U ~fh).@sdZddlmZddlZddlZddlmZmZddlm Z m Z m Z m Z m Z mZddlZddlmZddlmZddlmZmZmZmZmZmZmZmZmZdd lmZm Z dd l!m"Z"e rdd l#m$Z$dd l%m&Z&d Z'ddddddZ(eGdddZ)dddddddZ*dS)z$MONGODB-OIDC Authentication helpers.) annotationsN) dataclassfield) TYPE_CHECKINGAnyMappingMutableMappingOptionalUnion)Binary) remaining) CALLBACK_VERSIONHUMAN_CALLBACK_TIMEOUT_SECONDS MACHINE_CALLBACK_TIMEOUT_SECONDSTIME_BETWEEN_CALLS_SECONDS OIDCCallbackOIDCCallbackContextOIDCCallbackResult OIDCIdPInfo_OIDCProperties)ConfigurationErrorOperationFailure)_AUTHENTICATION_FAILURE_CODE)AsyncConnection)MongoCredentialFrztuple[str, int]_OIDCAuthenticator) credentialsaddressreturncCs|jjr|jjS|j}|j}|jsd}|j}|D]:}||dkrFd}q0|dr0|d|ddr0d}q0|std|dd|t ||d|j_|jjS) NFrTz*.zRefusing to connect to z(, which is not in authOIDCAllowedHosts: )username properties) cachedatar Zmechanism_properties environment allowed_hosts startswithendswithrr)rrprincipal_namer!foundr%pattr+B/tmp/pip-unpacked-wheel-36gvocj8/pymongo/asynchronous/auth_oidc.py_get_authenticator/s$  r-c@s^eZdZUded<ded<eddZded<eddZded <eddZd ed <ed dZd ed<ee j dZ ded<ed dZ ded<dddddZ dddddZddddZdddd d!Zdddd"d#Zddd$d%Zdd&dd'd(d)Zd*d+d,d-d.Zdd/dd0d1Zdddd2d3d4Zdddd5d6Zdd&d7d8d9Zddd&d:d;d<ZdS)=rstrr rr!N)defaultz Optional[str] refresh_token access_tokenzOptional[OIDCIdPInfo]idp_inforint token_gen_id)default_factoryzthreading.Locklockfloatlast_call_timerOptional[Mapping[str, Any]])connrcs2|||jjr"||IdHS||IdHS)z(Handle a reauthenticate from the server.N) _invalidater!callback_authenticate_machine_authenticate_human)selfr:r+r+r,reauthenticateWs z!_OIDCAuthenticator.reauthenticatecsX|j}|r0|r0|j}|r0|dr0|j|_|S|jjrH||IdHS||IdHS)z'Handle an initial authenticate request.doneN) Zauth_ctxZspeculate_succeededZspeculative_authenticater4oidc_token_gen_idr!r<r=r>)r?r:ctxrespr+r+r, authenticate`s  z_OIDCAuthenticator.authenticatez"Optional[MutableMapping[str, Any]])rcCs|js dS|d|jiS)z-Get the appropriate speculative auth command.Njwt)r1_get_start_command)r?r+r+r,get_spec_auth_cmdrsz$_OIDCAuthenticator.get_spec_auth_cmdzMapping[str, Any]c sp|jr`z||IdHWStk r^}z(||rL||IdHWYSW5d}~XYnX||IdHSN)r1_sasl_start_jwtr_is_auth_errorr=)r?r:er+r+r,r=xs z(_OIDCAuthenticator._authenticate_machinec s|jr`z||IdHWStk r^}z(||rL||IdHWYSW5d}~XYnX|jrz||IdHWStk r}z.||rd|_||IdHWYSW5d}~XYnX|d}|||IdH}|||IdHSrI) r1rJrrKr>r0rG _run_command_sasl_continue_jwt)r?r:rLcmd start_respr+r+r,r>s$   z&_OIDCAuthenticator._authenticate_humanc CsH|j}|jdk }|r"|jdkr"dS|jr.|j}|jr:|j}|j}|rH|S|dkrX|sXdS|sB|dk rB|j|j}||kr|W5QRSt|j}|tkrt t|t|_|rt }|jdk st nt t pt}t|t|j|j|jjd}||} t| tstd| j|_| j|_|jd7_W5QRX|jS)N)Ztimeout_secondsversionr0r2r z2Callback result must be of type OIDCCallbackResultr)r!Zhuman_callbackr2r<r1r6timer8rsleeprAssertionErrorr3r rrr r0r fetch isinstancer ValueErrorr4) r?r!Zis_humancb prev_token new_tokendeltatimeoutcontextrDr+r+r,_get_access_tokensP     z$_OIDCAuthenticator._get_access_tokenzMutableMapping[str, Any])r:rOrc sVz|jd|ddIdHWStk rP}z||r>||W5d}~XYnXdS)Nz $externalT)Z no_reauth)commandrrKr;)r?r:rOrLr+r+r,rMs   z_OIDCAuthenticator._run_command Exceptionbool)errrcCst|tsdS|jtkS)NF)rVrcoder)r?rbr+r+r,rKs z!_OIDCAuthenticator._is_auth_errorNonecCs*|jpd}|dk r ||jkr dSd|_dS)Nr)rBr4r1)r?r:r4r+r+r,r;s z_OIDCAuthenticator._invalidate)r:rPrcs`d|_d|_t|d}d|kr.tf||_|}|j|_| d|i|}| ||IdHS)NpayloadZissuerrF) r1r0bsondecoderr2r^r4rB_get_continue_commandrM)r?r:rPZ start_payloadr1rOr+r+r,rNs z%_OIDCAuthenticator._sasl_continue_jwtcs0|}|j|_|d|i}|||IdHS)NrF)r^r4rBrGrM)r?r:r1rOr+r+r,rJsz"_OIDCAuthenticator._sasl_start_jwt)rercCs:|dkr |j}|rd|i}ni}tt|}dd|dS)Nnrz MONGODB-OIDC)Z saslStartZ mechanismre)r r rfencode)r?rer( bin_payloadr+r+r,rG s z%_OIDCAuthenticator._get_start_command)rerPrcCstt|}d||ddS)NrconversationId)Z saslContinuererl)r rfrj)r?rerPrkr+r+r,rhs z(_OIDCAuthenticator._get_continue_command)__name__ __module__ __qualname____annotations__rr0r1r2r4 threadingLockr6r8r@rErHr=r>r^rMrKr;rNrJrGrhr+r+r+r,rLs*  !8   rrar9)rr:r@rcs4t||j}|r ||IdHS||IdHSdS)z Authenticate using MONGODB-OIDC.N)r-rr@rE)rr:r@Z authenticatorr+r+r,_authenticate_oidcs rs)+__doc__ __future__rrqrRZ dataclassesrrtypingrrrrr r rfZ bson.binaryr Z pymongo._csotr Zpymongo.auth_oidc_sharedr rrrrrrrrZpymongo.errorsrrZpymongo.helpers_sharedrZpymongo.asynchronous.poolrZpymongo.auth_sharedrZ_IS_SYNCr-rrsr+r+r+r,s(    ,    R