l8'hA HUdZddlmZddlZddlZddlZddlZddlmZm Z ddl m Z m Z m Z mZmZmZmZddlmZddlmZddlmZmZmZmZdd lmZmZdd lmZdd l m!Z!dd l"m#Z#m$Z$e r dd l%m&Z&ddl'm(Z(dZ)dZ* ddl+Z,e-e.e/e,j`jcddddk\rdZ*dZ3d/dZ4d0dZ5d1dZ6d2dZ7d3dZ8d3dZ9d3dZ:d3dZ;d3dZd!e?d"<Gd#d$Z@Gd%d&e@ZAGd'd(e@ZBGd)d*e@ZCeBejzeAdejzeAdeCejzeAdd+ZDd,e?d-< d4 d5d.ZEy#e2$r ddl,Z,n #e2$rdZ)YnwxYwYwxYw)6zAuthentication helpers.) annotationsN)standard_b64decodestandard_b64encode) TYPE_CHECKINGAnyCallableMappingMutableMappingOptionalcast)quote)Binary)MongoCredential_authenticate_scram_start_parse_scram_response_xor)ConfigurationErrorOperationFailure)saslprep)_authenticate_aws)_authenticate_oidc_get_authenticator)Hello) ConnectionTF.)rcZ|j}|dk(r7d}tj}t|jj d}n7d}tj }t||jj d}|j}|j}tj} |j} | rL| jr*>?FFwO   F   E IIE --C s&&(#}---~~)))NNz**!:; !Rz3ll63' ??y>L "< 0FVD\"JDLMM $>@J-d:z.JKKL99m\:;L#E*h $J$Q$Q$STJ./,' C ,,vs #C "3y> 2F   vd|Z 8FGG v;!"23c{  ll63'6{"#JK K r.c6t|ts tdt|dk(r t dt|ts tdt j }|d|}|j|jd|jS)z0Get a password digest to use for authentication.z#password must be an instance of strrzpassword can't be emptyz#username must be an instance of strz:mongo:r!) r:str TypeErrorlen ValueErrorr0md5updater2 hexdigest)r/r1md5hashrAs rar3r3s h $=>> 8}233 h $=>>kkmGZwxj )D NN4;;w'(    r.ct||}tj}|||}|j|j d|j S)z*Get an auth key to use for authentication.r!)r3r0rhrir2rj)rLr/r1rCrkrAs ra _auth_keyrmsO h 1FkkmGWXJvh 'D NN4;;w'(    r.cBtj|dddtjtjd\}}}}} tj|tj }|djS#tj $r|jcYSwxYw)z2Canonicalize hostname following MIT-krb5 behavior.Nr)socket getaddrinfo IPPROTO_TCP AI_CANONNAME getnameinfo NI_NAMEREQDgaierrorlower)hostnameafsocktypeproto canonnamesockaddrnames ra_canonicalize_hostnamer~s06/A/A$1f00&2E2E00 ,B%H!!!(F,>,>? 7==? ??!  !s$A88#BBcts td |j}|j}|j}|j d}|j r t|}|jdz|z}|j|dz|jz}|trOdjt|t|f}tj||tj\}} nrd|vr|j!dd\} } n|d} } tj|tj| | |\}} n(tj|tj\}} |tj"k7r t%d  tj&| d dk7r t%d tj(| } dd | dd } |j+d| }t-dD]}}tj&| t/|d}|dk(r t%d tj(| xsd } d|d| d} |j+d| }|tj"k(s}n t%dtj0| t/|ddk7r t%dtj2| tj(| |dk7r t%dtj(| } d|d| d} |j+d| tj4| y#tj4| wxYw#tj6$r}t%t/|dd}~wwxYw)zAuthenticate using GSSAPI.zEThe "kerberos" module must be installed to use GSSAPI authentication.r@N:)gssflagsr()ruserdomainr1z&Kerberos context failed to initialize.z*Unknown kerberos failure in step function.GSSAPI saslStartrHr# autoAuthorize $external r#r)r*z+Kerberos authentication failed to complete.z0Unknown kerberos failure during GSS_Unwrap step.z.Unknown kerberos failure during GSS_Wrap step.) HAVE_KERBEROSrr/r1mechanism_propertiesaddresscanonicalize_host_namer~ service_name service_realm_USE_PRINCIPALrDr kerberosauthGSSClientInitGSS_C_MUTUAL_FLAGsplitAUTH_GSS_COMPLETErauthGSSClientStepauthGSSClientResponser>rangerdauthGSSClientUnwrapauthGSSClientWrapauthGSSClientCleanKrbError)rFrGr/r1propshostservice principalresultrKrrr#rOresponse_excs ra_authenticate_gssapirs<  S  e3''''00||A  ' ')$/D$$s*T1    *me&9&99G   HHeHouX%GH &88Y1K1K (?#+>>#q#9LD&#+T&D&88%77!%  #44WxGaGabKFC X// /"#KL L: - ))#r2a7&'STT 44S9G%"!" C ||K5H2Y V!33CXi=P9QRR<*+WXX"88=C%&&./?&@&  << S9X777 V"''TUU++CXi5H1IJaO&'YZZ))#x/M/Mc/RT\]abb&'WXX44S9G !"*+;"<"C LLc *  ' ' ,H ' ' ,   3s3x(d23s8E!L%5CL B&L 5L% L""L%%M8M  Mc|j}|j}|j}d|d|j}ddt |dd}|j ||y)z(Authenticate using SASL PLAIN (RFC 4616)r(PLAINrN)r4r/r1r2rr>)rFrGr4r/r1r#rOs ra_authenticate_plainr/se   F##H##HhZtH:.668G'?  C  LLr.c|j}|r|jryt||jj }|j d|y)z Authenticate using MONGODB-X509.Nr)r8r9 _X509Contextrspeculate_commandr>)rFrGrKrOs ra_authenticate_x509r>sC --C s&&( {DLL 1 C C ECLLc"r.c|j}|j}|j}|j|ddi}|d}t |||}d|||d}|j||y)zAuthenticate using MONGODB-CR.getnoncer(rL) authenticaterrLkeyN)r4r/r1r>rm) rFrGr4r/r1rrLrquerys ra_authenticate_mongo_crrIsm   F##H##H||FZO4H W E E8X .C5 MELLr.cR|jdk\r|jr |j}nU|j}|j}|dz|jz|d<|j ||dj dg}d|vr t||dSt||dSt||dS)NrsaslSupportedMechsF)publish_eventsr SCRAM-SHA-1)max_wire_versionnegotiated_mechsr4 hello_cmdr/r>getrb)rFrGmechsr4rOs ra_authenticate_defaultrXs !  ))E ''F.."C(. {7K7K(KC$ %\\&#e\DIIJ^`bcE e #&{D/J J&{D-H H";mDDr.r)rHr) rz MONGODB-CR MONGODB-X509z MONGODB-AWS MONGODB-OIDCrrrDEFAULTz!Mapping[str, Callable[..., None]] _AUTH_MAPcJeZdZddZe ddZd dZd dZd dZy) _AuthContextc.||_d|_||_yN)rFr=r)selfrFrs ra__init__z_AuthContext.__init__ws&EI% r.cttj|j}|rtt|||Syr)_SPECULATIVE_AUTH_MAPrrHr r)credsrspec_clss rafrom_credentialsz_AuthContext.from_credentials|s2),,U__=  hug&>? ?r.ctr)NotImplementedErrorrs rarz_AuthContext.speculate_commands!!r.c&|j|_yr)r=)rhellos raparse_responsez_AuthContext.parse_responses(-(F(F%r.c,t|jSr)boolr=rs rar9z _AuthContext.speculate_succeededsD1122r.N)rFrrtuple[str, int]returnNone)rrrrrzOptional[_AuthContext]rz"Optional[MutableMapping[str, Any]])rzHello[Mapping[str, Any]]rr)rr) __name__ __module__ __qualname__r staticmethodrrrr9r.rarrvsC )8 "G3r.rc8eZdZ dfd ZddZxZS)r;cBt|||d|_||_yr)superrr<rH)rrFrrH __class__s rarz_ScramContext.__init__s" g.9="r.ct|j|j\}}}|jj|d<||f|_|SNdb)rrFrHr4r<)rrLrMrOs rarz_ScramContext.speculate_commandsE!:4;K;KT^^!\z3$$++D  *- r.)rFrrrrHrdrrr)rrrrr __classcell__)rs@rar;r;s-#*#5D#QT# #r.r;ceZdZddZy)rcnddd}|jj|jj|d<|S)Nr(r)rrHr)rFr/)rrOs rarz_X509Context.speculate_commands8 ~>    $ $ 0**33CK r.N)rzMutableMapping[str, Any]rrrrrr.rarrsr.rceZdZddZy) _OIDCContextct|j|j}|j}|y|jj|d<|Sr)rrFrget_spec_auth_cmdr4)r authenticatorrOs rarz_OIDCContext.speculate_commandsH*4+;+;T\\J --/ ;$$++D  r.Nrrrr.rarrsr.r)rrrrrzMapping[str, Any]rcf|j}t|}|dk(rt|||y|||y)zAuthenticate connection.rN)rHrr)rFrGreauthenticaterH auth_funcs rarrs7%%I)$IN";n=+t$r.)rFrrGrrHrdrr)r/rdr1rdrrd)rLrdr/rdr1rdrrd)rwrdrrd)rFrrGrrr)F)rFrrGrrrrr)F__doc__ __future__r functoolsr0r6robase64rrtypingrrrr r r r urllib.parser bson.binaryrpymongo.auth_sharedrrrrpymongo.errorsrrpymongo.saslpreprpymongo.synchronous.auth_awsrpymongo.synchronous.auth_oidcrr pymongo.hellorpymongo.synchronous.poolrrr winkerberosrtuplemapr? __version__r ImportError_IS_SYNCrbr3rmr~rrrrrpartialr__annotations__rr;rrrrrr.rar s" 9 @%: #3  " Sh**005bq9 :;vE PLf  l3^ #  E$#(&$& $9$$%8MR&Y&&':oV$ 0 , 332L"<<!$9$$]mL&Y&&}P  y  /J ,(LQ %  %(2 %DH %  %   s6;4FF! FF!FF!FF! F!