o "4g,@sddlmZddlZddlZddlZddlmZmZddlm Z m Z m Z m Z ddl mZddlmZmZmZmZddlmZmZdd lmZerPdd lmZmZGd d d ZeZejZejZejZejZej Z ej!Z!ej"Z"dS) ) annotationsN) TYPE_CHECKINGAny) Algorithmget_default_algorithms has_cryptorequires_cryptography)PyJWK) DecodeErrorInvalidAlgorithmErrorInvalidSignatureErrorInvalidTokenError)base64url_decodebase64url_encode)RemovedInPyjwt3Warning)AllowedPrivateKeysAllowedPublicKeysc@seZdZdZ  dHdId d ZedJd d ZdKddZdLddZdMddZ dNddZ     dOdPd+d,Z -   dQdRd4d5Z -   dQdSd7d8Z dTd9d:ZdUd||jvr tdt|tstd||j|<|j|dS)zW Registers a new Algorithm for use when creating and verifying tokens. z Algorithm already has a handler.z!Object is not of type `Algorithm`N)r ValueError isinstancer TypeErrorradd)r"r)r+r$r$r%register_algorithm6s   zPyJWS.register_algorithmcCs*||jvr td|j|=|j|dS)z Unregisters an Algorithm for use when creating and verifying tokens Throws KeyError if algorithm is not registered. zJThe specified algorithm could not be removed because it is not registered.N)rKeyErrorrremove)r"r)r$r$r%unregister_algorithmCs zPyJWS.unregister_algorithm list[str]cCs t|jS)zM Returns a list of supported values for the 'alg' parameter. )rr)r"r$r$r%get_algorithmsQs zPyJWS.get_algorithmsalg_namec CsNz|j|WSty&}zts|tvrtd|d|td|d}~ww)z For a given string name, return the matching Algorithm object. Example usage: >>> jws_obj.get_algorithm_by_name("RS256") z Algorithm 'z9' could not be found. Do you have cryptography installed?Algorithm not supportedN)rr1rr NotImplementedError)r"r6er$r$r%get_algorithm_by_nameWs    zPyJWS.get_algorithm_by_nameHS256FTpayloadbytesr# AllowedPrivateKeys | str | bytes algorithm str | Noneheaders json_encodertype[json.JSONEncoder] | Noneis_payload_detachedbool sort_headerscCs*g}|dur|nd} |r"|d} | r|d} |d} | dur"d}|j| d} |r4||| || ds;| d=|rBd| d<nd| vrI| d=tj| d||d } |t| |r`|}nt|}||d |}| | }| |}| ||}|t||rd |d <d |}| d S)Nnonealgb64FT)typrHrJ),:) separatorscls sort_keys.rutf-8)get header_typ_validate_headersupdatejsondumpsencodeappendrjoinr: prepare_keysigndecode)r"r<r#r?rArBrDrFsegments algorithm_ headers_alg headers_b64header json_header msg_payload signing_inputr+ signatureencoded_stringr$r$r%rYhsL              z PyJWS.encodejwt str | bytes'AllowedPublicKeys | PyJWK | str | bytesdetached_payload bytes | Nonedict[str, Any]c Ks|rtdt|t|duri}i|j|}|d}|r-|s-t|ts-td| |\} } } } | dddurU|durFtd|} d | dd d | g} |r`| | | | ||| | | d S) Nzypassing additional kwargs to decode_complete() is deprecated and will be removed in pyjwt version 3. Unsupported kwargs: r(z\It is required that you pass in a value for the "algorithms" argument when calling decode().rITFzIt is required that you pass in a value for the "detached_payload" argument to decode a message having the b64 header set to false.rPrr)r<rcrg)warningswarntupler rrr-r r _loadrSr[rsplit_verify_signature) r"rjr#rrrmkwargsmerged_optionsr(r<rfrcrgr$r$r%decode_completes:  zPyJWS.decode_completercKs:|rtdt|t|j|||||d}|dS)Nzppassing additional kwargs to decode() is deprecated and will be removed in pyjwt version 3. Unsupported kwargs: )rmr<)rprqrrr rrx)r"rjr#rrrmrvdecodedr$r$r%r^s   z PyJWS.decodecCs||d}|||S)zReturns back the JWT header parameters as a dict() Note: The signature is not verified so the header parameters should not be fully trusted until signature verification is complete )rsrU)r"rjrAr$r$r%get_unverified_headers zPyJWS.get_unverified_header*tuple[bytes, bytes, dict[str, Any], bytes]c Cslt|tr |d}t|tstdtz|dd\}}|dd\}}Wnty9}ztd|d}~wwzt|}Wnt t j fyT}ztd|d}~wwzt |}Wntyp} ztd| | d} ~ wwt|tsztdzt|} Wnt t j fy}ztd |d}~wwzt|} Wnt t j fy}ztd |d}~ww| ||| fS) NrRz$Invalid token type. Token must be a rPrzNot enough segmentszInvalid header paddingzInvalid header string: z,Invalid header string: must be a json objectzInvalid payload paddingzInvalid crypto padding)r-r*rYr=r rtsplitr,rr.binasciiErrorrWloadsdict) r"rjrfcrypto_segmentheader_segmentpayload_segmenterr header_datarcr9r<rgr$r$r%rssL            z PyJWS._loadrfrcrgc Cs|dur t|tr |jg}z|d}Wn tytdw|r)|dur-||vr-tdt|tr9|j}|j}nz||}WntyQ} ztd| d} ~ ww| |}| |||sbt ddS)NrHzAlgorithm not specifiedz&The specified alg value is not allowedr7zSignature verification failed) r-r algorithm_namer1r rr#r:r8r\verifyr ) r"rfrcrgr#rrHr+ prepared_keyr9r$r$r%ru s,     zPyJWS._verify_signaturecCsd|vr ||ddSdS)Nkid) _validate_kid)r"rAr$r$r%rU?szPyJWS._validate_headersrcCst|ts tddS)Nz(Key ID header parameter must be a string)r-r*r)r"rr$r$r%rCs zPyJWS._validate_kid)NN)rrrrrr)rr')r)r*r+rrr)r)r*rr)rr4)r6r*rr)r;NNFT)r<r=r#r>r?r@rArrBrCrDrErFrErr*)riNNN) rjrkr#rlrrrrrmrnrro) rjrkr#rlrrrrrmrnrr)rjrkrro)rjrkrr|)riN) rfr=rcrorgr=r#rlrrrr)rArorr)rrrr)__name__ __module__ __qualname__rTr& staticmethodr!r0r3r5r:rYrxr^r{rsrurUrr$r$r$r%rsD      H 0  + r)# __future__rr~rWrptypingrrrrrrr api_jwkr exceptionsr r r rutilsrrrrrr_jws_global_objrYrxr^r0r3r:r{r$r$r$r%s.   .