fSrSSKrSSKJr SSKJr SSKrSSKJr Sr "SS\5r S r S r S r S rS rSrSrSrSrg)z,Utilities for Binary Authorization commands.N) docker_name)Error)urllibz/binaryauthorization.googleapis.com/attestationsc\rSrSrSrSrg)BadImageUrlErrorz@Raised when a container image URL cannot be parsed successfully.N)__name__ __module__ __qualname____firstlineno____doc____static_attributes__r 9lib/googlecloudsdk/command_lib/container/binauthz/util.pyrrsHrrcU=(d Sn[RRU5nUR(a)UR(d[ SR US95eUR(d.[RRSR U55nURUS9R5RS5$)ajReturns the passed `image_url` with the scheme replaced. Args: image_url: The URL to replace (or strip) the scheme from. (string) scheme: The scheme of the returned URL. If this is an empty string or `None`, the scheme is stripped and the leading `//` of the resulting URL will be stripped off. Raises: BadImageUrlError: `image_url` isn't valid. zMImage URL '{image_url}' is invalid because it does not have a host component.) image_urlz//{}scheme/) rparseurlparsernetlocrformat_replacegeturllstrip)rr parsed_urls rReplaceImageUrlSchemer "s     % % 1 sAA>. A99A>c[U5n[R"USSSSS9nSRU5R S5$)aCreates a JSON bytestring representing a signature object to sign. Args: container_image_url: See `containerregistry.client.docker_name.Digest` for artifact URL validation and parsing details. `container_image_url` must be a fully qualified image URL with a valid sha256 digest. Returns: A bytestring representing a JSON-encoded structure of nested dictionaries and strings. T),z: ) ensure_asciiindent separators sort_keysz{} utf-8)r0jsondumpsrencode)r, payload_dictpayloads rMakeSignaturePayloadr>bsJ**=>, JJ   ' w  & &w //rc[USS9n[R"U5 U$![Ran[ U5eSnAff=f)zEnsures the given URL has no scheme (e.g. replaces "https://gcr.io/foo/bar" with "gcr.io/foo/bar" and leaves "gcr.io/foo/bar" unchanged). Args: artifact_url: A URL string. Returns: The URL with the scheme removed. rrN)r rr&r'r) artifact_urlurl_without_schemer/s rRemoveArtifactUrlSchemerB~sR-\"E)*   % % 1 s$A AAc[USS9n[R"U5nUR $![Ran[ U5eSnAff=f)zReturns the digest of an image given its url. Args: artifact_url: An image url. e.g. "https://gcr.io/foo/bar@sha256:123" Returns: The image digest. e.g. "sha256:123" rrN)r rr&r'rr+)r@rAr+r/s rGetImageDigestrDsX-\"E   2 3F   % % 1 s.A A  Ac URS5nURS5nSRSS[U5-US[U5-U/5$)zPae encode input using the specified dsse type. Args: dsse_type: DSSE envelope type. body: payload string. Returns: Pae-encoded payload byte string. r8 sDSSEv1s%d)r;joinlen) dsse_typebodydsse_type_bytes body_bytess r PaeEncoderMsZ$$W-/{{7#*  c/"" c*o  rc LSSSS0SUVs/sHnSU0PM sn0S.nU$s snf)zCreates a minimal PodSpec from a list of images. Args: images: list of images being evaluated. Returns: PodSpec object in JSON form. v1Podnamer containersr$) apiVersionkindmetadataspecr )imagesr$rVs rGeneratePodSpecFromImagesrXsG " v>ve'5)v> $ + ?s! cUSRS05nUR[S5nU(aSRU/U-5U['OSRU5U['X SS'U$)aInlines attestations into a Kubernetes PodSpec. Args: pod_spec: The PodSpec provided by the user. attestations: List of attestations returned by the policy evaluator in comma separated DSSE form. Returns: Modified PodSpec with attestations inlined. rU annotationsNr3)get$_BINAUTHZ_ATTESTATION_ANNOTATION_KEYrG)pod_spec attestationsrZexisting_attestationss rAddInlineAttestationsToPodSpecr`s{$((;+%//*D8; ,.9K459<8NK45(3:}% /rc^USS:wa[USSU5USS'U$[X5$)aInlines attestations into a Kubernetes resource. Args: resource: The Kubernetes resource provided by the user. attestations: List of attestations returned by the policy evaluator in comma separated DSSE form. Returns: Modified Kubernetes resource with attestations inlined. rTrPrVtemplate)r`)resourcer^s rAddInlineAttestationsToResourcerdsFf#A$l$HVZ  O ' ??r)rr9containerregistry.clientrgooglecloudsdk.core.exceptionsrr( six.movesrr\rr r0r>rBrDrMrXr`rdr rrrhsc3 00 6% IuIAD<08*(*.2@r