tniD UdZddlZddlZddlZddlZddlZddlmZmZm Z m Z m Z m Z m Z mZmZddlmZddlmZddlmZddlmZdd lmZmZdd lmZGd d ed Zejejejejej ej ej ej ej!ej!ej!ej!d Z"ee#ee$gdffe%d<ej&ej'dkrdndZ(dZ)e e e ddfe%d<e*e+e",Z-e e e#dfe%d<e.hdZ/e e e#e%d<de#de#fdZ0de#de#fdZ1de#dee#e#ffd Z2Gd!d"Z3dS)#av Digest authentication middleware for aiohttp client. This middleware implements HTTP Digest Authentication according to RFC 7616, providing a more secure alternative to Basic Authentication. It supports all standard hash algorithms including MD5, SHA, SHA-256, SHA-512 and their session variants, as well as both 'auth' and 'auth-int' quality of protection (qop) options. N) CallableDictFinal FrozenSetListLiteralTuple TypedDictUnion)URL)hdrs) ClientError)ClientHandlerType) ClientRequestClientResponse)PayloadcVeZdZUeed<eed<eed<eed<eed<eed<eed<dS) DigestAuthChallengerealmnonceqop algorithmopaquedomainstaleN)__name__ __module__ __qualname__str__annotations__b/var/www/html/gpu-tools/venv/lib/python3.11/site-packages/aiohttp/client_middleware_digest_auth.pyrr$sO JJJ JJJ HHHNNN KKK KKK JJJJJr#rF)total) MD5zMD5-SESSSHAzSHA-SESSSHA256z SHA256-SESSzSHA-256z SHA-256-SESSSHA512z SHA512-SESSzSHA-512z SHA-512-SESSz hashlib._HashDigestFunctions) z:(?:^|\s|,\s*)(\w+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))z>(?:^|\s|,\s*)((?>\w+))\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+)))rrrrrrr.CHALLENGE_FIELDSSUPPORTED_ALGORITHMS>urirrcnoncerresponseusernameQUOTED_AUTH_FIELDSvaluereturnc.|ddS)z,Escape double quotes for HTTP header values."\"replacer4s r$ escape_quotesr<us ==e $ $$r#c.|ddS)z-Unescape double quotes in HTTP header values.r8r7r9r;s r$unescape_quotesr>zs == $ $$r#headercPfdt|DS)a Parse key-value pairs from WWW-Authenticate or similar HTTP headers. This function handles the complex format of WWW-Authenticate header values, supporting both quoted and unquoted values, proper handling of commas in quoted values, and whitespace variations per RFC 7616. Examples of supported formats: - key1="value1", key2=value2 - key1 = "value1" , key2="value, with, commas" - key1=value1,key2="value2" - realm="example.com", nonce="12345", qop="auth" Args: header: The header value string to parse Returns: Dictionary mapping parameter names to their values cli|]0\}}}|x|rt|n|1Sr")stripr>).0key quoted_val unquoted_val stripped_keys r$ z&parse_header_pairs..sV    )C\IIKK 'L ZQoj111\   r#)_HEADER_PAIRS_PATTERNfindall)r?rGs @r$parse_header_pairsrKs<(    -B-J-J6-R-R   r#c eZdZdZ ddedededdfdZd ed ed ee e d fdefd Z d edefdZ de defdZdedede fdZdS)DigestAuthMiddlewarea HTTP digest authentication middleware for aiohttp client. This middleware intercepts 401 Unauthorized responses containing a Digest authentication challenge, calculates the appropriate digest credentials, and automatically retries the request with the proper Authorization header. Features: - Handles all aspects of Digest authentication handshake automatically - Supports all standard hash algorithms: - MD5, MD5-SESS - SHA, SHA-SESS - SHA256, SHA256-SESS, SHA-256, SHA-256-SESS - SHA512, SHA512-SESS, SHA-512, SHA-512-SESS - Supports 'auth' and 'auth-int' quality of protection modes - Properly handles quoted strings and parameter parsing - Includes replay attack protection with client nonce count tracking - Supports preemptive authentication per RFC 7616 Section 3.6 Standards compliance: - RFC 7616: HTTP Digest Access Authentication (primary reference) - RFC 2617: HTTP Authentication (deprecated by RFC 7616) - RFC 1945: Section 11.1 (username restrictions) Implementation notes: The core digest calculation is inspired by the implementation in https://github.com/requests/requests/blob/v2.18.4/requests/auth.py with added support for modern digest auth features and error handling. Tloginpassword preemptiver5Nc,|td|tdd|vrtd||_|d|_|d|_d|_d|_i|_||_g|_ dS)Nz"None is not allowed as login valuez%None is not allowed as password value:z8A ":" is not allowed in username (RFC 1945#section-11.1)utf-8r#r) ValueError _login_strencode _login_bytes_password_bytes_last_nonce_bytes _nonce_count _challenge _preemptive_protection_space)selfrNrOrPs r$__init__zDigestAuthMiddleware.__init__s =ABB B  DEE E %<<WXX X&+*/,,w*?*?-5__W-E-E!$/1!+,.r#methodurlbodyr#c "#K|j}d|vrtdd|vrtd|d}|d}|std|dd}|dd }|} |d d} |d } |d } t |j} d}d }|red dhd|dD}|std|d|vrdnd }|d }| tvr-td| dd tt| #dtdtf#fd "dtdtdtf"fd }d |j | |jf}|d| }|dkrTt|t r|d{V}n|}"|}d ||f}"|}"|}| |jkr|xjdz c_nd|_| |_|jd}|d }t)jd t-|jd | t/jd t3jd gdd!}|d }| d"r!"d || |f}|r'd | ||||f}|||}n!||d | |f}t;|jt;|t;|| ||d#}| rt;| |d <|r||d<||d$<||d%<g}| D]D\} }!| tBvr|"| d&|!d'*|"| d(|!Ed)d |S)*a Build digest authorization header for the current challenge. Args: method: The HTTP method (GET, POST, etc.) url: The request URL body: The request body (used for qop=auth-int) Returns: A fully formatted Digest authorization header string Raises: ClientError: If the challenge is missing required parameters or contains unsupported values rz:Malformed Digest auth challenge: Missing 'realm' parameterrz:Malformed Digest auth challenge: Missing 'nonce' parameterzBSecurity issue: Digest auth challenge contains empty 'nonce' valuerrr&rrSr#authzauth-intc^h|]*}||+Sr")rB)rCqs r$ z/DigestAuthMiddleware._encode.. s-DDDq!''))DDDDr#,zEDigest auth error: Unsupported Quality of Protection (qop) value(s): z/Digest auth error: Unsupported hash algorithm: z. Supported algorithms: z, xr5cb|S)z.Hs)71::''))0022 2r#sdcDd||fS)zDRFC 7616 Section 3: KD(secret, data) = H(concat(secret, ":", data)).:)join)rorprns r$KDz(DigestAuthMiddleware._encode..KD s#1TYY1v&&'' 'r#rrrRNr 08xz-SESS)r2rrr/r1rncr0z="r7=zDigest )#r[rgetupperrVr path_qs intersectionsplitr*rsr.bytesrWrX isinstanceras_bytesrYrZhashlibsha1r timectimeosurandomrlendswithr<rUdecodeitemsr3append)$r^r`rarb challengerrqop_rawalgorithm_originalrr nonce_bytes realm_bytespathr qop_bytes valid_qopsrtA1A2 entity_bytes entity_hashHA1HA2ncvalue ncvalue_bytesr0 cnonce_bytesnoncebitresponse_digest header_fieldspairsfieldr4rnrms$ @@r$_encodezDigestAuthMiddleware._encodes&O ) # #L  ) # #L  '"'" T --r**&]];>>&,,.. x,,ll7++ ll7++ 3xx  , *-::DDGMM#$6$6DDDJ !e\cee!+j 8 8**fC 7++I O + +K)KK)-3G)H)HKK )3 3 35 3 3 3 3 3 3 (% (E (e ( ( ( ( ( ( YY);8LM N N  ' ' ' ' . . 0 0 *  $(( $%)]]__444444 # !L//KB ,--Baeeaee $0 0 0    "    !D !,&,,w//  HH)**11'::JLL''00JqMM       )++crc }}W--  ??   % %g . . A!DIIsK>??@@C  Eyym\9cJH!bh//OO bdiic0B&C&CDDO &do66"5))"5))'..00+    <&3F&;&;M( #  -#&M% ")M$ &,M( #)//11 1 1LE5*** 111112222 ////0000+5))+++r#ct|}|jD]c}||st|t|ks |ddkrdS|t|dkrdSddS)z Check if the given URL is within the current protection space. According to RFC 7616, a URI is in the protection space if any URI in the protection space is a prefix of it (after both have been made absolute). /TF)r r] startswithlen)r^ra request_str space_strs r$_in_protection_spacez)DigestAuthMiddleware._in_protection_spacevs#hh /  I)))44 ;3y>>11Yr]c5I5Itt3y>>*c11tt2ur#r1c |jdkrdS|jdd}|sdS|d\}}}|sdS|dkrdS|sdSt |x}sdSi|_tD]#}||x}r ||j|<$|j } |jdx} rg|_ | D]} | d} | d rH|j t| t#| t|j tt#| nt| g|_ t%|jS) z Takes the given response and tries digest-auth, if needed. Returns true if the original request must be resent. iFzwww-authenticaterd digestrr7r)statusheadersrz partitionlowerrKr[r-raoriginr]r~rBrrr rsr bool) r^r1 auth_headerr`sepr header_pairsrr4rrr/s r$ _authenticatez"DigestAuthMiddleware._authenticates ?c ! !5&**+=rBB  5*44S99W 5 <<>>X % %5 5!37 ; ;;  5% / /E$((///u /).&$$&&_((22 26 3%'D "||~~ A Aiinn>>#&&A*11#fkk#c((6K6K2L2LMMMM*11#c#hh--@@@@ A'*&kk]D "DO$$$r#requesthandlercbKd}tdD]}|dks(|jr_|jrX||jr>||j|j|jd{V|jtj <||d{V}| |sn|J|S)zRun the digest auth middleware.Nr) ranger\r[rrarr`rbrr AUTHORIZATIONr)r^rrr1 retry_counts r$__call__zDigestAuthMiddleware.__call__s 88  KQ O--gk:: =ALLNGK==777777 23 %WW--------H%%h//  ###r#)T)rrr__doc__r rr_r r rrrrrrrrrr"r#r$rMrMsD //// /  ////4a,a, #a,+0'#,1F+Ga, a,a,a,a,F(9%n9%9%9%9%9%v$/@ r#rM)4rrrresysrtypingrrrrrrr r r yarlr rdrclient_exceptionsrclient_middlewaresr client_reqreprrpayloadrrmd5rsha256sha512r*r rr!compile version_inforIr-tuplesortedkeysr. frozensetr3r<r>rKrMr"r#r$rsQ                       ******11111188888888)5 ; < n>~Nn>~N B Bc8UG_$<==>   "#  '!!BA J< % QRTWW    05uVVO