U ncii@sdZddlmZmZddlZddlZddlZddlmZddl Z ddl m Z m Z ddl Z ddlmZddlmZmZeeZdZed Zed Zd d Zd dZeGdddZedddZGdddejZddZefedddZ GdddeZ!dS)z5Mutual TLS for Google Compute Engine metadata server.) dataclassfieldN)Path)urlparse urlunparse) HTTPAdapter)environment_vars exceptionsntz#C:/ProgramData/Google/ComputeEnginez/run/google-mds-mtlscCstjtkrtdStdSdS)Nzmds-mtls-root.crtzroot.crtosname_WINDOWS_OS_NAME"_WINDOWS_MTLS_COMPONENTS_BASE_PATH_MTLS_COMPONENTS_BASE_PATHrrD/tmp/pip-unpacked-wheel-fpe1mg0e/google/auth/compute_engine/_mtls.py_get_mds_root_crt_path,s rcCstjtkrtdStdSdS)Nzmds-mtls-client.keyz client.keyr rrrr"_get_mds_client_combined_cert_path3s rc@s2eZdZUeedZeed<eedZ eed<dS) MdsMtlsConfig)default_factory ca_cert_pathclient_combined_cert_pathN) __name__ __module__ __qualname__rrrr__annotations__rrrrrrr:s rmds_mtls_configcCstj|jotj|jS)z&Checks if the mTLS certificates exist.)r pathexistsrrrrrr _certs_existDsr!c@seZdZdZdZdZdZdS) MdsMtlsModeaGMDS mTLS mode. Used to configure connection behavior when connecting to MDS. STRICT: Always use HTTPS/mTLS. If certificates are not found locally, an error will be returned. NONE: Never use mTLS. Requests will use regular HTTP. DEFAULT: Use mTLS if certificates are found locally, otherwise use regular HTTP. strictnonedefaultN)rrr__doc__STRICTNONEDEFAULTrrrrr"Ksr"cCs@tjtjd}z t|WStk r:tdYnXdS)z7Parses the GCE_METADATA_MTLS_MODE environment variable.r%zXInvalid value for GCE_METADATA_MTLS_MODE. Must be one of 'strict', 'none', or 'default'.N)r environgetrZGCE_METADATA_MTLS_MODElowerr" ValueError)Zmode_strrrr_parse_mds_modeXs r.cCs@t}|tjkr&t|s"tddS|tjkr4dSt|SdS)z:Determines if mTLS should be used for the metadata server.z+mTLS certificates not found in strict mode.TFN)r.r"r'r!r ZMutualTLSChannelErrorr()rmoderrrshould_use_mds_mtlses  r0csPeZdZdZefedfdd ZfddZfddZfd d ZZ S) MdsMtlsAdapterz7An HTTP adapter that uses mTLS for the metadata server.rcs@t|_|jj|jd|jj|jdtt|j ||dS)N)cafile)certfile) sslcreate_default_context ssl_contextload_verify_locationsrload_cert_chainrsuperr1__init__)selfrargskwargs __class__rrr:ws  zMdsMtlsAdapter.__init__cs|j|d<tt|j||SNr6)r6r9r1init_poolmanagerr;r<r=r>rrrAs zMdsMtlsAdapter.init_poolmanagercs|j|d<tt|j||Sr@)r6r9r1proxy_manager_forrBr>rrrCs z MdsMtlsAdapter.proxy_manager_forc sttjkr tt|j|f|Sz"tt|j|f|}||WStjt j jt j j fk r}zHt d|t|j}t|jdd}||_t}|j|f|WYSd}~XYnXdS)NzcmTLS connection to Compute Engine Metadata server failed. Falling back to standard HTTP. Reason: %shttp)scheme)r.r"r'r9r1sendraise_for_statusr4SSLErrorrequestsr HTTPError_LOGGERwarningrurlr_replacer)r;requestr=responseeZparsed_original_urlZhttp_fallback_urlZ http_adapterr>rrrFs(  zMdsMtlsAdapter.send) rrrr&rr:rArCrF __classcell__rrr>rr1ts  r1)"r&Z dataclassesrrenumloggingr pathlibrr4 urllib.parserrrIZrequests.adaptersrZ google.authrr getLoggerrrKrrrrrrr!Enumr"r.r0r1rrrrs.