U d,@sBUdZddlmZddlZddlZddlmZmZddlmZm Z m Z ddl m Z m Z mZmZmZmZmZmZmZddlZddlmZddlmZdd lmZmZdd lmZe rdd lm Z dd l!m"Z"eGd ddZ#dZ$dZ%dZ&dZ'iZ(de)d<ddddddZ*ddddZ+eGdddZ,dddd d!d"d#Z-dS)$z$MONGODB-OIDC Authentication helpers.) annotationsN) dataclassfield)datetime timedeltatimezone) TYPE_CHECKINGAnyCallableDictListMappingMutableMappingOptionalTuple)Binary)SON)ConfigurationErrorOperationFailure)_REAUTHENTICATION_REQUIRED_CODE)MongoCredential) Connectionc@s.eZdZUded<ded<ded<ded<dS) _OIDCPropertieszOptional[Callable[..., Dict]]request_token_callbackrefresh_token_callback Optional[str] provider_namez List[str] allowed_hostsN)__name__ __module__ __qualname____annotations__r"r"5/tmp/pip-unpacked-wheel-oblwsawz/pymongo/auth_oidc.pyr-s ri,zDict[str, '_OIDCAuthenticator']_CACHErzTuple[str, int]_OIDCAuthenticator) credentialsaddressreturncCsttj}g}tD]&\}}|jdk r|j|kr||q|D] }t|=qD|j}|j }|j }|j } |j sd} |j } | D]:} | |dkrd} q|| dr||d| ddr|d} q|| std|dd| ||d|dt|t| } t| t||dt| S) NFrTz*.zRefusing to connect to z(, which is not in authOIDCAllowedHosts: )username properties)rnowrutcr%items cache_exp_utcappendr+Zmechanism_propertiesrrrr startswithendswithrid setdefaultr&)r'r(now_utcZ to_removekeyvalueprincipal_namer, request_cb refresh_cbfoundrpatt cache_keyr"r"r#_get_authenticator?s4    (r?rr)cCsttjttdS)Nminutes)rr-rr.rCACHE_TIMEOUT_MINUTESr"r"r"r#_get_cache_expfsrDc@seZdZUded<ded<eddZded<eddZded <ed dZd ed <ed dZd ed <ed dZ d ed<eddZ ded<ee dZ ded<ee jdZded<d-dddddZd.dddddZdd d!d"Zd#d$d%d&d'd(Zd/d#dd%d*d+d,ZdS)0r&strr+rr,N)defaultzOptional[Dict]idp_infoidp_resprint reauth_gen_ididp_info_gen_id token_gen_idzOptional[datetime] token_exp_utc)default_factoryrr0zthreading.LocklockTboolr) use_callbacksr)c Cs|j}|j}|j}|sd}d}d}|jdk rZttj}|j}td}|| |krZd}t } |sj|sjdS|sX|dk rX|j r|j dnd} |j |j r|j dnd} | | kr| W5QRS|j o|j d} | pd} | t| d} |j dks|dkr ||j| |_ n|dk r$||j| |_ ttjttd}||_|jd 7_W5QRX|j }t|tsrtd d|krtd dd d g}|D] }||krtd|dq|d}d |krt|d }td}||krttj}|t|d}||_|S)NF<TZ access_token refresh_token)Ztimeout_secondsversionrSrAr*z%OIDC callback returned invalid resultz,OIDC callback did not return an access_tokenZexpires_in_secondsZ refesh_tokenz%Unexpected field in callback result "")seconds)r,rrrMrr-rr.TOKEN_BUFFER_MINUTES total_secondsCALLBACK_TIMEOUT_SECONDSrHrOgetCALLBACK_VERSIONrGrrCr0rL isinstancedict ValueErrorrI)selfrQr,r:r;Zcurrent_valid_tokenr6Zexp_utcZbuffer_secondstimeout prev_token new_tokenrScontextr0Z token_resultexpectedr7tokenZ expires_inr"r"r#get_current_tokenwsn            z$_OIDCAuthenticator.get_current_tokenzOptional[SON[str, Any]]c Cs|j}|jdkrbtjd}t|}|}W5QRXd|i}tdddtt |fg}|S|j }|j dk rt tjttd|_|j dkrt|_|j dkri}|r||d<tdddtt |fd g}|S||}|sdStt d|i} tddd| fgS) NZawsZAWS_WEB_IDENTITY_TOKEN_FILEjwt)Z saslStartr*)Z mechanismz MONGODB-OIDCpayloadrAn)Z autoAuthorizer*)r,rosenvironopenreadstriprrbsonencoder+rGrr-rr.rrCr0rDrg) r`rQr,Zaws_identity_fileZfidrfricmdr9 bin_payloadr"r"r#auth_start_cmdsT         z!_OIDCAuthenticator.auth_start_cmdNoner@cCsd|_d|_d|_dS)N)rGrHrM)r`r"r"r#clearsz_OIDCAuthenticator.clearrzMutableMapping[str, Any]Optional[Mapping[str, Any]])connrrr)c Csz|jd|ddWStk r~}zN||jtkrldt|dkrl|j|jkrV|j |ddWYSW5d}~XYnXdS)Nz $externalT)Z no_reauthrhrireauthenticate) commandrrvcoderrpdecoderKrJ authenticate)r`rxrrexcr"r"r# run_commands  z_OIDCAuthenticator.run_commandF)rxrzr)c Cs8|r8t|dd}||jkr8|j|_d|_|jjs8||j}d}|rV| rV|j }n | }|dk sjt | ||}|dk st |dr|j|_dSt|d}d|kr||_|jd7_|d}|} |j|_ttd| i} tdd|fd| fg}| ||}|dk st |ds4|td |S) Noidc_token_gen_iddoneriZissuerr*ZconversationIdrh)Z saslContinuer*z%SASL conversation failed to complete.)getattrrLrKrJrMr,rrvZauth_ctxZspeculate_succeededZspeculative_authenticatertAssertionErrorrrrpr}rGrgrrqrr) r`rxrzZprev_idctxrrrespZ server_respZconversation_idrfrsr"r"r#r~ sL        z_OIDCAuthenticator.authenticate)T)T)F)rrr r!rrGrHrJrKrLrMrDr0 threadingLockrOrgrtrvrr~r"r"r"r#r&js J9rrPrw)r'rxrzr)cCst||j}|j||dS)z Authenticate using MONGODB-OIDC.ry)r?r(r~)r'rxrzZ authenticatorr"r"r#_authenticate_oidc@s r).__doc__ __future__rrkrZ dataclassesrrrrrtypingrr r r r r rrrrpZ bson.binaryrZbson.sonrZpymongo.errorsrrZpymongo.helpersrZ pymongo.authrZ pymongo.poolrrrXrZrCr\r%r!r?rDr&rr"r"r"r#s6 ,        'V