Ë
    ÔópiÛD  ã                   ó&  — U d Z ddlZddlZddlZddlZddlZddlmZmZm	Z	m
Z
mZmZmZmZmZ ddlmZ ddlmZ ddlmZ ddlmZ dd	lmZmZ dd
lmZ  G d„ ded¬«      Zej<                  ej<                  ej>                  ej>                  ej@                  ej@                  ej@                  ej@                  ejB                  ejB                  ejB                  ejB                  dœZ"ee#ee$gdf   f   e%d<    ejL                  ejN                  dk  rdnd«      Z(dZ)e	eed   df      e%d<    e* e+e"jY                  «       «      «      Z-e	ee#df      e%d<    e.h d£«      Z/e	e
e#      e%d<   de#de#fd„Z0de#de#fd„Z1de#dee#e#f   fd „Z2 G d!„ d"«      Z3y)#av  
Digest authentication middleware for aiohttp client.

This middleware implements HTTP Digest Authentication according to RFC 7616,
providing a more secure alternative to Basic Authentication. It supports all
standard hash algorithms including MD5, SHA, SHA-256, SHA-512 and their session
variants, as well as both 'auth' and 'auth-int' quality of protection (qop) options.
é    N)	ÚCallableÚDictÚFinalÚ	FrozenSetÚListÚLiteralÚTupleÚ	TypedDictÚUnion)ÚURLé   )Úhdrs)ÚClientError)ÚClientHandlerType)ÚClientRequestÚClientResponse)ÚPayloadc                   óT   — e Zd ZU eed<   eed<   eed<   eed<   eed<   eed<   eed<   y)	ÚDigestAuthChallengeÚrealmÚnonceÚqopÚ	algorithmÚopaqueÚdomainÚstaleN)Ú__name__Ú
__module__Ú__qualname__ÚstrÚ__annotations__© ó    úg/opt/services/ai/voice_agent/venv/lib/python3.12/site-packages/aiohttp/client_middleware_digest_auth.pyr   r   $   s%   … ØƒJØƒJØ	ƒHØƒNØƒKØƒKØ„Jr#   r   F)Útotal)ÚMD5zMD5-SESSÚSHAzSHA-SESSÚSHA256zSHA256-SESSzSHA-256zSHA-256-SESSÚSHA512zSHA512-SESSzSHA-512zSHA-512-SESSzhashlib._HashÚDigestFunctions)é   é   z:(?:^|\s|,\s*)(\w+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))z>(?:^|\s|,\s*)((?>\w+))\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+)))r   r   r   r   r   r   r   .ÚCHALLENGE_FIELDSÚSUPPORTED_ALGORITHMS>   Úurir   r   Úcnoncer   ÚresponseÚusernameÚQUOTED_AUTH_FIELDSÚvalueÚreturnc                 ó&   — | j                  dd«      S )z,Escape double quotes for HTTP header values.ú"ú\"©Úreplace©r4   s    r$   Úescape_quotesr<   u   s   € à=‰=˜˜eÓ$Ð$r#   c                 ó&   — | j                  dd«      S )z-Unescape double quotes in HTTP header values.r8   r7   r9   r;   s    r$   Úunescape_quotesr>   z   s   € à=‰=˜ Ó$Ð$r#   Úheaderc           	      ó¦   — t         j                  | «      D ci c](  \  }}}|j                  «       x}r||rt        |«      n|“Œ* c}}}S c c}}}w )a  
    Parse key-value pairs from WWW-Authenticate or similar HTTP headers.

    This function handles the complex format of WWW-Authenticate header values,
    supporting both quoted and unquoted values, proper handling of commas in
    quoted values, and whitespace variations per RFC 7616.

    Examples of supported formats:
      - key1="value1", key2=value2
      - key1 = "value1" , key2="value, with, commas"
      - key1=value1,key2="value2"
      - realm="example.com", nonce="12345", qop="auth"

    Args:
        header: The header value string to parse

    Returns:
        Dictionary mapping parameter names to their values
    )Ú_HEADER_PAIRS_PATTERNÚfindallÚstripr>   )r?   ÚkeyÚ
quoted_valÚunquoted_valÚstripped_keys        r$   Úparse_header_pairsrH      sZ   € ô, .C×-JÑ-JÈ6Ó-R÷ð á)ˆC˜\ØŸI™I›KÐ'ˆLÐ'ð 	±Z”o jÔ1À\ÑQôð ùô s   š-Ac            	       óˆ   — e Zd ZdZ	 ddedededdfd„Zded	ed
ee	e
d   f   defd„Zd	edefd„Zdedefd„Zdededefd„Zy)ÚDigestAuthMiddlewarea  
    HTTP digest authentication middleware for aiohttp client.

    This middleware intercepts 401 Unauthorized responses containing a Digest
    authentication challenge, calculates the appropriate digest credentials,
    and automatically retries the request with the proper Authorization header.

    Features:
    - Handles all aspects of Digest authentication handshake automatically
    - Supports all standard hash algorithms:
      - MD5, MD5-SESS
      - SHA, SHA-SESS
      - SHA256, SHA256-SESS, SHA-256, SHA-256-SESS
      - SHA512, SHA512-SESS, SHA-512, SHA-512-SESS
    - Supports 'auth' and 'auth-int' quality of protection modes
    - Properly handles quoted strings and parameter parsing
    - Includes replay attack protection with client nonce count tracking
    - Supports preemptive authentication per RFC 7616 Section 3.6

    Standards compliance:
    - RFC 7616: HTTP Digest Access Authentication (primary reference)
    - RFC 2617: HTTP Authentication (deprecated by RFC 7616)
    - RFC 1945: Section 11.1 (username restrictions)

    Implementation notes:
    The core digest calculation is inspired by the implementation in
    https://github.com/requests/requests/blob/v2.18.4/requests/auth.py
    with added support for modern digest auth features and error handling.
    ÚloginÚpasswordÚ
preemptiver5   Nc                 ó  — |€t        d«      ‚|€t        d«      ‚d|v rt        d«      ‚|| _        |j                  d«      | _        |j                  d«      | _        d| _        d| _        i | _        || _        g | _	        y )Nz"None is not allowed as login valuez%None is not allowed as password valueú:z8A ":" is not allowed in username (RFC 1945#section-11.1)úutf-8r#   r   )
Ú
ValueErrorÚ
_login_strÚencodeÚ_login_bytesÚ_password_bytesÚ_last_nonce_bytesÚ_nonce_countÚ
_challengeÚ_preemptiveÚ_protection_space)ÚselfrK   rL   rM   s       r$   Ú__init__zDigestAuthMiddleware.__init__¹   sŠ   € ð ˆ=ÜÐAÓBÐBàÐÜÐDÓEÐEà%‰<ÜÐWÓXÐXà&+ˆŒØ*/¯,©,°wÓ*?ˆÔØ-5¯_©_¸WÓ-EˆÔà!$ˆÔØˆÔØ/1ˆŒØ!+ˆÔà,.ˆÕr#   ÚmethodÚurlÚbodyr#   c           
   ƒ   óð  ‡#‡$K  — | j                   }d|vrt        d«      ‚d|vrt        d«      ‚|d   }|d   }|st        d«      ‚|j                  dd«      }|j                  dd	«      }|j                  «       }	|j                  d
d«      }
|j	                  d«      }|j	                  d«      }t        |«      j                  }d}d}|rxddhj                  |j                  d«      D ch c]#  }|j                  «       sŒ|j                  «       ’Œ% c}«      }|st        d|› «      ‚d|v rdnd}|j	                  d«      }|	t        vr$t        d|	› ddj                  t        «      › «      ‚t        |	   Š$dt        dt        fˆ$fd„Š#dt        dt        dt        fˆ#fd„}dj                  | j                  || j                  f«      }|j                  «       › d|› j	                  «       }|dk(  rFt!        |t"        «      r|j%                  «       ƒ d{  –—† }n|} ‰#|«      }dj                  ||f«      } ‰#|«      } ‰#|«      }|| j&                  k(  r| xj(                  dz  c_        nd| _        || _        | j(                  d›}|j	                  d«      }t+        j,                  dj                  t/        | j(                  «      j	                  d«      |t1        j2                  «       j	                  d«      t5        j6                  d«      g«      «      j9                  «       dd  }|j	                  d«      }|	j                  «       j;                  d!«      r ‰#dj                  |||f«      «      }|r dj                  |||||f«      } |||«      }n ||dj                  ||f«      «      }t=        | j>                  «      t=        |«      t=        |«      ||jA                  «       |d"œ}|
rt=        |
«      |d
<   |r||d<   ||d#<   ||d$<   g } |jC                  «       D ];  \  }!}"|!tD        v r| jG                  |!› d%|"› d&«       Œ&| jG                  |!› d'|"› «       Œ= d(dj                  | «      › S c c}w 7 Œ`­w))aÕ  
        Build digest authorization header for the current challenge.

        Args:
            method: The HTTP method (GET, POST, etc.)
            url: The request URL
            body: The request body (used for qop=auth-int)

        Returns:
            A fully formatted Digest authorization header string

        Raises:
            ClientError: If the challenge is missing required parameters or
                         contains unsupported values

        r   z:Malformed Digest auth challenge: Missing 'realm' parameterr   z:Malformed Digest auth challenge: Missing 'nonce' parameterzBSecurity issue: Digest auth challenge contains empty 'nonce' valuer   Ú r   r&   r   rP   r#   Úauthzauth-intú,zEDigest auth error: Unsupported Quality of Protection (qop) value(s): z/Digest auth error: Unsupported hash algorithm: z. Supported algorithms: z, Úxr5   c                 óL   •—  ‰| «      j                  «       j                  «       S )z<RFC 7616 Section 3: Hash function H(data) = hex(hash(data)).)Ú	hexdigestrS   )rd   Úhash_fns    €r$   ÚHz'DigestAuthMiddleware._encode.<locals>.H  s   ø€ á˜1“:×'Ñ'Ó)×0Ñ0Ó2Ð2r#   ÚsÚdc                 ó6   •—  ‰dj                  | |f«      «      S )zDRFC 7616 Section 3: KD(secret, data) = H(concat(secret, ":", data)).ó   :)Újoin)ri   rj   rh   s     €r$   ÚKDz(DigestAuthMiddleware._encode.<locals>.KD   s   ø€ áT—Y‘Y  1˜vÓ&Ó'Ð'r#   rl   rO   Nr   Ú08xé   é   z-SESS)r2   r   r   r/   r1   r   Úncr0   z="r7   ú=zDigest )$rX   r   ÚgetÚupperrS   r   Úpath_qsÚintersectionÚsplitrC   r*   rm   r.   ÚbytesrT   rU   Ú
isinstancer   Úas_bytesrV   rW   ÚhashlibÚsha1r    ÚtimeÚctimeÚosÚurandomrf   Úendswithr<   rR   ÚdecodeÚitemsr3   Úappend)%r[   r]   r^   r_   Ú	challenger   r   Úqop_rawÚalgorithm_originalr   r   Únonce_bytesÚrealm_bytesÚpathr   Ú	qop_bytesÚqÚ
valid_qopsrn   ÚA1ÚA2Úentity_bytesÚentity_hashÚHA1ÚHA2ÚncvalueÚncvalue_bytesr0   Úcnonce_bytesÚnoncebitÚresponse_digestÚheader_fieldsÚpairsÚfieldr4   rh   rg   s%                                      @@r$   Ú_encodezDigestAuthMiddleware._encodeÓ   sŸ  ùè ø€ ð& —O‘Oˆ	Ø˜)Ñ#ÜØLóð ð ˜)Ñ#ÜØLóð ð
 ˜'Ñ"ˆØ˜'Ñ"ˆñ ÜØTóð ð —-‘-  rÓ*ˆà&Ÿ]™]¨;¸Ó>ÐØ&×,Ñ,Ó.ˆ	Ø—‘˜x¨Ó,ˆð —l‘l 7Ó+ˆØ—l‘l 7Ó+ˆÜ3‹x×Ñˆð ˆØˆ	ÙØ  *Ð-×:Ñ:Ø$+§M¡M°#Ó$6ÖD˜q¸!¿'¹'½)—‘•ÒDóˆJñ Ü!Ø[Ð\cÐ[dÐeóð ð !+¨jÑ 8‘*¸fˆCØŸ
™
 7Ó+ˆIàœOÑ+ÜØAÀ)Àð M)Ø)-¯©Ô3GÓ)HÐ(IðKóð ô )¨Ñ3ˆð	3”ð 	3œ5õ 	3ð	(”%ð 	(œEð 	(¤eõ 	(ð
 Y‰Y˜×)Ñ)¨;¸×8LÑ8LÐMÓNˆØ—‘“Ð˜q  Ð'×.Ñ.Ó0ˆØ*ÒÜ˜$¤Ô(Ø%)§]¡]£_×4‘à#Ù˜L›/ˆKØ—‘˜B Ð,Ó-ˆBá‹eˆÙ‹eˆð ˜$×0Ñ0Ò0Ø×Ò Ñ"Öà !ˆDÔà!,ˆÔØ×&Ñ& sÐ+ˆØŸ™ wÓ/ˆô —‘ØH‰Hä˜×)Ñ)Ó*×1Ñ1°'Ó:ØÜ—J‘J“L×'Ñ'¨Ó0Ü—J‘J˜q“Mð	óó	
÷ ‰)‹+crð	ˆð —}‘} WÓ-ˆð ?‰?Ó×%Ñ% gÔ.ÙD—I‘I˜s K°Ð>Ó?Ó@ˆCñ Ø—y‘yØ˜m¨\¸9ÀcÐJóˆHñ !  hÓ/‰Oá   d§i¡i°¸cÐ0BÓ&CÓDˆOô & d§o¡oÓ6Ü" 5Ó)Ü" 5Ó)ØØ'×.Ñ.Ó0Ø+ñ
ˆñ Ü&3°FÓ&;ˆM˜(Ñ#ñ Ø#&ˆM˜%Ñ Ø")ˆM˜$ÑØ&,ˆM˜(Ñ#ð ˆØ)×/Ñ/Ó1ò 	1‰LˆE5ØÔ*Ñ*Ø—‘ ˜w b¨¨¨qÐ1Õ2à—‘ ˜w a¨ wÐ/Õ0ð		1ð ˜Ÿ™ 5Ó)Ð*Ð+Ð+ùòS Eð<  5ûs&   „C%Q6Ã)Q.Ã?Q.ÄDQ6ÈQ3ÈI Q6c                 óÈ   — t        |«      }| j                  D ]H  }|j                  |«      sŒt        |«      t        |«      k(  s|d   dk(  r y|t        |«         dk(  sŒH y y)zô
        Check if the given URL is within the current protection space.

        According to RFC 7616, a URI is in the protection space if any URI
        in the protection space is a prefix of it (after both have been made absolute).
        éÿÿÿÿú/TF)r    rZ   Ú
startswithÚlen)r[   r^   Úrequest_strÚ	space_strs       r$   Ú_in_protection_spacez)DigestAuthMiddleware._in_protection_spacev  sk   € ô ˜#“hˆØ×/Ñ/ò 		ˆIà×)Ñ)¨)Ô4Øä;Ó¤3 y£>Ò1°Y¸r±]ÀcÒ5IÙàœ3˜y›>Ñ*¨cÓ1Ùð		ð r#   r1   c           
      óP  — |j                   dk7  ry|j                  j                  dd«      }|sy|j                  d«      \  }}}|sy|j	                  «       dk7  ry|syt        |«      x}syi | _        t        D ]%  }|j                  |«      x}sŒ|| j                  |<   Œ' |j                  j                  «       }	| j                  j                  d«      x}
r©g | _
        |
j                  «       D ]Ž  }|j                  d«      }|j                  d	«      r=| j                  j                  t        |	j!                  t#        |«      «      «      «       Œb| j                  j                  t        t#        |«      «      «       Œ nt        |	«      g| _
        t%        | j                  «      S )
zŠ
        Takes the given response and tries digest-auth, if needed.

        Returns true if the original request must be resent.
        i‘  Fzwww-authenticatera   ú Údigestr   r7   r    )ÚstatusÚheadersrt   Ú	partitionÚlowerrH   rX   r-   r^   ÚoriginrZ   rx   rC   r¡   r…   r    rm   r   Úbool)r[   r1   Úauth_headerr]   Úseprª   Úheader_pairsrœ   r4   r­   r   r/   s               r$   Ú_authenticatez"DigestAuthMiddleware._authenticateŠ  s‚  € ð ?‰?˜cÒ!Øà×&Ñ&×*Ñ*Ð+=¸rÓBˆÙØà*×4Ñ4°SÓ9ÑˆWÙàà<‰<‹>˜XÒ%àáàô !3°7Ó ;Ð;Ð;àð ˆŒÜ%ò 	/ˆEØ$×(Ñ(¨Ó/Ð/ˆuÑ/Ø).—‘ Ò&ð	/ð
 —‘×$Ñ$Ó&ˆà—_‘_×(Ñ(¨Ó2Ð2ˆ6Ð2à%'ˆDÔ"Ø—|‘|“~ò Aà—i‘i “nØ—>‘> #Ô&à×*Ñ*×1Ñ1´#°f·k±kÄ#ÀcÃ(Ó6KÓ2LÕMð ×*Ñ*×1Ñ1´#´c¸#³h³-Õ@ñAô '*¨&£k ]ˆDÔ"ô D—O‘OÓ$Ð$r#   ÚrequestÚhandlerc              ƒ   ó   K  — d}t        d«      D ]±  }|dkD  s3| j                  r{| j                  ro| j                  |j                  «      rT| j                  |j                  |j                  |j                  «      ƒ d{  –—† |j                  t        j                  <    ||«      ƒ d{  –—† }| j                  |«      rŒ± n |€J ‚|S 7 ŒJ7 Œ!­w)zRun the digest auth middleware.Né   r   )ÚrangerY   rX   r¥   r^   r   r]   r_   rª   r   ÚAUTHORIZATIONr²   )r[   r³   r´   r1   Úretry_counts        r$   Ú__call__zDigestAuthMiddleware.__call__Å  sÀ   è ø€ ð ˆÜ  ›8ò 	ˆKð ˜QŠØ× Ò Ø—O’OØ×-Ñ-¨g¯k©kÔ:à<@¿L¹LØ—N‘N G§K¡K°·±ó=÷ 7—‘¤× 2Ñ 2Ñ3ñ
 % WÓ-×-ˆHð ×%Ñ% hÕ/Ùð%	ð* Ð#Ð#Ð#Øˆð7øð
 .ús*   ‚A=CÁ?C
Â *CÂ*CÂ+CÃ
CÃC)T)r   r   r   Ú__doc__r    r®   r\   r   r   r   r   r   r¥   r   r²   r   r   rº   r"   r#   r$   rJ   rJ   š   sµ   „ ñðD  ñ	/àð/ð ð/ð ð	/ð
 
ó/ð4a,Øða,Ø #ða,Ø+0°¸'À#¹,Ð1FÑ+Gða,à	óa,ðF¨ð °ó ð(9% nð 9%¸ó 9%ðvØ$ðØ/@ðà	ôr#   rJ   )4r»   r|   r€   ÚreÚsysr~   Útypingr   r   r   r   r   r   r	   r
   r   Úyarlr   ra   r   Úclient_exceptionsr   Úclient_middlewaresr   Úclient_reqrepr   r   Úpayloadr   r   Úmd5r}   Úsha256Úsha512r*   r    ry   r!   ÚcompileÚversion_inforA   r-   ÚtupleÚsortedÚkeysr.   Ú	frozensetr3   r<   r>   rH   rJ   r"   r#   r$   ú<module>rÍ      s¸  ðòó Û 	Û 	Û 
Û ÷
÷ 
õ 
õ å Ý *Ý 1ß 8Ý ô˜)¨5õ ð ;‰;Ø—‘Ø<‰<Ø—‘Øn‰nØ—>‘>Ø~‰~Ø—N‘NØn‰nØ—>‘>Ø~‰~Ø—N‘NñB€c˜8 U G¨_Ð$<Ñ=Ð=Ñ>ó ð" #˜Ÿ
™
à
×Ñ˜'Ò!ñ Bà	JóÐ ð<ð	 %Ø	ØÐQÑRÐTWÐWññó ñ  05±V¸O×<PÑ<PÓ<RÓ5SÓ/TÐ e˜E # s (™OÑ,Ó Tñ -6ÚIó-Ð E˜) C™.Ñ)ó ð
%˜ð % ó %ð
%˜3ð % 3ó %ð
˜sð  t¨C°¨H¡~ó ÷6Fò Fr#   