o /׾gW8@sdZgdZddlmZddlmZddlmZmZddl Z ddl Z e e Z ddgZgd Ze d ZGd d d eZd dZGdddeZdZddZddZddZefddZdS)aQ This module contains the C{L{TrustRoot}} class, which helps handle trust root checking. This module is used by the C{L{openid.server.server}} module, but it is also available to server implementers who wish to use it for additional trust root checking. It also implements relying party return_to URL verification, based on the realm. ) TrustRootRP_RETURN_TO_URL_TYPEextractReturnToURLsreturnToMatchesverifyReturnTo)urinorm)services)urlparse urlunparseNhttphttps(acadaeaeroafagaialamanaoaqararpaasasiaatauawaxazbabbbdbebfbgbhbibizbjbmbnbobrbsbtbvbwbybzcacatcccdcfcgchcickclcmcncocomcoopcrcucvcxcyczdedjdkdmdodzecedueeegereseteufifjfkfmfofrgagbgdgegfggghgiglgmgngovgpgqgrgsgtgugwgyhkhmhnhrhthuidieilimininfointioiqirisitjejmjojobsjpkekgkhkikmknkpkrkwkykzlalblclilklrlsltlulvlymamcmdmemgmhmilmkmlmmmnmomobimpmqmrmsmtmumuseummvmwmxmymznanamencnenetnfngninlnonpnrnunzomorgpapepfpgphpkplpmpnprpropsptpwpyqarerorsrurwsasbscsdsesgshsisjskslsmsnsosrstsusvsysztctdteltftgthtjtktltmtntotptrtraveltttvtwtzuaugukusuyuzvavcvevgvivnvuwfwsz xn--0zwm56dzxn--11b5bs3a9aj6gzxn--80akhbyknj4fzxn--9t4b11yi5az xn--deba0adz xn--g6w251dzxn--hgbk6aj7f53bbazxn--hlcj6aya9esc7az xn--jxalpdlpz xn--kgbechtvz xn--zckzahyeytyuzazmzwz3(?:[-a-zA-Z0-9!$&'\(\)\*+,;=._~]|%[a-zA-Z0-9]{2})+$c@s eZdZdZddZddZdS)RealmVerificationRedirectedzOAttempting to verify this realm resulted in a redirect. @since: 2.1.0 cCs||_||_dSNrelying_party_urlrp_url_after_redirects)selfrrr a/var/www/html/backend_erp/backend_erp_env/lib/python3.10/site-packages/openid/server/trustroot.py__init__Hs z$RealmVerificationRedirected.__init__cCsd|j|jfS)Nz2Attempting to verify %r resulted in redirect to %rrrr r r!__str__Ls z#RealmVerificationRedirected.__str__N)__name__ __module__ __qualname____doc__r"r$r r r r!rBs rc Cszt|}Wn tyYdSwt|\}}}}}}|s.|s,d|vr,|dd\}}d}tdd||||f}d|vrYz |d\}}Wn tyOYdSwtd|sXdSn|}d}|}t|shdS||||fS)N?/:z\d+$) r ValueErrorr splitr rmatchlowerhost_segment_re) urlprotonetlocpathparamsqueryfraghostportr r r! _parseURLRs4      r<c@speZdZdZddZddZddZdd ZeeZd d Z ee Z d d Z ee Z ddZ ddZ ddZ dS)ra This class represents an OpenID trust root. The C{L{parse}} classmethod accepts a trust root string, producing a C{L{TrustRoot}} object. The method OpenID server implementers would be most likely to use is the C{L{isSane}} method, which checks the trust root for given patterns that indicate that the trust root is too broad or points to a local network resource. @sort: parse, isSane cCs(||_||_||_||_||_||_dSrunparsedr4wildcardr:r;r6)rr>r4r?r:r;r6r r r!r"s  zTrustRoot.__init__cCs|jdkrdS|jd}|jr|ddksJ||d=|r&|ds&|d=|s*dSd|vr0dS|d}|tvr:dSt|dkrBdS|jrYt|d krYt|d d krYt|d kSdS) aA This method checks the to see if a trust root represents a reasonable (sane) set of URLs. 'http://*.com/', for example is not a reasonable pattern, as it cannot meaningfully specify the site claiming it. This function attempts to find many related examples, but it can only work via heuristics. Negative responses from this method should be treated as advisory, used only to alert the user to examine the trust root carefully. @return: Whether the trust root is sane @rtype: C{bool} localhostT.rr,Fr*)r:r/r?_top_level_domainslen)r host_partstldr r r!isSanes*     zTrustRoot.isSanec Cst|}|dur dS|\}}}}||jkrdS||jkrdSd|vr$dS|js/||jkr.dSn||js>d||jkr>dS||jkrrt|j}|jd|}|d|} || kr[dSd|jvrcd} nd} |jd| vpq||| vSd S) z Validates a URL against this trust root. @param url: The URL to check @type url: C{str} @return: Whether the given URL is within this trust root. @rtype: C{bool} NF*rAr)&z?/rBT)r<r4r;r?r:endswithr6rG) rr3 url_partsr4r:r;r6path_len trust_prefix url_prefixallowedr r r! validateURLs6        zTrustRoot.validateURLc Cst|}|dur dS|\}}}}|tvrdS|ddkrdS|dddkr)dS|drEt|dkr<|ddkr bool is this a sane trust root? NF)r[rJ)rXtrust_root_stringrYr r r! checkSanity-s zTrustRoot.checkSanitycCs||}|duo ||S)zpquick func for validating a url against a trust root. See the TrustRoot class if you need more control.N)r[rS)rXrYr3rr r r!checkURL:s zTrustRoot.checkURLcCs>|jr|jdsJ|jd|j}d|j||jfS|jS)aZReturn a discovery URL for this realm. This function does not check to make sure that the realm is valid. Its behaviour on invalid inputs is undefined. @rtype: str @returns: The URL upon which relying party discovery should be run in order to verify the return_to URL @since: 2.1.0 rAwwwz %s://%s%s)r?r:rWr4r6r>)r www_domainr r r!buildDiscoveryURLBs   zTrustRoot.buildDiscoveryURLcCs d|j|j|j|j|j|jfS)Nz!TrustRoot(%r, %r, %r, %r, %r, %r)r=r#r r r!__repr__WszTrustRoot.__repr__cCst|Sr)reprr#r r r!r$\szTrustRoot.__str__N)r%r&r'r(r"rJrSr[ classmethodr]r^rarbr$r r r r!rts 694  rz*http://specs.openid.net/auth/2.0/return_tocCs|tgr |jSdS)aIf the endpoint is a relying party OpenID return_to endpoint, return the endpoint URL. Otherwise, return None. This function is intended to be used as a filter for the Yadis filtering interface. @see: C{L{openid.yadis.services}} @see: C{L{openid.yadis.filters}} @param endpoint: An XRDS BasicServiceEndpoint, as returned by performing Yadis dicovery. @returns: The endpoint URL or None if the endpoint is not a relying party endpoint. @rtype: str or NoneType N) matchTypesruri)endpointr r r!_extractReturnURLgs rhcCs6|D]}t|}|dur|js||rdSqdS)zbIs the return_to URL under one of the supplied allowed return_to URLs? @since: 2.1.0 NTF)rr[r?rS)allowed_return_to_urls return_toallowed_return_to return_realmr r r!r~s rcCs&t|t\}}||krt|||S)z\Given a relying party discovery URL return a list of return_to URLs. @since: 2.1.0 )rgetServiceEndpointsrhr)rrreturn_to_urlsr r r!getAllowedReturnURLssroc Cst|}|dur dSz||}Wnty-}ztt|WYd}~dSd}~wwt||r5dStd|||fdS)aVerify that a return_to URL is valid for the given realm. This function builds a discovery URL, performs Yadis discovery on it, makes sure that the URL does not redirect, parses out the return_to URLs, and finally checks to see if the current return_to URL matches the return_to. @raises DiscoveryFailure: When Yadis discovery fails @returns: True if the return_to URL is valid for the realm @since: 2.1.0 NFTz;Failed to validate return_to %r for realm %r, was not in %s) rr[rarlogger exceptionstrrerror) realm_strrj_vrfyrealmallowable_urlserrr r r!rs  r)r(__all__openidr openid.yadisr urllib.parser r rlogging getLoggerr%rprUrFcompiler2 Exceptionrr<objectrrrhrrorr r r r!s,   "q