Mh?dZddlZddlZddlmZmZmZmZmZm Z m Z m Z ddl Z ddl mZddlmZddlmZdZd ZGd d Zd d gZdS) z*Base implementation of 0MQ authentication.N)Any AwaitableDictListOptionalSetTupleUnion)_check_version)z85)load_certificates*s1.0c eZdZUdZded<eed<eed<eeefed<ded<e eed <e eed <eeeeeffed <eeee effed <eed < d1de dded efdZ d2dZ d2dZdeddfdZdeddfdZ d3ded e eeefddfdZ d4dedeeejfddfdZ d3dededdfdZde defd Z d3dede eddfd!Zd"ee fd#Zded$ed%edeee ffd&Zded'e deee ffd(Zded)e deee ffd*Z d5d,e d-e d.e d/eddf d0ZdS)6 AuthenticatoraImplementation of ZAP authentication for zmq connections. This authenticator class does not register with an event loop. As a result, you will need to manually call `handle_zap_message`:: auth = zmq.Authenticator() auth.allow("127.0.0.1") auth.start() while True: await auth.handle_zap_msg(auth.zap_socket.recv_multipart()) Alternatively, you can register `auth.zap_socket` with a poller. Since many users will want to run ZAP in a way that does not block the main thread, other authentication classes (such as :mod:`zmq.auth.thread`) are provided. Note: - libzmq provides four levels of security: default NULL (which the Authenticator does not see), and authenticated NULL, PLAIN, CURVE, and GSSAPI, which the Authenticator can see. - until you add policies, all incoming NULL connections are allowed. (classic ZeroMQ behavior), and all PLAIN and CURVE connections are denied. - GSSAPI requires no configuration. z zmq.Contextcontextencoding allow_anycredentials_providersz zmq.Socket zap_socket_allowed_denied passwordscertslogNutf-8cFtdd|ptj|_||_d|_i|_d|_t|_ t|_ i|_ i|_ |ptjd|_dS)N)rsecurityFzzmq.auth)r zmqContextinstancerrrrrsetrrrrlogging getLoggerr)selfrrrs M/var/www/html/test/jupyter/venv/lib/python3.11/site-packages/zmq/auth/base.py__init__zAuthenticator.__init__:s vz***8#+"6"6"8"8   %'" uu  7'+J77returnc|jtjtj|_d|j_|jd|j ddS)zCreate and bind the ZAP socket) socket_classr zinproc://zeromq.zap.01StartingN) rsocketr REPSocketrlingerbindrdebugr&s r'startzAuthenticator.startPs],--cgCJ-OO!" 5666 z"""""r)cT|jr|jd|_dS)zClose the ZAP socketN)rcloser4s r'stopzAuthenticator.stopWs+ ? $ O ! ! # # #r) addressesc|jrtd|jdd||j|dS)a6Allow IP address(es). Connections from addresses not explicitly allowed will be rejected. - For NULL, all clients from this address will be accepted. - For real auth setups, they will be allowed to continue with authentication. allow is mutually exclusive with deny. z Only use allow or deny, not bothz Allowing %s,N)r ValueErrorrr3joinrupdater&r9s r'allowzAuthenticator.allow]s\ < A?@@ @ }chhy&9&9::: Y'''''r)c|jrtd|jdd||j|dS)zDeny IP address(es). Addresses not explicitly denied will be allowed to continue with authentication. deny is mutually exclusive with allow. z"Only use a allow or deny, not bothz Denying %sr;N)rr<rr3r=rr>r?s r'denyzAuthenticator.denyls\ = CABB B |SXXi%8%8999 I&&&&&r)rdomaincT|r ||j|<|jd|dS)zConfigure PLAIN authentication for a given domain. PLAIN authentication uses a plain-text password file. To cover all domains, use "*". You can modify the password file at any time; it is reloaded automatically. zConfigure plain: %sNrrr3)r&rCrs r'configure_plainzAuthenticator.configure_plainxs5  /%.DN6 " ,f55555r).locationc |jd|||tkr d|_dSd|_ t ||j|<dS#t $r'}|jd||Yd}~dSd}~wwxYw)a Configure CURVE authentication for a given domain. CURVE authentication uses a directory that holds all public client certificates, i.e. their public keys. To cover all domains, use "*". You can add and remove certificates in that directory at any time. configure_curve must be called every time certificates are added or removed, in order to update the Authenticator's state To allow all client keys without checking, specify CURVE_ALLOW_ANY for the location. zConfigure curve: %s[%s]TFz&Failed to load CURVE certs from %s: %sN)rr3CURVE_ALLOW_ANYrrr Exceptionerror)r&rCrHes r'configure_curvezAuthenticator.configure_curves" 0&(CCC  & &!DNNN"DN V%6x%@%@ 6""" V V VGSTUUUUUUUUU VsA BA>>Bcredentials_providercfd|_| ||j|<dS|jd|dS)aConfigure CURVE authentication for a given domain. CURVE authentication using a callback function validating the client public key according to a custom mechanism, e.g. checking the key against records in a db. credentials_provider is an object of a class which implements a callback method accepting two parameters (domain and key), e.g.:: class CredentialsProvider(object): def __init__(self): ...e.g. db connection def callback(self, domain, key): valid = ...lookup key and/or domain in db if valid: logging.info('Authorizing: {0}, {1}'.format(domain, key)) return True else: logging.warning('NOT Authorizing: {0}, {1}'.format(domain, key)) return False To cover all domains, use "*". FNz0None credentials_provider provided for domain:%s)rrrrL)r&rCrOs r'configure_curve_callbackz&Authenticator.configure_curve_callbacksA6  +1ED &v . . . HNNMv V V V V Vr)client_public_keycPtj|dS)aReturn the User-Id corresponding to a CURVE client's public key Default implementation uses the z85-encoding of the public key. Override to define a custom mapping of public key : user-id This is only called on successful authentication. Parameters ---------- client_public_key: bytes The client public key used for the given message Returns ------- user_id: unicode The user ID as text ascii)r encodedecode)r&rRs r' curve_user_idzAuthenticator.curve_user_ids#&z+,,33G<<z3Authenticator.handle_zap_message..$sD&&; 8 ''t~f5554> (#CCC"&!40FF* 4G {F3333-F HNN. 7 7 7r) client_keyctKd}d}|jr d}d}|jdn|jikr|sd}||jvrt j|}|j|||}t|tr|d{V}|rd}d}nd}|rd nd }|jd |||nqd }nn|sd}||j vr_t j|}|j | |rd}d}nd}|rd nd }|jd |||nd }||fS)zCURVE ZAP authenticationFr)Trgz ALLOWED (CURVE allow any client)rNs Unknown keyALLOWEDDENIEDz0%s (CURVE auth_callback) domain=%s client_key=%ssUnknown domainz"%s (CURVE) domain=%s client_key=%s) rrr3rr rUcallback isinstancerrget)r&rCr}rtrvz85_client_keyrstatuss r'rlz!Authenticator._authenticate_curveis >4 +GF HNN= > > > >  '2 - - 333!$J!7!7.v6??WWa++ A,"G"FF+F&-;8F" + ##!$J!7!7:f%)).99,"G"FF+F&-;88" +r)rzc>|jd||dS)zPNothing to do for GSSAPI, which has already been handled by an external service.z'ALLOWED (GSSAPI) domain=%s principal=%s)Trg)rr3)r&rCrzs r'rmz"Authenticator._authenticate_gssapis  @&)TTT{r)r`ro status_code status_textuser_idc|dkr|nd}t|tr||jd}d}|jd||t |||||g}|j|dS)z.Send a ZAP reply to finish the authentication.rfr)r_zZAP reply code=%s text=%sN) rstrrUrrr3rjrsend_multipart)r&rorrrmetadatareplys r'rizAuthenticator._send_zap_replys)F22'' gs # # ?nnT]I>>G 2KMMM*k;R &&u-----r))NrN)r*N)rN)rrG)r`) __name__ __module__ __qualname____doc____annotations__rboolrrrbytesrr(r5r8r@rBrFr osPathLikerNrQrWrZrr{r rkrlrmrirYr)r'rrs4MMMOOOS>)))#h XCc3h'(((( T%*%% &&&& HHH,0 88-(88 8888,#### ( ( ( ( ( ( 's 't ' ' ' 'HL 6 6 6,4T#s(^,D 6  6 6 6 6FIVVV+0bk1A+BV VVVV8>B W W W7: W  W W W WD=u=====,<@   +3C=     b=DKb=b=b=b=H$$%($47$ tU{ $$$$L<<',< tU{ <<<<|35U4QV;EW# .... .  .  ......r)rrJ)rr$rtypingrrrrrrr r r zmq.errorr zmq.utilsr rrrJrjr__all__rYr)r'rs00  JJJJJJJJJJJJJJJJJJJJ $$$$$$$$$$$$ f.f.f.f.f.f.f.f.R - .r)