hfUdZddlZddlZddlZddlZddlZ ddlmZddlm Z ddl m Z ddl m Z ddlmZdZdd lmZmZmZdd lmZdd lmZmZmZdd lmZddlm Z m!Z!m"Z"ddl#m$Z$ddl%m&Z&m'Z'm(Z(m)Z)ddl*m+Z+ddl,m-Z-m.Z.ddl/m0Z0ddl1m2Z2ddl3m4Z4ddl5m6Z6ddl7m8Z8dZ9dZ:dZ;ee$eZ<ee!eZ=ej|dZ?GddeZ@Gdd eZAGd!d"eZBGd#d$eZCy#e$rd ZeZYwxYw)%z8Support for explicit client-side field level encryption.N) AutoEncrypter)MongoCryptError)ExplicitEncrypter)MongoCryptOptions)MongoCryptCallbackTF) _dict_to_bsondecodeencode) CodecOptions)BinarySTANDARD UUID_SUBTYPE) BSONError)DEFAULT_RAW_BSON_OPTIONSRawBSONDocument _inflate_bson)SON)ConfigurationErrorEncryptionErrorInvalidOperationServerSelectionTimeoutError) MongoClient)_configured_socket PoolOptions) ReadConcern)get_ssl_context) parse_host) WriteConcern) _spawn_daemoni i)document_classuuid_representationc#`K dy#t$rt$r}t|d}~wwxYww)z2Context manager to wrap encryption related errors.N)r Exceptionr)excs U/var/www/html/ranktracker/api/venv/lib/python3.12/site-packages/pymongo/encryption.py_wrap_encryption_errorsr'Es5#   #c""#s. .+ &+.cBeZdZdZdZdZdZdZdZdZ dZ d Z y ) _EncryptionIOc|tj||_nd|_|jtt dt d|_||_||_ d|_ y)z8Internal class to perform I/O on behalf of pymongocrypt.Nmajority)level)w) codec_options read_concern write_concernF) weakrefref client_ref with_options_KEY_VAULT_OPTSrrkey_vault_collmongocryptd_clientopts_spawned)selfclientr6r7r8s r&__init__z_EncryptionIO.__init__Ssd  %kk&1DO"DO,99)$:6&4:6#5  c |j}|j}t|t\}}t dddddddd}t t t |}t||f|} |j||jdkDr<|j|j} |j| |jdkDr<|jy#|jwxYw)zComplete a KMS request. :Parameters: - `kms_context`: A :class:`MongoCryptKmsContext`. :Returns: None NT)connect_timeoutsocket_timeout ssl_contextr) endpointmessager _HTTPS_PORTrr_KMS_CONNECT_TIMEOUTrsendall bytes_neededrecvfeedclose) r: kms_contextrBrChostportctxr8conndatas r& kms_requestz_EncryptionIO.kms_requestbs''%%+6 ddD$dD$M+?*>'*,"4,5  LL !**Q.yy!9!9:  &**Q. JJLDJJLs #ACC"c|j|jt|5}|D]}t|dtccdddS dddy#1swYyxYw)aGet the collection info for a namespace. The returned collection info is passed to libmongocrypt which reads the JSON schema. :Parameters: - `database`: The database on which to run listCollections. - `filter`: The filter to pass to listCollections. :Returns: The first document from the listCollections command response as BSON. )filterFN)r3list_collectionsrr_DATA_KEY_OPTS)r:databaserScursordocs r&collection_infoz_EncryptionIO.collection_info{ss__ x ( 9 9&v.:0 A39 A$S%@@ A A A A A AsAAA#cd|_|jjxsdg}|j|jjt |y)z~Spawn mongocryptd. Note this method is thread safe; at most one mongocryptd will start successfully. T mongocryptdN)r9r8_mongocryptd_spawn_pathextend_mongocryptd_spawn_argsr)r:argss r&spawnz_EncryptionIO.spawns@   11B]C DII556dr=c|js&|jjs|jt |t } |j |j|t }|jS#t$rY|jjr|j|j |j|t }Y|jSwxYw)zMark a command for encryption. :Parameters: - `database`: The database on which to run this command. - `cmd`: The BSON command to run. :Returns: The marked command response from mongocryptd. r.) r9r8_mongocryptd_bypass_spawnr`rrr7commandrraw)r:rVcmd inflated_cmdress r& mark_commandz_EncryptionIO.mark_commands}}TYY%H%H JJL%S*BC  8))(3;;6<8Cww+ 8yy22 JJL))(3;;6<8Cww 8s$A44ACCc#K|jjt|5}|D]}|j dddy#1swYyxYww)zYields one or more keys from the key vault. :Parameters: - `filter`: The filter to pass to find. :Returns: A generator which yields the requested keys from the key vault. N)r6findrre)r:rSrWkeys r& fetch_keysz_EncryptionIO.fetch_keyssO % %of&= > & gg     s%AA AA Act|}|jd}t|tjs t d|j j|t|jtS)zInsert a data key into the key vault. :Parameters: - `data_key`: The data key document to insert. :Returns: The _id of the inserted data key document. _idzdata_key _id must be a UUID)subtype) rget isinstanceuuidUUID TypeErrorr6 insert_oner bytesr)r:data_keyraw_doc data_key_ids r&insert_data_keyz_EncryptionIO.insert_data_keys]"(+kk%( +tyy19: : &&w/k''>>r=ct|S)zEncode a document to BSON. A document can be any mapping type (like :class:`dict`). :Parameters: - `doc`: mapping type representing a document :Returns: The encoded BSON bytes. )r )r:rXs r& bson_encodez_EncryptionIO.bson_encodesc{r=c|d|_d|_|jr"|jjd|_yy)zjRelease resources. Note it is not safe to call this method from __del__ or any GC hooks. N)r3r6r7rJr:s r&rJz_EncryptionIO.closes; "  " "  # # ) ) +&*D # #r=N) __name__ __module__ __qualname__r<rQrYr`rirmr{r}rJr=r&r)r)Rs0 2A$ 8 ?"  +r=r)c:eZdZdZdZdZdZdZedZ y) _Encrypterc|jd}nt|jdt}t|t |j ||_|j|_d|_y)a1Encrypts and decrypts MongoDB commands. This class is used to support automatic encryption and decryption of MongoDB commands. :Parameters: - `io_callbacks`: A :class:`MongoCryptCallback`. - `opts`: The encrypted client's :class:`AutoEncryptionOpts`. NF) _schema_maprrUrr_kms_providers_auto_encrypter_bypass_auto_encryption_closed)r: io_callbacksr8 schema_maps r&r<z_Encrypter.__init__s`    #J&t'7'7OJ,\;L   <- .'+'C'C$ r=c|j|xr|jdd}t|||}t5|jj ||}t |t}|r||d<|cdddS#1swYyxYw)abEncrypt a MongoDB command. :Parameters: - `database`: The database for this command. - `cmd`: A command document. - `check_keys`: If True, check `cmd` for invalid keys. - `codec_options`: The CodecOptions to use while encoding `cmd`. :Returns: The encrypted command to execute. z $clusterTimeN) _check_closedpoprr'rencryptrr) r:rVrf check_keysr. cluster_time encoded_cmd encrypted_cmd encrypt_cmds r&rz_Encrypter.encrypts "Ccggnd&C #C]C $ &  0088;OM'79K.: N+   s 5A==Bc|jt5|jj|cdddS#1swYyxYw)zDecrypt a MongoDB command response. :Parameters: - `response`: A MongoDB command response as BSON. :Returns: The decrypted command response. N)rr'rdecrypt)r:responses r&rz_Encrypter.decrypts?  $ & :''//9 : : :s AA c2|jr tdy)Nz"Cannot use MongoClient after close)rrrs r&rz_Encrypter._check_closed&s <<"#GH H r=cFd|_|jjy)zCleanup resources.TN)rrrJrs r&rJz_Encrypter.close*s  ""$r=c|jxs|}|jjdd\}}|||}t|jdt }t ||||}t||S)a Create a _CommandEncyptor for a client. :Parameters: - `client`: The encrypted MongoClient. - `opts`: The encrypted client's :class:`AutoEncryptionOpts`. :Returns: A :class:`_CommandEncrypter` for this client. .F)connectserverSelectionTimeoutMS)_key_vault_client_key_vault_namespacesplitr_mongocryptd_uri_MONGOCRYPTD_TIMEOUT_MSr)r)r;r8key_vault_clientdbcollr6r7rs r&createz_Encrypter.create/s| 11;V,,223:D)"-d3(  ! !5%<>% N$6> ,--r=N) rrrr<rrrrJ staticmethodrrr=r&rrs0&4 :I% ..r=rceZdZdZdZdZy) Algorithmz9An enum that defines the supported encryption algorithms.z+AEAD_AES_256_CBC_HMAC_SHA_512-Deterministicz$AEAD_AES_256_CBC_HMAC_SHA_512-RandomN)rrr__doc__+AEAD_AES_256_CBC_HMAC_SHA_512_Deterministic$AEAD_AES_256_CBC_HMAC_SHA_512_Randomrr=r&rrGsC50 /)r=rcHeZdZdZdZ d dZd dZdZdZdZ d Z d Z y) ClientEncryptionz,Explicit client-side field level encryption.c>ts tdt|ts t d||_||_||_||_|jdd\}}|||}td|dd|_ t|jt|d|_y)a Explicit client-side field level encryption. The ClientEncryption class encapsulates explicit operations on a key vault collection that cannot be done directly on a MongoClient. Similar to configuring auto encryption on a MongoClient, it is constructed with a MongoClient (to a MongoDB cluster containing the key vault collection), KMS provider configuration, and keyVaultNamespace. It provides an API for explicitly encrypting and decrypting values, and creating data keys. It does not provide an API to query keys from the key vault collection, as this can be done directly on the MongoClient. See :ref:`explicit-client-side-encryption` for an example. :Parameters: - `kms_providers`: Map of KMS provider options. Two KMS providers are supported: "aws" and "local". The kmsProviders map values differ by provider: - `aws`: Map with "accessKeyId" and "secretAccessKey" as strings. These are the AWS access key ID and AWS secret access key used to generate KMS messages. - `azure`: Map with "tenantId", "clientId", and "clientSecret" as strings. Additionally, "identityPlatformEndpoint" may also be specified as a string (defaults to 'login.microsoftonline.com'). These are the Azure Active Directory credentials used to generate Azure Key Vault messages. - `gcp`: Map with "email" as a string and "privateKey" as `bytes` or a base64 encoded string (unicode on Python 2). Additionally, "endpoint" may also be specified as a string (defaults to 'oauth2.googleapis.com'). These are the credentials used to generate Google Cloud KMS messages. - `local`: Map with "key" as `bytes` (96 bytes in length) or a base64 encoded string (unicode on Python 2) which decodes to 96 bytes. "key" is the master key used to encrypt/decrypt data keys. This key should be generated and stored as securely as possible. - `key_vault_namespace`: The namespace for the key vault collection. The key vault collection contains all data keys used for encryption and decryption. Data keys are stored as documents in this MongoDB collection. Data keys are protected with encryption by a KMS provider. - `key_vault_client`: A MongoClient connected to a MongoDB cluster containing the `key_vault_namespace` collection. - `codec_options`: An instance of :class:`~bson.codec_options.CodecOptions` to use when encoding a value for encryption and decoding the decrypted BSON value. This should be the same CodecOptions instance configured on the MongoClient, Database, or Collection used to access application data. .. versionadded:: 3.9 zclient-side field level encryption requires the pymongocrypt library: install a compatible version with: python -m pip install 'pymongo[encryption]'zDcodec_options must be an instance of bson.codec_options.CodecOptionsrrN)_HAVE_PYMONGOCRYPTrrrr rurrr_codec_optionsrr) _io_callbacksrr _encryption)r: kms_providerskey_vault_namespacerr.rrr6s r&r<zClientEncryption.__init__Rsn"$>? ? -6>? ?,$7!!1+&,,S!4D)"-d3*4tL,    1- FHr=Nc|jt5|jj|||cdddS#1swYyxYw)a Create and insert a new data key into the key vault collection. :Parameters: - `kms_provider`: The KMS provider to use. Supported values are "aws" and "local". - `master_key`: Identifies a KMS-specific key used to encrypt the new data key. If the kmsProvider is "local" the `master_key` is not applicable and may be omitted. If the `kms_provider` is "aws" it is required and has the following fields:: - `region` (string): Required. The AWS region, e.g. "us-east-1". - `key` (string): Required. The Amazon Resource Name (ARN) to the AWS customer. - `endpoint` (string): Optional. An alternate host to send KMS requests to. May include port number, e.g. "kms.us-east-1.amazonaws.com:443". If the `kms_provider` is "azure" it is required and has the following fields:: - `keyVaultEndpoint` (string): Required. Host with optional port, e.g. "example.vault.azure.net". - `keyName` (string): Required. Key name in the key vault. - `keyVersion` (string): Optional. Version of the key to use. If the `kms_provider` is "gcp" it is required and has the following fields:: - `projectId` (string): Required. The Google cloud project ID. - `location` (string): Required. The GCP location, e.g. "us-east1". - `keyRing` (string): Required. Name of the key ring that contains the key to use. - `keyName` (string): Required. Name of the key to use. - `keyVersion` (string): Optional. Version of the key to use. - `endpoint` (string): Optional. Host with optional port. Defaults to "cloudkms.googleapis.com". - `key_alt_names` (optional): An optional list of string alternate names used to reference a key. If a key is created with alternate names, then encryption may refer to the key by the unique alternate name instead of by ``key_id``. The following example shows creating and referring to a data key by alternate name:: client_encryption.create_data_key("local", keyAltNames=["name1"]) # reference the key with the alternate name client_encryption.encrypt("457-55-5462", keyAltName="name1", algorithm=Algorithm.Random) :Returns: The ``_id`` of the created data key document as a :class:`~bson.binary.Binary` with subtype :data:`~bson.binary.UUID_SUBTYPE`. ) master_key key_alt_namesN)rr'rcreate_data_key)r: kms_providerrrs r&rz ClientEncryption.create_data_keysMr  $ & -##33+4- - - -s AA cN|j|.t|tr|jtk(s t dt d|i|j}t5|jj||||}t|dcdddS#1swYyxYw)aEncrypt a BSON value with a given key and algorithm. Note that exactly one of ``key_id`` or ``key_alt_name`` must be provided. :Parameters: - `value`: The BSON value to encrypt. - `algorithm` (string): The encryption algorithm to use. See :class:`Algorithm` for some valid options. - `key_id`: Identifies a data key by ``_id`` which must be a :class:`~bson.binary.Binary` with subtype 4 ( :attr:`~bson.binary.UUID_SUBTYPE`). - `key_alt_name`: Identifies a key vault document by 'keyAltName'. :Returns: The encrypted value, a :class:`~bson.binary.Binary` with subtype 6. Nz2key_id must be a bson.binary.Binary with subtype 4vrb)key_id key_alt_name) rrrr rprrur rr'rrr )r:value algorithmrrrX encrypted_docs r&rzClientEncryption.encrypts$   66*,.DF Fc5\1D1DE $ & . ,,44YvL5JM-(- . . .s $-BB$c:|jt|tr|jdk(s t dt 5t d|i}|jj|}t||jdcdddS#1swYyxYw)zDecrypt an encrypted value. :Parameters: - `value` (Binary): The encrypted value, a :class:`~bson.binary.Binary` with subtype 6. :Returns: The decrypted BSON value. zB*I$r=r)Dr contextlibos subprocessrsr1pymongocrypt.auto_encrypterrpymongocrypt.errorsrpymongocrypt.explicit_encrypterrpymongocrypt.mongocryptrpymongocrypt.state_machinerr ImportErrorobjectbsonrr r bson.codec_optionsr bson.binaryr r r bson.errorsr bson.raw_bsonrrrbson.sonrpymongo.errorsrrrrpymongo.mongo_clientr pymongo.poolrrpymongo.read_concernrpymongo.ssl_supportrpymongo.uri_parserrpymongo.write_concernrpymongo.daemonrrDrErrUr5contextmanagerr'r)rrrrr=r&rs?    93A9= /.+''"**99-8,/).( ShOo3;=  # #V+&V+rY.Y.x00\$v\$c   s C99 DD