o h@ @stUdZddlmZddlZddlZddlZddlZddlmZm Z ddl m Z m Z m Z mZmZmZmZddlmZddlmZddlmZmZmZmZdd lmZmZdd lmZdd l m!Z!dd l"m#Z#m$Z$dd l%m&Z&e r{ddl'm(Z(ddl)m*Z*dZ+dZ,zddl-Z.e/e0e1e.j23ddddkrdZ,Wne4yzddl.Z.Wn e4ydZ+YnwYnwdZ5dHddZ6dId!d"Z7dJd$d%Z8dKd)d*Z9dLd+d,Z:dLd-d.Z;dLd/d0Ze6d3d4ej>e6d5d4e=d6Z?d7e@d8<Gd9d:d:ZAGd;d<dd>eAZCGd?d@d@eAZDeCej>eBd3d4ej>eBd5d4eDej>eBd5d4dAZEdBe@dC< dMdNdFdGZFdS)OzAuthentication helpers.) annotationsN)standard_b64decodestandard_b64encode) TYPE_CHECKINGAnyCallableMappingMutableMappingOptionalcast)quote)Binary)MongoCredential_authenticate_scram_start_parse_scram_response_xor)ConfigurationErrorOperationFailure)saslprep)_authenticate_aws)_authenticate_oidc_get_authenticator) _getaddrinfo)Hello) ConnectionTF.)r credentialsrconnr mechanismstrreturnNonec Csx|j}|dkrd}tj}t|jd}nd}tj}t||jd}|j}|j }t j } |j } | rL| rLt| tsr! TypeErrorlen ValueErrortyper4md5updater6 hexdigest)r3r5md5hashrErSrSrTr7s   r7rMcCs:t||}t}|||}||d|S)z*Get an auth key to use for authentication.r&)r7r4rZr[r6r\)rMr3r5rGr]rErSrSrT _auth_keys r^hostnameoption str | boolcCs~|dvr|St|dddtjtjdd\}}}}}|dkr!|Sz t|tj}Wntjy8|YSw|dS)z2Canonicalize hostname following MIT-krb5 behavior.)FnoneNr)familyrYprotoflagsforward)rsocket IPPROTO_TCP AI_CANONNAMElower getnameinfo NI_NAMEREQDgaierror)r_r`afsocktyperd canonnameZsockaddrnamerSrSrT_canonicalize_hostnames(   rrc Csbtstdz|j}|j}|j}|jp|jd}t||j}|j d|}|j dur2|d|j }|durot rOd t |t |f}tj||tjd\}} n*d|vr\|dd\} } n|d} } tj|tj| | |d\}} n tj|tjd\}} |tjkrtd zt| d dkrtd t| } dd | dd } |d| }tdD]0}t| t|d}|dkrtd t| pd } d|d| d} |d| }|tjkrnqtdt| t|ddkrtdt| t| |dkrtdt| } d|d| d} |d| Wt| WdSt| wtjy0}ztt|dd}~ww)zAuthenticate using GSSAPI.zEThe "kerberos" module must be installed to use GSSAPI authentication.r@N:)gssflagsr-)ruuserdomainr5z&Kerberos context failed to initialize.z*Unknown kerberos failure in step function.GSSAPIZ saslStartr r(Z autoAuthorize $external r(r.r/z+Kerberos authentication failed to complete.z0Unknown kerberos failure during GSS_Unwrap step.z.Unknown kerberos failure during GSS_Wrap step.) HAVE_KERBEROSrr3r5Zmechanism_propertiesZ service_hostaddressrrZcanonicalize_host_name service_nameZ service_realm_USE_PRINCIPALrHr kerberosZauthGSSClientInitZGSS_C_MUTUAL_FLAGsplitZAUTH_GSS_COMPLETErZauthGSSClientStepZauthGSSClientResponserBranger!ZauthGSSClientUnwrapZauthGSSClientWrapZauthGSSClientCleanZKrbError)rrr3r5propshostZserviceZ principalresultrLrvrwr(rPresponse_excrSrSrT_authenticate_gssapis            rcCsH|j}|j}|j}d|d|}ddt|dd}|||dS)z(Authenticate using SASL PLAIN (RFC 4616)r-PLAINrzN)r8r3r5r6r rB)rrr8r3r5r(rPrSrSrT_authenticate_plain=srcCs6|j}|r |r dSt||j}|d|dS)z Authenticate using MONGODB-X509.Nr{)r<r= _X509Contextrspeculate_commandrB)rrrLrPrSrSrT_authenticate_x509Ls  rcCs||jdkr8|jr |j}n|j}|}|d|j|d<|j||dddg}d|vr2t||dSt||dSt||dS)NrZsaslSupportedMechsF)Zpublish_eventsr$ SCRAM-SHA-1)Zmax_wire_versionZnegotiated_mechsr8Z hello_cmdr3rBgetrU)rrZmechsr8rPrSrSrT_authenticate_defaultWs    rr)r r$)ry MONGODB-X509z MONGODB-AWS MONGODB-OIDCrrr$DEFAULTz!Mapping[str, Callable[..., None]] _AUTH_MAPc@sBeZdZdddZedd d ZdddZdddZdddZdS) _AuthContextrrrtuple[str, int]r"r#cCs||_d|_||_dSN)rrAr)selfrrrSrSrT__init__us z_AuthContext.__init__credsOptional[_AuthContext]cCs$t|j}|rtt|||SdSr)_SPECULATIVE_AUTH_MAPrr r r)rrZspec_clsrSrSrTfrom_credentialszs z_AuthContext.from_credentials"Optional[MutableMapping[str, Any]]cCstr)NotImplementedErrorrrSrSrTrsz_AuthContext.speculate_commandhelloHello[Mapping[str, Any]]cCs |j|_dSr)rA)rrrSrSrTparse_responses z_AuthContext.parse_responseboolcCs t|jSr)rrArrSrSrTr=s z _AuthContext.speculate_succeededN)rrrrr"r#)rrrrr"rr"r)rrr"r#)r"r) __name__ __module__ __qualname__r staticmethodrrrr=rSrSrSrTrts    rcs(eZdZdfd d Zdd d ZZS)r?rrrrr r!r"r#cst||d|_||_dSr)superrr@r )rrrr  __class__rSrTrs z_ScramContext.__init__rcCs.t|j|j\}}}|jj|d<||f|_|SNdb)rrr r8r@)rrMrNrPrSrSrTrs  z_ScramContext.speculate_command)rrrrr r!r"r#r)rrrrr __classcell__rSrSrrTr?sr?c@eZdZdddZdS)rr"MutableMapping[str, Any]cCs&ddd}|jjdur|jj|d<|S)Nr-r) authenticater rv)rr3)rrPrSrSrTrs   z_X509Context.speculate_commandN)r"rrrrrrSrSrSrTrrc@r) _OIDCContextr"rcCs2t|j|j}|}|durdS|jj|d<|Sr)rrrZget_spec_auth_cmdr8)rZ authenticatorrPrSrSrTrs  z_OIDCContext.speculate_commandNrrrSrSrSrTrrr)rrr$rrzMapping[str, Any]rreauthenticatercCs4|j}t|}|dkrt|||dS|||dS)zAuthenticate connection.rN)r rr)rrrr Z auth_funcrSrSrTrs r)rrrrr r!r"r#)r3r!r5r!r"r!)rMr!r3r!r5r!r"r!)r_r!r`rar"r!)rrrrr"r#)F)rrrrrrr"r#)G__doc__ __future__r functoolsr4r:rgbase64rrtypingrrrrr r r urllib.parser Z bson.binaryr Zpymongo.auth_sharedrrrrZpymongo.errorsrrZpymongo.saslpreprZpymongo.synchronous.auth_awsrZpymongo.synchronous.auth_oidcrrZpymongo.synchronous.helpersrZ pymongo.hellorZpymongo.synchronous.poolrr~rZ winkerberosrtuplemaprC __version__r ImportErrorZ_IS_SYNCrUr7r^rrrrrrpartialr__annotations__rr?rrrrrSrSrSrTs $      "     S   n