/j2PSSKJr SSKrSSKrSSKJrJrJrJr SSK J r SSK J r J r SSKrSSKJrJrJr SSKJr S rS rS rS S S.r"SS\5r"SS\5rSSSjjrSSSSSSSS.SSjjjrS SSS.S!Sjjjr"SS5rg)") annotationsN)AnyCallable TypedDictcast)Path)Literal NotRequired) OAuthError OpenAIErrorSubjectTokenProviderError) to_threadz/urn:ietf:params:oauth:grant-type:token-exchangez#https://auth.openai.com/oauth/tokeniz$urn:ietf:params:oauth:token-type:jwtz)urn:ietf:params:oauth:token-type:id_token)jwtidc*\rSrSr%S\S'S\S'Srg)SubjectTokenProviderzLiteral['jwt', 'id'] token_typezCallable[[], str] get_tokenN)__name__ __module__ __qualname____firstlineno____annotations____static_attributes__rF/app/agent/.venv/lib/python3.13/site-packages/openai/auth/_workload.pyrrs$$  rrcT\rSrSr%SrS\S'S\S'S\S'S\S'S \S 'S rg ) WorkloadIdentityz+A unique string that identifies the client.str client_ididentity_provider_idservice_account_idrproviderzNotRequired[float]refresh_buffer_secondsrN)rrrr__doc__rrrrrr!r!s.5N2GE""..rr!c^SU4SjjnSUS.$)a7 Get a subject token provider for Kubernetes clusters with Workload Identity configured. Cloud providers typically mount the subject token as a file in the container. Args: token_file_path: path to the mounted service account token file. Defaults to `/var/run/secrets/kubernetes.io/serviceaccount/token`. c>[TS5nUR5R5nU(d[STS35eUsSSS5 $!,(df  g=f![an[STSU35UeSnAff=f)NrzThe token file at z is empty.z!Failed to read the token file at z: )openreadstripr Exception)ftokenetoken_file_paths rr5k8s_service_account_token_provider..get_token;s oos+q(36HHYYc4dee ,++  o+.OP_O``bcdbe,fgmn n os4 A 6A A  AA A B*A<<Brrrreturnr#r)r4rs` r"k8s_service_account_token_providerr9/so i 88rz 2018-02-01$@) object_idr$ msi_res_id api_versiontimeout http_clientc6^^^^^^^SUUUUUUU4SjjnSUS.$)ab Get a subject token provider for Azure Managed Identities. See: https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/how-to-use-vm-token#get-a-token-using-http Args: resource: the resource URI to request a token for. Defaults to `https://management.azure.com/` (Azure Resource Manager). object_id: the object ID of the managed identity to use, when multiple are assigned. client_id: the client ID of the managed identity to use, when multiple are assigned. msi_res_id: the ARM resource ID of the managed identity to use, when multiple are assigned. api_version: the Azure IMDS API version. Defaults to `2018-02-01`. timeout: the request timeout in seconds. Defaults to 10.0. http_client: optional httpx.Client instance to use for requests. If not provided, a new client will be created for each request. c >SnTT S.nT bT US'TbTUS'T bT US'T bT RXSS0T S9nO1[R"5nURXSS0T S9nSSS5 WR(a[ S UR 3US 9eUR 5nURS 5nU(d [ S US 9e[[U5$!,(df  Nx=f![an[ S U35UeSnAff=f)Nz5http://169.254.169.254/metadata/identity/oauth2/token)z api-versionresourcer;r$r<Metadatatrueparamsheadersr>z4Failed to fetch Azure subject token from IMDS: HTTP response access_tokenz3Azure IMDS response did not include an access_tokenz/Failed to fetch Azure subject token from IMDS: ) gethttpxClientis_errorr status_codejsonrr#r0)urlrFrIclientdatar2r3r=r$r?r<r;rBr>s rr8azure_managed_identity_token_provider..get_tokenas3 jIC5@h%WF$&/{#$&/{#%'1|$&&??3 TZG[el?m\\^v%zz#zSYFZdkzlH$  /J8K_K_J`a%==?DHH^,E/IT\U# #$^ j+.]^_]`,abhi i js1A C%C"A1C% C"C%% D/C>>Drr6r7r)rBr;r$r<r=r>r?rs``````` r%azure_managed_identity_token_providerrUHs2jj@ i 88r)r>r?c&^^^SUUU4SjjnSUS.$)a Get a subject token provider for GCP VM instances using the instance metadata server. See: https://cloud.google.com/compute/docs/instances/verifying-instance-identity Args: audience: the unique URI agreed upon by both the instance and the system verifying the instance's identity. Defaults to `https://api.openai.com/v1`. timeout: the request timeout in seconds. Defaults to 10.0. http_client: optional httpx.Client instance to use for requests. If not provided, a new client will be created for each request. c>SnST0nTbTRXSS0TS9nO1[R"5nURXSS0TS9nSSS5 WR(a[ SUR 3US9eUR R5nU(d [ SUS9eU$!,(df  Nc=f![an[ S U35UeSnAff=f) Nz]http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identityaudiencezMetadata-FlavorGooglerEz=Failed to fetch GCP subject token from metadata server: HTTP rHz+GCP metadata server returned an empty tokenz8Failed to fetch GCP subject token from metadata server: ) rKrLrMrNrrOtextr/r0) rQrFrIrRr2r3rXr?r>s rr(gcp_id_token_provider..get_tokens sqC (+F&&??3HY[cGdnu?v\\^v%zz#GXZbFcmtzuH$  /ST\ThThSij%MM'')E/0]hpqqL$^ s+.fghfi,jkqr r ss/2B7B& AB7& B40B77 CCCrr6r7r)rXr>r?rs``` rgcp_id_token_providerr\s$ss.Y 77rc\rSrSr\S.SSjjrSSjrSSjrSSjrSSjr SSjr SS jr SS jr SS jr SS jrSS jrSSjrSrg)WorkloadIdentityAuth)token_exchange_urlcXlX lSUlSUlSUlSUl[ R"5Ul[ R"UR5Ul gNF) workload_identityr` _cached_token"_cached_token_expires_at_monotonic"_cached_token_refresh_at_monotonic _refreshing threadingLock_lock Condition _condition)selfrcr`s r__init__WorkloadIdentityAuth.__init__sT "3"4)-@D/@D/!&^^% #--djj9rcUR UR(aWUR5(aBURR 5 UR(aUR5(aMBUR5(d8UR 5(d#[ [UR5sSSS5 $UR(aUR(a-URR 5 UR(aM-URnUR5(a [S5e[ [U5sSSS5 $SUlSSS5 UR5 UR UR5(a [S5e[ [UR5sSSS5 UR SUlURR5 SSS5 $!,(df  N=f!,(df  $=f!,(df  O=fUR SUlURR5 SSS5 g!,(df  g=f!UR SUlURR5 SSS5 f!,(df  f=f=f)Nz)Token is unusable after refresh completedTF) rjrg_token_unusablerlwait_needs_refreshrr#rd RuntimeError_perform_refresh notify_all)rmr2s rrWorkloadIdentityAuth.get_tokens ZZ""t';';'='=$$&""t';';'='=''))$2E2E2G2GC!3!34 Z&&OO((*&&&**''))&'RSSC'Z $D " -  ! ! #''))&'RSSC!3!34 #( **,1Z0  #( **,#( **,szA'G=6AG=A G=;G=G='I9:H= I9"H= H  H  H-)I9="I(( I69 K"J1( K1 J? ;KcH# [UR5IShvN $N7fN)rrrms rget_token_async$WorkloadIdentityAuth.get_token_asyncst~~....s " "czUR SUlSUlSUlSSS5 g!,(df  g=fry)rjrdrerfrzs rinvalidate_token%WorkloadIdentityAuth.invalidate_tokens+ ZZ!%D 6:D 36:D 3ZZs, :cUR5n[R"5nUSnUR USUlX#-UlX R U5-UlSSS5 g!,(df  g=f)N expires_inrJ)_fetch_token_from_exchangetime monotonicrjrdre_refresh_delay_secondsrf)rm token_datanowrs rru%WorkloadIdentityAuth._perform_refreshsf446 nn - ZZ!+N!;D 696FD 369) _get_subject_tokenrcSUBJECT_TOKEN_TYPESrKr joinkeysrLrMpostr`TOKEN_EXCHANGE_GRANT_TYPE_handle_token_response)rmrrrrRrIs rr/WorkloadIdentityAuth._fetch_token_from_exchanges//1 ++J7 E 044Z@  %*:.8KDIIViVnVnVpLqKrs \\^v{{''";!%!7!7 !D%2*<,0,B,BCY,Z*.*@*@AU*V # H..x8^^s AC++ C9cUR(aUR5OSnURS;a [ XS9eUR (aUc [ S5eURS5nURS5n[U[5(aU(d [ S5e[U[[45(d [ S5eU[U5S.$[ S UR35e![a SnNf=f) N)iii)rIbodyz4Token exchange succeeded but response body was emptyrJrzThe workload identity provider returned an empty subject token)rcr )rmr'rs rr'WorkloadIdentityAuth._get_subject_token"s4))*5 -/ ^_ _rcLURSL=(d UR5$ry)rd_token_expiredrzs rrq$WorkloadIdentityAuth._token_unusable)s!!!T)BT-@-@-BBrcbURcg[R"5UR:$)NT)rerrrzs rr#WorkloadIdentityAuth._token_expired,s)  2 2 :~~4#J#JJJrcbURcg[R"5UR:$rb)rfrrrzs rrs#WorkloadIdentityAuth._needs_refresh1s)  2 2 :~~4#J#JJJrczURRS[5n[X!S- 5n[ X- S5$)Nr(r g)rcrKDEFAULT_REFRESH_BUFFER_SECONDSminmax)rmrconfigured_buffereffective_buffers rr+WorkloadIdentityAuth._refresh_delay_seconds6s= 22667OQop0q.A:0#66r)rdrerfrlrjrgr`rcN)rcr!r`r#r7)r8None)r8dict[str, Any])rIzhttpx.Responser8r)r8bool)rrr8r)rrrrDEFAULT_TOKEN_EXCHANGE_URLrnrr{r~rurrrrqrrsrrrrrr^r^s[ #= :,: : -:/; d92 0CK K 7rr^)z3/var/run/secrets/kubernetes.io/serviceaccount/token)r4z str | Pathr8r)zhttps://management.azure.com/)rBr#r; str | Noner$rr<rr=r#r>rr?httpx.Client | Noner8r)zhttps://api.openai.com/v1)rXr#r>rr?rr8r) __future__rrrhtypingrrrrpathlibrtyping_extensionsr r rL _exceptionsr r r _utils._syncrrrrrrr!r9rUr\r^rrrrs7" 112 LL$MB!% 2 5 !9! /y/&#X9994499! !#'+999999 99  99  9999%9999z0)8'+ )8)8)8% )8  )8XI7I7r