U lu fÑ?ã@sŠdZddlZddlZddlmZmZmZmZmZm Z m Z m Z ddl Z ddl mZddlmZddlmZdZd ZGd d „d ƒZd d gZdS) z*Base implementation of 0MQ authentication.éN)ÚAnyÚ AwaitableÚDictÚListÚOptionalÚSetÚTupleÚUnion)Ú_check_version)Úz85é)Úload_certificatesÚ*s1.0c@sÚeZdZUdZded<eed<eed<eeefed<ded<e eed <e eed <eeeeeffed <eeee effed <eed <d=e deedœdd„Z ddœdd„Z ddœdd„Zeddœdd„Zeddœdd„Zd>ee eeefddœdd „Zd?eeeejfdd"œd#d$„Zd@eedd%œd&d'„Ze ed(œd)d*„ZdAee edd"œd+d,„Zee d-œd.d/„Zeeeeee fd0œd1d2„Zee eee fd3œd4d5„Zee eee fd6œd7d8„ZdBe e e edd:œd;d<„ZdS)CÚ AuthenticatoraüImplementation of ZAP authentication for zmq connections. This authenticator class does not register with an event loop. As a result, you will need to manually call `handle_zap_message`:: auth = zmq.Authenticator() auth.allow("127.0.0.1") auth.start() while True: await auth.handle_zap_msg(auth.zap_socket.recv_multipart()) Alternatively, you can register `auth.zap_socket` with a poller. Since many users will want to run ZAP in a way that does not block the main thread, other authentication classes (such as :mod:`zmq.auth.thread`) are provided. Note: - libzmq provides four levels of security: default NULL (which the Authenticator does not see), and authenticated NULL, PLAIN, CURVE, and GSSAPI, which the Authenticator can see. - until you add policies, all incoming NULL connections are allowed. (classic ZeroMQ behavior), and all PLAIN and CURVE connections are denied. - GSSAPI requires no configuration. z zmq.ContextÚcontextÚencodingÚ allow_anyÚcredentials_providersz zmq.SocketÚ zap_socketÚ_allowedÚ_deniedÚ passwordsÚcertsÚlogNúutf-8)rrrcCsbtddƒ|ptj ¡|_||_d|_i|_d|_t ƒ|_ t ƒ|_ i|_ i|_ |pZt d¡|_dS)N)érÚsecurityFzzmq.auth)r ÚzmqÚContextÚinstancerrrrrÚsetrrrrÚloggingÚ getLoggerr)Úselfrrr©r$ú1/tmp/pip-unpacked-wheel-h6ekxre8/zmq/auth/base.pyÚ__init__:s zAuthenticator.__init__)ÚreturncCs:|jjtjtjd|_d|j_|j d¡|j  d¡dS)zCreate and bind the ZAP socket)Z socket_classr zinproc://zeromq.zap.01ZStartingN) rÚsocketrZREPZSocketrZlingerÚbindrÚdebug©r#r$r$r%ÚstartPs zAuthenticator.startcCs|jr|j ¡d|_dS)zClose the ZAP socketN)rÚcloser+r$r$r%ÚstopWs zAuthenticator.stop)Ú addressesr'cGs2|jrtdƒ‚|j dd |¡¡|j |¡dS)a6Allow IP address(es). Connections from addresses not explicitly allowed will be rejected. - For NULL, all clients from this address will be accepted. - For real auth setups, they will be allowed to continue with authentication. allow is mutually exclusive with deny. z Only use allow or deny, not bothz Allowing %sú,N)rÚ ValueErrorrr*ÚjoinrÚupdate©r#r/r$r$r%Úallow]s zAuthenticator.allowcGs2|jrtdƒ‚|j dd |¡¡|j |¡dS)z§Deny IP address(es). Addresses not explicitly denied will be allowed to continue with authentication. deny is mutually exclusive with allow. z"Only use a allow or deny, not bothz Denying %sr0N)rr1rr*r2rr3r4r$r$r%ÚdenylszAuthenticator.denyr)Údomainrr'cCs |r||j|<|j d|¡dS)zõConfigure PLAIN authentication for a given domain. PLAIN authentication uses a plain-text password file. To cover all domains, use "*". You can modify the password file at any time; it is reloaded automatically. zConfigure plain: %sN©rrr*)r#r7rr$r$r%Úconfigure_plainxs  zAuthenticator.configure_plainÚ.)r7Úlocationr'c Csp|j d||¡|tkr d|_nLd|_zt|ƒ|j|<Wn2tk rj}z|j d||¡W5d}~XYnXdS)a Configure CURVE authentication for a given domain. CURVE authentication uses a directory that holds all public client certificates, i.e. their public keys. To cover all domains, use "*". You can add and remove certificates in that directory at any time. configure_curve must be called every time certificates are added or removed, in order to update the Authenticator's state To allow all client keys without checking, specify CURVE_ALLOW_ANY for the location. zConfigure curve: %s[%s]TFz&Failed to load CURVE certs from %s: %sN)rr*ÚCURVE_ALLOW_ANYrr rÚ ExceptionÚerror)r#r7r;Úer$r$r%Úconfigure_curve…szAuthenticator.configure_curve)r7Úcredentials_providerr'cCs,d|_|dk r||j|<n|j d|¡dS)aÁConfigure CURVE authentication for a given domain. CURVE authentication using a callback function validating the client public key according to a custom mechanism, e.g. checking the key against records in a db. credentials_provider is an object of a class which implements a callback method accepting two parameters (domain and key), e.g.:: class CredentialsProvider(object): def __init__(self): ...e.g. db connection def callback(self, domain, key): valid = ...lookup key and/or domain in db if valid: logging.info('Authorizing: {0}, {1}'.format(domain, key)) return True else: logging.warning('NOT Authorizing: {0}, {1}'.format(domain, key)) return False To cover all domains, use "*". FNz0None credentials_provider provided for domain:%s)rrrr>)r#r7rAr$r$r%Úconfigure_curve_callback s z&Authenticator.configure_curve_callback)Úclient_public_keyr'cCst |¡ d¡S)aðReturn the User-Id corresponding to a CURVE client's public key Default implementation uses the z85-encoding of the public key. Override to define a custom mapping of public key : user-id This is only called on successful authentication. Parameters ---------- client_public_key: bytes The client public key used for the given message Returns ------- user_id: unicode The user ID as text Úascii)r ÚencodeÚdecode)r#rCr$r$r%Ú curve_user_idÂszAuthenticator.curve_user_idcCsdS)z~Configure GSSAPI authentication Currently this is a no-op because there is nothing to configure with GSSAPI. Nr$)r#r7r;r$r$r%Úconfigure_gssapi×szAuthenticator.configure_gssapi)Úmsgc ƒsÎt|ƒdkrJˆj d|¡t|ƒdkr4ˆj d¡nˆ |ddd¡dS|dd…\}}}}}}|dd…}| ˆjd ¡}| ˆjd ¡}|tkr²ˆj d |¡ˆ |dd ¡dSˆj d ||||||¡d } d } d} ˆjr|ˆjkrüd} ˆj d|¡nd} d} ˆj d|¡n>ˆj rR|ˆj kr@d} d} ˆj d|¡nd} ˆj d|¡d} | s¤|dkr€| s€ˆj d¡d} n$|dkrât|ƒdkr¸ˆj d|¡ˆ |dd¡dS‡fdd„|Dƒ\} } ˆ  || | ¡\} } nÂ|dkrJt|ƒdkrˆj d|¡ˆ |dd¡dS|d }ˆ  ||¡IdH\} } | r¤ˆ  |¡} nZ|d!kr¤t|ƒdkr‚ˆj d"|¡ˆ |dd¡dS|d }| d#¡} ˆ  ||¡\} } | r¼ˆ |d$d%| ¡nˆ |d| ¡dS)&zPerform ZAP authenticationéz*Invalid ZAP message, not enough frames: %rézNot enough information to replyr s400sNot enough framesNÚreplacezInvalid ZAP version: %rsInvalid versionzQversion: %r, request_id: %r, domain: %r, address: %r, identity: %r, mechanism: %rFs NO ACCESSTzPASSED (allowed) address=%ssAddress not allowedzDENIED (not allowed) address=%ssAddress deniedzDENIED (denied) address=%szPASSED (not denied) address=%sÚ anonymoussNULLzALLOWED (NULL)sPLAINzInvalid PLAIN credentials: %rsInvalid credentialsc3s|]}| ˆjd¡VqdS)rLN)rFr)Ú.0Úcr+r$r%Ú $sz3Authenticator.handle_zap_message..sCURVEzInvalid CURVE credentials: %rrsGSSAPIzInvalid GSSAPI credentials: %rÚutf8ó200óOK)Úlenrr>Ú_send_zap_replyrFrÚVERSIONr*rrÚ_authenticate_plainÚ_authenticate_curverGÚ_authenticate_gssapi)r#rIÚversionÚ request_idr7ÚaddressÚidentityZ mechanismÚ credentialsÚallowedZdeniedÚreasonÚusernameÚpasswordÚkeyÚ principalr$r+r%Úhandle_zap_messageßs”   ø      ÿ     z Authenticator.handle_zap_message)r7rarbr'cCs˜d}d}|jr~|sd}||jkrR||j|krL||j||krFd}qPd}qVd}nd}|rn|j d|||¡q|j d |¡nd }|j d |¡||fS) zPLAIN ZAP authenticationFórTsInvalid passwordsInvalid usernamesInvalid domainz1ALLOWED (PLAIN) domain=%s username=%s password=%sz DENIED %ssNo passwords definedzDENIED (PLAIN) %sr8)r#r7rarbr_r`r$r$r%rWCs. üz!Authenticator._authenticate_plain)r7Ú client_keyr'cÃsd}d}|jr$d}d}|j d¡nä|jikr¨|s6d}||jkr¢t |¡}|j| ||¡}t|tƒrp|IdH}|r~d}d}nd}|rŠd nd }|j d |||¡nd }n`|s°d}||j krt |¡}|j |  |¡ràd}d}nd}|rìd nd }|j d |||¡nd }||fS)zCURVE ZAP authenticationFrfTrSz ALLOWED (CURVE allow any client)rNs Unknown keyZALLOWEDZDENIEDz0%s (CURVE auth_callback) domain=%s client_key=%ssUnknown domainz"%s (CURVE) domain=%s client_key=%s) rrr*rr rEÚcallbackÚ isinstancerrÚget)r#r7rgr_r`Zz85_client_keyÚrÚstatusr$r$r%rXisV      ü   üz!Authenticator._authenticate_curve)r7rdr'cCs|j d||¡dS)zPNothing to do for GSSAPI, which has already been handled by an external service.z'ALLOWED (GSSAPI) domain=%s principal=%s)TrS)rr*)r#r7rdr$r$r%rY§sz"Authenticator._authenticate_gssapirM)r[Ú status_codeÚ status_textÚuser_idr'cCs\|dkr |nd}t|tƒr(| |jd¡}d}|j d||¡t|||||g}|j |¡dS)z.Send a ZAP reply to finish the authentication.rRrfrLzZAP reply code=%s text=%sN) riÚstrrErrr*rVrZsend_multipart)r#r[rmrnroÚmetadataZreplyr$r$r%rU¬s zAuthenticator._send_zap_reply)NrN)rN)rr:)rN)rN)rM) Ú__name__Ú __module__Ú __qualname__Ú__doc__Ú__annotations__rpÚboolrrrÚbytesrr&r,r.r5r6r9r ÚosÚPathLiker@rBrGrHrrerrWrXrYrUr$r$r$r%rsŽ   üü  ÿþ ÿ þ ÿþ "ÿþ e þ ' þ > ûúrr<)rur!ryÚtypingrrrrrrrr rZ zmq.errorr Z zmq.utilsr rr r<rVrÚ__all__r$r$r$r%Ús(   ,