i;j%SSKrSSKr\R\\S'SSKJr \R\\S'\ r "SS\5r "SS\R5r"S S \5r"S S \R 5r"S S\5r"SS\\S9r"SS\5r"SS\5r"SS\5r"SS\5r"SS\5r"SS\5r"SS\5r"S S!\5r"S"S#\5r"S$S%\5r"S&S'\5r"S(S)\5r g!\a r\rSrCNSrCff=f!\ a \r Nf=f)*NGSSError)rWinErrorcB\rSrSrSrS\S\RSS4SjrSr g) NativeErrorzeStub for a native error that can be used to generate a SpnegoError from a known platform native code.msgkwargsreturnNc LXlSHnX2;dM [XX#5 M g)N)maj_codewinerror)rsetattr)selfrr keys K/home/james-whalen/.local/lib/python3.13/site-packages/spnego/exceptions.py__init__NativeError.__init__s"+C}6;/,)r) __name__ __module__ __qualname____firstlineno____doc__strtypingAnyr__static_attributes__rrrrs#o0C06::0$0rrc<\rSrSrSrSrSrSrSrSr Sr S r S r S r S rg )NegotiateOptionsa: Flags that the caller can use to control the negotiation behaviour. A list of features as bit flags that the caller can specify when creating the security context. These flags can be used on both Windows or Linux but are a no-op on Windows as it should always have the same features available. On Linux the features it can implement depend on a wide range of factors like the system libraries/headers that are installed, what GSSAPI implementation is present, and what Python libraries are available. This is a pretty advanced feature and is mostly a way to control the kerberos to ntlm fallback behaviour on Linux. The `use_*` options when combined with `protocol='credssp'` control the underlying auth proxy provider that is used in the CredSSP authentication process and not the parent context proxy the user interacts with. These are the currently implemented feature flags: use_sspi: Ensures the context proxy used is :class:`spnego._sspi.SSPIProxy`. use_gssapi: Ensures the context proxy used is :class:`spnego._gss.GSSAPIProxy`. use_negotiate: Ensures the context proxy used is :class:`spnego._negotiate.NegotiateProxy`. use_ntlm: Ensures the context proxy used is :class:`spnego._ntlm.NTLMProxy`. negotiate_kerberos: Will make sure that Kerberos is at least available to try for authentication when using the `negotiate` protocol. If Kerberos cannot be used due to the Python gssapi library not being installed then it will raise a :class:`spnego.exceptions.FeatureMissingError`. If Kerberos was available but it cannot get a credential or create a context then it will just fallback to NTLM auth. If you wish to only use Kerberos with no NTLM fallback, set `protocol='kerberos'` when creating the security context. session_key: Ensure that the authenticated context will be able to return the session key that was negotiated between the client and the server. Older versions of `gss-ntlmssp`_ do not expose the functions required to retrieve this info so when this feature flag is set then the NTLM fallback process will use a builtin NTLM process and not `gss-ntlmssp`_ if the latter is too old to retrieve the session key. Cannot be used in combination with `protocol='credssp'` as CredSSP does not provide a session key. wrapping_iov: The GSSAPI IOV methods are extensions to the Kerberos spec and not implemented or exposed on all platforms, macOS is a popular example. If the caller requires the wrap_iov and unwrap_iov methods this will ensure it fails fast before the auth has been set up. Unfortunately there is no fallback for this as if the headers aren't present for GSSAPI then we can't do anything to fix that. This won't fail if `negotiate` was used and NTLM was the chosen protocol as that happens post negotiation. wrapping_winrm: To created a wrapped WinRM message the IOV extensions are required when using Kerberos auth. Setting this flag will skip Kerberos when `protocol='negotiate'` if the IOV headers aren't present and just fallback to NTLM. .. _gss-ntlmssp: https://github.com/gssapi/gss-ntlmssp r @rN)rrrrrnoneuse_sspi use_gssapi use_negotiateuse_ntlmnegotiate_kerberos session_key wrapping_iovwrapping_winrmrrrrr r s:4l DHJMH#KLNrr cR\rSrSr\S\4Sj5r\S\4Sj5rS\4Sjr Sr g)FeatureMissingErrorcr c URS$)Nr)argsrs r feature_idFeatureMissingError.feature_iddsyy|rc[RS[RS[RS[RS0R UR SUR -5nU$)NzLThe Python gssapi library is not installed so Kerberos cannot be negotiated.z|The system is missing the GSSAPI IOV extension headers or CredSSP is being requested, cannot utilize wrap_iov and unwrap_iovzcThe system is missing the GSSAPI IOV extension headers required for WinRM encryption with Kerberos.z?The protocol selected does not support getting the session key.zUnknown option flag: %d)r r/r1r2r0getr9)rrs rmessageFeatureMissingError.messagehsh  / /2  ) ),F  + +..  ( (*k  #doo84??J K  rcUR$N)r=r8s r__str__FeatureMissingError.__str__vs ||rrN) rrrrpropertyr r9rr=rArrrrr4r4csC ,   rr4cL\rSrSrSrSrSrSrSrSr Sr S r S r S r S rS rSrSrSrg) ErrorCodeza]Common error codes for SPNEGO operations. Mostly a copy of the `GSS major error codes`_ with the names made more pythonic. Not all codes have a corresponding SpnegoError class as they are reserved for the codes that apply to both GSSAPI and SSPI. .. _GSS major error codes: https://docs.oracle.com/cd/E19683-01/816-1331/reference-4/index.html r"r#r$r% r&rN)rrrrrbad_mechbad_name bad_bindingsbad_micno_cred no_context invalid_tokeninvalid_credentialcredentials_expiredcontext_expiredfailurebad_qop unavailablerrrrrErEzsLHHLGGJMOGGKrrEc |^\rSrSr%0r\R \\R4\ S'0r \R \\4\ S'0r \R \\4\ S'S\RS\RSS4S jr SS \R\S \R\S\RS\RSS4 U4S jjjrS rU=r$)_SpnegoErrorRegistry_SpnegoErrorRegistry__registry _SpnegoErrorRegistry__gssapi_map_SpnegoErrorRegistry__sspi_mapr7r r Nc2[USS5nUbX0R;aXRU'SUR4SUR44HJupE[XS5nUcM[ U[ [ 45(dU/nUHnU=(d SXW'M ML g)N ERROR_CODE _GSSAPI_CODE _SSPI_CODEr)getattrr_r`ra isinstancelisttuple)clsr7r error_code system_attrmappingcodescs rr_SpnegoErrorRegistry.__init__s S,5  !j&F),NN: &'5c6F6F%G,X[XfXfIg$h KCd3E}edE]33'_1 %irrk base_errorc>UbUO [USS5nUcU(d[SUR-5e[USS5n[USS5nUbURR US5nOAUbUR R US5nO![S[ U5R-5eURR U=(d SU5n[[U]*"UU/UQ70UD6$)Nrcz.%s requires either an error_code or base_errorr r z^base_error of type '%s' is not supported, must be a gssapi.exceptions.GSSError or WindowsErrorr) rf ValueErrorrr`r<ratyper_superr]__call__) rjrkrqr7r r r new_cls __class__s rrv_SpnegoErrorRegistry.__call__s$.#9ZwsLZ^?_   !QTWT`T`!`aaz:t%>? ..$$Z_1c:)7<       rr)NN)rrrrr_rDictintType__annotations__r`rarrOptional Exceptionrvr __classcell__rxs@rr]r]s02J C,-2*,L&++c3h',(*J CH%*-zz-**-  -4,015$ OOC($ OOI.$ zz $ ** $ $ $ rr]c ^\rSrSrSrS S\R \R\\ 4S\R \ S\R \ SS4U4Sjjjr \ S\4S j5r\ S\ 4S j5rS rU=r$) SpnegoErroravCommon error for SPNEGO exception. Creates an common error record for SPNEGO errors raised by pyspnego. This error record can wrap system level error records raised by GSSAPI or SSPI and wrap them into a common error record across the various platforms. While this reflects the GSSAPI major codes that can be raised, it is up to the GSSAPI platform to conform to those error codes. Some platforms like MIT krb5 always report `GSS_S_FAILURE` and use the minor code to report the actual error message. Args: error_code: The ErrorCode for the error, this must be set if base_error is not set. base_error: The system level error from SSPI or GSSAPI, this must be set if error_code is not set. context_msg: Optional message to provide more context around the error. Attributes: base_error (Optional[Union[GSSError, WinError]]): The system level error if one was provided. Nrkrq context_msgr cd>X lXlX0l[[U]UR 5 gr@)rq _error_code_context_messagerurrr=)rrkrqrrxs rrSpnegoError.__init__s) %% + k4)$,,7rc[USUR5=(d Sn[U[[45(aUS$U$)z6The Windows NT Status code that represents this error.rer)rfrrgrhri)rrns r nt_statusSpnegoError.nt_statuss<lD,<,<=K%edE];;uQxFFrcURb UROSnUR(a[UR5nO [USS5nSX4-nUR(aUSUR-- nU$)Nr _BASE_MESSAGEzUnknown error codezSpnegoError (%d): %sz , Context: %s)rrqrrfr)rrk base_messagers rr=SpnegoError.message sp)-)9)9)ET%%: ??t/L#4:NOL$ 'AA  ?T%:%:: :C r)rrrq)NNN)rrrrrrr~Unionr{rErrrrCrr=rrrs@rrrs8EI15,0 8OOFLLi$@A 8OOI. 8__S) 8  8 8G3GG    rr) metaclassc8\rSrSr\R rSrSrSr Sr g)BadMechanismErroriz&An unsupported mechanism was requestedii rN) rrrrrErOrcrrdrerrrrrrs##JrsW ++i # ++i H 0)0B t||B J). @A 4A H;)';;| ;{+ [, ,[k+[U H Hs(DD'D$DD$'D21D2