summaryrefslogtreecommitdiffstats
path: root/requests/auth.py
diff options
context:
space:
mode:
Diffstat (limited to 'requests/auth.py')
-rw-r--r--requests/auth.py176
1 files changed, 109 insertions, 67 deletions
diff --git a/requests/auth.py b/requests/auth.py
index d1da4ee..30529e2 100644
--- a/requests/auth.py
+++ b/requests/auth.py
@@ -7,19 +7,27 @@ requests.auth
This module contains the authentication handlers for Requests.
"""
+import os
+import re
import time
import hashlib
+import logging
from base64 import b64encode
-from urlparse import urlparse
-from .utils import randombytes, parse_dict_header
+from .compat import urlparse, str
+from .utils import parse_dict_header
+log = logging.getLogger(__name__)
+
+CONTENT_TYPE_FORM_URLENCODED = 'application/x-www-form-urlencoded'
+CONTENT_TYPE_MULTI_PART = 'multipart/form-data'
def _basic_auth_str(username, password):
"""Returns a Basic Auth string."""
- return 'Basic %s' % b64encode('%s:%s' % (username, password))
+
+ return 'Basic ' + b64encode(('%s:%s' % (username, password)).encode('latin1')).strip().decode('latin1')
class AuthBase(object):
@@ -32,8 +40,8 @@ class AuthBase(object):
class HTTPBasicAuth(AuthBase):
"""Attaches HTTP Basic Authentication to the given Request object."""
def __init__(self, username, password):
- self.username = str(username)
- self.password = str(password)
+ self.username = username
+ self.password = password
def __call__(self, r):
r.headers['Authorization'] = _basic_auth_str(self.username, self.password)
@@ -41,7 +49,7 @@ class HTTPBasicAuth(AuthBase):
class HTTPProxyAuth(HTTPBasicAuth):
- """Attaches HTTP Proxy Authenetication to a given Request object."""
+ """Attaches HTTP Proxy Authentication to a given Request object."""
def __call__(self, r):
r.headers['Proxy-Authorization'] = _basic_auth_str(self.username, self.password)
return r
@@ -52,87 +60,121 @@ class HTTPDigestAuth(AuthBase):
def __init__(self, username, password):
self.username = username
self.password = password
+ self.last_nonce = ''
+ self.nonce_count = 0
+ self.chal = {}
- def handle_401(self, r):
- """Takes the given response and tries digest-auth, if needed."""
+ def build_digest_header(self, method, url):
- s_auth = r.headers.get('www-authenticate', '')
+ realm = self.chal['realm']
+ nonce = self.chal['nonce']
+ qop = self.chal.get('qop')
+ algorithm = self.chal.get('algorithm')
+ opaque = self.chal.get('opaque')
+
+ if algorithm is None:
+ _algorithm = 'MD5'
+ else:
+ _algorithm = algorithm.upper()
+ # lambdas assume digest modules are imported at the top level
+ if _algorithm == 'MD5':
+ def md5_utf8(x):
+ if isinstance(x, str):
+ x = x.encode('utf-8')
+ return hashlib.md5(x).hexdigest()
+ hash_utf8 = md5_utf8
+ elif _algorithm == 'SHA':
+ def sha_utf8(x):
+ if isinstance(x, str):
+ x = x.encode('utf-8')
+ return hashlib.sha1(x).hexdigest()
+ hash_utf8 = sha_utf8
+ # XXX MD5-sess
+ KD = lambda s, d: hash_utf8("%s:%s" % (s, d))
+
+ if hash_utf8 is None:
+ return None
- if 'digest' in s_auth.lower():
+ # XXX not implemented yet
+ entdig = None
+ p_parsed = urlparse(url)
+ path = p_parsed.path
+ if p_parsed.query:
+ path += '?' + p_parsed.query
- last_nonce = ''
- nonce_count = 0
+ A1 = '%s:%s:%s' % (self.username, realm, self.password)
+ A2 = '%s:%s' % (method, path)
- chal = parse_dict_header(s_auth.replace('Digest ', ''))
+ if qop is None:
+ respdig = KD(hash_utf8(A1), "%s:%s" % (nonce, hash_utf8(A2)))
+ elif qop == 'auth' or 'auth' in qop.split(','):
+ if nonce == self.last_nonce:
+ self.nonce_count += 1
+ else:
+ self.nonce_count = 1
- realm = chal['realm']
- nonce = chal['nonce']
- qop = chal.get('qop')
- algorithm = chal.get('algorithm', 'MD5')
- opaque = chal.get('opaque', None)
+ ncvalue = '%08x' % self.nonce_count
+ s = str(self.nonce_count).encode('utf-8')
+ s += nonce.encode('utf-8')
+ s += time.ctime().encode('utf-8')
+ s += os.urandom(8)
- algorithm = algorithm.upper()
- # lambdas assume digest modules are imported at the top level
- if algorithm == 'MD5':
- H = lambda x: hashlib.md5(x).hexdigest()
- elif algorithm == 'SHA':
- H = lambda x: hashlib.sha1(x).hexdigest()
- # XXX MD5-sess
- KD = lambda s, d: H("%s:%s" % (s, d))
+ cnonce = (hashlib.sha1(s).hexdigest()[:16])
+ noncebit = "%s:%s:%s:%s:%s" % (nonce, ncvalue, cnonce, qop, hash_utf8(A2))
+ respdig = KD(hash_utf8(A1), noncebit)
+ else:
+ # XXX handle auth-int.
+ return None
- if H is None:
- return None
+ self.last_nonce = nonce
- # XXX not implemented yet
- entdig = None
- p_parsed = urlparse(r.request.url)
- path = p_parsed.path
- if p_parsed.query:
- path += '?' + p_parsed.query
+ # XXX should the partial digests be encoded too?
+ base = 'username="%s", realm="%s", nonce="%s", uri="%s", ' \
+ 'response="%s"' % (self.username, realm, nonce, path, respdig)
+ if opaque:
+ base += ', opaque="%s"' % opaque
+ if algorithm:
+ base += ', algorithm="%s"' % algorithm
+ if entdig:
+ base += ', digest="%s"' % entdig
+ if qop:
+ base += ', qop=auth, nc=%s, cnonce="%s"' % (ncvalue, cnonce)
- A1 = '%s:%s:%s' % (self.username, realm, self.password)
- A2 = '%s:%s' % (r.request.method, path)
+ return 'Digest %s' % (base)
- if qop == 'auth':
- if nonce == last_nonce:
- nonce_count += 1
- else:
- nonce_count = 1
- last_nonce = nonce
+ def handle_401(self, r, **kwargs):
+ """Takes the given response and tries digest-auth, if needed."""
- ncvalue = '%08x' % nonce_count
- cnonce = (hashlib.sha1("%s:%s:%s:%s" % (
- nonce_count, nonce, time.ctime(), randombytes(8)))
- .hexdigest()[:16]
- )
- noncebit = "%s:%s:%s:%s:%s" % (nonce, ncvalue, cnonce, qop, H(A2))
- respdig = KD(H(A1), noncebit)
- elif qop is None:
- respdig = KD(H(A1), "%s:%s" % (nonce, H(A2)))
- else:
- # XXX handle auth-int.
- return None
+ num_401_calls = getattr(self, 'num_401_calls', 1)
+ s_auth = r.headers.get('www-authenticate', '')
- # XXX should the partial digests be encoded too?
- base = 'username="%s", realm="%s", nonce="%s", uri="%s", ' \
- 'response="%s"' % (self.username, realm, nonce, path, respdig)
- if opaque:
- base += ', opaque="%s"' % opaque
- if entdig:
- base += ', digest="%s"' % entdig
- base += ', algorithm="%s"' % algorithm
- if qop:
- base += ', qop=auth, nc=%s, cnonce="%s"' % (ncvalue, cnonce)
+ if 'digest' in s_auth.lower() and num_401_calls < 2:
+
+ setattr(self, 'num_401_calls', num_401_calls + 1)
+ pat = re.compile(r'digest ', flags=re.IGNORECASE)
+ self.chal = parse_dict_header(pat.sub('', s_auth, count=1))
+
+ # Consume content and release the original connection
+ # to allow our new request to reuse the same one.
+ r.content
+ r.raw.release_conn()
+ prep = r.request.copy()
+ prep.prepare_cookies(r.cookies)
- r.request.headers['Authorization'] = 'Digest %s' % (base)
- r.request.send(anyway=True)
- _r = r.request.response
+ prep.headers['Authorization'] = self.build_digest_header(
+ prep.method, prep.url)
+ _r = r.connection.send(prep, **kwargs)
_r.history.append(r)
+ _r.request = prep
return _r
+ setattr(self, 'num_401_calls', 1)
return r
def __call__(self, r):
+ # If we have a saved nonce, skip the 401
+ if self.last_nonce:
+ r.headers['Authorization'] = self.build_digest_header(r.method, r.url)
r.register_hook('response', self.handle_401)
return r
generated by cgit v1.2.3-70-g09d2 (git 2.52.0) at 2025-12-21 13:08:40 +0000