(XcUddlZddlmZddlmZddlmZddlm Z ddlm Z ddlm ZddlmZmZddlmZdd lmZdd lmZdd lmZGd d ej6ej8Zy)N) chan_bindings) sec_contexts)message) named_tuples)names)oids)RequirementFlagIntEnumFlagSet)_utils)Name) CredentialsceZdZdZ d/dej ejdej edej e jdej e dej e dej e d ej e jd ej ej d ej ed dffd Z d/dej ejdej edej e jdej e dej e dej e d ej e jd ej ej d ej ed dfdZded efdZdeded e fdZdeded ej0fdZded ej4fdZded efdZded efdZ d0de ded e fdZded dfdZd efdZ dZ!e"jFded ejHfdZ%e&d e fd Z'e&d ej e fd!Z(e"jRd"d#Z*e"jRd$d%Z+e"jRd d&Z,e"jRdd'Z-e"jRd(d)Z.e&e"jFd efd*Z/e"j` d1dej ed ej efd+Z1ded ej efd,Z2 d1dej ed ej efd-Z3d ejhejjdejhdefffd.Z6xZ7S)2SecurityContextaA GSSAPI Security Context This class represents a GSSAPI security context that may be used with and/or returned by other GSSAPI methods. It inherits from the low-level GSSAPI :class:`~gssapi.raw.sec_contexts.SecurityContext` class, and thus may used with both low-level and high-level API methods. This class may be pickled and unpickled (the attached delegated credentials object will not be preserved, however). Nbasetokennamecredslifetimeflagsmechchannel_bindingsusagereturnc |tj|}tjdtt |||S)Nr) rsec_contextsimport_sec_contexttcastsuperr__new__) clsrrrrrrrrr __class__s 5/usr/lib/python3/dist-packages/gssapi/sec_contexts.pyr zSecurityContext.__new__ sB   33E:Dvv'OS9#tDF Fc dd|_||| %| dvrd} tj| d| |_n4|!|jdk7r|j|_n|d|_nd|_|jdk(r8| t d ||_||_tt||_ ||_ n|||| t d ||_ ||_ d|_ d|_y |jrd|_nd|_d|_y#tj$rd } tj| dwxYw) a The constructor creates a new security context, but does not begin the initiate or accept process. If the `base` argument is used, an existing :class:`~gssapi.raw.sec_contexts.SecurityContext` object from the low-level API is converted into a high-level object. If the `token` argument is passed, the security context is imported using the token. Otherwise, a new security context is created. If the `usage` argument is not passed, the constructor will attempt to detect what the appropriate usage is based on either the existing security context (if `base` or `token` are used) or the argument set. For a security context of the `initiate` usage, the `name` argument must be used, and the `creds`, `mech`, `flags`, `lifetime`, and `channel_bindings` arguments may be used as well. For a security context of the `accept` usage, the `creds` and `channel_bindings` arguments may optionally be used. N)initiateacceptz+Usage must be either 'initiate' or 'accept'zsecurity context)objbothr&r'zNYou must pass the 'name' argument when creating an initiating security contextzVYou must pass at most the 'creds' argument when creating an accepting security contextz7Cannot extract usage from a partially completed context) _last_errexcsUnknownUsageErrorr TypeError _target_name_mechr r _desired_flags_desired_lifetime_channel_bindings_creds_delegated_credslocally_initiatedMissingContextError _complete) selfrrrrrrrrrmsgs r#__init__zSecurityContext.__init__3snN ""4#66r$encryptc0tj|||S)a5Wrap a message, optionally with encryption This wraps a message, signing it and optionally encrypting it. Args: message (bytes): the message to wrap encrypt (bool): whether or not to encrypt the message Returns: WrapResult: the wrapped message and details about it (e.g. whether encryption was used succesfully) Raises: ~gssapi.exceptions.ExpiredContextError ~gssapi.exceptions.MissingContextError ~gssapi.exceptions.BadQoPError )r<wrap)r8rrDs r#rFzSecurityContext.wraps0}}T7G44r$c.tj||S)aUnwrap a wrapped message. This method unwraps/unencrypts a wrapped message, verifying the signature along the way. Args: message (bytes): the message to unwrap/decrypt Returns: UnwrapResult: the unwrapped message and details about it (e.g. wheter encryption was used) Raises: ~gssapi.exceptions.InvalidTokenError ~gssapi.exceptions.BadMICError ~gssapi.exceptions.DuplicateTokenError ~gssapi.exceptions.ExpiredTokenError ~gssapi.exceptions.TokenTooLateError ~gssapi.exceptions.TokenTooEarlyError ~gssapi.exceptions.ExpiredContextError ~gssapi.exceptions.MissingContextError )r<unwrapr>s r#rHzSecurityContext.unwraps6tW--r$c|j|d}|jstjd|jS)aEncrypt a message. This method wraps and encrypts a message, similarly to :meth:`wrap`. The difference is that encryption is always used, and the method will raise an exception if this is not possible. Additionally, this method simply returns the encrypted message directly. Args: message (bytes): the message to encrypt Returns: bytes: the encrypted message Raises: ~gssapi.exceptions.EncryptionNotUsed: the encryption could not be used ~gssapi.exceptions.ExpiredContextError ~gssapi.exceptions.MissingContextError ~gssapi.exceptions.BadQoPError T)rDz!Wrapped message was not encrypted)rF encryptedr+EncryptionNotUsedrr8rress r#rDzSecurityContext.encrypts94iii.}}(()LM M{{r$c|j|}|js>|jtjzr!t j d|j|jS)aDecrypt a message. This method decrypts and unwraps a message, verifying the signature along the way, similarly to :meth:`unwrap`. The difference is that this method will raise an exception if encryption was established by the context and not used, and simply returns the decrypted message directly. Args: message (bytes): the encrypted message Returns: bytes: the decrypted message Raises: ~gssapi.exceptions.EncryptionNotUsed: encryption was expected, but not used ~gssapi.exceptions.InvalidTokenError ~gssapi.exceptions.BadMICError ~gssapi.exceptions.DuplicateTokenError ~gssapi.exceptions.ExpiredTokenError ~gssapi.exceptions.TokenTooLateError ~gssapi.exceptions.TokenTooEarlyError ~gssapi.exceptions.ExpiredContextError ~gssapi.exceptions.MissingContextError zTThe context was established with encryption, but unwrapped message was not encrypted)unwrapped_message)rHrJ actual_flagsr confidentialityr+rKrrLs r#decryptzSecurityContext.decrypt1s\>kk'" !!O$C$CC((*=KK%% 7C **S+6F3K 7++D;F; JJ' /"".S//0II JJ}e ,+s/KK**9k+.<<+.99c6F6F+.<<9 9r$c,tj|S)z7The amount of time for which this context remains valid)r context_timer]s r#rzSecurityContext.lifetimes))$//r$c|jS)zThe credentials delegated from the initiator to the acceptor .. warning:: This value will not be preserved across picklings. These should be separately exported and transfered. )r4r]s r#delegated_credszSecurityContext.delegated_credss$$$r$r_z2The :class:`Name` of the initiator of this contextr`z/The :class:`Name` of the target of this contextz8The mechanism (:class:`MechType`) in use by this contextzThe flags set on this contextraz)Whether this context was locally intiatedc|jr6|j}|& |jdj}||_|S|Sy#tj $rYywxYw)z7Whether negotiation for this context has been completedT)rbF)_startedr7rmrbr+r6)r8rbs r#rbzSecurityContext.completesd ==~~H.#}}d};DDH&.DNO8O//! !sAAAcp|jdk(r|j|xsdS|j|S)a*Perform a negotation step. This method performs a negotiation step based on the usage type of this context. If `__DEFER_STEP_ERRORS__` is set to True on the class, this method will return a token, even when exceptions would be thrown. The generated exception will be thrown on the next method call or property lookup on the context. **This is the default behavior.** This method should be used in a while loop, as such: .. code-block:: python input_token = None try: while not ctx.complete: output_token = ctx.step(input_token) if not output_token: break input_token = send_and_receive(output_token) except GSSError as e: handle_the_issue() .. tip:: Disabling `__DEFER_STEP_ERRORS__` is rarely necessary. When this method is used in a loop (as above), `__DEFER_STEP_ERRORS__` will ensure that you always send an error token when it's available, keeping the other end of the security context updated with the status of the negotiation. Args: token (bytes): the input token from the other participant's step Returns: bytes: the output token to send to the other participant Raises: ~gssapi.exceptions.InvalidTokenError ~gssapi.exceptions.InvalidCredentialsError ~gssapi.exceptions.MissingCredentialsError ~gssapi.exceptions.ExpiredCredentialsError ~gssapi.exceptions.BadChannelBindingsError ~gssapi.exceptions.BadMICError ~gssapi.exceptions.ExpiredTokenError: (initiate only) ~gssapi.exceptions.DuplicateTokenError ~gssapi.exceptions.MissingContextError ~gssapi.exceptions.BadNameTypeError: (initiate only) ~gssapi.exceptions.BadNameError: (initiate only) ~gssapi.exceptions.BadMechanismError r'r$)r)r_acceptor_step_initiator_steprYs r#stepzSecurityContext.step s=t :: !&&U\c&: :''e'4 4r$ctj||j||j}|jt |j|_nd|_|j |_|jSN) raccept_sec_contextr3r2rqr r4 more_stepsr7rr8rrMs r#ruzSecurityContext._acceptor_stepJsi..udkk/3T5K5KM    *$/0C0C$DD !$(D ! ^^+yyr$c tj|j|j||j|j |j |j|}|j |_ |jSry) rinit_sec_contextr.r3r/r0r1r2r{r7rr|s r#rvzSecurityContext._initiator_stepZsc,,T->-> -14::-1-@-@-1-C-C-1-C-C-2 4!^^+yyr$c<t|d|jffSry)typer^r]s r# __reduce__zSecurityContext.__reduce__jsT T4;;=122r$) NNNNNNNNN)Try)8__name__ __module__ __qualname____doc__rOptionalrrbytesrnamesr r introidsOIDrchan_bindingsChannelBindingsstrr r:r?rCboolrh WrapResultrF UnwrapResultrHrDrRrVrZr^rer check_last_errrirmpropertyrrqinquire_propertyr_r`rrPr5rbcatch_and_return_tokenrwrurvTupleTyper __classcell__)r"s@r#rrs ;?#'(,)-$(!%&*GK!%Fjj667Fzz% Fjj% F zz+& F **S/ Fzz#Fjj#F**^%C%CDFzz#F F*;?#'(,)-$(!%&*GK!%c0jj667c0zz% c0jj% c0 zz+& c0 **S/ c0zz#c0jj#c0**^%C%CDc0zz#c0 c0T// /6777 7B555    54..   .: B(( (Z3 33 3699 9,66"BM 7979  $ $7979r0#00 %K!8 % %-V,,NPN)&))HJK "6 " "J LD*6**02L///CE $& ""$(<5zz% <5 E <5#<5| E $$( zz%   E   3 )*AGGD%K,@@ A3r$r) metaclass)typingr gssapi.rawrrrrrr<rrhrrrrgssapi.raw.typesr r gssapi.exceptions exceptionsr+gssapir gssapi.namesr gssapi.credsr rCheckLastErrorr$r#rsF64*-&$< $] 3m33 & 5 5] 3r$