o f>h99 @sUdZddlZddlZddlZddlZddlmZmZmZm Z m Z m Z m Z m Z mZddlmZddlmZddlmZddlmZdd lmZmZdd lmZGd d d e d dZejejejejejejejejej ej ej ej d Z!ee"ee#gdffe$d<e%dZ&dZ'ee e ddfe$d<e(e)e!*Z+ee e"dfe$d<e,hdZ-ee e"e$d<de"de"fddZ.de"de"fddZ/de"dee"e"ffd d!Z0Gd"d#d#Z1dS)$av Digest authentication middleware for aiohttp client. This middleware implements HTTP Digest Authentication according to RFC 7616, providing a more secure alternative to Basic Authentication. It supports all standard hash algorithms including MD5, SHA, SHA-256, SHA-512 and their session variants, as well as both 'auth' and 'auth-int' quality of protection (qop) options. N) CallableDictFinal FrozenSetListLiteralTuple TypedDictUnion)URL)hdrs) ClientError)ClientHandlerType) ClientRequestClientResponse)Payloadc@s6eZdZUeed<eed<eed<eed<eed<dS)DigestAuthChallengerealmnonceqop algorithmopaqueN)__name__ __module__ __qualname__str__annotations__rrX/var/www/html/venv/lib/python3.10/site-packages/aiohttp/client_middleware_digest_auth.pyr#s  rF)total) MD5zMD5-SESSSHAzSHA-SESSSHA256z SHA256-SESSzSHA-256z SHA-256-SESSSHA512z SHA512-SESSzSHA-512z SHA-512-SESSz hashlib._HashDigestFunctionsz-(\w+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+)))rrrrr.CHALLENGE_FIELDSSUPPORTED_ALGORITHMS>urirrcnoncerresponseusernameQUOTED_AUTH_FIELDSvaluereturncC |ddS)z,Escape double quotes for HTTP header values."\"replacer-rrr escape_quotesk r5cCr/)z-Unescape double quotes in HTTP header values.r1r0r2r4rrrunescape_quotespr6r7headercsfddt|DS)a Parse key-value pairs from WWW-Authenticate or similar HTTP headers. This function handles the complex format of WWW-Authenticate header values, supporting both quoted and unquoted values, proper handling of commas in quoted values, and whitespace variations per RFC 7616. Examples of supported formats: - key1="value1", key2=value2 - key1 = "value1" , key2="value, with, commas" - key1=value1,key2="value2" - realm="example.com", nonce="12345", qop="auth" Args: header: The header value string to parse Returns: Dictionary mapping parameter names to their values cs0i|]\}}}|r|rt|n|qSr)stripr7).0key quoted_val unquoted_val stripped_keyrr s  z&parse_header_pairs..)_HEADER_PAIRS_PATTERNfindall)r8rr>rparse_header_pairsus rCc @steZdZdZdededdfddZded ed eee d fdefd d Z de de fddZ dedede fddZdS)DigestAuthMiddlewarea HTTP digest authentication middleware for aiohttp client. This middleware intercepts 401 Unauthorized responses containing a Digest authentication challenge, calculates the appropriate digest credentials, and automatically retries the request with the proper Authorization header. Features: - Handles all aspects of Digest authentication handshake automatically - Supports all standard hash algorithms: - MD5, MD5-SESS - SHA, SHA-SESS - SHA256, SHA256-SESS, SHA-256, SHA-256-SESS - SHA512, SHA512-SESS, SHA-512, SHA-512-SESS - Supports 'auth' and 'auth-int' quality of protection modes - Properly handles quoted strings and parameter parsing - Includes replay attack protection with client nonce count tracking Standards compliance: - RFC 7616: HTTP Digest Access Authentication (primary reference) - RFC 2617: HTTP Authentication (deprecated by RFC 7616) - RFC 1945: Section 11.1 (username restrictions) Implementation notes: The core digest calculation is inspired by the implementation in https://github.com/requests/requests/blob/v2.18.4/requests/auth.py with added support for modern digest auth features and error handling. loginpasswordr.NcCsd|durtd|durtdd|vrtd||_|d|_|d|_d|_d|_i|_dS)Nz"None is not allowed as login valuez%None is not allowed as password value:z8A ":" is not allowed in username (RFC 1945#section-11.1)utf-8r) ValueError _login_strencode _login_bytes_password_bytes_last_nonce_bytes _nonce_count _challenge)selfrErFrrr__init__s   zDigestAuthMiddleware.__init__methodurlbodyrIc! sF|j}d|vr tdd|vrtd|d}|d}|s"td|dd}|dd }|d d} |d } |d } t|j} d} d }|rpd dhdd|dD}|sctd|d|vridnd } | d }|t vrtd|dd t t |dt dt ffdd dt dt dt ffdd }d |j | |jf}|d| }| dkrt|tr|Id H}n|}|}d ||f}|}|}| |jkr|jd!7_nd!|_| |_|jd"}|d }td t|jd | td td#gd d$}|d }|d%r,d || |f}| r?d | ||||f}|||}n ||d | |f}t|jt|t|| ||d&}| rdt| |d <| rs| |d<||d'<||d(<g}| D]!\}} |t!vr|"|d)| d*qy|"|d+| qyd,d |S)-a Build digest authorization header for the current challenge. Args: method: The HTTP method (GET, POST, etc.) url: The request URL body: The request body (used for qop=auth-int) Returns: A fully formatted Digest authorization header string Raises: ClientError: If the challenge is missing required parameters or contains unsupported values rz:Malformed Digest auth challenge: Missing 'realm' parameterrz:Malformed Digest auth challenge: Missing 'nonce' parameterzBSecurity issue: Digest auth challenge contains empty 'nonce' valuerrr!rrHrIauthzauth-intcSsh|] }|r|qSr)r9)r:qrrr sz/DigestAuthMiddleware._encode..,zEDigest auth error: Unsupported Quality of Protection (qop) value(s): z/Digest auth error: Unsupported hash algorithm: z. Supported algorithms: z, xr.cs|S)z.Hsdcsd||fS)zDRFC 7616 Section 3: KD(secret, data) = H(concat(secret, ":", data)).:)join)r`ra)r_rrKDsz(DigestAuthMiddleware._encode..KDrbrGNr 08xz-SESS)r+rrr(r*rncr)z="r0=zDigest )#rQrgetupperrLr path_qs intersectionsplitr%rcr'bytesrMrN isinstanceras_bytesrOrPhashlibsha1rtimectimeosurandomr]endswithr5rKdecodeitemsr,append)!rRrTrUrV challengerrqop_rawrr nonce_bytes realm_bytespathr qop_bytes valid_qopsrdA1A2 entity_bytes entity_hashHA1HA2ncvalue ncvalue_bytesr) cnonce_bytesnoncebitresponse_digest header_fieldspairsfieldr-r)r_r^r_encodes                 zDigestAuthMiddleware._encoder*c Cs|jdkrdS|jdd}|sdS|d\}}}|sdS|dkr&dS|s*dSt|}s2dSi|_tD]}||}rE||j|<q7t|jS)z Takes the given response and tries digest-auth, if needed. Returns true if the original request must be resent. iFzwww-authenticaterW digest) statusheadersrj partitionlowerrCrQr&bool) rRr* auth_headerrTsepr header_pairsrr-rrr _authenticatees(     z"DigestAuthMiddleware._authenticaterequesthandlercsjd}tdD]%}|dkr||j|j|jIdH|jtj<||IdH}||s,nq|dus3J|S)zRun the digest auth middleware.Nr) rangerrTrUrVrr AUTHORIZATIONr)rRrrr* retry_countrrr__call__s    zDigestAuthMiddleware.__call__)rrr__doc__rrSr r rrrrrrrrrrrrrrDs6  "(rD)2rrrrvrerttypingrrrrrrrr r yarlr rWr client_exceptionsrclient_middlewaresr client_reqreprrpayloadrrmd5rssha256sha512r%rrorcompilerAr&tuplesortedkeysr' frozensetr,r5r7rCrDrrrrsR ,      $