o
    ˷e}@                     @   s   d Z g dZddlmZ ddlZddlZdZdZdZdZ	d	Z
ed
ZdZdZG dd deZG dd deZee_G dd deZee_dS )zAn implementation of the OpenID Provider Authentication Policy
Extension 1.0, Draft 5

@see: http://openid.net/developers/specs/

@since: 2.1.0
)RequestResponsens_uriAUTH_PHISHING_RESISTANTAUTH_MULTI_FACTORAUTH_MULTI_FACTOR_PHYSICALLEVELS_NISTLEVELS_JISA    )	ExtensionNz+http://specs.openid.net/extensions/pape/1.0zEhttp://schemas.openid.net/pape/policies/2007/06/multi-factor-physicalz<http://schemas.openid.net/pape/policies/2007/06/multi-factorzBhttp://schemas.openid.net/pape/policies/2007/06/phishing-resistantz4http://schemas.openid.net/pape/policies/2007/06/nonez$^\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\dZ$zDhttp://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdfz*http://www.jisa.or.jp/spec/auth_level.htmlc                   @   s8   e Zd ZeedZdd ZdddZdd Zd	d
 Z	dS )PAPEExtension)nistjisac                 C   s   | j  | _d S N)_default_auth_level_aliasescopyauth_level_aliasesself r   T/var/www/ideatree/venv/lib/python3.10/site-packages/openid/extensions/draft/pape5.py__init__/   s   zPAPEExtension.__init__Nc                 C   sj   |du rz|  |}W n" ty   |  }Y nw | j|}|dur.||kr.td||||| j|< dS )a&  Add an auth level URI alias to this request.

        @param auth_level_uri: The auth level URI to send in the
            request.

        @param alias: The namespace alias to use for this auth level
            in this message. May be None if the alias is not
            important.
        Nz-Attempting to redefine alias %r from %r to %r)	_getAliasKeyError_generateAliasr   getr   auth_level_urialiasexisting_urir   r   r   _addAuthLevelAlias2   s   
z PAPEExtension._addAuthLevelAliasc                 C   s2   t dD ]}d|f }|| jvr|  S qtd)z!Return an unused auth level aliasi  zcust%dz,Could not find an unused alias (tried 1000!))ranger   RuntimeError)r   ir   r   r   r   r   I   s   

zPAPEExtension._generateAliasc                 C   s,   | j  D ]\}}||kr|  S qt|)zmReturn the alias for the specified auth level URI.

        @raises KeyError: if no alias is defined
        )r   itemsr   r   r   r   r   r   R   s
   zPAPEExtension._getAliasr   )
__name__
__module____qualname__r   r   r   r   r   r   r   r   r   r   r   r   )   s    
	r   c                       sp   e Zd ZdZdZ			d fdd	Zdd Zdd	 Zdd
dZdd Z	dd Z
ee
Z
dddZdd Z  ZS )r   aD  A Provider Authentication Policy request, sent from a relying
    party to a provider

    @ivar preferred_auth_policies: The authentication policies that
        the relying party prefers
    @type preferred_auth_policies: [str]

    @ivar max_auth_age: The maximum time, in seconds, that the relying
        party wants to allow to have elapsed before the user must
        re-authenticate
    @type max_auth_age: int or NoneType

    @ivar preferred_auth_level_types: Ordered list of authentication
        level namespace URIs

    @type preferred_auth_level_types: [str]
    papeNc                    sP   t t|   |d u rg }|| _|| _g | _|d ur$|D ]	}| | qd S d S r   )superr   r   preferred_auth_policiesmax_auth_agepreferred_auth_level_typesaddAuthLevel)r   r)   r*   r+   
auth_level	__class__r   r   r   s   s   zRequest.__init__c                 C   s   t | jp| jd up| jS r   )boolr)   r*   r+   r   r   r   r   __bool__   s
   zRequest.__bool__c                 C   s   || j vr| j | dS dS )a  Add an acceptable authentication policy URI to this request

        This method is intended to be used by the relying party to add
        acceptable authentication types to the request.

        @param policy_uri: The identifier for the preferred type of
            authentication.
        @see: http://openid.net/specs/openid-provider-authentication-policy-extension-1_0-05.html#auth_policies
        N)r)   appendr   
policy_urir   r   r   addPolicyURI   s   

zRequest.addPolicyURIc                 C   s*   |  || || jvr| j| d S d S r   )r   r+   r2   )r   r   r   r   r   r   r,      s   
zRequest.addAuthLevelc                 C   sr   dd | ji}| jdurt| j|d< | jr7g }| jD ]}| |}||d|f < || qd ||d< |S )/@see: C{L{Extension.getExtensionArgs}}
        r)    Nr*   auth_level.ns.%sr+   )joinr)   r*   strr+   r   r2   )r   ns_argspreferred_typesr   r   r   r   r   getExtensionArgs   s   


zRequest.getExtensionArgsc                 C   s:   |  }|j |j}|j  }|i krdS ||| |S )zaInstantiate a Request object from the arguments in a
        C{checkid_*} OpenID message
        N)messagegetArgsr   	isOpenID1parseExtensionArgs)clsrequestr   args
is_openid1r   r   r   fromOpenIDRequest   s   
zRequest.fromOpenIDRequestFc              	   C   s   g | _ |d}|r(t|trt|dd}|dD ]}|| j vr'| j | q|d}d| _|rFzt|| _W n t	yE   |rC Y nw |d}|r|
  }|D ]8}	d|	f }
z||
 }W n tyv   |rr| j|	}nd}Y nw |du r|rt	d	|	f qU| ||	 qUdS dS )
a-  Set the state of this request to be that expressed in these
        PAPE arguments

        @param args: The PAPE arguments without a namespace

        @param strict: Whether to raise an exception if the input is
            out of spec or otherwise malformed. If strict is false,
            malformed input will be ignored.

        @param is_openid1: Whether the input should be treated as part
            of an OpenID1 request

        @rtype: None

        @raises ValueError: When the max_auth_age is not parseable as
            an integer
        r)   zutf-8)encodingr7   r*   Nr+   r8   z6preferred auth level %r is not defined in this message)r)   r   
isinstancebytesr:   splitr2   r*   int
ValueErrorstripr   r   r,   )r   rD   rE   strictpolicies_strurimax_auth_age_strr+   aliasesr   keyr   r   r   rA      sR   





zRequest.parseExtensionArgsc                 C   s   t t| jj|S )a  Given a list of authentication policy URIs that a provider
        supports, this method returns the subsequence of those types
        that are preferred by the relying party.

        @param supported_types: A sequence of authentication policy
            type URIs that are supported by a provider

        @returns: The sub-sequence of the supported types that are
            preferred by the relying party. This list will be ordered
            in the order that the types appear in the supported_types
            sequence, and may be empty if the provider does not prefer
            any of the supported authentication types.

        @returntype: [str]
        )listfilterr)   __contains__)r   supported_typesr   r   r   preferredTypes   s   zRequest.preferredTypesNNNr   F)r$   r%   r&   __doc__ns_aliasr   r1   r5   r,   r=   rF   classmethodrA   rX   __classcell__r   r   r.   r   r   ^   s    

?r   c                       sv   e Zd ZdZdZd fdd	ZdddZdd	 Zd
d Ze	eddZ
dd Zdd ZdddZeeZdd Z  ZS )r   zA Provider Authentication Policy response, sent from a provider
    to a relying party

    @ivar auth_policies: List of authentication policies conformed to
        by this OpenID assertion, represented as policy URIs
    r'   Nc                    sZ   t t|   |r|| _ng | _|| _i | _|d u ri }| D ]
\}}| || q d S r   )r(   r   r   auth_policies	auth_timeauth_levelsr#   setAuthLevel)r   r_   r`   ra   rP   levelr.   r   r   r      s   zResponse.__init__c                 C   s   |  || || j|< dS )a  Set the value for the given auth level type.

        @param level: string representation of an authentication level
            valid for level_uri

        @param alias: An optional namespace alias for the given auth
            level URI. May be omitted if the alias is not
            significant. The library will use a reasonable default for
            widely-used auth level types.
        N)r   ra   )r   	level_urirc   r   r   r   r   rb   0  s   zResponse.setAuthLevelc                 C   s
   | j | S )a  Return the auth level for the specified auth level
        identifier

        @returns: A string that should map to the auth levels defined
            for the auth level type

        @raises KeyError: If the auth level type is not present in
            this message
        )ra   )r   rd   r   r   r   getAuthLevel>  s   

zResponse.getAuthLevelc                 C   s&   zt | tW S  ty   Y d S w r   )rK   re   r   r   r   r   r   r   _getNISTAuthLevelJ  s
   zResponse._getNISTAuthLevelz7Backward-compatibility accessor for the NIST auth level)docc                 C   s.   |t krtd|| jvr| j| dS dS )a  Add a authentication policy to this response

        This method is intended to be used by the provider to add a
        policy that the provider conformed to when authenticating the user.

        @param policy_uri: The identifier for the preferred type of
            authentication.
        @see: http://openid.net/specs/openid-provider-authentication-policy-extension-1_0-01.html#auth_policies
        z4To send no policies, do not set any on the response.N)	AUTH_NONEr!   r_   r2   r3   r   r   r   r5   T  s   

zResponse.addPolicyURIc                 C   s6   |  }| |j}| }|dur||| |S dS )a9  Create a C{L{Response}} object from a successful OpenID
        library response
        (C{L{openid.consumer.consumer.SuccessResponse}}) response
        message

        @param success_response: A SuccessResponse from consumer.complete()
        @type success_response: C{L{openid.consumer.consumer.SuccessResponse}}

        @rtype: Response or None
        @returns: A provider authentication policy response from the
            data that was supplied with the C{id_res} response or None
            if the provider sent no signed PAPE response arguments.
        N)getSignedNSr   r@   rA   )rB   success_responser   rD   rE   r   r   r   fromSuccessResponsee  s   zResponse.fromSuccessResponseFc              	   C   sZ  | d}|r|d}n|rtdg }t|dkr(|r(t|v r(td|f d|v r;d}|r4t|tj|dd	 d
d |D }|| _| D ]H\}}|	dr|dd }	|		dr^qIz	|d|	f  }
W n t
y{   |rw| j |	}
nd}
Y nw |
du r|rtd|	f qI| |
||	 qI| d}|rt|r|| _dS |rtddS dS )a  Parse the provider authentication policy arguments into the
        internal state of this object

        @param args: unqualified provider authentication policy
            arguments

        @param strict: Whether to raise an exception when bad data is
            encountered

        @returns: None. The data is parsed into the internal fields of
            this object.
        r_   r7   zMissing auth_policies   z=Got some auth policies, as well as the special "none" URI: %rnonez0"none" used as a policy URI (see PAPE draft < 5)   )
stacklevelc                 S   s   g | ]
}|d t fvr|qS )rm   )rh   ).0ur   r   r   
<listcomp>  s    z/Response.parseExtensionArgs.<locals>.<listcomp>zauth_level.   Nzns.r8   zUndefined auth level alias: %rr`   #auth_time must be in RFC3339 format)r   rJ   rL   lenrh   warningswarnr_   r#   
startswithr   r   rb   TIME_VALIDATORmatchr`   )r   rD   rE   rN   rO   r_   msgrS   valr   rP   r`   r   r   r   rA     s`   





zResponse.parseExtensionArgsc                 C   s   t | jdkrdti}ndd| ji}| j D ]\}}| |}||d|f < t||d|f < q| jdurGt	
| jsBtd| j|d< |S )	r6   r	   r_   r7   r8   zauth_level.%sNrt   r`   )ru   r_   rh   r9   ra   r#   r   r:   r`   ry   rz   rL   )r   r;   
level_typerc   r   r   r   r   r=     s   


zResponse.getExtensionArgsrY   r   rZ   )r$   r%   r&   r[   r\   r   rb   re   rf   propertynist_auth_levelr5   rk   rA   r]   r=   r^   r   r   r.   r   r     s     

Dr   )r[   __all__openid.extensionr
   rv   rer   r   r   r   rh   compilery   r   r   r   r   r   r   r   r   r   <module>   s0    
5 6 
L