`Kh*B UdZddlZddlZddlZddlZddlmZmZmZm Z m Z m Z m Z m Z mZddlmZddlmZddlmZddlmZdd lmZmZdd lmZGd d e d Zej:ej:ej<ej<ej>ej>ej>ej>ej@ej@ej@ej@d Z!ee"ee#gdffe$d<ejJdZ&dZ'ee e ddfe$d<e(e)e!jUZ+ee e"dfe$d<e,hdZ-ee e"e$d<de"de"fdZ.de"de"fdZ/de"dee"e"ffdZ0Gdd Z1y)!av Digest authentication middleware for aiohttp client. This middleware implements HTTP Digest Authentication according to RFC 7616, providing a more secure alternative to Basic Authentication. It supports all standard hash algorithms including MD5, SHA, SHA-256, SHA-512 and their session variants, as well as both 'auth' and 'auth-int' quality of protection (qop) options. N) CallableDictFinal FrozenSetListLiteralTuple TypedDictUnion)URL)hdrs) ClientError)ClientHandlerType) ClientRequestClientResponse)PayloadcTeZdZUeed<eed<eed<eed<eed<eed<eed<y) DigestAuthChallengerealmnonceqop algorithmopaquedomainstaleN)__name__ __module__ __qualname__str__annotations__/var/www/CtrlAgent-Voice-Telephony-Channel/python-server/venv/lib/python3.12/site-packages/aiohttp/client_middleware_digest_auth.pyrr#s% J J HN K K Jr#rF)total) MD5zMD5-SESSSHAzSHA-SESSSHA256z SHA256-SESSzSHA-256z SHA-256-SESSSHA512z SHA512-SESSzSHA-512z SHA-512-SESSz hashlib._HashDigestFunctionsz-(\w+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+)))rrrrrrr.CHALLENGE_FIELDSSUPPORTED_ALGORITHMS>urirrcnoncerresponseusernameQUOTED_AUTH_FIELDSvaluereturnc&|jddS)z,Escape double quotes for HTTP header values."\"replacer2s r$ escape_quotesr:qs ==e $$r#c&|jddS)z-Unescape double quotes in HTTP header values.r6r5r7r9s r$unescape_quotesr<vs == $$r#headerc tj|Dcic](\}}}|jx}r||r t|n|*c}}}Scc}}}w)a Parse key-value pairs from WWW-Authenticate or similar HTTP headers. This function handles the complex format of WWW-Authenticate header values, supporting both quoted and unquoted values, proper handling of commas in quoted values, and whitespace variations per RFC 7616. Examples of supported formats: - key1="value1", key2=value2 - key1 = "value1" , key2="value, with, commas" - key1=value1,key2="value2" - realm="example.com", nonce="12345", qop="auth" Args: header: The header value string to parse Returns: Dictionary mapping parameter names to their values )_HEADER_PAIRS_PATTERNfindallstripr<)r=key quoted_val unquoted_val stripped_keys r$parse_header_pairsrF{sZ,.C-J-J6-R   )C\IIK 'L ' Zoj1\Q  s-A c eZdZdZ ddedededdfdZded ed ee e d fdefd Z d edefd Z de defdZdedede fdZy)DigestAuthMiddlewarea HTTP digest authentication middleware for aiohttp client. This middleware intercepts 401 Unauthorized responses containing a Digest authentication challenge, calculates the appropriate digest credentials, and automatically retries the request with the proper Authorization header. Features: - Handles all aspects of Digest authentication handshake automatically - Supports all standard hash algorithms: - MD5, MD5-SESS - SHA, SHA-SESS - SHA256, SHA256-SESS, SHA-256, SHA-256-SESS - SHA512, SHA512-SESS, SHA-512, SHA-512-SESS - Supports 'auth' and 'auth-int' quality of protection modes - Properly handles quoted strings and parameter parsing - Includes replay attack protection with client nonce count tracking - Supports preemptive authentication per RFC 7616 Section 3.6 Standards compliance: - RFC 7616: HTTP Digest Access Authentication (primary reference) - RFC 2617: HTTP Authentication (deprecated by RFC 7616) - RFC 1945: Section 11.1 (username restrictions) Implementation notes: The core digest calculation is inspired by the implementation in https://github.com/requests/requests/blob/v2.18.4/requests/auth.py with added support for modern digest auth features and error handling. loginpassword preemptiver3Nc| td| tdd|vr td||_|jd|_|jd|_d|_d|_i|_||_g|_ y)Nz"None is not allowed as login valuez%None is not allowed as password value:z8A ":" is not allowed in username (RFC 1945#section-11.1)utf-8r#r) ValueError _login_strencode _login_bytes_password_bytes_last_nonce_bytes _nonce_count _challenge _preemptive_protection_space)selfrIrJrKs r$__init__zDigestAuthMiddleware.__init__s =AB B  DE E %<WX X&+*/,,w*?-5__W-E!$/1!+,.r#methodurlbodyr#c "#K|j}d|vr tdd|vr td|d}|d}|s td|jdd}|jdd j}|jd d} |j d } |j d } t |j } d} d }|rxd dhj|jdDchc]#}|js|j%c}}|std|d|vrdnd } | j d }|tvr$td|ddjtt|#dtdtf#fd "dtdtdtf"fd }dj|j| |jf}|jd| j }| dk(rFt!|t"r|j%d{}n|}"|}dj||f}"|}"|}| |j&k(r|xj(dz c_nd|_| |_|j(d}|j d }t+j,d jt/|j(j d | t1j2j d t5j6dgj9dd }|j d }|jj;d!r"dj|| |f}| r dj| ||||f}|||}n||dj| |f}t=|j>t=|t=|| |jA|d"}| rt=| |d <| r| |d<||d#<||d$<g}|jCD];\} }!| tDvr|jG| d%|!d&&|jG| d'|!=d(dj|Scc}w7`w))a Build digest authorization header for the current challenge. Args: method: The HTTP method (GET, POST, etc.) url: The request URL body: The request body (used for qop=auth-int) Returns: A fully formatted Digest authorization header string Raises: ClientError: If the challenge is missing required parameters or contains unsupported values rz:Malformed Digest auth challenge: Missing 'realm' parameterrz:Malformed Digest auth challenge: Missing 'nonce' parameterzBSecurity issue: Digest auth challenge contains empty 'nonce' valuerrr&rrNr#authzauth-int,zEDigest auth error: Unsupported Quality of Protection (qop) value(s): z/Digest auth error: Unsupported hash algorithm: z. Supported algorithms: z, xr3cL|jjS)z.Hs1:'')002 2r#sdc6dj||fS)zDRFC 7616 Section 3: KD(secret, data) = H(concat(secret, ":", data)).:)join)rgrhrfs r$KDz(DigestAuthMiddleware._encode..KDsTYY1v&' 'r#rjrMNr 08xz-SESS)r0rrr-r/rncr.z="r5=zDigest )$rVrgetupperrQr path_qs intersectionsplitrAr*rkr,bytesrRrS isinstanceras_bytesrTrUhashlibsha1r timectimeosurandomrdendswithr:rPdecodeitemsr1append)$rYr[r\r] challengerrqop_rawrr nonce_bytes realm_bytespathr qop_bytesq valid_qopsrlA1A2 entity_bytes entity_hashHA1HA2ncvalue ncvalue_bytesr. cnonce_bytesnoncebitresponse_digest header_fieldspairsfieldr2rfres$ @@r$_encodezDigestAuthMiddleware._encodes&OO ) #L  ) #L  '"'"T --r*MM+u5;;= x,ll7+ ll7+ 3x  *-::$+MM#$6Dq!'')DJ![\c[de!+j 8*fC 7+I O +A)M))-3G)H(IK )3 3 35 3 (% (E (e ( YY));8L8LM N q ' . . 0 * $(%)]]_4 # L/KB ,-Bee $00 0    "  !D !,&&s+w/  HH))*11':JJL''0JJqM     )+cr }}W-  ??  % %g .DIIsK>?@C yym\9cJH!h/O diic0B&CDO &doo6"5)"5)'..0"  &3F&;M( # #&M% ")M$ &,M( #)//1 1LE5** wbq12 waw/0  1 5)*++SE< 5s&C#Q4'Q,=Q,DQ4Q1I Q4ct|}|jD]H}|j|st|t|k(s|ddk(ry|t|dk(sHyy)z Check if the given URL is within the current protection space. According to RFC 7616, a URI is in the protection space if any URI in the protection space is a prefix of it (after both have been made absolute). /TF)r rX startswithlen)rYr\ request_str space_strs r$_in_protection_spacez)DigestAuthMiddleware._in_protection_spacepsk#h // I)))4;3y>1Yr]c5I3y>*c1 r#r/c P|jdk7ry|jjdd}|sy|jd\}}}|sy|j dk7ry|syt |x}syi|_tD]%}|j|x}s||j |<'|jj} |j jdx} rg|_ | jD]} | jd} | jd r=|jjt| j!t#| b|jjtt#| nt| g|_ t%|j S) z Takes the given response and tries digest-auth, if needed. Returns true if the original request must be resent. iFzwww-authenticater_ digestrr5r)statusheadersrr partitionlowerrFrVr+r\originrXrvrArrr rkr bool) rYr/ auth_headerr[sepr header_pairsrr2rrr-s r$ _authenticatez"DigestAuthMiddleware._authenticates ??c !&&**+=rB *44S9W <<>X %!37 ;; ;% /E$((//u/).& / $$&__((2 26 2%'D "||~ Aiin>>#&**11#fkk#c(6K2LM**11#c#h-@ A'*&k]D "DOO$$r#requesthandlercKd}tdD]}|dkDs3|jr{|jro|j|jrT|j |j |j|jd{|jtj<||d{}|j|rn|J|S7J7!w)zRun the digest auth middleware.Nr) rangerWrVrr\rr[r]rr AUTHORIZATIONr)rYrrr/ retry_counts r$__call__zDigestAuthMiddleware.__call__s 8 KQ  OO--gkk:<@LLNNGKK=7 2 23 %W--H%%h/% *###7 .s*A=C?C *C*C +C C C)T)rrr__doc__r rrZr r rrrrrrrrrr"r#r$rHrHsD /// /  /4_,_, #_,+0'#,1F+G_, _,B(9%n9%9%v$/@ r#rH)2rrzr~rer|typingrrrrrrr r r yarlr r_rclient_exceptionsrclient_middlewaresr client_reqreprrpayloadrrmd5r{sha256sha512r*r rwr!compiler?r+tuplesortedkeysr, frozensetr1r:r<rFrHr"r#r$rs    *18)5 ;; << nn>>~~NNnn>>~~NN Bc8UG_$<==> "# 46 % QRTWW  05VO