hIdZddlmZmZmZddlmZddlZddlZddl Z ddl Z e je Z ddlZddlZddlZddlZddlZer ddlmZmZmZmZnddlmZmZddlmZmZddlmZ dd lmZddlZ ddl!Z dd l"m#Z$[ dd l'm(Z(dd l)m*Z*m+Z+m,Z,m-Z-ddl.m/Z/m0Z0m1Z1m2Z2m3Z3m4Z4m5Z5m6Z6ddl7m8Z8m9Z9m:Z:ddlm;Z;mZ>m?Z?m@Z@mAZAmBZBmCZCmDZDddlEmFZFmGZGddlHmIZImJZJmKZKddlLmMZMgdZNejdkr.ddlmPZPdePvr#ePjde jMd[Peje;dejZTgdZUdZVd-dZWdZXeYe$ZZejdZ[Gdd e\Z]ejd!jZ`ejd"jZbd#ZcGd$d%e\ZdGd&d'e4ZeGd(d)e4Zfd*e8dd+fd,Zgy#e%$re jMd dxZ$ZYywxYw).z@passlib.totp -- TOTP / RFC6238 / Google Authenticator utilities.)absolute_importdivisionprint_function)PY3N)urlparse parse_qslquoteunquote)r r )rr)warn)default_backend)ciphersz=can't import 'cryptography' package, totp encryption disabled)exc) TokenErrorMalformedTokenErrorInvalidTokenErrorUsedTokenError) to_unicodeto_bytesconsteq getrandbytesrng SequenceMixin xor_bytes getrandstr) BASE64_CHARS b32encode b32decode) uunicodenative_string_types bascii_to_str int_types num_typesirangebyte_elem_value UnicodeIOsuppress_cause) hybrid_methodmemoized_property) lookup_hash compile_hmac pbkdf2_hmac) pbkdf2_sha256) AppWalletTOTPrrrr TotpToken TotpMatch)) uses_queryotpauthz4registered 'otpauth' scheme with urlparse.uses_queryz\s|[-=])r4cztD] }||zr |cStd}d}tD]}||z|kDs |}||z}|S)zb helper for group_string() -- calculates optimal size of group for given string size. r) _chunk_sizes)klensizebestrems N/var/www/html/Resume-Scraper/venv/lib/python3.12/site-packages/passlib/totp.py_get_group_sizer@Ys_ d{K ?D C $; D+C Kc~t}t||jfdtd|DS)z reformat string into (roughly) evenly-sized groups, separated by **sep**. useful for making tokens & keys easier to read by humans. c3.K|] }||zywN).0or<values r? zgroup_string..ssCE!AdFOCsr)lenr@joinr$)rHsepr;r<s` @r? group_stringrMls6 u:D 4 D 88CVAtT-BC CCrAcX|dk(r)t|tstj|dd|St |d}t j d|jd}|dk(s|dk(r#tj|jS|d k(r t|Std |) zR internal TOTP() helper -- decodes key according to specified format. rawbyteskeyparamzutf-8hexbase16base32unknown byte-encoding format: ) isinstancerPrExpectedTypeErrorr _clean_resubencodebase64 b16decodeupperr ValueErrorrQformats r? _decode_bytesrdys #u%''We< <  S &C --C ' ' 0C &H, ,, 8 ~vGHHrAz(?i)^[a-z0-9][a-z0-9_.-]*$cleZdZdZdZdZdZdZ d dZdZ dZ e dZ d Z edd Zd Zd Zy)r.a This class stores application-wide secrets that can be used to encrypt & decrypt TOTP keys for storage. It's mostly an internal detail, applications usually just need to pass ``secrets`` or ``secrets_path`` to :meth:`TOTP.using`. .. seealso:: :ref:`totp-storing-instances` for more details on this workflow. Arguments ========= :param secrets: Dict of application secrets to use when encrypting/decrypting stored TOTP keys. This should include a secret to use when encrypting new keys, but may contain additional older secrets to decrypt existing stored keys. The dict should map tags -> secrets, so that each secret is identified by a unique tag. This tag will be stored along with the encrypted key in order to determine which secret should be used for decryption. Tag should be string that starts with regex range ``[a-z0-9]``, and the remaining characters must be in ``[a-z0-9_.-]``. It is recommended to use something like a incremental counter ("1", "2", ...), an ISO date ("2016-01-01", "2016-05-16", ...), or a timestamp ("19803495", "19813495", ...) when assigning tags. This mapping be provided in three formats: * A python dict mapping tag -> secret * A JSON-formatted string containing the dict * A multiline string with the format ``"tag: value\ntag: value\n..."`` (This last format is mainly useful when loading from a text file via **secrets_path**) .. seealso:: :func:`generate_secret` to create a secret with sufficient entropy :param secrets_path: Alternately, callers can specify a separate file where the application-wide secrets are stored, using either of the string formats described in **secrets**. :param default_tag: Specifies which tag in **secrets** should be used as the default for encrypting new keys. If omitted, the tags will be sorted, and the largest tag used as the default. if all tags are numeric, they will be sorted numerically; otherwise they will be sorted alphabetically. this permits tags to be assigned numerically, or e.g. using ``YYYY-MM-DD`` dates. :param encrypt_cost: Optional time-cost factor for key encryption. This value corresponds to log2() of the number of PBKDF2 rounds used. .. warning:: The application secret(s) should be stored in a secure location by your application, and each secret should contain a large amount of entropy (to prevent brute-force attacks if the encrypted keys are leaked). :func:`generate_secret` is provided as a convenience helper to generate a new application secret of suitable size. Best practice is to load these values from a file via **secrets_path**, and then have your application give up permission to read this file once it's running. Public Methods ============== .. autoattribute:: has_secrets .. autoattribute:: default_tag Semi-Private Methods ==================== The following methods are used internally by the :class:`TOTP` class in order to encrypt & decrypt keys using the provided application secrets. They will generally not be publically useful, and may have their API changed periodically. .. automethod:: get_secret .. automethod:: encrypt_key .. automethod:: decrypt_key Ncv|)t|tr t|}|dk\sJ||_|'| t dt |dj }|j|x}|_|rK||j|n/td|Drt|t}n t|}||_ yy)Nrz3'secrets' and 'secrets_path' are mutually exclusivertc3<K|]}|jywrD)isdigit)rFtags r?rIz%AppWallet.__init__..)s6sS[[]6s)rQ) rYr int encrypt_cost TypeErroropenread_parse_secrets_secrets get_secretallmax default_tag)selfsecretsrwrn secrets_paths r?__init__zAppWallet.__init__s  #,(;<"<0 1$ $ ,D   #" UVV<.335G#'"5"5g">>$- & ,6g66!'s3 !'l *D  rAc`d}t|trV|jjdrt j |}n!d|vrd|vrd}||}d}n t d|iSt|tr|j}n |r tdtfd |DS) zf parse 'secrets' parameter :returns: Dict[tag:str, secret:bytes] T)[{ :c3K|jD]^}|j}|s|jdr(|jdd\}}|j|jf`yw)N#r) splitlinesstrip startswithsplit)sourcelinerlsecrets r? iter_pairsz,AppWallet._parse_secrets..iter_pairsAsb & 1 1 3>#zz|(<*.**S!*s&A5A5:A5Fz"unrecognized secrets string formatz+'secrets' must be mapping, or list of itemsc3HK|]\}}j||ywrD)_parse_secret_pair)rFrlrHrxs r?rIz+AppWallet._parse_secrets..Ws*."U++C7.s") rYr lstriprjsonloadsradictitemsro)rxr check_typers` r?rrzAppWallet._parse_secrets/s f1 2}}))*5F+C6M> $F+"  !EFF >I  %\\^FIJ J.&,.. .rAc&t|trn*t|tr t|}nt d|t j |std|t|tst|d|}|std|||fS)Nztag must be unicode/string: z!tag contains invalid characters: zsecret rRztag contains empty secret: ) rYr rmstrro_tag_rematchrarPr)rxrlrHs r?rzAppWallet._parse_secret_pairZs c. /  S !c(CEF F}}S!cKL L%'U*>?EEF FEzrAc|jduS)z2whether at least one application secret is presentN)rwrxs r? has_secretszAppWallet.has_secretsmst++rAc|j}|s td ||S#t$rttd|wxYw)zh resolve a secret tag to the secret (as bytes). throws a KeyError if not found. z!no application secrets configuredzunknown secret tag: )rsKeyErrorr')rxrlrys r?rtzAppWallet.get_secretrsP -->? ? N3<  N c*K!LM M Ns  !Act tdtd||d|zd}tjtjj |ddtj j|ddt}|r|jn|j}|j||jzS)a& Internal helper for :meth:`encrypt_key` -- handles lowlevel encryption/decryption. Algorithm details: This function uses PBKDF2-HMAC-SHA256 to generate a 32-byte AES key and a 16-byte IV from the application secret & random salt. It then uses AES-256-CTR to encrypt/decrypt the TOTP key. CTR mode was chosen over CBC because the main attack scenario here is that the attacker has stolen the database, and is trying to decrypt a TOTP key (the plaintext value here). To make it hard for them, we want every password to decrypt to a potentially valid key -- thus need to avoid any authentication or padding oracle attacks. While some random padding construction could be devised to make this work for CBC mode, a stream cipher mode is just plain simpler. OFB/CFB modes would also work here, but seeing as they have malleability and cyclic issues (though remote and barely relevant here), CTR was picked as the best overall choice. NzITOTP encryption requires 'cryptography' package (https://cryptography.io)sha256r0)saltroundskeylen ) _cg_ciphers RuntimeErrorr,Cipher algorithmsAESmodesCTR_cg_default_backend decryptor encryptorupdatefinalize)rHrrcostdecryptkeyivcipherctxs r?_cipher_aes_keyzAppWallet._cipher_aes_keys.   ;< < Hf4dTVW##K$:$:$>$>uSbz$J$/$5$5$9$9%*$E$7$9;%,f 1A1A1Czz% 3<<>11rAc $|s tdtt|j}|j}|j }|s t d|j||j|||}td||t|t|S)a0 Helper used to encrypt TOTP keys for storage. :param key: TOTP key to encrypt, as raw bytes. :returns: dict containing encrypted TOTP key & configuration parameters. this format should be treated as opaque, and potentially subject to change, though it is designed to be easily serialized/deserialized (e.g. via JSON). .. note:: This function requires installation of the external `cryptography `_ package. To give some algorithm details: This function uses AES-256-CTR to encrypt the provided data. It takes the application secret and randomly generated salt, and uses PBKDF2-HMAC-SHA256 to combine them and generate the AES key & IV. zno key providedz8no application secrets configured, can't encrypt OTP keyr)vctsk) rarr salt_sizernrwrorrtrr)rxrQrrrlckeys r? encrypt_keyzAppWallet.encrypt_keys,./ /C0  VW W##C)=tTJa43)D/Yt_MMrAcbt|ts td|jdd}d}|dk(r |j}nt d||d}|d}|t |d |j|t |d | }||jk7s||jk7rd }||fS) a Helper used to decrypt TOTP keys from storage format. Consults configured secrets to decrypt key. :param source: source object, as returned by :meth:`encrypt_key`. :returns: ``(key, needs_recrypt)`` -- **key** will be the decrypted key, as bytes. **needs_recrypt** will be a boolean flag indicating whether encryption cost or default tag is too old, and henace that key needs re-encrypting before storing. .. note:: This function requires installation of the external `cryptography `_ package. z'enckey' must be dictionaryrNFrz)missing / unrecognized 'enckey' version: rrrr)rHrrrT) rYrrogetrrarrtrnrw)rxenckeyversion needs_recrypt _cipher_keyrlrrQs r? decrypt_keyzAppWallet.decrypt_keys,&$'9: :**S$' a<..KgWX XSkc{F3K(??3'6#;'   4$$ $t/?/?(? MM!!rA)NNNN)F)__name__ __module__ __qualname____doc__rrnrsrwr{rrrpropertyrrt staticmethodrrrrErAr?r.r.s{WzI LHK EI"'+R).V &,, N"#2#2JNB("rAr.z>Qz>IsceZdZdZdZdxZZdZejZ dZ dZ dZ dZdZdZdZdZdZe d.d Zed Z d/fd Zed0d Zed ZedZedZej<dZedZej<dZedZ edZ!d1dZ"edZ#dZ$dZ%e&dZ'd2dZ(dZ)edZ*d3dZ+d2dZ,edZ-ed Z.ed!Z/ed"Z0e d.d#Z1ed$Z2ed%Z3d4d&Z4d'Z5ed(Z6d2d)Z7ed*Z8ed+Z9ed,Z:d2d-Z;xZ>> # your application can create a custom class when it initializes >>> from passlib.totp import TOTP, generate_secret >>> TotpFactory = TOTP.using(secrets={"1": generate_secret()}) >>> # subsequent TOTP objects created from this factory >>> # will use the specified secrets to encrypt their keys... >>> totp = TotpFactory.new() >>> totp.to_dict() {'enckey': {'c': 14, 'k': 'H77SYXWORDPGVOQTFRR2HFUB3C45XXI7', 's': 'G5DOQPIHIBUM2OOHHADQ', 't': '1', 'v': 1}, 'type': 'totp', 'v': 1} .. seealso:: :ref:`totp-creation` and :ref:`totp-storing-instances` tutorials for a usage example r/cXttd}|||<di|}t||S)z helper which uses constructor to validate parameter value. it returns corresponding attribute, so we use normalized value. rOrbrE)r _DUMMY_KEYgetattr)attrrHkwdsobjsubclss r? norm_paramzTOTP.using..norm_params2Ju5DDJ.4.C3% %rAdigitsalgperiodissuerz6'wallet' and 'secrets' keywords are mutually exclusivewalletrz1now() function must return non-negative int/floatrE)typerrrrr.rrorYrrZr#rnow) clsrrrrrrrrrs @r?usingz TOTP.usingspfsfb) &  &x8FM ?#E3/FJ  &x8FM  &x8FM %--FM XYY  fi0++FIxHH"FM ?ceY/CEQJ DC D%c*FJ rAc |dddi|S)zY convenience alias for creating new TOTP key, same as ``TOTP(new=True)`` newTrErE)rrs r?rzTOTP.news $t$t$$rAc  tt| di| | r| |_t |xs |j } | j |_| j} | dkrtd|z|r;|r td|| }n|| kDrtd| ztt||_ n-|s td|dk(r||_n|rt|||_ t!|j|j"kr8d|j"z}|r t|t%|t&j(d | |j*}t-|t.std t1|z|d ks|d kDr td ||_|r|j3|||_| r|j7| | |_||j;|dd||_yy)Nr4z%r hash digest too smallz+'key' and 'new=True' are mutually exclusivez+'size' should be less than digest size (%d)z4must specify either an existing 'key', or 'new=True' encryptedz5for security purposes, secret key must be >= %d bytesr) stacklevelz#digits must be an integer, not a %rr7rzdigits must in range(6,11)r)minvalrE)superr/r{changedr*rname digest_sizerrorarrrQ encrypted_keyrdrJ _min_key_sizer rPasslibSecurityWarningrrYr"r _check_labellabel _check_issuerr _check_serialr)rxrQrcrrrr<rrrrrinformsg __class__s r?r{z TOTP.__init__s dD"*T* "DL3?$((+99&& ?9C?@ @  MNN|" #!"(*5"677#C.DHRS S { "!$D  $S&1DH txx=4-- -JDL^L^^C o%S#44C >[[F&),ADLPQ Q A:"9: :     e $DJ    v & DK     vx  : DK rAc|t|tstj|d|||krt d||fzy)zR check that serial value (e.g. 'counter') is non-negative integer rmz%s must be >= %dN)rYr"rrZra)rHrSrs r?rzTOTP._check_serialOsD %+''ue< < 6>/5&/AB B rAc(|rd|vr tdyy)zQ check that label doesn't contain chars forbidden by KeyURI spec rzlabel may not contain ':'Nrars r?rzTOTP._check_labelYs SE\89 9"5rAc(|rd|vr tdyy)zR check that issuer doesn't contain chars forbidden by KeyURI spec rzissuer may not contain ':'Nr)rs r?rzTOTP._check_issueras cVm9: :$6rAc|jS)z) secret key as raw bytes )_keyrs r?rQzTOTP.keyps yyrAct|tstj|td||_dx|_|_y)NrQ)rYrPrrZr_encrypted_key _keyed_hmac)rxrHs r?rQzTOTP.keyws<%'''ue< < 265d.rAc|j}|;|j}|s td|j|jx}|_|S)z secret key, encrypted using application secret. this match the output of :meth:`AppWallet.encrypt_key`, and should be treated as an opaque json serializable object. z6no application secrets present, can't encrypt TOTP key)rrrorrQ)rxrrs r?rzTOTP.encrypted_keysM$$ >[[F XYY+1+=+=dhh+G GFT( rAc|j}|s td|j|\|_}|rd|_y||_y)Nz6no application secrets present, can't decrypt TOTP keyT)rrorrQrr)rxrHrrs r?rzTOTP.encrypted_keysETU U"("4"4U";- DL#(D rAcnttj|jj S)z: secret key encoded as hexadecimal string )r!r^ b16encoderQlowerrs r?hex_keyz TOTP.hex_keys' V--dhh78>>@@rAc,t|jS)z5 secret key encoded as base32 string )rrQrs r? base32_keyzTOTP.base32_keys ""rAc|dk(s|dk(r |j}n |dk(r |j}ntd||r t||}|S)a pretty-print the secret key. This is mainly useful for situations where the user cannot get the qrcode to work, and must enter the key manually into their TOTP client. It tries to format the key in a manner that is easier for humans to read. :param format: format to output secret key. ``"hex"`` and ``"base32"`` are both accepted. :param sep: separator to insert to break up key visually. can be any of ``"-"`` (the default), ``" "``, or ``False`` (no separator). :return: key as native string. Usage example:: >>> t = TOTP('s3jdvb7qd2r7jpxx') >>> t.pretty_key() 'S3JD-VB7Q-D2R7-JPXX' rUrVrWrX)rrrarM)rxrcrLrQs r? pretty_keyzTOTP.pretty_keysN0 U?f0,,C x //C6KL L sC(C rAct|tr|St|tr t|S|t|j St |dr#t j|jStj|dd)as Normalize time value to unix epoch seconds. :arg time: Can be ``None``, :class:`!datetime`, or unix epoch timestamp as :class:`!float` or :class:`!int`. If ``None``, uses current system time. Naive datetimes are treated as UTC. :returns: unix epoch timestamp as :class:`int`. utctimetuplezint, float, or datetimetime) rYr"floatrmrhasattrcalendartimegmr rrZ)rr s r?normalize_timezTOTP.normalize_timesv dI &K e $t9  \swwy> ! T> *??4#4#4#67 7''.GP PrAc ||jzS)zI convert timestamp to HOTP counter using :attr:`period`. r)rxr s r?_time_to_counterzTOTP._time_to_counterst{{""rAc ||jzS)zI convert HOTP counter to timestamp using :attr:`period`. r)rxcounters r?_counter_to_timezTOTP._counter_to_times$$rAc&|j}t|trtd||fz}nGt |d}t j td|}|js tdt||k7rtd|z|S)a Normalize OTP token representation: strips whitespace, converts integers to a zero-padded string, validates token content & number of digits. This is a hybrid method -- it can be called at the class level, as ``TOTP.normalize_token()``, or the instance level as ``TOTP().normalize_token()``. It will normalize to the instance-specific number of :attr:`~TOTP.digits`, or use the class default. :arg token: token as ascii bytes, unicode, or an integer. :raises ValueError: if token has wrong number of digits, or contains non-numeric characters. :returns: token as :class:`!unicode` string, containing only digits 0-9. %0*dtokenrRrTz&Token must contain only the digits 0-9z!Token must have exactly %d digits) rrYr"rrr[r\rkrrJ) self_or_clsrrs r?normalize_tokenzTOTP.normalize_tokens*## eY 'fI/EuG4EMM!B%/E==?)*RSS u: %&IF&RS S rAc|j|}|j|}|dkr td|j|}t |||S)a Generate token for specified time (uses current time if none specified). :arg time: Can be ``None``, a :class:`!datetime`, or class:`!float` / :class:`!int` unix epoch timestamp. If ``None`` (the default), uses current system time. Naive datetimes are treated as UTC. :returns: A :class:`TotpToken` instance, which can be treated as a sequence of ``(token, expire_time)`` -- see that class for more details. Usage example:: >>> # generate a new token, wrapped in a TotpToken instance... >>> otp = TOTP('s3jdvb7qd2r7jpxx') >>> otp.generate(1419622739) >>> # when you just need the token... >>> otp.generate(1419622739).token '897212' rztimestamp must be >= 0)rrra _generater0)rxr rrs r?generatez TOTP.generate.sT8""4(''- Q;56 6w'ug..rAct|tsJd|dk\sJd|j}|'t|j|j x}|_|t |}|jj}t||k(sJd|dk\sJdt|dd z}t|||d zdd z}|j}d|cxkr d ksJd Jd td||fz| dS)z base implementation of HOTP token generation algorithm. :arg counter: HOTP counter, as non-negative integer :returns: token as unicode string zcounter must be integerrzcounter must be non-negativeNz digest_size: sanity check failedz"digest_size: sanity check 2 failedr4i zdigits: sanity check failedr)rYr"rr+rrQ _pack_uint64 digest_inforrJr%_unpack_uint32rr)rxr keyed_hmacdigestroffsetrHrs r?rzTOTP._generateQs'9-H/HH!|;;;%%  ,8488,L LJ)L12 ,,88 6{k)M+MMb F"FF ,s2vfVAX67:ZG 6B= === ==& VUO+fWX66rAc F|j|j|fi|S)a Convenience wrapper around :meth:`TOTP.from_source` and :meth:`TOTP.match`. This parses a TOTP key & configuration from the specified source, and tries and match the token. It's designed to parallel the :meth:`passlib.ifc.PasswordHash.verify` method. :param token: Token string to match. :param source: Serialized TOTP key. Can be anything accepted by :meth:`TOTP.from_source`. :param \\*\\*kwds: All additional keywords passed to :meth:`TOTP.match`. :return: A :class:`TotpMatch` instance, or raises a :exc:`TokenError`. ) from_sourcer)rrrrs r?verifyz TOTP.verifyss%,-sv&,,U;d;;rAc`|j|}|j|d||z}|d}t||j||z }|j||zdz}|j |||} | |k\sJd| |k(rt |dz|j zt|| ||S)aP Match TOTP token against specified timestamp. Searches within a window before & after the provided time, in order to account for transmission delay and small amounts of skew in the client's clock. :arg token: Token to validate. may be integer or string (whitespace and hyphens are ignored). :param time: Unix epoch timestamp, can be any of :class:`!float`, :class:`!int`, or :class:`!datetime`. if ``None`` (the default), uses current system time. *this should correspond to the time the token was received from the client*. :param int window: How far backward and forward in time to search for a match. Measured in seconds. Defaults to ``30``. Typically only useful if set to multiples of :attr:`period`. :param int skew: Adjust timestamp by specified value, to account for excessive client clock skew. Measured in seconds. Defaults to ``0``. Negative skew (the common case) indicates transmission delay, and/or that the client clock is running behind the server. Positive skew indicates the client clock is running ahead of the server (and by enough that it cancels out any negative skew added by the transmission delay). You should ensure the server clock uses a reliable time source such as NTP, so that only the client clock's inaccuracy needs to be accounted for. This is an advanced parameter that should usually be left at ``0``; The **window** parameter is usually enough to account for any observed transmission delay. :param last_counter: Optional value of last counter value that was successfully used. If specified, verify will never search earlier counters, no matter how large the window is. Useful when client has previously authenticated, and thus should never provide a token older than previously verified value. :raises ~passlib.exc.TokenError: If the token is malformed, fails to match, or has already been used. :returns TotpMatch: Returns a :class:`TotpMatch` instance on successful match. Can be treated as tuple of ``(counter, time)``. Raises error if token is malformed / can't be verified. Usage example:: >>> totp = TOTP('s3jdvb7qd2r7jpxx') >>> # valid token for this time period >>> totp.match('897212', 1419622729) >>> # token from counter step 30 sec ago (within allowed window) >>> totp.match('000492', 1419622729) >>> # invalid token -- token from 60 sec ago (outside of window) >>> totp.match('760389', 1419622729) Traceback: ... InvalidTokenError: Token did not match windowr"rz*sanity check failed: counter went backward) expire_time)rrrvr _find_matchrrr1) rxrr r/skew last_counter client_timestartendrs r?rz TOTP.matchsV""4( 68,Tk  LL$"7"7 f8L"MN##K&$89A=""5%5,&T(TT l " lQ.>$++-MN N wf55rAc|j|}|dkrd}||kr t|j}|||kst|||r|S|}||krt|||r|S|dz }||krt)aw helper for verify() -- returns counter value within specified range that matches token. :arg token: token value to match (will be normalized internally) :arg start: starting counter value to check :arg end: check up to (but not including) this counter value :arg expected: optional expected value where search should start, to help speed up searches. :raises ~passlib.exc.TokenError: If the token is malformed, or fails to verify. :returns: counter value that matched rr)rrrr)rxrr5r6expectedrrs r?r1zTOTP._find_matchs0$$U+ 19E %<#% %>> Hu$4'%RZI[:\O muhw/0 qLGm !!rAc>t|tr-|j|jk(r|S|jd}t|tr|j |St |d}|jdr|j|S|j|S)a Load / create a TOTP object from a serialized source. This acts as a wrapper for the various deserialization methods: * TOTP URIs are handed off to :meth:`from_uri` * Any other strings are handed off to :meth:`from_json` * Dicts are handed off to :meth:`from_dict` :param source: Serialized TOTP object. :raises ValueError: If the key has been encrypted, but the application secret isn't available; or if the string cannot be recognized, parsed, or decoded. See :meth:`TOTP.using()` for how to configure application secrets. :returns: a :class:`TOTP` instance. Fencryptz totp sourcerRz otpauth://) rYr/rto_dictr from_dictrrfrom_uri from_jsonrrs r?r,zTOTP.from_source%s, fd #zzV]]* ^^E^2F fd #==( (F-8   \ *<<' '==( (rAct|dj}t|}|jdk7r|j d|j |j |j|S)a< create an OTP instance from a URI (such as returned by :meth:`to_uri`). :returns: :class:`TOTP` instance. :raises ValueError: if the uri cannot be parsed or contains errors. .. seealso:: :ref:`totp-configuring-clients` tutorial for a usage example urirRr6zwrong uri scheme)rrrscheme_uri_parse_error_check_otp_typenetloc_from_parsed_uri)rrBresults r?r>z TOTP.from_uriMseE*002# ==I %&&'9: : FMM*##F++rAcJ|dk(ry|dk(r tdtd|z)zg validate otp URI type is supported. returns True or raises appropriate error. totpThotpzHOTP not supportedzunknown otp type: %r)NotImplementedErrorra)rrs r?rEzTOTP._check_otp_typeds2 6> 6>%&:; ;/$677rAc >|j}|jdrt|dkDrt|dd}n|j dd|vr |j d\}}nd}|r|jxsd}t|}t|jD]"\}}||vr|j d|z|||<$|r#d |vr||d <n|d |k7r|j d |d i|jd i|S#t $r|j dwxYw) z internal from_uri() helper -- handles parsing a validated TOTP URI :param result: a urlparse() instance :returns: cls instance /rNz missing labelrzmalformed labelrzduplicate parameter (%r)rzconflicting issuer identifiersrE) pathrrJr rDrrarrrquery_adapt_uri_params)rrHrrparamsrrs r?rGzTOTP._from_parsed_uripsI    C SZ!^E!"I&E&&7 7 %< > % C 0 F KKM)TEE"fll+ DAqF{**+E+IJJF1I  v%#)x !V+**+KLL5*S**4V455/ >**+<== >s DDc |sJd|s|jdt|||d}|r|j|d|d<|r||d<|r|j|d|d<|rt|d|tj |S) zY from_uri() helper -- converts uri params into constructor args. z"from_uri() failed to provide labelzmissing 'secret' parameterrW)rrrQrcrrrz0: unexpected parameters encountered in otp uri: )rDr_uri_parse_intr rPasslibRuntimeWarning) rrrrr algorithmrextrars r?rQzTOTP._adapt_uri_paramss:::&&'CD D%F8L  //ADN #DK  //ADN  u"88 : rActd|S)z8uri parsing helper -- creates preformatted error messagezInvalid otpauth uri: rreasons r?rDzTOTP._uri_parse_errorsv?@@rAc\ t|S#t$r|jd|zwxYw)z#uri parsing helper -- int() wrapperzMalformed %r parameter)rmrarD)rrrSs r?rTzTOTP._uri_parse_ints: Iv;  I&&'?%'GH H Is +c| |j}|s td|j|t|d}|j }| |j }|r5|j |t|dd|}|jd|ftdjd|D}|sJdtd||fzS) a Serialize key and configuration into a URI, per Google Auth's `KeyUriFormat `_. :param str label: Label to associate with this token when generating a URI. Displayed to user by most OTP client applications (e.g. Google Authenticator), and typically has format such as ``"John Smith"`` or ``"jsmith@webservice.example.org"``. Defaults to **label** constructor argument. Must be provided in one or the other location. May not contain ``:``. :param str issuer: String identifying the token issuer (e.g. the domain or canonical name of your service). Optional but strongly recommended if you're rendering to a URI. Used internally by some OTP client applications (e.g. Google Authenticator) to distinguish entries which otherwise have the same label. Defaults to **issuer** constructor argument, or ``None``. May not contain ``:``. :raises ValueError: * if a label was not provided either as an argument, or in the constructor. * if the label or issuer contains invalid characters. :returns: all the configuration information for this OTP token generator, encoded into a URI. These URIs are frequently converted to a QRCode for transferring to a TOTP client application such as Google Auth. Usage example:: >>> from passlib.totp import TOTP >>> tp = TOTP('s3jdvb7qd2r7jpxx') >>> uri = tp.to_uri("user@example.org", "myservice.another-example.org") >>> uri 'otpauth://totp/user@example.org?secret=S3JDVB7QD2R7JPXX&issuer=myservice.another-example.org' .. versionchanged:: 1.7.2 This method now prepends the issuer URI label. This is recommended by the KeyURI specification, for compatibility with older clients. z.s)^e' c53C-D D^s')zparam_str should never be emptyzotpauth://totp/%s?%s) rrarr _to_uri_paramsrrappendrrK)rxrrrR param_strs r?to_uriz TOTP.to_uris\ =JJE[\ \ % eS!$$& >[[F    v & %VS159E MM8V, -cFKK^W]^^ ;;;'(E9+===rAcld|jfg}|jdk7r+|jd|jjf|jdk7r&|jdt |jf|j dk7r&|jdt |j f|S)z+return list of (key, param) entries for URIrrrVr7rrr)rrrar`rrrrxargss r?r`zTOTP._to_uri_paramss4??+, 88v  KKdhhnn&67 8 ;;!  KK3t{{#34 5 ;;"  KK3t{{#34 5 rAcdt|d}|jtj|S)an Load / create an OTP object from a serialized json string (as generated by :meth:`to_json`). :arg json: Serialized output from :meth:`to_json`, as unicode or ascii bytes. :raises ValueError: If the key has been encrypted, but the application secret isn't available; or if the string cannot be recognized, parsed, or decoded. See :meth:`TOTP.using()` for how to configure application secrets. :returns: a :class:`TOTP` instance. .. seealso:: :ref:`totp-storing-instances` tutorial for a usage example z json sourcerR)rr=rrr@s r?r?zTOTP.from_json&s((F-8}}TZZ/00rAcV|j|}tj|ddS)a Serialize configuration & internal state to a json string, mainly useful for persisting client-specific state in a database. All keywords passed to :meth:`to_dict`. :returns: json string containing serializes configuration & state. r:T),r) sort_keys separators)r<rdumps)rxr;states r?to_jsonz TOTP.to_json=s' W -zz%4JGGrAc |t|trd|vr|jd|di|jdi|S)aU Load / create a TOTP object from a dictionary (as generated by :meth:`to_dict`) :param source: dict containing serialized TOTP key & configuration. :raises ValueError: If the key has been encrypted, but the application secret isn't available; or if the dict cannot be recognized, parsed, or decoded. See :meth:`TOTP.using()` for how to configure application secrets. :returns: A :class:`TOTP` instance. .. seealso:: :ref:`totp-storing-instances` tutorial for a usage example rzunrecognized formatrE)rYr_dict_parse_error_adapt_dict_kwdsr@s r?r=zTOTP.from_dictMsF(&$'6+?''(=> >4)S))3F344rAc |j|sJ|jdd}|r||jks||jkDr|j d|d||jk7rd|d<d|vr)d|vsJ|j |jdd nd|vr|j d |jd d|S) zt Internal helper for .from_json() -- Adapts serialized json dict into constructor keywords. rNzmissing/unsupported version ()TrrrQrrbzmissing 'enckey' / 'key'r3)rEpopmin_json_version json_versionrpr)rrrvers r?rqzTOTP._adapt_dict_kwdses""4((hhsD!cC000C#:J:J4J''c(ST T C$$ $"DO t  $ $ KKDHHX.{K C $ ''(BC C & rActd|S)z9dict parsing helper -- creates preformatted error messagezInvalid totp data: rrYs r?rpzTOTP._dict_parse_errorsV=>>rAct|jd}|jdk7r|j|d<|jdk7r|j|d<|jdk7r|j|d<|j r|j |d <|j }|r|t|j k7r||d <||j}|xr |j}|r|j|d <|S|j|d <|S) aw Serialize configuration & internal state to a dict, mainly useful for persisting client-specific state in a database. :param encrypt: Whether to output should be encrypted. * ``None`` (the default) -- uses encrypted key if application secrets are available, otherwise uses plaintext key. * ``True`` -- uses encrypted key, or raises TypeError if application secret wasn't provided to OTP constructor. * ``False`` -- uses raw key. :returns: dictionary, containing basic (json serializable) datatypes. rJ)rrrrr7rrrrrrrQ) rrvrrrrrrrrrr)rxr;rmrrs r?r<z TOTP.to_dicts&t((v6 88v 88E%L ;;! "kkE(O ;;" "kkE(O ::!ZZE'N fT 1 11$E(O ?[[F3!3!3G "00E(O  ??E%L  rA)NNNNNN) NrWFNNNNNNF)r)rW-rD)NrrN)NN)=rrrrrrurvr_timer rrrrrrrrrr classmethodrrr{rrrrrrQsetterrrrr rrrr(rrrr-rr1r,r>rErGrQrDrTrcr`r?rnr=rqrpr< __classcell__)rs@r?r/r/sFZM'('|F **C DN KF C EF FG 15,0bbP%% )1EI27G!ZCC::;;  ZZ66   ( ( AA ## LQQ6# % Z!/F7D<<.`6D*"p")")N,,, 8 8.6.6`?C>B0AAIIK>Z 11, H 55.<??,rAr/cneZdZdZdZdZdZdZedZ edZ e dZ e dZ dZd Zy) r0a@ Object returned by :meth:`TOTP.generate`. It can be treated as a sequence of ``(token, expire_time)``, or accessed via the following attributes: .. autoattribute:: token .. autoattribute:: expire_time .. autoattribute:: counter .. autoattribute:: remaining .. autoattribute:: valid Nc.||_||_||_yzu .. warning:: the constructor signature is an internal detail, and is subject to change. N)rJrr)rxrJrrs r?r{zTotpToken.__init__s    rAcL|jj|jS)z9Timestamp marking beginning of period when token is validrJrrrs r? start_timezTotpToken.start_timesyy))$,,77rAcR|jj|jdzSz3Timestamp marking end of period when token is validrrrs r?r0zTotpToken.expire_time"yy))$,,*:;;rAcdtd|j|jjz S)z.number of (float) seconds before token expiresr)rvr0rJrrs r? remainingzTotpToken.remainings&1d&&899rAc,t|jS)zwhether token is still valid)boolrrs r?validzTotpToken.validsDNN##rAc2|j|jfSrD)rr0rs r? _as_tuplezTotpToken._as_tupleszz4++++rAcZ|jrdnd}d|j|j|fzS)NrTz expiredz')rrr0)rxexpireds r?__repr__zTotpToken.__repr__s0"J8 D,,g67 7rA)rrrrrJrrr{r)rr0rrrrrrErAr?r0r0s{  D EG88<<::$$,7rAr0ceZdZdZdZdZdZdZd dZe dZ e dZ e dZ e d Z e d Zd Zd Zy)r1a Object returned by :meth:`TOTP.match` and :meth:`TOTP.verify` on a successful match. It can be treated as a sequence of ``(counter, time)``, or accessed via the following attributes: .. autoattribute:: counter :annotation: = 0 .. autoattribute:: time :annotation: = 0 .. autoattribute:: expected_counter :annotation: = 0 .. autoattribute:: skipped :annotation: = 0 .. autoattribute:: expire_time :annotation: = 0 .. autoattribute:: cache_seconds :annotation: = 60 .. autoattribute:: cache_time :annotation: = 0 This object will always have a ``True`` boolean value. Nrrc<||_||_||_||_yr)rJrr r/)rxrJrr r/s r?r{zTotpMatch.__init__&s     rAcL|jj|jS)z7 Counter value expected for timestamp. )rJrr rs r?expected_counterzTotpMatch.expected_counter0s yy))$))44rAc4|j|jz S)z How many steps were skipped between expected and actual matched counter value (may be positive, zero, or negative). )rrrs r?skippedzTotpMatch.skipped7s ||d3333rAcR|jj|jdzSrrrs r?r0zTotpMatch.expire_timeDrrAcH|jj|jzS)z Number of seconds counter should be cached before it's guaranteed to have passed outside of verification window. )rJrr/rs r? cache_secondszTotpMatch.cache_secondsIsyy$++--rAc4|j|jzS)z[ Timestamp marking when counter has passed outside of verification window. )r0r/rs r? cache_timezTotpMatch.cache_timeSs $++--rAc2|j|jfSrD)rr rs r?rzTotpMatch._as_tupleZs||TYY&&rAcR|j|j|jf}d|zS)Nz/)rr rres r?rzTotpMatch.__repr__]s' dii););<@4GGrA)r)rrrrrJrr r/r{r)rrr0rrrrrErAr?r1r1s> D G DF55 44<<.... 'HrAr1c |dkDsJt|dkDsJttj|tjdt|z}t t ||S)z generate a random string suitable for use as an :class:`AppWallet` application secret. :param entropy: number of bits of entropy (controls size/complexity of password). rrr2)rJrmmathceillogrr)entropycharsetcounts r?generate_secretresS Q; w ?E c7E **rA)rz)hr __future__rrrpasslib.utils.compatrr^rrlogging getLoggerrrrstructsysr r{re urllib.parserrr r urllibwarningsr cryptography.hazmat.backendsr r1cryptography.hazmat.primitives.ciphers.algorithms cryptography,cryptography.hazmat.primitives.ciphers.modescryptography.hazmat.primitivesr r ImportErrordebugpasslibr passlib.excrrrr passlib.utilsrrrrrrrrpasslib.utils.binaryrrrrrr r!r"r#r$r%r&r'passlib.utils.decorr(r)passlib.crypto.digestr*r+r, passlib.hashr-__all__ version_infor5racompileUr[r:r@rMrdr AES_SUPPORTrobjectr.Structpackr%unpackr'rr/r0r1rrErAr?rsFA@$  'g''1  @@%, -S<7E ZZTTTCCVVV@HH& .g# " )$ HI BJJq}bdd +  &DI4;  "**1 2Z"Z"J v}}T"'' t$++ p6pr%87 87vfH fHX cr): +M:-IIMN(,,K%-s/G G>=G>