a lJh9@sdZddlmZddlmZmZmZmZddlm Z m Z m Z ddl m Z ddl mZmZddlmZmZmZmZmZmZmZmZdd lmZerdd lmZGd d d Zd S)z5Implementing support for MySQL Authentication Plugins) annotations) TYPE_CHECKINGAnyDictOptional)InterfaceErrorNotSupportedError get_exception)logger)MySQLAuthPluginget_auth_plugin)AUTH_SWITCH_STATUSDEFAULT_CHARSET_IDDEFAULT_MAX_ALLOWED_PACKET ERR_STATUSEXCHANGE_FURTHER_STATUS MFA_STATUS OK_STATUS MySQLProtocol) HandShakeType) MySQLSocketc@seZdZdZddddZeddddZed dd d Zd dd d dZe de fddddddddddZ d,ddddddddZ ddddd d!Z ddddd"d#Zd$d$d$d$de de dddd%ddfdd&ddddddddddd'dd(d(dd)d*d+ZdS)-MySQLAuthenticatorz$Implements the authentication phase.None)returncCs(d|_i|_i|_d|_d|_d|_dS)z Constructor.FN) _username _passwords_plugin_config _ssl_enabled_auth_strategy_auth_plugin_classselfr$P/var/www/shaz/venv/lib/python3.9/site-packages/mysql/connector/authentication.py__init__8s zMySQLAuthenticator.__init__boolcCs|jS)z&Signals whether or not SSL is enabled.)rr"r$r$r% ssl_enabledAszMySQLAuthenticator.ssl_enabledzDict[str, Any]cCs|jS)aCustom arguments that are being provided to the authentication plugin when called. The parameters defined here will override the ones defined in the auth plugin itself. The plugin config is a read-only property - the plugin configuration provided when invoking `authenticate()` is recorded and can be queried by accessing this property. Returns: dict: The latest plugin configuration provided when invoking `authenticate()`. )rr"r$r$r% plugin_configFsz MySQLAuthenticator.plugin_config)configrcCs|j|dS)z,Update the 'plugin_config' instance variableN)rupdate)r#r*r$r$r%update_plugin_configWsz'MySQLAuthenticator.update_plugin_configrrstrzOptional[Dict[str, Any]]intbytes)sockhost ssl_optionscharset client_flagsmax_allowed_packetrc Cs|dur i}tj|||d}||td|j|d|d|d|dd|d d|d |d d }td |||tdd|_|S)aSets up an SSL communication channel. Args: sock: Pointer to the socket connection. host: Server host name. ssl_options: SSL and TLS connection options (see `network.MySQLSocket.build_ssl_context`). charset: Client charset (see [1]), only the lower 8-bits. client_flags: Integer representing client capabilities flags. max_allowed_packet: Maximum packet size. Returns: ssl_request_payload: Payload used to carry out SSL authentication. References: [1]: https://dev.mysql.com/doc/dev/mysql-server/latest/ page_protocol_basic_character_set.html#a_protocol_character_set N)r3r4r5zBuilding SSL contextcacertkeyZ verify_certFZverify_identity tls_versionsZtls_ciphersuites)Zssl_caZssl_certZssl_keyZssl_verify_certZssl_verify_identityr9Ztls_cipher_suiteszSwitching to SSLzSSL has been enabledT) rZ make_auth_sslsendr debugZbuild_ssl_contextgetZ switch_to_sslr) r#r0r1r2r3r4r5Zssl_request_payload ssl_contextr$r$r% setup_ssl[s.       zMySQLAuthenticator.setup_sslNrz Optional[str])new_strategy_namestrategy_classusernamepassword_factorrcCsP|dur|j}|dur|j}td|t||d||j|d|jd|_dS)aSwitches the authorization plugin. Args: new_strategy_name: New authorization plugin name to switch to. strategy_class: New authorization plugin class to switch to (has higher precedence than the authorization plugin name). username: Username to be used - if not defined, the username provided when `authentication()` was invoked is used. password_factor: Up to three levels of authentication (MFA) are allowed, hence you can choose the password corresponding to the 1st, 2nd, or 3rd factor - 1st is the default. NzSwitching to strategy %s)Z plugin_nameauth_plugin_classr)r() rr!r r;r rr<r(r )r#r?r@rArBr$r$r%_switch_auth_strategys  z(MySQLAuthenticator._switch_auth_strategyzOptional[bytes])r0pktrcCsd}|dtkr||jvr"tdt|\}}|j||dtd||jj |jj ||fi|j }|dt krt |}|jj||fi|j }|dtkrtd|S|dtkrt||d7}qtdd S) a Handles MFA (Multi-Factor Authentication) response. Up to three levels of authentication (MFA) are allowed. Args: sock: Pointer to the socket connection. pkt: MFA response. Returns: ok_packet: If last server's response is an OK packet. None: If last server's response isn't an OK packet and no ERROR was raised. Raises: InterfaceError: If got an invalid N factor. errors.ErrorTypes: If got an ERROR response. z5Failed Multi Factor Authentication (invalid N factor))rBzMFA %i factor %szMFA completed succesfullyrz"MFA terminated with a no ok packetN)rrrrZparse_auth_next_factorrDr r;r nameauth_switch_responserrparse_auth_more_dataauth_more_responserrr warning)r#r0rEZn_factorr? auth_datar$r$r% _mfa_n_factors:         z MySQLAuthenticator._mfa_n_factorcCs |dtkr t|dkr td|dtkrftdt|\}}|||jj ||fi|j }|dt krtdt |}|jj ||fi|j }|dtkrtd|jj|S|dtkrtdtd|jj|||S|dtkrt|d S) aHandles server's response. Args: sock: Pointer to the socket connection. pkt: Server's response after completing the `HandShakeResponse`. Returns: ok_packet: If last server's response is an OK packet. None: If last server's response isn't an OK packet and no ERROR was raised. Raises: errors.ErrorTypes: If got an ERROR response. NotSupportedError: If got Authentication with old (insecure) passwords. rGzAuthentication with old (insecure) passwords is not supported. For more information, lookup Password Hashing in the latest MySQL manualz+Server's response is an auth switch requestzExchanging further packetsz%s completed succesfullyz$Starting multi-factor authenticationzMFA 1 factor %sN)rlenr r r;rZparse_auth_switch_requestrDr rIrrrJrKrrHrrNrr )r#r0rEr?rMr$r$r%_handle_server_responses>          z*MySQLAuthenticator._handle_server_responserFrzOptional[Dict[str, str]]z Optional[int])r0 handshakerA password1 password2 password3databaser3r4r5 auth_pluginrC conn_attrsis_change_user_request read_timeout write_timeoutrcCs||_|||d|_| |_tj|||||| | | | | ||j|jd \}|_|rVdd|fndd|f}|j|g|Rt | |}| ||}|durt dd|S)aPerforms the authentication phase. During re-authentication you must set `is_change_user_request` to True. Args: sock: Pointer to the socket connection. handshake: Initial handshake. username: Account's username. password1: Account's password factor 1. password2: Account's password factor 2. password3: Account's password factor 3. database: Initial database name for the connection. charset: Client charset (see [1]), only the lower 8-bits. client_flags: Integer representing client capabilities flags. max_allowed_packet: Maximum packet size. auth_plugin: Authorization plugin name. auth_plugin_class: Authorization plugin class (has higher precedence than the authorization plugin name). conn_attrs: Connection attributes. is_change_user_request: Whether is a `change user request` operation or not. read_timeout: Timeout in seconds upto which the connector should wait for the server to reply back before raising an ReadTimeoutError. write_timeout: Timeout in seconds upto which the connector should spend to send data to the server before raising an WriteTimeoutError. Returns: ok_packet: OK packet. Raises: InterfaceError: If OK packet is NULL. ReadTimeoutError: If the time taken for the server to reply back exceeds 'read_timeout' (if set). WriteTimeoutError: If the time taken to send data packets to the server exceeds 'write_timeout' (if set). References: [1]: https://dev.mysql.com/doc/dev/mysql-server/latest/ page_protocol_basic_character_set.html#a_protocol_character_set )rrF) rRrApasswordrVr3r4r5rWrCrXrYr(r)rNzGot a NULL ok_pkt) rrr!rZ make_authr(r)r r:r/recvrQr)r#r0rRrArSrTrUrVr3r4r5rWrCrXrYrZr[Zresponse_payloadZ send_argsrEZok_pktr$r$r% authenticate#s8:    zMySQLAuthenticator.authenticate)NNr)__name__ __module__ __qualname____doc__r&propertyr(r)r,rrr>rDrNrQr_r$r$r$r%r5s@  <"6;rN)rc __future__rtypingrrrrerrorsrr r r pluginsr r protocolrrrrrrrrtypesrnetworkrrr$r$r$r%s  (