f^ UdZddlmZddlZddlZddlZddlZddlZddlZddl m Z m Z ddl m Z ddlmZmZmZmZmZmZmZmZddlmZddlmZdd lmZdd lmZmZmZm Z m!Z!m"Z"dd l#m$Z$m%Z%dd l&m'Z'er dd l(m)Z)ddl*m+Z+dZ,dZ- ddl.Z/e0e1e2e/jfjiddddk\rdZ-e6gdZ7 GddZ8e dgdZ9 e dgdZ: e ddgZ; dd Z> d?d!Z?d@d"Z@dAd#ZAdBd$ZBdCd%ZCdDd&ZDdDd'ZEdDd(ZFdDd)ZGdDd*ZHeDeGeFeeeEeje@d+,eje@d-,eHd. ZJd/eKd0<Gd1d2ZLGd3d4eLZMGd5d6eLZNGd7d8eLZOeNejeMd+,ejeMd-,eOejeMd-,d9ZPdeKd:< dE dFd;ZQy#e5$r ddl/Z/n #e5$rdZ,YnwxYwYLwxYw)GzAuthentication helpers.) annotationsN)standard_b64decodestandard_b64encode) namedtuple) TYPE_CHECKINGAnyCallableDictMappingMutableMappingOptionalcast)quote)Binary)_authenticate_aws)_authenticate_oidc_get_authenticator_OIDCAzureCallback_OIDCGCPCallback_OIDCProperties_OIDCTestCallback)ConfigurationErrorOperationFailure)saslprep)Hello) ConnectionTF.)r) GSSAPI MONGODB-CR MONGODB-OIDC MONGODB-X509 MONGODB-AWSPLAIN SCRAM-SHA-1 SCRAM-SHA-256DEFAULTc@eZdZdZedZddZddZddZd dZ y) _Cachedatacd|_yNr+selfs U/var/lib/jenkins/workspace/mettalog/venv/lib/python3.12/site-packages/pymongo/auth.py__init__z_Cache.__init__Zs  c0t|trytS)NT isinstancer*NotImplementedr0others r1__eq__z _Cache.__eq__]s eV $r3c0t|trytS)NFr5r8s r1__ne__z _Cache.__ne__cs eV $r3c|jSr.) _hash_valr/s r1__hash__z_Cache.__hash__hs ~~r3N)returnNone)r9objectr@bool)r@int) __name__ __module__ __qualname__ __slots__hashr>r2r:r<r?r3r1r*r*Us$IXI  r3r*MongoCredential) mechanismsourceusernamepasswordmechanism_propertiescacheGSSAPIProperties service_namecanonicalize_host_name service_realm_AWSPropertiesaws_session_tokenMapping[str, Any]c |dvr|t|d|dk(r||dk7r td|jdi}|jdd }t|jd d }|jd } t ||| } t |d||| dS|dk(r/| td||dk7r tdt |d|dddS|dk(r`| | td||dk7r td|jdi}|jd} t | } t |d||| dS|dk(rC|jdi}|jd} |jd}|jd}|jdd}gd}|jd|}d}| d}t|| s|r| t|| r|rd }t||m|d!k(r| d"}t|t} nY|d#k(rd}|s td$t|} n9|d%k(rd}|s td&t|} ntd'|t|t| |||||(}t |d|||tS|d)k(r|xs|xsd}t ||||ddS|xs|xsd*}| td+t ||||dtS),z8Build and return a mechanism specific credentials tuple.)r#r$r"Nz requires a username.r $externalz:authentication source must be $external or None for GSSAPIauthmechanismproperties SERVICE_NAMEmongodbCANONICALIZE_HOST_NAMEF SERVICE_REALMrSr#z+Passwords are not supported by MONGODB-X509z@authentication source must be $external or None for MONGODB-X509r$z;username without a password is not supported by MONGODB-AWSz?authentication source must be $external or None for MONGODB-AWSAWS_SESSION_TOKEN)rXr" OIDC_CALLBACKOIDC_HUMAN_CALLBACK ENVIRONMENTTOKEN_RESOURCE)z *.mongodb.netz*.mongodb-dev.netz*.mongodb-qa.netz*.mongodbgov.net localhostz 127.0.0.1z::1 ALLOWED_HOSTSzVauthentication with MONGODB-OIDC requires providing either a callback or a environmentz)password is not supported by MONGODB-OIDCz5cannot set both OIDC_CALLBACK and OIDC_HUMAN_CALLBACKtestz;test environment for MONGODB-OIDC does not support usernameazurezTAzure environment for MONGODB-OIDC requires a TOKEN_RESOURCE auth mechanism propertygcpzOGCP provider for MONGODB-OIDC requires a TOKEN_RESOURCE auth mechanism propertyz+unrecognized ENVIRONMENT for MONGODB-OIDC: )callbackhuman_callback environment allowed_hoststoken_resourcerNr%adminzA password is required.) r ValueErrorgetrCrRrKrWrrrrr*)mechrMuserpasswdextradatabase propertiesrT canonicalizerVpropsrX aws_propsrlrmenvironrpdefault_allowedromsg oidc_propssource_databases r1_build_credentials_tupler}sn BBt| D6)>!?@@ x  &K"7YZ ZYY8"= !~~ni@ JNN+CUKL "7  %#/'  t[$tLL    $%RS S  &K"7_` `t[$dDII    $%bc c  &K"7$Q YY8"= &NN+>?"5FG t[$ 4PP  YY8"= >>/2#(=>../#(8"= #H d   =C$S) ) ~"(--NM(--  & #WC,S11,.G#%,n.n=E!%,i,N;(+VW^V_)`aa$S) )$)')  t[$ FHUU  ;H; t_dFD$OO 7H7 >$%>? ?t_dFD&(SSr3c djt||Dcgc]\}}t||z gc}}Scc}}w)zXOR two byte strings together.r3)joinzipbytes)firsecxys r1_xorrs3 88C >1UAE7^> ??>s< cDtd|jdDS)z-Split a scram response into key, value pairs.c3K|]E}tjtjttf|j ddGyw)=N)typingrTuplersplit).0items r1 z(_parse_scram_response..s;   FLL. 40CDsA A ,)dictr)responses r1_parse_scram_responsers% NN4( r3c|j}|jdjddjdd}tt j d}d|zdz|z}d |t d |zd d d id }|||fS)Nutf-8rs=3Drs=2C sn=s,r=rsn,,skipEmptyExchangeT) saslStartrLpayload autoAuthorizeoptions)rNencodereplacerosurandomr) credentialsrLrNrunonce first_barecmds r1_authenticate_scram_startrs##H ??7 # + +D& 9 A A$ OD rzz"~ .E&.J&:-.'.  C *c !!r3cZ|j}|dk(r7d}tj}t|jj d}n7d}tj }t||jj d}|j}|j}tj} |j} | rL| jr*>?FFwO   F   E IIE --C s&&(#}---~~)))NNz**!:; !Rz3ll63' ??y>L "< 0FVD\"JDLMM $>@J-d:z.JKKL99m\:;L#E*h $J$Q$Q$STJ./,' C ,,vs #C "3y> 2F   vd|Z 8FGG v;!"23c{  ll63'6{"#JK K r3c6t|ts tdt|dk(r t dt|ts tdt j }|d|}|j|jd|jS)z0Get a password digest to use for authentication.z#password must be an instance of strrzpassword can't be emptyz#username must be an instance of strz:mongo:r) r6str TypeErrorlenrrrmd5updater hexdigest)rNrOmd5hashr,s r1rres h $=>> 8}233 h $=>>kkmGZwxj )D NN4;;w'(    r3ct||}tj}|||}|j|j d|j S)z*Get an auth key to use for authentication.r)rrrrrr)rrNrOrrr,s r1 _auth_keyrtsO h 1FkkmGWXJvh 'D NN4;;w'(    r3cBtj|dddtjtjd\}}}}} tj|tj }|djS#tj $r|jcYSwxYw)z2Canonicalize hostname following MIT-krb5 behavior.Nr)socket getaddrinfo IPPROTO_TCP AI_CANONNAME getnameinfo NI_NAMEREQDgaierrorlower)hostnameafsocktypeproto canonnamesockaddrnames r1_canonicalize_hostnamer}s06/A/A$1f00&2E2E00 ,B%H!!!(F,>,>? 7==? ??!  !s$A88#BBcts td |j}|j}|j}|j d}|j r t|}|jdz|z}|j|dz|jz}|trOdjt|t|f}tj||tj\}} nrd|vr|j!dd\} } n|d} } tj|tj| | |\}} n(tj|tj\}} |tj"k7r t%d  tj&| d dk7r t%d tj(| } dd | dd } |j+d| }t-dD]}}tj&| t/|d}|dk(r t%d tj(| xsd } d|d| d} |j+d| }|tj"k(s}n t%dtj0| t/|ddk7r t%dtj2| tj(| |dk7r t%dtj(| } d|d| d} |j+d| tj4| y#tj4| wxYw#tj6$r}t%t/|dd}~wwxYw)zAuthenticate using GSSAPI.zEThe "kerberos" module must be installed to use GSSAPI authentication.r@N:)gssflagsr)rrudomainrOz&Kerberos context failed to initialize.rfz*Unknown kerberos failure in step function.r rrLrrr[ rrrz+Kerberos authentication failed to complete.z0Unknown kerberos failure during GSS_Unwrap step.z.Unknown kerberos failure during GSS_Wrap step.) HAVE_KERBEROSrrNrOrPaddressrUrrTrV_USE_PRINCIPALrrkerberosauthGSSClientInitGSS_C_MUTUAL_FLAGrAUTH_GSS_COMPLETErauthGSSClientStepauthGSSClientResponserrangerauthGSSClientUnwrapauthGSSClientWrapauthGSSClientCleanKrbError)rrrNrOr{hostservice principalresultrrurrrr_excs r1_authenticate_gssapirs5  S  e3''''00||A  ' ')$/D$$s*T1    *me&9&99G   HHeHouX%GH &88Y1K1K (?#+>>#q#9LD&#+T&D&88%77!%  #44WxGaGabKFC X// /"#KL L: - ))#r2a7&'STT 44S9G%"!" C ||K5H2Y!33CXi=P9QRR<*+WXX"88=C%&&./?&@&  << S9X777"''TUU++CXi5H1IJaO&'YZZ))#x/M/Mc/RT\]abb&'WXX44S9G !"*+;"<"C LLc *  ' ' ,H ' ' ,   3s3x(d23s8E!L%5CL B&L 5L% L""L%%M8M  Mc|j}|j}|j}d|d|j}ddt |dd}|j ||y)z(Authenticate using SASL PLAIN (RFC 4616)rr%rN)rMrNrOrrr)rrrMrNrOrrs r1_authenticate_plainrse   F##H##HhZtH:.668G'?  C  LLr3c|j}|r|jryt||jj }|j d|y)z Authenticate using MONGODB-X509.Nr[)rr _X509Contextrspeculate_commandr)rrrrs r1_authenticate_x509r sC --C s&&( {DLL 1 C C ECLLc"r3c|j}|j}|j}|j|ddi}|d}t |||}d|||d}|j||y)zAuthenticate using MONGODB-CR.getnoncerr) authenticaterurkeyN)rMrNrOrr) rrrMrNrOrrrquerys r1_authenticate_mongo_crrsm   F##H##H||FZO4H W E E8X .C5 MELLr3cR|jdk\r|jr |j}nU|j}|j}|dz|jz|d<|j ||dj dg}d|vr t||dSt||dSt||dS)NrsaslSupportedMechsF)publish_eventsr'r&)max_wire_versionnegotiated_mechsrM hello_cmdrNrrsr)rrmechsrMrs r1_authenticate_defaultr($s !  ))E ''F.."C(. {7K7K(KC$ %LLULCGGH\^`aE e #&{D/J J&{D-H H";mDDr3r&)rLr') r r!r#r$r"r%r&r'r(z!Mapping[str, Callable[..., None]] _AUTH_MAPcJeZdZddZe ddZd dZd dZd dZy) _AuthContextc.||_d|_||_yr.)rrr)r0rrs r1r2z_AuthContext.__init__Cs&EI% r3cttj|j}|rtt|||Syr.)_SPECULATIVE_AUTH_MAPrsrLrr+)credsrspec_clss r1from_credentialsz_AuthContext.from_credentialsHs2),,U__=  hug&>? ?r3ctr.)NotImplementedErrorr/s r1rz_AuthContext.speculate_commandQs!!r3c&|j|_yr.)r)r0hellos r1parse_responsez_AuthContext.parse_responseTs(-(F(F%r3c,t|jSr.)rCrr/s r1rz _AuthContext.speculate_succeededWsD1122r3N)rrKrtuple[str, int]r@rA)r/rKrr8r@zOptional[_AuthContext]r@z"Optional[MutableMapping[str, Any]])r5zHello[Mapping[str, Any]]r@rA)r@rC) rErFrGr2 staticmethodr1rr6rrJr3r1r+r+BsC )8 "G3r3r+c8eZdZ dfd ZddZxZS)rcBt|||d|_||_yr.)superr2rrL)r0rrrL __class__s r1r2z_ScramContext.__init__\s" g.9="r3ct|j|j\}}}|jj|d<||f|_|SNdb)rrrLrMr)r0rrrs r1rz_ScramContext.speculate_commandcsE!:4;K;KT^^!\z3$$++D  *- r3)rrKrr8rLrr@rAr9)rErFrGr2r __classcell__)r>s@r1rr[s-#*#5D#QT# #r3rceZdZddZy)rcnddd}|jj|jj|d<|S)Nrr#)rrLru)rrN)r0rs r1rz_X509Context.speculate_commandms8 ~>    $ $ 0**33CK r3N)r@zMutableMapping[str, Any]rErFrGrrJr3r1rrlsr3rceZdZddZy) _OIDCContextct|j|j}|j}|y|jj|d<|Sr@)rrrget_spec_auth_cmdrM)r0 authenticatorrs r1rz_OIDCContext.speculate_commandusH*4+;+;T\\J --/ ;$$++D  r3Nr9rErJr3r1rGrGtsr3rG)r#r&r'r"r(r.cf|j}t|}|dk(rt|||y|||y)zAuthenticate connection.r"N)rLr)r)rrreauthenticaterL auth_funcs r1rrs7%%I)$IN";n=+t$r3)rtrrM Optional[str]rurrvrrwrYrxrNr@rK)rrrrr@r)rrr@zDict[bytes, bytes])rrKrLrr@z-tuple[bytes, bytes, MutableMapping[str, Any]])rrKrrrLrr@rA)rNrrOrr@r)rrrNrrOrr@r)rrr@r)rrKrrr@rA)F)rrKrrrLrCr@rA)R__doc__ __future__r functoolsrrrrrbase64rr collectionsrrrr r r r r r urllib.parser bson.binaryrpymongo.auth_awsrpymongo.auth_oidcrrrrrrpymongo.errorsrrpymongo.saslprepr pymongo.hellor pymongo.poolrrr winkerberosrtuplemaprD __version__r ImportError frozenset MECHANISMSr*rKrRrWrrrrrrrrrrrrr(partialr)__annotations__r+rrrGr.rrJr3r1res" 9"   .@%#'  " Sh**005bq9 :;vE   :.T?S6,/B.CD:sT sT sT sT  sT  sT  sTsTl@ " "-0"2"$PLf  l3^ #  E$#(&$& $9$$%8MR&Y&&':oV$ 0 , 332L"<<!$9$$]mL&Y&&}P  y  /J ,(LQ %  %(2 %DH %  %S  s64G,,H2G76H7H>HHHH