httpx-patched 1.6.2.1

data/lib/httpx/plugins/auth/digest.rb

@@ -0,0 +1,102 @@
+# frozen_string_literal: true
+
+require "time"
+require "securerandom"
+require "digest"
+
+module HTTPX
+  module Plugins
+    module Authentication
+      class Digest
+        def initialize(user, password, hashed: false, **)
+          @user = user
+          @password = password
+          @nonce = 0
+          @hashed = hashed
+        end
+
+        def can_authenticate?(authenticate)
+          authenticate && /Digest .*/.match?(authenticate)
+        end
+
+        def authenticate(request, authenticate)
+          "Digest #{generate_header(request.verb, request.path, authenticate)}"
+        end
+
+        private
+
+        def generate_header(meth, uri, authenticate)
+          # discard first token, it's Digest
+          auth_info = authenticate[/^(\w+) (.*)/, 2]
+
+          params = auth_info.split(/ *, */)
+                            .to_h { |val| val.split("=", 2) }
+                            .transform_values { |v| v.delete("\"") }
+          nonce = params["nonce"]
+          nc = next_nonce
+
+          # verify qop
+          qop = params["qop"]
+
+          if params["algorithm"] =~ /(.*?)(-sess)?$/
+            alg = Regexp.last_match(1)
+            algorithm = ::Digest.const_get(alg)
+            raise DigestError, "unknown algorithm \"#{alg}\"" unless algorithm
+
+            sess = Regexp.last_match(2)
+          else
+            algorithm = ::Digest::MD5
+          end
+
+          if qop || sess
+            cnonce = make_cnonce
+            nc = format("%<nonce>08x", nonce: nc)
+          end
+
+          a1 = if sess
+            [
+              (@hashed ? @password : algorithm.hexdigest("#{@user}:#{params["realm"]}:#{@password}")),
+              nonce,
+              cnonce,
+            ].join ":"
+          else
+            @hashed ? @password : "#{@user}:#{params["realm"]}:#{@password}"
+          end
+
+          ha1 = algorithm.hexdigest(a1)
+          ha2 = algorithm.hexdigest("#{meth}:#{uri}")
+          request_digest = [ha1, nonce]
+          request_digest.push(nc, cnonce, qop) if qop
+          request_digest << ha2
+          request_digest = request_digest.join(":")
+
+          header = [
+            %(username="#{@user}"),
+            %(nonce="#{nonce}"),
+            %(uri="#{uri}"),
+            %(response="#{algorithm.hexdigest(request_digest)}"),
+          ]
+          header << %(realm="#{params["realm"]}") if params.key?("realm")
+          header << %(algorithm=#{params["algorithm"]}) if params.key?("algorithm")
+          header << %(cnonce="#{cnonce}") if cnonce
+          header << %(nc=#{nc})
+          header << %(qop=#{qop}) if qop
+          header << %(opaque="#{params["opaque"]}") if params.key?("opaque")
+          header.join ", "
+        end
+
+        def make_cnonce
+          ::Digest::MD5.hexdigest [
+            Time.now.to_i,
+            Process.pid,
+            SecureRandom.random_number(2**32),
+          ].join ":"
+        end
+
+        def next_nonce
+          @nonce += 1
+        end
+      end
+    end
+  end
+end

data/lib/httpx/plugins/auth/ntlm.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+require "httpx/base64"
+require "ntlm"
+
+module HTTPX
+  module Plugins
+    module Authentication
+      class Ntlm
+        def initialize(user, password, domain: nil)
+          @user = user
+          @password = password
+          @domain = domain
+        end
+
+        def can_authenticate?(authenticate)
+          authenticate && /NTLM .*/.match?(authenticate)
+        end
+
+        def negotiate
+          "NTLM #{NTLM.negotiate(domain: @domain).to_base64}"
+        end
+
+        def authenticate(_req, www)
+          challenge = www[/NTLM (.*)/, 1]
+
+          challenge = Base64.decode64(challenge)
+          ntlm_challenge = NTLM.authenticate(challenge, @user, @domain, @password).to_base64
+
+          "NTLM #{ntlm_challenge}"
+        end
+      end
+    end
+  end
+end

data/lib/httpx/plugins/auth/socks5.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+module HTTPX
+  module Plugins
+    module Authentication
+      class Socks5
+        def initialize(user, password, **)
+          @user = user
+          @password = password
+        end
+
+        def can_authenticate?(*)
+          @user && @password
+        end
+
+        def authenticate(*)
+          [0x01, @user.bytesize, @user, @password.bytesize, @password].pack("CCA*CA*")
+        end
+      end
+    end
+  end
+end

data/lib/httpx/plugins/auth.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+module HTTPX
+  module Plugins
+    #
+    # This plugin adds a shim +authorization+ method to the session, which will fill
+    # the HTTP Authorization header, and another, +bearer_auth+, which fill the "Bearer " prefix
+    # in its value.
+    #
+    # https://gitlab.com/os85/httpx/wikis/Auth#auth
+    #
+    module Auth
+      module InstanceMethods
+        def authorization(token)
+          with(headers: { "authorization" => token })
+        end
+
+        def bearer_auth(token)
+          authorization("Bearer #{token}")
+        end
+      end
+    end
+    register_plugin :auth, Auth
+  end
+end

data/lib/httpx/plugins/aws_sdk_authentication.rb

@@ -0,0 +1,111 @@
+# frozen_string_literal: true
+
+module HTTPX
+  module Plugins
+    #
+    # This plugin applies AWS Sigv4 to requests, using the AWS SDK credentials and configuration.
+    #
+    # It requires the "aws-sdk-core" gem.
+    #
+    module AwsSdkAuthentication
+      # Mock configuration, to be used only when resolving credentials
+      class Configuration
+        attr_reader :profile
+
+        def initialize(profile)
+          @profile = profile
+        end
+
+        def respond_to_missing?(*)
+          true
+        end
+
+        def method_missing(*); end
+      end
+
+      #
+      # encapsulates access to an AWS SDK credentials store.
+      #
+      class Credentials
+        def initialize(aws_credentials)
+          @aws_credentials = aws_credentials
+        end
+
+        def username
+          @aws_credentials.access_key_id
+        end
+
+        def password
+          @aws_credentials.secret_access_key
+        end
+
+        def security_token
+          @aws_credentials.session_token
+        end
+      end
+
+      class << self
+        def load_dependencies(_klass)
+          require "aws-sdk-core"
+        end
+
+        def configure(klass)
+          klass.plugin(:aws_sigv4)
+        end
+
+        def extra_options(options)
+          options.merge(max_concurrent_requests: 1)
+        end
+
+        def credentials(profile)
+          mock_configuration = Configuration.new(profile)
+          Credentials.new(Aws::CredentialProviderChain.new(mock_configuration).resolve)
+        end
+
+        def region(profile)
+          # https://github.com/aws/aws-sdk-ruby/blob/version-3/gems/aws-sdk-core/lib/aws-sdk-core/plugins/regional_endpoint.rb#L62
+          keys = %w[AWS_REGION AMAZON_REGION AWS_DEFAULT_REGION]
+          env_region = ENV.values_at(*keys).compact.first
+          env_region = nil if env_region == ""
+          cfg_region = Aws.shared_config.region(profile: profile)
+          env_region || cfg_region
+        end
+      end
+
+      # adds support for the following options:
+      #
+      # :aws_profile :: AWS account profile to retrieve credentials from.
+      module OptionsMethods
+        private
+
+        def option_aws_profile(value)
+          String(value)
+        end
+      end
+
+      module InstanceMethods
+        #
+        # aws_authentication
+        # aws_authentication(credentials: Aws::Credentials.new('akid', 'secret'))
+        # aws_authentication()
+        #
+        def aws_sdk_authentication(
+          credentials: AwsSdkAuthentication.credentials(@options.aws_profile),
+          region: AwsSdkAuthentication.region(@options.aws_profile),
+          **options
+        )
+
+          aws_sigv4_authentication(
+            credentials: credentials,
+            region: region,
+            provider_prefix: "aws",
+            header_provider_field: "amz",
+            **options
+          )
+        end
+        alias_method :aws_auth, :aws_sdk_authentication
+      end
+    end
+    register_plugin :aws_sdk_authentication, AwsSdkAuthentication
+  end
+end

data/lib/httpx/plugins/aws_sigv4.rb

@@ -0,0 +1,239 @@
+# frozen_string_literal: true
+
+module HTTPX
+  module Plugins
+    #
+    # This plugin adds AWS Sigv4 authentication.
+    #
+    # https://docs.aws.amazon.com/IAM/latest/UserGuide/signing-elements.html
+    #
+    # https://gitlab.com/os85/httpx/wikis/AWS-SigV4
+    #
+    module AWSSigV4
+      Credentials = Struct.new(:username, :password, :security_token)
+
+      # Signs requests using the AWS sigv4 signing.
+      class Signer
+        def initialize(
+          service:,
+          region:,
+          credentials: nil,
+          username: nil,
+          password: nil,
+          security_token: nil,
+          provider_prefix: "aws",
+          header_provider_field: "amz",
+          unsigned_headers: [],
+          apply_checksum_header: true,
+          algorithm: "SHA256"
+        )
+          @credentials = credentials || Credentials.new(username, password, security_token)
+          @service = service
+          @region = region
+
+          @unsigned_headers = Set.new(unsigned_headers.map(&:downcase))
+          @unsigned_headers << "authorization"
+          @unsigned_headers << "x-amzn-trace-id"
+          @unsigned_headers << "expect"
+
+          @apply_checksum_header = apply_checksum_header
+          @provider_prefix = provider_prefix
+          @header_provider_field = header_provider_field
+
+          @algorithm = algorithm
+        end
+
+        def sign!(request)
+          lower_provider_prefix = "#{@provider_prefix}4"
+          upper_provider_prefix = lower_provider_prefix.upcase
+
+          downcased_algorithm = @algorithm.downcase
+
+          datetime = (request.headers["x-#{@header_provider_field}-date"] ||= Time.now.utc.strftime("%Y%m%dT%H%M%SZ"))
+          date = datetime[0, 8]
+
+          content_hashed = request.headers["x-#{@header_provider_field}-content-#{downcased_algorithm}"] || hexdigest(request.body)
+
+          request.headers["x-#{@header_provider_field}-content-#{downcased_algorithm}"] ||= content_hashed if @apply_checksum_header
+          request.headers["x-#{@header_provider_field}-security-token"] ||= @credentials.security_token if @credentials.security_token
+
+          signature_headers = request.headers.each.reject do |k, _|
+            @unsigned_headers.include?(k)
+          end
+          # aws sigv4 needs to declare the host, regardless of protocol version
+          signature_headers << ["host", request.authority] unless request.headers.key?("host")
+          signature_headers.sort_by!(&:first)
+
+          signed_headers = signature_headers.map(&:first).join(";")
+
+          canonical_headers = signature_headers.map do |k, v|
+            # eliminate whitespace between value fields, unless it's a quoted value
+            "#{k}:#{v.start_with?("\"") && v.end_with?("\"") ? v : v.gsub(/\s+/, " ").strip}\n"
+          end.join
+
+          # canonical request
+          creq = "#{request.verb}" \
+                 "\n#{request.canonical_path}" \
+                 "\n#{request.canonical_query}" \
+                 "\n#{canonical_headers}" \
+                 "\n#{signed_headers}" \
+                 "\n#{content_hashed}"
+
+          credential_scope = "#{date}" \
+                             "/#{@region}" \
+                             "/#{@service}" \
+                             "/#{lower_provider_prefix}_request"
+
+          algo_line = "#{upper_provider_prefix}-HMAC-#{@algorithm}"
+          # string to sign
+          sts = "#{algo_line}" \
+                "\n#{datetime}" \
+                "\n#{credential_scope}" \
+                "\n#{OpenSSL::Digest.new(@algorithm).hexdigest(creq)}"
+
+          # signature
+          k_date = hmac("#{upper_provider_prefix}#{@credentials.password}", date)
+          k_region = hmac(k_date, @region)
+          k_service = hmac(k_region, @service)
+          k_credentials = hmac(k_service, "#{lower_provider_prefix}_request")
+          sig = hexhmac(k_credentials, sts)
+
+          credential = "#{@credentials.username}/#{credential_scope}"
+          # apply signature
+          request.headers["authorization"] =
+            "#{algo_line} " \
+            "Credential=#{credential}, " \
+            "SignedHeaders=#{signed_headers}, " \
+            "Signature=#{sig}"
+        end
+
+        private
+
+        def hexdigest(value)
+          digest = OpenSSL::Digest.new(@algorithm)
+
+          if value.respond_to?(:read)
+            if value.respond_to?(:to_path)
+              # files, pathnames
+              digest.file(value.to_path).hexdigest
+            else
+              # gzipped request bodies
+              raise Error, "request body must be rewindable" unless value.respond_to?(:rewind)
+
+              buffer = Tempfile.new("httpx", encoding: Encoding::BINARY, mode: File::RDWR)
+              begin
+                IO.copy_stream(value, buffer)
+                buffer.flush
+
+                digest.file(buffer.to_path).hexdigest
+              ensure
+                value.rewind
+                buffer.close
+                buffer.unlink
+              end
+            end
+          else
+            # error on endless generators
+            raise Error, "hexdigest for endless enumerators is not supported" if value.unbounded_body?
+
+            mb_buffer = value.each.with_object("".b) do |chunk, b|
+              b << chunk
+              break if b.bytesize >= 1024 * 1024
+            end
+
+            digest.hexdigest(mb_buffer)
+          end
+        end
+
+        def hmac(key, value)
+          OpenSSL::HMAC.digest(OpenSSL::Digest.new(@algorithm), key, value)
+        end
+
+        def hexhmac(key, value)
+          OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new(@algorithm), key, value)
+        end
+      end
+
+      class << self
+        def load_dependencies(*)
+          require "set"
+          require "digest/sha2"
+          require "cgi/escape"
+        end
+
+        def configure(klass)
+          klass.plugin(:expect)
+        end
+      end
+
+      # adds support for the following options:
+      #
+      # :sigv4_signer :: instance of HTTPX::Plugins::AWSSigV4 used to sign requests.
+      module OptionsMethods
+        private
+
+        def option_sigv4_signer(value)
+          value.is_a?(Signer) ? value : Signer.new(value)
+        end
+      end
+
+      module InstanceMethods
+        def aws_sigv4_authentication(**options)
+          with(sigv4_signer: Signer.new(**options))
+        end
+
+        def build_request(*)
+          request = super
+
+          return request if request.headers.key?("authorization")
+
+          signer = request.options.sigv4_signer
+
+          return request unless signer
+
+          signer.sign!(request)
+
+          request
+        end
+      end
+
+      module RequestMethods
+        def canonical_path
+          path = uri.path.dup
+          path << "/" if path.empty?
+          path.gsub(%r{[^/]+}) { |part| CGI.escape(part.encode("UTF-8")).gsub("+", "%20").gsub("%7E", "~") }
+        end
+
+        def canonical_query
+          params = query.split("&")
+          # params = params.map { |p| p.match(/=/) ? p : p + '=' }
+          # From: https://docs.aws.amazon.com/IAM/latest/UserGuide/create-signed-request.html#create-canonical-request
+          # Sort the parameter names by character code point in ascending order.
+          # Parameters with duplicate names should be sorted by value.
+          #
+          # Default sort <=> in JRuby will swap members
+          # occasionally when <=> is 0 (considered still sorted), but this
+          # causes our normalized query string to not match the sent querystring.
+          # When names match, we then sort by their values.  When values also
+          # match then we sort by their original order
+          params.each.with_index.sort do |a, b|
+            a, a_offset = a
+            b, b_offset = b
+            a_name, a_value = a.split("=", 2)
+            b_name, b_value = b.split("=", 2)
+            if a_name == b_name
+              if a_value == b_value
+                a_offset <=> b_offset
+              else
+                a_value <=> b_value
+              end
+            else
+              a_name <=> b_name
+            end
+          end.map(&:first).join("&")
+        end
+      end
+    end
+    register_plugin :aws_sigv4, AWSSigV4
+  end
+end

data/lib/httpx/plugins/basic_auth.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+module HTTPX
+  module Plugins
+    #
+    # This plugin adds helper methods to implement HTTP Basic Auth (https://datatracker.ietf.org/doc/html/rfc7617)
+    #
+    # https://gitlab.com/os85/httpx/wikis/Auth#basic-auth
+    #
+    module BasicAuth
+      class << self
+        def load_dependencies(_klass)
+          require_relative "auth/basic"
+        end
+
+        def configure(klass)
+          klass.plugin(:auth)
+        end
+      end
+
+      module InstanceMethods
+        def basic_auth(user, password)
+          authorization(Authentication::Basic.new(user, password).authenticate)
+        end
+      end
+    end
+    register_plugin :basic_auth, BasicAuth
+  end
+end

data/lib/httpx/plugins/brotli.rb

@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+module HTTPX
+  module Plugins
+    module Brotli
+      class Deflater < Transcoder::Deflater
+        def deflate(chunk)
+          return unless chunk
+
+          ::Brotli.deflate(chunk)
+        end
+      end
+
+      module RequestBodyClassMethods
+        def initialize_deflater_body(body, encoding)
+          return Brotli.encode(body) if encoding == "br"
+
+          super
+        end
+      end
+
+      module ResponseBodyClassMethods
+        def initialize_inflater_by_encoding(encoding, response, **kwargs)
+          return Brotli.decode(response, **kwargs) if encoding == "br"
+
+          super
+        end
+      end
+
+      module_function
+
+      def load_dependencies(*)
+        require "brotli"
+      end
+
+      def self.extra_options(options)
+        options.merge(supported_compression_formats: %w[br] + options.supported_compression_formats)
+      end
+
+      def encode(body)
+        Deflater.new(body)
+      end
+
+      def decode(_response, **)
+        ::Brotli.method(:inflate)
+      end
+    end
+    register_plugin :brotli, Brotli
+  end
+end