B b ,cö?ã@s†dZddlZddlZddlmZmZmZmZmZm Z m Z ddl Z ddl m Z ddlmZddlmZdZd ZGd d „d ƒZd d gZdS) z*Base implementation of 0MQ authentication.éN)ÚAnyÚDictÚListÚOptionalÚSetÚTupleÚUnion)Ú_check_version)Úz85é)Úload_certificatesÚ*s1.0c@sÖeZdZUdZded<eed<eed<eeefed<ded<e eed <e eed <eeeeeffed <eeee effed <eed <d=e deedœdd„Z ddœdd„Z ddœdd„Zeddœdd„Zeddœdd„Zd>eeeefddœdd „Zd?eeeejfdd"œd#d$„Zd@eedd%œd&d'„Ze ed(œd)d*„ZdAee edd"œd+d,„Zee d-œd.d/„Zeeeeee fd0œd1d2„Zee eee fd3œd4d5„Zee eee fd6œd7d8„ZdBe e e edd:œd;d<„ZdS)CÚ AuthenticatoraöImplementation of ZAP authentication for zmq connections. This authenticator class does not register with an event loop. As a result, you will need to manually call `handle_zap_message`:: auth = zmq.Authenticator() auth.allow("127.0.0.1") auth.start() while True: auth.handle_zap_msg(auth.zap_socket.recv_multipart()) Alternatively, you can register `auth.zap_socket` with a poller. Since many users will want to run ZAP in a way that does not block the main thread, other authentication classes (such as :mod:`zmq.auth.thread`) are provided. Note: - libzmq provides four levels of security: default NULL (which the Authenticator does not see), and authenticated NULL, PLAIN, CURVE, and GSSAPI, which the Authenticator can see. - until you add policies, all incoming NULL connections are allowed. (classic ZeroMQ behavior), and all PLAIN and CURVE connections are denied. - GSSAPI requires no configuration. z zmq.ContextÚcontextÚencodingÚ allow_anyÚcredentials_providersz zmq.SocketÚ zap_socketÚ whitelistÚ blacklistÚ passwordsÚcertsÚlogNúutf-8)rrrcCsbtddƒ|ptj ¡|_||_d|_i|_d|_t ƒ|_ t ƒ|_ i|_ i|_ |pZt d¡|_dS)N)érZsecurityFzzmq.auth)r ÚzmqZContextÚinstancerrrrrÚsetrrrrÚloggingZ getLoggerr)Úselfrrr©r ú,lib/python3.7/site-packages/zmq/auth/base.pyÚ__init__:s zAuthenticator.__init__)ÚreturncCs4|j tj¡|_d|j_|j d¡|j d¡dS)zCreate and bind the ZAP socketr zinproc://zeromq.zap.01ZStartingN) rZsocketrZREPrZlingerZbindrÚdebug)rr r r!ÚstartPs zAuthenticator.startcCs|jr|j ¡d|_dS)zClose the ZAP socketN)rÚclose)rr r r!ÚstopWs zAuthenticator.stop)Ú addressesr#cGs2|jrtdƒ‚|j dd |¡¡|j |¡dS)aIAllow (whitelist) IP address(es). Connections from addresses not in the whitelist will be rejected. - For NULL, all clients from this address will be accepted. - For real auth setups, they will be allowed to continue with authentication. whitelist is mutually exclusive with blacklist. z-Only use a whitelist or a blacklist, not bothz Allowing %sú,N)rÚ ValueErrorrr$ÚjoinrÚupdate)rr(r r r!Úallow]s zAuthenticator.allowcGs2|jrtdƒ‚|j dd |¡¡|j |¡dS)z»Deny (blacklist) IP address(es). Addresses not in the blacklist will be allowed to continue with authentication. Blacklist is mutually exclusive with whitelist. z-Only use a whitelist or a blacklist, not bothz Denying %sr)N)rr*rr$r+rr,)rr(r r r!ÚdenylszAuthenticator.denyr )Údomainrr#cCs |r||j|<|j d|¡dS)zõConfigure PLAIN authentication for a given domain. PLAIN authentication uses a plain-text password file. To cover all domains, use "*". You can modify the password file at any time; it is reloaded automatically. zConfigure plain: %sN)rrr$)rr/rr r r!Úconfigure_plainxs  zAuthenticator.configure_plainÚ.)r/Úlocationr#c Csp|j d||¡|tkr d|_nLd|_yt|ƒ|j|<Wn2tk rj}z|j d||¡Wdd}~XYnXdS)a Configure CURVE authentication for a given domain. CURVE authentication uses a directory that holds all public client certificates, i.e. their public keys. To cover all domains, use "*". You can add and remove certificates in that directory at any time. configure_curve must be called every time certificates are added or removed, in order to update the Authenticator's state To allow all client keys without checking, specify CURVE_ALLOW_ANY for the location. zConfigure curve: %s[%s]TFz&Failed to load CURVE certs from %s: %sN)rr$ÚCURVE_ALLOW_ANYrr rÚ ExceptionÚerror)rr/r2Úer r r!Úconfigure_curve…szAuthenticator.configure_curve)r/Úcredentials_providerr#cCs,d|_|dk r||j|<n|j d|¡dS)aConfigure CURVE authentication for a given domain. CURVE authentication using a callback function validating the client public key according to a custom mechanism, e.g. checking the key against records in a db. credentials_provider is an object of a class which implements a callback method accepting two parameters (domain and key), e.g.:: class CredentialsProvider(object): def __init__(self): ...e.g. db connection def callback(self, domain, key): valid = ...lookup key and/or domain in db if valid: logging.info('Authorizing: {0}, {1}'.format(domain, key)) return True else: logging.warning('NOT Authorizing: {0}, {1}'.format(domain, key)) return False To cover all domains, use "*". To allow all client keys without checking, specify CURVE_ALLOW_ANY for the location. FNz0None credentials_provider provided for domain:%s)rrrr5)rr/r8r r r!Úconfigure_curve_callback s z&Authenticator.configure_curve_callback)Úclient_public_keyr#cCst |¡ d¡S)aðReturn the User-Id corresponding to a CURVE client's public key Default implementation uses the z85-encoding of the public key. Override to define a custom mapping of public key : user-id This is only called on successful authentication. Parameters ---------- client_public_key: bytes The client public key used for the given message Returns ------- user_id: unicode The user ID as text Úascii)r ÚencodeÚdecode)rr:r r r!Ú curve_user_idÄszAuthenticator.curve_user_idcCsdS)z~Configure GSSAPI authentication Currently this is a no-op because there is nothing to configure with GSSAPI. Nr )rr/r2r r r!Úconfigure_gssapiÙszAuthenticator.configure_gssapi)Úmsgc sÈt|ƒdkrJˆj d|¡t|ƒdkr4ˆj d¡nˆ |ddd¡dS|dd…\}}}}}}|dd…}| ˆjd ¡}| ˆjd ¡}|tkr²ˆj d |¡ˆ |dd ¡dSˆj d ||||||¡d } d } d} ˆjr|ˆjkrüd} ˆj d|¡nd} d} ˆj d|¡n>ˆj rR|ˆj kr@d} d} ˆj d|¡nd} ˆj d|¡d} | sž|dkr€| s€ˆj d¡d} n|dkrât|ƒdkr¸ˆj d|¡ˆ |dd¡dS‡fdd„|Dƒ\} } ˆ  || | ¡\} } n¼|dkrDt|ƒdkrˆj d|¡ˆ |dd¡dS|d }ˆ  ||¡\} } | ržˆ  |¡} nZ|d!kržt|ƒdkr|ˆj d"|¡ˆ |dd¡dS|d }| d#¡} ˆ  ||¡\} } | r¶ˆ |d$d%| ¡nˆ |d| ¡dS)&zPerform ZAP authenticationéz*Invalid ZAP message, not enough frames: %rézNot enough information to replyr s400sNot enough framesNÚreplacezInvalid ZAP version: %rsInvalid versionzQversion: %r, request_id: %r, domain: %r, address: %r, identity: %r, mechanism: %rFs NO ACCESSTzPASSED (whitelist) address=%ssAddress not in whitelistz$DENIED (not in whitelist) address=%ssAddress is blacklistedzDENIED (blacklist) address=%sz$PASSED (not in blacklist) address=%sÚ anonymoussNULLzALLOWED (NULL)sPLAINzInvalid PLAIN credentials: %rsInvalid credentialsc3s|]}| ˆjd¡VqdS)rCN)r=r)Ú.0Úc)rr r!ú (sz3Authenticator.handle_zap_message..sCURVEzInvalid CURVE credentials: %rrsGSSAPIzInvalid GSSAPI credentials: %rÚutf8s200sOK)Úlenrr5Ú_send_zap_replyr=rÚVERSIONr$rrÚ_authenticate_plainÚ_authenticate_curver>Ú_authenticate_gssapi)rr@ÚversionÚ request_idr/ZaddressZidentityZ mechanismZ credentialsÚallowedZdeniedÚreasonÚusernameÚpasswordÚkeyÚ principalr )rr!Úhandle_zap_messageásŽ           z Authenticator.handle_zap_message)r/rSrTr#cCs˜d}d}|jr~|sd}||jkrR||j|krL||j||krFd}qPd}qVd}nd}|rn|j d|||¡q|j d |¡nd }|j d |¡||fS) zPLAIN ZAP authenticationFór TsInvalid passwordsInvalid usernamesInvalid domainz1ALLOWED (PLAIN) domain=%s username=%s password=%sz DENIED %ssNo passwords definedzDENIED (PLAIN) %s)rrr$)rr/rSrTrQrRr r r!rLFs, z!Authenticator._authenticate_plain)r/Ú client_keyr#cCsöd}d}|jr$d}d}|j d¡nÊ|jikr|s6d}||jkrŠt |¡}|j| ||¡rfd}d}nd}|rrdnd }|j d |||¡qîd }n^|s˜d}||jkrêt |¡}|j| |¡rÆd}d}nd}|rÒdnd }|j d |||¡nd }||fS) zCURVE ZAP authenticationFrXTsOKz ALLOWED (CURVE allow any client)r s Unknown keyZALLOWEDZDENIEDz0%s (CURVE auth_callback) domain=%s client_key=%ssUnknown domainz"%s (CURVE) domain=%s client_key=%s) rrr$rr r<ÚcallbackrÚget)rr/rYrQrRZz85_client_keyZstatusr r r!rMlsL       z!Authenticator._authenticate_curve)r/rVr#cCs|j d||¡dS)zPNothing to do for GSSAPI, which has already been handled by an external service.z'ALLOWED (GSSAPI) domain=%s principal=%s)TsOK)rr$)rr/rVr r r!rN¥sz"Authenticator._authenticate_gssapirD)rPÚ status_codeÚ status_textÚuser_idr#cCs\|dkr |nd}t|tƒr(| |jd¡}d}|j d||¡t|||||g}|j |¡dS)z.Send a ZAP reply to finish the authentication.s200rXrCzZAP reply code=%s text=%sN) Ú isinstanceÚstrr<rrr$rKrZsend_multipart)rrPr\r]r^ZmetadataZreplyr r r!rJªs zAuthenticator._send_zap_reply)NrN)r N)r r1)r N)r N)rD) Ú__name__Ú __module__Ú __qualname__Ú__doc__Ú__annotations__r`ÚboolrrrÚbytesrr"r%r'r-r.r0rÚosÚPathLiker7r9r>r?rrWrrLrMrNrJr r r r!rsD     " f$9 rr3)rdrrhÚtypingrrrrrrrrZ zmq.errorr Z zmq.utilsr rr r3rKrÚ__all__r r r r!Ús$   *