Yi Kong | 4e9417d | 2022-10-12 11:48:30 +0900 | [diff] [blame^] | 1 | # -*- coding: utf-8 -*- |
| 2 | |
| 3 | """ |
| 4 | requests.auth |
| 5 | ~~~~~~~~~~~~~ |
| 6 | |
| 7 | This module contains the authentication handlers for Requests. |
| 8 | """ |
| 9 | |
| 10 | import os |
| 11 | import re |
| 12 | import time |
| 13 | import hashlib |
| 14 | import threading |
| 15 | import warnings |
| 16 | |
| 17 | from base64 import b64encode |
| 18 | |
| 19 | from .compat import urlparse, str, basestring |
| 20 | from .cookies import extract_cookies_to_jar |
| 21 | from ._internal_utils import to_native_string |
| 22 | from .utils import parse_dict_header |
| 23 | |
| 24 | CONTENT_TYPE_FORM_URLENCODED = 'application/x-www-form-urlencoded' |
| 25 | CONTENT_TYPE_MULTI_PART = 'multipart/form-data' |
| 26 | |
| 27 | |
| 28 | def _basic_auth_str(username, password): |
| 29 | """Returns a Basic Auth string.""" |
| 30 | |
| 31 | # "I want us to put a big-ol' comment on top of it that |
| 32 | # says that this behaviour is dumb but we need to preserve |
| 33 | # it because people are relying on it." |
| 34 | # - Lukasa |
| 35 | # |
| 36 | # These are here solely to maintain backwards compatibility |
| 37 | # for things like ints. This will be removed in 3.0.0. |
| 38 | if not isinstance(username, basestring): |
| 39 | warnings.warn( |
| 40 | "Non-string usernames will no longer be supported in Requests " |
| 41 | "3.0.0. Please convert the object you've passed in ({!r}) to " |
| 42 | "a string or bytes object in the near future to avoid " |
| 43 | "problems.".format(username), |
| 44 | category=DeprecationWarning, |
| 45 | ) |
| 46 | username = str(username) |
| 47 | |
| 48 | if not isinstance(password, basestring): |
| 49 | warnings.warn( |
| 50 | "Non-string passwords will no longer be supported in Requests " |
| 51 | "3.0.0. Please convert the object you've passed in ({!r}) to " |
| 52 | "a string or bytes object in the near future to avoid " |
| 53 | "problems.".format(type(password)), |
| 54 | category=DeprecationWarning, |
| 55 | ) |
| 56 | password = str(password) |
| 57 | # -- End Removal -- |
| 58 | |
| 59 | if isinstance(username, str): |
| 60 | username = username.encode('latin1') |
| 61 | |
| 62 | if isinstance(password, str): |
| 63 | password = password.encode('latin1') |
| 64 | |
| 65 | authstr = 'Basic ' + to_native_string( |
| 66 | b64encode(b':'.join((username, password))).strip() |
| 67 | ) |
| 68 | |
| 69 | return authstr |
| 70 | |
| 71 | |
| 72 | class AuthBase(object): |
| 73 | """Base class that all auth implementations derive from""" |
| 74 | |
| 75 | def __call__(self, r): |
| 76 | raise NotImplementedError('Auth hooks must be callable.') |
| 77 | |
| 78 | |
| 79 | class HTTPBasicAuth(AuthBase): |
| 80 | """Attaches HTTP Basic Authentication to the given Request object.""" |
| 81 | |
| 82 | def __init__(self, username, password): |
| 83 | self.username = username |
| 84 | self.password = password |
| 85 | |
| 86 | def __eq__(self, other): |
| 87 | return all([ |
| 88 | self.username == getattr(other, 'username', None), |
| 89 | self.password == getattr(other, 'password', None) |
| 90 | ]) |
| 91 | |
| 92 | def __ne__(self, other): |
| 93 | return not self == other |
| 94 | |
| 95 | def __call__(self, r): |
| 96 | r.headers['Authorization'] = _basic_auth_str(self.username, self.password) |
| 97 | return r |
| 98 | |
| 99 | |
| 100 | class HTTPProxyAuth(HTTPBasicAuth): |
| 101 | """Attaches HTTP Proxy Authentication to a given Request object.""" |
| 102 | |
| 103 | def __call__(self, r): |
| 104 | r.headers['Proxy-Authorization'] = _basic_auth_str(self.username, self.password) |
| 105 | return r |
| 106 | |
| 107 | |
| 108 | class HTTPDigestAuth(AuthBase): |
| 109 | """Attaches HTTP Digest Authentication to the given Request object.""" |
| 110 | |
| 111 | def __init__(self, username, password): |
| 112 | self.username = username |
| 113 | self.password = password |
| 114 | # Keep state in per-thread local storage |
| 115 | self._thread_local = threading.local() |
| 116 | |
| 117 | def init_per_thread_state(self): |
| 118 | # Ensure state is initialized just once per-thread |
| 119 | if not hasattr(self._thread_local, 'init'): |
| 120 | self._thread_local.init = True |
| 121 | self._thread_local.last_nonce = '' |
| 122 | self._thread_local.nonce_count = 0 |
| 123 | self._thread_local.chal = {} |
| 124 | self._thread_local.pos = None |
| 125 | self._thread_local.num_401_calls = None |
| 126 | |
| 127 | def build_digest_header(self, method, url): |
| 128 | """ |
| 129 | :rtype: str |
| 130 | """ |
| 131 | |
| 132 | realm = self._thread_local.chal['realm'] |
| 133 | nonce = self._thread_local.chal['nonce'] |
| 134 | qop = self._thread_local.chal.get('qop') |
| 135 | algorithm = self._thread_local.chal.get('algorithm') |
| 136 | opaque = self._thread_local.chal.get('opaque') |
| 137 | hash_utf8 = None |
| 138 | |
| 139 | if algorithm is None: |
| 140 | _algorithm = 'MD5' |
| 141 | else: |
| 142 | _algorithm = algorithm.upper() |
| 143 | # lambdas assume digest modules are imported at the top level |
| 144 | if _algorithm == 'MD5' or _algorithm == 'MD5-SESS': |
| 145 | def md5_utf8(x): |
| 146 | if isinstance(x, str): |
| 147 | x = x.encode('utf-8') |
| 148 | return hashlib.md5(x).hexdigest() |
| 149 | hash_utf8 = md5_utf8 |
| 150 | elif _algorithm == 'SHA': |
| 151 | def sha_utf8(x): |
| 152 | if isinstance(x, str): |
| 153 | x = x.encode('utf-8') |
| 154 | return hashlib.sha1(x).hexdigest() |
| 155 | hash_utf8 = sha_utf8 |
| 156 | elif _algorithm == 'SHA-256': |
| 157 | def sha256_utf8(x): |
| 158 | if isinstance(x, str): |
| 159 | x = x.encode('utf-8') |
| 160 | return hashlib.sha256(x).hexdigest() |
| 161 | hash_utf8 = sha256_utf8 |
| 162 | elif _algorithm == 'SHA-512': |
| 163 | def sha512_utf8(x): |
| 164 | if isinstance(x, str): |
| 165 | x = x.encode('utf-8') |
| 166 | return hashlib.sha512(x).hexdigest() |
| 167 | hash_utf8 = sha512_utf8 |
| 168 | |
| 169 | KD = lambda s, d: hash_utf8("%s:%s" % (s, d)) |
| 170 | |
| 171 | if hash_utf8 is None: |
| 172 | return None |
| 173 | |
| 174 | # XXX not implemented yet |
| 175 | entdig = None |
| 176 | p_parsed = urlparse(url) |
| 177 | #: path is request-uri defined in RFC 2616 which should not be empty |
| 178 | path = p_parsed.path or "/" |
| 179 | if p_parsed.query: |
| 180 | path += '?' + p_parsed.query |
| 181 | |
| 182 | A1 = '%s:%s:%s' % (self.username, realm, self.password) |
| 183 | A2 = '%s:%s' % (method, path) |
| 184 | |
| 185 | HA1 = hash_utf8(A1) |
| 186 | HA2 = hash_utf8(A2) |
| 187 | |
| 188 | if nonce == self._thread_local.last_nonce: |
| 189 | self._thread_local.nonce_count += 1 |
| 190 | else: |
| 191 | self._thread_local.nonce_count = 1 |
| 192 | ncvalue = '%08x' % self._thread_local.nonce_count |
| 193 | s = str(self._thread_local.nonce_count).encode('utf-8') |
| 194 | s += nonce.encode('utf-8') |
| 195 | s += time.ctime().encode('utf-8') |
| 196 | s += os.urandom(8) |
| 197 | |
| 198 | cnonce = (hashlib.sha1(s).hexdigest()[:16]) |
| 199 | if _algorithm == 'MD5-SESS': |
| 200 | HA1 = hash_utf8('%s:%s:%s' % (HA1, nonce, cnonce)) |
| 201 | |
| 202 | if not qop: |
| 203 | respdig = KD(HA1, "%s:%s" % (nonce, HA2)) |
| 204 | elif qop == 'auth' or 'auth' in qop.split(','): |
| 205 | noncebit = "%s:%s:%s:%s:%s" % ( |
| 206 | nonce, ncvalue, cnonce, 'auth', HA2 |
| 207 | ) |
| 208 | respdig = KD(HA1, noncebit) |
| 209 | else: |
| 210 | # XXX handle auth-int. |
| 211 | return None |
| 212 | |
| 213 | self._thread_local.last_nonce = nonce |
| 214 | |
| 215 | # XXX should the partial digests be encoded too? |
| 216 | base = 'username="%s", realm="%s", nonce="%s", uri="%s", ' \ |
| 217 | 'response="%s"' % (self.username, realm, nonce, path, respdig) |
| 218 | if opaque: |
| 219 | base += ', opaque="%s"' % opaque |
| 220 | if algorithm: |
| 221 | base += ', algorithm="%s"' % algorithm |
| 222 | if entdig: |
| 223 | base += ', digest="%s"' % entdig |
| 224 | if qop: |
| 225 | base += ', qop="auth", nc=%s, cnonce="%s"' % (ncvalue, cnonce) |
| 226 | |
| 227 | return 'Digest %s' % (base) |
| 228 | |
| 229 | def handle_redirect(self, r, **kwargs): |
| 230 | """Reset num_401_calls counter on redirects.""" |
| 231 | if r.is_redirect: |
| 232 | self._thread_local.num_401_calls = 1 |
| 233 | |
| 234 | def handle_401(self, r, **kwargs): |
| 235 | """ |
| 236 | Takes the given response and tries digest-auth, if needed. |
| 237 | |
| 238 | :rtype: requests.Response |
| 239 | """ |
| 240 | |
| 241 | # If response is not 4xx, do not auth |
| 242 | # See https://github.com/psf/requests/issues/3772 |
| 243 | if not 400 <= r.status_code < 500: |
| 244 | self._thread_local.num_401_calls = 1 |
| 245 | return r |
| 246 | |
| 247 | if self._thread_local.pos is not None: |
| 248 | # Rewind the file position indicator of the body to where |
| 249 | # it was to resend the request. |
| 250 | r.request.body.seek(self._thread_local.pos) |
| 251 | s_auth = r.headers.get('www-authenticate', '') |
| 252 | |
| 253 | if 'digest' in s_auth.lower() and self._thread_local.num_401_calls < 2: |
| 254 | |
| 255 | self._thread_local.num_401_calls += 1 |
| 256 | pat = re.compile(r'digest ', flags=re.IGNORECASE) |
| 257 | self._thread_local.chal = parse_dict_header(pat.sub('', s_auth, count=1)) |
| 258 | |
| 259 | # Consume content and release the original connection |
| 260 | # to allow our new request to reuse the same one. |
| 261 | r.content |
| 262 | r.close() |
| 263 | prep = r.request.copy() |
| 264 | extract_cookies_to_jar(prep._cookies, r.request, r.raw) |
| 265 | prep.prepare_cookies(prep._cookies) |
| 266 | |
| 267 | prep.headers['Authorization'] = self.build_digest_header( |
| 268 | prep.method, prep.url) |
| 269 | _r = r.connection.send(prep, **kwargs) |
| 270 | _r.history.append(r) |
| 271 | _r.request = prep |
| 272 | |
| 273 | return _r |
| 274 | |
| 275 | self._thread_local.num_401_calls = 1 |
| 276 | return r |
| 277 | |
| 278 | def __call__(self, r): |
| 279 | # Initialize per-thread state, if needed |
| 280 | self.init_per_thread_state() |
| 281 | # If we have a saved nonce, skip the 401 |
| 282 | if self._thread_local.last_nonce: |
| 283 | r.headers['Authorization'] = self.build_digest_header(r.method, r.url) |
| 284 | try: |
| 285 | self._thread_local.pos = r.body.tell() |
| 286 | except AttributeError: |
| 287 | # In the case of HTTPDigestAuth being reused and the body of |
| 288 | # the previous request was a file-like object, pos has the |
| 289 | # file position of the previous body. Ensure it's set to |
| 290 | # None. |
| 291 | self._thread_local.pos = None |
| 292 | r.register_hook('response', self.handle_401) |
| 293 | r.register_hook('response', self.handle_redirect) |
| 294 | self._thread_local.num_401_calls = 1 |
| 295 | |
| 296 | return r |
| 297 | |
| 298 | def __eq__(self, other): |
| 299 | return all([ |
| 300 | self.username == getattr(other, 'username', None), |
| 301 | self.password == getattr(other, 'password', None) |
| 302 | ]) |
| 303 | |
| 304 | def __ne__(self, other): |
| 305 | return not self == other |