U
    Ha                  	   @   s  U d dl Z d dlZd dlZd dlZd dlZd dlZd dlZejr@dZ	dZ
edd ejjejjfD Zeje ed< e
ddfejeef ejeef eeje ejejeejf  eddd	Ze
ddfejeef ejeef eeje ejejeejf  edd
dZeeedddZeedddZeeeejeef dddZd eeeedddZeeedddZ eeeje dddZ!dS )!    NZ>abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789i c                 c   s"   | ]}|d k	r|dkr|V  qd S )N/ .0sepr   r   5/tmp/pip-unpacked-wheel-ub1y1qyw/werkzeug/security.py	<genexpr>   s      r   _os_alt_seps)datasalt
iterationskeylenhashfuncreturnc                 C   s$   t jdtdd t| |||| S )a  Like :func:`pbkdf2_bin`, but returns a hex-encoded string.

    :param data: the data to derive.
    :param salt: the salt for the derivation.
    :param iterations: the number of iterations.
    :param keylen: the length of the resulting key.  If not provided,
                   the digest size will be used.
    :param hashfunc: the hash function to use.  This can either be the
                     string name of a known hash function, or a function
                     from the hashlib module.  Defaults to sha256.

    .. deprecated:: 2.0
        Will be removed in Werkzeug 2.1. Use :func:`hashlib.pbkdf2_hmac`
        instead.

    .. versionadded:: 0.9
    zj'pbkdf2_hex' is deprecated and will be removed in Werkzeug 2.1. Use 'hashlib.pbkdf2_hmac().hex()' instead.   
stacklevel)warningswarnDeprecationWarning
pbkdf2_binhex)r
   r   r   r   r   r   r   r   
pbkdf2_hex   s    r   c                 C   sj   t jdtdd t| tr$| d} t|tr8|d}|sBd}nt|rT| j}n|}t	|| |||S )ae  Returns a binary digest for the PBKDF2 hash algorithm of `data`
    with the given `salt`. It iterates `iterations` times and produces a
    key of `keylen` bytes. By default, SHA-256 is used as hash function;
    a different hashlib `hashfunc` can be provided.

    :param data: the data to derive.
    :param salt: the salt for the derivation.
    :param iterations: the number of iterations.
    :param keylen: the length of the resulting key.  If not provided
                   the digest size will be used.
    :param hashfunc: the hash function to use.  This can either be the
                     string name of a known hash function or a function
                     from the hashlib module.  Defaults to sha256.

    .. deprecated:: 2.0
        Will be removed in Werkzeug 2.1. Use :func:`hashlib.pbkdf2_hmac`
        instead.

    .. versionadded:: 0.9
    zd'pbkdf2_bin' is deprecated and will be removed in Werkzeug 2.1. Use 'hashlib.pbkdf2_hmac()' instead.r   r   utf8sha256)
r   r   r   
isinstancestrencodecallablenamehashlibpbkdf2_hmac)r
   r   r   r   r   	hash_namer   r   r   r   5   s    




r   )abr   c                 C   sD   t jdtdd t| tr$| d} t|tr8|d}t| |S )ai  This function compares strings in somewhat constant time.  This
    requires that the length of at least one string is known in advance.

    Returns `True` if the two strings are equal, or `False` if they are not.

    .. deprecated:: 2.0
        Will be removed in Werkzeug 2.1. Use
        :func:`hmac.compare_digest` instead.

    .. versionadded:: 0.7
    zd'safe_str_cmp' is deprecated and will be removed in Werkzeug 2.1. Use 'hmac.compare_digest' instead.r   r   utf-8)r   r   r   r   r   r   hmaccompare_digest)r#   r$   r   r   r   safe_str_cmpg   s    



r(   )lengthr   c                 C   s(   | dkrt dddd t| D S )zAGenerate a random string of SALT_CHARS with specified ``length``.r   zSalt length must be positive c                 s   s   | ]}t tV  qd S N)secretschoice
SALT_CHARS)r   _r   r   r   r      s     zgen_salt.<locals>.<genexpr>)
ValueErrorjoinrange)r)   r   r   r   gen_salt   s    r3   )methodr   passwordr   c                 C   s   | dkr|| fS | d}| d}| dr|s:td| dd d}t|dkr`td	|d
} |r~t|d
 pzd
nt}t	| |||
 d|  d| fS |rt|||  | fS t| | | fS )zInternal password hash helper.  Supports plaintext without salt,
    unsalted and salted passwords.  In case salted passwords are used
    hmac is used.
    plainr%   zpbkdf2:zSalt is required for PBKDF2   N:)   r   z&Invalid number of arguments for PBKDF2r   )r   
startswithr0   splitlenpopintDEFAULT_PBKDF2_ITERATIONSr    r!   r   r&   new	hexdigest)r4   r   r5   argsr   r   r   r   _hash_internal   s$    



rC   pbkdf2:sha256   )r5   r4   salt_lengthr   c                 C   s8   |dkrt |nd}t||| \}}| d| d| S )a  Hash a password with the given method and salt with a string of
    the given length. The format of the string returned includes the method
    that was used so that :func:`check_password_hash` can check the hash.

    The format for the hashed string looks like this::

        method$salt$hash

    This method can **not** generate unsalted passwords but it is possible
    to set param method='plain' in order to enforce plaintext passwords.
    If a salt is used, hmac is used internally to salt the password.

    If PBKDF2 is wanted it can be enabled by setting the method to
    ``pbkdf2:method:iterations`` where iterations is optional::

        pbkdf2:sha256:80000$salt$hash
        pbkdf2:sha256$salt$hash

    :param password: the password to hash.
    :param method: the hash method to use (one that hashlib supports). Can
                   optionally be in the format ``pbkdf2:method:iterations``
                   to enable PBKDF2.
    :param salt_length: the length of the salt in letters.
    r6   r*   $)r3   rC   )r5   r4   rF   r   hZactual_methodr   r   r   generate_password_hash   s    rI   )pwhashr5   r   c                 C   s<   |  ddk rdS | dd\}}}tt|||d |S )a  Check a password against a given salted and hashed password value.
    In order to support unsalted legacy passwords this method supports
    plain text passwords, md5 and sha1 hashes (both salted and unsalted).

    Returns `True` if the password matched, `False` otherwise.

    :param pwhash: a hashed string like returned by
                   :func:`generate_password_hash`.
    :param password: the plaintext password to compare against the hash.
    rG   r   Fr   )countr;   r&   r'   rC   )rJ   r5   r4   r   Zhashvalr   r   r   check_password_hash   s    rL   )	directory	pathnamesr   c                    sp   | g}|D ]Z  dkr t   t fddtD sTtj sT dksT drZ dS |  q
t j	| S )a2  Safely join zero or more untrusted path components to a base
    directory to avoid escaping the base directory.

    :param directory: The trusted base directory.
    :param pathnames: The untrusted path components relative to the
        base directory.
    :return: A safe path, otherwise ``None``.
    r*   c                 3   s   | ]}| kV  qd S r+   r   r   filenamer   r   r      s     zsafe_join.<locals>.<genexpr>z..z../N)
	posixpathnormpathanyr	   ospathisabsr:   appendr1   )rM   rN   partsr   rO   r   	safe_join   s    	

rY   )rD   rE   )"r    r&   rT   rQ   r,   typingtr   TYPE_CHECKINGr.   r?   listrU   r   altsepr	   Listr   __annotations__Unionbytesr>   OptionalCallabler   r   boolr(   r3   TuplerC   rI   rL   rY   r   r   r   r   <module>   s`    $2"      