123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315 |
- """
- requests.auth
- ~~~~~~~~~~~~~
-
- This module contains the authentication handlers for Requests.
- """
-
- import hashlib
- import os
- import re
- import threading
- import time
- import warnings
- from base64 import b64encode
-
- from ._internal_utils import to_native_string
- from .compat import basestring, str, urlparse
- from .cookies import extract_cookies_to_jar
- from .utils import parse_dict_header
-
- CONTENT_TYPE_FORM_URLENCODED = "application/x-www-form-urlencoded"
- CONTENT_TYPE_MULTI_PART = "multipart/form-data"
-
-
- def _basic_auth_str(username, password):
- """Returns a Basic Auth string."""
-
- # "I want us to put a big-ol' comment on top of it that
- # says that this behaviour is dumb but we need to preserve
- # it because people are relying on it."
- # - Lukasa
- #
- # These are here solely to maintain backwards compatibility
- # for things like ints. This will be removed in 3.0.0.
- if not isinstance(username, basestring):
- warnings.warn(
- "Non-string usernames will no longer be supported in Requests "
- "3.0.0. Please convert the object you've passed in ({!r}) to "
- "a string or bytes object in the near future to avoid "
- "problems.".format(username),
- category=DeprecationWarning,
- )
- username = str(username)
-
- if not isinstance(password, basestring):
- warnings.warn(
- "Non-string passwords will no longer be supported in Requests "
- "3.0.0. Please convert the object you've passed in ({!r}) to "
- "a string or bytes object in the near future to avoid "
- "problems.".format(type(password)),
- category=DeprecationWarning,
- )
- password = str(password)
- # -- End Removal --
-
- if isinstance(username, str):
- username = username.encode("latin1")
-
- if isinstance(password, str):
- password = password.encode("latin1")
-
- authstr = "Basic " + to_native_string(
- b64encode(b":".join((username, password))).strip()
- )
-
- return authstr
-
-
- class AuthBase:
- """Base class that all auth implementations derive from"""
-
- def __call__(self, r):
- raise NotImplementedError("Auth hooks must be callable.")
-
-
- class HTTPBasicAuth(AuthBase):
- """Attaches HTTP Basic Authentication to the given Request object."""
-
- def __init__(self, username, password):
- self.username = username
- self.password = password
-
- def __eq__(self, other):
- return all(
- [
- self.username == getattr(other, "username", None),
- self.password == getattr(other, "password", None),
- ]
- )
-
- def __ne__(self, other):
- return not self == other
-
- def __call__(self, r):
- r.headers["Authorization"] = _basic_auth_str(self.username, self.password)
- return r
-
-
- class HTTPProxyAuth(HTTPBasicAuth):
- """Attaches HTTP Proxy Authentication to a given Request object."""
-
- def __call__(self, r):
- r.headers["Proxy-Authorization"] = _basic_auth_str(self.username, self.password)
- return r
-
-
- class HTTPDigestAuth(AuthBase):
- """Attaches HTTP Digest Authentication to the given Request object."""
-
- def __init__(self, username, password):
- self.username = username
- self.password = password
- # Keep state in per-thread local storage
- self._thread_local = threading.local()
-
- def init_per_thread_state(self):
- # Ensure state is initialized just once per-thread
- if not hasattr(self._thread_local, "init"):
- self._thread_local.init = True
- self._thread_local.last_nonce = ""
- self._thread_local.nonce_count = 0
- self._thread_local.chal = {}
- self._thread_local.pos = None
- self._thread_local.num_401_calls = None
-
- def build_digest_header(self, method, url):
- """
- :rtype: str
- """
-
- realm = self._thread_local.chal["realm"]
- nonce = self._thread_local.chal["nonce"]
- qop = self._thread_local.chal.get("qop")
- algorithm = self._thread_local.chal.get("algorithm")
- opaque = self._thread_local.chal.get("opaque")
- hash_utf8 = None
-
- if algorithm is None:
- _algorithm = "MD5"
- else:
- _algorithm = algorithm.upper()
- # lambdas assume digest modules are imported at the top level
- if _algorithm == "MD5" or _algorithm == "MD5-SESS":
-
- def md5_utf8(x):
- if isinstance(x, str):
- x = x.encode("utf-8")
- return hashlib.md5(x).hexdigest()
-
- hash_utf8 = md5_utf8
- elif _algorithm == "SHA":
-
- def sha_utf8(x):
- if isinstance(x, str):
- x = x.encode("utf-8")
- return hashlib.sha1(x).hexdigest()
-
- hash_utf8 = sha_utf8
- elif _algorithm == "SHA-256":
-
- def sha256_utf8(x):
- if isinstance(x, str):
- x = x.encode("utf-8")
- return hashlib.sha256(x).hexdigest()
-
- hash_utf8 = sha256_utf8
- elif _algorithm == "SHA-512":
-
- def sha512_utf8(x):
- if isinstance(x, str):
- x = x.encode("utf-8")
- return hashlib.sha512(x).hexdigest()
-
- hash_utf8 = sha512_utf8
-
- KD = lambda s, d: hash_utf8(f"{s}:{d}") # noqa:E731
-
- if hash_utf8 is None:
- return None
-
- # XXX not implemented yet
- entdig = None
- p_parsed = urlparse(url)
- #: path is request-uri defined in RFC 2616 which should not be empty
- path = p_parsed.path or "/"
- if p_parsed.query:
- path += f"?{p_parsed.query}"
-
- A1 = f"{self.username}:{realm}:{self.password}"
- A2 = f"{method}:{path}"
-
- HA1 = hash_utf8(A1)
- HA2 = hash_utf8(A2)
-
- if nonce == self._thread_local.last_nonce:
- self._thread_local.nonce_count += 1
- else:
- self._thread_local.nonce_count = 1
- ncvalue = f"{self._thread_local.nonce_count:08x}"
- s = str(self._thread_local.nonce_count).encode("utf-8")
- s += nonce.encode("utf-8")
- s += time.ctime().encode("utf-8")
- s += os.urandom(8)
-
- cnonce = hashlib.sha1(s).hexdigest()[:16]
- if _algorithm == "MD5-SESS":
- HA1 = hash_utf8(f"{HA1}:{nonce}:{cnonce}")
-
- if not qop:
- respdig = KD(HA1, f"{nonce}:{HA2}")
- elif qop == "auth" or "auth" in qop.split(","):
- noncebit = f"{nonce}:{ncvalue}:{cnonce}:auth:{HA2}"
- respdig = KD(HA1, noncebit)
- else:
- # XXX handle auth-int.
- return None
-
- self._thread_local.last_nonce = nonce
-
- # XXX should the partial digests be encoded too?
- base = (
- f'username="{self.username}", realm="{realm}", nonce="{nonce}", '
- f'uri="{path}", response="{respdig}"'
- )
- if opaque:
- base += f', opaque="{opaque}"'
- if algorithm:
- base += f', algorithm="{algorithm}"'
- if entdig:
- base += f', digest="{entdig}"'
- if qop:
- base += f', qop="auth", nc={ncvalue}, cnonce="{cnonce}"'
-
- return f"Digest {base}"
-
- def handle_redirect(self, r, **kwargs):
- """Reset num_401_calls counter on redirects."""
- if r.is_redirect:
- self._thread_local.num_401_calls = 1
-
- def handle_401(self, r, **kwargs):
- """
- Takes the given response and tries digest-auth, if needed.
-
- :rtype: requests.Response
- """
-
- # If response is not 4xx, do not auth
- # See https://github.com/psf/requests/issues/3772
- if not 400 <= r.status_code < 500:
- self._thread_local.num_401_calls = 1
- return r
-
- if self._thread_local.pos is not None:
- # Rewind the file position indicator of the body to where
- # it was to resend the request.
- r.request.body.seek(self._thread_local.pos)
- s_auth = r.headers.get("www-authenticate", "")
-
- if "digest" in s_auth.lower() and self._thread_local.num_401_calls < 2:
-
- self._thread_local.num_401_calls += 1
- pat = re.compile(r"digest ", flags=re.IGNORECASE)
- self._thread_local.chal = parse_dict_header(pat.sub("", s_auth, count=1))
-
- # Consume content and release the original connection
- # to allow our new request to reuse the same one.
- r.content
- r.close()
- prep = r.request.copy()
- extract_cookies_to_jar(prep._cookies, r.request, r.raw)
- prep.prepare_cookies(prep._cookies)
-
- prep.headers["Authorization"] = self.build_digest_header(
- prep.method, prep.url
- )
- _r = r.connection.send(prep, **kwargs)
- _r.history.append(r)
- _r.request = prep
-
- return _r
-
- self._thread_local.num_401_calls = 1
- return r
-
- def __call__(self, r):
- # Initialize per-thread state, if needed
- self.init_per_thread_state()
- # If we have a saved nonce, skip the 401
- if self._thread_local.last_nonce:
- r.headers["Authorization"] = self.build_digest_header(r.method, r.url)
- try:
- self._thread_local.pos = r.body.tell()
- except AttributeError:
- # In the case of HTTPDigestAuth being reused and the body of
- # the previous request was a file-like object, pos has the
- # file position of the previous body. Ensure it's set to
- # None.
- self._thread_local.pos = None
- r.register_hook("response", self.handle_401)
- r.register_hook("response", self.handle_redirect)
- self._thread_local.num_401_calls = 1
-
- return r
-
- def __eq__(self, other):
- return all(
- [
- self.username == getattr(other, "username", None),
- self.password == getattr(other, "password", None),
- ]
- )
-
- def __ne__(self, other):
- return not self == other
|