h^ rdZddlZddlZddlZddlZddlZ ddlmZdZ dZ ddl Z eeee j"j%ddddk\rdZ dd lmZmZdd lmZdd lmZdd lmZmZmZdd lmZddl m!Z!ddl"m#Z#m$Z$ddl%m&Z&e'gdZ( Gdde)Z*edgdZ+ edgdZ, eddgZ- dZ.erdZ/ej`Z1ejdZ3nddl4m5Z6ddl4m7Z8dZ/ee6fdZ1e8fd Z3 dd!l9m:Z; dd#lmZQd?ZRy#e$r ddl mZYwxYw#e$r ddl Z n #e$rdZ YnwxYwYwxYw#e$r dd!lm:Z;n#e$rd"Z;YnwxYwYwxYw#e$rerd$Z=ne>fd%Z=e=fd&ZF "7  %#/'  t[$tLL    $%RS S  &K"7bc ct[$dDII    $%bc c  &K"7$T YY8"= &NN+>?1BCt[$tLL  ;H; t_dFD$OO 7H7 >$%>? ?t_dFD&(SSr%c djt||Dcgc]\}}t||z gc}}Scc}}w)z+XOR two byte strings together (python 3.x).r%)joinzipbytesfirsecxys r#_xorres3xxCSMBDAqAwBCCBs< )hexlify) unhexlifyc djt||Dcgc]%\}}tt|t|z 'c}}Scc}}w)z+XOR two byte strings together (python 2.x).r%)r]r^chrordr`s r#reres:xx#c3-H$!QSVc!f_-HIIHs*A c |||dS)z3An implementation of int.from_bytes for python 2.x.r7)valuedummy_int_hexlifys r# _from_bytesrqsHUOR((r%c*dd|zfz}|||zS)z1An implementation of int.to_bytes for python 2.x.z%%0%dxrr7)rmlengthrn _unhexlifyfmts r# _to_bytesrvs!!f*&#+&&r%) pbkdf2_hmacc tj|dtt|}|fd}t}t }||dz}||d} t |dz D]} ||}| ||dz} || |jdS)z'A simple implementation of PBKDF2-HMAC.Ncd|j}|j||jS)zGet a digest for msg.)copyupdatedigest)msgmac_macs r#_digestz_hi.._digests%xxz C {{}$r%sbig)hmacHMACgetattrhashlibrqrvrange digest_size) hash_namersalt iterationsr~r from_bytesto_bytes_u1_ui_s r#_hirs))D$(CDC!$ % %J H$!445CS%(C:>* .clz#u-- .C%8 8r%)compare_digestc ||z Sr r7)abs r# _xor_bytesrs q5Lr%c$||||z Sr r7)rr_ords r#rrs7T!W$ $r%cd}|}t|t|k(r|}d}t|t|k7r|}d}t||D]\}}|||z}dk(S)Nrr)lenr^)rrrleftrightresultrcrds r#rrsu q6SV DF q6SV DFe$ 'DAq jA& &F '{r%cDtd|jdDS)z-Split a scram response into key, value pairs.c3@K|]}|jddyw)=rN)split).0items r# z(_parse_scram_response..sE 4#Es,)dictr)responses r#_parse_scram_responsers Et0DE EEr%c  |j}|jdjddjdd}tt j d}d|zdz|z}t d d |fd td |zfd dddifg}|||fS)Nutf-8rs=3Drs=2C sn=s,r= saslStartrr9payloadsn,, autoAuthorizeroptionsskipEmptyExchangeT)r;encodereplacerosurandomrr ) credentialsr9r;rSnonce first_barecmds r#_authenticate_scram_startrs##H ??7 # + +D& 9 A A$ OD rzz"~ .E&.J  ) $ v 23 4 ,d3 4   C *c !!r%c8|j}|dk(r7d}tj}t|jj d}n7d}tj }t||jj d}|j}|j}tj} |jj|} | r,| jr| j\} } | j } n"t#||\} } }|j%||} | d}t'|}t)|d}|dkr t+d|d }|d }|j-| s t+d d |z}|j.r|j.\}}}}nd \}}}}|r ||k7s||k7rRt1||t3||}| |d|j5}| |d|j5}||||f|_||j5}dj7| ||f}| |||j5}dt9t;||z}dj7||f}t9| |||j5}t=dd| dfdt?|fg}|j%||} t'| d}tA|d|s t+d| dsAt=dd| dfdt?dfg}|j%||} | ds t+dyy)zAuthenticate using SCRAM.rsha256rsha1riiz+Server returned an invalid iteration count.srz!Server returned an invalid nonce.s c=biws,r=)NNNNs Client Keys Server Keyrsp= saslContinuerconversationIdvz%Server returned an invalid signature.doner%z%SASL conversation failed to complete.N)!r;rrrr<rr_password_digestr:r>rrauth_ctxrPspeculate_succeeded scram_dataspeculative_authenticatercommandrintr startswithrrrr|r]rrerr r) r sock_infor9r;r| digestmodrr:r>_hmacctxrrresr server_firstparsedrrrnonce without_proof client_key server_keycsalt citerations salted_pass stored_keyauth_msg client_sig client_proof client_final server_sigs r#_authenticate_scramr s8##HO#NN  ,,-44W=LL +*>*>?FFwO   F   E IIE     -C s&&(NNz**!:; !Rz3,y>L "< 0FVD\"JDLMM $>@J-d:z.JKKL99m\:;L#E*h $J$Q$Q$STJ  s#34 5 |, -  C   FC (C "3y> 2F &, 3FGG v;#!3'7#89F3K(  ,6{"#JK K r%ct|tstdtjt |dk(r t dt|tstdtjt j}|d|}|j|jdt|jS)z0Get a password digest to use for authentication.z password must be an instance of rzpassword can't be emptyz!password must be an instance of z:mongo:r) r(r TypeErrorr2rrOrmd5r{rr hexdigest)r;r<md5hashrs r#rr`s h ,;CWCWYZZ 8}233 h ,KDXDXZ[[kkmG$h /D NN4;;w'( G%%' ((r%ct||}tj}|||}|j|j dt |j S)z*Get an auth key to use for authentication.r)rrrr{rr r)rr;r<r|rrs r# _auth_keyrosN h 1FkkmGh /D NN4;;w'( G%%' ((r%cBtj|dddtjtjd\}}}}} tj|tj }|djS#tj $r|jcYSwxYw)z2Canonicalize hostname following MIT-krb5 behavior.Nr)socket getaddrinfo IPPROTO_TCP AI_CANONNAME getnameinfo NI_NAMEREQDgaierrorlower)hostnameafsocktypeproto canonnamesockaddrnames r#_canonicalize_hostnamerxs06/A/A$1f00&2E2E00 ,B%H!!!(F,>,>? 7==? ??!  !s$A88#BBcts td |j}|j}|j}|j d}|j r t|}|jdz|z}|j|dz|jz}|trOdjt|t|f}tj||tj\}} nrd|vr|j!dd\} } n|d} } tj|tj| | |\}} n(tj|tj\}} |tj"k7r t%d  tj&| d dk7r t%d tj(| } t+d d d| fdg} |j-d| }t/dD]}tj&| t1|d}|dk(r t%d tj(| xsd } t+dd|dfd| fg} |j-d| }|tj"k(sn t%dtj2| t1|ddk7r t%dtj4| tj(| |dk7r t%dtj(| } t+dd|dfd| fg} |j-d| tj6| y#tj6| wxYw#tj8$r}t%t1|d}~wwxYw)zAuthenticate using GSSAPI.zEThe "kerberos" module must be installed to use GSSAPI authentication.r@N:)gssflagsr)rrSdomainr<z&Kerberos context failed to initialize.z*Unknown kerberos failure in step function.r)r9rrrrG rrz+Kerberos authentication failed to complete.z0Unknown kerberos failure during GSS_Unwrap step.z.Unknown kerberos failure during GSS_Wrap step.) HAVE_KERBEROSrr;r<r=addressrBrrArC_USE_PRINCIPALr]rkerberosauthGSSClientInitGSS_C_MUTUAL_FLAGrAUTH_GSS_COMPLETErauthGSSClientStepauthGSSClientResponserrrstrauthGSSClientUnwrapauthGSSClientWrapauthGSSClientCleanKrbError)rrr;r<rYhostservice principalrrrSrrrrrexcs r#_authenticate_gssapirss  V  k)''''00  #  ' ')$/D$$s*T1    *me&9&99G   HHeHouX%GH &88Y1K1K (?#+>>#q#9LD&#+T&D&88%77!%  #44WxGaGabKFC X// /"#KL L@ - ))#r2a7&'VWW 44S9G$+(( C!((c:H2Y Y!33CXi=P9QRR<*+Z[["88=C+)84D+EF"G,%,,[#>X777# Y&''WXX++CXi5H1IJaO&'\]]))#x/M/Mc/RT\]abb&'Z[[44S9G'%x0@'AB(C   k3 /  ' ' ,H ' ' ,   )s3x(()s8E!M5C/L-%B2L-M-MMM3M..M3c|j}|j}|j}d|d|jd}t dddt |fdg}|j ||y)z(Authenticate using SASL PLAIN (RFC 4616)rr)r9rrrN)r:r;r<rrr r)rrr:r;r<rrs r#_authenticate_plainrsn   F##H##H!)84<rjs #  " Sh**005bq9 :;vE:"55.?%    :V.T?S6O.A-BC:-T`D..K I,0J(+X)4>' 938 #DF "$QLh )) r)j#"#@ ( %>,'"(&$ $9$$%8MR&Y&&':oV$  363, L <!$9$$]mL&Y&&}P y  /J &-c#""#  h99. 9 99 9:   #& %)3 %sG 4GG; H GGG8"G'&G8'G1.G80G11G87G8;HHHHHHHHH65H6