o g,@sdZddlmZddlmZddlmZddlmZGdddZ Gd d d e Z Gd d d e Z Gd dde Z Gddde Z Gddde ZedddgZGdddeZGdddeZGdddZdS)z Modern, adaptable authentication machinery. Replaces certain parts of `.SSHClient`. For a concrete implementation, see the ``OpenSSHAuthStrategy`` class in `Fabric `_. ) namedtuple)AgentKey) get_logger)AuthenticationExceptionc@s0eZdZdZddZddZddZdd Zd S) AuthSourcez Some SSH authentication source, such as a password, private key, or agent. See subclasses in this module for concrete implementations. All implementations must accept at least a ``username`` (``str``) kwarg. cC ||_dSNusername)selfr r P/var/www/html/api-tag/env/lib/python3.10/site-packages/paramiko/auth_strategy.py__init__ zAuthSource.__init__cKs0dd|D}d|}|jjd|dS)NcSsg|] \}}|d|qS)=r ).0kvr r r sz$AuthSource._repr..z, ())itemsjoin __class____name__)r kwargspairsjoinedr r r_reprs zAuthSource._reprcCs|Sr )rr r r r__repr__"szAuthSource.__repr__cCt)z) Perform authentication. NotImplementedErrorr transportr r r authenticate%szAuthSource.authenticateN)r __module__ __qualname____doc__rrr!r'r r r rrs  rc@eZdZdZddZdS)NoneAuthzS Auth type "none", ie https://www.rfc-editor.org/rfc/rfc4252#section-5.2 . cCs ||jSr ) auth_noner r%r r rr'1s zNoneAuth.authenticateNrr(r)r*r'r r r rr,,s r,cs4eZdZdZfddZfddZddZZS)Passworda Password authentication. :param callable password_getter: A lazy callable that should return a `str` password value at authentication time, such as a `functools.partial` wrapping `getpass.getpass`, an API call to a secrets store, or similar. If you already know the password at instantiation time, you should simply use something like ``lambda: "my literal"`` (for a literal, but also, shame on you!) or ``lambda: variable_name`` (for something stored in a variable). ctj|d||_dSNr )superrpassword_getter)r r r3rr rrDs zPassword.__init__cstj|jdS)N)user)r2rr r r4r rr!HszPassword.__repr__cCs|}||j|Sr )r3 auth_passwordr )r r&passwordr r rr'MszPassword.authenticate)rr(r)r*rr!r' __classcell__r r r4rr/5s   r/c@r+) PrivateKeya Essentially a mixin for private keys. Knows how to auth, but leaves key material discovery/loading/decryption to subclasses. Subclasses **must** ensure that they've set ``self.pkey`` to a decrypted `.PKey` instance before calling ``super().authenticate``; typically either in their ``__init__``, or in an overridden ``authenticate`` prior to its `super` call. cCs||j|jSr )auth_publickeyr pkeyr%r r rr'eszPrivateKey.authenticateNr.r r r rr9Xs r9cs,eZdZdZfddZfddZZS)InMemoryPrivateKeyz1 An in-memory, decrypted `.PKey` object. cr0r1)r2rr;)r r r;r4r rrns zInMemoryPrivateKey.__init__cs(tj|jd}t|jtr|d7}|S)N)r;z [agent])r2rr; isinstancer)r repr4r rr!ss zInMemoryPrivateKey.__repr__rr(r)r*rr!r8r r r4rr<is r<c(eZdZdZfddZddZZS)OnDiskPrivateKeya Some on-disk private key that needs opening and possibly decrypting. :param str source: String tracking where this key's path was specified; should be one of ``"ssh-config"``, ``"python-config"``, or ``"implicit-home"``. :param Path path: The filesystem path this key was loaded from. :param PKey pkey: The `PKey` object this auth source uses/represents. cs>tj|d||_d}||vrtd|||_||_dS)Nr )z ssh-configz python-configz implicit-homez source argument must be one of: )r2rsource ValueErrorpathr;)r r rBrDr;allowedr4r rrs zOnDiskPrivateKey.__init__cCs|j|j|jt|jdS)N)keyrBrD)rr;rBstrrDr r r rr!szOnDiskPrivateKey.__repr__r?r r r4rrA|s  rA SourceResultrBresultcr@) AuthResulta Represents a partial or complete SSH authentication attempt. This class conceptually extends `AuthStrategy` by pairing the former's authentication **sources** with the **results** of trying to authenticate with them. `AuthResult` is a (subclass of) `list` of `namedtuple`, which are of the form ``namedtuple('SourceResult', 'source', 'result')`` (where the ``source`` member is an `AuthSource` and the ``result`` member is either a return value from the relevant `.Transport` method, or an exception object). .. note:: Transport auth method results are always themselves a ``list`` of "next allowable authentication methods". In the simple case of "you just authenticated successfully", it's an empty list; if your auth was rejected but you're allowed to try again, it will be a list of string method names like ``pubkey`` or ``password``. The ``__str__`` of this class represents the empty-list scenario as the word ``success``, which should make reading the result of an authentication session more obvious to humans. Instances also have a `strategy` attribute referencing the `AuthStrategy` which was attempted. cs||_tj|i|dSr )strategyr2r)r rKargsrr4r rrszAuthResult.__init__cCsddd|DS)N css&|]}|jd|jp dVqdS)z -> successN)rBrI)rxr r r s z%AuthResult.__str__..)rr r r r__str__s zAuthResult.__str__)rr(r)r*rrQr8r r r4rrJs rJc@s eZdZdZddZddZdS) AuthFailurea Basic exception wrapping an `AuthResult` indicating overall auth failure. Note that `AuthFailure` descends from `AuthenticationException` but is generally "higher level"; the latter is now only raised by individual `AuthSource` attempts and should typically only be seen by users when encapsulated in this class. It subclasses `AuthenticationException` primarily for backwards compatibility reasons. cCrr rI)r rIr r rrrzAuthFailure.__init__cCsdt|jS)NrM)rGrIr r r rrQszAuthFailure.__str__N)rr(r)r*rrQr r r rrRs rRc@s(eZdZdZddZddZddZdS) AuthStrategya This class represents one or more attempts to auth with an SSH server. By default, subclasses must at least accept an ``ssh_config`` (`.SSHConfig`) keyword argument, but may opt to accept more as needed for their particular strategy. cCs||_tt|_dSr ) ssh_configrrlog)r rUr r rrszAuthStrategy.__init__cCr")a[ Generator yielding `AuthSource` instances, in the order to try. This is the primary override point for subclasses: you figure out what sources you need, and ``yield`` them. Subclasses _of_ subclasses may find themselves wanting to do things like filtering or discarding around a call to `super`. r#r r r r get_sourcess zAuthStrategy.get_sourcesc Csd}t|d}|D]E}|jd|z ||}d}Wn$tyC}z|}|jj}|jd|d|WYd}~nd}~ww| t |||rPnq |sXt |d|S) z Handles attempting `AuthSource` instances yielded from `get_sources`. You *normally* won't need to override this, but it's an option for advanced users. F)rKzTrying TzAuthentication via z failed with NrS) rJrWrVdebugr' ExceptionrrinfoappendrHrR)r r& succeededoverall_resultrBrIe source_classr r rr's,     zAuthStrategy.authenticateN)rr(r)r*rrWr'r r r rrTs  rTN)r* collectionsragentrutilr ssh_exceptionrrr,r/r9r<rArHlistrJrRrTr r r rs     #! .