o RDi[@sddlmZddlZddlZddlZddlZddlmZmZddlm Z ddl m Z m Z m Z ddlmZddlmZmZmZmZmZdd lmZdd lmZdd lmZmZmZmZmZm Z m!Z!dd l"m#Z#m$Z$m%Z%m&Z&m'Z'dd l(m)Z)ddl*m+Z+m,Z,m-Z-m.Z.m/Z/m0Z0ddl1m2Z2m3Z3m4Z4m5Z5m6Z6m7Z7ddl8m9Z9ddl:m;Z;mddl:m?Z?ddl@mAZAddlBmCZCmDZDmEZEddlFmGZGddlHmIZIddlJmKZKe rddlLmMZMeNeOZPdZQdZRdZSdZTdZUhd ZVGd!d"d"ZWd0d*d+ZXd1d.d/ZYdS)2) annotationsN)datetimetimezone)Thread) TYPE_CHECKINGAnyCallable)default_backend)Encoding NoEncryption PrivateFormatload_der_private_keyload_pem_private_key)get_application_path) urlencode)DAY_IN_SECONDSHTTP_HEADER_ACCEPTHTTP_HEADER_CONTENT_TYPEHTTP_HEADER_SERVICE_NAMEHTTP_HEADER_USER_AGENT"PARAMETER_CLIENT_REQUEST_MFA_TOKEN+PARAMETER_CLIENT_STORE_TEMPORARY_CREDENTIAL)COMPILERIMPLEMENTATIONOPERATING_SYSTEMPLATFORMPYTHON_VERSION)ER_FAILED_TO_CONNECT_TO_DB)BadGatewayError DatabaseErrorErrorForbiddenErrorProgrammingErrorServiceUnavailableError)!ACCEPT_TYPE_APPLICATION_SNOWFLAKECONTENT_TYPE_APPLICATION_JSON&ID_TOKEN_INVALID_LOGIN_REQUEST_GS_CODE"OAUTH_ACCESS_TOKEN_EXPIRED_GS_CODEPYTHON_CONNECTOR_USER_AGENTReauthenticationRequest)detect_platforms)BaseHttpConfig HttpConfig)SessionManager)SessionManagerFactory)'SQLSTATE_CONNECTION_WAS_NOT_ESTABLISHED) TokenCacheTokenKey TokenType)VERSION) AuthNoAuth) AuthByOAuth) AuthByPluginznet.snowflake.temporary_token temp_tokenzSNOWFLAKE-PYTHON-DRIVERID_TOKENMFATOKEN> LOGIN_NAME ACCOUNT_NAME SVN_REVISION AUTHENTICATOR CLIENT_APP_IDCLIENT_APP_VERSIONCLIENT_ENVIRONMENTSESSION_PARAMETERSEXT_AUTHN_DUO_METHODc@seZdZdZd>ddZe      d?d@ddZ          dAdBd)d*ZdCd.d/ZdDd1d2Z dEd4d5Z dFd7d8Z dGd9d:Z dHdr=r<rBrM)r- to_base_dictr/ get_managerr4rrrrrrnameloggergetEffectiveLevelr+clone)useraccount applicationinternal_application_nameinternal_application_version ocsp_modecert_revocation_check_moderPrRrSrTrVrX sync_configrMrMrNbase_auth_databs:  zAuth.base_auth_dataF auth_instancer8rqstrrpdatabase str | Noneschema warehouserolepasscodepasscode_in_passwordbool mfa_callbackCallable[[], None] | Nonepassword_callbackCallable[[], str] | Nonesession_parametersdict[Any, Any] | Nonetimeoutdict[str, str | int | bool]cstdttr iS| durj} | duri} tt}tt t t t t i}t| vr1| t|t<d}tj|||jjj|jjj|jjj|jj|jjj|jjj|jjj|jjj|jjj|jjjddd }t|} |td|||||||d|i}|dur||d<|dur||d <|dur||d <|dur||d <|d t!|}| rd |dd<n|rd |dd<||dd<| r| |dd<tddd|d"Dz|jj#||t$%|jd}WnCt&y}z|j'dj(|jj)|jj*t|dt+t,dd}~wt-t.fy)}z|j'dj(|jj)|jj*t|dt+t,dd}~ww|dr|d/ddvr|d/d|d<d|dd<did|_0dKfd"d# }t1||||t$%|gd$}d%|_2|3t4| r| }|j0r~|j0/d&dkrt5||j0r~|j0/d&dks~n|j6| d'|j0}|r|dr|d/dd(krt|}|d/d|d<|jj#||t$%|jd}ny|r|dr|d/d)st78|jjdt9d*j(|jj)|jj*|d&dt+t,d| SnL|drA|d/dd+krAt4| rAt|}|d/d|d<||dd,<t:d-r&j;nd|dd.<| |dd/<|jj#||t$%|jd}td0|d1s|/d2t+}|t|jj)|t?j@tAtB|d&tC|t,d|tDkrttEstAtB|d&tC|t,dd3d4lFmG}t|rtd5tjHttIJtKjLjMdd6d3d7lFmN}t|r|>|jj)|t?jOt78|jjdt9d8j(|jj)|jj*|d&dt+t,ddStd9|dr|d/d)durd:nd;td<|dr|d/d=durd:nd;td>|dr|d/d?durd:nd;td@|dr4|d/dAdur4d:nd;|dsFt78ddt7dBdCi|jjP|d/d)|d/d=|d/dD|d/d?|d/dAdE|Q|jj)|| ||drdF|dvr|d/dF|jj_R|drdG|dvr|d/dG}|/d|jj_S|/d |jj_T|/dH|jj_U|/d |jj_V|drdI|dvr| WdJd|d/dID|jjX| | S)LN authenticatez/session/v1/login-requestF) use_pooling)rVzQaccount=%s, user=%s, database=%s, schema=%s, warehouse=%s, role=%s, request_id=%s request_id databaseName schemaNamer~roleName?rr[rDPASSCODErCzbody['data']: %scSs"i|] \}}||tvr |ndqS)******)$AUTHENTICATION_REQUEST_KEY_WHITELIST).0kvrMrMrN sz%Auth.authenticate..rSzUFailed to connect to DB. Verify the account name is correct: {host}:{port}. {message})hostportmessage)msgerrnosqlstatezIFailed to connect to DB. Service is unavailable: {host}:{port}. {message} nextAction)EXT_AUTHN_DUO_ALLEXT_AUTHN_DUO_PUSH_N_PASSCODE inFlightCtxpushTimeout)rr[rFrGcs|jj|||jd|_dS)Nr)rI _post_request_socket_timeoutret)rKurlheadersbodyryrMrNpost_request_wrapper's  z/Auth.authenticate..post_request_wrapper)targetargsTr)rEXT_AUTHN_SUCCESStokenzLFailed to connect to DB. MFA authentication failed: {host}:{port}. {message} PWD_CHANGEr<passwordPASSWORDCHOSEN_NEW_PASSWORDzcompleted authenticationsuccesscoder5 AuthByKeyPairzGJWT Token authentication failed. Token expires at: %s. Current Time: %s)tzinfo)AuthByUsrPwdMfaz1Failed to connect to DB: {host}:{port}. {message}z token = %srNULLzmaster_token = %s masterTokenz id_token = %sidTokenzmfa_token = %smfaTokenrzGThere is no data in the returning response, please retry the operation.masterValidityInSeconds)master_validity_in_secondsid_token mfa_token sessionId sessionInfo warehouseName parameterscSsi|] }|d|dqS)rlvaluerM)rprMrMrNrsrFrG)Yrmdebug isinstancer6rrzuuiduuid4rr&rr%rr)rrErxrI _connectionrr_internal_application_name_internal_application_version _ocsp_modervrP_network_timeoutrrTrVrocopydeepcopy update_bodyritemsrjsondumpsr" __class__format_host_portrr0r$rgetrrdaemonstartcallablenextjoinr!errorhandler_wrapperr hasattrrr'r_delete_temporary_credentialr3r:r*r#intr(r7r_jwt_token_exprnowrutcreplacer MFA_TOKEN update_tokenswrite_temporary_credentials _session_id _database_schema _warehouse_roleupdate_update_parameters)rKryrqrpr{r}r~rrrrrrrrrr body_templaterurl_parametersrerrrtcrrr session_inforMrrNrs"                                            zAuth.authenticater cred_typer3cCs|t|||SrH)get_token_cacheretriever2rKrrprrMrMrN_read_temporary_credentialszAuth._read_temporary_credentialdict[str, Any]cCsH|tdr|||tj|j_|tdr"|||tj|j_ dSdS)aAttempt to load cached credentials to skip interactive authentication. SSO (ID_TOKEN): If present, avoids opening browser for external authentication. Controlled by client_store_temporary_credential parameter. MFA (MFA_TOKEN): If present, skips MFA prompt on next connection. Controlled by client_request_mfa_token parameter. If cached tokens are expired/invalid, they're deleted and normal auth proceeds. FN) rrrr3r:rIrrrr)rKrrprrMrMrNread_temporary_credentialss   zAuth.read_temporary_credentialscredcCs.|s tddS|t||||dS)Nz=no credential is given when try to store temporary credential)rmrrstorer2)rKrrprrrMrMrN_write_temporary_credentials z Auth._write_temporary_credentialresponsecCsd|jjjjr|tdr|||tj|dd|t dr0|||tj |dddSdS)aVCache credentials received from successful authentication for future use. Tokens are only cached if: 1. Server returned the token in response (server-side caching must be enabled) 2. Client has caching enabled via session parameters 3. User consented to caching (consent_cache_id_token for ID tokens) Fr[rrN) rIr auth_classconsent_cache_id_tokenrrrr3r:rr)rKrrprrrMrMrNr+s  z Auth.write_temporary_credentialscCs|t|||dSrH)rremover2rrMrMrNrHsz!Auth._delete_temporary_credentialr1cCs$|jdurtj|jjjd|_|jS)N)skip_file_permissions_check)rJr1makerIr#_unsafe_skip_file_permissions_check)rKrMrMrNrMs zAuth.get_token_cacher)NNNNNN) rPrQrRrQrSrQrTrUrVrWrXrY) NNNNNFNNNN)ryr8rqrzrprzr{r|r}r|r~r|rr|rr|rrrrrrrrrrQrFr)rrzrprzrr3rFr|)rrzrprzrrrFrG) rrzrprzrr3rr|rFrG) rrzrprzrrrrrFrG)rrzrprzrr3rFrG)rFr1)__name__ __module__ __qualname____doc__rO staticmethodrxrrrrrrrrMrMrMrNrE[s<  9  b    rErprzrqprivatekey_path key_passwordr|rFc Cs|dur|nd}t|d}t||td}Wdn1s$wY|jtjtj t d}ddl m }||t } | j||dS)Nrbrbackendencodingrencryption_algorithmr5r)rqrp)encodeopenrreadr private_bytesr DERr PKCS8r rrrprepare) rprqrrencoded_passwordkeyp_key private_keyrryrMrMrNget_token_from_private_keyUs"   r&private_key_filercCs~t|d}t||td}Wdn1swY|jtjtj t d}t |dtd}ddl m }||S)zPHelper function to generate the public key fingerprint from the private key filerrNr)r[rrr5r)rrrrr rr rr r r r rr calculate_public_key_fingerprint)r'rr#r$r%rrMrMrNget_public_key_fingerprintls   r)) rprzrqrzrrzrr|rFrz)r'rzrrzrFrz)Z __future__rrrloggingrrr threadingrtypingrrrcryptography.hazmat.backendsr ,cryptography.hazmat.primitives.serializationr r r r r_utilsrcompatr constantsrrrrrrr descriptionrrrrr errorcodererrorsrr r!r"r#r$networkr%r&r'r(r)r*platform_detectionr+rVr,r-r.SyncSessionManagerr/rr0 token_cacher1r2r3versionr4no_authr6oauthr7rr8 getLoggerrrmKEYRING_SERVICE_NAME KEYRING_USERKEYRING_DRIVER_NAMEr:rrrEr&r)rMrMrMrNsR     $              }