U dJY @sUdZddlmZddlZddlZddlZddlZddlZddlZddl m Z m Z ddl m Z ddlmZmZmZmZmZmZddlmZddlmZdd lmZdd lmZdd lmZmZmZdd l m!Z!m"Z"dd l#m$Z$erddl%m&Z&ddl'm(Z(dZ)dZ*z4ddl+Z,e-e.e/e,j01ddddkr4dZ*Wn>e2k rtz ddl,Z,Wne2k rndZ)YnXYnXe3dddddddddg Z4GdddZ5e d d!d"d#d$d%d&gZ6e d'd(d)d*gZ7e d+d,gZ8d-d.d-d-d/d.d d0d1d2Z9d3d3d3d4d5d6Z:d3d7d8d9d:Z;d d-d;d<d=d>Zd-d-d-d-dGdHdIZ?d-d-dJdKdLZ@d d?d@dMdNdOZAd d?d@dMdPdQZBd d?d@dMdRdSZCd d?d@dMdTdUZDd d?d@dMdVdWZEeAeDeCeeBejFe=ddXejFe=ddXeEdYZGdZeHd[<Gd\d]d]ZIGd^d_d_eIZJGd`dadaeIZKGdbdcdceIZLeKejFeJddXejFeJddXeLejFeJddXddZMdZeHde<djd d?dfd@dgdhdiZNdS)kzAuthentication helpers.) annotationsN)standard_b64decodestandard_b64encode) namedtuple) TYPE_CHECKINGAnyCallableMappingMutableMappingOptional)quote)Binary)SON)_authenticate_aws)_authenticate_oidc_get_authenticator_OIDCProperties)ConfigurationErrorOperationFailure)saslprep)Hello) ConnectionTF.)rGSSAPI MONGODB-CR MONGODB-OIDC MONGODB-X509 MONGODB-AWSPLAIN SCRAM-SHA-1 SCRAM-SHA-256DEFAULTc@sTeZdZdZedZddddZdddd d Zdddd d Zd dddZ dS)_CachedataNonereturncCs d|_dSNr%selfr-0/tmp/pip-unpacked-wheel-oblwsawz/pymongo/auth.py__init__Ksz_Cache.__init__objectbool)otherr)cCst|trdStS)NT isinstancer$NotImplementedr,r2r-r-r.__eq__Ns z _Cache.__eq__cCst|trdStS)NFr3r6r-r-r.__ne__Ts z _Cache.__ne__intcCs|jSr*) _hash_valr+r-r-r.__hash__Ysz_Cache.__hash__N) __name__ __module__ __qualname__ __slots__hashr:r/r7r8r;r-r-r-r.r$Fs r$MongoCredential mechanismsourceusernamepasswordmechanism_propertiescacheGSSAPIProperties service_namecanonicalize_host_name service_realm_AWSPropertiesaws_session_tokenstrz Optional[str]zMapping[str, Any])mechrCuserpasswdextradatabaser)cCs2|dkr|dkrt|d|dkr|dk r>|dkr>td|di}|dd }|d d }|d } t||| d } t|d||| dS|dkr|dk rtd|dk r|dkrtdt|d|dddS|dkr>|dk r|dkrtd|dk r |dkr td|di}|d} t| d} t|d||| dS|dkr|di}|d} |dd}|dd}dddddd g}|d!|}| s|d"krtd#t| |||d$}t|d|||dS|d%kr|p|pd}t||||ddS|p|pd&}|dkrtd't||||dtSdS)(z8Build and return a mechanism specific credentials tuple.)rrrNz requires a username.r $externalz:authentication source must be $external or None for GSSAPIZauthmechanismpropertiesZ SERVICE_NAMEZmongodbZCANONICALIZE_HOST_NAMEFZ SERVICE_REALM)rIrJrKrz+Passwords are not supported by MONGODB-X509z@authentication source must be $external or None for MONGODB-X509rz;username without a password is not supported by MONGODB-AWSz?authentication source must be $external or None for MONGODB-AWSZAWS_SESSION_TOKEN)rMrrequest_token_callbackrefresh_token_callbackZ PROVIDER_NAMEz *.mongodb.netz*.mongodb-dev.netz*.mongodbgov.net localhostz 127.0.0.1z::1 allowed_hostsZawsziauthentication with MONGODB-OIDC requires providing an request_token_callback or a provider_name of 'aws')rUrV provider_namerYr ZadminzA password is required.)r ValueErrorgetrHrArLrr$)rOrCrPrQrRrSZ propertiesrI canonicalizerKpropsrMZ aws_propsrUrVrZZdefault_allowedrYZ oidc_propsZsource_databaser-r-r._build_credentials_tuplens~                 r_bytes)firsecr)cCsdddt||DS)zXOR two byte strings together.cSsg|]\}}t||AgqSr-)r`).0xyr-r-r. sz_xor..)joinzip)rarbr-r-r._xorsrjdict)responser)cCstdd|dDS)z-Split a scram response into key, value pairs.css,|]$}ttjttf|ddVqdS)=N)typingcastTuplerNsplit)rditemr-r-r. sz(_parse_scram_response..,)rkrr)rlr-r-r._parse_scram_responsesrvz-tuple[bytes, bytes, MutableMapping[str, Any]]) credentialsrBr)cCsr|j}|ddddd}ttd}d|d|}td d |fd td |fd dddifg}|||fS)Nutf-8rms=3Drus=2C sn=s,r=Z saslStartrnrBpayloadsn,,Z autoAuthorizernoptionsZskipEmptyExchangeT)rDencodereplacerosurandomrr )rwrBrDrPnonce first_barecmdr-r-r._authenticate_scram_starts  rrr')rwconnrBr)c Cs|j}|dkr*d}tj}t|jd}nd}tj}t||jd}|j}|j }t j } |j } | r| rt| tsxt| jdk st| j\} } | j} nt||\} } }|||} | dk st| d}t|}t|d}|dkrtd |d }|d }|| std d |}|jr0|j\}}}}n d\}}}}|rV||ksV||krt||t||}| |d|}| |d|}||||f|_||}d| ||f}| |||}dtt||}d||f}t| |||}t dd| dfdt!|fg}|||} t| d}t "|d|sHtd| dst dd| dfdt!dfg}|||} | dstddS)zAuthenticate using SCRAM.r"sha256rxsha1Nr{iiz+Server returned an invalid iteration count.srz!Server returned an invalid nonce.s c=biws,r=)NNNNs Client Keys Server Keyrusp=Z saslContinuernconversationIdvz%Server returned an invalid signature.donercz%SASL conversation failed to complete.)#rDhashlibrrrEr~r_password_digestrCrGhmacHMACauth_ctxspeculate_succeededr4 _ScramContextAssertionError scram_dataspeculative_authenticatercommandrvr9r startswithr& pbkdf2_hmacrdigestrhrrjrr compare_digest) rwrrBrDr digestmodr&rCrGZ_hmacctxrrresrZ server_firstparsedZ iterationsZsaltZrnonceZ without_proofZ client_keyZ server_keyZcsaltZ citerationsZ salted_passZ stored_keyZauth_msgZ client_sigZ client_proofZ client_finalZ server_sigr-r-r._authenticate_scrams                 r)rDrEr)cCsft|tstdt|dkr&tdt|ts8tdt}|d|}||d| S)z0Get a password digest to use for authentication.z#password must be an instance of strrzpassword can't be emptyz#username must be an instance of strz:mongo:rx) r4rN TypeErrorlenr[rmd5updater~ hexdigest)rDrEmd5hashr&r-r-r.r6s   r)rrDrEr)cCs:t||}t}|||}||d|S)z*Get an auth key to use for authentication.rx)rrrrr~r)rrDrErrr&r-r-r. _auth_keyEs  r)hostnamer)cCsdt|dddtjtjd\}}}}}zt|tj}Wntjk rV|YSX|dS)z2Canonicalize hostname following MIT-krb5 behavior.Nr)socket getaddrinfo IPPROTO_TCP AI_CANONNAME getnameinfo NI_NAMEREQDgaierrorlower)rafsocktypeproto canonnameZsockaddrnamer-r-r._canonicalize_hostnameNsr)rwrr)c Csts tdzH|j}|j}|j}|jd}|jr:t|}|jd|}|j dk r`|d|j }|dk rt rd t |t |f}t j||t jd\}} qd|kr|dd\} } n |d} } t j|t j| | |d\}} nt j|t jd\}} |t jkrtd zBt | d dkr td t | } td d d| fdg} |d| }tdD]t}t | t|d}|dkr|td t | pd } tdd|dfd| fg} |d| }|t jkrRqАqRtdt | t|ddkrtdt | t | |dkrtdt | } tdd|dfd| fg} |d| W5t | XWn2t jk r}ztt|W5d}~XYnXdS)zAuthenticate using GSSAPI.zEThe "kerberos" module must be installed to use GSSAPI authentication.r@N:)gssflagsrn)rrPdomainrEz&Kerberos context failed to initialize.rWz*Unknown kerberos failure in step function.rz)rBrr{r|rT rrz+Kerberos authentication failed to complete.z0Unknown kerberos failure during GSS_Unwrap step.z.Unknown kerberos failure during GSS_Wrap step.) HAVE_KERBEROSrrDrErFaddressrJrrIrK_USE_PRINCIPALrhr kerberosZauthGSSClientInitZGSS_C_MUTUAL_FLAGrrZAUTH_GSS_COMPLETErZauthGSSClientCleanZauthGSSClientStepZauthGSSClientResponserrrangerNZauthGSSClientUnwrapZauthGSSClientWrapZKrbError)rwrrDrEr^hostZserviceZ principalresultrrPrr{rrl_excr-r-r._authenticate_gssapi]s                rcCsN|j}|j}|j}d|d|}tdddt|fdg}|||dS)z(Authenticate using SASL PLAIN (RFC 4616)rz)rBr r{r|N)rCrDrEr~rr r)rwrrCrDrEr{rr-r-r._authenticate_plains rcCs6|j}|r|rdSt||j}|d|dS)z Authenticate using MONGODB-X509.NrT)rr _X509Contextrspeculate_commandr)rwrrrr-r-r._authenticate_x509s  rc Csb|j}|j}|j}||ddi}|d}t|||}tdd|fd|fd|fg}|||dS)zAuthenticate using MONGODB-CR.Zgetnoncernr authenticaternrPkeyN)rCrDrErrr) rwrrCrDrErlrrqueryr-r-r._authenticate_mongo_crs rcCs|jdkrr|jr|j}n8|j}|}|d|j|d<|j||dddg}d|krdt||dSt||dSn t||dSdS)NrZsaslSupportedMechsF)Zpublish_eventsr"r!)Zmax_wire_versionZnegotiated_mechsrCZ hello_cmdrDrr\r)rwrZmechsrCrr-r-r._authenticate_defaults  r)rB)rrrrr r!r"r#zMapping[str, Callable] _AUTH_MAPc@s`eZdZddddddZeddddd d Zd d d dZdddddZdd ddZdS) _AuthContextrAtuple[str, int]r')rwrr)cCs||_d|_||_dSr*)rwrr)r,rwrr-r-r.r/sz_AuthContext.__init__zOptional[_AuthContext])credsrr)cCst|j}|r|||SdSr*)_SPECULATIVE_AUTH_MAPr\rB)rrZspec_clsr-r-r.from_credentials s  z_AuthContext.from_credentials"Optional[MutableMapping[str, Any]]r(cCstdSr*)NotImplementedErrorr+r-r-r.r)sz_AuthContext.speculate_commandr)hellor)cCs |j|_dSr*)r)r,rr-r-r.parse_response,sz_AuthContext.parse_responser1cCs t|jSr*)r1rr+r-r-r.r/sz _AuthContext.speculate_succeededN) r<r=r>r/ staticmethodrrrrr-r-r-r.rs rcs6eZdZdddddfdd Zdd d d ZZS) rrArrNr')rwrrBr)cst||d|_||_dSr*)superr/rrB)r,rwrrB __class__r-r.r/4sz_ScramContext.__init__rr(cCs.t|j|j\}}}|jj|d<||f|_|S)Ndb)rrwrBrCr)r,rrrr-r-r.r;s  z_ScramContext.speculate_command)r<r=r>r/r __classcell__r-r-rr.r3src@seZdZddddZdS)rzMutableMapping[str, Any]r(cCs(tddg}|jjdk r$|jj|d<|S)Nr)rBrrP)rrwrD)r,rr-r-r.rEs   z_X509Context.speculate_commandNr<r=r>rr-r-r-r.rDsrc@seZdZddddZdS) _OIDCContextrr(cCs4t|j|j}|d}|dkr$dS|jj|d<|S)NFr)rrwrZauth_start_cmdrC)r,Z authenticatorrr-r-r.rMs   z_OIDCContext.speculate_commandNrr-r-r-r.rLsr)rr!r"rr#rr1)rwrreauthenticater)cCs2|j}t|}|dkr$t|||n |||dS)zAuthenticate connection.rN)rBrr)rwrrrBZ auth_funcr-r-r.r_s r)F)O__doc__ __future__r functoolsrrrrrobase64rr collectionsrrrrr r r urllib.parser Z bson.binaryr Zbson.sonrZpymongo.auth_awsrZpymongo.auth_oidcrrrZpymongo.errorsrrZpymongo.saslpreprZ pymongo.hellorZ pymongo.poolrrrZ winkerberosrtuplemapr9 __version__rr ImportError frozensetZ MECHANISMSr$rArHrLr_rjrvrrrrrrrrrrpartialr__annotations__rrrrrrr-r-r-r.s          $  QW u