o RDiAA@s4ddlmZddlZddlZddlZddlZddlmZm Z ddl m Z m Z ddl mZmZddlmZmZmZmZddlmZmZdd lmZdd lmZdd lmZdd lmZm Z m!Z!dd l"m#Z#ddl$m%Z%m&Z&ddl'm(Z(ddl)m*Z*m+Z+e rddl,m-Z-e.e/Z0GdddZ1Gddde*e1eZ2dS)) annotationsN)ABCabstractmethod) TYPE_CHECKINGAny) HTTPErrorURLError)ER_FAILED_TO_REQUESTER_IDP_CONNECTION_ERRORER_NO_CLIENT_IDER_NO_CLIENT_SECRET)ErrorProgrammingError)OAUTH_AUTHENTICATOR) get_proxy_url)SecretDetector) TokenCacheTokenKey TokenType)urllib3)get_environ_proxies select_proxy) ProxyManager) AuthByPluginAuthType)SnowflakeConnectionc@seZdZdZd(d d Zd)d dZd*ddZd*ddZd+ddZd,ddZ d,ddZ d-ddZ d.d/d!d"Z d.d0d$d%Z d1d&d'ZdS)2_OAuthTokensMixina]Manages OAuth token caching to avoid repeated browser authentication flows. Access tokens: Short-lived (typically 10 minutes), cached to avoid immediate re-auth. Refresh tokens: Long-lived (hours/days), used to obtain new access tokens silently. Tokens are cached per (user, IDP host) to support multiple OAuth providers/accounts. token_cacheTokenCache | Nonerefresh_token_enabledboolidp_hoststrreturnNonecCsRd|_||_|jr d|_||_|jr%td||_d|_|jr'd|_dSdSdS)Nz)token cache is going to be used if needed) _access_token_refresh_token_enabled_refresh_token _token_cacheloggerdebug _idp_host_access_token_key_refresh_token_key)selfrr!r#r1]/var/www/Datamplify/venv/lib/python3.10/site-packages/snowflake/connector/auth/_oauth_base.py__init__.s  z_OAuthTokensMixin.__init__usercCs|jr||_dSdSN)r*_user)r0r4r1r1r2_update_cache_keys@s z$_OAuthTokensMixin._update_cache_keysTokenKey | NonecCs"|jr|jrt|j|jtjSdSr5)r*r6rr-rOAUTH_ACCESS_TOKENr0r1r1r2_get_access_token_cache_keyDsz-_OAuthTokensMixin._get_access_token_cache_keycCs(|jr|jr|jrt|j|jtjSdSr5)r(r*r6rr-rOAUTH_REFRESH_TOKENr:r1r1r2_get_refresh_token_cache_keyKsz._OAuthTokensMixin._get_refresh_token_cache_keykey str | NonecCs"|jdus |dur dS|j|Sr5)r*retrieve)r0r>r1r1r2_pop_cached_tokenRs z#_OAuthTokensMixin._pop_cached_tokencCs|||_|jduS)zRetrieves OAuth access token from the token cache if enabled, available and still valid. Returns True if cached token found, allowing authentication to skip OAuth flow. N)rAr;r'r:r1r1r2_pop_cached_access_tokenWs z*_OAuthTokensMixin._pop_cached_access_tokencCs$|jr|||_|jduSdS)zRetrieves OAuth refresh token from the token cache (if enabled) to silently obtain new access token. Returns True if refresh token found, enabling automatic token renewal without user interaction. NF)r(rAr=r)r:r1r1r2_pop_cached_refresh_token_s  z+_OAuthTokensMixin._pop_cached_refresh_tokentokencCs<|jdus |dur dS|r|j||dS|j|dSr5)r*storeremove)r0r>rDr1r1r2_reset_cached_tokenks z%_OAuthTokensMixin._reset_cached_tokenN access_tokencCs8td|r dt|nd||_|||jdS)zKUpdates OAuth access token both in memory and in the token cache if enabledzresetting access token to %s*N)r+r,lenr'rGr;)r0rHr1r1r2_reset_access_tokenss z%_OAuthTokensMixin._reset_access_token refresh_tokencCsB|jrtd|rdt|nd||_|||jdSdS)zNUpdates OAuth refresh token both in memory and in the token cache if necessaryzresetting refresh token to %srIN)r(r+r,rJr)rGr=)r0rLr1r1r2_reset_refresh_token|s z&_OAuthTokensMixin._reset_refresh_tokencCs&d|_|jr d|_|jrd|_dSdSr5)r'r(r)r*r6r:r1r1r2_reset_temporary_states  z(_OAuthTokensMixin._reset_temporary_state)rr r!r"r#r$r%r&)r4r$r%r&)r%r8)r>r8r%r?)r%r")r>r8rDr?r%r&r5)rHr?r%r&)rLr?r%r&r%r&)__name__ __module__ __qualname____doc__r3r7r;r=rArBrCrGrKrMrNr1r1r1r2r%s          rcseZdZdZd@fd d ZedAddZedBddZdCddZe dDd!d"Z e dBd#d$Z e dEd'd(Z dFd*d+ZdGd,d-ZdHd0d1ZdId2d3ZdJd5d6ZdKd9d:ZdLd;d<Ze dMd>d?ZZS)NAuthByOAuthBasez.A base abstract class for OAuth authenticators client_idr$ client_secrettoken_request_urlscoperr r!r"r%r&c sxtjdi|tj|||tj|jd||_||_||_ ||_ |r:t d|j |j r2dndd7_ dSdS)N)rr!r#z1oauth refresh token is going to be used if needed offline_accessr1) superr3rurllibparseurlparsehostname _client_id_client_secret_token_request_url_scoper+r,)r0rUrVrWrXrr!kwargs __class__r1r2r3s    zAuthByOAuthBase.__init__connr authenticator service_namer?accountr4passwordrer(str | None, str | None)cKt)zRequest new access and optionally refresh tokens from IdP. This function should implement specific tokens querying flow. NotImplementedError)r0rhrirjrkr4rlrer1r1r2_request_tokensszAuthByOAuthBase._request_tokenscCrn)zGet OAuth specific authenticator id to be passed to Snowflake. This function should return a unique OAuth authenticator id. ror:r1r1r2_get_oauth_type_idsz"AuthByOAuthBase._get_oauth_type_idcCstd|dS)Nzresetting secrets)r+r,rNr:r1r1r2 reset_secretss  zAuthByOAuthBase.reset_secretsrcCstjSr5)rOAUTHr:r1r1r2type_szAuthByOAuthBase.type_cCs |jpdS)zReturns the token.rZ)r'r:r1r1r2assertion_contents z!AuthByOAuthBase.assertion_content connectiontuple[str, str]cCsT|dus|dkrt|dtdtd|dus|dkr&t|dtdtd||fS)NrZz0Oauth code flow requirement 'client_id' is empty)msgerrnoz4Oauth code flow requirement 'client_secret' is empty)rerrorhandler_wrapperrr r )rUrVrwr1r1r2$_validate_client_credentials_presents&  z4AuthByOAuthBase._validate_client_credentials_presentdict[str, bool]cKs8||rtd|j|d||ddiS)NzJOAuth refresh token is available, try to use it and get a new access token)rhsuccessT)rKrCr+r,_do_refresh_tokenauthenticate_with_retry)r0rhrer1r1r2reauthenticates  zAuthByOAuthBase.reauthenticatec Ksdtd|j|d|rtddS|jd|||||d|\}}||||dS)z!Web Browser based Authentication.z1authenticating with OAuth authorization code flow)r4zJOAuth access token is already available in cache, no need to authenticate.N)rhrirjrkr4r1)r+r,r7rBinforqrKrM) r0rhrirjrkr4rerHrLr1r1r2prepares$  zAuthByOAuthBase.preparebodydict[Any, Any]cCsJt|dd<|j|dd<d|dvri|dd<||ddd<dS)zUsed by Auth to update the request that gets sent to /v1/login-request. Args: body: existing request dictionary data AUTHENTICATORTOKENCLIENT_ENVIRONMENT OAUTH_TYPEN)rr'rr)r0rr1r1r2 update_bodys   zAuthByOAuthBase.update_bodyc Cs|js tddS||}|std|dSz t|j }| |dd|vr:||dWdSWdStj t fy^t dtdtt|j|YdSw)zIf a refresh token is available exchanges it with a new access token. Updates self as a side-effect. Needs at lest self._refresh_token and client_id set. z!refresh_token feature is disabledNz@failed to exchange the refresh token on a new OAuth access tokenrHrLz>refresh token exchange response did not contain 'access_token'zFreceived the following response body when exchanging refresh token: %s)r(r+r,_get_refresh_token_responserrMjsonloadsrdecoderKJSONDecodeErrorKeyErrorerrorr mask_secretsr$)r0rhresp json_respr1r1r2r&s:   z!AuthByOAuthBase._do_refresh_tokenurllib3.BaseHTTPResponse | Nonec Csd|jd}|jr|j|d<z |||j}|rt|dnt}|jd|jd||dWSt yW}z|j |t d|j d |j d |jd d WYd}~dSd}~wtyw}z|j |t d |jd d WYd}~dSd}~wty|j |t dd d YdSw)NrL) grant_typerLrX proxy_urlPOSTF)encode_multipartheadersfieldszCFailed to request new OAuth access token with a refresh token, url=z, code=z , reason=codemessagerhretzGFailed to request new OAuth access token with a refresh token, reason: zOFailed to request new OAuth access token with a refresh token by unknown reason)r)rd_resolve_proxy_urlrcrr PoolManagerrequest_encode_body_create_token_request_headersr_handle_failurer urlrreasonr Exception)r0rhrr http_clienter1r1r2rHsf    z+AuthByOAuthBase._get_refresh_token_responserdict[str, str]c Cs|||j}|rt|dnt}|jd|j|d|d}ztdt |j }|d}| d}||fWSt j tfy`tdtd tt|j |j|td d d Yd Sw)NrrF)rrrz,OAuth IdP response received, try to parse itrHrLz7oauth response invalid, does not contain 'access_token'zDreceived the following response body when requesting oauth token: %szLInvalid HTTP request from web browser. Idp authentication could have failed.rr)NN)rrcrrrrrr+r,rrrgetrrrrrr$rr ) r0rwrrrrrrHrLr1r1r2_get_request_token_response{sB     z+AuthByOAuthBase._get_request_token_responsecCs,dt|jd|jdddS)NzBasic :zapplication/jsonz0application/x-www-form-urlencoded; charset=UTF-8) AuthorizationAcceptz Content-Type)base64 b64encoderarbencoderr:r1r1r2rsz-AuthByOAuthBase._create_token_request_headers request_urlcCs0t|j|j|j|j}|r|St|}t||S)zIResolve proxy URL from explicit config first, then environment variables.)r proxy_host proxy_port proxy_userproxy_passwordrr)rwrrproxiesr1r1r2rs z"AuthByOAuthBase._resolve_proxy_url)rUr$rVr$rWr$rXr$rr r!r"r%r&)rhrrir$rjr?rkr$r4r$rlr?rerr%rm)r%r$rO)r%r)rUr$rVr$rwrr%rx)rhrrerr%r})rhrrir$rjr?rkr$r4r$rerr%r&)rrr%r&)rhrr%r&)rhrr%r)rwrrrr%rm)r%r)rwrrr$r%r?)rPrQrRrSr3rrqrrrspropertyrurv staticmethodr|rrrrrrrr __classcell__r1r1rfr2rTs.          " 3 * rT)3 __future__rrrlogging urllib.parser]abcrrtypingrr urllib.errorrr errorcoder r r r errorsrrnetworkrproxyrsecret_detectorrrrrrvendoredrvendored.requests.utilsrrvendored.urllib3.poolmanagerr by_pluginrrrZr getLoggerrPr+rrTr1r1r1r2s.        k