o RDi@sddlmZddlZddlZddlmZmZejrddlm Z ddl m Z ddl m Z mZmZdd lmZmZeGd d d eZGd d d eZdS)) annotationsN)Enumunique)SnowflakeConnection)WORKLOAD_IDENTITY_AUTHENTICATOR)AttestationProviderWorkloadIdentityAttestationcreate_attestation) AuthByPluginAuthTypec@s.eZdZdZdZdZdZdZed d d Z d S) ApiFederatedAuthenticationTypez4An API-specific enum of the WIF authentication type.AWSAZUREGCPOIDC attestationr returncCsZ|jtjkr tjS|jtjkrtjS|jtjkrtjS|jtjkr$tjStd|jd)aMaps the internal / driver-specific attestation providers to API authenticator types. The AttestationProvider is related to how the driver fetches the credential, while the API authenticator type is related to how the credential is verified. In most current cases these may be the same, though in the future we could have, for example, multiple AttestationProviders that all fetch an OIDC ID token. zUnknown attestation provider '')providerrrrrrr ValueErrorrrc/var/www/Datamplify/venv/lib/python3.10/site-packages/snowflake/connector/auth/workload_identity.pyfrom_attestations    z/ApiFederatedAuthenticationType.from_attestationN)rr rr) __name__ __module__ __qualname____doc__rrrr staticmethodrrrrrrsrcsneZdZdZdddddd$fd dZd%ddZd&ddZd'ddZd(ddZd)dd Z e d*d"d#Z Z S)+AuthByWorkloadIdentityz-Plugin to authenticate via workload identity.N)rtokenentra_resourceimpersonation_pathrAttestationProvider | Noner" str | Noner#r$list[str] | NonerNonec s4tjdi|||_||_||_||_d|_dS)Nr)super__init__rr"r#r$r)selfrr"r#r$kwargs __class__rrr*4s   zAuthByWorkloadIdentity.__init__r cCstjSN)r WORKLOAD_IDENTITYr+rrrtype_EszAuthByWorkloadIdentity.type_cCs d|_dSr/rr1rrr reset_secretsHs z$AuthByWorkloadIdentity.reset_secretsbodydict[typing.Any, typing.Any]cCsTt|dd<t|jj|dd<|jj|dd<t|jpg|ddid<dS)Ndata AUTHENTICATORPROVIDERTOKENCLIENT_ENVIRONMENT+WORKLOAD_IDENTITY_IMPERSONATION_PATH_LENGTH) rrrrvalue credentiallenr$ setdefault)r+r4rrr update_bodyKs   z"AuthByWorkloadIdentity.update_bodyconnSnowflakeConnection | Noner, typing.AnycKs2t|j|j|j|j|r|jjddndd|_dS)zFetch the token.r) max_retriesN)session_manager)r rr#r"r$_session_managercloner)r+rAr,rrrprepareUs zAuthByWorkloadIdentity.preparedict[str, bool]cKsddiS)zThis is only relevant for AuthByIdToken, which uses a web-browser based flow. All other auth plugins just call authenticate() again.successFr)r+r,rrrreauthenticatecsz%AuthByWorkloadIdentity.reauthenticatestrcCs0|jsdS|jj}|jjj|d<tj|dddS)zKReturns the CSP provider name and an identifier. Used for logging purposes. _providerT),:) sort_keys separators)ruser_identifier_componentsrr<jsondumps)r+ propertiesrrrassertion_contentgs z(AuthByWorkloadIdentity.assertion_content) rr%r"r&r#r&r$r'rr()rr )rr()r4r5rr()rArBr,rCrr()r,rCrrI)rrL) rrrrr*r2r3r@rHrKpropertyrW __classcell__rrr-rr!1s    r!) __future__rrTtypingenumrr TYPE_CHECKINGsnowflake.connector.connectionrnetworkrwif_utilrr r by_pluginr r rr!rrrrs