3 e$@sddlZddlZddlZddlmZddlmZddlmZddlmZddl m Z ej e e fZejeZej ejeefZGdd d ZGd d d eZGd d d eZeeje dddZGdddZdS)N)_base64_alphabet) base64_decode) base64_encode) want_bytes) BadSignaturec@s6eZdZdZeeedddZeeeedddZdS) SigningAlgorithmzgSubclasses must implement :meth:`get_signature` to provide signature generation functionality. )keyvaluereturncCs tdS)z2Returns the signature for the given key and value.N)NotImplementedError)selfr r r;/tmp/pip-build-3irwxpxt/itsdangerous/itsdangerous/signer.py get_signatureszSigningAlgorithm.get_signature)r r sigr cCstj||j||S)zMVerifies the given signature matches the expected signature. )hmaccompare_digestr)r r r rrrrverify_signaturesz!SigningAlgorithm.verify_signatureN)__name__ __module__ __qualname____doc__bytesrboolrrrrrrsrc@s"eZdZdZeeedddZdS) NoneAlgorithmz`Provides an algorithm that does not perform any signing and returns an empty signature. )r r r cCsdS)Nr)r r r rrrr%szNoneAlgorithm.get_signatureN)rrrrrrrrrrr src@sFeZdZUdZeejZej d ej dddZ e e e dddZ dS) HMACAlgorithmz*Provides signature generation using HMACs.N) digest_methodcCs|dkr|j}||_dS)N)default_digest_methodr)r rrrr__init__1szHMACAlgorithm.__init__)r r r cCstj|||jd}|jS)N)msg digestmod)rnewrdigest)r r r macrrrr7szHMACAlgorithm.get_signature)N) rrrr staticmethodhashlibsha1r_tAnyr rrrrrrr)s r) secret_keyr cCs&t|ttfrt|gSdd|DS)NcSsg|] }t|qSr)r).0srrr @sz#_make_keys_list..) isinstancestrrr)r+rrr_make_keys_list<s r1c@seZdZUdZeejZej dZ e  de e eeje ejej ejedddZeed d d Zde ed d dZeedddZeedddZeeedddZeedddZeedddZdS)SigneraA signer securely signs bytes, then unsigns them to verify that the value hasn't been changed. The secret key should be a random string of ``bytes`` and should not be saved to code or version control. Different salts should be used to distinguish signing in different contexts. See :doc:`/concepts` for information about the security of the secret key and salt. :param secret_key: The secret key to sign and verify with. Can be a list of keys, oldest to newest, to support key rotation. :param salt: Extra key to combine with ``secret_key`` to distinguish signatures in different contexts. :param sep: Separator between the signature and value. :param key_derivation: How to derive the signing key from the secret key and salt. Possible values are ``concat``, ``django-concat``, or ``hmac``. Defaults to :attr:`default_key_derivation`, which defaults to ``django-concat``. :param digest_method: Hash function to use when generating the HMAC signature. Defaults to :attr:`default_digest_method`, which defaults to :func:`hashlib.sha1`. Note that the security of the hash alone doesn't apply when used intermediately in HMAC. :param algorithm: A :class:`SigningAlgorithm` instance to use instead of building a default :class:`HMACAlgorithm` with the ``digest_method``. .. versionchanged:: 2.0 Added support for key rotation by passing a list to ``secret_key``. .. versionchanged:: 0.18 ``algorithm`` was added as an argument to the class constructor. .. versionchanged:: 0.14 ``key_derivation`` and ``digest_method`` were added as arguments to the class constructor. z django-concatitsdangerous.Signer.N)r+saltsepkey_derivationr algorithmcCst||_t||_|jtkr&td|dk r8t|}nd}||_|dkrP|j}||_|dkrd|j }||_ |dkr|t |j }||_ dS)NzThe given separator cannot be used because it may be contained in the signature itself. ASCII letters, digits, and '-_=' must not be used.sitsdangerous.Signer) r1 secret_keysrr6r ValueErrorr5default_key_derivationr7rrrr8)r r+r5r6r7rr8rrrr xs$     zSigner.__init__)r cCs |jdS)zThe newest (last) entry in the :attr:`secret_keys` list. This is for compatibility from before key rotation support was added. r)r9)r rrrr+szSigner.secret_key)r+r cCs|dkr|jd }nt|}|jdkrBtjt|j|j|jS|jdkrltjt|j|jd|jS|jdkrt j ||jd}|j |j|jS|jdkr|St d dS) aThis method is called to derive the key. The default key derivation choices can be overridden here. Key derivation is not intended to be used as a security method to make a complex key out of a short password. Instead you should use large random secret keys. :param secret_key: A specific secret key to derive from. Defaults to the last item in :attr:`secret_keys`. .. versionchanged:: 2.0 Added the ``secret_key`` parameter. Nrconcatz django-concatssignerr)r"nonezUnknown key derivation methodr<) r9rr7r)castrrr5r$rr#update TypeError)r r+r%rrr derive_keys       zSigner.derive_key)r r cCs&t|}|j}|jj||}t|S)z*Returns the signature for the given value.)rrBr8rr)r r r rrrrrszSigner.get_signaturecCst|}||j|j|S)zSigns the given string.)rr6r)r r rrrsignsz Signer.sign)r rr c Cs`y t|}Wntk r dSXt|}x0t|jD]"}|j|}|jj|||r6dSq6WdS)z+Verifies the signature for the given value.FT)r Exceptionrreversedr9rBr8r)r r rr+r rrrrs  zSigner.verify_signature) signed_valuer cCs^t|}|j|kr$td|jd|j|jd\}}|j||rF|Std|d|ddS)zUnsigns the given string.zNo z found in valuerz Signature z does not match)payloadN)rr6rrsplitr)r rFr rrrrunsigns  z Signer.unsignc Cs(y|j|dStk r"dSXdS)znOnly validates the given signed value. Returns ``True`` if the signature exists and is valid. TFN)rIr)r rFrrrvalidates  zSigner.validate)r3r4NNN)N)rrrrr&r'r(rr)r*r;r0 _t_secret_key_t_opt_str_bytes _t_str_bytesOptionalrr propertyrr+rBrrCrrrIrJrrrrr2Cs $.'!r2)r'rtypingr)encodingrrrrexcrUnionr0rrMrNrLIterablerKrrrListr1r2rrrrs