a Ô×0h¯%ã@sÎddlmZddlmZddlZddlZddlZddl m Z ddl m Z ddl m Z ddl m Z ddlmZGd d „d ƒZGd d „d eƒZddddœdd„ZGdd„deƒZdddœdd„ZGdd„dƒZdS)é)Ú annotationsNé)Ú_base64_alphabet)Ú base64_decode)Ú base64_encode©Ú want_bytes)Ú BadSignaturec@s6eZdZdZddddœdd„Zdddddœdd „Zd S) ÚSigningAlgorithmzgSubclasses must implement :meth:`get_signature` to provide signature generation functionality. Úbytes©ÚkeyÚvalueÚreturncCs tƒ‚dS)z2Returns the signature for the given key and value.N)ÚNotImplementedError©Úselfr r©rúA/var/www/auris/lib/python3.9/site-packages/itsdangerous/signer.pyÚ get_signatureszSigningAlgorithm.get_signatureÚbool)r rÚsigrcCst || ||¡¡S)zMVerifies the given signature matches the expected signature. )ÚhmacÚcompare_digestr)rr rrrrrÚverify_signaturesz!SigningAlgorithm.verify_signatureN)Ú__name__Ú __module__Ú __qualname__Ú__doc__rrrrrrr sr c@s"eZdZdZddddœdd„ZdS)Ú NoneAlgorithmz`Provides an algorithm that does not perform any signing and returns an empty signature. r r cCsdS)Nórrrrrr$szNoneAlgorithm.get_signatureN)rrrrrrrrrrsrr r út.Any)ÚstringrcCs t |¡S)zÈDon't access ``hashlib.sha1`` until runtime. FIPS builds may not include SHA-1, in which case the import and use as a default would fail before the developer can configure something else. )ÚhashlibÚsha1)r"rrrÚ _lazy_sha1(sr%c@sDeZdZUdZeeƒZded<d ddœdd„Zdddd œd d „Z dS) Ú HMACAlgorithmz*Provides signature generation using HMACs.r!Údefault_digest_methodN)Ú digest_methodcCs|dur|j}||_dS)N)r'r()rr(rrrÚ__init__8szHMACAlgorithm.__init__r r cCstj|||jd}| ¡S)N)ÚmsgÚ digestmod)rÚnewr(Údigest)rr rÚmacrrrr>szHMACAlgorithm.get_signature)N) rrrrÚ staticmethodr%r'Ú__annotations__r)rrrrrr&0s r&ú7str | bytes | cabc.Iterable[str] | cabc.Iterable[bytes]z list[bytes]©Ú secret_keyrcCs&t|ttfƒrt|ƒgSdd„|DƒS)NcSsg|] }t|ƒ‘qSrr)Ú.0ÚsrrrÚ Ir z#_make_keys_list..)Ú isinstanceÚstrr r)r3rrrÚ_make_keys_listCs r9c@s¾eZdZUdZeeƒZded<dZded<d(d d d d dddœdd„Z e ddœdd„ƒZ d)d ddœdd„Z d ddœdd„Z d ddœdd„Zd d dd œd!d"„Zd dd#œd$d%„Zd dd#œd&d'„Zd S)*ÚSigneraÖA signer securely signs bytes, then unsigns them to verify that the value hasn't been changed. The secret key should be a random string of ``bytes`` and should not be saved to code or version control. Different salts should be used to distinguish signing in different contexts. See :doc:`/concepts` for information about the security of the secret key and salt. :param secret_key: The secret key to sign and verify with. Can be a list of keys, oldest to newest, to support key rotation. :param salt: Extra key to combine with ``secret_key`` to distinguish signatures in different contexts. :param sep: Separator between the signature and value. :param key_derivation: How to derive the signing key from the secret key and salt. Possible values are ``concat``, ``django-concat``, or ``hmac``. Defaults to :attr:`default_key_derivation`, which defaults to ``django-concat``. :param digest_method: Hash function to use when generating the HMAC signature. Defaults to :attr:`default_digest_method`, which defaults to :func:`hashlib.sha1`. Note that the security of the hash alone doesn't apply when used intermediately in HMAC. :param algorithm: A :class:`SigningAlgorithm` instance to use instead of building a default :class:`HMACAlgorithm` with the ``digest_method``. .. versionchanged:: 2.0 Added support for key rotation by passing a list to ``secret_key``. .. versionchanged:: 0.18 ``algorithm`` was added as an argument to the class constructor. .. versionchanged:: 0.14 ``key_derivation`` and ``digest_method`` were added as arguments to the class constructor. r!r'ú django-concatr8Údefault_key_derivationóitsdangerous.Signeró.Nr1zstr | bytes | Nonez str | bytesz str | Nonez t.Any | NonezSigningAlgorithm | None)r3ÚsaltÚsepÚkey_derivationr(Ú algorithmcCs†t|ƒ|_t|ƒ|_|jtvr&tdƒ‚|dur8t|ƒ}nd}||_|durP|j}||_|durd|j }||_ |dur|t |j ƒ}||_ dS)NzŠThe given separator cannot be used because it may be contained in the signature itself. ASCII letters, digits, and '-_=' must not be used.r=) r9Ú secret_keysrr@rÚ ValueErrorr?r<rAr'r(r&rB)rr3r?r@rAr(rBrrrr)s&   ÿ  zSigner.__init__r )rcCs |jdS)zThe newest (last) entry in the :attr:`secret_keys` list. This is for compatibility from before key rotation support was added. éÿÿÿÿ)rC)rrrrr3¯szSigner.secret_keyr2cCs´|dur|jd}nt|ƒ}|jdkrBt t| |j|¡ ¡¡S|jdkrlt t| |jd|¡ ¡¡S|jdkršt j ||jd}|  |j¡| ¡S|jdkr¨|St d ƒ‚dS) aüThis method is called to derive the key. The default key derivation choices can be overridden here. Key derivation is not intended to be used as a security method to make a complex key out of a short password. Instead you should use large random secret keys. :param secret_key: A specific secret key to derive from. Defaults to the last item in :attr:`secret_keys`. .. versionchanged:: 2.0 Added the ``secret_key`` parameter. NrEÚconcatr;ssignerr)r+ÚnonezUnknown key derivation method) rCrrAÚtÚcastr r(r?r-rr,ÚupdateÚ TypeError)rr3r.rrrÚ derive_key¶s    ÿ   zSigner.derive_key)rrcCs&t|ƒ}| ¡}|j ||¡}t|ƒS)z*Returns the signature for the given value.)rrLrBrr)rrr rrrrr×szSigner.get_signaturecCst|ƒ}||j| |¡S)zSigns the given string.)rr@r)rrrrrÚsignÞsz Signer.signr)rrrcCs^z t|ƒ}Wnty YdS0t|ƒ}t|jƒD]$}| |¡}|j |||¡r4dSq4dS)z+Verifies the signature for the given value.FT)rÚ ExceptionrÚreversedrCrLrBr)rrrr3r rrrrãs   zSigner.verify_signature)Ú signed_valuercCs^t|ƒ}|j|vr$td|j›dƒ‚| |jd¡\}}| ||¡rF|Std|›d|d‚dS)zUnsigns the given string.zNo z found in valuerz Signature z does not match)ÚpayloadN)rr@r Úrsplitr)rrPrrrrrÚunsignôs  z Signer.unsigncCs*z| |¡WdSty$YdS0dS)znOnly validates the given signed value. Returns ``True`` if the signature exists and is valid. TFN)rSr )rrPrrrÚvalidates   zSigner.validate)r=r>NNN)N)rrrrr/r%r'r0r<r)Úpropertyr3rLrrMrrSrTrrrrr:Ls" + ù.!r:)r )Ú __future__rÚcollections.abcÚabcZcabcr#rÚtypingrHÚencodingrrrrÚexcr r rr%r&r9r:rrrrÚs