mg[NdZddlZddlZddlZddlZddlmZddlmZm Z m Z m Z m Z m Z mZddlmZmZddlmZddlmZmZdd lmZmZmZmZmZdd lmZmZm Z dd lm!Z!m"Z"erdd l#m$Z$Gd deZ%GddeZ& ejNdk(rddl(m)Z)nddl*m)Z)GddeZ.ee-e.fZ/dZ0dZ1dZ2dZ3dZ4dZ5dZ6dZ7d Z8d!Z9d"Z:d#Z;d$Zd'Z?d(Z@dZAd)ZBd*ZCd)ZDd+ZEGd,d-e ZFGd.d/ZGGd0d1ZHed3de/dd/fd2ZIy#e+$rZ,de-de e%e&ffdZ)YdZ,[,dZ,[,wwxYw)4SSH agent clientN) TracebackType) TYPE_CHECKINGListOptionalSequenceTupleTypeUnion)ProtocolSelf)SSHForwardListener)async_context_managermaybe_wait_closed)ByteStringUInt32PacketDecodeError SSHPacket)KeyPairListArgSSHCertificate SSHKeyPair)load_default_keypairs load_keypairs)TemporaryDirectoryc eZdZdZdedefdZy) AgentReaderz&Protocol for reading from an SSH agentnreturnc Kyw)z'Read exactly n bytes from the SSH agentN)selfrs .lib/python3.12/site-packages/asyncssh/agent.py readexactlyzAgentReader.readexactly,N)__name__ __module__ __qualname____doc__intbytesr%r"r$rr)s063656r.rc0eZdZdZdeddfdZddZddZy) AgentWriterz$Protocol for writing to an SSH agentdatar Ncy)zWrite bytes to the SSH agentNr"r#r1s r$writezAgentWriter.write3r.cy)z!Close connection to the SSH agentNr"r#s r$closezAgentWriter.close6r5r.c Kyw)z1Wait for the connection to the SSH agent to closeNr"r7s r$ wait_closedzAgentWriter.wait_closed9r&r'r N)r(r)r*r+r-r4r8r:r"r.r$r0r00s#.+%+D+0@r.r0win32) open_agent agent_pathr c^Kttjdttzw)z6Dummy function if we're unable to import agent supportzAgent support unavailable: %s)OSErrorerrnoENOENTstr_exc)r>s r$r=r=Cs#ell$Cc$i$OPPs+-c&eZdZdZdeeeffdZy)_SupportsOpenAgentConnectionz+A class that supports open_agent_connectionr c Kyw)z8Open a forwarded ssh-agent connection back to the clientNr"r7s r$open_agent_connectionz2_SupportsOpenAgentConnection.open_agent_connectionMr&r'N)r(r)r*r+r rr0rHr"r.r$rFrFJs5GU; 3K-LGr.rF  ceZdZdZdZdddededeffd Zedefd Z edefd Z d e dd ffd Z dedd ffd Z dedefdZddZxZS)SSHAgentKeyPairz,Surrogate for a key managed by the SSH agentagentSSHAgentClient algorithm public_datacommentc|jd}|r |jdr |dddz}n|dd}n|}|dk(rtjdk7rd}n|f}|r|f}n|}t |||||||||_||_d|_y) Ns-cert-v01@openssh.comsk-is @openssh.comssh-rsar<) rsa-sha2-256 rsa-sha2-512rfr) endswith startswithsysplatformsuper__init___agent_is_cert_flags) r#r_rarbrcis_cert sig_algorithmsig_algorithmshost_key_algorithms __class__s r$rnzSSHAgentKeyPair.__init__xs$$%=> ##F+ )$3/ A )$3 %M J &3<<7+B> ,-N 4=< "0  M>,k7 D   r.r c|jS)z/ Return if this key pair has an associated cert)rpr7s r$has_certzSSHAgentKeyPair.has_certs}}r.cy)z; Return if this key pair has an associated X.509 cert chainFr"r7s r$has_x509_chainzSSHAgentKeyPair.has_x509_chainsr.certNc2t||d|_y)z$Set certificate to use with this keyTN)rmset_certificaterp)r#r{rvs r$r}zSSHAgentKeyPair.set_certificates % r.rsct|||dvr|xjtzc_y|dk(r|xjtzc_yy)z4Set the signature algorithm to use when signing data)rgsx509v3-rsa2048-sha256rhN)rmset_sig_algorithmrqSSH_AGENT_RSA_SHA2_256SSH_AGENT_RSA_SHA2_512)r#rsrvs r$rz!SSHAgentKeyPair.set_sig_algorithmsF !-0 G G KK1 1K o - KK1 1K.r.r1cK|jj|j||jd{S7w)z9Asynchronously sign a block of data with this private keyN)rosignkey_public_datarqr3s r$ sign_asynczSSHAgentKeyPair.sign_asyncs1[[%%d&:&:D$++NNNNs 5><>cXK|jj|gd{y7w)z#Remove this key pair from the agentN)ro remove_keysr7s r$removezSSHAgentKeyPair.removes"kk%%tf---s *(*r;)r(r)r*r+ _key_typer-rnpropertyboolrxrzrr}rrr __classcell__)rvs@r$r^r^ss6I.5#.3@$  Nt2u22OUOuO .r.r^c eZdZdZdefdZdefdZdee e dee dee de fd Z d'd Zed eed e defdZd'dZdededeeeffdZd(deeedeefdZ d)dedededefdZ d*dedeed eed e dd f dZ d+dedeed eed e dd f dZdeedd fdZ d(dedeedd fd Z d'd!Z!dedd fd"Z"dedd fd#Z#deefd$Z$d'd%Z%d'd&Z&y ),r`rr>c`||_d|_d|_tj|_yN) _agent_path_reader_writerasyncioLock_lock)r#r>s r$rnzSSHAgentClient.__init__s%%.2 .2 \\^ r.r cK|Sw)z;Allow SSHAgentClient to be used as an async context managerr"r7s r$ __aenter__zSSHAgentClient.__aenter__s  sexc_type exc_value tracebackc@K|jd{y7w)z?Wait for connection close when used as an async context managerNF)_cleanup)r#rrrs r$ __aexit__zSSHAgentClient.__aexit__s mmo s Nc`K|j|jd{y7w)zClean up this SSH agent clientN)r8r:r7s r$rzSSHAgentClient._cleanups#    s $.,.lifetimeconfirmcrd}|r|ttt|zz }|r|ttz }|S)zEncode key constraintsr.)rSSH_AGENT_CONSTRAIN_LIFETIMErSSH_AGENT_CONSTRAIN_CONFIRM)rrresults r$encode_constraintsz!SSHAgentClient.encode_constraintss>  d786(;KK KF  d67 7F r.cKt|jtr+t|jd{\|_|_y|jj d{\|_|_y7B7w)zConnect to the SSH agentN) isinstancerrCr=rrrHr7s r$connectzSSHAgentClient.connectsd d&& ,/9$:J:J/K)K &DL$,&&<<>> 'DL$,*L?s!3A<A8/A<%A:&A<:A<msgtypeargscK|j4d{ |js|jd{|j}|j}|J|Jt |dj |z}|j tt||ztj|jdd{d}t|j|d{}|j}||fcdddd{S777U747#ttt f$r3} |j#d{7t%t'| dd} ~ wwxYw#1d{7swYyxYww)zSend an SSH agent requestNr.r\big)rrrrrjoinr4rlenr, from_bytesr%rget_byter@EOFErrorrr ValueErrorrC) r#rrreaderwriterpayloadresplenrespresptypeexcs r$ _make_requestzSSHAgentClient._make_requests1::: 5||,,.(())))))w-#((4.8 VCL1G;<..0B0B10E*EN (:(:7(C"CE==?~'::)+F"C!(X'89 5mmo%% S*4 5)::sE>DE>E)DDB DD "D&D 'D E>DE>DDDE>E&3E!E E!!E&&E))E;/E2 0E;7E> identitiesc K|jtd{\}}|tk(rg}|j}t |D]a}|j }|j }|r||vr*t |} | j } |jt|| ||c|j|Std|z7w)aRequest the available client keys This method is a coroutine which returns a list of client keys available in the ssh-agent. :param identities: (optional) A list of allowed byte string identities to return. If empty, all identities on the SSH agent will be returned. :returns: A list of :class:`SSHKeyPair` objects NUnknown SSH agent response: %d) rSSH_AGENTC_REQUEST_IDENTITIESSSH_AGENT_IDENTITIES_ANSWER get_uint32range get_stringrappendr^ check_endr) r#rrrrnum_keys_key_blobrcpacketras r$get_keyszSSHAgentClient.get_keyss $$%BC C $ 2 2')F(H8_??,//+(*"<"8,"--/  odI.6AB% NN M=HI I- DsCC B2Crr1flagsc$K|jtt|t|t|d{\}}|tk(r"|j }|j |S|tk(r tdtd|z7Tw)z+Sign a block of data with the requested keyNz!Unable to sign with requested keyr) rSSH_AGENTC_SIGN_REQUESTrrSSH_AGENT_SIGN_RESPONSErrSSH_AGENT_FAILUREr)r#rr1rrrsigs r$rzSSHAgentClient.sign7s $112I282B28,u  OO$ . .//#C NN J * *@A A=HI IOs7BBABkeylist passphrasec K|rt||}d}n t|}d}|j||}tjj dxsd}t ttdzt|z} |D]} |} | jjdr| | z } | rtnt} | j} |j| | jt| xsd| d{\}}|t k(r|j#|t$k(r|rt'd t'd |zy7Hw) a4Add keys to the agent This method adds a list of local private keys and optional matching certificates to the agent. :param keylist: (optional) The list of keys to add. If not specified, an attempt will be made to load keys from the files :file:`.ssh/id_ed25519_sk`, :file:`.ssh/id_ecdsa_sk`, :file:`.ssh/id_ed448`, :file:`.ssh/id_ed25519`, :file:`.ssh/id_ecdsa`, :file:`.ssh/id_rsa` and :file:`.ssh/id_dsa` in the user's home directory with optional matching certificates loaded from the files :file:`.ssh/id_ed25519_sk-cert.pub`, :file:`.ssh/id_ecdsa_sk-cert.pub`, :file:`.ssh/id_ed448-cert.pub`, :file:`.ssh/id_ed25519-cert.pub`, :file:`.ssh/id_ecdsa-cert.pub`, :file:`.ssh/id_rsa-cert.pub`, and :file:`.ssh/id_dsa-cert.pub`. Failures when adding keys are ignored in this case, as the agent may not recognize some of these key types. :param passphrase: (optional) The passphrase to use to decrypt the keys. :param lifetime: (optional) The time in seconds after which the keys should be automatically deleted, or `None` to store these keys indefinitely (the default). :param confirm: (optional) Whether or not to require confirmation for each private key operation which uses these keys, defaulting to `False`. :type keylist: *see* :ref:`SpecifyingPrivateKeys` :type passphrase: `str` :type lifetime: `int` or `None` :type confirm: `bool` :raises: :exc:`ValueError` if the keys cannot be added FTSSH_SK_PROVIDERinternalzsk-provider@openssh.comrer.NzUnable to add keyr)rrrosenvirongetrSSH_AGENT_CONSTRAIN_EXTENSIONrrarjSSH_AGENTC_ADD_ID_CONSTRAINEDSSH_AGENTC_ADD_IDENTITYget_comment_bytesrget_agent_private_keySSH_AGENT_SUCCESSrrr)r#rrrrkeypairsignore_failuresbase_constraintsprovidersk_constraintskeypair constraintsrrcrrs r$add_keyszSSHAgentClient.add_keysHsJV $Wj9H#O,Z8H"O228WE::>>"34B ;< 9:;)* G*K  ++F3~- 7B31 //1G(()0)F)F)H)/3)?NN Hd ,, ..&$%899 !AH!LMM- NsC2D?4D=5,D?"D?rpinc0K|j||}|rtnt}|j|t |t |xsd|d{\}}|t k(r|j y|tk(r tdtd|z7Cw)aMStore keys associated with a smart card in the agent :param provider: The name of the smart card provider :param pin: (optional) The PIN to use to unlock the smart card :param lifetime: (optional) The time in seconds after which the keys should be automatically deleted, or `None` to store these keys indefinitely (the default). :param confirm: (optional) Whether or not to require confirmation for each private key operation which uses these keys, defaulting to `False`. :type provider: `str` :type pin: `str` or `None` :type lifetime: `int` or `None` :type confirm: `bool` :raises: :exc:`ValueError` if the keys cannot be added NzUnable to add keysr) r(SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINEDSSH_AGENTC_ADD_SMARTCARD_KEYrrrrrr) r#rrrrrrrrs r$add_smartcard_keysz!SSHAgentClient.add_smartcard_keyss4--h@ $;*F  $11'6(;K282C2= ??$ ( ( NN  * *12 2=HI I?sABBABcK|D]q}|jtt|jd{\}}|tk(r|j Q|t k(r tdtd|zy7Ew)zRemove a key stored in the agent :param keylist: The list of keys to remove. :type keylist: `list` of :class:`SSHKeyPair` :raises: :exc:`ValueError` if any keys are not found Nz Key not foundr)rSSH_AGENTC_REMOVE_IDENTITYrrbrrrr)r#rrrrs r$rzSSHAgentClient.remove_keyssG(()C)/0C0C)DFF Hd,, .. 11 !AH!LMMFs2A<A:AA<cK|jtt|t|xsdd{\}}|tk(r|j y|t k(r t dt d|z7Cw)awRemove keys associated with a smart card stored in the agent :param provider: The name of the smart card provider :param pin: (optional) The PIN to use to unlock the smart card :type provider: `str` :type pin: `str` or `None` :raises: :exc:`ValueError` if the keys are not found rNzKeys not foundr)rSSH_AGENTC_REMOVE_SMARTCARD_KEYrrrrr)r#rrrrs r$remove_smartcard_keysz$SSHAgentClient.remove_smartcard_keyss} $$%D%+H%5vciR7HJ J $ ( ( NN  * *-. .=HI I Js1A9A7AA9cK|jtd{\}}|tk(r|jy|tk(r t dt d|z7Cw)zqRemove all keys stored in the agent :raises: :exc:`ValueError` if the keys can't be removed NzUnable to remove all keysr)r SSH_AGENTC_REMOVE_ALL_IDENTITIESrrrr)r#rrs r$ remove_allzSSHAgentClient.remove_allsd$$%EF F $ ( ( NN  * *89 9=HI I GsA!AAA!cK|jtt|d{\}}|tk(r|j y|t k(r t dt d|z7Cw)aLock the agent using the specified passphrase .. note:: The lock and unlock actions don't appear to be supported on the Windows 10 OpenSSH agent. :param passphrase: The passphrase required to later unlock the agent :type passphrase: `str` :raises: :exc:`ValueError` if the agent can't be locked NzUnable to lock SSH agentr)rSSH_AGENTC_LOCKrrrrrr#rrrs r$lockzSSHAgentClient.locksn $11/282D FF$ ( ( NN  * *78 8=HI IF#A+A)AA+cK|jtt|d{\}}|tk(r|j y|t k(r t dt d|z7Cw)aUnlock the agent using the specified passphrase .. note:: The lock and unlock actions don't appear to be supported on the Windows 10 OpenSSH agent. :param passphrase: The passphrase to use to unlock the agent :type passphrase: `str` :raises: :exc:`ValueError` if the agent can't be unlocked NzUnable to unlock SSH agentr)rSSH_AGENTC_UNLOCKrrrrrrs r$unlockzSSHAgentClient.unlockso $112C282D FF$ ( ( NN  * *9: :=HI IFrcPK|jttdd{\}}|tk(r<>r;r)r)r"NNF)NNF)'r(r)r*r+ _AgentPathrnr rrr BaseExceptionrrrr staticmethodr,r-rrr rrrrrrrrCrrrrrrrrr8r:r"r.r$r`r`s3$:$ $ m1D(E#+M#:#+M#:?C!  Xc] T e  ?535u5 #y. !58&J(5/)B&J Z &JR!"J5JJJ&+J"8:3715',PNnPN#+C=PN!)#PN!%PN26PNf7;;?16'J'J&.sm'J+3C='J+/'J<@'JRN*)=N$N0:>JCJ)1#JBFJ4J"JSJTJ0JsJtJ0J J: !  r.r`c8eZdZdZdddedefdZdefdZd d Zy ) SSHAgentListenerz*Listener used to forward agent connectionstempdirzTemporaryDirectory[str]path unix_listenerc.||_||_||_yr)_tempdir_path_unix_listener)r#r r r s r$rnzSSHAgentListener.__init__ps  +r.r c|jS)z!Return the path being listened on)rr7s r$get_pathzSSHAgentListener.get_pathvszzr.Ncl|jj|jjy)zClose the agent listenerN)rr8rcleanupr7s r$r8zSSHAgentListener.close{s& !!# r.r;) r(r)r*r+rCrrnrr8r"r.r$r r ms24, 9,, 2, #  r.r cK|s tjjdd}t|}|j d{|S7w)aMake a connection to the SSH agent This function attempts to connect to an ssh-agent process listening on a UNIX domain socket at `agent_path`. If not provided, it will attempt to get the path from the `SSH_AUTH_SOCK` environment variable. If the connection is successful, an :class:`SSHAgentClient` object is returned that has methods on it you can use to query the ssh-agent. If no path is specified and the environment variable is not set or the connection to the agent fails, an error is raised. :param agent_path: (optional) The path to use to contact the ssh-agent process, or the :class:`SSHServerConnection` to forward the agent request over. :type agent_path: `str` or :class:`SSHServerConnection` :returns: An :class:`SSHAgentClient` :raises: :exc:`OSError` or :exc:`ChannelOpenError` if the connection to the agent can't be opened SSH_AUTH_SOCKrN)rrrr`r)r>r_s r$ connect_agentrsB8 ZZ^^OR8 : &E --/ LsAA A A )r)Jr+rrArrktypesrtypingrrrrr r r typing_extensionsr r listenerrmiscrrrrrrrr public_keyrrrrrtempfilerrr0rl agent_win32r= agent_unix ImportErrorrDrCrFrrrrrrrrrrrrrrrrrSSH_AGENT_EXTENSION_FAILURErrrrrr^r`r rr"r.r$r$s* NNN,(:FFBB<+6(6 @( @ Q ||w+*G8G344 5 ,.+-+-+-+- +-+-+-+-+-+-(+-,-+,+-+-+-,-+,+.,-+,J.jJ.Zj j Z   *!J!8H!!CQQSQ +{* +QQQsDD$ DD$