i SSKrSSKrSSKrSSKrSSKrSSKJr SSKJr SSK J r SSK J r J r Jr SSKJrJrJr \R&"S\R(S\R*4S 9r\R&"S \R*S 9r\R0\\\R2\R0\\4\R0\\\44\R0\\4\4rS \R<\S \R2\R<\\R<\44S jr S&S\RBS\R<\S \R(\/\44Sjjr""SS\RF5r$"SS\RF5r%"SS\RF5r&"SS\RF5r'"SS\RF5r(\RR"SS9"SS55r*"SS \RV5r,"S!S"\\RZ5r."S#S$\R^S%9r0g)'N) Credential)to_text)GssChannelBindings)FeatureMissingErrorNegotiateOptions SpnegoError) BufferType IOVBuffer IOVResBufferF.)bound NativeIOVusernamereturnclUcgSU;aURSS5upOSn[USS9[USS94$)aSplits a username and returns the domain component. Will split a username in the Netlogon form `DOMAIN\username` and return the domain and user part as separate strings. If the user does not contain the `DOMAIN\` prefix or is in the `UPN` form then then user stays the same and the domain is an empty string. Args: username: The username to split Returns: Tuple[Optional[str], Optional[str]]: The domain and username. N)NN\passthru) nonstring)splitr)rdomains I/home/james-whalen/.local/lib/python3.13/site-packages/spnego/_context.pysplit_usernamersJ x#>>$2 6Z 0'(j2Y YY error_typecontextc4^^S[S[4UU4SjjnU$)a]Wraps a function that makes a native GSSAPI/SSPI syscall and convert native exceptions to a SpnegoError. Wraps a function that can potentially raise a WindowsError or GSSError and converts it to the common SpnegoError that is exposed by this library. This is to ensure the context proxy functions raise a common set of errors rather than a specific error for the provider. The underlying error is preserved in the SpnegoError if the user wishes to inspect that. Args: error_type: The native error type that need to be wrapped. context: An optional context message to add to the error if raised. funcrc>^S[RS[RS[4UUU4Sjjn[R"[U5$)NargskwargsrcH>T"U0UD6$!Tan[UTS9UeSnAff=f)N) base_error context_msg)r)r r! native_errrrrs rwrapper5wrap_system_error..decorator..wrapperBs; ^T,V,, ^!ZWMS]] ^s ! !)typingAnyr cast)rr&rrs` r decorator$wrap_system_error..decoratorAsB ^6:: ^ ^ ^ ^{{1g&&r)r )rrr+s`` rwrap_system_errorr-4s#''a'' rc.\rSrSr%Sr\\S'\\S'Srg) WrapResultNz Result of the `wrap()` function.data encryptedN) __name__ __module__ __qualname____firstlineno____doc__bytes__annotations__bool__static_attributes__r3rrr/r/Ns* KOrr/cL\rSrSr%Sr\R \S4\S'\ \S'Sr g) IOVWrapResultUz$Result of the `wrap_iov()` function..buffersr2r3N) r4r5r6r7r8r(Tupler r:r;r<r3rrr>r>Us. \\,+ ,,Orr>c8\rSrSr%Sr\\S'\\S'\\S'Srg)WinRMWrapResult\z&Result of the `wrap_winrm()` function.headerr1padding_lengthr3N) r4r5r6r7r8r9r:intr<r3rrrCrC\s0 M KrrCc8\rSrSr%Sr\\S'\\S'\\S'Sr g) UnwrapResultdz"Result of the `unwrap()` function.r1r2qopr3N) r4r5r6r7r8r9r:r;rGr<r3rrrIrIds, KO HrrIcV\rSrSr%Sr\R \S4\S'\ \S'\ \S'Sr g) IOVUnwrapResultlz&Result of the `unwrap_iov()` function..r@r2rKr3N) r4r5r6r7r8r(rAr r:r;rGr<r3rrrMrMls#0 \\,+ ,,O HrrMT)frozenc$\rSrSr%Sr\\S'Srg)SecPkgContextSizestaQSizes of important structures used for messages. This dataclass exposes the sizes of important structures used in message support functions like wrap, wrap_iov, sign, etc. Use :meth:`ContextReq.query_message_sizes` to retrieve this value for an authenticated context. Currently only ``header`` is exposed but other sizes may be added in the future if needed. Attributes: header: The size of the header/signature of a wrapped token. This corresponds to cbSecurityTrailer in SecPkgContext_Sizes in SSPI and the size of the allocated GSS_IOV_BUFFER_TYPE_HEADER IOV buffer. rEr3N)r4r5r6r7r8rGr:r<r3rrrQrQts KrrQcD\rSrSrSrSrSrSrSrSr Sr S r S r S r S rS rSrg) ContextReqrr ii ii>r3N)r4r5r6r7nonedelegate mutual_auth replay_detectsequence_detectconfidentiality integrity dce_styleidentifydelegate_policy no_integritydefaultr<r3rrrTrTsE DHKM O OIIH OLMGrrTc\rSrSrSrSrSrSrSrSr Sr S r \ S \ R\\44S j5r\S \4S j5r\S \4S j5r\S\S S4Sj5rSrg)GSSMechz1.3.6.1.4.1.311.2.2.10z 1.3.6.1.5.5.2z1.2.840.113554.1.2.2z1.2.840.48018.1.2.2z 1.3.5.1.5.2z 1.3.6.1.5.2z1.2.840.113554.1.2.2.3z1.3.6.1.4.1.311.2.2.30rc0[RS_[RRS_[RS_[RRS_[RS_[RRS_[R S_[R RS_[R S_[R RS_[RS_[RRS_[RS_[RRS_[RS_[RRS_$) NNTLMSPNEGOKerberosz MS KerberoszKerberos (draft) IAKerberoszKerberos User to UserNEGOEX) rintlmvaluespnegokerberos _ms_kerberos_kerberos_draft_iakerb kerberos_u2unegoexclss r native_labelsGSSMech.native_labelssL LL& LL    NNH  NN (    j     " "J    -   & &    # #%7   # # ) )+=  OO\  OO ! !<   "9   & &(?  NNH NN (!  rc>UR(agUR$)Nrt)is_kerberos_oidnameselfs r common_nameGSSMech.common_names   yyrcU[R[R[R[R4;$)zDetermines if the mech is a Kerberos mech. Kerberos has been known under serveral OIDs in the past. This tells the caller whether the OID is one of those "known" OIDs. Returns: bool: Whether the mech is a Kerberos mech (True) or not (False). )rirtrurvrwrs rrGSSMech.is_kerberos_oids1(('*>*>@W@WY`YhYhiiiroidc`[HnURU:XdMUs $ [SU-5e)zConverts an OID string to a GSSMech value. Converts an OID string to a GSSMech value if it is known. Args: oid: The OID as a string to convert from. Raises: ValueError: if the OID is not a known GSSMech. z'%s' is not a valid GSSMech OID)rirr ValueError)rmechs rfrom_oidGSSMech.from_oids2DzzS  >DE Err3N)r4r5r6r7rqrsrtrurvrwrxry classmethodr(Dictstrr|propertyrr;r staticmethodrr<r3rrriris #D F&H(L#OG,L %F fkk#s(3  (S  j j jFcFiFFrric\rSrSrSrS\R \S\R\ S\R\ S\R\ S\ S\ S \ S \ S S 4S jr \S4Sj5r\S4Sj5r\S5S \R\ S \R \ 4Sjj5r\S \4Sj5r\\R,S \R\ 4Sj55r\\R,S \4Sj55r\S \ 4Sj5r\\R,S \R\ 4Sj55r\\R,S \4Sj55r\R,S6Sj5r\R,S \4Sj5r\R,S5S S.S\R\S\R\ S \R\4Sjjj5r \R,S7S\S\S\R\!S \"4Sjj5r#\R,S7S \RH\%S\S\R\!S \&4S!jj5r'\R,S\S \(4S"j5r)\R,S\S \*4S#j5r+\R,S \RH\%S \,4S$j5r-\R,S%\S\S \4S&j5r.\R,S5S\S\R\!S \4S'jj5r/\R,S\S(\S \!4S)j5r0\\R,S \R \Rb\ \!44S*j55r2S5S+\ S,\RfS \Rf4S-jjr4\S \4S.j5r5S \RH\%S/\Rl\7/\84S \R \84S0jr9S8S1\S S 4S2jjr:S3r;g )9 ContextProxyaBase class for a authentication context. A base class the defined a common entry point for the various authentication context's that are used in this library. For a new context to be added it must implement the abstract functions in this class and translate the calls to what is required internally. Args: credentials: A list of credentials to use for authentication. hostname: The principal part of the SPN. This is required for Kerberos auth to build the SPN. service: The service part of the SPN. This is required for Kerberos auth to build the SPN. channel_bindings: The optional :class:`spnego.channel_bindings.GssChannelBindings` for the context. context_req: The :class:`spnego.ContextReq` flags to use when setting up the context. usage: The usage of the context, `initiate` for a client and `accept` for a server. protocol: The protocol to authenticate with, can be `ntlm`, `kerberos`, or `negotiate`. Not all providers support all three protocols as that is handled by :class:`SPNEGOContext`. options: The :class:`spnego.NegotiateOptions` that define pyspnego specific options to control the negotiation. Attributes: usage (str): The usage of the context, `initiate` for a client and `accept` for a server. protocol (str): The protocol to set the context up with; `ntlm`, `kerberos`, or `negotiate`. spn (str): The service principal name of the service to connect to. channel_bindings (spnego.channel_bindings.GssChannelBindings): Optional channel bindings to provide with the context. options (NegotiateOptions): The user specified negotiation options. context_req (ContextReq): The context requirements flags as an int value specific to the context provider. credentialshostnameservicechannel_bindings context_requsageprotocoloptionsrNc PUR5UlURS;a[SUR-5eUR5UlURS;a[SUR-5eURUR US9;a[SUR-5eX lX0lSUlU(dU(a)[U(aUOS<SU=(d S <35UlX@l [U5Ul XPl S Ul URH%upXY-(dMU=RU -sl M' S UlS UlU[R"-(a/UR%5(d['[R"5egg) N)initiateacceptz.Invalid usage '%s', must be initiate or accept)rqrt negotiatecredsspzDInvalid protocol '%s', must be ntlm, kerberos, negotiate, or credssp)rzProtocol %s is not availableHOST/ unspecifiedrF)lowerrrravailable_protocols _hostname_servicespnrrrrr _context_req_context_attr_map _context_attr _is_wrapped wrapping_iov iov_availabler) rrrrrrrrrgenericproviders r__init__ContextProxy.__init__sh[[] ::3 3MPTPZPZZ[ [ ( == L Lcfjfsfsst t == 8 8 8 I I;dmmKL L!  hW'&*H(JcVcJcdeDH 0'0 &!%!7!7 G$$!!X-!"8! %22 24;M;M;O;O%&6&C&CD Droutgoingcg)aFReset the NTLM crypto handles after signing/verifying the SPNEGO mechListMIC. `MS-SPNG`_ documents that after signing or verifying the mechListMIC, the RC4 key state needs to be the same for the mechListMIC and for the first message signed/sealed by the application. Because we use SSPI on Windows hosts which does all the work for us this function only matters for Linux hosts. Args: outgoing: Whether to reset the outgoing or incoming RC4 key state. .. _MS-SPNG: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-spng/b87587b3-9d72-4027-8131-b76b5368115f Nr3)rrs r_reset_ntlm_crypto_state%ContextProxy._reset_ntlm_crypto_state;s r) rrrrrrrrrrr)rNN)rr)TN)T)rrCrrIrrMrrrrrArr)rrCallabler rrrr<r3rrrrs6+E[[,+E//#&+E% +E !//*<= +E  +E+E+E"+E +EZ 1&//:J*K 1W]WbWbcfWg 1 1 d    &//#"6     $   j    V__S%9      U            %7     ,0' AE ' //%(' !//*<= '   ' ' R    6??3;O [e  > $(  __S !  __S !     >   u        5 \  8  __S !    4   5    %       V__S%9 U  .  5 u   2  6;;v||JO/L#M    #888  8t0%??3'%9?)V_I_9`% Y %N       rr) metaclassr)1r dataclassesenumr(rspnego._credentialr spnego._textrspnego.channel_bindingsrspnego.exceptionsrrr spnego.iovr r r TypeVarrr)r rUnionrArGr;r9rrrrTyper- NamedTupler/r>rCrIrM dataclassrQIntFlagrTEnumriABCMetarr3rrr/s  ) 6PP:: NN3fooc6::o>? NN;fjj 9  ll  LLj#o. T5#=M0NNO LLS!  ZV__S1Zfll6??SVCWY_YhYhilYmCm6nZ2&++8LX^XgXgijhkmnhnXo4""F%%f'' 6$$  f''  d#$(MM0FFc499FFR^  S[[^  r