h` jdZddlZddlZddlZddlZddlZ ddlmZdZ dZ ddl Z eeee j"j%ddddk\rdZ dd lmZmZdd lmZdd lmZdd lmZmZmZdd lmZddl m!Z!ddl"m#Z#m$Z$ddl%m&Z&e'gdZ( Gdde)Z*edgdZ+ edgdZ, eddgZ- dZ.erdZ/ej`Z1ejdZ3nddl4m5Z6m7Z8dZ/ee6fdZ1e8fdZ3 dd l9m:Z; dd"lmZRy#e$r ddl mZYwxYw#e$r ddl Z n #e$rdZ YnwxYwYwxYw#e$r dd lm:Z;n#e$rd!Z;YnwxYwYwxYw#e$rerd#Z=ne>fd$Z=e=fd%ZF "7  l8D/<>t[$tLL    $=? ?  &K"756 6t[$dDII    $MO O  &K"7$45 5YY8"= &NN+>?1BCt[$tLL  ;H; t_dFD$OO 7H7 >$%>? ? /4vxA Ar%c djt||Dcgc]\}}t||z gc}}Scc}}w)z+XOR two byte strings together (python 3.x).r%)joinzipbytesfirsecxys r#_xorres3xxCSMBDAqAwBCCBs< )hexlify unhexlifyc djt||Dcgc]%\}}tt|t|z 'c}}Scc}}w)z+XOR two byte strings together (python 2.x).r%)r]r^chrordr`s r#reres:xx#c3-H$!QSVc!f_-HIIHs*A c |||dS)z3An implementation of int.from_bytes for python 2.x.r7)valuedummy_int_hexlifys r# _from_bytesrqsHUOR((r%c*dd|zfz}|||zS)z1An implementation of int.to_bytes for python 2.x.z%%0%dxrr7)rmlengthrn _unhexlifyfmts r# _to_bytesrvs!!f*&#+&&r%) pbkdf2_hmacc tj|dtt|}|fd}t}t }||dz}||d} t |dz D]} ||}| ||dz} || |jdS)z'A simple implementation of PBKDF2-HMAC.Ncd|j}|j||jS)zGet a digest for msg.)copyupdatedigest)msgmac_macs r#_digestz_hi.._digests%xxz C {{}$r%sbig)hmacHMACgetattrhashlibrqrvrange digest_size) hash_namersalt iterationsr~r from_bytesto_bytes_u1_ui_s r#_hirs))D$(CDC!$ % %J H$!445CS%(C:>* .clz#u-- .C%8 8r%)compare_digestc ||z Sr r7)abs r# _xor_bytesrs q5Lr%c$||||z Sr r7)rr_ords r#rrs7T!W$ $r%cd}|}t|t|k(r|}d}t|t|k7r|}d}t||D]\}}|||z}dk(S)Nrr)lenr^)rrrleftrightresultrcrds r#rrsu q6SV DF q6SV DFe$ 'DAq jA& &F '{r%cDtd|jdDS)z-Split a scram response into key, value pairs.c3@K|]}|jddyw)=rN)split).0items r# z(_parse_scram_response..sE 4#Es,)dictr)responses r#_parse_scram_responsers Et0DE EEr%c  |j}|jdjddjdd}tt j d}d|zdz|z}t d d |fd td |zfd dddifg}|||fS)Nutf-8rs=3Drs=2C sn=s,r= saslStartrr9payloadsn,, autoAuthorizeroptionsskipEmptyExchangeT)r;encodereplacerosurandomrr ) credentialsr9r;rSnonce first_barecmds r#_authenticate_scram_startrs##H ??7 # + +D& 9 A A$ OD rzz"~ .E&.J Y'6&:"567#/67 9 :C *c !!r%c8|j}|dk(r7d}tj}t|jj d}n7d}tj }t||jj d}|j}|j}tj} |jj|} | r,| jr| j\} } | j } n"t#||\} } }|j%||} | d}t'|}t)|d}|dkr t+d|d }|d }|j-| s t+d d |z}|j.r|j.\}}}}nd \}}}}|r ||k7s||k7rRt1||t3||}| |d|j5}| |d|j5}||||f|_||j5}dj7| ||f}| |||j5}dt9t;||z}dj7||f}t9| |||j5}t=dd| dfdt?|fg}|j%||} t'| d}tA|d|s t+d| dsAt=dd| dfdt?dfg}|j%||} | ds t+dyy)zAuthenticate using SCRAM.rsha256rsha1riiz+Server returned an invalid iteration count.srz!Server returned an invalid nonce.s c=biws,r=)NNNNs Client Keys Server Keyrsp= saslContinuerconversationIdvz%Server returned an invalid signature.doner%z%SASL conversation failed to complete.N)!r;rrrr<rr_password_digestr:r>rrauth_ctxrPspeculate_succeeded scram_dataspeculative_authenticatercommandrintr startswithrrrr|r]rrerr r) r sock_infor9r;r| digestmodrr:r>_hmacctxrrresr server_firstparsedrrrnonce without_proof client_key server_keycsalt citerations salted_pass stored_keyauth_msg client_sig client_proof client_final server_sigs r#_authenticate_scramrsD##HO#NN  ,,-44W=LL +*>*>?FFwO   F   E IIE     -C s&&(NNz**!: "$z3,y>L "< 0FVD\"JDLMM $>@J-d:z.JKKL99m\:;L# j(I.5579J " #&6"786,/02 3C   FC (C "3y> 2F &, 3FGG v;&$c*:&;<vc{+-.,6{"#JK K r%ct|tstdtjt |dk(r t dt|tstdtjt j}|d|}|j|jdt|jS)z5Get a password digest to use for authentication. z password must be an instance of rzpassword can't be emptyz!password must be an instance of z:mongo:r) r(r TypeErrorr2rrOrmd5r{rr hexdigest)r;r<md5hashrs r#rr^s h ,,7,@,@CD D 8}233 h ,-8-A-ADE EkkmG$h /D NN4;;w'( G%%' ((r%ct||}tj}|||}|j|j dt |j S)z/Get an auth key to use for authentication. r)rrrr{rr r)rr;r<r|rrs r# _auth_keyrpsPh 1FkkmGh /D NN4;;w'( G%%' ((r%cBtj|dddtjtjd\}}}}} tj|tj }|djS#tj $r|jcYSwxYw)z2Canonicalize hostname following MIT-krb5 behavior.Nr)socket getaddrinfo IPPROTO_TCP AI_CANONNAME getnameinfo NI_NAMEREQDgaierrorlower)hostnameafsocktypeproto canonnamesockaddrnames r#_canonicalize_hostnamerzs06/A/A$1f00&2E2E0GGH0J,B%H!!!(F,>,>? 7==? ??!  !s$A88#BBcts td |j}|j}|j}|j d}|j r t|}|jdz|z}|j|dz|jz}|trOdjt|t|f}tj||tj\}} nrd|vr|j!dd\} } n|d} } tj|tj| | |\}} n(tj|tj\}} |tj"k7r t%d  tj&| d dk7r t%d tj(| } t+d d d| fdg} |j-d| }t/dD]}tj&| t1|d}|dk(r t%d tj(| xsd } t+dd|dfd| fg} |j-d| }|tj"k(sn t%dtj2| t1|ddk7r t%dtj4| tj(| |dk7r t%dtj(| } t+dd|dfd| fg} |j-d| tj6| y#tj6| wxYw#tj8$r}t%t1|d}~wwxYw)zAuthenticate using GSSAPI. zEThe "kerberos" module must be installed to use GSSAPI authentication.r@N:)gssflagsr)rrSdomainr<z&Kerberos context failed to initialize.z*Unknown kerberos failure in step function.r)r9rrrrG rrz+Kerberos authentication failed to complete.z0Unknown kerberos failure during GSS_Unwrap step.z.Unknown kerberos failure during GSS_Wrap step.) HAVE_KERBEROSrr;r<r=addressrBrrArC_USE_PRINCIPALr]rkerberosauthGSSClientInitGSS_C_MUTUAL_FLAGrAUTH_GSS_COMPLETErauthGSSClientStepauthGSSClientResponserrrstrauthGSSClientUnwrapauthGSSClientWrapauthGSSClientCleanKrbError)rrr;r<rYhostservice principalrrrSrrrrrexcs r#_authenticate_gssapirs  "KL Ld)''''00  #  ' ')$/D$$s*T1    *me&9&99G   HHeHouX%GH &88Y1K1KM (?#+>>#q#9LD&#+T&D&88h&@&@fxA #44("<"<>KFC X// /"#KL L= - ))#r2a7&(CDD44S9G'.!7++-.C!((c:H2Y M!33C478K4LNR<*,GHH#88=C.,h7G.HI%w/12%,,[#>X777 M"'(LMM ++C,/0C,DFIJK&(IJJ))#*2*H*H*M*24789'(GHH44S9G*((3C*DE!7+-.C   k3 /  ' ' ,H ' ' ,   )s3x(()s8E!M5C/L-%B2L-M-MMM3M..M3c|j}|j}|j}d|d|jd}t dddt |fdg}|j ||y)z-Authenticate using SASL PLAIN (RFC 4616) rr)r9rrrN)r:r;r<rrr r)rrr:r;r<rrs r#_authenticate_plainrsp  F##H##H!)84<ris # " Sh**005bq9 :;vE:"55.?% :V0?0016O.A-BC:2AjD ..K I3J (+X) 4>' 936#>F "LL^)$) k)\ ##2 ( %&>.'"(&$ $9$$}6&Y&&8$  363, L  <!$9$$]mL&Y&&}1@B y  /J &-W#""#  @99. 9 99 98  #& %)3 sG4GG7H GGG4G#"G4#G-*G4,G--G43G47H=HHH HHHHH21H2