# # Licensed to the Apache Software Foundation (ASF) under one # or more contributor license agreements. See the NOTICE file # distributed with this work for additional information # regarding copyright ownership. The ASF licenses this file # to you under the Apache License, Version 2.0 (the # "License"); you may not use this file except in compliance # with the License. You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, # software distributed under the License is distributed on an # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY # KIND, either express or implied. See the License for the # specific language governing permissions and limitations # under the License. # import abc import base64 import struct # import kerberos Optional dependency imported in relevant codeblock import six try: import ujson as json except ImportError: import json from gremlin_python.driver import request from gremlin_python.driver.resultset import ResultSet __author__ = 'David M. Brown (davebshow@gmail.com)' class GremlinServerError(Exception): def __init__(self, status): super(GremlinServerError, self).__init__('{0}: {1}'.format(status['code'], status['message'])) self._status_attributes = status['attributes'] self.status_code = status['code'] @property def status_attributes(self): return self._status_attributes class ConfigurationError(Exception): pass @six.add_metaclass(abc.ABCMeta) class AbstractBaseProtocol: @abc.abstractmethod def connection_made(self, transport): self._transport = transport @abc.abstractmethod def data_received(self, message, results_dict): pass @abc.abstractmethod def write(self, request_id, request_message): pass class GremlinServerWSProtocol(AbstractBaseProtocol): MAX_CONTENT_LENGTH = 65536 QOP_AUTH_BIT = 1 _kerberos_context = None def __init__(self, message_serializer, username='', password='', kerberized_service=''): self._message_serializer = message_serializer self._username = username self._password = password self._kerberized_service = kerberized_service def connection_made(self, transport): super(GremlinServerWSProtocol, self).connection_made(transport) def write(self, request_id, request_message): message = self._message_serializer.serialize_message( request_id, request_message) self._transport.write(message) def data_received(self, message, results_dict): # if Gremlin Server cuts off then we get a None for the message if message is None: raise GremlinServerError({'code': 500, 'message': 'Server disconnected - please try to reconnect', 'attributes': {}}) message = self._message_serializer.deserialize_message(message) request_id = message['requestId'] result_set = results_dict[request_id] if request_id in results_dict else ResultSet(None, None) status_code = message['status']['code'] aggregate_to = message['result']['meta'].get('aggregateTo', 'list') data = message['result']['data'] result_set.aggregate_to = aggregate_to if status_code == 407: if self._username and self._password: auth_bytes = b''.join([b'\x00', self._username.encode('utf-8'), b'\x00', self._password.encode('utf-8')]) auth = base64.b64encode(auth_bytes) request_message = request.RequestMessage( 'traversal', 'authentication', {'sasl': auth.decode()}) elif self._kerberized_service: request_message = self._kerberos_received(message) else: raise ConfigurationError( 'Gremlin server requires authentication credentials in DriverRemoteConnection.' 'For basic authentication provide username and password. ' 'For kerberos authentication provide the kerberized_service parameter.') self.write(request_id, request_message) data = self._transport.read() # Allow for auth handshake with multiple steps return self.data_received(data, results_dict) elif status_code == 204: result_set.stream.put_nowait([]) del results_dict[request_id] return status_code elif status_code in [200, 206]: result_set.stream.put_nowait(data) if status_code == 200: result_set.status_attributes = message['status']['attributes'] del results_dict[request_id] return status_code else: del results_dict[request_id] raise GremlinServerError(message['status']) def _kerberos_received(self, message): # Inspired by: https://github.com/thobbs/pure-sasl/blob/0.6.2/puresasl/mechanisms.py # https://github.com/thobbs/pure-sasl/blob/0.6.2/LICENSE try: import kerberos except ImportError: raise ImportError('Please install gremlinpython[kerberos].') # First pass: get service granting ticket and return it to gremlin-server if not self._kerberos_context: try: _, kerberos_context = kerberos.authGSSClientInit( self._kerberized_service, gssflags=kerberos.GSS_C_MUTUAL_FLAG) kerberos.authGSSClientStep(kerberos_context, '') auth = kerberos.authGSSClientResponse(kerberos_context) self._kerberos_context = kerberos_context except kerberos.KrbError as e: raise ConfigurationError( 'Kerberos authentication requires a valid service name in DriverRemoteConnection, ' 'as well as a valid tgt (export KRB5CCNAME) or keytab (export KRB5_KTNAME): ' + str(e)) return request.RequestMessage('', 'authentication', {'sasl': auth}) # Second pass: completion of authentication sasl_response = message['status']['attributes']['sasl'] if not self._username: result_code = kerberos.authGSSClientStep(self._kerberos_context, sasl_response) if result_code == kerberos.AUTH_GSS_COMPLETE: self._username = kerberos.authGSSClientUserName(self._kerberos_context) return request.RequestMessage('', 'authentication', {'sasl': ''}) # Third pass: sasl quality of protection (qop) handshake # Gremlin-server Krb5Authenticator only supports qop=QOP_AUTH; use ssl for confidentiality. # Handshake content format: # byte 0: the selected qop. 1==auth, 2==auth-int, 4==auth-conf # byte 1-3: the max length for any buffer sent back and forth on this connection. (big endian) # the rest of the buffer: the authorization user name in UTF-8 - not null terminated. kerberos.authGSSClientUnwrap(self._kerberos_context, sasl_response) data = kerberos.authGSSClientResponse(self._kerberos_context) plaintext_data = base64.b64decode(data) assert len(plaintext_data) == 4, "Unexpected response from gremlin server sasl handshake" word, = struct.unpack('!I', plaintext_data) qop_bits = word >> 24 assert self.QOP_AUTH_BIT & qop_bits, "Unexpected sasl qop level received from gremlin server" name_length = len(self._username) fmt = '!I' + str(name_length) + 's' word = self.QOP_AUTH_BIT << 24 | self.MAX_CONTENT_LENGTH out = struct.pack(fmt, word, self._username.encode("utf-8"),) encoded = base64.b64encode(out).decode('ascii') kerberos.authGSSClientWrap(self._kerberos_context, encoded) auth = kerberos.authGSSClientResponse(self._kerberos_context) return request.RequestMessage('', 'authentication', {'sasl': auth})