Added a digest authentication helper (2/2)

This completes the implementation of the digest helper, implementing for
additional hashing algorithms sha256 and sha512, as well as auth-int
qop. It implements tests and documents the features.

The DigestAuth feature was shimmed into the existing API so it could be
used in place of BasicAuth in the auth field of ClientSession and
ClientRequest.

Author: TimMenninger

aiohttp/__init__.py

@@ -50,7 +50,7 @@
 from .connector import AddrInfoType, SocketFactoryType
 from .cookiejar import CookieJar, DummyCookieJar
 from .formdata import FormData
-from .helpers import BasicAuth, ChainMapProxy, ETag
+from .helpers import BasicAuth, ChainMapProxy, DigestAuth, ETag
 from .http import (
     HttpVersion,
     HttpVersion10,
@@ -164,6 +164,7 @@
     # helpers
     "BasicAuth",
     "ChainMapProxy",
+    "DigestAuth",
     "ETag",
     # http
     "HttpVersion",

aiohttp/client.py

@@ -95,7 +95,7 @@
 from .helpers import (
     _SENTINEL,
     EMPTY_BODY_METHODS,
-    BasicAuth,
+    AuthBase,
     TimeoutHandle,
     frozen_dataclass_decorator,
     get_env_proxy_for_url,
@@ -174,7 +174,7 @@ class _RequestOptions(TypedDict, total=False):
     cookies: Union[LooseCookies, None]
     headers: Union[LooseHeaders, None]
     skip_auto_headers: Union[Iterable[str], None]
-    auth: Union[BasicAuth, None]
+    auth: Union[AuthBase, None]
     allow_redirects: bool
     max_redirects: int
     compress: Union[str, bool]
@@ -183,7 +183,7 @@ class _RequestOptions(TypedDict, total=False):
     raise_for_status: Union[None, bool, Callable[[ClientResponse], Awaitable[None]]]
     read_until_eof: bool
     proxy: Union[StrOrURL, None]
-    proxy_auth: Union[BasicAuth, None]
+    proxy_auth: Union[AuthBase, None]
     timeout: "Union[ClientTimeout, _SENTINEL, None]"
     ssl: Union[SSLContext, bool, Fingerprint]
     server_hostname: Union[str, None]
@@ -270,9 +270,9 @@ def __init__(
         cookies: Optional[LooseCookies] = None,
         headers: Optional[LooseHeaders] = None,
         proxy: Optional[StrOrURL] = None,
-        proxy_auth: Optional[BasicAuth] = None,
+        proxy_auth: Optional[AuthBase] = None,
         skip_auto_headers: Optional[Iterable[str]] = None,
-        auth: Optional[BasicAuth] = None,
+        auth: Optional[AuthBase] = None,
         json_serialize: JSONEncoder = json.dumps,
         request_class: Type[ClientRequest] = ClientRequest,
         response_class: Type[ClientResponse] = ClientResponse,
@@ -429,7 +429,7 @@ async def _request(
         cookies: Optional[LooseCookies] = None,
         headers: Optional[LooseHeaders] = None,
         skip_auto_headers: Optional[Iterable[str]] = None,
-        auth: Optional[BasicAuth] = None,
+        auth: Optional[AuthBase] = None,
         allow_redirects: bool = True,
         max_redirects: int = 10,
         compress: Union[str, bool] = False,
@@ -440,7 +440,7 @@ async def _request(
         ] = None,
         read_until_eof: bool = True,
         proxy: Optional[StrOrURL] = None,
-        proxy_auth: Optional[BasicAuth] = None,
+        proxy_auth: Optional[AuthBase] = None,
         timeout: Union[ClientTimeout, _SENTINEL, None] = sentinel,
         ssl: Union[SSLContext, bool, Fingerprint] = True,
         server_hostname: Optional[str] = None,
@@ -672,6 +672,13 @@ async def _request(
                             resp = await req.send(conn)
                             try:
                                 await resp.start(conn)
+                                # Try performing digest authentication. It returns
+                                # True if we need to resend the request, as
+                                # DigestAuth is a bit of a handshake. This is
+                                # a no-op for BasicAuth. If it
+                                if auth is not None and auth.authenticate(resp):
+                                    resp.close()
+                                    continue
                             except BaseException:
                                 resp.close()
                                 raise
@@ -824,12 +831,12 @@ def ws_connect(
         autoclose: bool = True,
         autoping: bool = True,
         heartbeat: Optional[float] = None,
-        auth: Optional[BasicAuth] = None,
+        auth: Optional[AuthBase] = None,
         origin: Optional[str] = None,
         params: Query = None,
         headers: Optional[LooseHeaders] = None,
         proxy: Optional[StrOrURL] = None,
-        proxy_auth: Optional[BasicAuth] = None,
+        proxy_auth: Optional[AuthBase] = None,
         ssl: Union[SSLContext, bool, Fingerprint] = True,
         server_hostname: Optional[str] = None,
         proxy_headers: Optional[LooseHeaders] = None,
@@ -872,12 +879,12 @@ async def _ws_connect(
         autoclose: bool = True,
         autoping: bool = True,
         heartbeat: Optional[float] = None,
-        auth: Optional[BasicAuth] = None,
+        auth: Optional[AuthBase] = None,
         origin: Optional[str] = None,
         params: Query = None,
         headers: Optional[LooseHeaders] = None,
         proxy: Optional[StrOrURL] = None,
-        proxy_auth: Optional[BasicAuth] = None,
+        proxy_auth: Optional[AuthBase] = None,
         ssl: Union[SSLContext, bool, Fingerprint] = True,
         server_hostname: Optional[str] = None,
         proxy_headers: Optional[LooseHeaders] = None,
@@ -1247,7 +1254,7 @@ def skip_auto_headers(self) -> FrozenSet[istr]:
         return self._skip_auto_headers
 
     @property
-    def auth(self) -> Optional[BasicAuth]:  # type: ignore[misc]
+    def auth(self) -> Optional[AuthBase]:
         """An object that represents HTTP Basic Authorization"""
         return self._default_auth
 
@@ -1412,8 +1419,7 @@ def request(
         headers - (optional) Dictionary of HTTP Headers to send with
         the request
         cookies - (optional) Dict object to send with the request
-        auth - (optional) BasicAuth named tuple represent HTTP Basic Auth
-        auth - aiohttp.helpers.BasicAuth
+        auth - (optional) something implementing AuthBase for authentication
         allow_redirects - (optional) If set to False, do not follow
         redirects
         version - Request HTTP version.

aiohttp/client_reqrep.py

@@ -43,8 +43,10 @@
 from .hdrs import CONTENT_TYPE
 from .helpers import (
     _SENTINEL,
+    AuthBase,
     BaseTimerContext,
     BasicAuth,
+    DigestAuth,
     HeadersMixin,
     TimerNoop,
     basicauth_from_netrc,
@@ -186,7 +188,7 @@ class ConnectionKey(NamedTuple):
     is_ssl: bool
     ssl: Union[SSLContext, bool, Fingerprint]
     proxy: Optional[URL]
-    proxy_auth: Optional[BasicAuth]
+    proxy_auth: Optional[AuthBase]
     proxy_headers_hash: Optional[int]  # hash(CIMultiDict)
 
 
@@ -230,15 +232,15 @@ def __init__(
         skip_auto_headers: Optional[Iterable[str]] = None,
         data: Any = None,
         cookies: Optional[LooseCookies] = None,
-        auth: Optional[BasicAuth] = None,
+        auth: Optional[AuthBase] = None,
         version: http.HttpVersion = http.HttpVersion11,
         compress: Union[str, bool] = False,
         chunked: Optional[bool] = None,
         expect100: bool = False,
         loop: asyncio.AbstractEventLoop,
         response_class: Optional[Type["ClientResponse"]] = None,
         proxy: Optional[URL] = None,
-        proxy_auth: Optional[BasicAuth] = None,
+        proxy_auth: Optional[AuthBase] = None,
         timer: Optional[BaseTimerContext] = None,
         session: Optional["ClientSession"] = None,
         ssl: Union[SSLContext, bool, Fingerprint] = True,
@@ -287,12 +289,12 @@ def __init__(
         self.update_auto_headers(skip_auto_headers)
         self.update_cookies(cookies)
         self.update_content_encoding(data, compress)
-        self.update_auth(auth, trust_env)
         self.update_proxy(proxy, proxy_auth, proxy_headers)
 
         self.update_body_from_data(data)
         if data is not None or self.method not in self.GET_METHODS:
             self.update_transfer_encoding()
+        self.update_auth(auth, trust_env)  # Must be after we set the body
         self.update_expect_continue(expect100)
         self._traces = [] if traces is None else traces
 
@@ -322,7 +324,7 @@ def ssl(self) -> Union["SSLContext", bool, Fingerprint]:
         return self._ssl
 
     @property
-    def connection_key(self) -> ConnectionKey:  # type: ignore[misc]
+    def connection_key(self) -> ConnectionKey:
         if proxy_headers := self.proxy_headers:
             h: Optional[int] = hash(tuple(proxy_headers.items()))
         else:
@@ -370,7 +372,7 @@ def update_host(self, url: URL) -> None:
 
         # basic auth info
         if url.raw_user or url.raw_password:
-            self.auth = helpers.BasicAuth(url.user or "", url.password or "")
+            self.auth = BasicAuth(url.user or "", url.password or "")
 
     def update_version(self, version: Union[http.HttpVersion, str]) -> None:
         """Convert request version to two elements tuple.
@@ -494,7 +496,7 @@ def update_transfer_encoding(self) -> None:
             if hdrs.CONTENT_LENGTH not in self.headers:
                 self.headers[hdrs.CONTENT_LENGTH] = str(len(self.body))
 
-    def update_auth(self, auth: Optional[BasicAuth], trust_env: bool = False) -> None:
+    def update_auth(self, auth: Optional[AuthBase], trust_env: bool = False) -> None:
         """Set basic auth."""
         if auth is None:
             auth = self.auth
@@ -505,10 +507,12 @@ def update_auth(self, auth: Optional[BasicAuth], trust_env: bool = False) -> Non
         if auth is None:
             return
 
-        if not isinstance(auth, helpers.BasicAuth):
-            raise TypeError("BasicAuth() tuple is required instead")
+        if not isinstance(auth, BasicAuth) and not isinstance(auth, DigestAuth):
+            raise TypeError("BasicAuth() or DigestAuth() is required instead")
 
-        self.headers[hdrs.AUTHORIZATION] = auth.encode()
+        authorization_hdr = auth.encode(self.method, self.url, self.body)
+        if authorization_hdr:
+            self.headers[hdrs.AUTHORIZATION] = authorization_hdr
 
     def update_body_from_data(self, body: Any) -> None:
         if body is None:
@@ -561,7 +565,7 @@ def update_expect_continue(self, expect: bool = False) -> None:
     def update_proxy(
         self,
         proxy: Optional[URL],
-        proxy_auth: Optional[BasicAuth],
+        proxy_auth: Optional[AuthBase],
         proxy_headers: Optional[LooseHeaders],
     ) -> None:
         self.proxy = proxy
@@ -570,7 +574,7 @@ def update_proxy(
             self.proxy_headers = None
             return
 
-        if proxy_auth and not isinstance(proxy_auth, helpers.BasicAuth):
+        if proxy_auth and not isinstance(proxy_auth, BasicAuth):
             raise ValueError("proxy_auth must be None or BasicAuth() tuple")
         self.proxy_auth = proxy_auth