i&d SSKrSSKrSSKrSSKrSSKrSSKJrJrJrJ r J r J r J r J r JrJrJr SSKJrJrJrJrJrJr SSKJrJr SSKJr SSKJr SSKJ r J!r!J"r"J#r# SSK$J%r%J&r&J'r' \RP"\)5r*S r+Sr,SSK-r-SSK.r.SS K/J0r0Jr SS K/J1r2 SS K/J3r3J4r4 S r9Sr:SSK/Jr; SSK/J&r< SSK/J=r=J>r>J?r?J@r@ SrASrBSSS\R\'S44SjrDS1SSS\7S\R\S\R\S\RS4 S jjrGSSS\R\H4S!jrIS2S"\HS#\HS$\R\JS%\JSS&4 S'jjrKS(S)S*\RS+SS&4S,jrLS-\7S\H4S.jrM"S/S0\5rNg!\5a(r6\7"\65r,S r+\*RqS\6-5 Sr6C6NSr6C6ff=f!\5a)r6\7"\65r:S r9\*RqS\:-5 Sr6C6GNSr6C6ff=f)3N) IOV ContextProxy ContextReqGSSMechIOVUnwrapResult IOVWrapResultSecPkgContextSizes UnwrapResultWinRMWrapResult WrapResultwrap_system_error) CredentialCredentialCacheKerberosCCacheKerberosKeytabPasswordunify_credentials)to_bytesto_text)GssChannelBindings)GSSError)InvalidCredentialErrorNegotiateOptionsNoContextError SpnegoError) BufferType IOVBuffer IOVResBufferT)ChannelBindingsr) exceptions)inquire_sec_context_by_oidset_cred_optionFzEPython gssapi not available, cannot use any GSSAPIProxy protocols: %s)r)r) IOVBufferType unwrap_iovwrap_iovwrap_iov_lengthz-Python gssapi IOV extension not available: %sz1.2.840.113554.1.2.2.5.5z1.2.752.43.13.29iovGSSIOVreturn.c/nUH;n[[UR5URS9nUR U5 M= [ U5$)z7Converts GSSAPI IOV buffer to generic IOVBuffer result.)typedata)rrr+valueappendtuple)r'buffersi buffer_entrys E/home/james-whalen/.local/lib/python3.13/site-packages/spnego/_gss.py_create_iov_resultr4JsBG #AFF);!''J |$ >mechz gssapi.OIDusage credentials context_reqzgssapi.creds.Credentialsc8[[RUS:XaSOS5n[U=(a- U[R -=(d U[R -5nUGH*n[U[5(aaSnUR(a [R"URUS9nOUS:Xa g[R"XqU/S9nURn Us $[U[5(aUS:wa[RSU5 M[ R""5n [ R$"U ['UR(55n Sn UR*(a*[ R,"U ['UR*55n [R"[/X5US9s $[U[0[245(aUS:wa[RSU5 GM[U[05(a-UR*=(d S n ['UR45nS nO#URn [7UR85nS n[;['U 5UUUS 9n[R"UUS9s $[RS U5 GM- [=SS9e)aGets the GSSAPI credential. Will get a GSSAPI credential for the mech specified. If the username and password is specified then a new set of credentials are explicitly required for the mech specified. Otherwise the credentials are retrieved based on the credential type specified. Args: mech: The mech OID to get the credentials for, only Kerberos is supported. usage: Either `initiate` for a client context or `accept` for a server context. credentials: List of credentials to retreive from. context_req: Context requirement flags that can control how the credential is retrieved. Returns: gssapi.creds.Credentials: The credential set that was created/retrieved. initiateuserhostbased_serviceNbase name_type)namer7mechszCSkipping %s as it can only be used for an initiate Kerberos context)r?r7TF) forwardable is_keytabz@Skipping credential %s as it does not support required mech typez#No applicable credentials available context_msg)getattrgssapiNameTypeboolrdelegatedelegate_policy isinstancerusernameName Credentialslifetimerlogdebugkrb5 init_context cc_resolverccache principalparse_name_flags_gss_acquire_cred_from_ccacherrkeytab_encode_kerb_passwordpassword_kinitr)r6r7r8r9r@rDcredrYgss_cred_ctxrXkrb5_principalrOr^rEraw_creds r3_get_gssapi_credentialrfTs*5J3FL_`I{v j6I6I(I(u[[e[u[uMuwK dO , ,I}}"KKT]]iP *$))ydVTH!!AO n - - " _aef##%C__S(4;;*?@F>BN~~!%!6!6sHT^^>/R#DKK0 ==0?! "'# H%%85A A IIXZ^ _ ux !-R SSr5c [RnXR$![[4a [ [S05nOf=f[ RRU5RnOI![a<n[RSUR<S[U5<35 SnSnAOSnAff=fX!UR'U[l[U5$)z;Attempts to get the SASL description of the mech specified.resultzgss_inquire_saslname_for_mech(z ) failed: N)_gss_sasl_descriptionrh dotted_formAttributeErrorKeyErrorrHrIrawinquire_saslname_for_mechmech_description ExceptionrSrTstr)r6res sasl_desces r3riris;#**##$$ H %;+Xr:;JJ88>OO  DDTDTVYZ[V\]^ &#&  &&s' !AA)A22 B8<2B33B8rOr^rDrEzgssapi.raw.Credsc*[R"5nSnSnU(aK[R"XA5nU(d.[U5Sn[R"UR 5nU(d[R "X@5n[R"U5n[[S5(a.[R"XF5n [R"XHSU 5 [R"US5 Ub[R"X5 U(a[R"XFXS9n O[R"XFXS9n [R"US5n [R "XKU5 [R""XKU 5 [%U S5$) aGets a Kerberos credential. This will get the GSSAPI credential that contains the Kerberos TGT inside it. This is used instead of gss_acquire_cred_with_password as the latter does not expose a way to request a forwardable ticket or to retrieve a TGT from a keytab. This way makes it possible to request whatever is needed before making it usable in GSSAPI. Args: username: The username to get the credential for. password: The password to use to retrieve the credential. forwardable: Whether to request a forwardable credential. is_keytab: Whether password is a keytab or just a password. Returns: gssapi.raw.Creds: The GSSAPI credential for the Kerberos mech. Nr$get_init_creds_opt_set_default_flagssgss_krb5T)r\)r^sMEMORY)rUrV kt_resolvelistcopyrYrZget_init_creds_opt_allochasattrprincipal_get_realmrv#get_init_creds_opt_set_canonicalize"get_init_creds_opt_set_forwardableget_init_creds_keytabget_init_creds_password cc_new_unique cc_initialize cc_store_credr[) rOr^rDrErcktprinc first_entryinit_optrealmr` mem_ccaches r3r_r_s4.    C'+B-1E __S +r(1+KIIk334E %%c4,,S1Ht;<<((4 11#eT,,Xt< //F ))#hJ++CT##C3Js.s- (T ::r5rXz krb5.CCacherYzkrb5.Principalc[[RS5(a[RR [ R R5nSnU(a@[R"[UR5[RRS9nUR=(d SnUR(aURS-U-n[RRSU0UU/SS9R$[RR!5n[RR#XPR$U(a UR$OSS 9 U$) zAcquire GSSAPI credential from CCache. Args: ccache: The CCache to acquire the credential from. principal: The optional principal to acquire the cred for. Returns: gssapi.raw.Creds: The GSSAPI credentials from the ccache. acquire_cred_fromNr>r5:sccacher;)rArBr7)cachekeytab_principal)r{rIrmOID from_int_seqrkerberosr-rPrrArJr< cache_typercredsCredskrb5_import_credaddr)rXrYrrA ccache_name gssapi_credss r3r[r[s vzz.//::**7+;+;+A+AB ;;GINN$;vG[G[\Dkk(S    ++d2[@Kzz++  $* , %  zz'')  ##  PYinn_c $ r5r-c/nUH#nURURSSS95 M% SRU5$![a URS5 MVf=f)aEncode string to use for Kerberos passwords. Encodes the input string to use with Kerberos functions as a password. This is a special encoding method to ensure that any invalid surrogate chars are encoded as the replacement char U+FFFD. This is needed when dealing with randomly generated passwords like gMSA or machine accounts. The raw UTF-16 bytes can be encoded in a string with the following: b"...".decode("utf-16-le", errors="surrogatepass") The invalid surrogate pairs in the UTF-16 byte sequence will be preserved in the str value allowing this function to replace it as needed. This means the value can be used with both NTLM and Kerberos authentication with the same value. Args: value: The string to encode to bytes. Returns: bytes: The encoded string value. zutf-8strict)errorss�r5)r.encodeUnicodeEncodeErrorjoin)r-b_datacs r3r]r](s_0F  + MM!((78(< = 88F " + MM/ * +s=AAcl^\rSrSrSrSSSSS\R SS\R4 S\ R\ R\ \ \ R\ 4S\ R\ S\ R\ S \ R\ S \ R\S \S \ S \ S\S\ R SS4U4Sjjjr\S9S\ R\S\ R\ 4Sjj5r\S\4Sj5r\S\ R\ 4Sj5r\S\4Sj5r\S\ R\ 4Sj5r\\"\S5S\4Sj55rS:Sjr\"\S5S9SS.S\ R\S \ R\S\ R\4Sjjj5r\"\S5S\ 4Sj5r!\"\S 5S;S!\S"\S#\ R\"S\#4S$jj5r$\"\S%5S;S&\ RJ\&S"\S#\ R\"S\'4S'jj5r(S!\S\)4S(jr*\"\S)5S!\S\+4S*j5r,\"\S+5S&\ RJ\&S\-4S,j5r.S-\S!\S\4S.jr/\"\S/5S9S!\S#\ R\"S\4S0jj5r0\"\S15S!\S2\S\"4S3j5r1\S\ R\ Rd\\"44S4j5r3S5\4SS64S7jr5S8r6U=r7$)< GSSAPIProxyiJzGSSAPI proxy class for GSSAPI on Linux. This proxy class for GSSAPI exposes GSSAPI calls into a common interface for Kerberos authentication. This context uses the Python gssapi library to interface with the gss_* calls to provider Kerberos. Nr;rrOr^hostnameservicechannel_bindingsr9r7protocoloptionskwargsr)c >[(d[S[-5e[X5n [[ U]XXEXgX5 [RR[RR5Ul U RSS5n U (d![URUR U US9n U[&R(-(ajUR S:XaZU c*[R*"UR UR/S9n [-[RR[.5U 5 XlSUlg!["an [%U SS9U eSn A ff=f)Nz2GSSAPIProxy requires the Python gssapi library: %s_gssapi_credential)r8r9zGetting GSSAPI credential) base_errorrGr;)r7rB) HAS_GSSAPI ImportErrorGSSAPI_IMP_ERRrsuperr__init__rIrrrrr-_mechgetrfr7rrr no_integrityrQr"_GSS_KRB5_CRED_NO_CI_FLAGS_X _credential_context)selfrOr^rrrr9r7rrrr8gssapi_credentialgss_err __class__s r3rGSSAPIProxy.__init__Qs0zRUccd d';  k4) 7kRZ ZZ,,W-=-=-C-CD "JJ';TB  l$:JJJJ + + %! 00 0TZZ:5M ($*$6$6TZZPTPZPZ|$\!  ''(DE!  -AE  l!WB]^dkk ls E E  EE c/nU(a#U[R-(a [(aURS5 U$Nr)rwrapping_winrmHAS_IOVr.)clsravails r3available_protocolsGSSAPIProxy.available_protocolss/G&6&E&EEgg LL $ r5c[$N)r)rs r3 iov_availableGSSAPIProxy.iov_availablesr5cUR(a>URS:Xa.[URR5R S5$g)Naccept)rr7rinitiator_namerstriprs r3client_principalGSSAPIProxy.client_principals9 ==TZZ834==778??G Gr5cXURSL=(a URR$r)rcompleters r3rGSSAPIProxy.completes }}D(CT]]-C-CCr5cgrrs r3negotiated_protocolGSSAPIProxy.negotiated_protocolsr5zRetrieving session keycUR(a:[UR[RR [ 55S$[ SS9e)Nrz;Retrieving session key failed as no context was initializedrF)rr!rIrr_GSS_C_INQ_SSPI_SESSION_KEYrrs r3 session_keyGSSAPIProxy.session_keys> ==-dmmVZZ=T=TUp=qrstu u -jk kr5c [URURURURUR UR URURS9$)N)rrrr9r7rrr) r _hostname_servicerr9r7rrrrs r3 new_contextGSSAPIProxy.new_contextsM^^MM!22((**]]LL#//  r5zProcessing security token)rin_tokencUR(dA[RS[R"U=(d S5R 55 UR (Gd0nU=(d URnU(aB[URURURURURS9US'URS:Xa}UR=(d S<SUR =(d S<3n["R$"U["R&R(S 9US 'UR*US 'UR,US '["R."SUR0URS .UD6UlUR R3U5n[5UR R65UlUR(dA[RS[R"U=(d S5R 55 U$![:R<a UR R>(aeNf=f)NzGSSAPI step input: %sr5)initiator_address_typeinitiator_addressacceptor_address_typeacceptor_addressapplication_datarr;host@ unspecified)r@rAr6flags)rr7zGSSAPI step output: %sr) _is_wrappedrSrTbase64 b64encodedecoderrrinitiator_addrtyperacceptor_addrtyperrr7rrrIrPrJr=r _context_reqSecurityContextrstepint actual_flags _context_attr gss_errorsMissingContextErrorr)rrrcontext_kwargsspn out_tokens r3rGSSAPIProxy.steps II-v/?/?C/P/W/W/Y Z}}};=N/H43H3H 5D+;+N+N&6&H&H*:*L*L%5%F%F%5%F%F 612zzZ'!%!8&!8$..:YM:YZ)/SFOODeDe)fv&)-v&*.*;*;w'"22n9I9IQUQ[Q[n_mnDMMM&&x0  !$T]]%?%?!@D  II.0@0@AQc0R0Y0Y0[ \--  }}%%&  s $H0I  I zGetting context sizescUR(d [SS9e[[RSSS9n[ URU5 [ [USR=(d S5S9$)Nz;Cannot get message sizes until context has been establishedrFr5F) std_layoutr)header) rrr(r#rr&r lenr-)rr's r3query_message_sizesGSSAPIProxy.query_message_sizess[}} -jk k     s+!SV\\-@S)ABBr5z Wrapping datar,encryptqopcUR(d [SS9e[RR URXUS9n[ UR URS9$)N.Cannot wrap until context has been establishedrF confidentialr)r, encrypted)rrrIrmwrapr messager )rr,rrrrs r3r GSSAPIProxy.wrapsF}} -]^ ^jjoodmmTSoQs{{cmmDDr5zWrapping IOV bufferr'cUR(d [SS9eURXR5n[ USS06n[ URXRUS9n[ [U5US9$)NrrFrFr)r0r )rr_build_iov_list_convert_iov_bufferr(r%rr4)rr'rrr0 iov_bufferr s r3r%GSSAPIProxy.wrap_iovsb}} -]^ ^&&s,D,DEW77 T]]JRUV %7 %CyYYr5c2UR[RU[R/5RnUSR =(d SnUSR =(d SnUSR =(d Sn[ X4U-[U5S9$)Nrr5)rr,padding_length)r%rrpaddingr0r,r r)rr,r'renc_datars r3 wrap_winrmGSSAPIProxy.wrap_winrmsxmmZ..j6H6HIJRRQ#q6;;%#a&++$fg3EVYZaVbccr5zUnwrapping datacUR(d [SS9e[RR URU5n[ UR URURS9$)N0Cannot unwrap until context has been establishedrF)r,r r) rrrIrmunwrapr r r r)rr,rrs r3rGSSAPIProxy.unwrapsJ}} -_` `jj t4 377SSr5zUnwrapping IOV buffercUR(d [SS9eURXR5n[ USS06n[ URU5n[ [U5URURS9$)NrrFrF)r0r r) rrrrr(r$rr4r r)rr'r0rrrs r3r$GSSAPIProxy.unwrap_iovso }} -_` `&&s,D,DEW77  3'9*'EQTQ^Q^dgdkdkllr5rcpUR(d [SS9e[URR5nU(aZUS:XaTUR [ R U4U[ R/5RnUSR=(d S$URX-5R$)NrrFsKerberos 5 GSS-API Mechanismrr5) rrrir6r$r#rr,r0r)rrr,rsr's r3 unwrap_winrmGSSAPIProxy.unwrap_winrm%s}} -_` `)$--*<*<=  &EE//M$8$8&#A4I[I["\]eeCq6;;%# %;;v}-22 2r5zSigning messagecUR(d [SS9e[RR URXS9$)Nz.Cannot sign until context has been establishedrF)r)rrrIrmget_mic)rr,rs r3signGSSAPIProxy.sign;s3}} -]^ ^zz!!$--!??r5zVerifying messagemiccUR(d [SS9e[RR URX5$)Nz0Cannot verify until context has been establishedrF)rrrIrm verify_mic)rr,r's r3verifyGSSAPIProxy.verifyBs0}} -_` `zz$$T]]D>>r5c [RS4[RS4[RS4[RS4[R S4[R S4[RS4[RS4[RS 4/ n/nUHQup4[[RU5(dM&URU[[RU545 MS U$) Ndelegate_to_peermutual_authenticationreplay_detectionout_of_sequence_detectionconfidentiality integrity dce_styleidentifyok_as_delegate)rrL mutual_auth replay_detectsequence_detectr1r2r3r4rMr{rIRequirementFlagr.rH)rattr_mapattrs spnego_flag gssapi_names r3_context_attr_mapGSSAPIProxy._context_attr_mapIs "4 5  # #%< =  % %'9 :  ' ')D E  ' '): ;  ! !; /  ! !; /  * -  ' ')9 :  (0 $Kv--{;; k763I3I;+WXY)1 r5buffer GSSIOVBufferc2SnSn[UR[5(a URnO[UR[5(a URnOm[UR[5(aSUR-nO>[ R [ R[ R/nURU;nURnUR[ R:Xa[ Rn[[U5X25$)NF)rNr,bytesrKrrrrtrailerr+ data_readonlyemptyrAr#)rr@ buffer_data buffer_alloc auto_alloc buffer_types r3rGSSAPIProxy._convert_iov_buffer_s  fkk5 ) ) ++K  T * *!;;L  S ) )!FKK/K$++Z-?-?ASASTJ!;;*4Lkk ;;*22 2%**KM+6 RRr5)rrrrr)r)r)TN)8__name__ __module__ __qualname____firstlineno____doc__rdefaultrnonetypingOptionalUnionrqrListrAnyr classmethodrrKrpropertyrrrr NativeErrorrDrrrr rrr r Iterablerrr%r rr rrr$r!r%r*Tupler>rr__static_attributes__ __classcell__)rs@r3rrJs|]a)-)-(,@D","4"4"$4$9$9-F//&,,sJ J@W/W"XY-F//#&-F//#& -F % -F !//*<= -F -F-F-F"-F**-F -F-F^&//:J*KW]WbWbcfWgd&//#"6D$DDV__S%9{$<=lUl>l  {$?@,0-AE -//%(-!//*<= -   -A-^{$;< C%7 C= C{O4EEE6??3;OE[eE5E{$9:$( Z __S ! Z Z__S ! Z  Z; Zdudd{$56T5T\T7T{$;< m __S ! m  m= m3533%3,{$56@@V__S%9@U@7@ {$78?5?u??9? 6;;v||JO/L#M*S)SSSr5rr)NF)OrryloggingsysrTspnego._contextrrrrrrr r r r r spnego._credentialrrrrrr spnego._textrrspnego.channel_bindingsrspnego.exceptionsrr[rrrr spnego.iovrrr getLoggerrMrSrrrIrU gssapi.rawrr rr!r"rrtrqrTrGSSAPI_IOV_IMP_ERRr(rAr#r$r%r&rrr]r4rWrUrfrDrirKr_r[r]rrr5r3rksQ      +65 ;: !   [43F T(4OO 91HlC6G)H04 TT TT TTZ(TT, TT  __/0 TTn' '1G'.*. =;=;=;&=; =;  =;@& &/0&&R  DkS,kSm[VNJIIUXYYZZ[TQGII=@RRSSTs0E3#F$3F!9FF!$G*GG