i2"ddlmZddlZddlZddlmZmZmZmZddl m Z ddl m Z m Z ddlZddlmZmZmZddlmZd Zd Zd Zd d dZGddeZGddeZ d.d/dZ d0dddddddd1d'Z d2ddd)d3d+ZGd,d-ZdS)4) annotationsN)AnyCallable TypedDictcast)Path)Literal NotRequired) OAuthError OpenAIErrorSubjectTokenProviderError) to_threadz/urn:ietf:params:oauth:grant-type:token-exchangez#https://auth.openai.com/oauth/tokeniz$urn:ietf:params:oauth:token-type:jwtz)urn:ietf:params:oauth:token-type:id_token)jwtidc$eZdZUded<ded<dS)SubjectTokenProviderzLiteral['jwt', 'id'] token_typezCallable[[], str] get_tokenN)__name__ __module__ __qualname____annotations__\/home/ubuntu/.hermes/hermes-agent/venv/lib/python3.11/site-packages/openai/auth/_workload.pyrrs*$$$$      rrcNeZdZUdZded< ded< ded< ded< ded <d S) WorkloadIdentityz+A unique string that identifies the client.str client_ididentity_provider_idservice_account_idrproviderzNotRequired[float]refresh_buffer_secondsN)rrr__doc__rrrrrrs]55NNN2GE""""......rr3/var/run/secrets/kubernetes.io/serviceaccount/tokentoken_file_path str | Pathreturncdfd }d|dS)aK Get a subject token provider for Kubernetes clusters with Workload Identity configured. Cloud providers typically mount the subject token as a file in the container. Args: token_file_path: path to the mounted service account token file. Defaults to `/var/run/secrets/kubernetes.io/serviceaccount/token`. r)rc$ td5}|}|stdd|cdddS#1swxYwYdS#t$r}tdd||d}~wwxYw)NrzThe token file at z is empty.z!Failed to read the token file at z: )openreadstripr Exception)ftokener's rrz5k8s_service_account_token_provider..get_token;s oos++ q((f34d4d4d4deee                     o o o+,fP_,f,fcd,f,fggmn n os:A*=A A*A!!A*$A!%A** B4B  Brrrr)rr)r'rs` r"k8s_service_account_token_providerr6/s7oooooo i 8 88rhttps://management.azure.com/z 2018-02-01$@) object_idr msi_res_id api_versiontimeout http_clientresourcerr9 str | Noner r:r;r<floatr=httpx.Client | Nonec2dfd }d|dS)a Get a subject token provider for Azure Managed Identities. See: https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/how-to-use-vm-token#get-a-token-using-http Args: resource: the resource URI to request a token for. Defaults to `https://management.azure.com/` (Azure Resource Manager). object_id: the object ID of the managed identity to use, when multiple are assigned. client_id: the client ID of the managed identity to use, when multiple are assigned. msi_res_id: the ARM resource ID of the managed identity to use, when multiple are assigned. api_version: the Azure IMDS API version. Defaults to `2018-02-01`. timeout: the request timeout in seconds. Defaults to 10.0. http_client: optional httpx.Client instance to use for requests. If not provided, a new client will be created for each request. r)rc2 d} d}  |d<|d<  |d<  ||ddi }nFtj5}|||ddi }dddn #1swxYwY|jrt d |j| |}|d }|st d | tt|S#t$r}t d ||d}~wwxYw)Nz5http://169.254.169.254/metadata/identity/oauth2/token)z api-versionr>r9r r:Metadatatrueparamsheadersr<z4Failed to fetch Azure subject token from IMDS: HTTP response access_tokenz3Azure IMDS response did not include an access_tokenz/Failed to fetch Azure subject token from IMDS: ) gethttpxClientis_errorr status_codejsonrrr0)urlrGrJclientdatar2r3r;r r=r:r9r>r<s rrz8azure_managed_identity_token_provider..get_tokenas jIC5@h%W%WF$&/{#$&/{#%'1|$&&??3v TZG[el?mm\^^mv%zz#fzSYFZdkzllHmmmmmmmmmmmmmmm  /a8K_aa%==??DHH^,,E /IT\U## # j j j+,a^_,a,abbhi i js=A C4A8, C48A<<C4?A<A3C44 D>DDrr4r5r)r>r9r r:r;r<r=rs``````` r%azure_managed_identity_token_providerrUHsb2jjjjjjjjjjjj@ i 8 88rhttps://api.openai.com/v1)r<r=audiencec"dfd }d|dS)a5 Get a subject token provider for GCP VM instances using the instance metadata server. See: https://cloud.google.com/compute/docs/instances/verifying-instance-identity Args: audience: the unique URI agreed upon by both the instance and the system verifying the instance's identity. Defaults to `https://api.openai.com/v1`. timeout: the request timeout in seconds. Defaults to 10.0. http_client: optional httpx.Client instance to use for requests. If not provided, a new client will be created for each request. r)rc d}di}||ddi}nFtj5}|||ddi}dddn #1swxYwY|jrt d|j||j}|st d||S#t$r}t d ||d}~wwxYw) Nz]http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identityrWzMetadata-FlavorGooglerFz=Failed to fetch GCP subject token from metadata server: HTTP rIz+GCP metadata server returned an empty tokenz8Failed to fetch GCP subject token from metadata server: ) rLrMrNrOrrPtextr/r0) rRrGrJrSr2r3rWr=r<s rrz(gcp_id_token_provider..get_tokens| sqC (+F&&??3vHY[cGdnu?vv\^^vv%zz#fGXZbFcmtzuuHvvvvvvvvvvvvvvv  /jT\Thjj%M''))E r/0]hpqqqqL s s s+,jgh,j,jkkqr r ss;7B;A" B;"A&&B;)A&*AB;; CCCrr4r5r)rWr<r=rs``` rgcp_id_token_providerr\sE$ssssssss.Y 7 77rcteZdZedddZddZdd Zdd Zdd ZddZ ddZ ddZ d dZ d dZ d dZd!dZdS)"WorkloadIdentityAuth)token_exchange_urlworkload_identityrr_rc||_||_d|_d|_d|_d|_t j|_t j |j|_ dSNF) r`r_ _cached_token"_cached_token_expires_at_monotonic"_cached_token_refresh_at_monotonic _refreshing threadingLock_lock Condition _condition)selfr`r_s r__init__zWorkloadIdentityAuth.__init__s[ "3"4)-@D/@D/!&^%% #-dj99rr)c|j5|jrH|r4|j|jr|4|s:|s&t t|jcdddS|jrr|jr |j|j |j}|rtdt t|cdddSd|_dddn #1swxYwY | |j5|rtdt t|jcddd|j5d|_|j dddS#1swxYwYS#1swxYwY |j5d|_|j ddddS#1swxYwYdS#|j5d|_|j dddw#1swxYwYwxYw)Nz)Token is unusable after refresh completedTF) rirf_token_unusablerkwait_needs_refreshrrrc RuntimeError_perform_refresh notify_all)rlr2s rrzWorkloadIdentityAuth.get_tokens Z $ $" 't';';'='= '$$&&&" 't';';'='= ''')) 5$2E2E2G2G 5C!344  $ $ $ $ $ $ $ $ (&+O((***&+*''))T&'RSSSC'' $ $ $ $ $ $ $ $ $D  $ $ $ $ $ $ $ $ $ $ $ $ $ $ $" -  ! ! # # # 5 5''))T&'RSSSC!344 5 5 5 5 5 5 5  - -#( **,,, - - - - - - - - - - - - - - - -  5 5 5 5 5 5 5 5 5  - -#( **,,, - - - - - - - - - - - - - - - - - - - -#( **,,, - - - - - - - - - - - - - - - -sBD2&A,D2D22D69D6>H0=G" H0)!GG G "G&&H0)G&*H05!H##H'*H'0I18!I% I1%I) )I1,I) -I1c:Kt|jd{VSN)rrrls rget_token_asyncz$WorkloadIdentityAuth.get_token_asyncs(t~.........rNonecp|j5d|_d|_d|_ddddS#1swxYwYdSrv)rircrdrerws rinvalidate_tokenz%WorkloadIdentityAuth.invalidate_tokens Z ; ;!%D 6:D 36:D 3 ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ;s +//c |}tj}|d}|j5|d|_||z|_|||z|_ddddS#1swxYwYdS)N expires_inrK)_fetch_token_from_exchangetime monotonicrircrd_refresh_delay_secondsre)rl token_datanowr}s rrsz%WorkloadIdentityAuth._perform_refreshs4466 n - Z d d!+N!;D 69J6FD 369DThe workload identity provider returned an empty subject token)r`r )rlr#rs rrz'WorkloadIdentityAuth._get_subject_token"s?)*5--//  `^__ _rboolc<|jdup|Srv)rc_token_expiredrws rroz$WorkloadIdentityAuth._token_unusable)s!!T)BT-@-@-B-BBrcL|jdStj|jkS)NT)rdrrrws rrz#WorkloadIdentityAuth._token_expired,s&  2 :4~4#JJJrcL|jdStj|jkSrb)rerrrws rrqz#WorkloadIdentityAuth._needs_refresh1s&  2 :5~4#JJJrr}r@c|jdt}t||dz }t ||z dS)Nr$r g)r`rLDEFAULT_REFRESH_BUFFER_SECONDSminmax)rlr}configured_buffereffective_buffers rrz+WorkloadIdentityAuth._refresh_delay_seconds6sH 2667OQopp0*q.AA: 00#666rN)r`rr_rr5)r)ry)r)r)rJrr)r)r)r)r}r@r)r@)rrrDEFAULT_TOKEN_EXCHANGE_URLrmrrxr{rsr~rrrorrqrrrrr^r^s# #= :::::: ----:////;;;; dddd99992    0CCCCKKKK KKKK 777777rr^)r&)r'r(r)r)r7)r>rr9r?r r?r:r?r;rr<r@r=rAr)r)rV)rWrr<r@r=rAr)r) __future__rrrgtypingrrrrpathlibrtyping_extensionsr r rM _exceptionsr r r _utils._syncrrrrrrrr6rUr\r^rrrrs"""""" 11111111111122222222 LLLLLLLLLL$$$$$$MB!% 2 5 !!!!!9!!! /////y///&#X999994499! !#'+999999999999z0)8'+ )8)8)8)8)8)8XI7I7I7I7I7I7I7I7I7I7r