o RDi'@sUddlmZddlZddlZddlZddlZddlZddlmZddl m Z ddl m Z ddlmZddlmZmZddlZddlZdd lmZmZdd lmZmZmZdd lmZdd lmZdd l m!Z!m"Z"ddl#m$Z%ddl&m'Z'm(Z(ddl)m*Z*erddl+m,Z,ej-Z.de/d<e.Z0de/d<eZ1de/d<eZ2de/d<e2Z3de/d< dZ4de/d<e5e6Z7dLdd Z8dMd%d&Z9dNd'd(Z:ed)dd*Z;d+e/d)< ,dOdPd0d1ZdRd8d9Z?dSd;d<Z@e e*jAdTd?d@ZB dUdVdJdKZCdS)W) annotationsN) ContextVar)wraps) signature)socket) TYPE_CHECKINGAny)4OCSP_ROOT_CERTS_DICT_LOCK_TIMEOUT_DEFAULT_NO_TIMEOUTOCSPMode)CertRevocationCheckMode CRLConfig CRLValidator)$ER_OCSP_RESPONSE_CERT_STATUS_REVOKED)OperationalError)SessionManagerSessionManagerFactory) connection)PyOpenSSLContext WrappedSocket)ssl_)x509r DEFAULT_OCSP_MODEFEATURE_OCSP_MODEint$FEATURE_ROOT_CERTS_DICT_LOCK_TIMEOUTr DEFAULT_CRL_CONFIGFEATURE_CRL_CONFIG str | None%FEATURE_OCSP_RESPONSE_CACHE_FILE_NAMEkwargsdict[str, Any]returncCs*|d}|r |StjdptjdS)zResolve CA bundle path from kwargs or standard environment variables. Precedence: 1) kwargs['ca_certs'] if provided by caller 2) REQUESTS_CA_BUNDLE 3) SSL_CERT_FILE ca_certsREQUESTS_CA_BUNDLE SSL_CERT_FILE)getosenviron)r cafr*\/var/www/Datamplify/venv/lib/python3.10/site-packages/snowflake/connector/ssl_wrap_socket.py_resolve_cafile5s r,ctxrcafileNonec Cs|rz |j|ddWn tjttfyYnwz&|j}ddlm}t |dr:t |j dr=| |j j WdSWdSWdSt ttjjttfyPYdSw)zOLoad CA bundle (when provided) and enable OpenSSL partial-chain support on ctx.N)r.capathr)cryptoX509StoreFlags PARTIAL_CHAIN)load_verify_locationssslSSLErrorOSError ValueError_ctxget_cert_storeOpenSSLr1hasattrr2 set_flagsr3AttributeError ImportErrorSSLError)r-r.store_cryptor*r*r+ _ensure_partial_chain_on_contextCs"    rDcCs8ttj}ztj|_Wn tyYnwt|||S)zNCreate PyOpenSSL context configured for CERT_REQUIRED and partial-chain trust.)rrPROTOCOL_TLS_CLIENTr5 CERT_REQUIRED verify_mode ExceptionrD)r.r-r*r*r+!_build_context_with_partial_chainXs    rI_CURRENT_SESSION_MANAGER)defaultz.ContextVar[weakref.ref[SessionManager] | None]Tcreate_default_if_missingboolSessionManager | NonecKsNt}|dur|rtSdS|}|dur|rtSdS|jdi|S)zReturn the SessionManager associated with the current handshake, if any. If the weak reference is dead or no manager was set, returns ``None``. Nr*)rJr&r get_managerclone)rL clone_kwargs sm_weak_refcontext_session_managerr*r*r+get_current_session_managerms  rTsmrcCst|dur t|SdS)aSet the SessionManager for the current execution context. Called from SnowflakeConnection so that OCSP downloads use the same proxy / header configuration as the initiating connection. Alternative approach would be moving method inject_into_urllib3() inside connection initialization, but in case this delay (from module import time to connection initialization time) would cause some code to break we stayed with this approach, having in mind soon OCSP deprecation. N)rJsetweakrefref)rUr*r*r+set_current_session_managers rYcCs&zt|WdStyYdSw)zPRestore previous SessionManager context stored in *token* (from ContextVar.set).N)rJresetrH)tokenr*r*r+reset_current_session_managers  r\cCstdtt_dS)z@Monkey-patch urllib3 with PyOpenSSL-backed SSL-support and OCSP.z#Injecting ssl_wrap_socket_with_ocspN)logdebug+ssl_wrap_socket_with_cert_revocation_checks connection_ssl_wrap_socketr*r*r*r+inject_into_urllib3s  rblist[x509.Certificate]csLt}|j|d|jdd}ddlmddlmfdd|DS) N)r.T) binary_formr)default_backend)load_der_x509_certificatecsg|]}|qSr*r*).0certrerfr*r+ sz._load_trusted_certificates..)r5create_default_contextr4 get_ca_certscryptography.hazmat.backendsrecryptography.x509rf)r.r-certsr*rir+_load_trusted_certificatess     rpargsrc OsLttjj|i|}|j}|d}|dst|d<|d}t|}t |t s3t ||d<nt ||tjdi|}t dtjjtjtjkrotjttt|d}||jshtd|tdt d|St d tjtttj krd d l!m"} | tttj#k|t$d %||j} | std |td|St d|S)Nserver_hostnamer# ssl_contextzCRL Check Mode: %s)trusted_certificateszIThe certificate is revoked or could not be validated via CRL: hostname={})msgerrnozXThe certificate revocation check was successful. No additional checks will be performed.z0OCSP Mode: %s, OCSP response cache file name: %sr )SnowflakeOCSPAsn1Crypto)ocsp_response_cache_uri use_fail_openhostnameroot_certs_dict_lock_timeoutz?The certificate is revoked or could not be validated: hostname=z~This connection does not perform OCSP checks. Revocation status of the certificate will not be checked against OCSP Responder.r*)&_sigrra bind_partial argumentsr&certifiwherer, isinstancerrIrDr]r^rcert_revocation_check_modenamer DISABLEDr from_configrTrpvalidate_connectionrrformatrrrr DISABLE_OCSP_CHECKSocsp_asn1cryptorw FAIL_OPENrvalidate) rqr boundparamsrr provided_ctxcafile_for_ctxret crl_validatorSFOCSPvr*r*r+r_sx            r_rzstrport max_retrytimeout int | NoneOpenSSL.SSL.Connectionc Csd}d}t|D]]}z7t}|||ftjtjj}|dur&||tj||} | | | d| | WStjj tfye} z| }t|dd}t|WYd} ~ qd} ~ ww|rj|dS)zfThe OpenSSL connection without validating certificates. This is used to diagnose SSL issues. Nr zutf-8)rangerconnectr;r@Context SSLv23_METHOD set_timeout Connectionset_connect_stateset_tlsext_host_nameencode do_handshake SysCallErrorr7mintimesleep) rzrrrerr sleeping_time_clientcontext client_sslexr*r*r+_openssl_connects4    r)r r!r"r)r-rr.rr"r/)r.rr"r)T)rLrMr"rN)rUrNr"r)r"r/)r.rr"rc)rqrr rr"r)rrN) rzrrrrrrrr"r)D __future__rloggingr'r5rrW contextvarsr functoolsrinspectrr|rtypingrrr OpenSSL.SSLr; constantsr r crlr r r errorcodererrorsrsession_managerrrvendored.urllib3rr`"vendored.urllib3.contrib.pyopensslrrvendored.urllib3.utilr cryptographyrrr__annotations__rrrrr getLogger__name__r]r,rDrIrJrTrYr\rbrprar_rr*r*r*r+sb                      Q