"iȭdZddlmZmZddlmZmZddlZddlZddl Z ddl Z ddl Z ddl m Z ddlmZ ddlmZddlmZmZdd lmZd Zn #e$rd ZYnwxYw ddlZn #e$rdZYnwxYw ddlZddlZddlZn#e$r dZdZdZYnwxYwd d lmZd dlm Z!m"Z#e j$e%&e j'e j$e%Z(Gdde)Z*Gdde*Z+Gdde*Z,Gdde*Z-Gdde*Z.Gdde*Z/Gdde*Z0Gdde*Z1Gdd e*Z2e j3d!kre2Z0d"Z4dS)#z5Implementing support for MySQL Authentication Plugins) b64encode b64decode)sha1sha256N)quote)uuid4)UnsupportedAlgorithm)hashes serialization)paddingTF)errors)normalize_unicode_string"validate_normalized_unicode_stringc2eZdZdZdZdZ ddZdZdZdS) BaseAuthPluginaBase class for authentication plugins Classes inheriting from BaseAuthPlugin should implement the method prepare_password(). When instantiating, auth_data argument is required. The username, password and database are optional. The ssl_enabled argument can be used to tell the plugin whether SSL is active or not. The method auth_response() method is used to retrieve the password which was prepared by prepare_password(). FNcL||_||_||_||_||_dS)InitializationN) _auth_data _username _password _database _ssl_enabled)self auth_datausernamepassworddatabase ssl_enabledinstances V/srv/django_bis/venv311/lib/python3.11/site-packages/mysql/connector/authentication.py__init__zBaseAuthPlugin.__init__[s.$!!!'ct)zPrepares and returns password to be send to MySQL This method needs to be implemented by classes inheriting from this class. It is used by the auth_response() method. Raises NotImplementedError. )NotImplementedErrorrs r"prepare_passwordzBaseAuthPlugin.prepare_passwordds "!r$c|jr4|js-tjd|j|S)zReturns the prepared password to send to MySQL Raises InterfaceError on errors. For example, when SSL is required by not enabled. Returns str {name} requires SSLname) requires_sslrrInterfaceErrorformat plugin_namer(r's r" auth_responsezBaseAuthPlugin.auth_responsens_   (T%6 ('(=(D(D%)E)')'(( ($$&&&r$)NNNFN) __name__ __module__ __qualname____doc__r-r0r#r(r1r$r"rrJsb  LKIM-1((((""" ' ' ' ' 'r$rc eZdZdZdZdZdZdS)MySQLNativePasswordAuthPluginzBClass implementing the MySQL Native Password authentication pluginFmysql_native_passwordc|jstjd|jsdS|j}t |jt r|jd}n|j}|j}d} t|}t|}t||z}dt||D}tj dg|R}n9#t$r,}tjd |d}~wwxYw|S)z;Prepares and returns password as native MySQL 4.1+ password"Missing authentication data (seed)r$utf-8Ncg|] \}}||z  Sr6r6).0h1h3s r" zBMySQLNativePasswordAuthPlugin.prepare_password..s ???"bR"W???r$20BzFailed scrambling password; {0})rrr.r isinstancestrencoderdigestzipstructpack Exceptionr/) rrrhash4hash1hash2hash3xoredexcs r"r(z.MySQLNativePasswordAuthPlugin.prepare_passwordsF N'(LMM M~ 3> dnc * * &~,,W55HH~HO  ?NN))++EKK&&((EU*++2244E??S->->???EK....EE ? ? ?'188==?? ? ? s2BD D;'D66D;Nr2r3r4r5r-r0r(r6r$r"r8r8|s3LLL)Kr$r8c eZdZdZdZdZdZdS)MySQLClearPasswordAuthPluginzAClass implementing the MySQL Clear Password authentication pluginTmysql_clear_passwordc|jsdS|j}t|tr|d}|dzS!Returns password as as clear textutf8rrCrDrErrs r"r(z-MySQLClearPasswordAuthPlugin.prepare_passwordF~ 7> h $ $ /v..H'!!r$NrQr6r$r"rSrSs3KKL(K " " " " "r$rSc eZdZdZdZdZdZdS)MySQLSHA256PasswordAuthPluginzClass implementing the MySQL SHA256 authentication plugin Note that encrypting using RSA is not supported since the Python Standard Library does not provide this OpenSSL functionality. Tsha256_passwordc|jsdS|j}t|tr|d}|dzSrVrZr[s r"r(z.MySQLSHA256PasswordAuthPlugin.prepare_passwordr\r$NrQr6r$r"r^r^s9 L#K " " " " "r$r^c4eZdZdZdZdZdZdZdZdZ dZ d S) "MySQLCachingSHA2PasswordAuthPluginzClass implementing the MySQL caching_sha2_password authentication plugin Note that encrypting using RSA is not supported since the Python Standard Library does not provide this OpenSSL functionality. Fcaching_sha2_passwordcB|jstjd|jsdSt |jt r|jdn|j}|j}t|}t}| t|| ||}dt||D}tj dg|R}|S)z Returns a scramble of the password using a Nonce sent by the server. The scramble is of the form: XOR(SHA2(password), SHA2(SHA2(SHA2(password)), Nonce)) r;r$r<cg|] \}}||z  Sr6r6)r>r?h2s r"rAz@MySQLCachingSHA2PasswordAuthPlugin._scramble..s ;;;Xb"b;;;r$32B) rrr.rrCrDrErrFupdaterGrHrI)rrrrLrMrOrNs r" _scramblez,MySQLCachingSHA2PasswordAuthPlugin._scrambles  N'(LMM M~ 3$.#..C4>((11148N O x  '')) VE]]))++,,, Y ;;UE):):;;; E*E*** r$ct|jdkr|S|jd|jkr|SdS)Nr r)lenrrkperform_full_authentication_full_authenticationr's r"r(z3MySQLCachingSHA2PasswordAuthPlugin.prepare_passwordsS t  ! # #>>## # _Q 4#C C C,,.. .tr$c|js-tjd|j|jsdS|j}t |tr|d}|dzS)rWr*r+rXrY) rrr.r/r0rrCrDrEr[s r"roz7MySQLCachingSHA2PasswordAuthPlugin._full_authentications  ('(=(D(D%)E)')'(( (~ 7> h $ $ /v..H'!!r$N) r2r3r4r5r-r0rnfast_auth_successrkr(ror6r$r"rbrbsc L)K"#6 " " " " "r$rbceZdZdZgdZdZdZeZdZ dZ dZ dZ dZ dZdZdZd Zd Zd Zd Zd ZdZddZdZdZdZdZdZdS)MySQLLdapSaslPasswordAuthPlugina5Class implementing the MySQL ldap sasl authentication plugin. The MySQL's ldap sasl authentication plugin support two authentication methods SCRAM-SHA-1 and GSSAPI (using Kerberos). This implementation only support SCRAM-SHA-1 and SCRAM-SHA-256. SCRAM-SHA-1 amd SCRAM-SHA-256 This method requires 2 messages from client and 2 responses from server. The first message from client will be generated by prepare_password(), after receive the response from the server, it is required that this response is passed back to auth_continue() which will return the second message from the client. After send this second message to the server, the second server respond needs to be passed to auth_finalize() to finish the authentication process. )z SCRAM-SHA-1z SCRAM-SHA-256GSSAPIFauthentication_ldap_sasl_clientNrcPtdt||DS)Ncg|] \}}||z  Sr6r6)r>b1b2s r"rAz8MySQLLdapSaslPasswordAuthPlugin._xor..#s @@@&"bb2g@@@r$)bytesrG)rbytes1bytes2s r"_xorz$MySQLLdapSaslPasswordAuthPlugin._xor"s)@@C,?,?@@@AAAr$c`tj|||j}|SN)hmacnewdef_digest_moderF)rrsalt digest_makers r"_hmacz%MySQLLdapSaslPasswordAuthPlugin._hmac%s*x$0DEE ""$$$r$c|}|||dz}|}t|dz D].}|||}|||}/|S)zPrepares Hi Hi(password, salt, iterations) where Hi(p,s,i) is defined as PBKDF2 (HMAC, p, s, i, output length of H). sr )rErranger})rrrcountpwhiaux_s r"_hiz#MySQLLdapSaslPasswordAuthPlugin._hi)sy __   ZZD#66 7 7uqy!! $ $A**R%%C2s##BB r$ct|}t|}|'tjd||S)Nzbroken_rule: {}) norm_ustr valid_normrr.r/)rstringnorm_str broken_rulecharrules r" _normalizez*MySQLLdapSaslPasswordAuthPlugin._normalize7sIV$$ **  "'(9(@(@(M(MNN N r$c.d}ttdd|_|||j|j}t|tr|d}|S)aqThis method generates the first message to the server to start the The client-first message consists of a gs2-header, the desired username, and a randomly generated client nonce cnonce. The first message from the server has the form: b'n,a=,n=,r= Returns client's first message z.n,a={user_name},n={user_name},r={client_nonce}-r) user_name client_noncerY) rDrreplacerr/rrrCrE)r cfm_fprnatcfms r"_first_messagez.MySQLLdapSaslPasswordAuthPlugin._first_messageBsF LL00b99$//$.*I*I-1-> @@ c3   %**V$$C r$c>td|jtjj|jdtjj } tj }td |j nx#tjj j $r\}td|||t!jd|d}~wwxYwn1#tjjj$r}|jsBtd|t!jd | td tj||jdd }|d }nc#tjjj$rG}td|t!jd|d}~wwxYwYd}~nd}~wwxYwtjjtjjtjjf}|jr|j}nd}td|tj|tjj}||_ tj!||tE|d |_# |j#$}nc#tjjj$rG}td|t!jd|d}~wwxYwtd||S)zGet a TGT Authentication request and initiates security context. This method will contact the Kerberos KDC in order of obtain a TGT. z# user name: %srY name_typezE# Stored credentials found, if password was given it will be ignored.z Credentials has expired: %szCredentials has expired: {}Nz* Unable to retrieve stored credentials: %sz/Unable to retrieve stored credentials error: {}z5# Attempt to retrieve credentials with given passwordinitiateusagerz; Unable to retrieve credentials with the given password: %sz:Unable to retrieve credentials with the given password: {}z ldap/ldapauthz# service principal: %sr,credsflagsrz'Unable to initiate security context: %sz'Unable to initiate security context: {}z# initial client token: %s)%_LOGGERdebugrgssapirawnames import_namerENameTypeuser Credentialslifetime exceptionsExpiredCredentialsErrorwarningacquirerr.r/miscGSSErrorrerroracquire_cred_with_passwordProgrammingErrorRequirementFlagmutual_authenticationextended_errordelegate_to_peerkrb_service_principalNamekerberos_principal target_nameSecurityContextsumctxstep) rrcrederracquire_cred_resultflags_lservice_principalservkinitial_client_tokens r"_first_message_krbz2MySQLLdapSaslPasswordAuthPlugin._first_message_krbVs  '888J$001F1Fv1N1N;A?;O1QQ  *%''D MM. / / / W :(@ W W W >DDD Y'''+,I,P,PQT,U,UVVV W z' * * *> * JCPPP+ELLSQQSSS *MM#3444*0**O*O!4>#8#8#@#@ +P+T+T'.q1DDz/***MM#125777 1#VC[[****DDDD *&)?)8):   % 0 $ :   /  /1BCCC -9[\\\ )u0403G 0:<<<  _#'8==?? z' _ _ _ MMCS I I I'(Q(X(XY\(](]^^ ^ _  24HIII##s}/-DB%$D%D>ADDDI 9A IAG I I9AH;;III LM?8AM::M?ctd||j|}td|td|jj||jjfS)a Continue with the Kerberos TGT service request. With the TGT authentication service given response generate a TGT service request. This method must be invoked sequentially (in a loop) until the security context is completed and an empty response needs to be send to acknowledge the server. Args: tgt_auth_challenge the challenge for the negotiation. Returns: tuple (bytearray TGS service request, bool True if context is completed otherwise False). tgt_auth challenge: %sz# context step response: %sz# context completed?: %s)rrrrcompletertgt_auth_challengeresps r"auth_continue_krbz1MySQLLdapSaslPasswordAuthPlugin.auth_continue_krbsm  .0BCCCx}}/00 3T::: 0$(2CDDDTX&&&r$c0|jjstjdtd|td|jj |j|}td|nc#tj j j $rG}td|tj d |d}~wwxYwtd|td }td ||j|d }td |dt!|d|jS)aPAccept handshake and generate closing handshake message for server. This method verifies the server authenticity from the given message and included signature and generates the closing handshake for the server. When this method is invoked the security context is already established and the client and server can send GSSAPI formated secure messages. To finish the authentication handshake the server sends a message with the security layer availability and the maximum buffer size. Since the connector only uses the GSSAPI authentication mechanism to authenticate the user with the server, the server will verify clients message signature and terminate the GSSAPI authentication and send two messages; an authentication acceptance b'' and a OK packet (that must be received after sent the returned message from this method). Args: message a wrapped hssapi message from the server. Returns: bytearray closing handshake message to be send to the server. z"Security context is not completed.z# servers message: %sz# GSSAPI flags in use: %sz# unwraped: %s#Unable to unwrap server message: %s#Unable to unwrap server message: {}Nz# unwrapped server message: %sz# message response: %sFencryptz*# wrapped message response: %s, length: %dr)rrrrrr actual_flagsunwraprrr BadMICErrorr.r/ bytearraywraprmmessagerrunwrapedrresponsewrapeds r"auth_accept_close_handshakez;MySQLLdapSaslPasswordAuthPlugin.auth_accept_close_handshakesm2x  P)*NOO O -w777 1483HIII 1xw//H MM*H 5 5 5 5z$0 1 1 1 MM? E E E')$$*F3KK11 1 1  6AAA /00 .999x77 BQiVAY 1 1 1~"5BC81AC33C8c |j}||_td|||jvrTt jd|d |jdd|jdd|jvr/tst j d| S|jdkr t|_|S) zThis method will prepare the fist message to the server. Returns bytes to send to the server as the first message. z read_method_name_from_server: %szpThe sasl authentication method "{}" requested from the server is not supported. Only "{}" and "{}" are supportedz", "NsGSSAPIzwModule gssapi is required for GSSAPI authentication mechanism but was not found. Unable to authenticate with the servers SCRAM-SHA-256)rdecoderrrsasl_mechanismsrr.r/joinrrrrrr)rrauth_mechanisms r"r1z-MySQLLdapSaslPasswordAuthPlugin.auth_responses //11%:" 8.III !5 5 5'EEKV"FKK0DSbS0I$J$J(,F.F.// /  ' ' '-&'''**,, , ?. . .#)D ""$$$r$c  |jstjd||j}||t |j|j}t dt| | |d}t dt| ||}t dt| | |d}t dt| dd ||jd |jg}t d |d||jd td ||j d |jg}t d|| ||}t dt| |||} t dt|  t| || |_t d|jtd ||j } dd | d |jdt|  g} t d| | S)aThis method generates the second message to the server Second message consist on the concatenation of the client and the server nonce, and cproof. c=>,r=,p= where: : xor(, ) : hmac(salted_password, b"Client Key") : hmac(, ) : h() : ,, c=,r= : n=r= r;zsalted_password: %ss Client Keyzclient_key: %szstored_key: %ss Server Keyzserver_key: %s,zn={}zr={}zclient_first_no_header: %szc={}zn,a={},z auth_msg: %szclient_signature: %szclient_proof: %szserver_auth_var: %szp={}zsecond_message: %s)rrr.rrrr server_salt iterationsrrrrrrrFrr/rr servers_firstrE server_noncer}server_auth_var) rpasswsalted_password client_key stored_key server_keyclient_first_no_headerauth_msgclient_signature client_proof client_headermsgs r"_second_messagez/MySQLLdapSaslPasswordAuthPlugin._second_messages" N'(LMM M//((5#,T-=#>#>#'?44  +007799 ; ; ;ZZ??  & *(=(=(D(D(F(FGGG))*55<<>>  & *(=(=(D(D(F(FGGGZZ??  & *(=(=(D(D(F(FGGG!$ MM$//$.99 : : MM$+ , ,+."/"/  24JKKK88 "   MM)I$4$4//%1%117;;;A688 E E MM$+ , , .//  nh///::j(//2C2CDD , 01188:: < < <yy-=>>  ()L*A*A*H*H*J*JKKK( JJz8??#4#4 5 5 7 77=vxx  +T-ABBB!   T__T^<< = = D D F FHHHN hh m44 d&788 i &=&=&D&D&F&FGGIJJ  *C000zz||r$cf|rt|ttfs'tjd| |}||_|d\}}}n5#t$r(tjd|wxYw| dr*| dr| ds'tjd||j |vr0|dd|_ td |j n'tjd ||dd|_td |jt!|j |dd}td |t#||_dS#tjd |xYw)zValidates first message from the server. Extracts the server's salt and iterations from the servers 1st response. First message from the server is in the form: ,i= zUnexpected server message: {}rzr=zs=zi=z&Incomplete reponse from the server: {}Nzserver_nonce: %szP$Q$Q B')++16-+@+@BB B B)0022M!.D 0=0C0CC0H0H -NFII B B B')++16-+@+@BB B B((.. B  && B##D)) B')++16-+@+@BB B   . . .qrr 2D  MM,d.? @ @ @ @')++16-+@+@BB B"!"": 2D4D4+,, . . . N!!"" I MM*11)<< = = =!)nnDOOO N')77=vm7L7LNN Ns4A<<2B.:A H)H0cT|||S)zwreturn the second message from the client. Returns bytes to send to the server as the second message. )r r)rservers_first_responses r" auth_continuez-MySQLLdapSaslPasswordAuthPlugin.auth_continueks+ $$%;<<<##%%%r$c,|r=t|tr(t|dks|dst jd|dd}td||j |kS)aXValidates second message from the server. The client and the server prove to each other they have the same Auth variable. The second message from the server consist of the server's proof: server_proof = HMAC(, ) where: : hmac(, b"Server Key") : ,, c=,r= Our server_proof must be equal to the Auth variable send on this second response. rsv=z(The server's proof is not well formated.Nzserver auth variable: %s) rCrrmrrr.rrrr)rservers_second server_vars r"_validate_second_reponsez8MySQLLdapSaslPasswordAuthPlugin._validate_second_reponsess  TZ %J%J T ~   ! !)B)B5)I)I !'(RSS S#ABB'..00  0*===#z11r$cX||stjddS)zfinalize the authentication process. Raises errors.InterfaceError if the ervers_second_response is invalid. Returns True in succesfull authentication False otherwise. z7Authentication failed: Unable to proof server identity.T)rrr.)rservers_second_responses r" auth_finalizez-MySQLLdapSaslPasswordAuthPlugin.auth_finalizes?,,-DEE B')ABB Btr$r)r2r3r4r5rr-r0rrr client_saltrrrrr}rrrrrrrr1rr r rrr6r$r"rsrssA"A@@OL3KOLKK JOBBB%%%      (A$A$A$H''',111f%%%%8BBBH&N&N&NP&&&222.     r$rscZeZdZdZdZdZdZedZdZ dZ dZ d d Z d Z d ZdS) MySQLKerberosAuthPluginz3Implement the MySQL Kerberos authentication plugin.authentication_kerberos_clientFNc0 tjd}t|j}|ddkr|dd\}}|S#tjjj$r}tj cYd}~Sd}~wwxYw)z(Get user from credentials without realm.rr@rr N) rrrDr,findrrrrgetpassgetuser)rrrrs r"get_user_from_credentialsz1MySQLKerberosAuthPlugin.get_user_from_credentialss %&Z888Euz??Dyy~~##**S!,,aKz' % % %?$$ $ $ $ $ $ $ %sAAB8B BBctdtjj|dtjj} tj ||j dd}n8#tjj j $r}tjd|d}~wwxYw|d}|S) z.Acquire credentials through provided password.z8Attempt to acquire credentials through provided passwordr<rrrz7Unable to acquire credentials with the given password: Nr)rrrrrrrErrrrrrrr)rupnrrrrs r"_acquire_cred_with_passwordz3MySQLKerberosAuthPlugin._acquire_cred_with_passwords F   :#// JJw  o*0    55N))'22$6 z'   )O#OO  $A& s$:BC8CCctjd|ddd}|dd}tjd|d|d|d}||d}tjd|ddd}tjd|d|ddd}||fSaYParse authentication data. Get the SPN and REALM from the authentication data packet. Format: SPN string length two bytes + SPN string + UPN realm string length two bytes + UPN realm string Returns: tuple: With 'spn' and 'realm'. zzz||U\\^^++r$c|jsdS|j}t|tr|d}|dzS)z!Return password as as clear text.rXrYrZr[s r"r(z(MySQLKerberosAuthPlugin.prepare_passwordr\r$cVd}d}|rC ||\}}n)#tj$r}td|d}~wwxYw||S|jr |jd|nd}t d|t d|t d|j tj d}t|j }t d t d || dd kr| dd \}} n|}d} |jr |jd|n|}|jrA|j|kr6t d |j||}| r"| |kr|j||}n#tjjj$r@}|r|j||}nt'jd|Yd}~n_d}~wtjjj$r@}|r|j||}nt'jd|Yd}~nd}~wwxYwtjjtjjtjjf} tj|tjj} | tjj } tj!| |tE| d|_# |j#$} n8#tjjj$r}t'jd|d}~wwxYwt d| | S)z'Prepare the fist message to the server.NInvalid authentication data: rService Principal: %s Realm: %s Username: %srrzCached credentials foundzCached credentials UPN: %srr zBThe user from cached credentials doesn't match with the given userzCredentials has expired: z-Unable to retrieve cached credentials error: rr%Unable to initiate security context: Initial client token: %s)%r.rHrInterruptedErrorr(rrrrrrDr,rrrr!rrrrr.rrrrrrrrr canonicalizeMechTypekerberosrrcontextr)rrr+r-rr r creds_upn creds_user creds_realmrr,cnamers r"r1z%MySQLKerberosAuthPlugin.auth_responses  N N!229== UU< N N N&'Ls'L'LMMM N ;((** *-1^E))%))) -s333 k5))) ndn555) &Z888EEJI MM4 5 5 5 MM6 B B B~~c""b((*3//#q*A*A' KK& " 15NT^--e---YC~ B$.J">"> !>- < +u 4 4*88==z$< O O O Ot~188==+,M,M,MNNNz'    t~188==+ICII   " 8  " 1  " 3  { o8   !!&/":;;-e**      #'<#4#4#6#6 z'   '===    02FGGG##sQ!AAA DG##J<6H77J6JJ<MN /NN ctd||j|}td|td|jj||jjfS)!Continue with the Kerberos TGT service request. With the TGT authentication service given response generate a TGT service request. This method must be invoked sequentially (in a loop) until the security context is completed and an empty response needs to be send to acknowledge the server. Args: tgt_auth_challenge: the challenge for the negotiation. Returns: tuple (bytearray TGS service request, bool True if context is completed otherwise False). rzContext step response: %sContext completed?: %s)rrr<rrrs r"r z%MySQLKerberosAuthPlugin.auth_continueBso  .0BCCC|  !344 14888 . 0EFFFT\***r$c0|jjstjdtd|td|jj |j|}td|nc#tj j j $rG}td|tj d |d}~wwxYwtd|td }td ||j|d }td |dt!|d|jS)a_Accept handshake and generate closing handshake message for server. This method verifies the server authenticity from the given message and included signature and generates the closing handshake for the server. When this method is invoked the security context is already established and the client and server can send GSSAPI formated secure messages. To finish the authentication handshake the server sends a message with the security layer availability and the maximum buffer size. Since the connector only uses the GSSAPI authentication mechanism to authenticate the user with the server, the server will verify clients message signature and terminate the GSSAPI authentication and send two messages; an authentication acceptance b'' and a OK packet (that must be received after sent the returned message from this method). Args: message: a wrapped gssapi message from the server. Returns: bytearray (closing handshake message to be send to the server). z!Security context is not completedzServer message: %szGSSAPI flags in use: %sz Unwraped: %srrNzUnwrapped server message: %srzMessage response: %sFrz(Wrapped message response: %s, length: %dr)r<rrrrrrrrrrrr.r/rrrmrrs r"rz3MySQLKerberosAuthPlugin.auth_accept_close_handshakeZss4|$ O)*MNN N *G444 /1JKKK |**733H MM.( 3 3 3 3z$0    MM? E E E'5<z.sc!ffrkr$cztjtj|Sr)rXrYexistsrZrhs r"rjz.s$27>>"'2D2DQ2G2G#H#Hr$)rJr`z Parameter "z " is invalidzDoes not contain parameter NzInvalid profile z in: "z". Errors found: )ocirer ImportErrorrrDEFAULT_LOCATION from_fileappendKeyErrorConfigFileNotFound InvalidConfigInvalidKeyFilePathInvalidPrivateKeyMissingPrivateKeyPassphraseProfileNotFoundrD) roci_path profile_namerer error_listreq_keysrPreq_keyrs r"_get_valid_oci_configz*MySQL_OCI_AuthPlugin._get_valid_oci_configs & . . . . . . . . . & & &)%&& & & /.H 11HH    ())(LAAJ# O OO!'*O0x0G1DEEO"))*M*M*M*MNNNOOO%%&MG&M&MNNNNNNNNO  O  )  $  )  (  2  &   ( ( (   c#hh ' ' ' ' ' ' ' ' (  0)/<//x//",//00 0sJ *C8BC CB;6C;CC)D-"DDc:tstjdtd|jt |jtd|||}||d}| |jtj tj }|||}td||S)z-Prepare authentication string for the server.rTzserver nonce: %s, len %dz#OCI configuration file location: %sr`zauthentication response: %s)rVrrrrrrmr~rbsignr PKCS1v15r SHA256rRrE)rryrPrarKr1s r"r1z"MySQL_OCI_AuthPlugin.auth_responses% )9   0os4?';'; = = = ;XFFF//99 ++Jz,BCC $$ O     MOO  33IzJJ  3]CCC##%%%r$)Nrcr) r2r3r4r5r0r-r<rRrbr~r1r6r$r"rGrGss<<-KLGFFF$&,,,,\&&&&&&r$rGc2eZdZdZdZdZdZdZddZdZ dS) MySQLSSPIKerberosAuthPluginzDImplement the MySQL Kerberos authentication plugin with Windows SSPIrFNctjd|ddd}|dd}tjd|d|d|d}||d}tjd|ddd}tjd|d|ddd}||fSr#r&r(s r"r.z,MySQLSSPIKerberosAuthPlugin._parse_auth_data r/r$ctdd}d}|rC ||\}}n)#tj$r}t d|d}~wwxYwtd|td|td|jtttj dtj tj f}|jr|j r|j||j f}nd}|}td|td |dutjd ||t|tj |_ d}|j|\}} td |td | td|jj| dj} td|jjn)#t,$r}tjd|d}~wwxYwtd| | S)z(Prepare the first message to the server.zauth_response for sspiNr2r3r4r5zKPackage "pywin32" (Python for Win32 (pywin32) extensions) is not installed.z targetspn: %sz_auth_info is None: %sKerberos) targetspn auth_infoscflagsdatarepContext step err: %sContext step out_buf: %srCrz pkg_info: %sr6r7)rrr.rHrr8rsspiconsspirrISC_REQ_MUTUAL_AUTHISC_REQ_DELEGATEr ClientAuthrSECURITY_NETWORK_DREP clientauth authorize authenticatedBufferpkg_inforJr.) rrr+r-rr _auth_infordataout_bufrs r"r1z)MySQLSSPIKerberosAuthPlugin.auth_response%sx .///  N N!229== UU< N N N&'Ls'L'LMMM N  -s333 k5))) ndn555 ?dl)%&& &  '  $  > dn .%@JJJ  oy111 . d0BCCC/ )zJJ(EGGG D?44T::LC MM0# 6 6 6 MM4g > > > MM2DO4Q R R R#*1:#4 MM.$/*B C C C C   '===    02FGGG##s.;A! AA!B,H11 I;IIctd||j|\}}td|td||dj}td|td|jj||jjfS)rBrrrrzContext step resp: %srC)rrrrrr)rrrrrs r"r z)MySQLSSPIKerberosAuthPlugin.auth_continue\s  .0BCCC001CDD W ,c222 0':::qz  -t444 .0MNNNT_222r$r) r2r3r4r5r0r-r<r.r1r r6r$r"rrs\NN2KLG,,,25$5$5$5$n33333r$rntctD]}|j|kr|cStjd|)a.Return authentication class based on plugin name This function returns the class for the authentication plugin plugin_name. The returned class is a subclass of BaseAuthPlugin. Raises errors.NotSupportedError when plugin_name is not supported. Returns subclass of BaseAuthPlugin. z,Authentication plugin '{0}' is not supported)r__subclasses__r0rNotSupportedErrorr/)r0 authclasss r"get_auth_pluginr|si$2244  K / /    0  "6==kJJ L LLr$)5r5base64rrhashlibrrrrloggingrXrH urllib.parseruuidrcryptography.exceptionsr cryptography.hazmat.primitivesr r )cryptography.hazmat.primitives.asymmetricr rVrnrrrwin32apirrutilsrrrr getLoggerr2 addHandler NullHandlerrobjectrr8rSr^rbrsrrGrr,rr6r$r"rs:<;''''''''   #<<<<<<DDDDDDDDAAAAAA!###"#MMMM FFFKKKNNNOOOO DGHHH FFFFFFFF(&&':w':'<'<=== ' H % %/'/'/'/'/'V/'/'/'d!!!!!N!!!H""""">"""$"""""N""",:":":":":":":":"zOOOOOnOOOd yyyyynyyyxo&o&o&o&o&>o&o&o&dp3p3p3p3p3.p3p3p3f7d??9LLLLLs5A AAAA('A(, A99 BB