Ef?dZddlZddlZddlmZmZmZmZmZm Z m Z ddl Z ddl m Z ddlmZddlmZdZd ZGd d Zd d gZy) z*Base implementation of 0MQ authentication.N)AnyDictListOptionalSetTupleUnion)_check_version)z85)load_certificates*s1.0c 4eZdZUdZded<eed<eed<eeefed<ded<e eed <e eed <eeeeeffed <eeee effed <eed < d-de dded efdZ d.dZ d.dZdeddfdZdeddfdZ d/ded eeefddfdZ d0dedeeej(fddfdZ d/dededdfdZde defdZ d/dede eddfdZdee fd Zded!ed"edeee ffd#Zded$e deee ffd%Zded&e deee ffd'Z d1d(e d)e d*e d+eddf d,Zy)2 AuthenticatoraImplementation of ZAP authentication for zmq connections. This authenticator class does not register with an event loop. As a result, you will need to manually call `handle_zap_message`:: auth = zmq.Authenticator() auth.allow("127.0.0.1") auth.start() while True: auth.handle_zap_msg(auth.zap_socket.recv_multipart()) Alternatively, you can register `auth.zap_socket` with a poller. Since many users will want to run ZAP in a way that does not block the main thread, other authentication classes (such as :mod:`zmq.auth.thread`) are provided. Note: - libzmq provides four levels of security: default NULL (which the Authenticator does not see), and authenticated NULL, PLAIN, CURVE, and GSSAPI, which the Authenticator can see. - until you add policies, all incoming NULL connections are allowed. (classic ZeroMQ behavior), and all PLAIN and CURVE connections are denied. - GSSAPI requires no configuration. z zmq.Contextcontextencoding allow_anycredentials_providersz zmq.Socket zap_socket whitelist blacklist passwordscertslogNc6tdd|xstjj|_||_d|_i|_d|_t|_ t|_ i|_ i|_ |xstjd|_y)N)rsecurityFzzmq.auth)r zmqContextinstancerrrrrsetrrrrlogging getLoggerr)selfrrrs //usr/lib/python3/dist-packages/zmq/auth/base.py__init__zAuthenticator.__init__:s vz*8#++"6"6"8   %'" 7'++J7returnc|jjtj|_d|j_|jj d|jjdy)zCreate and bind the ZAP socketr zinproc://zeromq.zap.01StartingN) rsocketrREPrlingerbindrdebugr$s r%startzAuthenticator.startPsK,,--cgg6!" 56 z"r'c^|jr|jjd|_y)zClose the ZAP socketN)rcloser0s r%stopzAuthenticator.stopWs ?? OO ! ! #r' addressesc|jr td|jjddj ||j j |y)aIAllow (whitelist) IP address(es). Connections from addresses not in the whitelist will be rejected. - For NULL, all clients from this address will be accepted. - For real auth setups, they will be allowed to continue with authentication. whitelist is mutually exclusive with blacklist. -Only use a whitelist or a blacklist, not bothz Allowing %s,N)r ValueErrorrr/joinrupdater$r5s r%allowzAuthenticator.allow]sD >>LM M }chhy&9: i(r'c|jr td|jjddj ||j j |y)zDeny (blacklist) IP address(es). Addresses not in the blacklist will be allowed to continue with authentication. Blacklist is mutually exclusive with whitelist. r7z Denying %sr8N)rr9rr/r:rr;r<s r%denyzAuthenticator.denylsD >>LM M |SXXi%89 i(r'domainc^|r||j|<|jjd|y)zConfigure PLAIN authentication for a given domain. PLAIN authentication uses a plain-text password file. To cover all domains, use "*". You can modify the password file at any time; it is reloaded automatically. zConfigure plain: %sNrrr/)r$r@rs r%configure_plainzAuthenticator.configure_plainxs( %.DNN6 " ,f5r'locationc|jjd|||tk(rd|_yd|_ t ||j |<y#t $r'}|jjd||Yd}~yd}~wwxYw)a Configure CURVE authentication for a given domain. CURVE authentication uses a directory that holds all public client certificates, i.e. their public keys. To cover all domains, use "*". You can add and remove certificates in that directory at any time. configure_curve must be called every time certificates are added or removed, in order to update the Authenticator's state To allow all client keys without checking, specify CURVE_ALLOW_ANY for the location. zConfigure curve: %s[%s]TFz&Failed to load CURVE certs from %s: %sN)rr/CURVE_ALLOW_ANYrr r Exceptionerror)r$r@rDes r%configure_curvezAuthenticator.configure_curvess" 0&(C  &!DN"DN V%6x%@ 6" VGSTUU VsA BA;;Bcredentials_providercnd|_|||j|<y|jjd|y)aConfigure CURVE authentication for a given domain. CURVE authentication using a callback function validating the client public key according to a custom mechanism, e.g. checking the key against records in a db. credentials_provider is an object of a class which implements a callback method accepting two parameters (domain and key), e.g.:: class CredentialsProvider(object): def __init__(self): ...e.g. db connection def callback(self, domain, key): valid = ...lookup key and/or domain in db if valid: logging.info('Authorizing: {0}, {1}'.format(domain, key)) return True else: logging.warning('NOT Authorizing: {0}, {1}'.format(domain, key)) return False To cover all domains, use "*". To allow all client keys without checking, specify CURVE_ALLOW_ANY for the location. FNz0None credentials_provider provided for domain:%s)rrrrH)r$r@rKs r%configure_curve_callbackz&Authenticator.configure_curve_callbacks4:  +1ED & &v . HHNNMv Vr'client_public_keycJtj|jdS)aReturn the User-Id corresponding to a CURVE client's public key Default implementation uses the z85-encoding of the public key. Override to define a custom mapping of public key : user-id This is only called on successful authentication. Parameters ---------- client_public_key: bytes The client public key used for the given message Returns ------- user_id: unicode The user ID as text ascii)r encodedecode)r$rNs r% curve_user_idzAuthenticator.curve_user_ids&zz+,33G<z3Authenticator.handle_zap_message..'s%&; s8a< HHNNG M3x!|@A $$SVV5IJ DGGAVWh !"g t}}i8.. : g  HHNN4c :  V5G H   8        >>$..(>H4EwO ^^$..(2>HEwOG#G/0h&{#q(HHNN#BKP((V=ST&@K&"(#'":":68X"Vh&{#q(HHNN#BKP((V=ST!!n"&":":63"G#11#6Hi'{#q(HHNN#C[Q((V=ST'N $++F3"&";";FI"N   VUH E  VV >'t~~f554>> (#CC"&!40F*G  {F3 -F HHNN. 7r' client_keycpd}d}|jr#d}d}|jjd||fS|jik7r{|sd}||jvrct j |}|j|j ||rd}d}nd}|rdnd }|jjd |||||fSd }||fS|sd}||jvrbt j |}|j|j|rd}d}nd}|rdnd }|jjd |||||fSd }||fS) zCURVE ZAP authenticationFr'Trcz ALLOWED (CURVE allow any client)rs Unknown keyALLOWEDDENIEDz0%s (CURVE auth_callback) domain=%s client_key=%ssUnknown domainz"%s (CURVE) domain=%s client_key=%s) rrr/rr rQcallbackrget)r$r@ryrprrz85_client_keystatuss r%rhz!Authenticator._authenticate_curvelsk >>GF HHNN= >`_ ' '2 -333!$J!7--f5>>v~V"G"F+F&-8F" @3+2-#!$J!7::f%)).9"G"F+F&-88" +r'rvc>|jjd||y)zPNothing to do for GSSAPI, which has already been handled by an external service.z'ALLOWED (GSSAPI) domain=%s principal=%s)Trc)rr/)r$r@rvs r%riz"Authenticator._authenticate_gssapis @&)Tr'rk status_code status_textuser_idc|dk(r|nd}t|tr|j|jd}d}|jj d||t |||||g}|jj|y)z.Send a ZAP reply to finish the authentication.rbr'r[zZAP reply code=%s text=%sN) isinstancestrrQrrr/rfrsend_multipart)r$rkrrrmetadatareplys r%rezAuthenticator._send_zap_replysn)F2' gs #nnT]]I>G 2KM*k;R &&u-r')Nzutf-8N)r(N)rN)r.)r\) __name__ __module__ __qualname____doc____annotations__rboolrrrbytesrr&r1r4r=r?rCr osPathLikerJrMrSrVrrwrrgrhrirerUr'r%rrs`4MOS>)3x3xCc3h'(( T%*%% && H,0 8-(88 8,# ) ) ) )s )t )>B 6 6,0cN 6  6FIVV+0bkk1A+BV V8>B"W"W7:"W "WH=u==,<@  +3C=  c=d5kc=J$$%($47$ tU{ $L7#757U4QV;EW7r35U4QV;EW# ... .  .  .r'rrF)rr"rtypingrrrrrrr r zmq.errorr zmq.utilsr rr rFrfr__all__rUr'r%rsI0  ??? $$ d.d.N - .r'