3 (hoO@sdZddlmZmZddlmZmZddlZddlZddl Z ddl m Z ddl m Z ddlmZmZmZmZdd lmZmZejeZGd d d eZGd d d eZGdddeZGdddeZGdddeZ GdddeZ!ddZ"dS)z5Implementing support for MySQL Authentication Plugins) b64encode b64decode)sha1sha256N)uuid4)errors)PY2isstr UNICODE_TYPES STRING_TYPES)normalize_unicode_string"validate_normalized_unicode_stringc@s2eZdZdZdZdZd ddZddZd d ZdS) BaseAuthPluginaBase class for authentication plugins Classes inheriting from BaseAuthPlugin should implement the method prepare_password(). When instantiating, auth_data argument is required. The username, password and database are optional. The ssl_enabled argument can be used to tell the plugin whether SSL is active or not. The method auth_response() method is used to retrieve the password which was prepared by prepare_password(). FNcCs"||_||_||_||_||_dS)ZInitializationN) _auth_data _username _passwordZ _database _ssl_enabled)self auth_datausernamepasswordZdatabaseZ ssl_enabledrR/tmp/pip-install-q3hcpn_q/mysql-connector-python/mysql/connector/authentication.py__init__?s zBaseAuthPlugin.__init__cCstdS)zPrepares and returns password to be send to MySQL This method needs to be implemented by classes inheriting from this class. It is used by the auth_response() method. Raises NotImplementedError. N)NotImplementedError)rrrrprepare_passwordHszBaseAuthPlugin.prepare_passwordcCs*|jr"|j r"tjdj|jd|jS)zReturns the prepared password to send to MySQL Raises InterfaceError on errors. For example, when SSL is required by not enabled. Returns str z{name} requires SSL)name) requires_sslrrInterfaceErrorformat plugin_namer)rrrr auth_responseRs zBaseAuthPlugin.auth_response)NNNF) __name__ __module__ __qualname____doc__rr"rrr#rrrrr.s   rc@s eZdZdZdZdZddZdS)MySQLNativePasswordAuthPluginzBClass implementing the MySQL Native Password authentication pluginFZmysql_native_passwordc Cs*|jstjd|jsdS|j}t|jr8|jjd}n|j}trzt|}yt|j}Wqtk rvtjdYqXn |}|j}d}yht |j }t |j }t ||j }trddt ||D}nddt ||D}t j d |}Wn4tk r$}ztjd j|WYdd}~XnX|S) z;Prepares and returns password as native MySQL 4.1+ passwordz"Missing authentication data (seed)zutf-8zAuthentication data incorrectNcSs g|]\}}t|t|AqSr)ord).0h1h3rrr szBMySQLNativePasswordAuthPlugin.prepare_password..cSsg|]\}}||AqSrr)r+r,r-rrrr.s20BzFailed scrambling password; {0})r/)rrr rr encoder buffer TypeErrorrdigestzipstructpack Exceptionr!) rrrZhash4hash1hash2hash3xoredexcrrrrfs:    z.MySQLNativePasswordAuthPlugin.prepare_passwordN)r$r%r&r'rr"rrrrrr(`sr(c@s eZdZdZdZdZddZdS)MySQLClearPasswordAuthPluginzAClass implementing the MySQL Clear Password authentication pluginTZmysql_clear_passwordcCsF|js dS|j}tr*t|tr>|jd}nt|tr>|jd}|dS)z!Returns password as as clear textutf8)rr isinstanceunicoder0str)rrrrrrs    z-MySQLClearPasswordAuthPlugin.prepare_passwordN)r$r%r&r'rr"rrrrrr=sr=c@s eZdZdZdZdZddZdS)MySQLSHA256PasswordAuthPluginzClass implementing the MySQL SHA256 authentication plugin Note that encrypting using RSA is not supported since the Python Standard Library does not provide this OpenSSL functionality. TZsha256_passwordcCsF|js dS|j}tr*t|tr>|jd}nt|tr>|jd}|dS)z!Returns password as as clear textr>r?)rr r@rAr0rB)rrrrrrs    z.MySQLSHA256PasswordAuthPlugin.prepare_passwordN)r$r%r&r'rr"rrrrrrCsrCc@s8eZdZdZdZdZdZdZddZdd Z d d Z d S) "MySQLCachingSHA2PasswordAuthPluginzClass implementing the MySQL caching_sha2_password authentication plugin Note that encrypting using RSA is not supported since the Python Standard Library does not provide this OpenSSL functionality. FZcaching_sha2_passwordc Cs|jstjd|jsdSt|jtr2|jjdn|j}trtt|}yt|j}Wq~t k rptjdYq~Xn |}|j}t |j }t }|j t |j |j ||j }trddt ||D}nddt ||D}tjd |}|S) z Returns a scramble of the password using a Nonce sent by the server. The scramble is of the form: XOR(SHA2(password), SHA2(SHA2(SHA2(password)), Nonce)) z"Missing authentication data (seed)r)zutf-8zAuthentication data incorrectcSs g|]\}}t|t|AqSr)r*)r+r,h2rrrr.sz@MySQLCachingSHA2PasswordAuthPlugin._scramble..cSsg|]\}}||AqSrr)r+r,rGrrrr.s32B)rH)rrr rr@r r0r r1r2rr3updater4r5r6)rrrr8r9r;r:rrr _scrambles.   z,MySQLCachingSHA2PasswordAuthPlugin._scramblecCs2t|jdkr|jS|jd|jkr.|jSdS)Nrr)lenrrJperform_full_authentication_full_authentication)rrrrrs z3MySQLCachingSHA2PasswordAuthPlugin.prepare_passwordcCs`|jstjdj|jd|js$dS|j}trDt|trX|j d}nt|t rX|j d}|dS)z!Returns password as as clear textz{name} requires SSL)rr>r?) rrr r!r"rr r@r r0rB)rrrrrrMs     z7MySQLCachingSHA2PasswordAuthPlugin._full_authenticationN) r$r%r&r'rr"rLZfast_auth_successrJrrMrrrrrDs'rDc@seZdZdZdZdZeZdZdZ dZ dZ dZ ddZ dd Zd d Zd d ZddZddZddZddZddZddZddZdS)MySQLLdapSaslPasswordAuthPluginaClass implementing the MySQL ldap sasl authentication plugin. The MySQL's ldap sasl authentication plugin support two authentication methods SCRAM-SHA-1 and GSSAPI (using Kerberos). This implementation only support SCRAM-SHA-1. SCRAM-SHA-1 This method requires 2 messages from client and 2 responses from server. The first message from client will be generated by prepare_password(), after receive the response from the server, it is required that this response is passed back to auth_continue() which will return the second message from the client. After send this second message to the server, the second server respond needs to be passed to auth_finalize() to finish the authentication process. FZauthentication_ldap_sasl_clientNrcCsLtr0ddt||D}djdd|D}|Stddt||DSdS)NcSs g|]\}}t|t|AqSr)r*)r+b1b2rrrr.&sz8MySQLLdapSaslPasswordAuthPlugin._xor..r)cSsg|] }t|qSr)chr)r+irrrr.'scSsg|]\}}||AqSrr)r+rOrPrrrr.*s)r r4joinbytes)rZbytes1Zbytes2xorrrr_xor$s z$MySQLLdapSaslPasswordAuthPlugin._xorcCstj|||j}|jS)N)hmacnewdef_digest_moder3)rrsaltZ digest_makerrrr_hmac,sz%MySQLLdapSaslPasswordAuthPlugin._hmaccCsN|j}|j||d}|}x,t|dD]}|j||}|j||}q*W|S)zPrepares Hi Hi(password, salt, iterations) where Hi(p,s,i) is defined as PBKDF2 (HMAC, p, s, i, output length of H). sr)r0r[rangerV)rrrZcountpwhiZaux_rrr_hi0s z#MySQLLdapSaslPasswordAuthPlugin._hicCsHt|}t|}|dk rDtjdj||\}}tjdj||||S)Nzbroken_rule: {}z5Unable to normalice character: `{}` in `{}` due to {}) norm_ustr valid_normrr r!)rstringZnorm_strZ broken_rulecharZrulerrr _normalize>s z*MySQLLdapSaslPasswordAuthPlugin._normalizecCsbd}ttjdd|_|j|j|j|jd}trJt|t r^|j d}nt|tr^|j d}|S)aqThis method generates the first message to the server to start the The client-first message consists of a gs2-header, the desired username, and a randomly generated client nonce cnonce. The first message from the server has the form: b'n,a=,n=,r= Returns client's first message z.n,a={user_name},n={user_name},r={client_nonce}-r)Z user_name client_noncer?) rBrreplacerhr!rfrr r@r r0)rZ cfm_fprnatZcfmrrr_first_messageIs      z.MySQLLdapSaslPasswordAuthPlugin._first_messagecCs8tjd|jj|jdkr0tjdj|jd|jS)zThis method will prepare the fist message to the server. Returns bytes to send to the server as the first message. z read_method_name_from_server: %ss SCRAM-SHA-1zfThe sasl authentication method "{}" requested from the server is not supported. Only "{}" is supportedz SCRAM-SHA-1)_LOGGERdebugrdecoderr r!rj)rrrrr#`s   z-MySQLLdapSaslPasswordAuthPlugin.auth_responsec Cs|jstjd|j|j}|j|t|j|j}t j dt |j |j |d}t j dt |j |j|j}t j dt |j |j |d}t j dt |j djd j|j|jd j|jg}t j d |dj||jd jt d j|j|jjj d j|jg}t j d||j ||j}t j dt |j |j||} t j dt | j t |j ||jj |_t j d|jt d j|j|jjj } djd j| d j|jdjt | j g} t j d| | jS)aThis method generates the second message to the server Second message consist on the concatenation of the client and the server nonce, and cproof. c=>,r=,p= where: : xor(, ) : hmac(salted_password, b"Client Key") : hmac(, ) : h() : ,, c=,r= : n=r= z"Missing authentication data (seed)zsalted_password: %ss Client Keyzclient_key: %szstored_key: %ss Server Keyzserver_key: %s,zn={}zr={}zclient_first_no_header: %szc={}zn,a={},z auth_msg: %szclient_signature: %szclient_proof: %szserver_auth_var: %szp={}zsecond_message: %s)rrr rfrrar server_salt iterationsrkrlrrmr[rYr3rSr!rrh servers_firstr0 server_noncerVserver_auth_var) rZpasswZsalted_passwordZ client_keyZ stored_keyZ server_keyZclient_first_no_headerZauth_msgZclient_signatureZ client_proofZ client_headermsgrrr_second_messagepsP           z/MySQLLdapSaslPasswordAuthPlugin._second_messagecCs>||_| st|t r(tjdj|y|jd\}}}Wn$tk r`tjdj|YnX|jd s|jd s|jd rtjdj||j |kr|dd|_ t j d |j ntjd j||dd|_ t j d |j t|j y*|dd}t j d j|t||_Wntjd j|YnXdS)zValidates first message from the server. Extracts the server's salt and iterations from the servers 1st response. First message from the server is in the form: ,i= zUnexpected server message: {}rnzr=zs=zi=z&Incomplete reponse from the server: {}Nzserver_nonce: %sz, ) where: : hmac(, b"Server Key") : ,, c=,r= Our server_proof must be equal to the Auth variable send on this second response. rvsv=z(The server's proof is not well formated.Nzserver auth variable: %s) r@ bytearrayrKryrr rmrkrlrs)rZservers_secondZ server_varrrr_validate_second_reponses   z8MySQLLdapSaslPasswordAuthPlugin._validate_second_reponsecCs|j|stjddS)zfinalize the authentication process. Raises errors.InterfaceError if the ervers_second_response is invalid. Returns True in succesfull authentication False otherwise. z7Authentication failed: Unable to proof server identity.T)r~rr )rZservers_second_responserrr auth_finalizes  z-MySQLLdapSaslPasswordAuthPlugin.auth_finalize)r$r%r&r'rr"rrYrhZ client_saltrorprsrVr[rarfrjr#rur{r|r~rrrrrrN s( D'rNcCs4xtjD]}|j|kr |Sq Wtjdj|dS)a.Return authentication class based on plugin name This function returns the class for the authentication plugin plugin_name. The returned class is a subclass of BaseAuthPlugin. Raises errors.NotSupportedError when plugin_name is not supported. Returns subclass of BaseAuthPlugin. z,Authentication plugin '{0}' is not supportedN)r__subclasses__r"rZNotSupportedErrorr!)r"Z authclassrrrget_auth_plugins  r)#r'base64rrhashlibrrrWloggingr5uuidrrrZcatch23r r r r utilsr rbrrc getLoggerr$rkobjectrr(r=rCrDrNrrrrrs&   2/L