3 i]dZddlZddlmZmZddlmZmZddlm Z m Z m Z m Z m Z mZddlmZddlmZdd lmZmZdd lmZdd lmZe rdd lmZ ddlZddlmZm Z!ddl"m#Z#dZ$Gdde#Z%y#e$r ed dwxYw)z LDAP SASL Authentication Plugin.N) b64decode b64encode)sha1sha256) TYPE_CHECKINGAnyCallableListOptionalTuple)uuid4) ERR_STATUS)InterfaceErrorProgrammingError)logger) StrOrBytes) MySQLSocketzwModule gssapi is required for GSSAPI authentication mechanism but was not found. Unable to authenticate with the server)normalize_unicode_string"validate_normalized_unicode_string)MySQLAuthPluginMySQLLdapSaslPasswordAuthPlugincxeZdZUdZgdZeeed<eZ e ed<dZ e eed<dZ eed<dZe eed<dZe eed <d Zeed <dZe eed <dZe ej,ed <dZej0ed<dZe eed<dZe eed<edededefdZdededefdZdedededefdZededefdZ defdZ!de efdZ"de ede#e ee$ffdZ%d edefd!Z&d"ed#ede efd$Z'defd%Z(deddfd&Z)d'edefd(Z*d)e+de$fd*Z,d+e+de$fd,Z-e.defd-Z/e.de$fd.Z0d/d0d"ed#edefd1Z1y)2ra5Class implementing the MySQL ldap sasl authentication plugin. The MySQL's ldap sasl authentication plugin support two authentication methods SCRAM-SHA-1 and GSSAPI (using Kerberos). This implementation only support SCRAM-SHA-1 and SCRAM-SHA-256. SCRAM-SHA-1 amd SCRAM-SHA-256 This method requires 2 messages from client and 2 responses from server. The first message from client will be generated by prepare_password(), after receive the response from the server, it is required that this response is passed back to auth_continue() which will return the second message from the client. After send this second message to the server, the second server respond needs to be passed to auth_finalize() to finish the authentication process. )z SCRAM-SHA-1z SCRAM-SHA-256GSSAPIsasl_mechanismsdef_digest_modeN client_nonce client_salt server_saltkrb_service_principalr iterationsserver_auth_var target_namectx servers_first server_noncebytes1bytes2returncdtt||Dcgc] \}}||z  c}}Scc}}wN)byteszip)r(r)b1b2s \D:\jyotish\venv\Lib\site-packages\mysql/connector/plugins/authentication_ldap_sasl_client.py_xorz$MySQLLdapSaslPasswordAuthPlugin._xoras0C,?@,?&"bb2g,?@AA@s, passwordsaltcdtj|||j}|jSr,)hmacnewrdigest)selfr3r4 digest_makers r1_hmacz%MySQLLdapSaslPasswordAuthPlugin._hmaces)xx$0D0DE ""$$countc|j}|j||dz}|}t|dz D]&}|j||}|j||}(|S)zPrepares Hi Hi(password, salt, iterations) where Hi(p,s,i) is defined as PBKDF2 (HMAC, p, s, i, output length of H). sr)encoder;ranger2)r9r3r4r=pwhiaux_s r1_hiz#MySQLLdapSaslPasswordAuthPlugin._hiise __  ZZD#66 7uqy!A**R%C2s#B" r<stringcRt|}t|}|td||S)Nz broken_rule: ) norm_ustr valid_normr)rFnorm_str broken_rules r1 _normalizez*MySQLLdapSaslPasswordAuthPlugin._normalizevs3V$ *  " = !>? ?r<cd}ttjdd|_|j |j |j |j}t|tr|jd}|S)aqThis method generates the first message to the server to start the The client-first message consists of a gs2-header, the desired username, and a randomly generated client nonce cnonce. The first message from the server has the form: b'n,a=,n=,r= Returns client's first message z.n,a={user_name},n={user_name},r={client_nonce}-) user_namerutf8) strr replacerformatrL _username isinstancer?)r9 cfm_fprnatcfms r1_first_messagez.MySQLLdapSaslPasswordAuthPlugin._first_message~srF L00b9$++oodnn5**,  c3 **V$C r<cVtjjj|jj dtj j} tj}tjd |j tj,j.tj,j0tj,j2f}|j4r |j4}nd }tjd|tj6|tj j8}||_tj<||t?|d |_ |j@jC} tjd| | S#tjjj$r;}tjd||j|t!d||d}~wwxYw#tjj"j$$r}|j&st!d|| tjdtjj)||j&j dd }|d }n>#tjj"j$$r}t+d ||d}~wwxYwYd}~Pd}~wwxYw#tjj"j$$r}t!d||d}~wwxYw)zGet a TGT Authentication request and initiates security context. This method will contact the Kerberos KDC in order of obtain a TGT. rQ) name_typezE# Stored credentials found, if password was given it will be ignored.z Credentials has expired: %szCredentials has expired: Nz-Unable to retrieve stored credentials error: z5# Attempt to retrieve credentials with given passwordinitiate)usagerz8Unable to retrieve credentials with the given password: z ldap/ldapauthz# service principal: %s)namecredsflagsr]z%Unable to initiate security context: z# initial client token: %s)"gssapirawnames import_namerUr?NameTypeuser Credentialsrdebuglifetime exceptionsExpiredCredentialsErrorwarningacquirermiscGSSError _passwordacquire_cred_with_passwordrRequirementFlagmutual_authenticationextended_errordelegate_to_peerr!Namekerberos_principalr$SecurityContextsumr%step) r9rPcrederracquire_cred_resulterr2flags_lservice_principalservkinitial_client_tokens r1_first_message_krbz2MySQLLdapSaslPasswordAuthPlugin._first_message_krbs JJ$$00 NN ! !& )V__5I5I1  **,D LLW  Q 0  " " 8 8  " " 1 1  " " 3 3   % % $ : :  /  .0AB )K)K !))d#g,j  Y $(88==?   13GH##g::((@@ Q=sC Y'$'@%FGSP Qzz'' >>$CC5I  TU&,jj&K&KNN))&1$'L'# +1-::??++ &NtfU  Vzz'' Y #H!NOUX X Yss)H F#1K-#'H 6HHH'K*/K% AJ! K%!'KKKK%%K*-'L(L##L(tgt_auth_challengectjd||jj|}tjd|tjd|jj||jjfS)a Continue with the Kerberos TGT service request. With the TGT authentication service given response generate a TGT service request. This method must be invoked sequentially (in a loop) until the security context is completed and an empty response needs to be send to acknowledge the server. Args: tgt_auth_challenge the challenge for the negotiation. Returns: tuple (bytearray TGS service request, bool True if context is completed otherwise False). ztgt_auth challenge: %sz# context step response: %sz# context completed?: %s)rrhr%rzcomplete)r9rresps r1auth_continue_krbz1MySQLLdapSaslPasswordAuthPlugin.auth_continue_krbsd  -/ABxx}}/0 2D9 /1B1BCTXX&&&&r<messagec|jjs tdtjd|tjd|jj  |jj |}tjd|tjd|td}tjd ||jj|d }tjd |d t|d |jS#tjjj$r}td||d}~wwxYw)aPAccept handshake and generate closing handshake message for server. This method verifies the server authenticity from the given message and included signature and generates the closing handshake for the server. When this method is invoked the security context is already established and the client and server can send GSSAPI formated secure messages. To finish the authentication handshake the server sends a message with the security layer availability and the maximum buffer size. Since the connector only uses the GSSAPI authentication mechanism to authenticate the user with the server, the server will verify clients message signature and terminate the GSSAPI authentication and send two messages; an authentication acceptance b'' and a OK packet (that must be received after sent the returned message from this method). Args: message a wrapped hssapi message from the server. Returns: bytearray closing handshake message to be send to the server. z"Security context is not completed.z# servers message: %sz# GSSAPI flags in use: %sz# unwraped: %sz!Unable to unwrap server message: Nz# unwrapped server message: %ssz# message response: %sF)encryptz*# wrapped message response: %s, length: %dr)r%rrrrh actual_flagsunwraprarbrj BadMICErrorr bytearraywraplenr)r9runwrapedr|responsewrapeds r1auth_accept_close_handshakez;MySQLLdapSaslPasswordAuthPlugin.auth_accept_close_handshakes2xx  "#GH H ,g6 0$((2G2GH Uxxw/H LL)8 4  5x@ /0 -x8x7 8 1I q N ~~%zz$$00 U #DSE!JKQT T Us#1D'EEE auth_datakwargsc ||_|jj}tjd|||jvr@dj |jdd}t d|d|d|jddd |jvr|jS|jd k(r t|_ |jS) zThis method will prepare the fist message to the server. Returns bytes to send to the server as the first message. z read_method_name_from_server: %sz", "Nz The sasl authentication method "z4" requested from the server is not supported. Only "z" and "z" are supportedGSSAPIs SCRAM-SHA-256) _auth_datadecoderrhrjoinrrrrrY)r9rrauth_mechanismauth_mechanismss r1 auth_responsez-MySQLLdapSaslPasswordAuthPlugin.auth_response)s$//1 7H !5!5 5$kk$*>*>s*CDO 2>2BC;;J:KL,,R01B   '**, , ??. .#)D ""$$r<c|js td|j|j}|j |t |j |j}tjdt|j|j|d}tjdt|j|j|j}tjdt|j|j|d}tjdt|jdjd |j|j d |j"g}tjd |td |j|j dj%j}dj||j&d |d |j(g}tjd||j||j%} tjdt| j|j+|| } tjdt| jt|j||j%j|_tjd|j,djd |d |j(dt| jg} tjd| | j%S)aThis method generates the second message to the server Second message consist on the concatenation of the client and the server nonce, and cproof. c=>,r=,p= where: : xor(, ) : hmac(salted_password, b"Client Key") : hmac(, ) : h() : ,, c=,r= : n=r= z"Missing authentication data (seed)zsalted_password: %ss Client Keyzclient_key: %szstored_key: %ss Server Keyzserver_key: %s,zn=r=zclient_first_no_header: %szn,a=zc=z auth_msg: %szclient_signature: %szclient_proof: %szserver_auth_var: %szp=zsecond_message: %s)rrrLrprErr r"rrhrrr;rr8rrUrr?r&r'r2r#) r9passwsalted_password client_key stored_key server_keyclient_first_no_header client_headerauth_msgclient_signature client_proofmsgs r1_second_messagez/MySQLLdapSaslPasswordAuthPlugin._second_messageGs" !EF F/((5)D4D4D*EtW *Io,F,M,M,OPZZ?  %y'<'C'C'EF))*5<<>  %y'<'C'C'EFZZ?  %y'<'C'C'EF!$T__T^^456T&&'( "   13IJ!4??4>>231 5 < < > &( 88&""]O$T&&'(     ^X.::j(//2CD +Y7G-H-O-O-QRyy-=>  '<)@)G)G)IJ( JJz8??#4 5 &(   *D,@,@Ahh]O$T&&'(Y|,33567    )3/zz|r<c|rt|ttfstdt | |j }||_|jd\}}}|jdr"|jdr|jdstd||j|vr+|dd|_ tjd |jntd ||dd|_tjd |jt|j |dd}tjd |t!||_y#t$rtddwxYw#t$$r}td ||d}~wwxYw)zValidates first message from the server. Extracts the server's salt and iterations from the servers 1st response. First message from the server is in the form: ,i= zUnexpected server message: rNrzs=zi=z$Incomplete reponse from the server: rzserver_nonce: %sz:Unable to authenticate response: response not well formed zserver_salt: %s length: %sziterations: %sz-Unable to authenticate: iterations not found )rVrr-rreprrr&split ValueError startswithrr'rrhr rintr" Exception)r9r&servers_first_strr_server_nonces_salt i_counterr|s r1_validate_first_reponsez7MySQLLdapSaslPasswordAuthPlugin._validate_first_reponsesJ}y%>P$Q #>tM?R>S!TU U  - 4 4 6 !2D 0A0G0G0L -NFI ))$/$$T*''- 67H6IJ     . .qr 2D  LL+T->-> ? L$%' "!": (      !  !!" I LL)9 5!)nDO;  -.?-@A  <  ?@Q?RS  s#,E$+E,E), F 5FF servers_first_responsecD|j||jS)zwreturn the second message from the client. Returns bytes to send to the server as the second message. )rr)r9rs r1 auth_continuez-MySQLLdapSaslPasswordAuthPlugin.auth_continues" $$%;<##%%r<servers_secondc|r/t|trt|dks|jds t d|ddj }t jd||j|k(S)aXValidates second message from the server. The client and the server prove to each other they have the same Auth variable. The second message from the server consist of the server's proof: server_proof = HMAC(, ) where: : hmac(, b"Server Key") : ,, c=,r= Our server_proof must be equal to the Auth variable send on this second response. rsv=z'The server's proof is not well formatedNzserver auth variable: %s) rVrrrrrrrhr#)r9r server_vars r1_validate_second_reponsez8MySQLLdapSaslPasswordAuthPlugin._validate_second_reponsesm"ni8>"a'!,,U3 !JK K#AB'..0  /<##z11r<servers_second_responsec<|j|s tdy)zfinalize the authentication process. Raises InterfaceError if the ervers_second_response is invalid. Returns True in successful authentication False otherwise. z6Authentication failed: Unable to proof server identityT)rr)r9rs r1 auth_finalizez-MySQLLdapSaslPasswordAuthPlugin.auth_finalizes(,,-DE H r<cy)zPlugin official name.authentication_ldap_sasl_clientr9s r1r^z$MySQLLdapSaslPasswordAuthPlugin.names1r<cy)z'Signals whether or not SSL is required.Frrs r1 requires_sslz,MySQLLdapSaslPasswordAuthPlugin.requires_sslsr<sockrc vtjd||jd|_|j|fi|}| t dtjd|t ||j||j}tjd|t |dk\r|dd k(r|dd k(ry|dd}|j|}|j||j}|dd k(r.|dd k(r%|j|ddr|j}t|S|d k(r|d tk7rd}tjdtjd|d|dztjdt |tjdd} d} | s| dkrtjdd| dzdtjd|tjd|d|dz|j||d\} } tjd| |j| xsd|j}| dz } | s| dkr| st d| d|tjd|t ||j||d} tjd| t | |j| |j}tjd||j}tjd |t|S)!aSHandles server's `auth switch request` response. Args: sock: Pointer to the socket connection. auth_data: Plugin provided data (extracted from a packet representing an `auth switch request` response). kwargs: Custom configuration to be passed to the auth plugin when invoked. The parameters defined here will override the ones defined in the auth plugin itself. Returns: packet: Last server's response after back-and-forth communication. z# auth_data: %sr!NzGot a NULL auth responsez# request: %s size: %sz# server response packet: %sr=vrz*# Continue with sasl GSSAPI authenticationz# response header: %srz# response size: %sz# Negotiate a service requestFrz%s Attempt %s %sz--------------------z<< server response: %sz# response code: %sz >> response to server: %sr<z'Unable to fulfill server request after z! attempts. Last server response: z0 last GSSAPI response from server: %s length: %dz* >> last response to server: %s length: %dz"<< final handshake from server: %sz<< ok packet from server: %s)rrhgetr!rrrsendrecvrrrrrr-) r9rrrrpacket dec_response cresponse rcode_sizertriesrz last_steps r1auth_switch_responsez4MySQLLdapSaslPasswordAuthPlugin.auth_switch_responses"  & 2%+ZZ0G%H"%4%%i:6:   !;< < -xXG ( 3V< v;! q S 0VAY"_!!":L**<8I IIi YY[FayCF1IO%%fQRj1!YY[FXV}W) #q Z(?J LLE F LL0&9I:>2J K LL.F < LL8 9HE519 /519hO 5v> 2F;KZ!^4LM!%!7!7z{8K!Lh 94@ $+#& 519$=eWE77=h@ LLBF   88 9LMI LL<I  IIi YY[F LL=v FYY[F LL7 @V}r<)2__name__ __module__ __qualname____doc__rr rR__annotations__rrr rr rrr r!r"rr#r$rarvr%rxr&r' staticmethodr-r2r;rErLrYrr boolrrrrrrrrrpropertyr^rrrr<r1rrAsr$"LOT#YK $OX$"&L(3-&K!%K#%+/8C=/J%)OXc]))-K&++&-"&C  &#'M8C='"&L(3-&BUBEBeBB%e%5%U% C u S U 33,G$HUOG$R'"*5/' x$ %'0252U2h%%% % %rs|:' ' FF'5%?OoO#     s A00A?