ɯeiCFddlmZddlZddlZddlZddlmZddlmZddl m Z m Z ddl Z ddl mZmZmZerBej"j$Zej&j(Zej*j,ZddlmZmZdd lmZmZdd lmZmZej@e!Z"d Z#d Z$d Z%e Gdde Z&eGddZ'ddZ(ddZ)d dZ*d!d"dZ+ d! d#dZ,d$dZ- d%dZ.d$dZ/ d! d&dZ0 d! d'dZ1d(dZ2 d) d*dZ3y)+) annotationsN) b64encode) dataclass)Enumunique)boto3botocoreinstalled_boto)ER_INVALID_WIF_SETTINGSER_WIF_CREDENTIALS_NOT_FOUND)MissingDependencyErrorProgrammingError)SessionManagerSessionManagerFactoryzsnowflakecomputing.comz*api://fd3f753b-eed3-462c-b6a7-a4b5bb650aadzKhttp://169.254.169.254/computeMetadata/v1/instance/service-accounts/defaultcLeZdZdZdZ dZ dZ dZ ed dZ ed dZ y) AttestationProviderz>A WIF provider implementation that can produce an attestation.AWSAZUREGCPOIDCc  t|jS#t$r9td|ddj tj t wxYw)zHConverts a string to a strongly-typed enum value of AttestationProvider.%Unknown workload_identity_provider: 'z'. Expected one of: z, msgerrno)rupperKeyErrorrjoinall_string_valuesr providers ^/var/www/html/glpi_dashboard/venv/lib/python3.12/site-packages/snowflake/connector/wif_util.py from_stringzAttestationProvider.from_string,sw &x~~'78 8 ";H:EYZ^ZcZcdweJeJeL[MZNO-  s AAcHtDcgc]}|jc}Scc}w)zDReturns a list of all string values of the AttestationProvider enum.)rvaluer!s r#r z%AttestationProvider.all_string_values7s0CC8CCCsN)r"strreturnr)r( list[str]) __name__ __module__ __qualname____doc__rrrr staticmethodr$r r#rrsMH Cu E[ CY D3DDr0rc,eZdZUded<ded<ded<y)WorkloadIdentityAttestationrr"r' credentialdictuser_identifier_componentsN)r*r+r,__annotations__r/r0r#r2r2=s!!O $$r0r2c tj|ddi}d|vrd|vstd t |d|dfS#tj$r}td|td}~wwxYw) aExtracts the 'iss' and 'sub' claims from the given JWT, without verifying the signature. Note: the real token verification (including signature verification) happens on the Snowflake side. The driver doesn't have the keys to verify these JWTs, and in any case that's not where the security boundary is drawn. We only decode the JWT here to get some basic claims, which will be used for a) a quick smoke test to ensure the token is well-formed, and b) to find the unique user being asserted and populate assertion_content. The latter may be used for logging and possibly caching. Any errors during token parsing will be bubbled up. Missing 'iss' or 'sub' claims will also raise an error. verify_signatureF)optionszInvalid JWT token: rNisssubz'Token is missing 'iss' or 'sub' claims.)jwtdecodeInvalidTokenErrorrr r )jwt_strclaimses r#2extract_iss_and_sub_without_signature_verificationrBDs G.@%-HI VO9.  %=&- ''   %aS))   s>A*A%%A*ctjjdxstjjd}|stj }|st dt |S)zJGet the current AWS workload's region, or raises an error if it's missing. AWS_REGIONAWS_DEFAULT_REGIONzBNo AWS region was found. Ensure the application is running on AWS.r)osenvirongetInstanceMetadataRegionFetcherretrieve_regionrr )regions r#get_aws_regionrLas\ZZ^^L ) QRZZ^^>%(44)F5 '--''#M2"'(9":#N3(    Nr0cntstdtt|}|j }|st dtt }|j|}t||}tdd|d|td}t|d |j||j|jt|j j#d }t%t'j(|j+d j-d }t/t0j2|||d S) zTries to create a workload identity attestation for AWS. If the application isn't running on AWS or no credentials were found, raises an error. zAWS Workload Identity Federation can't be used because boto3 or botocore optional dependency is not installed. Try installing missing dependencies.rzbNo AWS credentials were found. Ensure the application is running on AWS with an IAM role attached.POSTzhttps://z-/?Action=GetCallerIdentity&Version=2011-06-15)HostzX-Snowflake-AudiencemethodurlheadersrT)rlrkrmutf-8rP)r rr rfget_credentialsrrLget_partition_for_regionrR AWSRequestSNOWFLAKE_AUDIENCE SigV4Authadd_authrlrkr4rmitemsrjsondumpsencoder=r2rr) rbr^ aws_credsrKrQ sts_hostnamerequestassertion_dictr3s r#create_aws_attestationr}s* $f.  01G'')I t.   F008I' :L|n$Q R $6 Gi'009{{..--/0N 4::n5<rs"  ! 44 ''I$$//J$,NN$P$P!L<B   8 $-#O Q& D$DD: %% % (:&" J,,0.(. .b ,# !# 4B# # L 0,0#(!..2:!:*:!:z&"&+/-1  !    )  +  !  r0