Gitiles
Code Review Sign In
android-review.linaro.org / toolchain / prebuilts / ndk / r25 / 4e9417de81d40daf6e50c7b15b864e78e83214e2 / . / toolchains / llvm / prebuilt / linux-x86_64 / python3 / lib / python3.9 / site-packages / pip / _vendor / requests / auth.py
blob: eeface39ae62c3975ff535e6b1f79f2c28fbf888 [file] [log] [blame]
Yi Kong4e9417d2022-10-12 11:48:30 +0900[diff] [blame^]1# -*- coding: utf-8 -*-
2
3"""
4requests.auth
5~~~~~~~~~~~~~
6
7This module contains the authentication handlers for Requests.
8"""
9
10import os
11import re
12import time
13import hashlib
14import threading
15import warnings
16
17from base64 import b64encode
18
19from .compat import urlparse, str, basestring
20from .cookies import extract_cookies_to_jar
21from ._internal_utils import to_native_string
22from .utils import parse_dict_header
23
24CONTENT_TYPE_FORM_URLENCODED = 'application/x-www-form-urlencoded'
25CONTENT_TYPE_MULTI_PART = 'multipart/form-data'
26
27
28def _basic_auth_str(username, password):
29 """Returns a Basic Auth string."""
30
31 # "I want us to put a big-ol' comment on top of it that
32 # says that this behaviour is dumb but we need to preserve
33 # it because people are relying on it."
34 # - Lukasa
35 #
36 # These are here solely to maintain backwards compatibility
37 # for things like ints. This will be removed in 3.0.0.
38 if not isinstance(username, basestring):
39 warnings.warn(
40 "Non-string usernames will no longer be supported in Requests "
41 "3.0.0. Please convert the object you've passed in ({!r}) to "
42 "a string or bytes object in the near future to avoid "
43 "problems.".format(username),
44 category=DeprecationWarning,
45 )
46 username = str(username)
47
48 if not isinstance(password, basestring):
49 warnings.warn(
50 "Non-string passwords will no longer be supported in Requests "
51 "3.0.0. Please convert the object you've passed in ({!r}) to "
52 "a string or bytes object in the near future to avoid "
53 "problems.".format(type(password)),
54 category=DeprecationWarning,
55 )
56 password = str(password)
57 # -- End Removal --
58
59 if isinstance(username, str):
60 username = username.encode('latin1')
61
62 if isinstance(password, str):
63 password = password.encode('latin1')
64
65 authstr = 'Basic ' + to_native_string(
66 b64encode(b':'.join((username, password))).strip()
67 )
68
69 return authstr
70
71
72class AuthBase(object):
73 """Base class that all auth implementations derive from"""
74
75 def __call__(self, r):
76 raise NotImplementedError('Auth hooks must be callable.')
77
78
79class HTTPBasicAuth(AuthBase):
80 """Attaches HTTP Basic Authentication to the given Request object."""
81
82 def __init__(self, username, password):
83 self.username = username
84 self.password = password
85
86 def __eq__(self, other):
87 return all([
88 self.username == getattr(other, 'username', None),
89 self.password == getattr(other, 'password', None)
90 ])
91
92 def __ne__(self, other):
93 return not self == other
94
95 def __call__(self, r):
96 r.headers['Authorization'] = _basic_auth_str(self.username, self.password)
97 return r
98
99
100class HTTPProxyAuth(HTTPBasicAuth):
101 """Attaches HTTP Proxy Authentication to a given Request object."""
102
103 def __call__(self, r):
104 r.headers['Proxy-Authorization'] = _basic_auth_str(self.username, self.password)
105 return r
106
107
108class HTTPDigestAuth(AuthBase):
109 """Attaches HTTP Digest Authentication to the given Request object."""
110
111 def __init__(self, username, password):
112 self.username = username
113 self.password = password
114 # Keep state in per-thread local storage
115 self._thread_local = threading.local()
116
117 def init_per_thread_state(self):
118 # Ensure state is initialized just once per-thread
119 if not hasattr(self._thread_local, 'init'):
120 self._thread_local.init = True
121 self._thread_local.last_nonce = ''
122 self._thread_local.nonce_count = 0
123 self._thread_local.chal = {}
124 self._thread_local.pos = None
125 self._thread_local.num_401_calls = None
126
127 def build_digest_header(self, method, url):
128 """
129 :rtype: str
130 """
131
132 realm = self._thread_local.chal['realm']
133 nonce = self._thread_local.chal['nonce']
134 qop = self._thread_local.chal.get('qop')
135 algorithm = self._thread_local.chal.get('algorithm')
136 opaque = self._thread_local.chal.get('opaque')
137 hash_utf8 = None
138
139 if algorithm is None:
140 _algorithm = 'MD5'
141 else:
142 _algorithm = algorithm.upper()
143 # lambdas assume digest modules are imported at the top level
144 if _algorithm == 'MD5' or _algorithm == 'MD5-SESS':
145 def md5_utf8(x):
146 if isinstance(x, str):
147 x = x.encode('utf-8')
148 return hashlib.md5(x).hexdigest()
149 hash_utf8 = md5_utf8
150 elif _algorithm == 'SHA':
151 def sha_utf8(x):
152 if isinstance(x, str):
153 x = x.encode('utf-8')
154 return hashlib.sha1(x).hexdigest()
155 hash_utf8 = sha_utf8
156 elif _algorithm == 'SHA-256':
157 def sha256_utf8(x):
158 if isinstance(x, str):
159 x = x.encode('utf-8')
160 return hashlib.sha256(x).hexdigest()
161 hash_utf8 = sha256_utf8
162 elif _algorithm == 'SHA-512':
163 def sha512_utf8(x):
164 if isinstance(x, str):
165 x = x.encode('utf-8')
166 return hashlib.sha512(x).hexdigest()
167 hash_utf8 = sha512_utf8
168
169 KD = lambda s, d: hash_utf8("%s:%s" % (s, d))
170
171 if hash_utf8 is None:
172 return None
173
174 # XXX not implemented yet
175 entdig = None
176 p_parsed = urlparse(url)
177 #: path is request-uri defined in RFC 2616 which should not be empty
178 path = p_parsed.path or "/"
179 if p_parsed.query:
180 path += '?' + p_parsed.query
181
182 A1 = '%s:%s:%s' % (self.username, realm, self.password)
183 A2 = '%s:%s' % (method, path)
184
185 HA1 = hash_utf8(A1)
186 HA2 = hash_utf8(A2)
187
188 if nonce == self._thread_local.last_nonce:
189 self._thread_local.nonce_count += 1
190 else:
191 self._thread_local.nonce_count = 1
192 ncvalue = '%08x' % self._thread_local.nonce_count
193 s = str(self._thread_local.nonce_count).encode('utf-8')
194 s += nonce.encode('utf-8')
195 s += time.ctime().encode('utf-8')
196 s += os.urandom(8)
197
198 cnonce = (hashlib.sha1(s).hexdigest()[:16])
199 if _algorithm == 'MD5-SESS':
200 HA1 = hash_utf8('%s:%s:%s' % (HA1, nonce, cnonce))
201
202 if not qop:
203 respdig = KD(HA1, "%s:%s" % (nonce, HA2))
204 elif qop == 'auth' or 'auth' in qop.split(','):
205 noncebit = "%s:%s:%s:%s:%s" % (
206 nonce, ncvalue, cnonce, 'auth', HA2
207 )
208 respdig = KD(HA1, noncebit)
209 else:
210 # XXX handle auth-int.
211 return None
212
213 self._thread_local.last_nonce = nonce
214
215 # XXX should the partial digests be encoded too?
216 base = 'username="%s", realm="%s", nonce="%s", uri="%s", ' \
217 'response="%s"' % (self.username, realm, nonce, path, respdig)
218 if opaque:
219 base += ', opaque="%s"' % opaque
220 if algorithm:
221 base += ', algorithm="%s"' % algorithm
222 if entdig:
223 base += ', digest="%s"' % entdig
224 if qop:
225 base += ', qop="auth", nc=%s, cnonce="%s"' % (ncvalue, cnonce)
226
227 return 'Digest %s' % (base)
228
229 def handle_redirect(self, r, **kwargs):
230 """Reset num_401_calls counter on redirects."""
231 if r.is_redirect:
232 self._thread_local.num_401_calls = 1
233
234 def handle_401(self, r, **kwargs):
235 """
236 Takes the given response and tries digest-auth, if needed.
237
238 :rtype: requests.Response
239 """
240
241 # If response is not 4xx, do not auth
242 # See https://github.com/psf/requests/issues/3772
243 if not 400 <= r.status_code < 500:
244 self._thread_local.num_401_calls = 1
245 return r
246
247 if self._thread_local.pos is not None:
248 # Rewind the file position indicator of the body to where
249 # it was to resend the request.
250 r.request.body.seek(self._thread_local.pos)
251 s_auth = r.headers.get('www-authenticate', '')
252
253 if 'digest' in s_auth.lower() and self._thread_local.num_401_calls < 2:
254
255 self._thread_local.num_401_calls += 1
256 pat = re.compile(r'digest ', flags=re.IGNORECASE)
257 self._thread_local.chal = parse_dict_header(pat.sub('', s_auth, count=1))
258
259 # Consume content and release the original connection
260 # to allow our new request to reuse the same one.
261 r.content
262 r.close()
263 prep = r.request.copy()
264 extract_cookies_to_jar(prep._cookies, r.request, r.raw)
265 prep.prepare_cookies(prep._cookies)
266
267 prep.headers['Authorization'] = self.build_digest_header(
268 prep.method, prep.url)
269 _r = r.connection.send(prep, **kwargs)
270 _r.history.append(r)
271 _r.request = prep
272
273 return _r
274
275 self._thread_local.num_401_calls = 1
276 return r
277
278 def __call__(self, r):
279 # Initialize per-thread state, if needed
280 self.init_per_thread_state()
281 # If we have a saved nonce, skip the 401
282 if self._thread_local.last_nonce:
283 r.headers['Authorization'] = self.build_digest_header(r.method, r.url)
284 try:
285 self._thread_local.pos = r.body.tell()
286 except AttributeError:
287 # In the case of HTTPDigestAuth being reused and the body of
288 # the previous request was a file-like object, pos has the
289 # file position of the previous body. Ensure it's set to
290 # None.
291 self._thread_local.pos = None
292 r.register_hook('response', self.handle_401)
293 r.register_hook('response', self.handle_redirect)
294 self._thread_local.num_401_calls = 1
295
296 return r
297
298 def __eq__(self, other):
299 return all([
300 self.username == getattr(other, 'username', None),
301 self.password == getattr(other, 'password', None)
302 ])
303
304 def __ne__(self, other):
305 return not self == other