o FhB @sUdZddlZddlZddlZddlZddlmZmZmZm Z m Z m Z m Z m Z mZddlmZddlmZddlmZddlmZdd lmZmZdd lmZGd d d e d dZejejejejejejejejej ej ej ej d Z!ee"ee#gdffe$d<e%dZ&dZ'ee e ddfe$d<e(e)e!*Z+ee e"dfe$d<e,hdZ-ee e"e$d<de"de"fddZ.de"de"fddZ/de"dee"e"ffd d!Z0Gd"d#d#Z1dS)$av Digest authentication middleware for aiohttp client. This middleware implements HTTP Digest Authentication according to RFC 7616, providing a more secure alternative to Basic Authentication. It supports all standard hash algorithms including MD5, SHA, SHA-256, SHA-512 and their session variants, as well as both 'auth' and 'auth-int' quality of protection (qop) options. N) CallableDictFinal FrozenSetListLiteralTuple TypedDictUnion)URL)hdrs) ClientError)ClientHandlerType) ClientRequestClientResponse)Payloadc@sFeZdZUeed<eed<eed<eed<eed<eed<eed<dS) DigestAuthChallengerealmnonceqop algorithmopaquedomainstaleN)__name__ __module__ __qualname__str__annotations__r r X/var/www/html/venv/lib/python3.10/site-packages/aiohttp/client_middleware_digest_auth.pyr#s  rF)total) MD5zMD5-SESSSHAzSHA-SESSSHA256z SHA256-SESSzSHA-256z SHA-256-SESSSHA512z SHA512-SESSzSHA-512z SHA-512-SESSz hashlib._HashDigestFunctionsz-(\w+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+)))rrrrrrr.CHALLENGE_FIELDSSUPPORTED_ALGORITHMS>urirrcnoncerresponseusernameQUOTED_AUTH_FIELDSvaluereturncC |ddS)z,Escape double quotes for HTTP header values."\"replacer/r r r! escape_quotesq r7cCr1)z-Unescape double quotes in HTTP header values.r3r2r4r6r r r!unescape_quotesvr8r9headercsfddt|DS)a Parse key-value pairs from WWW-Authenticate or similar HTTP headers. This function handles the complex format of WWW-Authenticate header values, supporting both quoted and unquoted values, proper handling of commas in quoted values, and whitespace variations per RFC 7616. Examples of supported formats: - key1="value1", key2=value2 - key1 = "value1" , key2="value, with, commas" - key1=value1,key2="value2" - realm="example.com", nonce="12345", qop="auth" Args: header: The header value string to parse Returns: Dictionary mapping parameter names to their values cs0i|]\}}}|r|rt|n|qSr )stripr9).0key quoted_val unquoted_val stripped_keyr r! s  z&parse_header_pairs..)_HEADER_PAIRS_PATTERNfindall)r:r r@r!parse_header_pairs{s rEc @seZdZdZ ddedededdfdd Zd ed ed ee e d fdefddZ d edefddZ de defddZdedede fddZdS)DigestAuthMiddlewarea HTTP digest authentication middleware for aiohttp client. This middleware intercepts 401 Unauthorized responses containing a Digest authentication challenge, calculates the appropriate digest credentials, and automatically retries the request with the proper Authorization header. Features: - Handles all aspects of Digest authentication handshake automatically - Supports all standard hash algorithms: - MD5, MD5-SESS - SHA, SHA-SESS - SHA256, SHA256-SESS, SHA-256, SHA-256-SESS - SHA512, SHA512-SESS, SHA-512, SHA-512-SESS - Supports 'auth' and 'auth-int' quality of protection modes - Properly handles quoted strings and parameter parsing - Includes replay attack protection with client nonce count tracking - Supports preemptive authentication per RFC 7616 Section 3.6 Standards compliance: - RFC 7616: HTTP Digest Access Authentication (primary reference) - RFC 2617: HTTP Authentication (deprecated by RFC 7616) - RFC 1945: Section 11.1 (username restrictions) Implementation notes: The core digest calculation is inspired by the implementation in https://github.com/requests/requests/blob/v2.18.4/requests/auth.py with added support for modern digest auth features and error handling. Tloginpassword preemptiver0NcCsp|durtd|durtdd|vrtd||_|d|_|d|_d|_d|_i|_||_g|_ dS)Nz"None is not allowed as login valuez%None is not allowed as password value:z8A ":" is not allowed in username (RFC 1945#section-11.1)utf-8r) ValueError _login_strencode _login_bytes_password_bytes_last_nonce_bytes _nonce_count _challenge _preemptive_protection_space)selfrGrHrIr r r!__init__s   zDigestAuthMiddleware.__init__methodurlbodyrLc" sJ|j}d|vr tdd|vrtd|d}|d}|s"td|dd}|dd }|} |d d} |d } |d } t|j} d}d }|rrd dhdd|dD}|setd|d|vrkdnd }|d }| t vrtd| dd t t | dt dt ffdd dt dt dt ffdd }d |j | |jf}|d| }|dkrt|tr|Id H}n|}|}d ||f}|}|}| |jkr|jd!7_nd!|_| |_|jd"}|d }td t|jd | td td#gd d$}|d }| d%r.d || |f}|rAd | ||||f}|||}n ||d | |f}t|jt|t|| ||d&}| rft| |d <|ru||d<||d'<||d(<g}| D]!\} }!| t!vr|"| d)|!d*q{|"| d+|!q{d,d |S)-a Build digest authorization header for the current challenge. Args: method: The HTTP method (GET, POST, etc.) url: The request URL body: The request body (used for qop=auth-int) Returns: A fully formatted Digest authorization header string Raises: ClientError: If the challenge is missing required parameters or contains unsupported values rz:Malformed Digest auth challenge: Missing 'realm' parameterrz:Malformed Digest auth challenge: Missing 'nonce' parameterzBSecurity issue: Digest auth challenge contains empty 'nonce' valuerrr#rrKrLauthzauth-intcSsh|] }|r|qSr )r;)r<qr r r! sz/DigestAuthMiddleware._encode..,zEDigest auth error: Unsupported Quality of Protection (qop) value(s): z/Digest auth error: Unsupported hash algorithm: z. Supported algorithms: z, xr0cs|S)z.Hsdcsd||fS)zDRFC 7616 Section 3: KD(secret, data) = H(concat(secret, ":", data)).:)join)rerf)rdr r!KDsz(DigestAuthMiddleware._encode..KDrgrJNr 08xz-SESS)r-rrr*r,rncr+z="r2=zDigest )#rTrgetupperrOr path_qs intersectionsplitr'rhr)bytesrPrQ isinstanceras_bytesrRrShashlibsha1rtimectimeosurandomrbendswithr7rNdecodeitemsr.append)"rWrYrZr[ challengerrqop_rawalgorithm_originalrr nonce_bytes realm_bytespathr qop_bytes valid_qopsriA1A2 entity_bytes entity_hashHA1HA2ncvalue ncvalue_bytesr+ cnonce_bytesnoncebitresponse_digest header_fieldspairsfieldr/r )rdrcr!_encodes                  zDigestAuthMiddleware._encodecCs\t|}|jD]$}||sqt|t|ks|ddkr dS|t|dkr+dSqdS)z Check if the given URL is within the current protection space. According to RFC 7616, a URI is in the protection space if any URI in the protection space is a prefix of it (after both have been made absolute). /TF)rrV startswithlen)rWrZ request_str space_strr r r!_in_protection_spacers  z)DigestAuthMiddleware._in_protection_spacer,c Cs|jdkrdS|jdd}|sdS|d\}}}|sdS|dkr&dS|s*dSt|}s2dSi|_tD]}||}rE||j|<q7|j } |jd} rg|_ | D]$} | d} | d rt|j t| t| qZ|j tt| qZnt| g|_ t|jS) z Takes the given response and tries digest-auth, if needed. Returns true if the original request must be resent. iFzwww-authenticater\ digestrr2r)statusheadersro partitionlowerrErTr(rZoriginrVrsr;rrrrhr bool) rWr, auth_headerrYsepr header_pairsrr/rrr*r r r! _authenticates<         z"DigestAuthMiddleware._authenticaterequesthandlercsd}tdD]1}|dks|jr*|jr*||jr*||j|j|jIdH|jt j <||IdH}| |s8nq|dus?J|S)zRun the digest auth middleware.Nr) rangerUrTrrZrrYr[rr AUTHORIZATIONr)rWrrr, retry_countr r r!__call__s&     zDigestAuthMiddleware.__call__)T)rrr__doc__rrrXr r rrrrrrrrrr r r r!rFs>"  $;rF)2rrwr{rerytypingrrrrrrrr r yarlr r\r client_exceptionsrclient_middlewaresr client_reqreprrpayloadrrmd5rxsha256sha512r'rrtrcompilerCr(tuplesortedkeysr) frozensetr.r7r9rErFr r r r!sV ,       $