o iD @sUdZddlZddlZddlZddlZddlZddlmZmZm Z m Z m Z m Z m Z mZmZddlmZddlmZddlmZddlmZdd lmZmZdd lmZGd d d ed dZejejejejej ej ej ej ej!ej!ej!ej!d Z"ee#ee$gdffe%d<e&ej'dkrdndZ(dZ)e e e ddfe%d<e*e+e",Z-e e e#dfe%d<e.hdZ/e e e#e%d<de#de#fddZ0de#de#fdd Z1d!e#dee#e#ffd"d#Z2Gd$d%d%Z3dS)&av Digest authentication middleware for aiohttp client. This middleware implements HTTP Digest Authentication according to RFC 7616, providing a more secure alternative to Basic Authentication. It supports all standard hash algorithms including MD5, SHA, SHA-256, SHA-512 and their session variants, as well as both 'auth' and 'auth-int' quality of protection (qop) options. N) CallableDictFinal FrozenSetListLiteralTuple TypedDictUnion)URL)hdrs) ClientError)ClientHandlerType) ClientRequestClientResponse)Payloadc@sFeZdZUeed<eed<eed<eed<eed<eed<eed<dS) DigestAuthChallengerealmnonceqop algorithmopaquedomainstaleN)__name__ __module__ __qualname__str__annotations__r r _/home/kim/smarthome/.venv/lib/python3.10/site-packages/aiohttp/client_middleware_digest_auth.pyr$s  rF)total) MD5zMD5-SESSSHAzSHA-SESSSHA256z SHA256-SESSzSHA-256z SHA-256-SESSSHA512z SHA512-SESSzSHA-512z SHA-512-SESSz hashlib._HashDigestFunctions) z:(?:^|\s|,\s*)(\w+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))z>(?:^|\s|,\s*)((?>\w+))\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+)))rrrrrrr.CHALLENGE_FIELDSSUPPORTED_ALGORITHMS>rcnoncerurirusernameresponseQUOTED_AUTH_FIELDSvaluereturncC |ddS)z,Escape double quotes for HTTP header values."\"replacer1r r r! escape_quotesu r9cCr3)z-Unescape double quotes in HTTP header values.r5r4r6r8r r r!unescape_quoteszr:r;headercsfddt|DS)a Parse key-value pairs from WWW-Authenticate or similar HTTP headers. This function handles the complex format of WWW-Authenticate header values, supporting both quoted and unquoted values, proper handling of commas in quoted values, and whitespace variations per RFC 7616. Examples of supported formats: - key1="value1", key2=value2 - key1 = "value1" , key2="value, with, commas" - key1=value1,key2="value2" - realm="example.com", nonce="12345", qop="auth" Args: header: The header value string to parse Returns: Dictionary mapping parameter names to their values cs0i|]\}}}|r|rt|n|qSr )stripr;).0keyZ quoted_valZ unquoted_valZ stripped_keyr r! s  z&parse_header_pairs..)_HEADER_PAIRS_PATTERNfindall)r<r r@r!parse_header_pairss rDc @seZdZdZ ddedededdfdd Zd ed ed ee e d fdefddZ d edefddZ de defddZdedede fddZdS)DigestAuthMiddlewarea HTTP digest authentication middleware for aiohttp client. This middleware intercepts 401 Unauthorized responses containing a Digest authentication challenge, calculates the appropriate digest credentials, and automatically retries the request with the proper Authorization header. Features: - Handles all aspects of Digest authentication handshake automatically - Supports all standard hash algorithms: - MD5, MD5-SESS - SHA, SHA-SESS - SHA256, SHA256-SESS, SHA-256, SHA-256-SESS - SHA512, SHA512-SESS, SHA-512, SHA-512-SESS - Supports 'auth' and 'auth-int' quality of protection modes - Properly handles quoted strings and parameter parsing - Includes replay attack protection with client nonce count tracking - Supports preemptive authentication per RFC 7616 Section 3.6 Standards compliance: - RFC 7616: HTTP Digest Access Authentication (primary reference) - RFC 2617: HTTP Authentication (deprecated by RFC 7616) - RFC 1945: Section 11.1 (username restrictions) Implementation notes: The core digest calculation is inspired by the implementation in https://github.com/requests/requests/blob/v2.18.4/requests/auth.py with added support for modern digest auth features and error handling. Tloginpassword preemptiver2NcCsp|durtd|durtdd|vrtd||_|d|_|d|_d|_d|_i|_||_g|_ dS)Nz"None is not allowed as login valuez%None is not allowed as password value:z8A ":" is not allowed in username (RFC 1945#section-11.1)utf-8r) ValueError _login_strencode _login_bytes_password_bytes_last_nonce_bytes _nonce_count _challenge _preemptive_protection_space)selfrFrGrHr r r!__init__s   zDigestAuthMiddleware.__init__methodurlbodyrKc" sJ|j}d|vr tdd|vrtd|d}|d}|s"td|dd}|dd }|} |d d} |d } |d } t|j} d}d }|rrd dhdd|dD}|setd|d|vrkdnd }|d }| t vrtd| dd t t | dt dt ffdd dt dt dt ffdd }d |j | |jf}|d| }|dkrt|tr|Id H}n|}|}d ||f}|}|}| |jkr|jd!7_nd!|_| |_|jd"}|d }td t|jd | td td#gd d$}|d }| d%r.d || |f}|rAd | ||||f}|||}n ||d | |f}t|jt|t|| ||d&}| rft| |d <|ru||d<||d'<||d(<g}| D]!\} }!| t!vr|"| d)|!d*q{|"| d+|!q{d,d |S)-a Build digest authorization header for the current challenge. Args: method: The HTTP method (GET, POST, etc.) url: The request URL body: The request body (used for qop=auth-int) Returns: A fully formatted Digest authorization header string Raises: ClientError: If the challenge is missing required parameters or contains unsupported values rz:Malformed Digest auth challenge: Missing 'realm' parameterrz:Malformed Digest auth challenge: Missing 'nonce' parameterzBSecurity issue: Digest auth challenge contains empty 'nonce' valuerrr#rrJrKauthzauth-intcSsh|] }|r|qSr )r=)r>qr r r! sz/DigestAuthMiddleware._encode..,zEDigest auth error: Unsupported Quality of Protection (qop) value(s): z/Digest auth error: Unsupported hash algorithm: z. Supported algorithms: z, xr2cs|S)z.Hsdcsd||fS)zDRFC 7616 Section 3: KD(secret, data) = H(concat(secret, ":", data)).:)join)rdre)rcr r!KD sz(DigestAuthMiddleware._encode..KDrfrINr 08xz-SESS)r.rrr-r/rncr,z="r4=zDigest )#rSrgetupperrNr Zpath_qs intersectionsplitr'rgr+bytesrOrP isinstanceras_bytesrQrRhashlibsha1rtimectimeosurandomraendswithr9rMdecodeitemsr0append)"rVrXrYrZ challengerrZqop_rawZalgorithm_originalrrZ nonce_bytesZ realm_bytespathrZ qop_bytesZ valid_qopsrhA1A2Z entity_bytesZ entity_hashHA1HA2ncvalueZ ncvalue_bytesr,Z cnonce_bytesnoncebitZresponse_digestZ header_fieldspairsfieldr1r )rcrbr!_encodes                  zDigestAuthMiddleware._encodecCs\t|}|jD]$}||sqt|t|ks|ddkr dS|t|dkr+dSqdS)z Check if the given URL is within the current protection space. According to RFC 7616, a URI is in the protection space if any URI in the protection space is a prefix of it (after both have been made absolute). /TF)rrU startswithlen)rVrYZ request_strZ space_strr r r!_in_protection_spacevs  z)DigestAuthMiddleware._in_protection_spacer/c Cs|jdkrdS|jdd}|sdS|d\}}}|sdS|dkr&dS|s*dSt|}s2dSi|_tD]}||}rE||j|<q7|j } |jd} rg|_ | D]$} | d} | d rt|j t| t| qZ|j tt| qZnt| g|_ t|jS) z Takes the given response and tries digest-auth, if needed. Returns true if the original request must be resent. iFzwww-authenticater[ digestrr4r)statusheadersrn partitionlowerrDrSr*rYoriginrUrqr=rr~rrgr bool) rVr/ auth_headerrXseprZ header_pairsrr1rrr-r r r! _authenticates<         z"DigestAuthMiddleware._authenticaterequesthandlercsd}tdD]1}|dks|jr*|jr*||jr*||j|j|jIdH|jt j <||IdH}| |s8nq|dus?J|S)zRun the digest auth middleware.Nr) rangerTrSrrYrrXrZrr Z AUTHORIZATIONr)rVrrr/Z retry_countr r r!__call__s&     zDigestAuthMiddleware.__call__)T)rrr__doc__rrrWr r rrrrrrrrrr r r r!rEs>"  $;rE)4rruryresysrwtypingrrrrrrrr r Zyarlr r[r Zclient_exceptionsrZclient_middlewaresrZ client_reqreprrpayloadrrmd5rvsha256sha512r'rrrrcompile version_inforBr*tuplesortedkeysr+ frozensetr0r9r;rDrEr r r r!s\ ,        $