o Zh?@sdZddlZddlZddlmZmZmZmZmZm Z m Z m Z ddl Z ddl mZddlmZddlmZdZd ZGd d d Zd d gZdS) z*Base implementation of 0MQ authentication.N)Any AwaitableDictListOptionalSetTupleUnion)_check_version)z85)load_certificates*s1.0c @seZdZUdZded<eed<eed<eeefed<ded<e eed <e eed <eeeeeffed <eeee effed <eed <   d@de dded efddZ dAddZ dAddZdeddfddZdeddfddZ dBded e eeefddfddZ dCded!eeejfddfd"d#Z dBded$eddfd%d&Zd'e defd(d)Z dBded!e eddfd*d+Zd,ee fd-d.Zded/ed0edeee ffd1d2Zded3e deee ffd4d5Zded6e deee ffd7d8Z 9dDd:e d;e dd?ZdS)E AuthenticatoraImplementation of ZAP authentication for zmq connections. This authenticator class does not register with an event loop. As a result, you will need to manually call `handle_zap_message`:: auth = zmq.Authenticator() auth.allow("127.0.0.1") auth.start() while True: await auth.handle_zap_msg(auth.zap_socket.recv_multipart()) Alternatively, you can register `auth.zap_socket` with a poller. Since many users will want to run ZAP in a way that does not block the main thread, other authentication classes (such as :mod:`zmq.auth.thread`) are provided. Note: - libzmq provides four levels of security: default NULL (which the Authenticator does not see), and authenticated NULL, PLAIN, CURVE, and GSSAPI, which the Authenticator can see. - until you add policies, all incoming NULL connections are allowed. (classic ZeroMQ behavior), and all PLAIN and CURVE connections are denied. - GSSAPI requires no configuration. z zmq.Contextcontextencoding allow_anycredentials_providersz zmq.Socket zap_socket_allowed_denied passwordscertslogNutf-8cCsbtdd|p tj|_||_d|_i|_d|_t |_ t |_ i|_ i|_ |p-td|_dS)N)rsecurityFzzmq.auth)r zmqContextinstancerrrrrsetrrrrlogging getLoggerr)selfrrrr$D/var/www/html/lang_env/lib/python3.10/site-packages/zmq/auth/base.py__init__:s zAuthenticator.__init__returncCs:|jjtjtjd|_d|j_|jd|j ddS)zCreate and bind the ZAP socket)Z socket_classr zinproc://zeromq.zap.01ZStartingN) rsocketrZREPZSocketrZlingerbindrdebugr#r$r$r%startPs zAuthenticator.startcCs|jr|jd|_dS)zClose the ZAP socketN)rcloser+r$r$r%stopWs  zAuthenticator.stop addressescG2|jrtd|jdd||j|dS)a6Allow IP address(es). Connections from addresses not explicitly allowed will be rejected. - For NULL, all clients from this address will be accepted. - For real auth setups, they will be allowed to continue with authentication. allow is mutually exclusive with deny. z Only use allow or deny, not bothz Allowing %s,N)r ValueErrorrr*joinrupdater#r/r$r$r%allow]s zAuthenticator.allowcGr0)zDeny IP address(es). Addresses not explicitly denied will be allowed to continue with authentication. deny is mutually exclusive with allow. z"Only use a allow or deny, not bothz Denying %sr1N)rr2rr*r3rr4r5r$r$r%denylszAuthenticator.denyrdomaincCs |r||j|<|jd|dS)zConfigure PLAIN authentication for a given domain. PLAIN authentication uses a plain-text password file. To cover all domains, use "*". You can modify the password file at any time; it is reloaded automatically. zConfigure plain: %sNrrr*)r#r8rr$r$r%configure_plainxs zAuthenticator.configure_plain.locationc Cst|jd|||tkrd|_dSd|_z t||j|<WdSty9}z|jd||WYd}~dSd}~ww)a Configure CURVE authentication for a given domain. CURVE authentication uses a directory that holds all public client certificates, i.e. their public keys. To cover all domains, use "*". You can add and remove certificates in that directory at any time. configure_curve must be called every time certificates are added or removed, in order to update the Authenticator's state To allow all client keys without checking, specify CURVE_ALLOW_ANY for the location. zConfigure curve: %s[%s]TFz&Failed to load CURVE certs from %s: %sN)rr*CURVE_ALLOW_ANYrr r Exceptionerror)r#r8r<er$r$r%configure_curves zAuthenticator.configure_curvecredentials_providercCs.d|_|dur||j|<dS|jd|dS)aConfigure CURVE authentication for a given domain. CURVE authentication using a callback function validating the client public key according to a custom mechanism, e.g. checking the key against records in a db. credentials_provider is an object of a class which implements a callback method accepting two parameters (domain and key), e.g.:: class CredentialsProvider(object): def __init__(self): ...e.g. db connection def callback(self, domain, key): valid = ...lookup key and/or domain in db if valid: logging.info('Authorizing: {0}, {1}'.format(domain, key)) return True else: logging.warning('NOT Authorizing: {0}, {1}'.format(domain, key)) return False To cover all domains, use "*". FNz0None credentials_provider provided for domain:%s)rrrr?)r#r8rBr$r$r%configure_curve_callbacksz&Authenticator.configure_curve_callbackclient_public_keycCst|dS)aReturn the User-Id corresponding to a CURVE client's public key Default implementation uses the z85-encoding of the public key. Override to define a custom mapping of public key : user-id This is only called on successful authentication. Parameters ---------- client_public_key: bytes The client public key used for the given message Returns ------- user_id: unicode The user ID as text ascii)r encodedecode)r#rDr$r$r% curve_user_idszAuthenticator.curve_user_idcCsdS)z~Configure GSSAPI authentication Currently this is a no-op because there is nothing to configure with GSSAPI. Nr$)r#r8r<r$r$r%configure_gssapiszAuthenticator.configure_gssapimsgc st|dkr'jd|t|dkrjddS|ddddS|dd\}}}}}}|dd}|jd }|jd }|tkr[jd ||dd dSjd ||||||d } d } d} jr|jvrd} jd|n)d} d} jd|nj r|j vrd} d} jd|n d} jd|d} | sL|dkr| sjdd} n|dkrt|dkrֈjd||dddSfdd|D\} } || | \} } na|dkrt|dkrjd||dddS|d } ||IdH\} } | r |} n-|d!krLt|dkr;jd"||dddS|d }|d#} ||\} } | rY|d$d%| dS|d| dS)&zPerform ZAP authenticationz*Invalid ZAP message, not enough frames: %rzNot enough information to replyr s400sNot enough framesNreplacezInvalid ZAP version: %rsInvalid versionzQversion: %r, request_id: %r, domain: %r, address: %r, identity: %r, mechanism: %rFs NO ACCESSTzPASSED (allowed) address=%ssAddress not allowedzDENIED (not allowed) address=%ssAddress deniedzDENIED (denied) address=%szPASSED (not denied) address=%s anonymoussNULLzALLOWED (NULL)sPLAINzInvalid PLAIN credentials: %rsInvalid credentialsc3s|] }|jdVqdS)rMN)rGr).0cr+r$r% $s z3Authenticator.handle_zap_message..sCURVEzInvalid CURVE credentials: %rrsGSSAPIzInvalid GSSAPI credentials: %rutf8200OK)lenrr?_send_zap_replyrGrVERSIONr*rr_authenticate_plain_authenticate_curverH_authenticate_gssapi)r#rJversion request_idr8addressidentityZ mechanism credentialsallowedZdeniedreasonusernamepasswordkey principalr$r+r%handle_zap_messages                z Authenticator.handle_zap_messagerbrccCsd}d}|jrE|s d}||jvr)||j|vr&||j||kr#d}nd}nd}nd}|r:|jd|||||fS|jd |||fSd }|jd |||fS) zPLAIN ZAP authenticationFrTsInvalid passwordsInvalid usernamesInvalid domainz1ALLOWED (PLAIN) domain=%s username=%s password=%sz DENIED %ssNo passwords definedzDENIED (PLAIN) %sr9)r#r8rbrcr`rar$r$r%rXCs2  z!Authenticator._authenticate_plain client_keycs(d}d}|jrd}d}|jd||fS|jikr^|sd}||jvrXt|}|j|||}t|tr<|IdH}|rCd}d}nd}|rId nd }|jd |||||fSd }||fS|sbd}||j vrt|}|j | |ryd}d}nd}|rd nd }|jd |||||fSd }||fS)zCURVE ZAP authenticationFrgTrTz ALLOWED (CURVE allow any client)rNs Unknown keyZALLOWEDZDENIEDz0%s (CURVE auth_callback) domain=%s client_key=%ssUnknown domainz"%s (CURVE) domain=%s client_key=%s) rrr*rr rFcallback isinstancerrget)r#r8rhr`raZz85_client_keyrstatusr$r$r%rYis` 3           z!Authenticator._authenticate_curverecCs|jd||dS)zPNothing to do for GSSAPI, which has already been handled by an external service.z'ALLOWED (GSSAPI) domain=%s principal=%s)TrT)rr*)r#r8rer$r$r%rZsz"Authenticator._authenticate_gssapirNr\ status_code status_textuser_idcCs\|dkr|nd}t|tr||jd}d}|jd||t|||||g}|j|dS)z.Send a ZAP reply to finish the authentication.rSrgrMzZAP reply code=%s text=%sN) rjstrrFrrr*rWrZsend_multipart)r#r\rnrorpmetadataZreplyr$r$r%rVs zAuthenticator._send_zap_reply)NrN)r'N)rN)rr;)rN) __name__ __module__ __qualname____doc____annotations__rqboolrrrbytesrr&r,r.r6r7r:r osPathLikerArCrHrIrrfrrXrYrZrVr$r$r$r%rs          " d  &  > rr=)rvr!rztypingrrrrrrrr rZ zmq.errorr Z zmq.utilsr rr r=rWr__all__r$r$r$r%s(    ,