=OOf;dZddlZddlZddlmZmZddlmZmZm Z dZ ddl Z ddl m Z dZ dZe r ddlZdZd d lmZmZd Zd Zd ZdZdZdZdZdZdZdZy#e$rY6wxYw#e$r ed wxYw) N)LDAPPackageUnavailableErrorLDAPCommunicationError)ReverseDnsSettingget_hostname_by_addr is_ip_addrT)ChannelBindingsFz'package gssapi (or winkerberos) missing)send_sasl_negotiationabort_sasl_negotiationc |jd} ddlm}ddlm}ddlm}|j||}|j}|jdvr&|j|j|}n|j||}|j|d|jz}t s t#| St%j&| S#YyxYw#t$r tdwxYw) NTr)x509)default_backend)hasheszpackage cryptography missing)md5sha1stls-server-end-point:)application_data) getpeercert cryptographyrcryptography.hazmat.backendsrcryptography.hazmat.primitivesr ImportErrorrload_der_x509_certificatesignature_hash_algorithmnameHashSHA256updatefinalizeposix_gssapi_unavailabler winkerberoschannelBindings) ssl_socketserver_certificaterrrcerthash_algorithmdigestrs ]/var/www/premiumrankchecker/venv/lib/python3.12/site-packages/ldap3/protocol/sasl/kerberos.pyget_channel_bindingsr,<s'33D9J%@9  ) )*O PD22No-V]]_o.?@^_->? MM$%/&//2CC #0@AA**ts t||St||S)a Performs a bind using the Kerberos v5 ("GSSAPI") SASL mechanism from RFC 4752. Does not support any security layers, only authentication! sasl_credentials can be empty or a tuple with one or two elements. The first element determines which service principal to request a ticket for and can be one of the following: - None or False, to use the hostname from the Server object - True to perform a reverse DNS lookup to retrieve the canonical hostname for the hosts IP address - A string containing the hostname The optional second element is what authorization ID to request. - If omitted or None, the authentication ID is used as the authorization ID - If a string, the authorization ID to use. Should start with "dn:" or "user:". The optional third element is a raw gssapi credentials structure which can be used over the implicit use of a krb ccache. )r#_posix_sasl_gssapi_windows_sasl_gssapi) connectioncontrolss r+ sasl_gssapir2Xs!( $!*h77#J99cH|jr't|jdk(s|jdsd|jjzS|jddur-t |j j d}d|z}|S|jdtjvr|jd}|j j d}|jj}|tjk(r t |}n~|tjk(rt|r`t |}nT|tjk(rt |d}|2|}n/|tjk(rt|rt |d}||}d|z}|Sd|jdz}|S)a Common logic for determining our target name for kerberos negotiation, regardless of whether we are using gssapi on a posix system or winkerberos on windows. Returns a string in the form "ldap@" + a target hostname. The hostname can either be user specified, come from the connection, or resolved using reverse DNS based on parameters set in sasl_credentials. The default if no sasl_credentials are specified is to use the host in the connection server object. rzldap@TF)success_required)sasl_credentialslenserverhostrsocket getpeernamerSUPPORTED_VALUESREQUIRE_RESOLVE_ALL_ADDRESSES!REQUIRE_RESOLVE_IP_ADDRESSES_ONLYr OPTIONAL_RESOLVE_ALL_ADDRESSES"OPTIONAL_RESOLVE_IP_ADDRESSES_ONLY)r0hostname target_name rdns_settingpeer_ipresolved_hostnames r+_common_determine_target_namerFrs  ' '3z/J/J+Kq+P..q1**////""1%-' (9(9(E(E(G(JK( > =  $ $Q '+<+M+M M!2215 ##//1!4$$)) ,JJ J+G4H .PP P(#/8 .MM M!5Wu U  ,, .QQ Q(#$8SX$Y!$00H(   ; ;A >> r3c,d}d}tsM|jr?tjtj|jd|j nd}|j rt|j dk\r-|j dr|j djd}t|j dk\rQ|j drBtr td |j d}tj|d|j }||fS) a Given our connection, figure out the authorization id (i.e. the kerberos principal) and kerberos credentials being used for our SASL bind. On posix systems, we can actively negotiate with raw credentials and receive a kerberos client ticket during our SASL bind. So credentials can be specified. However, on windows systems, winkerberos expects to use the credentials cached by the system because windows machines are generally domain-joined. So no initiation is supported, as the TGT must already be valid prior to beginning the SASL bind, and the windows system credentials will be used as needed with that. r3Ninitiate)rusagestorerr utf-8rzThe winkerberos package does not support specifying raw credentialsto initiate GSSAPI Kerberos communication. A ticket granting ticket must have already been obtained for the user before beginning a SASL bind.)baserIrJ) r#usergssapi CredentialsName cred_storer6r7encoder)r0authz_idcreds raw_credss r+$_common_determine_authz_id_and_credsrVs H E $yCyHyH"" JOO(DJ^h^s^stNR"" z** +q 0Z5P5PQR5S!2215< 1()`a a "%6 6$%dee'(91a'CD !!r3ctjt|tjj}t |\}}tj |tjj|t|j}d} |j|}|d}t|||}|d} |jrn 7|j!|} t#| j$} |j't)| |zd}t|||j$S#tjj$rY{wxYw#tjj*t,f$rt/||wxYw)z Performs a bind using the Kerberos v5 ("GSSAPI") SASL mechanism from RFC 4752 using the gssapi package that works natively on most posix operating systems. )rmechrTchannel_bindingsN saslCredsF)rNrPrFNameTypehostbased_servicerVSecurityContextMechTypekerberosr,r:stepr complete exceptionsMissingContextErrorunwrapr`messagewrapbytesGSSErrorrr ) r0r1rBrSrTctxin_token out_tokenresultunwrapped_tokenr_s r+r.r.s[ ++;JGIjIjkK::FOHe  k8P8PX]2FzGXGX2Y [CH*I  *:xKFk*H << **X.!NOfOf!gHHU#9:8CUK $Z9;L;LMM $$88      & &(> ?z84 s1 (E6 D AE E=E?EE1E4ct|}t|\}}tjtjztj ztj z}tj||\}}d} d}|stj|tj|jdt|j} | tjk(}tj|xsd} tj | } t#||| } | dxsd}|stj$|tj|jdd} tj|r(tj&tj|} t)| }tjt+||zjd}tj,||tj|xsd} t#||tj | S#tj.t0f$rt3||wxYw)z Performs a bind using the Kerberos v5 ("GSSAPI") SASL mechanism from RFC 4752 using the winkerberos package that works natively on most windows operating systems. )gssflagsr3FrK)rcrdre)rFrVr$GSS_C_MUTUAL_FLAGGSS_C_SEQUENCE_FLAGGSS_C_INTEG_FLAGGSS_C_CONF_FLAGauthGSSClientInitauthGSSClientStepbase64 b64encodedecoder,r:AUTH_GSS_COMPLETEauthGSSClientResponse b64decoder authGSSClientUnwrapstandard_b64decoder`rrauthGSSClientWraprsrr )r0r1rBrS_rzrtrunegotiation_completestatusrvout_token_bytesrwr]r_authz_only_msgs r+r/r/s  0 ;K6zBKHa  ) )  + + ,  ( ( )  ' ' (  * *; JFAsH$& !2238H8H8R8Y8YZa8bDXYcYjYjDkmF%+k.K.K$K #99#>D"I$..y9O*:xQFk*1cH' ''V-=-=h-G-N-Nw-WX  , ,S 1%889Z9Z[^9_` !NO_!` ))%0F*G(*RSZZ[bc%%c>:55c:@b $Z6;K;KI;VWW  "8 9z84 s:B*H&%DH&&'I )__doc__rr:core.exceptionsrr core.rdnsrrr r#rN gssapi.rawr rwindows_gssapi_unavailabler$saslr r r[INTEGRITY_PROTECTIONCONFIDENTIALITY_PROTECTIONr,r2rFrVr`r.r/r3r+rs6 RLL *$"U%*"@N8:40f<"0!H/o   U)*STTUs AA&A#"A#&A4