U %FZhM@sdZddlZddlZddlZddlZddlmZddlmZddlmZddlm Z ddl Z ddl Z ddl Z ddlmZddlmZdd lmZd Zd Zd Zd ZeejddZeejddZeejddZdZedddddddddddd d!d"d#d$gZd%Zd&Z d'Z!d(Z"Gd)d*d*e j#j$j%Z&Gd+d,d,Z'Gd-d.d.Z(Gd/d0d0e j)Z*Gd1d2d2Z+Gd3d4d4Z,Gd5d6d6ej-Z.Gd7d8d8ej-Z/Gd9d:d:ej0Z1Gd;d<dd>ej3Z4Gd?d@d@e4Z5GdAdBdBe4Z6dS)Cz1Firebase token minting and validation sub module.N) credentials)iam)jwt) transport) exceptions) _auth_utils) _http_clientzhttps://securetoken.google.com/zXhttps://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.comz$https://session.firebase.google.com/zEhttps://www.googleapis.com/identitytoolkit/v3/relyingparty/publicKeys)minutes)days)hourszYhttps://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkitZacrZamrZat_hashaudZ auth_timeZazpZcnfZc_hashexpZfirebaseiatissZjtiZnbfnoncesubzZhttp://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/emailRS256nonez"firebase-auth-emulator@example.comc@s eZdZdZddZddZdS)_EmulatedSignerNcCsdSNselfrr`/home/aprabhat/apps/x.techxrdev.in/venv/lib/python3.8/site-packages/firebase_admin/_token_gen.py__init__Bsz_EmulatedSigner.__init__cCsdS)NrrmessagerrrsignEsz_EmulatedSigner.sign)__name__ __module__ __qualname__Zkey_idrr!rrrrr?src@sdeZdZdZefddZeddZeddZedd Z e d d Z e d d Z e ddZ dS)_SigningProviderz2Stores a reference to a google.auth.crypto.Signer.cCs||_||_||_dSr)_signer _signer_email_alg)rsigner signer_emailalgrrrrLsz_SigningProvider.__init__cCs|jSr)r&rrrrr)Qsz_SigningProvider.signercCs|jSr)r'rrrrr*Usz_SigningProvider.signer_emailcCs|jSr)r(rrrrr+Ysz_SigningProvider.algcCst|j|jSr)r%r)r*)cls google_credrrrfrom_credential]sz _SigningProvider.from_credentialcCst|||}t||Sr)rSignerr%)r,requestr-service_accountr)rrrfrom_iamasz_SigningProvider.from_iamcCsttttSr)r%rAUTH_EMULATOR_EMAILALGORITHM_NONE)r,rrr for_emulatorfsz_SigningProvider.for_emulatorN)r"r#r$__doc__ALGORITHM_RS256rpropertyr)r*r+ classmethodr.r2r5rrrrr%Is      r%c@sDeZdZdZdZdddZddZedd Zdd d Z d d Z dS)TokenGeneratorz,Generates custom tokens and session cookies.z)https://identitytoolkit.googleapis.com/v1NcCs<||_||_tj|_|p |j}d||j|_ d|_ dS)Nz{0}/projects/{1}) app http_clientrrequestsRequestr0ID_TOOLKIT_URLformat project_idbase_url_signing_provider)rr;r<Z url_overrideZ url_prefixrrrrps   zTokenGenerator.__init__cCstrtS|jj}t|tj j j r6t |S|jj d}|rXt|j||St|tjrnt |S|jtddid}|jdkrtd|j|j}t|j||S)zPInitializes a signing provider by following the go/firebase-admin-sign protocol.ZserviceAccountIdzMetadata-FlavorZGoogle)urlheadersz2Failed to contact the local metadata service: {0}.)r is_emulatedr%r5r;Z credentialget_credential isinstancegoogleoauth2r1 Credentialsr.optionsgetr2r0rZSigningMETADATA_SERVICE_URLstatus ValueErrorr@datadecode)rr-r1resprrr_init_signing_providerxs"      z%TokenGenerator._init_signing_providerc CsR|jsLz||_Wn6tk rJ}zd}td||W5d}~XYnX|jS)z@Initializes and returns the SigningProvider instance to be used.z@https://firebase.google.com/docs/auth/admin/create-custom-tokenszFailed to determine service account: {0}. Make sure to initialize the SDK with service account credentials or specify a service account ID with iam.serviceAccounts.signBlob permission. Please refer to {1} for more details on creating custom tokens.N)rCrU ExceptionrQr@)rerrorrDrrrsigning_providerszTokenGenerator.signing_providerc Cs0|dk rdt|tstdt|t@}|rdt|dkrLdd|}ndd|}t||r~t|t r~t|dkrtd|j }t t }|j |j t|||td }|r||d <|dk r||d <d |ji} ztj|j|| d WStjjjk r*} zd| } t| | W5d} ~ XYnXdS)z.Builds and signs a Firebase custom auth token.Nz%developer_claims must be a dictionaryr z:Developer claims {0} are reserved and cannot be specified.z, z8Developer claim {0} is reserved and cannot be specified.z2uid must be a string between 1 and 128 characters.)rrruidrr tenant_idZclaimsr+)headerz Failed to sign custom token. {0})rIdictrQsetkeysRESERVED_CLAIMSlenr@joinstrrXinttimer*FIREBASE_AUDIENCEMAX_TOKEN_LIFETIME_SECONDSr+rencoder)rJauthrTransportErrorTokenSignError) rrZZdeveloper_claimsr[Zdisallowed_keys error_messagerXnowpayloadr\rWmsgrrrcreate_custom_tokensD     z"TokenGenerator.create_custom_tokenc Cs.t|tr|dn|}t|tr&|s4td|t|tjrLt| }t|t s`t|tsntd||t krtd|t |t krtd|t d|j }||d}z|jjd||d \}}Wn0tjjk r}zt|W5d }~XYn,X|r|d s tjd |d |d Sd S)z4Creates a session cookie from the provided ID token.utf-8zDIllegal ID token provided: {0}. ID token must be a non-empty string.zIllegal expiry duration: {0}.zDIllegal expiry duration: {0}. Duration must be at least {1} seconds.zCIllegal expiry duration: {0}. Duration must be at most {1} seconds.z{0}:createSessionCookie)ZidTokenZ validDurationpost)jsonNZ sessionCookiez Failed to create session cookie.) http_response)rIbytesrSrcrQr@datetime timedeltard total_secondsbool#MIN_SESSION_COOKIE_DURATION_SECONDS#MAX_SESSION_COOKIE_DURATION_SECONDSrBr<Zbody_and_responser=rRequestExceptionrZhandle_auth_backend_errorrNZUnexpectedResponseError)rid_tokenZ expires_inrDrnbodyZ http_resprWrrrcreate_session_cookiesF   z$TokenGenerator.create_session_cookie)N)NN) r"r#r$r6r?rrUr8rXrprrrrrr:ks   -r:c@s<eZdZdZd ddZeddZeddZd d d ZdS)CertificateFetchRequestzyA google-auth transport that supports HTTP cache-control. Also injects a timeout to each outgoing HTTP request. NcCs*tt|_tj|j|_||_ dSr) cachecontrol CacheControlr=Session_sessionrr>session _delegate_timeout_seconds)rtimeout_secondsrrrrsz CertificateFetchRequest.__init__cCs|jSr)rrrrrrszCertificateFetchRequest.sessioncCs|jSr)rrrrrrsz'CertificateFetchRequest.timeout_secondsGETcKs&|p|j}|j|f||||d|S)N)methodr~rEtimeout)rr)rrDrr~rErkwargsrrr__call__s z CertificateFetchRequest.__call__)N)rNNN) r"r#r$r6rr8rrrrrrrrs   rc@s,eZdZdZddZd ddZd ddZd S) TokenVerifierz'Verifies ID tokens and session cookies.c CsX|jdtj}t||_t|jdddtt t j t d|_ t|jdddttttd|_dS)NZ httpTimeoutzID tokenzverify_id_token()z| ddkr>d| dikr>d|j|j} n d|j} n| sz| ddkrzd|j| d| } n||jkrd|j|j|| | } nx|| krd|j| || | } nX|d kst|tsd|j| } n2|sd|j| } nt|dkrd|j| } | r&|| z:| r4|}ntjjj|||j|j|d}|d |d<|WStjjjk r}ztt||dW5d }~XYnVtk r}z6d t|kr|jt||d|jt||dW5d }~XYnXd S)!z5Verifies the signature and data for the provided JWT.rqz:Illegal {0} provided: {1}. {0} must be a non-empty string.aFailed to ascertain project ID from the credential or the environment. Project ID is required to call {0}. Initialize the app with a credentials.Certificate or set your Firebase project ID as an app option. Alternatively set the GOOGLE_CLOUD_PROJECT environment variable.r<zKIllegal clock_skew_seconds value: {0}. Must be between 0 and 60, inclusive.rrrzlMake sure the {0} comes from the same Firebase project as the service account used to authenticate this SDK.z+See {0} for details on how to retrieve {1}.Nz.{0} expects {1}, but was given a custom token.kidr+ZHS256vrZdz5{0} expects {1}, but was given a legacy custom token.z Firebase {0} has no "kid" claim.rzIFirebase {0} has incorrect algorithm. Expected "RS256" but got "{1}". {2}zXFirebase {0} has incorrect "aud" (audience) claim. Expected "{1}" but got "{2}". {3} {4}zVFirebase {0} has incorrect "iss" (issuer) claim. Expected "{1}" but got "{2}". {3} {4}z.Firebase {0} has no "sub" (subject) claim. {1}z;Firebase {0} has an empty string "sub" (subject) claim. {1}rYzHFirebase {0} has a "sub" (subject) claim longer than 128 characters. {1})r0audienceZ certs_urlZclock_skew_in_secondscausez Token expired)rIrcrhrurQr@rrAr_decode_unverifiedrNrrDrrGrfrrarrJrKr}Z verify_tokenrrirrjCertificateFetchErrorr)rtokenr0rr\rnrrsubjectZexpected_issuerZproject_id_match_msgZverify_id_token_msgZemulatedrlZverified_claimsrWrrrr<s         z_JWTVerifier.verifyc Cs\z"t|}tj|dd}||fWStk rV}z|jt||dW5d}~XYnXdS)NF)rr)r decode_headerrSrQrrc)rrr\rnrWrrrrs   z_JWTVerifier._decode_unverifiedN)r)r"r#r$r6rrrrrrrr+s `rc@seZdZdZddZdS)rkz7Unexpected error while signing a Firebase custom token.cCstj|||dSrr UnknownErrorrrr rrrrrszTokenSignError.__init__Nr"r#r$r6rrrrrrksrkc@seZdZdZddZdS)rzHFailed to fetch some public key certificates required to verify a token.cCstj|||dSrrrrrrrszCertificateFetchError.__init__Nrrrrrrsrc@seZdZdZddZdS)rz!The provided ID token is expired.cCstj|||dSrrrrrrrrrszExpiredIdTokenError.__init__Nrrrrrrsrc@seZdZdZddZdS)RevokedIdTokenErrorz'The provided ID token has been revoked.cCstj||dSrrrrrrrszRevokedIdTokenError.__init__Nrrrrrrsrc@seZdZdZdddZdS)rz;The provided string is not a valid Firebase session cookie.NcCstj|||dSr)rInvalidArgumentErrorrrrrrrsz"InvalidSessionCookieError.__init__)Nrrrrrrsrc@seZdZdZddZdS)rz'The provided session cookie is expired.cCst|||dSrrrrrrrrsz"ExpiredSessionCookieError.__init__Nrrrrrrsrc@seZdZdZddZdS)RevokedSessionCookieErrorz-The provided session cookie has been revoked.cCst||dSrrrrrrrsz"RevokedSessionCookieError.__init__Nrrrrrrsr)7r6rvrerr=Z google.authrrrrZgoogle.auth.exceptionsrJZgoogle.oauth2.id_tokenZgoogle.oauth2.service_accountZfirebase_adminrrrrrrrrdrwrxrzr{rgrfr^r`rOr7r4r3riZcryptr/rr%r:r>rrrrrkrrrrrrrrrrrrst        " z