AahxTdZddlZddlZddlZddlmZddlmZddlm Z m Z m Z m Z ddl mZddlmZmZdd lmZe rdd lmZ ddlZn$#e$rdZejd kr ed dYnwxYw ddlZddlZn#e$rdZdZYnwxYwd dlmZejd krdndZGddeZGddeZGddeZdS)zKerberos Authentication Plugin.N)abstractmethod)Path) TYPE_CHECKINGAnyOptionalTuple) ERR_STATUS)InterfaceErrorProgrammingError)logger) MySQLSocketntzwModule gssapi is required for GSSAPI authentication mechanism but was not found. Unable to authenticate with the server)MySQLAuthPluginMySQLSSPIKerberosAuthPluginMySQLKerberosAuthPluginceZdZdZedefdZedefdZe de e de e e effdZ ddd e d ede fd Zd S) MySQLBaseKerberosAuthPluginz8Base class for the MySQL Kerberos authentication plugin.returncdS)zPlugin official name.authentication_kerberos_clientselfs h/var/www/lms/venv/lib/python3.11/site-packages/mysql/connector/plugins/authentication_kerberos_client.pynamez MySQLBaseKerberosAuthPlugin.nameLs 0/cdS)z'Signals whether or not SSL is required.Frrs r requires_sslz(MySQLBaseKerberosAuthPlugin.requires_sslQs urtgt_auth_challengecdS)!Continue with the Kerberos TGT service request. With the TGT authentication service given response generate a TGT service request. This method must be invoked sequentially (in a loop) until the security context is completed and an empty response needs to be send to acknowledge the server. Args: tgt_auth_challenge: the challenge for the negotiation. Returns: tuple (bytearray TGS service request, bool True if context is completed otherwise False). Nr)rr!s r auth_continuez)MySQLBaseKerberosAuthPlugin.auth_continueVsrsockr auth_datakwargsc tjd||j|fddi|}|tdtjd|t ||||}tjd||tkrd}tjd tjd |d|d ztjd t |tjd d}d}|s|dkrtjdd|d zdtjd|tjd|d|d z|||d\} }| r|| |rn6|}tjd| |d z }|s|dk|std|d|tjd|t ||}tjd|t|S)aSHandles server's `auth switch request` response. Args: sock: Pointer to the socket connection. auth_data: Plugin provided data (extracted from a packet representing an `auth switch request` response). kwargs: Custom configuration to be passed to the auth plugin when invoked. The parameters defined here will override the ones defined in the auth plugin itself. Returns: packet: Last server's response after back-and-forth communication. z# auth_data: %signore_auth_dataFNzGot a NULL auth responsez# request: %s size: %sz# server response packet: %sz%# Continue with GSSAPI authenticationz# Response header: %srz# Response size: %sz# Negotiate a service requestrz%s Attempt %s %sz--------------------z<< Server response: %sz# Response code: %sz>> Response to server: %sz'Unable to fulfill server request after z! attempts. Last server response: z(Last response from server: %s length: %dz<< Ok packet from server: %s) r debug auth_responser lensendrecvr r$bytes) rr%r&r'responsepacket rcode_sizecompletetriestokens rauth_switch_responsez0MySQLBaseKerberosAuthPlugin.auth_switch_responseis"  & 222%4%iRR%R6RR   !;<< < -xXGGG ( 3V<<< Z  J L@ A A A L0&9I:>9I2J K K K L.F < < < L8 9 9 9HE 5199 /519hOOO 5v>>> 2F;KZ!^;K4LMMM"&"4"4VJKK5H"I"Ix%IIe$$$ 8%@@@  5199 $@e@@7=@@ L:F    YY[[F L7 @ @ @V}}rN)__name__ __module__ __qualname____doc__propertystrrboolr rrr0rr$rr7rrrrrIsBB 0c000X0dX "*5/ x$ %   ^ $C!C.3C?BC CCCCCCrrcFeZdZUdZdZeejed<e de fdZ e de fdZ de dejjjfdZe d edee e ffd Z dd eed edeefd ZdeedeeeeffdZdedefdZdS)rz3Implement the MySQL Kerberos authentication plugin.Ncontextrc" tjd}t|j}|ddkr|dd\}}|S#tjjj$rtj cYSwxYw)z(Get user from credentials without realm.initiateusage@r) gssapi Credentialsr=rfindsplitrawmiscGSSErrorgetpassgetuser)credsuser_s rget_user_from_credentialsz1MySQLKerberosAuthPlugin.get_user_from_credentialss %&Z888Euz??Dyy~~##**S!,,aKz' % % %?$$ $ $ $ %sAA,B BcRtjdtjdkrdtjn!t dd}|stdtj d|dd | d i}|S) zGet a credentials store dictionary. Returns: dict: Credentials store dictionary with the krb5 ccache name. Raises: InterfaceError: If 'KRB5CCNAME' environment variable is empty. KRB5CCNAMEposixz /tmp/krb5cc_z%TEMP%krb5ccz5The 'KRB5CCNAME' environment variable is set to emptyzUsing krb5 ccache name: FILE:%ssccachezFILE:utf-8) osenvirongetrgetuidrjoinpathr r r+encode) krb5ccnamestores r get_storez!MySQLKerberosAuthPlugin.get_storesZ^^ 7g%%-ry{{,,,(^^,,X66     G   6 CCC0J0077@@A rupnctjdtj|tjj}|jd} tj ||d}|j }tj | |tj jddn4#tjjj$r}t#d||d}~wwxYw|S) zAcquire and store credentials through provided password. Args: upn (str): User Principal Name. Returns: gssapi.raw.creds.Creds: GSSAPI credentials. z8Attempt to acquire credentials through provided passwordrXrBrCT)rPmech overwrite set_defaultz7Unable to acquire credentials with the given password: N)r r+rGNameNameTyperQ _passwordr^rKacquire_cred_with_passwordrPstore_cred_intoraMechTypekerberosrLrMr )rrbrQpasswordacquire_cred_resultrPerrs r_acquire_cred_with_passwordz3MySQLKerberosAuthPlugin._acquire_cred_with_passwords  OPPP{3 455>((11 "(*"G"Ghj#H## (-E J & &  _- '    z'   "O#OO   sA.CC4C//C4r2ctjd|ddd}|dd}tjd|d|d|d}||d}tjd|ddd}tjd|d|ddd}||fSaYParse authentication data. Get the SPN and REALM from the authentication data packet. Format: SPN string length two bytes + SPN string + UPN realm string length two bytes + UPN realm string Returns: tuple: With 'spn' and 'realm'. zzz||U\\^^++rr&r'c d}d}|rZ|ddsD ||\}}n*#tj$r}t d||d}~wwxYw||jdzS|jr |jd|nd}tj d|tj d| tj d }t|j }tj d tj d ||dd kr|dd\} } n|} d} |jr |jd|n|}|jr;|j| kr0tj d|j||}| r"| |kr|j||}n#tjjj$r<}|r|j||}nt)d||Yd}~n[d}~wtjjj$r<}|r|j||}nt)d||Yd}~nd}~wwxYwtjjtjjtjjf} tj|tjj} | tjj } tj!| |tE| d |_# |j#$}n4#tjjj$r}t)d||d}~wwxYwtj d||S)z(Prepare the first message to the server.Nr)TInvalid authentication data: rEService Principal: %s Realm: %srBrCzCached credentials foundzCached credentials UPN: %srFrzBThe user from cached credentials doesn't match with the given userzCredentials has expired: z-Unable to retrieve cached credentials error: ) name_type)rrPflagsrD%Unable to initiate security context: Initial client token: %s)%r[rrwerrorInterruptedErrorrir^ _usernamer r+rGrHr=rrIrJrqrK exceptionsExpiredCredentialsErrorr rLrMRequirementFlagmutual_authenticationextended_errordelegate_to_peerrgrhkerberos_principal canonicalizerlrmSecurityContextsumr@step)rr&r'r|r~rprbrP creds_upn creds_user creds_realmrrcnameinitial_client_tokens rr,z%MySQLKerberosAuthPlugin.auth_responses  WVZZ(:DAA W W!229== UU< W W W&'Ls'L'LMMSVV W ;>((**W4 4-1^E))%))) ,c222 [%(((& +*===EEJI L3 4 4 4 L5y A A A~~c""b((*3//#q*A*A' KK& " 15NT^--e---YC~ B$.J">"> !>- <{e338R88==z$< Q Q Q Qt~188==$%F%F%FGGSPz'    t~188==$ICII   " 8  " 1  " 3  {3&/*LMMM!!&/":;;-e3u::Z     Y48L4E4E4G4G z' Y Y Y !N!N!NOOUX X Y  /1EFFF##sR7AAA?DGI,2HI,02I''I,L//M MM r!ctjd||j|}tjd|tjd|jj||jjfS)r#tgt_auth challenge: %szContext step response: %sContext completed?: %s)r r+r@rr4)rr!resps rr$z%MySQLKerberosAuthPlugin.auth_continuedsi"  -/ABBB $ 1 12D E E 0$777 -t|/DEEET\***rmessagec|jjstdtjd|tjd|jj |j|}tjd|nI#tjj j $r-}tjd|td||d}~wwxYwtjd|td }tjd ||j |d }tjd |dt|d|jS)a_Accept handshake and generate closing handshake message for server. This method verifies the server authenticity from the given message and included signature and generates the closing handshake for the server. When this method is invoked the security context is already established and the client and server can send GSSAPI formated secure messages. To finish the authentication handshake the server sends a message with the security layer availability and the maximum buffer size. Since the connector only uses the GSSAPI authentication mechanism to authenticate the user with the server, the server will verify clients message signature and terminate the GSSAPI authentication and send two messages; an authentication acceptance b'' and a OK packet (that must be received after sent the returned message from this method). Args: message: a wrapped gssapi message from the server. Returns: bytearray (closing handshake message to be send to the server). z!Security context is not completedzServer message: %szGSSAPI flags in use: %sz Unwraped: %sz#Unable to unwrap server message: %sz!Unable to unwrap server message: NzUnwrapped server message: %sszMessage response: %sF)encryptz(Wrapped message response: %s, length: %dr)r@r4r r r+ actual_flagsunwraprGrKr BadMICErrorr bytearraywrapr-r)rrunwrapedrpr1wrapeds rauth_accept_close_handshakez3MySQLKerberosAuthPlugin.auth_accept_close_handshake~s[4|$ H"#FGG G )7333 . 0IJJJ U|**733H L 2 2 2 2z$0 U U U L> D D D !JS!J!JKKQT T U  3X>>> /00 +X666""8U";; 6 1I q NN   ~s/BC(CCN)r8r9r:r;r@rrGr__annotations__ staticmethodr=rSdictrarKrPCredsrqr0rrrr,r>r$rrrrrrs==04GXf, -444 %s % % %\ %t\2svz7G7M>,,5c?,,,\,4,0N$N$!%N$;>N$ %N$N$N$N$`+"*5/+ x$ %++++4454U444444rceZdZUdZdZeed<dZeed<ede de e e ffdZ d de e d ede e fd Zd e e de e e effd ZdS)rzDImplement the MySQL Kerberos authentication plugin with Windows SSPINr@ clientauthr2rctjd|ddd}|dd}tjd|d|d|d}||d}tjd|ddd}tjd|d|ddd}||fSrsrvrzs rrz,MySQLSSPIKerberosAuthPlugin._parse_auth_datarrr&r'c Rtjdd}d}|rZ|ddsD ||\}}n*#tj$r}t d||d}~wwxYwtjd|tjd|tttdtj tj f}|j r|j r|j ||j f}nd}|}tjd |tjd |dutjd ||t|tj |_ d} |j| \}} tjd |tjd| tjd|jj| dj} tjd|jjn%#t,$r}t/d||d}~wwxYwtjd| | S)zPrepare the first message to the server. Args: kwargs: ignore_auth_data (bool): if True, the provided auth data is ignored. zauth_response for sspiNr)TrrrzKPackage "pywin32" (Python for Win32 (pywin32) extensions) is not installed.z targetspn: %sz_auth_info is None: %s Negotiate) targetspn auth_infoscflagsdatarepContext step err: %sContext step out_buf: %srrz pkg_info: %srr)r r+r[rrwrrsspiconsspir ISC_REQ_MUTUAL_AUTHISC_REQ_DELEGATErri ClientAuthrSECURITY_NETWORK_DREPr authorize authenticatedBufferpkg_info Exceptionr ) rr&r'r|r~rpr _auth_infordataout_bufrs rr,z)MySQLSSPIKerberosAuthPlugin.auth_responsesc  -...  WVZZ(:DAA W W!229== UU< W W W&'Ls'L'LMMSVV W  ,c222 [%((( ?dl"%  ,g.FG > dn .%@JJJ  _i000 -zT/ABBB*/  JJ1     YD?44T::LC L/ 5 5 5 L3W = = = L14?3P Q Q Q#*1:#4 L)A B B B B Y Y Y !N!N!NOOUX X Y  /1EFFF##s0A A2A--A2BG-- H7H  Hr!cXtjd||j|\}}tjd|tjd||dj}tjd|tjd|jj||jjfS)r#rrrrzContext step resp: %sr)r r+rrrr)rr!rprrs rr$z)MySQLSSPIKerberosAuthPlugin.auth_continue%s"  -/ABBB001CDD W +S111 /999qz  ,d333 -t/LMMMT_222rr)r8r9r:r;r@rrrrr0rr=rrr,r>r$rrrrrsNNGSJ,,5c?,,,\,4,0N$N$!%N$;>N$ %N$N$N$N$`3"*5/3 x$ %333333r) r;rNrYrwabcrpathlibrtypingrrrrauthenticationr errorsr r r networkrrG ImportErrorrrrrAUTHENTICATION_PLUGIN_CLASSrrrrrrrs>>&% 666666666666''''''55555555&%%%%%% MMMM F w$     KKKNNNN DGGG&(W__!!:S ccccc/cccNBBBBB9BBBJK3K3K3K3K3"=K3K3K3K3K3s$A A*)A*.A77 BB