a2SrSSKJrJr SSKrSSKrSSKrSSKrSSKJ r J r J r J r SSK Jr SSKr\R&"\5rSrSSjrS /SS S 4S jrS rSrSrSrSrSqSrSr Sr!Sr"Sr#SSjr$Sr%Sr&SSjr'g!\a SSKJr Ncf=f)aoauthlib.oauth1.rfc5849.signature ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This module represents a direct implementation of `section 3.4`_ of the spec. Terminology: * Client: software interfacing with an OAuth API * Server: the API provider * Resource Owner: the user who is granting authorization to the client Steps for signing a request: 1. Collect parameters from the uri query, auth header, & body 2. Normalize those parameters 3. Normalize the uri 4. Pass the normalized uri, normalized parameters, and http method to construct the base string 5. Pass the base string and any keys needed to a signing function .. _`section 3.4`: https://tools.ietf.org/html/rfc5849#section-3.4 )absolute_importunicode_literalsN)extract_paramssafe_string_equals unicode_type urldecode)utilsc[R"UR55nUS- nU[R"U5- nUS- nU[R"U5- nU$)a**String Construction** Per `section 3.4.1.1`_ of the spec. For example, the HTTP request:: POST /request?b5=%3D%253D&a3=a&c%40=&a2=r%20b HTTP/1.1 Host: example.com Content-Type: application/x-www-form-urlencoded Authorization: OAuth realm="Example", oauth_consumer_key="9djdj82h48djs9d2", oauth_token="kkk9d7dh3k39sjv7", oauth_signature_method="HMAC-SHA1", oauth_timestamp="137131201", oauth_nonce="7d8f3e4a", oauth_signature="bYT5CMsGcbgUdFHObYMEfcx6bsw%3D" c2&a3=2+q is represented by the following signature base string (line breaks are for display purposes only):: POST&http%3A%2F%2Fexample.com%2Frequest&a2%3Dr%2520b%26a3%3D2%2520q %26a3%3Da%26b5%3D%253D%25253D%26c%2540%3D%26c2%3D%26oauth_consumer_ key%3D9djdj82h48djs9d2%26oauth_nonce%3D7d8f3e4a%26oauth_signature_m ethod%3DHMAC-SHA1%26oauth_timestamp%3D137131201%26oauth_token%3Dkkk 9d7dh3k39sjv7 .. _`section 3.4.1.1`: https://tools.ietf.org/html/rfc5849#section-3.4.1.1 &)r escapeupper) http_methodbase_string_uri%normalized_encoded_request_parameters base_strings 4lib/third_party/oauthlib/oauth1/rfc5849/signature.pyconstruct_base_stringr*seR [..01++o..++CDD+ c[U[5(d [S5e[R"U5up#pEpgU(aU(d [S5eU(dSnUR 5nUR 5nUbUR 5nSnSU;aUR SS5upX)4U;aUn[R "X#XESS45$)a**Base String URI** Per `section 3.4.1.2`_ of the spec. For example, the HTTP request:: GET /r%20v/X?id=123 HTTP/1.1 Host: EXAMPLE.COM:80 is represented by the base string URI: "http://example.com/r%20v/X". In another example, the HTTPS request:: GET /?q=1 HTTP/1.1 Host: www.example.net:8080 is represented by the base string URI: "https://www.example.net:8080/". .. _`section 3.4.1.2`: https://tools.ietf.org/html/rfc5849#section-3.4.1.2 The host argument overrides the netloc part of the uri argument. zuri must be a unicode object.z$uri must include a scheme and netloc/))http80)https443:r ) isinstancer ValueErrorurlparselowersplit urlunparse) urihostschemenetlocpathparamsqueryfragment default_portsports rnormalize_base_string_urir.ls. C & & 4 553;2C2CC2H/&$ v ; <<  D <<>& <<>&  ZZ\F- F]c1%JD~&f   fdBC DDrrTFcU=(d 0n/nU(aUR[U55 U(a|[SUR555nUR S5nUbHUR[ R "U5Vs/sHnU(d USS:wdMUPM sn5 [U5=(d /n URU 5 /n UHCupU RS5(a[ R"U 5n U RX45 ME U(a[[SU 55n U $s snf)a**Parameter Sources** Parameters starting with `oauth_` will be unescaped. Body parameters must be supplied as a dict, a list of 2-tuples, or a formencoded query string. Headers must be supplied as a dict. Per `section 3.4.1.3.1`_ of the spec. For example, the HTTP request:: POST /request?b5=%3D%253D&a3=a&c%40=&a2=r%20b HTTP/1.1 Host: example.com Content-Type: application/x-www-form-urlencoded Authorization: OAuth realm="Example", oauth_consumer_key="9djdj82h48djs9d2", oauth_token="kkk9d7dh3k39sjv7", oauth_signature_method="HMAC-SHA1", oauth_timestamp="137131201", oauth_nonce="7d8f3e4a", oauth_signature="djosJKDKJSD8743243%2Fjdk33klY%3D" c2&a3=2+q contains the following (fully decoded) parameters used in the signature base sting:: +------------------------+------------------+ | Name | Value | +------------------------+------------------+ | b5 | =%3D | | a3 | a | | c@ | | | a2 | r b | | oauth_consumer_key | 9djdj82h48djs9d2 | | oauth_token | kkk9d7dh3k39sjv7 | | oauth_signature_method | HMAC-SHA1 | | oauth_timestamp | 137131201 | | oauth_nonce | 7d8f3e4a | | c2 | | | a3 | 2 q | +------------------------+------------------+ Note that the value of "b5" is "=%3D" and not "==". Both "c@" and "c2" have empty values. While the encoding rules specified in this specification for the purpose of constructing the signature base string exclude the use of a "+" character (ASCII code 43) to represent an encoded space character (ASCII code 32), this practice is widely used in "application/x-www-form-urlencoded" encoded values, and MUST be properly decoded, as demonstrated by one of the "a3" parameter instances (the "a3" parameter is used twice in this request). .. _`section 3.4.1.3.1`: https://tools.ietf.org/html/rfc5849#section-3.4.1.3.1 c3J# UHupUR5U4v M g7fN)r!).0kvs r %collect_parameters..sDODA!'')QOs!# authorizationrrealmoauth_cUSS:g$)Nroauth_signature)is r$collect_parameters..As1!22r) extendrdictitemsgetr parse_authorization_headerr startswithunescapeappendlistfilter) uri_querybodyheadersexclude_oauth_signature with_realmr) headers_lowerauthorization_headerr= bodyparamsunescaped_paramsr3r4s rcollect_parametersrSs$~ Mr' & MM)I&' DGMMODDM(,,_=' mm556JKK 1Q47? K &d#)r*-- da||H .. aQF#24DEG Gs E%Ec&UVVs/sH1up[R"U5[R"U54PM3 nnnUR5 UVVs/sHupSRX5PM nnnSR U5$s snnfs snnf)a **Parameters Normalization** Per `section 3.4.1.3.2`_ of the spec. For example, the list of parameters from the previous section would be normalized as follows: Encoded:: +------------------------+------------------+ | Name | Value | +------------------------+------------------+ | b5 | %3D%253D | | a3 | a | | c%40 | | | a2 | r%20b | | oauth_consumer_key | 9djdj82h48djs9d2 | | oauth_token | kkk9d7dh3k39sjv7 | | oauth_signature_method | HMAC-SHA1 | | oauth_timestamp | 137131201 | | oauth_nonce | 7d8f3e4a | | c2 | | | a3 | 2%20q | +------------------------+------------------+ Sorted:: +------------------------+------------------+ | Name | Value | +------------------------+------------------+ | a2 | r%20b | | a3 | 2%20q | | a3 | a | | b5 | %3D%253D | | c%40 | | | c2 | | | oauth_consumer_key | 9djdj82h48djs9d2 | | oauth_nonce | 7d8f3e4a | | oauth_signature_method | HMAC-SHA1 | | oauth_timestamp | 137131201 | | oauth_token | kkk9d7dh3k39sjv7 | +------------------------+------------------+ Concatenated Pairs:: +-------------------------------------+ | Name=Value | +-------------------------------------+ | a2=r%20b | | a3=2%20q | | a3=a | | b5=%3D%253D | | c%40= | | c2= | | oauth_consumer_key=9djdj82h48djs9d2 | | oauth_nonce=7d8f3e4a | | oauth_signature_method=HMAC-SHA1 | | oauth_timestamp=137131201 | | oauth_token=kkk9d7dh3k39sjv7 | +-------------------------------------+ and concatenated together into a single string (line breaks are for display purposes only):: a2=r%20b&a3=2%20q&a3=a&b5=%3D%253D&c%40=&c2=&oauth_consumer_key=9dj dj82h48djs9d2&oauth_nonce=7d8f3e4a&oauth_signature_method=HMAC-SHA1 &oauth_timestamp=137131201&oauth_token=kkk9d7dh3k39sjv7 .. _`section 3.4.1.3.2`: https://tools.ietf.org/html/rfc5849#section-3.4.1.3.2 z{0}={1}r )r r sortformatjoin)r)r3r4 key_valuesparameter_partss rnormalize_parametersrZFsd@FFvtqa%,,q/2v*F  // 9CC Y%%a+ /C / ""GDs 8BB cB[XRUR5$r1)sign_hmac_sha1 client_secretresource_owner_secretrclients rsign_hmac_sha1_with_clientras  %9%944 66rcUn[R"U=(d S5nUS- nU[R"U=(d S5- nURS5nURS5n[R"XV[ R 5n[R"UR55SSRS5$)a4**HMAC-SHA1** The "HMAC-SHA1" signature method uses the HMAC-SHA1 signature algorithm as defined in `RFC2104`_:: digest = HMAC-SHA1 (key, text) Per `section 3.4.2`_ of the spec. .. _`RFC2104`: https://tools.ietf.org/html/rfc2104 .. _`section 3.4.2`: https://tools.ietf.org/html/rfc5849#section-3.4.2 rr utf-8N) r r encodehmacnewhashlibsha1binascii b2a_base64digestdecoderr]r^textkeykey_utf8 text_utf8 signatures rr\r\s( $  ](b)#*# +1r 22#ZZ (kk'")hhxGLL9)   Y--/ 0" 5 < >#6#67G .rc[U[5(aURS5n[5n[ X!5nUR X5n[ R"U5SSRS5$)aA**RSA-SHA1** Per `section 3.4.3`_ of the spec. The "RSA-SHA1" signature method uses the RSASSA-PKCS1-v1_5 signature algorithm as defined in `RFC3447, Section 8.2`_ (also known as PKCS#1), using SHA-1 as the hash function for EMSA-PKCS1-v1_5. To use this method, the client MUST have established client credentials with the server that included its RSA public key (in a manner that is beyond the scope of this specification). .. _`section 3.4.3`: https://tools.ietf.org/html/rfc5849#section-3.4.3 .. _`RFC3447, Section 8.2`: https://tools.ietf.org/html/rfc3447#section-8.2 rcNrd) rrrer_prepare_key_plussignrjrkrm)rrsa_private_keyalgrpss r sign_rsa_sha1r$sd  \**$$W-K"$##/# hh{ !   Q  $ + +G 44rcdUR(d [S5e[XR5$)Nz4rsa_key is required when using RSA signature method.)rsa_keyrrr_s rsign_rsa_sha1_with_clientr=s$  K LL {NN 33rc[R"U=(d S5nUS- nU[R"U=(d S5- nU$)aSign a request using plaintext. Per `section 3.4.4`_ of the spec. The "PLAINTEXT" method does not employ a signature algorithm. It MUST be used with a transport-layer mechanism such as TLS or SSL (or sent over a secure channel with equivalent protections). It does not utilize the signature base string or the "oauth_timestamp" and "oauth_nonce" parameters. .. _`section 3.4.4`: https://tools.ietf.org/html/rfc5849#section-3.4.4 rr )r r )r]r^rss rsign_plaintextrCsD*ll=.B/) s)  u||17R88) rcB[URUR5$r1)rr]r^r_s rsign_plaintext_with_clientrfs ,,f.J.J KKrc[UR5n[UR5n[ UR XC5n[ XQU5n[X`R5nU(d[RSU5 U$)aVerify a HMAC-SHA1 signature. Per `section 3.4`_ of the spec. .. _`section 3.4`: https://tools.ietf.org/html/rfc5849#section-3.4 To satisfy `RFC2616 section 5.2`_ item 1, the request argument's uri attribute MUST be an absolute URI whose netloc part identifies the origin server or gateway on which the resource resides. Any Host item of the request argument's headers dict attribute will be ignored. .. _`RFC2616 section 5.2`: https://tools.ietf.org/html/rfc2616#section-5.2 z,Verify HMAC-SHA1 failed: sig base string: %s) rZr)r.r$rrr\rrslogdebug)requestr]r^ norm_paramsr$rrsmatchs rverify_hmac_sha1rjsf %W^^4+!'++.#%g&9&93L+[9NO) Y(9(9 :% IIVerify a RSASSA-PKCS #1 v1.5 base64 encoded signature. Per `section 3.4.3`_ of the spec. Note this method requires the jwt and cryptography libraries. .. _`section 3.4.3`: https://tools.ietf.org/html/rfc5849#section-3.4.3 To satisfy `RFC2616 section 5.2`_ item 1, the request argument's uri attribute MUST be an absolute URI whose netloc part identifies the origin server or gateway on which the resource resides. Any Host item of the request argument's headers dict attribute will be ignored. .. _`RFC2616 section 5.2`: https://tools.ietf.org/html/rfc2616#section-5.2 rcz+Verify RSA-SHA1 failed: sig base string: %s)rZr)r.r$rrrerj a2b_base64rsrrverifyrr) rrsa_public_keyrr$messagesigrrp verify_oks rverify_rsa_sha1rs"%W^^4+!'++.# !'"5"5s"- //5vg G--44W=>#"$##.#jjs+) II;WE rc~[X5n[X0R5nU(d[R S5 U$)zVerify a PLAINTEXT signature. Per `section 3.4`_ of the spec. .. _`section 3.4`: https://tools.ietf.org/html/rfc5849#section-3.4 zVerify PLAINTEXT failed)rrrsrr)rr]r^rsrs rverify_plaintextrs3]B) Y(9(9 :% II'( ,rr1)NN)(__doc__ __future__rrrjrhrfloggingoauthlib.commonrrrrrr r ImportError urllib.parseparse getLogger__name__rrr.rSrZrar\rvrurzrrrrrrrrrr<rrrs(9 (("!?DIEr"$#/3"' ~Ba#H6 /Fd8 /Fd 524 FL4! @ M"!"sB BB