+ ‡åºi/#ãó¶€Rt^RIt^RIHt^RIHt^RIHt^RIHt^RIHt^RIH t Rt R t R t ]P!R R 7t!R R]P4tR#)z'Experimental GDCH credentials support. N)Ú_helpers)Ú_service_account_info)Ú credentials)Ú exceptions)Újwt)Ú_clientz/urn:ietf:params:oauth:token-type:token-exchangez-urn:ietf:params:oauth:token-type:access_tokenz.urn:k8s:params:oauth:token-type:serviceaccounti)Úsecondscó¶aa€]tRt^"toRtV3RltRt]P!] P4R4t Rt ] R4t] R4t] R4tR tVtV;t#) ÚServiceAccountCredentialsaÊCredentials for GDCH (`Google Distributed Cloud Hosted`_) for service account users. .. _Google Distributed Cloud Hosted: https://cloud.google.com/blog/topics/hybrid-cloud/ announcing-google-distributed-cloud-edge-and-hosted To create a GDCH service account credential, first create a JSON file of the following format:: { "type": "gdch_service_account", "format_version": "1", "project": "", "private_key_id": "", "private_key": "-----BEGIN EC PRIVATE KEY----- -----END EC PRIVATE KEY----- ", "name": "", "ca_cert_path": "", "token_uri": "https://service-identity./authenticate" } The "format_version" field stands for the format of the JSON file. For now it is always "1". The `private_key_id` and `private_key` is used for signing. The `ca_cert_path` is used for token server TLS certificate verification. After the JSON file is created, set `GOOGLE_APPLICATION_CREDENTIALS` environment variable to the JSON file path, then use the following code to create the credential:: import google.auth credential, _ = google.auth.default() credential = credential.with_gdch_audience("") We can also create the credential directly:: from google.oauth import gdch_credentials credential = gdch_credentials.ServiceAccountCredentials.from_service_account_file("") credential = credential.with_gdch_audience("") The token is obtained in the following way. This class first creates a self signed JWT. It uses the `name` value as the `iss` and `sub` claim, and the `token_uri` as the `aud` claim, and signs the JWT with the `private_key`. It then sends the JWT to the `token_uri` to exchange a final token for `audience`. c ót<€\\V` 4WnW nW0nW@nWPnW`nR#)a Args: signer (google.auth.crypt.Signer): The signer used to sign JWTs. service_identity_name (str): The service identity name. It will be used as the `iss` and `sub` claim in the self signed JWT. project (str): The project. audience (str): The audience for the final token. token_uri (str): The token server uri. ca_cert_path (str): The CA cert path for token server side TLS certificate verification. If the token server uses well known CA, then this parameter can be `None`. N) Úsuperr Ú__init__Ú_signerÚ_service_identity_nameÚ_projectÚ _audienceÚ _token_uriÚ _ca_cert_path)ÚselfÚsignerÚservice_identity_nameÚprojectÚaudienceÚ token_uriÚ ca_cert_pathÚ __class__s&&&&&&&€Úq/Users/igloo/.openclaw/workspace/scratch/fb_ad_env/lib/python3.14/site-packages/google/oauth2/gdch_credentials.pyr Ú"ServiceAccountCredentials.__init__Ss3ø€ô Ô'¨Ñ7Ô9ØŒ Ø&;Ô#ØŒ Ø!ŒØ#ŒØ)Öóc óx€\P!4pV\,pRPVPVP 4pRVRVRVP R\P!V4R\P!V4/p\P!\P!VPV44#)zsystem:serviceaccount:{}:{}ÚissÚsubÚaudÚiatÚexp) rÚutcnowÚ JWT_LIFETIMEÚformatrrrÚdatetime_to_secsÚ from_bytesrÚencoder)rÚnowÚexpiryÚ iss_sub_valueÚpayloads& rÚ _create_jwtÚ%ServiceAccountCredentials._create_jwtjs•€ÜoŠoӈؔ|Õ#ˆØ5×<Ñ<Ø M‰M˜4×6Ñ6ó ˆ ð =Ø =Ø 4—?‘?Ø ”8×,Ò,¨SÓ1Ø ”8×,Ò,¨VÓ4ð  ˆô×"Ò"¤3§:¢:¨d¯l©l¸GÓ#DÓEÐErc óº€^RIp\WPPPP 4'g\ P!R4hVP4pR\RVPR\RVR\/p\P!VVPVRRVP R 7p\P"!VR4wVnq`npR#) éNzeFor GDCH service account credentials, request must be a google.auth.transport.requests.Request objectÚ grant_typerÚrequested_token_typeÚ subject_tokenÚsubject_token_typeT)Ú access_tokenÚuse_jsonÚverify)Úgoogle.auth.transport.requestsÚ isinstanceÚauthÚ transportÚrequestsÚRequestrÚ RefreshErrorr/ÚTOKEN_EXCHANGE_TYPErÚACCESS_TOKEN_TOKEN_TYPEÚSERVICE_ACCOUNT_TOKEN_TYPErÚ_token_endpoint_requestrrÚ_handle_refresh_grant_responseÚtokenr,)rÚrequestÚgoogleÚ jwt_tokenÚ request_bodyÚ response_dataÚ_s&& rÚrefreshÚ!ServiceAccountCredentials.refresh{sÀã-ä˜'§;¡;×#8Ñ#8×#AÑ#A×#IÑ#I×JÒJÜ×)Ò)Øwóð ð ×$Ñ$Ó&ˆ à Ô-Ø ˜Ÿ™Ø "Ô$;Ø ˜YØ Ô"<ð  ˆ ô ×7Ò7Ø Ø O‰OØ ØØØ×%Ñ%ô  ˆ ô)0×(NÒ(NØ ˜4ó) Ñ%ˆŒ A”{¢Arc ó’€VPVPVPVPVVPVP 4#)z†Create a copy of GDCH credentials with the specified audience. Args: audience (str): The intended audience for GDCH credentials. )rrrrrr)rrs&&rÚwith_gdch_audienceÚ,ServiceAccountCredentials.with_gdch_audiencešs?€ð ~‰~Ø L‰LØ × 'Ñ 'Ø M‰MØ Ø O‰OØ × Ñ ó  ð rc  ó˜€VR,R8wd \R4hV!VVR,VR,RVR,VPRR44#) a|Creates a Credentials instance from a signer and service account info. Args: signer (google.auth.crypt.Signer): The signer used to sign JWTs. info (Mapping[str, str]): The service account info. Returns: google.oauth2.gdch_credentials.ServiceAccountCredentials: The constructed credentials. Raises: ValueError: If the info is not in the expected format. Úformat_versionÚ1z"Only format version 1 is supportedÚnamerNrr)Ú ValueErrorÚget)ÚclsrÚinfos&&&rÚ_from_signer_and_infoÚ/ServiceAccountCredentials._from_signer_and_info©sU€ð Ð Õ ! SÔ (ÜÐAÓBÐ BáØ Ø LØ OØ Ø Õ Ø H‰H^ TÓ *ó  ð rc óZ€\P!V.RORR7pVPW!4#)a‡Creates a Credentials instance from parsed service account info. Args: info (Mapping[str, str]): The service account info in Google format. kwargs: Additional arguments to pass to the constructor. Returns: google.oauth2.gdch_credentials.ServiceAccountCredentials: The constructed credentials. Raises: ValueError: If the info is not in the expected format. F©ÚrequireÚuse_rsa_signer©rSÚprivate_key_idÚ private_keyrUrr)rÚ from_dictrZ)rXrYrs&& rÚfrom_service_account_infoÚ3ServiceAccountCredentials.from_service_account_infoÅs4€ô '×0Ò0Ø òð!ô  ˆð×(Ñ(¨Ó6Ð6rc ó^€\P!V.RORR7wr#VPW24#)a1Creates a Credentials instance from a service account json file. Args: filename (str): The path to the service account json file. kwargs: Additional arguments to pass to the constructor. Returns: google.oauth2.gdch_credentials.ServiceAccountCredentials: The constructed credentials. Fr]r`)rÚ from_filenamerZ)rXÚfilenamerYrs&& rÚfrom_service_account_fileÚ3ServiceAccountCredentials.from_service_account_fileãs6€ô-×:Ò:Ø òð!ô  ‰ ˆð×(Ñ(¨Ó6Ð6r)rrrrrrr,rF)Ú__name__Ú __module__Ú __qualname__Ú__firstlineno__Ú__doc__r r/rÚcopy_docstringrÚ CredentialsrMrPÚ classmethodrZrdriÚ__static_attributes__Ú__classdictcell__Ú __classcell__)rÚ __classdict__s@@rr r "sù‡€ñ.õ`*ò.Fð"×Ò˜[×4Ñ4Ó5ñ ó6ð ò<  ðñ óð ð6ñ7óð7ð:ñ7ó÷7ð7rr )roÚdatetimeÚ google.authrrrrrÚ google.oauth2rrArBrCÚ timedeltar&rqr ©rrÚr|sZðñóå Ý-Ý#Ý"ÝÝ!ðHÐØIÐØMÐØ×!Ò!¨$Ô/€ ôY7  × 7Ñ 7öY7r