o ni2@sddlmZddlZddlZddlmZmZmZmZddl m Z ddl m Z m Z ddlZddlmZmZmZddlmZd Zd Zd Zd d dZGdddeZGdddeZ d1d2ddZ d3dddddddd4d(d)Z *d5ddd+d6d-d.ZGd/d0d0ZdS)7) annotationsN)AnyCallable TypedDictcast)Path)Literal NotRequired) OAuthError OpenAIErrorSubjectTokenProviderError) to_threadz/urn:ietf:params:oauth:grant-type:token-exchangez#https://auth.openai.com/oauth/tokeniz$urn:ietf:params:oauth:token-type:jwtz)urn:ietf:params:oauth:token-type:id_token)jwtidc@seZdZUded<ded<dS)SubjectTokenProviderzLiteral['jwt', 'id'] token_typezCallable[[], str] get_tokenN)__name__ __module__ __qualname____annotations__rrU/var/www/html/arapca_proje/venv/lib/python3.10/site-packages/openai/auth/_workload.pyrs  rc@sBeZdZUdZded< ded< ded< ded< ded <d S) WorkloadIdentityz+A unique string that identifies the client.str client_ididentity_provider_idservice_account_idrproviderzNotRequired[float]refresh_buffer_secondsN)rrr__doc__rrrrrrs  r3/var/run/secrets/kubernetes.io/serviceaccount/tokentoken_file_path str | Pathreturncsdfdd }d|dS) aK Get a subject token provider for Kubernetes clusters with Workload Identity configured. Cloud providers typically mount the subject token as a file in the container. Args: token_file_path: path to the mounted service account token file. Defaults to `/var/run/secrets/kubernetes.io/serviceaccount/token`. r%rc sz+td}|}|stdd|WdWS1s$wYWdStyB}z tdd||d}~ww)NrzThe token file at z is empty.z!Failed to read the token file at z: )openreadstripr Exception)ftokener#rrr;s  (z5k8s_service_account_token_provider..get_tokenrrrNr%rr)r#rrr.r"k8s_service_account_token_provider/s r1https://management.azure.com/z 2018-02-01$@) object_idr msi_res_id api_versiontimeout http_clientresourcerr4 str | Nonerr5r6r7floatr8httpx.Client | Nonecs$dfdd }d|dS) a Get a subject token provider for Azure Managed Identities. See: https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/how-to-use-vm-token#get-a-token-using-http Args: resource: the resource URI to request a token for. Defaults to `https://management.azure.com/` (Azure Resource Manager). object_id: the object ID of the managed identity to use, when multiple are assigned. client_id: the client ID of the managed identity to use, when multiple are assigned. msi_res_id: the ARM resource ID of the managed identity to use, when multiple are assigned. api_version: the Azure IMDS API version. Defaults to `2018-02-01`. timeout: the request timeout in seconds. Defaults to 10.0. http_client: optional httpx.Client instance to use for requests. If not provided, a new client will be created for each request. r%rc szrd}d}dur|d<dur|d<dur |d<dur0j||ddid}nt}|j||ddid}Wdn1sJwY|jr\td |j|d |}|d }|smtd |d tt|WSt y}ztd ||d}~ww)Nz5http://169.254.169.254/metadata/identity/oauth2/token)z api-versionr9r4rr5Metadatatrueparamsheadersr7z4Failed to fetch Azure subject token from IMDS: HTTP response access_tokenz3Azure IMDS response did not include an access_tokenz/Failed to fetch Azure subject token from IMDS: ) gethttpxClientis_errorr status_codejsonrrr*)urlr@rCclientdatar,r-r6rr8r5r4r9r7rrras<     z8azure_managed_identity_token_provider..get_tokenrr/Nr0r)r9r4rr5r6r7r8rrrNr%azure_managed_identity_token_providerHs rOhttps://api.openai.com/v1)r7r8audiencecsdfdd }d|dS) a5 Get a subject token provider for GCP VM instances using the instance metadata server. See: https://cloud.google.com/compute/docs/instances/verifying-instance-identity Args: audience: the unique URI agreed upon by both the instance and the system verifying the instance's identity. Defaults to `https://api.openai.com/v1`. timeout: the request timeout in seconds. Defaults to 10.0. http_client: optional httpx.Client instance to use for requests. If not provided, a new client will be created for each request. r%rc szRd}di}durj||ddid}nt}|j||ddid}Wdn1s1wY|jrCtd|j|d|j}|sPtd|d|WStyf}ztd ||d}~ww) Nz]http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identityrQzMetadata-FlavorGoogler?z=Failed to fetch GCP subject token from metadata server: HTTP rBz+GCP metadata server returned an empty tokenz8Failed to fetch GCP subject token from metadata server: ) rErFrGrHr rItextr)r*)rKr@rCrLr,r-rQr8r7rrrs*    z(gcp_id_token_provider..get_tokenrr/Nr0r)rQr7r8rrrTrgcp_id_token_providers rUc@seZdZedd'ddZd(d d Zd(d d Zd)ddZd)ddZd*ddZ d+ddZ d(ddZ d,ddZ d,ddZ d,d d!Zd-d$d%Zd&S).WorkloadIdentityAuth)token_exchange_urlworkload_identityrrWrcCs@||_||_d|_d|_d|_d|_t|_t |j|_ dSNF) rXrW _cached_token"_cached_token_expires_at_monotonic"_cached_token_refresh_at_monotonic _refreshing threadingLock_lock Condition _condition)selfrXrWrrr__init__s zWorkloadIdentityAuth.__init__r%cCs|jX|jr|r|j|jr|s |s,|s,tt|jWdS|jrQ|jr:|j|js2|j}|rEt dtt|WdSd|_Wdn1s^wYz`| |j2|rtt dtt|jWdW|jd|_|j WdS1swYS1swYW|jd|_|j WddS1swYdS|jd|_|j Wdw1swYw)Nz)Token is unusable after refresh completedTF) r`r]_token_unusablerbwait_needs_refreshrrrZ RuntimeError_perform_refresh notify_all)rcr,rrrrsJ      * zWorkloadIdentityAuth.get_tokencst|jIdHSN)rrrcrrrget_token_asyncsz$WorkloadIdentityAuth.get_token_asyncNonecCs>|jd|_d|_d|_WddS1swYdSrk)r`rZr[r\rlrrrinvalidate_tokens "z%WorkloadIdentityAuth.invalidate_tokencCsh|}t}|d}|j|d|_|||_||||_WddS1s-wYdS)N expires_inrD)_fetch_token_from_exchangetime monotonicr`rZr[_refresh_delay_secondsr\)rc token_datanowrprrrris  "z%WorkloadIdentityAuth._perform_refreshdict[str, Any]c Cs|}|jdd}t|}|dur#td|ddtt&}|j |j t |jd|||jd|jdd d d }| |WdS1sPwYdS) NrrzUnsupported token type: z. Supported types: z, rrr) grant_typer subject_tokensubject_token_typerrr3)rJr7) _get_subject_tokenrXSUBJECT_TOKEN_TYPESrEr joinkeysrFrGpostrWTOKEN_EXCHANGE_GRANT_TYPE_handle_token_response)rcryrrzrLrCrrrrqs*   $z/WorkloadIdentityAuth._fetch_token_from_exchangerChttpx.ResponsecCsz |jr|nd}Wn tyd}Ynw|jdvr"t||d|jrT|dur-td|d}|d}t|t r>|sBtdt|t t fsMtd|t |dStd |j) N)iii)rCbodyz4Token exchange succeeded but response body was emptyrDrpzThe workload identity provider returned an empty subject token)rXr )rcrryrrrr{"s  z'WorkloadIdentityAuth._get_subject_tokenboolcCs|jdup|Srk)rZ_token_expiredrlrrrre)sz$WorkloadIdentityAuth._token_unusablecC|jdurdSt|jkS)NT)r[rrrsrlrrrr, z#WorkloadIdentityAuth._token_expiredcCrrY)r\rrrsrlrrrrg1rz#WorkloadIdentityAuth._needs_refreshrpr;cCs*|jdt}t||d}t||dS)Nr r g)rXrEDEFAULT_REFRESH_BUFFER_SECONDSminmax)rcrpconfigured_buffereffective_bufferrrrrt6sz+WorkloadIdentityAuth._refresh_delay_secondsN)rXrrWrr0)r%rn)r%rw)rCrr%rw)r%r)rpr;r%r;)rrrDEFAULT_TOKEN_EXCHANGE_URLrdrrmrorirqrr{rerrgrtrrrrrVs         rV)r")r#r$r%r)r2)r9rr4r:rr:r5r:r6rr7r;r8r<r%r)rP)rQrr7r;r8r<r%r) __future__rrrr^typingrrrrpathlibrtyping_extensionsrr rF _exceptionsr r r _utils._syncrrrrr|rrr1rOrUrVrrrrsD    =,