) r+rrZ six.movesrZ google.authrrrZ_IAM_API_ROOT_URIrrr r r rs