gh-128192: support sha-256 digest authentication #128193

Open
wants to merge 3 commits into
base: main
@calvinbui calvinbui commented Dec 23, 2024

As mentioned in the issue, other authentication algorithms exist, but I don't see them supported out of the box in hashlib.

This all depends on whether Python wishes to support RFC 7616.

cpython-cla-bot bot commented Dec 23, 2024

All commit authors signed the Contributor License Agreement.

bedevere-app bot commented Dec 23, 2024

Most changes to Python require a NEWS entry. Add one using the blurb_it web app or the blurb command-line tool.

If this change has little impact on Python users, wait for a maintainer to apply the skip news label instead.

Member

ZeroIntensity commented Dec 23, 2024

cc @picnixz (cryptography expert)

Contributor

It looks fine, but you should add a test.

from RFC-7616

   This specification defines the following algorithms:

   o  SHA2-256 (mandatory to implement)

   o  SHA2-512/256 (as a backup algorithm)

   o  MD5 (for backward compatibility).

Author

I don't know, I assume I would just be re-writing a test that probably exists in hashlib?

I've only found a single test written for this function that checks for an invalid algorithm.

Contributor

hashlib does not need to be tested. What needs to be tested is that MD5, SHA and SHA-256 are recognized algorithms if you specify them as is in the request headers. This is an opportunity to add tests for this as well.

Contributor

@picnixz picnixz left a comment

A preliminary round of comments. You can also update "RFC 2617" to "RFC 2617/7616" in the AbstractDigestAuthHandler comment.

@@ -1182,6 +1182,8 @@ def get_algorithm_impls(self, algorithm):
elif algorithm == 'SHA':
H = lambda x: hashlib.sha1(x.encode("ascii")).hexdigest()
# XXX MD5-sess
elif algorithm == 'SHA-256':
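
Review bot: the `# XXX MD5-sess` marker sitting directly above the new `elif algorithm == 'SHA-256':` branch now understates what is unhandled. RFC 7616 also defines a `SHA-256-sess` variant, and because every branch shown compares the token by exact equality, a challenge carrying that name is matched by none of them. Reword the marker to cover the session variants in general, and add a test that `algorithm=SHA-256` in a challenge is accepted while `SHA-256-sess` is rejected with a clear error.
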
Contributor

Can you move the XXX MD5-sess before the else and not before the elif? Thanks. In addition, mention that the algorithm names are taken from https://datatracker.ietf.org/doc/html/rfc7616#section-6.1.

@@ -0,0 +1 @@
Support digest authentication algorithm SHA-256 in :mod:`urllib.request`.
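
Review bot: the added NEWS line names the algorithm but not the specification it comes from or the handler that gains it. Cite :rfc:`7616` and mention `AbstractDigestAuthHandler`, so a reader scanning the changelog can tell this concerns the HTTP Digest challenge's `algorithm` value and not a new hashlib feature.
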
Contributor

Suggested change
Support digest authentication algorithm SHA-256 in :mod:`urllib.request`.
Upgrade HTTP digest authentication algorithm for :mod:`urllib.request` by
supporting SHA-2/256 digest authentication as specified in :rfc:`7616`.

This also requires a What's New entry. However, we do not have any documentation concerning HTTP digest access authentication (we only have https://docs.python.org/3/library/urllib.request.html#abstractdigestauthhandler-objects but never do we mention which digests we are supporting). Nonetheless, maybe we can update the wording of that documented entry.
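
The kind of check the review asks for (that `MD5`, `SHA` and `SHA-256` are recognized when they appear as-is in a challenge) can be sketched as follows. This is an added example, not code from the pull request or from CPython: `HASHES`, `get_hash`, `digest_response` and `responses_by_algorithm` are hypothetical names, and the sample challenge reuses the values of the RFC 2617 section 3.5 example.

```python
import hashlib
from urllib.request import parse_http_list, parse_keqv_list

# Tokens a server may send in `algorithm=`: MD5 and the legacy SHA name, plus
# SHA-256 from RFC 7616. This table belongs to the example, not to CPython.
HASHES = {"MD5": hashlib.md5, "SHA": hashlib.sha1, "SHA-256": hashlib.sha256}


def get_hash(algorithm):
    """Return H(str) -> hex digest for the challenge's algorithm token."""
    try:
        ctor = HASHES[algorithm]
    except KeyError:
        # Exact-match lookup: '-sess' variants and unknown names are rejected.
        raise ValueError(f"unsupported digest algorithm {algorithm!r}") from None
    return lambda s: ctor(s.encode("ascii")).hexdigest()


def digest_response(challenge, user, password, method, uri, cnonce, nc="00000001"):
    """Compute the 'response' value for a qop=auth Digest challenge."""
    chal = parse_keqv_list(parse_http_list(challenge))
    H = get_hash(chal.get("algorithm", "MD5"))  # MD5 when the parameter is absent
    ha1 = H(f"{user}:{chal['realm']}:{password}")
    ha2 = H(f"{method}:{uri}")
    return H(f"{ha1}:{chal['nonce']}:{nc}:{cnonce}:auth:{ha2}")


# Constructed challenge (the text after "Digest "), RFC 2617 sample values.
BASE = ('realm="testrealm@host.com", qop="auth,auth-int", '
        'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093"')


def responses_by_algorithm():
    """Answer the same challenge with no token and with each supported token."""
    out = {}
    for token in (None, "MD5", "SHA", "SHA-256"):
        challenge = BASE if token is None else f"{BASE}, algorithm={token}"
        out[token] = digest_response(challenge, "Mufasa", "Circle Of Life",
                                     "GET", "/dir/index.html", "0a4f113b")
    return out


if __name__ == "__main__":
    for token, resp in responses_by_algorithm().items():
        print(token, resp)
```

The MD5 result reproduces the response published in RFC 2617, which confirms the construction before the hash is swapped; the other tokens change only the digest function and therefore the length of the hex string.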
