Xif#NSrSSKrSSKrSSKJr SSKrSSKrSSKJr Sr Sr \R"S\R5r \R"S\R5r\R"\5r\R"S \R5rS rS rSS jrS \ 4SjrSSjrSrg)z/Helper functions for getting mTLS cert and key.N)path) exceptionsz,~/.secureConnect/context_aware_metadata.jsoncert_provider_commands:-----BEGIN CERTIFICATE-----.+-----END CERTIFICATE----- ? ?sH-----BEGIN [A-Z ]*PRIVATE KEY-----.+-----END [A-Z ]*PRIVATE KEY----- ? ?s6-----BEGIN PASSPHRASE-----(.+)-----END PASSPHRASE-----c[R"U5n[R"U5(d[R SU5 gU$)zChecks for context aware metadata. If it exists, returns the absolute path; otherwise returns None. Args: metadata_path (str): context aware metadata path. Returns: str: absolute path if exists and None otherwise. z0%s is not found, skip client SSL authentication.N)r expanduserexists_LOGGERdebug) metadata_paths M/app/.venv/lib/python3.13/site-packages/google/auth/transport/_mtls_helper.py_check_dca_metadata_pathr 1s9OOM2M ;;} % % H-X c[U5n[R"U5nSSS5 U$!,(df  W$=f![an[R "U5nXCeSnAff=f)zLoads context aware metadata from the given path. Args: metadata_path (str): context aware metadata path. Returns: Dict[str, str]: The metadata. Raises: google.auth.exceptions.ClientCertError: If failed to parse metadata as JSON. N)openjsonload ValueErrorrClientCertError)r fmetadata caught_excnew_excs r _read_dca_metadata_filerBsa& - Ayy|H! O ! O &,,Z8%&s. A.A =AA A' A""A'Fc[R"U[R[RS9nUR5up4URS:wa#[ R "SUR-5e[R"[U5n[U5S:wa[ R "S5e[R"[U5n[U5S:wa[ R "S5e[R"[U5n U(a`[U 5S:wa[ R "S5eS US;a[ R "S 5eUSUSU SR54$S US;a[ R "S 5e[U 5S:a[ R "S 5eUSUSS4$![an[ R "U5nXeeSnAff=f) aRun the provided command, and return client side mTLS cert, key and passphrase. Args: command (List[str]): cert provider command. expect_encrypted_key (bool): If encrypted private key is expected. Returns: Tuple[bytes, bytes, bytes]: client certificate bytes in PEM format, key bytes in PEM format and passphrase bytes. Raises: google.auth.exceptions.ClientCertError: if problems occurs when running the cert provider command or generating cert, key and passphrase. )stdoutstderrNrz5Cert provider command returns non-zero status code %sz,Client SSL certificate is missing or invalidz$Client SSL key is missing or invalidz Passphrase is missing or invalids ENCRYPTEDz!Encrypted private key is expectedz%Encrypted private key is not expectedzPassphrase is not expected) subprocessPopenPIPE communicateOSErrorrr returncoderefindall _CERT_REGEXlen _KEY_REGEX_PASSPHRASE_REGEXstrip) commandexpect_encrypted_keyprocessrrrr cert_match key_matchpassphrase_matchs r _run_cert_provider_commandr1Xs &"" JOOJOO !,,. Q(( CgFXFX X  K0J :!(()WXX :v.I 9~(()OPPzz"3V<  A %,,-OP P y| +,,-PQ Q!}il, ! 6,,-QR R 67 !&9&H NN. /!; ! :T ** "rcJU(a U"5upSX4$[SS9up1p$X1U4$)aReturns the client side certificate and private key. The function first tries to get certificate and key from client_cert_callback; if the callback is None or doesn't provide certificate and key, the function tries application default SSL credentials. Args: client_cert_callback (Optional[Callable[[], (bytes, bytes)]]): An optional callback which returns client certificate bytes and private key bytes both in PEM format. Returns: Tuple[bool, bytes, bytes]: A boolean indicating if cert and key are obtained, the cert bytes and key bytes both in PEM format. Raises: google.auth.exceptions.ClientCertError: if problems occurs when getting the cert and key. TF)r5)r;)client_cert_callbackr8r9has_cert_s r get_client_cert_and_keyr@s5((* T7uUHC 3 rczSSKJn URURXS9nUR URU5$)aA helper function to decrypt the private key with the given passphrase. google-auth library doesn't support passphrase protected private key for mutual TLS channel. This helper function can be used to decrypt the passphrase protected private key in order to estalish mutual TLS channel. For example, if you have a function which produces client cert, passphrase protected private key and passphrase, you can convert it to a client cert callback function accepted by google-auth:: from google.auth.transport import _mtls_helper def your_client_cert_function(): return cert, encrypted_key, passphrase # callback accepted by google-auth for mutual TLS channel. def client_cert_callback(): cert, encrypted_key, passphrase = your_client_cert_function() decrypted_key = _mtls_helper.decrypt_private_key(encrypted_key, passphrase) return cert, decrypted_key Args: key (bytes): The private key bytes in PEM format. passphrase (bytes): The passphrase bytes. Returns: bytes: The decrypted private key in PEM format. Raises: ImportError: If pyOpenSSL is not installed. OpenSSL.crypto.Error: If there is any problem decrypting the private key. r)crypto)r:)OpenSSLrBload_privatekey FILETYPE_PEMdump_privatekey)r9r:rBpkeys r decrypt_private_keyrHs@B  ! !&"5"5s ! RD  ! !&"5"5t <rSs6  "L0jjCRYY ZZQII   H %JJ=ryy ",3-n! ;(#V8'=r