o  iK@sdZddlZddlZddlZddlZddlmZddlmZddlmZddlm Z ddl Z ddl Z ddl Z ddlmZddlmZdd lmZd Zd Zd Zd ZeejddZeejddZeejddZdZegdZdZdZ dZ!dZ"Gddde j#j$j%Z&GdddZ'GdddZ(Gd d!d!e j)Z*Gd"d#d#Z+Gd$d%d%Z,Gd&d'd'ej-Z.Gd(d)d)ej-Z/Gd*d+d+ej0Z1Gd,d-d-ej0Z2Gd.d/d/ej3Z4Gd0d1d1e4Z5Gd2d3d3e4Z6dS)4z1Firebase token minting and validation sub module.N) credentials)iam)jwt) transport) exceptions) _auth_utils) _http_clientzhttps://securetoken.google.com/zXhttps://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.comz$https://session.firebase.google.com/zEhttps://www.googleapis.com/identitytoolkit/v3/relyingparty/publicKeys)minutes)days)hourszYhttps://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit)acramrat_hashaud auth_timeazpcnfc_hashexpfirebaseiatissjtinbfnoncesubzZhttp://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/emailRS256nonez"firebase-auth-emulator@example.comc@s eZdZdZddZddZdS)_EmulatedSignerNcCsdSNselfr#r#y/var/www/snowflake_co_dev_github/snow_flake_back_end_deploy/env/lib/python3.10/site-packages/firebase_admin/_token_gen.py__init__Bz_EmulatedSigner.__init__cCsdS)Nr#r%messager#r#r&signEr(z_EmulatedSigner.sign)__name__ __module__ __qualname__key_idr'r,r#r#r#r&r!?s r!c@sdeZdZdZefddZeddZeddZedd Z e d d Z e d d Z e ddZ dS)_SigningProviderz2Stores a reference to a google.auth.crypto.Signer.cCs||_||_||_dSr")_signer _signer_email_alg)r%signer signer_emailalgr#r#r&r'Ls z_SigningProvider.__init__cC|jSr")r2r$r#r#r&r5Qz_SigningProvider.signercCr8r")r3r$r#r#r&r6Ur9z_SigningProvider.signer_emailcCr8r")r4r$r#r#r&r7Yr9z_SigningProvider.algcCst|j|jSr")r1r5r6)cls google_credr#r#r&from_credential]z _SigningProvider.from_credentialcCst|||}t||Sr")rSignerr1)r:requestr;service_accountr5r#r#r&from_iamas z_SigningProvider.from_iamcCsttttSr")r1r!AUTH_EMULATOR_EMAILALGORITHM_NONE)r:r#r#r& for_emulatorfr=z_SigningProvider.for_emulatorN)r-r.r/__doc__ALGORITHM_RS256r'propertyr5r6r7 classmethodr<rArDr#r#r#r&r1Is      r1c@sDeZdZdZdZdddZddZedd Zdd d Z d d Z dS)TokenGeneratorz,Generates custom tokens and session cookies.z)https://identitytoolkit.googleapis.com/v1NcCs>||_||_tj|_|p|j}|d|j|_d|_ dS)Nz /projects/) app http_clientrrequestsRequestr?ID_TOOLKIT_URL project_idbase_url_signing_provider)r%rJrK url_override url_prefixr#r#r&r'ps    zTokenGenerator.__init__cCstrtS|jj}t|tj j j rt |S|jj d}|r,t|j||St|tjr7t |S|jtddid}|jdkrPtd|jd|j}t|j||S)zPInitializes a signing provider by following the go/firebase-admin-sign protocol.serviceAccountIdzMetadata-FlavorGoogle)urlheadersz.Failed to contact the local metadata service: .)r is_emulatedr1rDrJ credentialget_credential isinstancegoogleoauth2r@ Credentialsr<optionsgetrAr?rSigningMETADATA_SERVICE_URLstatus ValueErrordatadecode)r%r;r@respr#r#r&_init_signing_providerxs"      z%TokenGenerator._init_signing_providerc CsT|js'z ||_W|jSty&}zd}td|d|d|d}~ww|jS)z@Initializes and returns the SigningProvider instance to be used.z@https://firebase.google.com/docs/auth/admin/create-custom-tokensz%Failed to determine service account: z. Make sure to initialize the SDK with service account credentials or specify a service account ID with iam.serviceAccounts.signBlob permission. Please refer to z, for more details on creating custom tokens.N)rQrj Exceptionrf)r%errorrVr#r#r&signing_providers  zTokenGenerator.signing_providerc Cs,|dur7t|ts tdt|t@}|r7t|dkr*dd|d}t|dd|d}t||rDt|trDt|d krHtd |j }t t }|j |j t |||td }|rd||d <|durl||d <d|ji} z tj|j|| dWStjjjy} z d| } t| | | d} ~ ww)z.Builds and signs a Firebase custom auth token.Nz%developer_claims must be a dictionaryr zDeveloper claims z, z& are reserved and cannot be specified.zDeveloper claim z% is reserved and cannot be specified.z2uid must be a string between 1 and 128 characters.)rrruidrr tenant_idclaimsr7)headerzFailed to sign custom token. )r]dictrfsetkeysRESERVED_CLAIMSlenjoinstrrminttimer6FIREBASE_AUDIENCEMAX_TOKEN_LIFETIME_SECONDSr7rencoder5r^authrTransportErrorTokenSignError) r%rodeveloper_claimsrpdisallowed_keys error_messagermnowpayloadrrrlmsgr#r#r&create_custom_tokensF      z"TokenGenerator.create_custom_tokenc Cs,t|tr |dn|}t|tr|std|dt|tjr't|}t|t s1t|ts9td|d|t krHtd|dt d|t krWtd|dt d|j d }||d }z |j jd ||d \}}Wntjjy}zt|d }~ww|r|dstjd|d|dS)z4Creates a session cookie from the provided ID token.utf-8zIllegal ID token provided: z&. ID token must be a non-empty string.zIllegal expiry duration: rYz. Duration must be at least z seconds.z. Duration must be at most z:createSessionCookie)idToken validDurationpost)jsonN sessionCookiez Failed to create session cookie.) http_response)r]bytesrhryrfdatetime timedeltarz total_secondsbool#MIN_SESSION_COOKIE_DURATION_SECONDS#MAX_SESSION_COOKIE_DURATION_SECONDSrPrKbody_and_responserLrRequestExceptionrhandle_auth_backend_errorrbUnexpectedResponseError)r%id_token expires_inrVrbody http_resprlr#r#r&create_session_cookiesH      z$TokenGenerator.create_session_cookier")NN) r-r.r/rErNr'rjrGrmrrr#r#r#r&rIks    -rIc@s<eZdZdZd ddZeddZeddZd d d ZdS)CertificateFetchRequestzyA google-auth transport that supports HTTP cache-control. Also injects a timeout to each outgoing HTTP request. NcCs*tt|_tj|j|_||_ dSr") cachecontrol CacheControlrLSession_sessionrrMsession _delegate_timeout_seconds)r%timeout_secondsr#r#r&r's z CertificateFetchRequest.__init__cCr8r")rr$r#r#r&rr9zCertificateFetchRequest.sessioncCr8r")rr$r#r#r&rr9z'CertificateFetchRequest.timeout_secondsGETcKs&|p|j}|j|f||||d|S)N)methodrrWtimeout)rr)r%rVrrrWrkwargsr#r#r&__call__s z CertificateFetchRequest.__call__r")rNNN) r-r.r/rEr'rGrrrr#r#r#r&rs   rc@s,eZdZdZddZd ddZd ddZd S) TokenVerifierz'Verifies ID tokens and session cookies.c CsX|jdtj}t||_t|jdddtt t j t d|_ t|jdddttttd|_dS)N httpTimeoutzID tokenzverify_id_token()zr!r1rIrMrrrrrrrrrrrrrr#r#r#r&sT         " y