o a}@sdZddlZddlZddlZddlZddlZddlmZmZm Z ddl m Z ddl mZeeZdededed efd d ZdMd ed ed efddZ  dNddZd efddZdedededefddZ  dOdefddZdd ZdOd!d"Zd#d$Zd%d&ZdOd'd(Zd)d*Zdefd+d,Z  dOdedefd-d.Z iZ!defd/d0Z"d1d2Z#deded3efd4d5Z$ded6efd7d8Z%d9d:Z&d6efd;d<Z'd=d>Z(defd?d@Z)d6efdAdBZ*defdCdDZ+d6efdEdFZ,dGdHZ-dIdJZ.dOdKdLZ/dS)Pa This module is an implementation of `section 3.4`_ of RFC 5849. **Usage** Steps for signing a request: 1. Collect parameters from the request using ``collect_parameters``. 2. Normalize those parameters using ``normalize_parameters``. 3. Create the *base string URI* using ``base_string_uri``. 4. Create the *signature base string* from the above three components using ``signature_base_string``. 5. Pass the *signature base string* and the client credentials to one of the sign-with-client functions. The HMAC-based signing functions needs client credentials with secrets. The RSA-based signing functions needs client credentials with an RSA private key. To verify a request, pass the request and credentials to one of the verify functions. The HMAC-based signing functions needs the shared secrets. The RSA-based verify functions needs the RSA public key. **Scope** All of the functions in this module should be considered internal to OAuthLib, since they are not imported into the "oauthlib.oauth1" module. Programs using OAuthLib should not use directly invoke any of the functions in this module. **Deprecated functions** The "sign_" methods that are not "_with_client" have been deprecated. They may be removed in a future release. Since they are all internal functions, this should have no impact on properly behaving programs. .. _`section 3.4`: https://tools.ietf.org/html/rfc5849#section-3.4 N)extract_paramssafe_string_equals urldecode)utils http_method base_str_uri%normalized_encoded_request_parametersreturncCs>t|}|d7}|t|7}|d7}|t|7}|S)a Construct the signature base string. The *signature base string* is the value that is calculated and signed by the client. It is also independently calculated by the server to verify the signature, and therefore must produce the exact same value at both ends or the signature won't verify. The rules for calculating the *signature base string* are defined in section 3.4.1.1`_ of RFC 5849. .. _`section 3.4.1.1`: https://tools.ietf.org/html/rfc5849#section-3.4.1.1 &)rescapeupper)rrr base_stringrC/usr/lib/python3/dist-packages/oauthlib/oauth1/rfc5849/signature.pysignature_base_string6s rurihostc Cs0t|ts tdt|\}}}}}}|std|sd}|}|}|dur.|}d|vr}|dd\}} t|dkrDtdt| dkrM|}n:zt| } Wn ty^td w| dksgd | krktd || fd vrt|}n|dt| }n t|dkrtdt||||d d f} | ddS)a Calculates the _base string URI_. The *base string URI* is one of the components that make up the *signature base string*. The ``host`` is optional. If provided, it is used to override any host and port values in the ``uri``. The value for ``host`` is usually extracted from the "Host" request header from the HTTP request. Its value may be just the hostname, or the hostname followed by a colon and a TCP/IP port number (hostname:port). If a value for the``host`` is provided but it does not contain a port number, the default port number is used (i.e. if the ``uri`` contained a port number, it will be discarded). The rules for calculating the *base string URI* are defined in section 3.4.1.2`_ of RFC 5849. .. _`section 3.4.1.2`: https://tools.ietf.org/html/rfc5849#section-3.4.1.2 :param uri: URI :param host: hostname with optional port number, separated by a colon :return: base string URI zuri must be a string.zmissing scheme/N:rrz missing hostzport is not an integerizport out of range))httpP)httpsi z%20) isinstancestr ValueErrorurlparselowersplitlenint urlunparsereplace) rrschemenetlocpathparamsqueryfragmenthostnameport_strport_numvrrrbase_string_uriis>         r/rTFc s|durg}|p i}g}|r|t||r8dd|D}|d}|dur8|fddt|Dt|p=g}||g} |D]\} } | drUt| } | | | fqG|rht t dd | } | S) a Gather the request parameters from all the parameter sources. This function is used to extract all the parameters, which are then passed to ``normalize_parameters`` to produce one of the components that make up the *signature base string*. Parameters starting with `oauth_` will be unescaped. Body parameters must be supplied as a dict, a list of 2-tuples, or a form encoded query string. Headers must be supplied as a dict. The rules where the parameters must be sourced from are defined in `section 3.4.1.3.1`_ of RFC 5849. .. _`Sec 3.4.1.3.1`: https://tools.ietf.org/html/rfc5849#section-3.4.1.3.1 NcSsi|] \}}||qSr)r.0kr.rrr sz&collect_parameters.. authorizationcs g|] }s |ddkr|qS)rrealmr)r1i with_realmrr s  z&collect_parameters..oauth_cSs |ddkS)Nroauth_signaturer)r6rrr5s z$collect_parameters..) extendritemsgetrparse_authorization_headerr startswithunescapeappendlistfilter) uri_querybodyheadersexclude_oauth_signaturer8r( headers_lowerauthorization_header bodyparamsunescaped_paramsr2r.rr7rcollect_parameterss2       rNcCs.dd|D}|dd|D}d|S)aV Calculate the normalized request parameters. The *normalized request parameters* is one of the components that make up the *signature base string*. The rules for parameter normalization are defined in `section 3.4.1.3.2`_ of RFC 5849. .. _`Sec 3.4.1.3.2`: https://tools.ietf.org/html/rfc5849#section-3.4.1.3.2 cSs$g|]\}}t|t|fqSrrr r0rrrr9Qs$z(normalize_parameters..cSsg|] \}}d||qS)z{}={})formatr0rrrr9[sr )sortjoin)r( key_valuesparameter_partsrrrnormalize_parameters;s rUhash_algorithm_name sig_base_str client_secretresource_owner_secretc Cs|}t|pd}|d7}|t|pd7}tjtjtjd}||}|d}|d} t|| |} t | dd dS)a] **HMAC-SHA256** The "HMAC-SHA256" signature method uses the HMAC-SHA256 signature algorithm as defined in `RFC4634`_:: digest = HMAC-SHA256 (key, text) Per `section 3.4.2`_ of the spec. .. _`RFC4634`: https://tools.ietf.org/html/rfc4634 .. _`section 3.4.2`: https://tools.ietf.org/html/rfc5849#section-3.4.2 rr SHA-1SHA-256SHA-512utf-8N) rr hashlibsha1sha256sha512encodehmacnewbinascii b2a_base64digestdecode) rVrWrXrYtextkeymhash_algkey_utf8 text_utf8 signaturerrr _sign_hmaces  rrc CsPt|j}t|j}t|j||}t||||}t||j}|s&t d||S)aVerify a HMAC-SHA1 signature. Per `section 3.4`_ of the spec. .. _`section 3.4`: https://tools.ietf.org/html/rfc5849#section-3.4 To satisfy `RFC2616 section 5.2`_ item 1, the request argument's uri attribute MUST be an absolute URI whose netloc part identifies the origin server or gateway on which the resource resides. Any Host item of the request argument's headers dict attribute will be ignored. .. _`RFC2616 section 5.2`: https://tools.ietf.org/html/rfc2616#section-5.2 z-Verify HMAC failed: signature base string: %s) rUr(r/rrrrrrrqlogdebug) rVrequestrXrY norm_paramsbs_urirWrqmatchrrr _verify_hmacs    rycCtd||j|jSNr[rrrXrYrWclientrrrsign_hmac_sha1_with_clientrcCtd|||Sr{ryrurXrYrrrverify_hmac_sha1rcC2tdtt|tr|dn|}td|||S)aU Deprecated function for calculating a HMAC-SHA1 signature. This function has been replaced by invoking ``sign_hmac`` with "SHA-1" as the hash algorithm name. This function was invoked by sign_hmac_sha1_with_client and test_signatures.py, but does any application invoke it directly? If not, it can be removed. z8use sign_hmac_sha1_with_client instead of sign_hmac_sha1asciir[warningswarnDeprecationWarningrbytesrjrrrrXrYrrrsign_hmac_sha1s  rcCrzNr\r|r}rrrsign_hmac_sha256_with_clientrrcCrrrrrrrverify_hmac_sha256srcCr)a[ Deprecated function for calculating a HMAC-SHA256 signature. This function has been replaced by invoking ``sign_hmac`` with "SHA-256" as the hash algorithm name. This function was invoked by sign_hmac_sha256_with_client and test_signatures.py, but does any application invoke it directly? If not, it can be removed. zs$    3{ W* C!     > Q #