o {gA @stUdZddlmZddlZddlZddlZddlZddlmZm Z ddl m Z m Z m Z mZmZmZmZddlmZddlmZddlmZmZmZmZdd lmZmZdd lmZdd l m!Z!dd l"m#Z#m$Z$e rudd l%m&Z&ddl'm(Z(dZ)dZ*zddl+Z,e-e.e/e,j01ddddkrdZ*Wne2yzddl,Z,Wn e2ydZ)YnwYnwdZ3dGddZ4dHd d!Z5dId#d$Z6dJd&d'Z7dKd(d)Z8dKd*d+Z9dKd,d-Z:dKd.d/Z;dKd0d1Zd6e?d7<Gd8d9d9Z@Gd:d;d;e@ZAGdd?d?e@ZCeBej=eAd2d3ej=eAd4d3eCej=eAd4d3d@ZDdAe?dB< dLdMdEdFZEdS)NzAuthentication helpers.) annotationsN)standard_b64decodestandard_b64encode) TYPE_CHECKINGAnyCallableMappingMutableMappingOptionalcast)quote)Binary)MongoCredential_authenticate_scram_start_parse_scram_response_xor)ConfigurationErrorOperationFailure)saslprep)_authenticate_aws)_authenticate_oidc_get_authenticator)Hello) ConnectionTF.)r credentialsrconnr mechanismstrreturnNonec Csx|j}|dkrd}tj}t|jd}nd}tj}t||jd}|j}|j }t j } |j } | rL| rLt| tsr TypeErrorlen ValueErrorr4md5updater6 hexdigest)r3r5md5hashrErbrbrcr7s   r7rMcCs:t||}t}|||}||d|S)z*Get an auth key to use for authentication.r%)r7r4rhrir6rj)rMr3r5rGrkrErbrbrc _auth_keys rlhostnamecCsbt|dddtjtjd\}}}}}z t|tj}Wntjy*|YSw|dS)z2Canonicalize hostname following MIT-krb5 behavior.Nr)socket getaddrinfo IPPROTO_TCP AI_CANONNAME getnameinfo NI_NAMEREQDgaierrorlower)rmafsocktypeproto canonnamesockaddrnamerbrbrc_canonicalize_hostnames  r|c Cs^tstdz|j}|j}|j}|jd}|jrt|}|jd|}|j dur0|d|j }|durmt rMd t |t |f}t j||t jd\}} n*d|vrZ|dd\} } n|d} } t j|t j| | |d\}} n t j|t jd\}} |t jkrtd zt | d dkrtd t | } dd | dd } |d| }tdD]0}t | t|d}|dkrtd t | pd } d|d| d} |d| }|t jkrnqtdt | t|ddkrtdt | t | |dkrtdt | } d|d| d} |d| Wt | WdSt | wt jy.}ztt|dd}~ww)zAuthenticate using GSSAPI.zEThe "kerberos" module must be installed to use GSSAPI authentication.r@N:)gssflagsr,)ruserdomainr5z&Kerberos context failed to initialize.z*Unknown kerberos failure in step function.GSSAPI saslStartrr' autoAuthorize $external r'r-r.z+Kerberos authentication failed to complete.z0Unknown kerberos failure during GSS_Unwrap step.z.Unknown kerberos failure during GSS_Wrap step.) HAVE_KERBEROSrr3r5mechanism_propertiesaddresscanonicalize_host_namer| service_name service_realm_USE_PRINCIPALrHr kerberosauthGSSClientInitGSS_C_MUTUAL_FLAGsplitAUTH_GSS_COMPLETErauthGSSClientStepauthGSSClientResponserBranger authGSSClientUnwrapauthGSSClientWrapauthGSSClientCleanKrbError)rrr3r5propshostservice principalresultrLrrr'rPresponse_excrbrbrc_authenticate_gssapis            rcCsH|j}|j}|j}d|d|}ddt|dd}|||dS)z(Authenticate using SASL PLAIN (RFC 4616)r,PLAINrN)r8r3r5r6r rB)rrr8r3r5r'rPrbrbrc_authenticate_plain/srcCs6|j}|r |r dSt||j}|d|dS)z Authenticate using MONGODB-X509.Nr)r<r= _X509Contextrspeculate_commandrB)rrrLrPrbrbrc_authenticate_x509>s  rc CsT|j}|j}|j}||ddi}|d}t|||}d|||d}|||dS)zAuthenticate using MONGODB-CR.getnoncer,rM) authenticaterrMkeyN)r8r3r5rBrl) rrr8r3r5rrMrqueryrbrbrc_authenticate_mongo_crIs rcCs||jdkr8|jr |j}n|j}|}|d|j|d<|j||dddg}d|vr2t||dSt||dSt||dS)NrsaslSupportedMechsF)publish_eventsr# SCRAM-SHA-1)max_wire_versionnegotiated_mechsr8 hello_cmdr3rBgetrd)rrmechsr8rPrbrbrc_authenticate_defaultXs    rr)rr#) rz MONGODB-CR MONGODB-X509z MONGODB-AWS MONGODB-OIDCrrr#DEFAULTz!Mapping[str, Callable[..., None]] _AUTH_MAPc@sBeZdZdddZedd d ZdddZdddZdddZdS) _AuthContextrrrtuple[str, int]r!r"cCs||_d|_||_dSN)rrAr)selfrrrbrbrc__init__ws z_AuthContext.__init__credsOptional[_AuthContext]cCs$t|j}|rtt|||SdSr)_SPECULATIVE_AUTH_MAPrrr r)rrspec_clsrbrbrcfrom_credentials|s z_AuthContext.from_credentials"Optional[MutableMapping[str, Any]]cCstr)NotImplementedErrorrrbrbrcrsz_AuthContext.speculate_commandhelloHello[Mapping[str, Any]]cCs |j|_dSr)rA)rrrbrbrcparse_responses z_AuthContext.parse_responseboolcCs t|jSr)rrArrbrbrcr=s z _AuthContext.speculate_succeededN)rrrrr!r")rrrrr!rr!r)rrr!r")r!r) __name__ __module__ __qualname__r staticmethodrrrr=rbrbrbrcrvs    rcs(eZdZdfd d Zdd d ZZS)r?rrrrrr r!r"cst||d|_||_dSr)superrr@r)rrrr __class__rbrcrs z_ScramContext.__init__rcCs.t|j|j\}}}|jj|d<||f|_|SNdb)rrrr8r@)rrMrNrPrbrbrcrs  z_ScramContext.speculate_command)rrrrrr r!r"r)rrrrr __classcell__rbrbrrcr?sr?c@eZdZdddZdS)rr!MutableMapping[str, Any]cCs&ddd}|jjdur|jj|d<|S)Nr,r)rrr)rr3)rrPrbrbrcrs   z_X509Context.speculate_commandN)r!rrrrrrbrbrbrcrrc@r) _OIDCContextr!rcCs2t|j|j}|}|durdS|jj|d<|Sr)rrrget_spec_auth_cmdr8)r authenticatorrPrbrbrcrs  z_OIDCContext.speculate_commandNrrrbrbrbrcrrr)rrr#rrzMapping[str, Any]rreauthenticatercCs4|j}t|}|dkrt|||dS|||dS)zAuthenticate connection.rN)rrr)rrrr auth_funcrbrbrcrs r)rrrrrr r!r")r3r r5r r!r )rMr r3r r5r r!r )rmr r!r )rrrrr!r")F)rrrrrrr!r")F__doc__ __future__r functoolsr4r:rnbase64rrtypingrrrrr r r urllib.parser bson.binaryr pymongo.auth_sharedrrrrpymongo.errorsrrpymongo.saslpreprpymongo.synchronous.auth_awsrpymongo.synchronous.auth_oidcrr pymongo.hellorpymongo.synchronous.poolrrr winkerberosrtuplemaprC __version__r ImportError_IS_SYNCrdr7rlr|rrrrrpartialr__annotations__rr?rrrrrbrbrbrcs $     "     S   o