f?dZddlZddlZddlmZmZmZmZmZm Z m Z m Z ddl Z ddl mZddlmZddlmZdZd ZGd d Zd d gZy) z*Base implementation of 0MQ authentication.N)Any AwaitableDictListOptionalSetTupleUnion)_check_version)z85)load_certificates*s1.0c :eZdZUdZded<eed<eed<eeefed<ded<e eed <e eed <eeeeeffed <eeee effed <eed < d-de dded efdZ d.dZ d.dZdeddfdZdeddfdZ d/ded e eeefddfdZ d0dedeeej(fddfdZ d/dededdfdZde defdZ d/dede eddfdZdee fd Zded!ed"edeee ffd#Zded$e deee ffd%Zded&e deee ffd'Z d1d(e d)e d*e d+eddf d,Zy)2 AuthenticatoraImplementation of ZAP authentication for zmq connections. This authenticator class does not register with an event loop. As a result, you will need to manually call `handle_zap_message`:: auth = zmq.Authenticator() auth.allow("127.0.0.1") auth.start() while True: await auth.handle_zap_msg(auth.zap_socket.recv_multipart()) Alternatively, you can register `auth.zap_socket` with a poller. Since many users will want to run ZAP in a way that does not block the main thread, other authentication classes (such as :mod:`zmq.auth.thread`) are provided. Note: - libzmq provides four levels of security: default NULL (which the Authenticator does not see), and authenticated NULL, PLAIN, CURVE, and GSSAPI, which the Authenticator can see. - until you add policies, all incoming NULL connections are allowed. (classic ZeroMQ behavior), and all PLAIN and CURVE connections are denied. - GSSAPI requires no configuration. z zmq.Contextcontextencoding allow_anycredentials_providersz zmq.Socket zap_socket_allowed_denied passwordscertslogNc6tdd|xstjj|_||_d|_i|_d|_t|_ t|_ i|_ i|_ |xstjd|_y)N)rsecurityFzzmq.auth)r zmqContextinstancerrrrrsetrrrrlogging getLoggerr)selfrrrs H/var/www/cvtools/html/venv/lib/python3.12/site-packages/zmq/auth/base.py__init__zAuthenticator.__init__:s vz*8#++"6"6"8   %'" u  7'++J7returnc|jjtjtj|_d|j _|j jd|jjdy)zCreate and bind the ZAP socket) socket_classr zinproc://zeromq.zap.01StartingN) rsocketrREPSocketrlingerbindrdebugr%s r&startzAuthenticator.startPsT,,--cggCJJ-O!" 56 z"r(c^|jr|jjd|_y)zClose the ZAP socketN)rcloser3s r&stopzAuthenticator.stopWs ?? OO ! ! #r( addressesc|jr td|jjddj ||j j |y)a6Allow IP address(es). Connections from addresses not explicitly allowed will be rejected. - For NULL, all clients from this address will be accepted. - For real auth setups, they will be allowed to continue with authentication. allow is mutually exclusive with deny. z Only use allow or deny, not bothz Allowing %s,N)r ValueErrorrr2joinrupdater%r8s r&allowzAuthenticator.allow]sD <<?@ @ }chhy&9: Y'r(c|jr td|jjddj ||j j |y)zDeny IP address(es). Addresses not explicitly denied will be allowed to continue with authentication. deny is mutually exclusive with allow. z"Only use a allow or deny, not bothz Denying %sr:N)rr;rr2r<rr=r>s r&denyzAuthenticator.denylsD ==AB B |SXXi%89 I&r(domainc^|r||j|<|jjd|y)zConfigure PLAIN authentication for a given domain. PLAIN authentication uses a plain-text password file. To cover all domains, use "*". You can modify the password file at any time; it is reloaded automatically. zConfigure plain: %sNrrr2)r%rBrs r&configure_plainzAuthenticator.configure_plainxs( %.DNN6 " ,f5r(locationc|jjd|||tk(rd|_yd|_ t ||j |<y#t $r'}|jjd||Yd}~yd}~wwxYw)a Configure CURVE authentication for a given domain. CURVE authentication uses a directory that holds all public client certificates, i.e. their public keys. To cover all domains, use "*". You can add and remove certificates in that directory at any time. configure_curve must be called every time certificates are added or removed, in order to update the Authenticator's state To allow all client keys without checking, specify CURVE_ALLOW_ANY for the location. zConfigure curve: %s[%s]TFz&Failed to load CURVE certs from %s: %sN)rr2CURVE_ALLOW_ANYrrr Exceptionerror)r%rBrFes r&configure_curvezAuthenticator.configure_curvess" 0&(C  &!DN"DN V%6x%@ 6" VGSTUU VsA BA;;Bcredentials_providercnd|_|||j|<y|jjd|y)aConfigure CURVE authentication for a given domain. CURVE authentication using a callback function validating the client public key according to a custom mechanism, e.g. checking the key against records in a db. credentials_provider is an object of a class which implements a callback method accepting two parameters (domain and key), e.g.:: class CredentialsProvider(object): def __init__(self): ...e.g. db connection def callback(self, domain, key): valid = ...lookup key and/or domain in db if valid: logging.info('Authorizing: {0}, {1}'.format(domain, key)) return True else: logging.warning('NOT Authorizing: {0}, {1}'.format(domain, key)) return False To cover all domains, use "*". FNz0None credentials_provider provided for domain:%s)rrrrJ)r%rBrMs r&configure_curve_callbackz&Authenticator.configure_curve_callbacks46  +1ED & &v . HHNNMv Vr(client_public_keycJtj|jdS)aReturn the User-Id corresponding to a CURVE client's public key Default implementation uses the z85-encoding of the public key. Override to define a custom mapping of public key : user-id This is only called on successful authentication. Parameters ---------- client_public_key: bytes The client public key used for the given message Returns ------- user_id: unicode The user ID as text ascii)r encodedecode)r%rPs r& curve_user_idzAuthenticator.curve_user_ids&zz+,33G<z3Authenticator.handle_zap_message..$s%&;>'t~~f554>> (#CC"&!40F*G  {F3 -F HHNN. 7r( client_keycKd}d}|jr#d}d}|jjd||fS|jik7r|sd}||jvrt j |}|j|j ||}t|tr |d{}|rd}d}nd}|rd nd }|jjd |||||fSd }||fS|sd}||jvrbt j |}|j|j|rd}d}nd}|rd nd }|jjd |||||fSd }||fS7w)zCURVE ZAP authenticationFr(Trez ALLOWED (CURVE allow any client)rNs Unknown keyALLOWEDDENIEDz0%s (CURVE auth_callback) domain=%s client_key=%ssUnknown domainz"%s (CURVE) domain=%s client_key=%s) rrr2rr rScallback isinstancerrget)r%rBr{rrrtz85_client_keyrstatuss r&rjz!Authenticator._authenticate_curveis >>GF HHNN= >fe ' '2 -333!$J!7..v6??Wa+A"G"F+F&-8F" @3+2-#!$J!7::f%)).9"G"F+F&-88" +Q sBE E!B6Erxc>|jjd||y)zPNothing to do for GSSAPI, which has already been handled by an external service.z'ALLOWED (GSSAPI) domain=%s principal=%s)Tre)rr2)r%rBrxs r&rkz"Authenticator._authenticate_gssapis @&)Tr(rm status_code status_textuser_idc|dk(r|nd}t|tr|j|jd}d}|jj d||t |||||g}|jj|y)z.Send a ZAP reply to finish the authentication.rdr(r]zZAP reply code=%s text=%sN) rstrrSrrr2rhrsend_multipart)r%rmrrrmetadatareplys r&rgzAuthenticator._send_zap_replysn)F2' gs #nnT]]I>G 2KM*k;R &&u-r()Nzutf-8N)r)N)rN)r.)r^) __name__ __module__ __qualname____doc____annotations__rboolrrrbytesrr'r4r7r?rArEr osPathLikerLrOrUrXrryr rirjrkrgrWr(r&rrsh4MOS>)#h XCc3h'(( T%*%% && H,0 8-(88 8,# ( ( ( 's 't 'HL 6 6,4T#s(^,D 6  6FIVV+0bkk1A+BV V8>B W W7: W  WD=u==,<@  +3C=  b=DKb=H$$%($47$ tU{ $L<<',< tU{ <|35U4QV;EW# ... .  .  .r(rrH)rr#rtypingrrrrrrr r r zmq.errorr zmq.utilsr rrrHrhr__all__rWr(r&rsI0  JJJ $$ f.f.R - .r(