././@PaxHeader0000000000000000000000000000003400000000000011452 xustar000000000000000028 mtime=1629918151.7656353 scramp-1.4.1/0000775000175000017500000000000000000000000013571 5ustar00tlocketlocke00000000000000././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1627291001.0 scramp-1.4.1/LICENSE0000664000175000017500000000205300000000000014576 0ustar00tlocketlocke00000000000000MIT License Copyright (c) 2019 Tony Locke Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1627291001.0 scramp-1.4.1/MANIFEST.in0000664000175000017500000000011500000000000015324 0ustar00tlocketlocke00000000000000include versioneer.py include scramp/_version.py include LICENSE README.adoc ././@PaxHeader0000000000000000000000000000003400000000000011452 xustar000000000000000028 mtime=1629918151.7656353 scramp-1.4.1/PKG-INFO0000664000175000017500000000226600000000000014674 0ustar00tlocketlocke00000000000000Metadata-Version: 1.2 Name: scramp Version: 1.4.1 Summary: An implementation of the SCRAM protocol. Home-page: https://github.com/tlocke/scramp Maintainer: Tony Locke Maintainer-email: tlocke@tlocke.org.uk License: MIT Description: Scramp ------ A pure-Python implementation of the SCRAM authentication protocol. Keywords: SCRAM authentication SASL Platform: UNKNOWN Classifier: Development Status :: 3 - Alpha Classifier: Intended Audience :: Developers Classifier: License :: OSI Approved :: MIT License Classifier: Programming Language :: Python Classifier: Programming Language :: Python :: 3 Classifier: Programming Language :: Python :: 3.6 Classifier: Programming Language :: Python :: 3.7 Classifier: Programming Language :: Python :: 3.8 Classifier: Programming Language :: Python :: Implementation Classifier: Programming Language :: Python :: Implementation :: CPython Classifier: Programming Language :: Python :: Implementation :: Jython Classifier: Programming Language :: Python :: Implementation :: PyPy Classifier: Operating System :: OS Independent Classifier: Topic :: Software Development :: Libraries :: Python Modules Requires-Python: >=3.6 ././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1629918030.0 scramp-1.4.1/README.adoc0000664000175000017500000003711700000000000015367 0ustar00tlocketlocke00000000000000= Scramp :toc: preamble :toclevels: 2 A Python implementation of the SCRAM authentication protocol defined 
by https://tools.ietf.org/html/rfc5802[RFC 5802] and https://www.rfc-editor.org/rfc/rfc7677.txt[RFC 7677]. Scramp supports the following mechanisms: * SCRAM-SHA-1 * SCRAM-SHA-1-PLUS * SCRAM-SHA-256 * SCRAM-SHA-256-PLUS * SCRAM-SHA-512 * SCRAM-SHA-512-PLUS * SCRAM-SHA3-512 * SCRAM-SHA3-512-PLUS == Installation * Create a virtual environment: `python3 -m venv venv` * Activate the virtual environment: `source venv/bin/activate` * Install: `pip install scramp` == Examples === Client and Server Here's an example using both the client and the server. It's a bit contrived as normally you'd be using either the client or server on its own. ``` >>> from scramp import ScramClient, ScramMechanism >>> >>> USERNAME = 'user' >>> PASSWORD = 'pencil' >>> MECHANISMS = ['SCRAM-SHA-256'] >>> >>> >>> # Choose a mechanism for our server >>> m = ScramMechanism() # Default is SCRAM-SHA-256 >>> >>> # On the server side we create the authentication information for each user >>> # and store it in an authentication database. We'll use a dict: >>> db = {} >>> >>> salt, stored_key, server_key, iteration_count = m.make_auth_info(PASSWORD) >>> >>> db[USERNAME] = salt, stored_key, server_key, iteration_count >>> >>> # Define your own function for retrieving the authentication information >>> # from the database given a username >>> >>> def auth_fn(username): ... 
return db[username] >>> >>> # Make the SCRAM server >>> s = m.make_server(auth_fn) >>> >>> # Now set up the client and carry out authentication with the server >>> c = ScramClient(MECHANISMS, USERNAME, PASSWORD) >>> cfirst = c.get_client_first() >>> >>> s.set_client_first(cfirst) >>> sfirst = s.get_server_first() >>> >>> c.set_server_first(sfirst) >>> cfinal = c.get_client_final() >>> >>> s.set_client_final(cfinal) >>> sfinal = s.get_server_final() >>> >>> c.set_server_final(sfinal) >>> >>> # If it all runs through without raising an exception, the authentication >>> # has succeeded ``` === Client only Here's an example using just the client. The client nonce is specified in order to give a reproducible example, but in production you'd omit the `c_nonce` parameter and let `ScramClient` generate a client nonce: ``` >>> from scramp import ScramClient >>> >>> USERNAME = 'user' >>> PASSWORD = 'pencil' >>> C_NONCE = 'rOprNGfwEbeRWgbNEkqO' >>> MECHANISMS = ['SCRAM-SHA-256'] >>> >>> # Normally the c_nonce would be omitted, in which case ScramClient will >>> # generate the nonce itself. >>> >>> c = ScramClient(MECHANISMS, USERNAME, PASSWORD, c_nonce=C_NONCE) >>> >>> # Get the client first message and send it to the server >>> cfirst = c.get_client_first() >>> print(cfirst) n,,n=user,r=rOprNGfwEbeRWgbNEkqO >>> >>> # Set the first message from the server >>> c.set_server_first( ... 'r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0,' ... 's=W22ZaJ0SNY7soEsUEjb6gQ==,i=4096') >>> >>> # Get the client final message and send it to the server >>> cfinal = c.get_client_final() >>> print(cfinal) c=biws,r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0,p=dHzbZapWIk4jUhN+Ute9ytag9zjfMHgsqmmiz7AndVQ= >>> >>> # Set the final message from the server >>> c.set_server_final('v=6rriTRBi23WpRR/wtup+mMhUZUn/dB5nLTJRsjl95G4=') >>> >>> # If it all runs through without raising an exception, the authentication >>> # has succeeded ``` === Server only Here's an example using just the server. 
The server nonce and salt is specified in order to give a reproducible example, but in production you'd omit the `s_nonce` and `salt` parameters and let Scramp generate them: ``` >>> from scramp import ScramMechanism >>> >>> USERNAME = 'user' >>> PASSWORD = 'pencil' >>> S_NONCE = '%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0' >>> SALT = b'[m\x99h\x9d\x125\x8e\xec\xa0K\x14\x126\xfa\x81' >>> >>> db = {} >>> >>> m = ScramMechanism() >>> >>> salt, stored_key, server_key, iteration_count = m.make_auth_info( ... PASSWORD, salt=SALT) >>> >>> db[USERNAME] = salt, stored_key, server_key, iteration_count >>> >>> # Define your own function for getting a password given a username >>> def auth_fn(username): ... return db[username] >>> >>> # Normally the s_nonce parameter would be omitted, in which case the >>> # server will generate the nonce itself. >>> >>> s = m.make_server(auth_fn, s_nonce=S_NONCE) >>> >>> # Set the first message from the client >>> s.set_client_first('n,,n=user,r=rOprNGfwEbeRWgbNEkqO') >>> >>> # Get the first server message, and send it to the client >>> sfirst = s.get_server_first() >>> print(sfirst) r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0,s=W22ZaJ0SNY7soEsUEjb6gQ==,i=4096 >>> >>> # Set the final message from the client >>> s.set_client_final( ... 'c=biws,r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0,' ... 'p=dHzbZapWIk4jUhN+Ute9ytag9zjfMHgsqmmiz7AndVQ=') >>> >>> # Get the final server message and send it to the client >>> sfinal = s.get_server_final() >>> print(sfinal) v=6rriTRBi23WpRR/wtup+mMhUZUn/dB5nLTJRsjl95G4= >>> >>> # If it all runs through without raising an exception, the authentication >>> # has succeeded ``` === Server only with passlib Here's an example using just the server and using the https://passlib.readthedocs.io/en/stable/index.html[passlib hashing library]. 
The server nonce and salt is specified in order to give a reproducible example, but in production you'd omit the `s_nonce` and `salt` parameters and let Scramp generate them: ``` >>> from scramp import ScramMechanism >>> from passlib.hash import scram >>> >>> USERNAME = 'user' >>> PASSWORD = 'pencil' >>> S_NONCE = '%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0' >>> SALT = b'[m\x99h\x9d\x125\x8e\xec\xa0K\x14\x126\xfa\x81' >>> ITERATION_COUNT = 4096 >>> >>> db = {} >>> hash = scram.using(salt=SALT, rounds=ITERATION_COUNT).hash(PASSWORD) >>> >>> salt, iteration_count, digest = scram.extract_digest_info(hash, 'sha-256') >>> >>> stored_key, server_key = m.make_stored_server_keys(digest) >>> >>> db[USERNAME] = salt, stored_key, server_key, iteration_count >>> >>> # Define your own function for getting a password given a username >>> def auth_fn(username): ... return db[username] >>> >>> # Normally the s_nonce parameter would be omitted, in which case the >>> # server will generate the nonce itself. >>> >>> m = ScramMechanism() >>> s = m.make_server(auth_fn, s_nonce=S_NONCE) >>> >>> # Set the first message from the client >>> s.set_client_first('n,,n=user,r=rOprNGfwEbeRWgbNEkqO') >>> >>> # Get the first server message, and send it to the client >>> sfirst = s.get_server_first() >>> print(sfirst) r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0,s=W22ZaJ0SNY7soEsUEjb6gQ==,i=4096 >>> >>> # Set the final message from the client >>> s.set_client_final( ... 'c=biws,r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0,' ... 'p=dHzbZapWIk4jUhN+Ute9ytag9zjfMHgsqmmiz7AndVQ=') >>> >>> # Get the final server message and send it to the client >>> sfinal = s.get_server_final() >>> print(sfinal) v=6rriTRBi23WpRR/wtup+mMhUZUn/dB5nLTJRsjl95G4= >>> >>> # If it all runs through without raising an exception, the authentication >>> # has succeeded ``` === Server Error Here's an example of when setting a message from the client causes an error. 
The server nonce and salt are specified in order to give a reproducible example, but in production you'd omit the `s_nonce` and `salt` parameters and let Scramp generate them: ``` >>> from scramp import ScramException, ScramMechanism >>> >>> USERNAME = 'user' >>> PASSWORD = 'pencil' >>> S_NONCE = '%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0' >>> SALT = b'[m\x99h\x9d\x125\x8e\xec\xa0K\x14\x126\xfa\x81' >>> >>> db = {} >>> >>> m = ScramMechanism() >>> >>> salt, stored_key, server_key, iteration_count = m.make_auth_info( ... PASSWORD, salt=SALT) >>> >>> db[USERNAME] = salt, stored_key, server_key, iteration_count >>> >>> # Define your own function for getting a password given a username >>> def auth_fn(username): ... return db[username] >>> >>> # Normally the s_nonce parameter would be omitted, in which case the >>> # server will generate the nonce itself. >>> >>> s = m.make_server(auth_fn, s_nonce=S_NONCE) >>> >>> try: ... # Set the first message from the client ... s.set_client_first('p=tls-unique,,n=user,r=rOprNGfwEbeRWgbNEkqO') ... except ScramException as e: ... print(e) ... # Get the final server message and send it to the client ... sfinal = s.get_server_final() ... print(sfinal) Received GS2 flag 'p' which indicates that the client requires channel binding, but the server does not. channel-binding-not-supported e=channel-binding-not-supported ``` == API Docs === scramp.MECHANISMS A tuple of the supported mechanism names. === scramp.ScramClient `ScramClient(mechanisms, username, password, channel_binding=None, c_nonce=None)`:: Constructor of the `ScramClient` class, with the following parameters: `mechanisms`::: A list or tuple of mechanism names. ScramClient will choose the most secure. If `channel_binding` is `None`, the '-PLUS' variants will be filtered out first. The chosen mechanism is available as the property `mechanism_name`. `username`::: `password`::: `channel_binding`::: Providing a value for this parameter allows channel binding to be used (ie. 
it lets you use mechanisms ending in '-PLUS'). The value for `channel_binding` is a tuple consisting of the channel binding name and the channel binding data. For example, if the channel binding name is 'tls-unique', the `channel_binding` parameter would be `('tls-unique', data)`, where `data` is obtained by calling https://docs.python.org/3/library/ssl.html#ssl.SSLSocket.get_channel_binding[SSLSocket.get_channel_binding()]. `c_nonce`::: The client nonce. It's sometimes useful to set this when testing / debugging, but in production this should be omitted, in which case `ScramClient` will generate a client nonce. The `ScramClient` object has the following methods and properties: `get_client_first()`:: Get the client first message. `set_server_first(message)`:: Set the first message from the server. `get_client_final()`:: Get the final client message. `set_server_final(message)`:: Set the final message from the server. `mechanism_name`:: The mechanism chosen from the list given in the constructor. === scramp.ScramMechanism `ScramMechanism(mechanism='SCRAM-SHA-256')`:: Constructor of the `ScramMechanism` class, with the following parameter: `mechanism`::: The SCRAM mechanism to use. The `ScramMechanism` object has the following methods and properties: `make_auth_info(password, iteration_count=None, salt=None)`:: returns the tuple `(salt, stored_key, server_key, iteration_count)` which is stored in the authentication database on the server side. It has the following parameters: `password`::: The user's password as a `str`. `iteration_count`::: The rounds as an `int`. If `None` then use the minimum associated with the mechanism. `salt`::: It's sometimes useful to set this binary parameter when testing / debugging, but in production this should be omitted, in which case a salt will be generated. `make_server(auth_fn, channel_binding=None, s_nonce=None)`:: returns a `ScramServer` object. 
It takes the following parameters: `auth_fn`::: This is a function provided by the programmer that has one parameter, a username of type `str`, and returns the tuple `(salt, stored_key, server_key, iteration_count)`, where `salt`, `stored_key` and `server_key` are of a binary type, and `iteration_count` is an `int`. `channel_binding`::: Providing a value for this parameter allows channel binding to be used (ie. it lets you use mechanisms ending in '-PLUS'). The value for `channel_binding` is a tuple consisting of the channel binding name and the channel binding data. For example, if the channel binding name is 'tls-unique', the `channel_binding` parameter would be `('tls-unique', data)`, where `data` is obtained by calling https://docs.python.org/3/library/ssl.html#ssl.SSLSocket.get_channel_binding[SSLSocket.get_channel_binding()]. `s_nonce`::: The server nonce as a `str`. It's sometimes useful to set this when testing / debugging, but in production this should be omitted, in which case `ScramServer` will generate a server nonce. `make_stored_server_keys(salted_password)`:: returns `(stored_key, server_key)` tuple of `bytes` objects given a salted password. This is useful if you want to use a separate hashing implementation from the one provided by Scramp. It takes the following parameter: `salted_password`::: A binary object representing the hashed password. `iteration_count`:: The minimum iteration count recommended for this mechanism. === scramp.ScramServer The `ScramServer` object has the following methods: `set_client_first(message)`:: Set the first message from the client. `get_server_first()`:: Get the server first message. `set_client_final(message)`:: Set the final client message. `get_server_final()`:: Get the server final message. === scramp.make_channel_binding() A helper function that makes a `channel_binding` tuple when given a channel binding name and an SSL socket. 
The parameters are: `name`::: A channel binding name such as 'tls-unique' or 'tls-server-end-point'. `ssl_socket`::: An instance of an https://docs.python.org/3/library/ssl.html#ssl.SSLSocket[ssl socket]. == Testing * Activate the virtual environment: `source venv/bin/activate` * Install `tox`: `pip install tox` * Run `tox`: `tox` == Doing A Release Of Scramp Run `tox` to make sure all tests pass, then update the release notes, then do: ``` git tag -a x.y.z -m "version x.y.z" rm -r dist python setup.py sdist bdist_wheel --python-tag py3 for f in dist/*; do gpg --detach-sign -a $f; done twine upload dist/* ``` == Release Notes === Version 1.4.1, 2021-08-25 * When using `make_channel_binding()` to create a tls-server-end-point channel binding, support certificates with hash algorithm of sha512. === Version 1.4.0, 2021-03-28 * Raise an exception if the client receives an error from the server. === Version 1.3.0, 2021-03-28 * As the specification allows, server errors are now sent to the client in the `server_final` message, an exception is still thrown as before. === Version 1.2.2, 2021-02-13 * Fix bug in generating the AuthMessage. It was incorrect when channel binding was used. So now Scramp supports channel binding. === Version 1.2.1, 2021-02-07 * Add support for channel binding. * Add support for SCRAM-SHA-512 and SCRAM-SHA3-512 and their channel binding variants. === Version 1.2.0, 2020-05-30 * This is a backwardly incompatible change on the server side, the client side will work as before. The idea of this change is to make it possible to have an authentication database. That is, the authentication information can be stored, and then retrieved when needed to authenticate the user. * In addition, it's now possible on the server side to use a third party hashing library such as passlib as the hashing implementation. === Version 1.1.1, 2020-03-28 * Add the README and LICENCE to the distribution. 
=== Version 1.1.0, 2019-02-24 * Add support for the SCRAM-SHA-1 mechanism. === Version 1.0.0, 2019-02-17 * Implement the server side as well as the client side. === Version 0.0.0, 2019-02-10 * Copied SCRAM implementation from https://github.com/tlocke/pg8000[pg8000]. The idea is to make it a general SCRAM implemtation. Credit to the https://github.com/cagdass/scrampy[Scrampy] project which I read through to help with this project. Also credit to the https://github.com/efficks/passlib[passlib] project from which I copied the `saslprep` function. ././@PaxHeader0000000000000000000000000000003400000000000011452 xustar000000000000000028 mtime=1629918151.7656353 scramp-1.4.1/scramp/0000775000175000017500000000000000000000000015056 5ustar00tlocketlocke00000000000000././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1627291001.0 scramp-1.4.1/scramp/__init__.py0000664000175000017500000000043400000000000017170 0ustar00tlocketlocke00000000000000from scramp.core import ( ScramClient, ScramException, ScramMechanism, make_channel_binding, ) __all__ = [ScramClient, ScramMechanism, ScramException, make_channel_binding] from ._version import get_versions __version__ = get_versions()["version"] del get_versions ././@PaxHeader0000000000000000000000000000003400000000000011452 xustar000000000000000028 mtime=1629918151.7656353 scramp-1.4.1/scramp/_version.py0000664000175000017500000000076100000000000017260 0ustar00tlocketlocke00000000000000 # This file was generated by 'versioneer.py' (0.19) from # revision-control system data, or from the parent directory name of an # unpacked source archive. Distribution tarballs contain a pre-generated copy # of this file. 
import json version_json = ''' { "date": "2021-08-25T20:00:39+0100", "dirty": false, "error": null, "full-revisionid": "c4d2e89ca029467a0010abdd13d6ec9ead063d9e", "version": "1.4.1" } ''' # END VERSION_JSON def get_versions(): return json.loads(version_json) ././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1629917756.0 scramp-1.4.1/scramp/core.py0000664000175000017500000005124300000000000016365 0ustar00tlocketlocke00000000000000import hashlib import unicodedata from enum import IntEnum, unique from functools import wraps from operator import attrgetter from os import urandom from stringprep import ( in_table_a1, in_table_b1, in_table_c12, in_table_c21_c22, in_table_c3, in_table_c4, in_table_c5, in_table_c6, in_table_c7, in_table_c8, in_table_c9, in_table_d1, in_table_d2, ) from uuid import uuid4 from asn1crypto.x509 import Certificate from scramp.utils import b64dec, b64enc, h, hi, hmac, uenc, xor # https://tools.ietf.org/html/rfc5802 # https://www.rfc-editor.org/rfc/rfc7677.txt @unique class ClientStage(IntEnum): get_client_first = 1 set_server_first = 2 get_client_final = 3 set_server_final = 4 @unique class ServerStage(IntEnum): set_client_first = 1 get_server_first = 2 set_client_final = 3 get_server_final = 4 def _check_stage(Stages, current_stage, next_stage): if current_stage is None: if next_stage != 1: raise ScramException(f"The method {Stages(1).name} must be called first.") elif current_stage == 4: raise ScramException("The authentication sequence has already finished.") elif next_stage != current_stage + 1: raise ScramException( f"The next method to be called is " f"{Stages(current_stage + 1).name}, not this method." 
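)


class ScramException(Exception):
    """Error raised when a SCRAM exchange cannot proceed.

    ``server_error`` optionally carries the error string that the server
    side reports to the client; when it is set, ``str()`` appends it to the
    message after a single space.
    """

    def __init__(self, message, server_error=None):
        super().__init__(message)
        self.server_error = server_error

    def __str__(self):
        s_str = "" if self.server_error is None else f" {self.server_error}"
        return super().__str__() + s_str


# Names accepted by ScramMechanism.
MECHANISMS = (
    "SCRAM-SHA-1",
    "SCRAM-SHA-1-PLUS",
    "SCRAM-SHA-256",
    "SCRAM-SHA-256-PLUS",
    "SCRAM-SHA-512",
    "SCRAM-SHA-512-PLUS",
    "SCRAM-SHA3-512",
    "SCRAM-SHA3-512-PLUS",
)


# Channel binding names accepted by _validate_channel_binding().
CHANNEL_TYPES = (
    "tls-server-end-point",
    "tls-unique",
    "tls-unique-for-telnet",
)


def make_channel_binding(name, ssl_socket):
    """Build a ``(name, data)`` channel binding tuple from an SSL socket.

    Only 'tls-unique' and 'tls-server-end-point' are built here; any other
    name (including 'tls-unique-for-telnet', which CHANNEL_TYPES lists)
    raises ScramException.

    NOTE(review): 'tls-unique' is not defined for TLS 1.3, so confirm which
    protocol versions the socket may negotiate before relying on it.
    """
    if name == "tls-unique":
        return (name, ssl_socket.get_channel_binding(name))
    elif name == "tls-server-end-point":
        cert_bin = ssl_socket.getpeercert(binary_form=True)
        cert = Certificate.load(cert_bin)

        # Find the hash algorithm to use according to
        # https://tools.ietf.org/html/rfc5929#section-4
        # (certificates signed with md5 or sha1 are hashed with sha256).
        hash_algo = cert.hash_algo
        if hash_algo in ("md5", "sha1"):
            hash_algo = "sha256"

        try:
            hash_obj = hashlib.new(hash_algo)
        except ValueError as e:
            # Chain the cause so the hashlib failure stays in the traceback.
            raise ScramException(
                f"Hash algorithm {hash_algo} not supported by hashlib. {e}"
            ) from e
        hash_obj.update(cert_bin)
        return ("tls-server-end-point", hash_obj.digest())
    else:
        raise ScramException(f"Channel binding name {name} not recognized.")


class ScramMechanism:
    """One SCRAM mechanism: its hash, channel-binding flag and defaults."""

    # name -> (hash constructor, uses channel binding,
    #          default iteration count, strength rank)
    # The iteration count is only the default used by make_auth_info() when
    # the caller passes none; a larger value can be passed explicitly.
    MECH_LOOKUP = {
        "SCRAM-SHA-1": (hashlib.sha1, False, 4096, 0),
        "SCRAM-SHA-1-PLUS": (hashlib.sha1, True, 4096, 1),
        "SCRAM-SHA-256": (hashlib.sha256, False, 4096, 2),
        "SCRAM-SHA-256-PLUS": (hashlib.sha256, True, 4096, 3),
        "SCRAM-SHA-512": (hashlib.sha512, False, 4096, 4),
        "SCRAM-SHA-512-PLUS": (hashlib.sha512, True, 4096, 5),
        "SCRAM-SHA3-512": (hashlib.sha3_512, False, 10000, 6),
        "SCRAM-SHA3-512-PLUS": (hashlib.sha3_512, True, 10000, 7),
    }

    def __init__(self, mechanism="SCRAM-SHA-256"):
        """Look up ``mechanism``; raise ScramException if it is unsupported."""
        if mechanism not in MECHANISMS:
            raise ScramException(
                f"The mechanism name '{mechanism}' is not supported. The "
                f"supported mechanisms are {MECHANISMS}."
            )
        self.name = mechanism
        (
            self.hf,
            self.use_binding,
            self.iteration_count,
            self.strength,
        ) = self.MECH_LOOKUP[mechanism]

    def make_auth_info(self, password, iteration_count=None, salt=None):
        """Return ``(salt, stored_key, server_key, iteration_count)``.

        ``iteration_count`` defaults to the mechanism's value; a salt is
        generated when ``salt`` is None.
        """
        if iteration_count is None:
            iteration_count = self.iteration_count
        salt, stored_key, server_key = _make_auth_info(
            self.hf, password, iteration_count, salt=salt
        )
        return salt, stored_key, server_key, iteration_count

    def make_stored_server_keys(self, salted_password):
        """Return ``(stored_key, server_key)`` for a salted password."""
        _, stored_key, server_key = _c_key_stored_key_s_key(self.hf, salted_password)
        return stored_key, server_key

    def make_server(self, auth_fn, channel_binding=None, s_nonce=None):
        """Return a ScramServer that uses this mechanism."""
        return ScramServer(
            self, auth_fn, channel_binding=channel_binding, s_nonce=s_nonce
        )


def _make_auth_info(hf, password, i, salt=None):
    """Derive ``(salt, stored_key, server_key)`` from a password.

    When ``salt`` is None, 16 bytes are drawn from ``os.urandom``.
    """
    if salt is None:
        salt = urandom(16)

    salted_password = _make_salted_password(hf, password, salt, i)
    _, stored_key, server_key = _c_key_stored_key_s_key(hf, salted_password)
    return salt, stored_key, server_key


def _validate_channel_binding(channel_binding):
    """Raise ScramException unless the value is None or ``(type, bytes)``."""
    if channel_binding is None:
        return

    if not isinstance(channel_binding, tuple):
        raise ScramException(
            "The channel_binding parameter must either be None or a tuple."
        )

    if len(channel_binding) != 2:
        raise ScramException(
            "The channel_binding parameter must either be None or a tuple of "
            "two elements (type, data)."
        )

    channel_type, channel_data = channel_binding
    if channel_type not in CHANNEL_TYPES:
        # The last fragment needs the f prefix, otherwise the message shows
        # the literal text "{CHANNEL_TYPES}" instead of the accepted names.
        raise ScramException(
            "The channel_binding parameter must either be None or a tuple "
            "with the first element a str specifying one of the channel "
            f"types {CHANNEL_TYPES}."
        )

    if not isinstance(channel_data, bytes):
        raise ScramException(
            "The channel_binding parameter must either be None or a tuple "
            "with the second element a bytes object containing the bind data."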
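)


class ScramClient:
    """Client side of a SCRAM exchange.

    The methods must be called in the order get_client_first,
    set_server_first, get_client_final, set_server_final.
    """

    def __init__(
        self, mechanisms, username, password, channel_binding=None, c_nonce=None
    ):
        """Pick the strongest usable mechanism and store the credentials.

        Mechanisms that use channel binding are only considered when
        ``channel_binding`` is given. Raises ScramException on invalid
        arguments or when no mechanism is usable.
        """
        if not isinstance(mechanisms, (list, tuple)):
            raise ScramException(
                "The 'mechanisms' parameter must be a list or tuple of "
                "mechanism names."
            )

        _validate_channel_binding(channel_binding)

        candidates = [ScramMechanism(m) for m in mechanisms]
        usable = [
            m for m in candidates if channel_binding is not None or not m.use_binding
        ]
        if not usable:
            # ScramException derives from Exception, so existing handlers
            # still catch this; it now matches the module's other errors.
            raise ScramException("There are no suitable mechanisms in the list.")

        mech = max(usable, key=attrgetter("strength"))
        self.hf, self.use_binding = mech.hf, mech.use_binding
        self.mechanism_name = mech.name

        if self.use_binding:
            if channel_binding is None:
                raise ScramException(
                    "The channel_binding parameter can't be None if channel "
                    "binding is required."
                )
        else:
            if channel_binding is not None:
                raise ScramException(
                    "The channel_binding parameter must be None if channel "
                    "binding is not required."
                )

        self.c_nonce = _make_nonce() if c_nonce is None else c_nonce
        self.username = username
        self.password = password
        self.channel_binding = channel_binding
        self.stage = None

    def _set_stage(self, next_stage):
        """Check the call order, then record the new stage."""
        _check_stage(ClientStage, self.stage, next_stage)
        self.stage = next_stage

    def get_client_first(self):
        """Return the client-first message."""
        self._set_stage(ClientStage.get_client_first)
        self.client_first_bare, client_first = _get_client_first(
            self.username, self.c_nonce, self.channel_binding
        )
        return client_first

    def set_server_first(self, message):
        """Parse the server-first message and keep its nonce, salt and count."""
        self._set_stage(ClientStage.set_server_first)
        self.server_first = message
        self.auth_message, self.nonce, self.salt, self.iterations = _set_server_first(
            message, self.c_nonce, self.client_first_bare, self.channel_binding
        )

    def get_client_final(self):
        """Return the client-final message, which carries the client proof."""
        self._set_stage(ClientStage.get_client_final)
        self.server_signature, cfinal = _get_client_final(
            self.hf,
            self.password,
            self.salt,
            self.iterations,
            self.nonce,
            self.auth_message,
            self.channel_binding,
        )
        return cfinal

    def set_server_final(self, message):
        """Check the server-final message; raise ScramException on failure."""
        self._set_stage(ClientStage.set_server_final)
        _set_server_final(message, self.server_signature)


def set_error(f):
    """Decorate a ScramServer method so a failure can be reported.

    When the method raises a ScramException that carries ``server_error``,
    the error is stored on the server and the stage is moved to
    set_client_final, so the next permitted call is get_server_final(),
    which then returns the ``e=`` message. The exception is re-raised.
    """

    @wraps(f)
    def wrapper(self, *args, **kwds):
        try:
            return f(self, *args, **kwds)
        except ScramException as e:
            if e.server_error is not None:
                self.error = e.server_error
                self.stage = ServerStage.set_client_final
            raise

    return wrapper


class ScramServer:
    """Server side of a SCRAM exchange.

    The methods must be called in the order set_client_first,
    get_server_first, set_client_final, get_server_final.
    """

    def __init__(self, mechanism, auth_fn, channel_binding=None, s_nonce=None):
        """Store the mechanism and lookup function.

        Raises ScramException when ``channel_binding`` does not agree with
        what the mechanism requires.
        """
        self.m = mechanism

        _validate_channel_binding(channel_binding)

        if mechanism.use_binding:
            if channel_binding is None:
                raise ScramException(
                    "The mechanism requires channel binding, and so "
                    "channel_binding can't be None."
                )
        else:
            if channel_binding is not None:
                raise ScramException(
                    "The mechanism does not support channel binding, and so "
                    "channel_binding must be None."
                )

        self.channel_binding = channel_binding
        self.s_nonce = _make_nonce() if s_nonce is None else s_nonce
        self.auth_fn = auth_fn
        self.stage = None
        self.server_signature = None
        self.error = None

    def _set_stage(self, next_stage):
        """Check the call order, then record the new stage."""
        _check_stage(ServerStage, self.stage, next_stage)
        self.stage = next_stage

    @set_error
    def set_client_first(self, client_first):
        """Parse the client-first message and load the user's auth info."""
        self._set_stage(ServerStage.set_client_first)
        self.nonce, self.user, self.client_first_bare = _set_client_first(
            client_first, self.s_nonce, self.channel_binding
        )
        # NOTE(review): only ScramException is recorded by set_error. An
        # auth_fn that raises something else for an unknown user (a dict
        # lookup raises KeyError) propagates unchanged and no e= reply is
        # prepared; SERVER_ERROR_UNKNOWN_USER is defined but not raised here.
        salt, self.stored_key, self.server_key, self.i = self.auth_fn(self.user)
        self.salt = b64enc(salt)

    @set_error
    def get_server_first(self):
        """Return the server-first message."""
        self._set_stage(ServerStage.get_server_first)
        self.auth_message, server_first = _get_server_first(
            self.nonce, self.salt, self.i, self.client_first_bare, self.channel_binding
        )
        return server_first

    @set_error
    def set_client_final(self, client_final):
        """Verify the client-final message and compute the server signature."""
        self._set_stage(ServerStage.set_client_final)
        self.server_signature = _set_client_final(
            self.m.hf,
            client_final,
            self.s_nonce,
            self.stored_key,
            self.server_key,
            self.auth_message,
            self.channel_binding,
        )

    @set_error
    def get_server_final(self):
        """Return the server-final message (``v=`` on success, else ``e=``)."""
        self._set_stage(ServerStage.get_server_final)
        return _get_server_final(self.server_signature, self.error)


def _make_nonce():
    """Return a fresh nonce: the 32 hex digits of a random (version 4) UUID."""
    return uuid4().hex


def _make_auth_message(nonce, client_first_bare, server_first, cbind_data):
    """Join the parts of the AuthMessage that both sides sign."""
    cbind_input = b64enc(_make_cbind_input(cbind_data))
    msg = client_first_bare, server_first, "c=" + cbind_input, "r=" + nonce
    return ",".join(msg)


def _make_salted_password(hf, password, salt, iterations):
    """Return the salted password for the saslprep'd ``password``."""
    return hi(hf, uenc(saslprep(password)), salt, iterations)


def _c_key_stored_key_s_key(hf, salted_password):
    """Return ``(client_key, stored_key, server_key)`` for a salted password."""
    client_key = hmac(hf, salted_password, b"Client Key")
    stored_key = h(hf, client_key)
    server_key = hmac(hf, salted_password, b"Server Key")

    return client_key, stored_key, server_key


def _check_client_key(hf, stored_key, auth_msg, proof):
    """Raise ScramException unless ``proof`` matches ``stored_key``.

    The client key is recovered from the proof and its hash is compared
    with the stored key.
    """
    # Imported here because the module-level name ``hmac`` is the helper
    # from scramp.utils, not the standard-library module.
    from secrets import compare_digest

    client_signature = hmac(hf, stored_key, auth_msg)
    client_key = xor(client_signature, b64dec(proof))
    key = h(hf, client_key)

    # Constant-time comparison: the proof is supplied by the remote peer, so
    # the time taken must not depend on how many leading bytes match.
    if not compare_digest(key, stored_key):
        raise ScramException("The client keys don't match.", SERVER_ERROR_INVALID_PROOF)


def _make_gs2_header(channel_binding):
    """Return the GS2 header: "n,," without binding, else "p=<type>,,"."""
    if channel_binding is None:
        return "n,,"
    else:
        channel_type, _ = channel_binding
        return f"p={channel_type},,"


def _make_cbind_input(channel_binding):
    """Return the GS2 header bytes, followed by the binding data if any."""
    gs2_header = _make_gs2_header(channel_binding).encode("ascii")
    if channel_binding is None:
        return gs2_header
    else:
        _, cbind_data = channel_binding
        return gs2_header + cbind_data


def _parse_message(msg):
    """Split a comma-separated message into ``{first char: text from index 2}``.

    Items shorter than two characters are skipped. The second character is
    not checked to be "=", and a repeated key keeps its last value.
    """
    return {e[0]: e[2:] for e in msg.split(",") if len(e) > 1}


def _get_client_first(username, c_nonce, channel_binding):
    """Return ``(client_first_bare, client_first)`` for the username."""
    try:
        u = saslprep(username)
    except ScramException as e:
        raise ScramException(
            e.args[0], SERVER_ERROR_INVALID_USERNAME_ENCODING
        ) from e

    # NOTE(review): "," and "=" in the username are written as-is. RFC 5802
    # encodes them as "=2C" and "=3D"; without that, a username containing a
    # comma splits into extra attributes when the message is parsed.
    bare = ",".join((f"n={u}", f"r={c_nonce}"))
    gs2_header = _make_gs2_header(channel_binding)
    return bare, gs2_header + bare


def _set_client_first(client_first, s_nonce, channel_binding):
    """Parse the client-first message on the server.

    Returns ``(nonce, user, client_first_bare)`` where ``nonce`` is the
    client nonce followed by ``s_nonce``. Raises ScramException when the
    GS2 channel-binding flag disagrees with the server's configuration.

    NOTE(review): ``client_first`` comes from the remote peer. A message
    with fewer than two commas, an empty first field, or no ``r``/``n``
    attribute raises ValueError, IndexError or KeyError here rather than
    ScramException, so no ``e=`` reply is recorded for it.
    """
    first_comma = client_first.index(",")
    second_comma = client_first.index(",", first_comma + 1)
    gs2_header = client_first[:second_comma].split(",")
    gs2_cbind_flag = gs2_header[0]
    gs2_char = gs2_cbind_flag[0]

    if gs2_char == "y":
        if channel_binding is not None:
            raise ScramException(
                "Recieved GS2 flag 'y' which indicates that the client "
                "doesn't think the server supports channel binding, but in "
                "fact it does.",
                SERVER_ERROR_SERVER_DOES_SUPPORT_CHANNEL_BINDING,
            )

    elif gs2_char == "n":
        if channel_binding is not None:
            raise ScramException(
                "Received GS2 flag 'n' which indicates that the client "
                "doesn't require channel binding, but the server does.",
                SERVER_ERROR_SERVER_DOES_SUPPORT_CHANNEL_BINDING,
            )

    elif gs2_char == "p":
        if channel_binding is None:
            raise ScramException(
                "Received GS2 flag 'p' which indicates that the client "
                "requires channel binding, but the server does not.",
                SERVER_ERROR_CHANNEL_BINDING_NOT_SUPPORTED,
            )

        channel_type, _ = channel_binding
        cb_name = gs2_cbind_flag.split("=")[-1]
        if cb_name != channel_type:
            raise ScramException(
                f"Received channel binding name {cb_name} but this server "
                f"supports the channel binding name {channel_type}.",
                SERVER_ERROR_UNSUPPORTED_CHANNEL_BINDING_TYPE,
            )

    else:
        raise ScramException(
            f"Received GS2 flag {gs2_char} which isn't recognized.",
            SERVER_ERROR_OTHER_ERROR,
        )

    client_first_bare = client_first[second_comma + 1 :]
    msg = _parse_message(client_first_bare)
    c_nonce = msg["r"]
    nonce = c_nonce + s_nonce
    user = msg["n"]

    return nonce, user, client_first_bare


def _get_server_first(nonce, salt, iterations, client_first_bare, channel_binding):
    """Return ``(auth_message, server_first)``."""
    sfirst = ",".join((f"r={nonce}", f"s={salt}", f"i={iterations}"))
    auth_msg = _make_auth_message(nonce, client_first_bare, sfirst, channel_binding)
    return auth_msg, sfirst


def _set_server_first(server_first, c_nonce, client_first_bare, channel_binding):
    """Parse the server-first message on the client.

    Returns ``(auth_message, nonce, salt, iterations)``. Raises
    ScramException when the server reports an error or when the nonce does
    not start with the client nonce.
    """
    msg = _parse_message(server_first)
    if "e" in msg:
        raise ScramException(f"The server returned the error: {msg['e']}")
    nonce = msg["r"]
    salt = msg["s"]
    # NOTE(review): the iteration count is taken from the server without a
    # lower or upper bound. A very large value makes the client spend that
    # much work in get_client_final(); a very small one weakens the key
    # derivation. Consider bounding it here.
    iterations = int(msg["i"])

    if not nonce.startswith(c_nonce):
        raise ScramException("Client nonce doesn't match.", SERVER_ERROR_OTHER_ERROR)

    auth_msg = _make_auth_message(
        nonce, client_first_bare, server_first, channel_binding
    )
    return auth_msg, nonce, salt, iterations


def _get_client_final(
    hf, password, salt_str, iterations, nonce, auth_msg_str, cbind_data
):
    """Return ``(expected server signature, client_final message)``.

    The signature is base64 text, kept by the client to check the
    server-final message later.
    """
    salt = b64dec(salt_str)
    salted_password = _make_salted_password(hf, password, salt, iterations)
    client_key, stored_key, server_key = _c_key_stored_key_s_key(hf, salted_password)

    auth_msg = uenc(auth_msg_str)

    client_signature = hmac(hf, stored_key, auth_msg)
    client_proof = xor(client_key, client_signature)
    server_signature = hmac(hf, server_key, auth_msg)
    cbind_input = _make_cbind_input(cbind_data)
    msg = ["c=" + b64enc(cbind_input), "r=" + nonce, "p=" + b64enc(client_proof)]
    return b64enc(server_signature), ",".join(msg)


# Error strings sent to the client in the "e=" attribute of server-final.
# (SERVER_ERROR_INVALID_ENCODING was assigned twice with the same value; the
# repeated assignment is dropped.)
SERVER_ERROR_INVALID_ENCODING = "invalid-encoding"
SERVER_ERROR_EXTENSIONS_NOT_SUPPORTED = "extensions-not-supported"
SERVER_ERROR_INVALID_PROOF = "invalid-proof"
SERVER_ERROR_CHANNEL_BINDINGS_DONT_MATCH = "channel-bindings-dont-match"
SERVER_ERROR_SERVER_DOES_SUPPORT_CHANNEL_BINDING = "server-does-support-channel-binding"
SERVER_ERROR_SERVER_DOES_NOT_SUPPORT_CHANNEL_BINDING = (
    "server does not support channel binding"
)
SERVER_ERROR_CHANNEL_BINDING_NOT_SUPPORTED = "channel-binding-not-supported"
SERVER_ERROR_UNSUPPORTED_CHANNEL_BINDING_TYPE = "unsupported-channel-binding-type"
SERVER_ERROR_UNKNOWN_USER = "unknown-user"
SERVER_ERROR_INVALID_USERNAME_ENCODING = "invalid-username-encoding"
SERVER_ERROR_NO_RESOURCES = "no-resources"
SERVER_ERROR_OTHER_ERROR = "other-error"


def _set_client_final(
    hf, client_final, s_nonce, stored_key, server_key, auth_msg_str, cbind_data
):
    """Verify the client-final message on the server.

    Checks the channel binding, the nonce suffix and the client proof, then
    returns the base64 server signature. Raises ScramException on mismatch.
    """
    auth_msg = uenc(auth_msg_str)

    msg = _parse_message(client_final)
    nonce = msg["r"]
    proof = msg["p"]
    channel_binding = msg["c"]
    if b64dec(channel_binding) != _make_cbind_input(cbind_data):
        raise ScramException(
            "The channel bindings don't match.",
            SERVER_ERROR_CHANNEL_BINDINGS_DONT_MATCH,
        )

    # NOTE(review): only the suffix is compared with the server nonce, not
    # the whole combined nonce sent in server-first. The proof below is
    # checked against the server's own AuthMessage, which holds the full
    # nonce, so a different prefix should still fail there; confirm.
    if not nonce.endswith(s_nonce):
        raise ScramException("Server nonce doesn't match.", SERVER_ERROR_OTHER_ERROR)

    _check_client_key(hf, stored_key, auth_msg, proof)

    sig = hmac(hf, server_key, auth_msg)
    return b64enc(sig)


def _get_server_final(server_signature, error):
    """Return ``v=<signature>``, or ``e=<error>`` when an error was recorded."""
    return f"v={server_signature}" if error is None else f"e={error}"


def _set_server_final(message, server_signature):
    """Check the server-final message on the client.

    Raises ScramException when the server reports an error or when its
    signature differs from the expected one.
    """
    msg = _parse_message(message)
    if "e" in msg:
        raise ScramException(f"The server returned the error: {msg['e']}")

    if server_signature != msg["v"]:
        raise ScramException(
            "The server signature doesn't match.", SERVER_ERROR_OTHER_ERROR
        )


def saslprep(source):
    # mapping stage
    #   - map non-ascii spaces to U+0020 (stringprep C.1.2)
    #   - strip 'commonly mapped to nothing' chars (stringprep B.1)
    data = "".join(" " if in_table_c12(c) else c for c in source if not in_table_b1(c))

    # normalize to KC form
    data = unicodedata.normalize("NFKC", data)
    if not data:
        return ""

    # check for invalid bi-directional strings.
    # stringprep requires the following:
    #   - chars in C.8 must be prohibited.
    #   - if any R/AL chars in string:
    #       - no L chars allowed in string
    #       - first and last must be R/AL chars
    # this checks if start/end are R/AL chars. if so, prohibited loop
    # will forbid all L chars. if not, prohibited loop will forbid all
    # R/AL chars instead. in both cases, prohibited loop takes care of C.8.
    is_ral_char = in_table_d1
    if is_ral_char(data[0]):
        if not is_ral_char(data[-1]):
            raise ScramException(
                "malformed bidi sequence", SERVER_ERROR_INVALID_ENCODING
            )
        # forbid L chars within R/AL sequence.
        is_forbidden_bidi_char = in_table_d2
    else:
        # forbid R/AL chars if start not setup correctly; L chars allowed.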
is_forbidden_bidi_char = is_ral_char # check for prohibited output # stringprep tables A.1, B.1, C.1.2, C.2 - C.9 for c in data: # check for chars mapping stage should have removed assert not in_table_b1(c), "failed to strip B.1 in mapping stage" assert not in_table_c12(c), "failed to replace C.1.2 in mapping stage" # check for forbidden chars for f, msg in ( (in_table_a1, "unassigned code points forbidden"), (in_table_c21_c22, "control characters forbidden"), (in_table_c3, "private use characters forbidden"), (in_table_c4, "non-char code points forbidden"), (in_table_c5, "surrogate codes forbidden"), (in_table_c6, "non-plaintext chars forbidden"), (in_table_c7, "non-canonical chars forbidden"), (in_table_c8, "display-modifying/deprecated chars forbidden"), (in_table_c9, "tagged characters forbidden"), (is_forbidden_bidi_char, "forbidden bidi character"), ): if f(c): raise ScramException(msg, SERVER_ERROR_INVALID_ENCODING) return data ././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1627291001.0 scramp-1.4.1/scramp/utils.py0000664000175000017500000000121700000000000016571 0ustar00tlocketlocke00000000000000import hmac as hmaca from base64 import b64decode, b64encode def hmac(hf, key, msg): return hmaca.new(key, msg=msg, digestmod=hf).digest() def h(hf, msg): return hf(msg).digest() def hi(hf, password, salt, iterations): u = ui = hmac(hf, password, salt + b"\x00\x00\x00\x01") for i in range(iterations - 1): ui = hmac(hf, password, ui) u = xor(u, ui) return u def xor(bytes1, bytes2): return bytes(a ^ b for a, b in zip(bytes1, bytes2)) def b64enc(binary): return b64encode(binary).decode("utf8") def b64dec(string): return b64decode(string) def uenc(string): return string.encode("utf-8") ././@PaxHeader0000000000000000000000000000003400000000000011452 xustar000000000000000028 mtime=1629918151.7656353 scramp-1.4.1/scramp.egg-info/0000775000175000017500000000000000000000000016550 
5ustar00tlocketlocke00000000000000././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1629918151.0 scramp-1.4.1/scramp.egg-info/PKG-INFO0000664000175000017500000000226600000000000017653 0ustar00tlocketlocke00000000000000Metadata-Version: 1.2 Name: scramp Version: 1.4.1 Summary: An implementation of the SCRAM protocol. Home-page: https://github.com/tlocke/scramp Maintainer: Tony Locke Maintainer-email: tlocke@tlocke.org.uk License: MIT Description: Scramp ------ A pure-Python implementation of the SCRAM authentication protocol. Keywords: SCRAM authentication SASL Platform: UNKNOWN Classifier: Development Status :: 3 - Alpha Classifier: Intended Audience :: Developers Classifier: License :: OSI Approved :: MIT License Classifier: Programming Language :: Python Classifier: Programming Language :: Python :: 3 Classifier: Programming Language :: Python :: 3.6 Classifier: Programming Language :: Python :: 3.7 Classifier: Programming Language :: Python :: 3.8 Classifier: Programming Language :: Python :: Implementation Classifier: Programming Language :: Python :: Implementation :: CPython Classifier: Programming Language :: Python :: Implementation :: Jython Classifier: Programming Language :: Python :: Implementation :: PyPy Classifier: Operating System :: OS Independent Classifier: Topic :: Software Development :: Libraries :: Python Modules Requires-Python: >=3.6 ././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1629918151.0 scramp-1.4.1/scramp.egg-info/SOURCES.txt0000664000175000017500000000045600000000000020441 0ustar00tlocketlocke00000000000000LICENSE MANIFEST.in README.adoc setup.cfg setup.py versioneer.py scramp/__init__.py scramp/_version.py scramp/core.py scramp/utils.py scramp.egg-info/PKG-INFO scramp.egg-info/SOURCES.txt scramp.egg-info/dependency_links.txt scramp.egg-info/requires.txt scramp.egg-info/top_level.txt 
test/test_scramp.py././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1629918151.0 scramp-1.4.1/scramp.egg-info/dependency_links.txt0000664000175000017500000000000100000000000022616 0ustar00tlocketlocke00000000000000 ././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1629918151.0 scramp-1.4.1/scramp.egg-info/requires.txt0000664000175000017500000000002200000000000021142 0ustar00tlocketlocke00000000000000asn1crypto>=1.4.0 ././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1629918151.0 scramp-1.4.1/scramp.egg-info/top_level.txt0000664000175000017500000000000700000000000021277 0ustar00tlocketlocke00000000000000scramp ././@PaxHeader0000000000000000000000000000003400000000000011452 xustar000000000000000028 mtime=1629918151.7656353 scramp-1.4.1/setup.cfg0000664000175000017500000000106300000000000015412 0ustar00tlocketlocke00000000000000[versioneer] vcs = git style = pep440 versionfile_source = scramp/_version.py versionfile_build = scramp/_version.py tag_prefix = parentdir_prefix = scramp- [tox:tox] [testenv] commands = black --check . flake8 . 
pytest -v -x test python -m doctest README.adoc python setup.py check deps = pytest pytest-mock black flake8 flake8-alphabetize passlib [flake8] application-names = scramp ignore = E203,W503 max-line-length = 88 exclude = .git,__pycache__,build,dist,venv,.tox application-import-names = scramp [egg_info] tag_build = tag_date = 0 ././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1629917756.0 scramp-1.4.1/setup.py0000664000175000017500000000272600000000000015312 0ustar00tlocketlocke00000000000000#!/usr/bin/env python from setuptools import setup import versioneer long_description = """ Scramp ------ A pure-Python implementation of the SCRAM authentication protocol.""" cmdclass = dict(versioneer.get_cmdclass()) version = versioneer.get_version() setup( name="scramp", maintainer="Tony Locke", maintainer_email="tlocke@tlocke.org.uk", version=version, cmdclass=cmdclass, description="An implementation of the SCRAM protocol.", long_description=long_description, url="https://github.com/tlocke/scramp", license="MIT", python_requires=">=3.6", install_requires=["asn1crypto>=1.4.0"], classifiers=[ "Development Status :: 3 - Alpha", "Intended Audience :: Developers", "License :: OSI Approved :: MIT License", "Programming Language :: Python", "Programming Language :: Python :: 3", "Programming Language :: Python :: 3.6", "Programming Language :: Python :: 3.7", "Programming Language :: Python :: 3.8", "Programming Language :: Python :: Implementation", "Programming Language :: Python :: Implementation :: CPython", "Programming Language :: Python :: Implementation :: Jython", "Programming Language :: Python :: Implementation :: PyPy", "Operating System :: OS Independent", "Topic :: Software Development :: Libraries :: Python Modules", ], keywords="SCRAM authentication SASL", packages=("scramp",), ) ././@PaxHeader0000000000000000000000000000003400000000000011452 xustar000000000000000028 mtime=1629918151.7656353 
scramp-1.4.1/test/0000775000175000017500000000000000000000000014550 5ustar00tlocketlocke00000000000000././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1629917756.0 scramp-1.4.1/test/test_scramp.py0000664000175000017500000002640700000000000017457 0ustar00tlocketlocke00000000000000import hashlib import pytest from scramp import ( ScramClient, ScramException, ScramMechanism, core, make_channel_binding, ) from scramp.utils import b64dec USERNAME = "user" PASSWORD = "pencil" SCRAM_SHA_1_EXCHANGE = { "cfirst": "n,,n=user,r=fyko+d2lbbFgONRv9qkxdawL", "sfirst": "r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j," "s=QSXCR+Q6sek8bf92,i=4096", "cfinal": "c=biws,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j," "p=v0X8v3Bz2T0CJGbJQyF0X+HI4Ts=", "sfinal": "v=rmF9pqV8S7suAoZWja4dJRkFsKQ=", "cfirst_bare": "n=user,r=fyko+d2lbbFgONRv9qkxdawL", "c_nonce": "fyko+d2lbbFgONRv9qkxdawL", "s_nonce": "3rfcNHYJY1ZVvWVs7j", "nonce": "fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j", "auth_message": "n=user,r=fyko+d2lbbFgONRv9qkxdawL," "r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j," "s=QSXCR+Q6sek8bf92,i=4096,c=biws," "r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j", "salt": "QSXCR+Q6sek8bf92", "iterations": 4096, "server_signature": "rmF9pqV8S7suAoZWja4dJRkFsKQ=", "hf": hashlib.sha1, "stored_key": "6dlGYMOdZcOPutkcNY8U2g7vK9Y=", "server_key": "D+CSWLOshSulAsxiupA+qs2/fTE=", "use_binding": False, "cbind_data": None, "channel_binding": None, } SCRAM_SHA_1_PLUS_EXCHANGE = { "cfirst": "p=tls-unique,,n=user,r=fyko+d2lbbFgONRv9qkxdawL", "sfirst": "r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j," "s=QSXCR+Q6sek8bf92,i=4096", "cfinal": "c=cD10bHMtdW5pcXVlLCx4eHg=," "r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j," "p=/63TtbB5lIS6610+k4/luJMJqAI=", "sfinal": "v=GCPHy5gy1sRwXTCbwNhiiWIzLtU=", "cfirst_bare": "n=user,r=fyko+d2lbbFgONRv9qkxdawL", "c_nonce": "fyko+d2lbbFgONRv9qkxdawL", "s_nonce": "3rfcNHYJY1ZVvWVs7j", "nonce": "fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j", 
"auth_message": "n=user,r=fyko+d2lbbFgONRv9qkxdawL," "r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j," "s=QSXCR+Q6sek8bf92,i=4096,c=cD10bHMtdW5pcXVlLCx4eHg=," "r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j", "salt": "QSXCR+Q6sek8bf92", "iterations": 4096, "server_signature": "GCPHy5gy1sRwXTCbwNhiiWIzLtU=", "hf": hashlib.sha1, "stored_key": "6dlGYMOdZcOPutkcNY8U2g7vK9Y=", "server_key": "D+CSWLOshSulAsxiupA+qs2/fTE=", "use_binding": True, "cbind_data": b"xxx", "channel_binding": ("tls-unique", b"xxx"), } SCRAM_SHA_256_EXCHANGE = { "cfirst": "n,,n=user,r=rOprNGfwEbeRWgbNEkqO", "sfirst": "r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0," "s=W22ZaJ0SNY7soEsUEjb6gQ==,i=4096", "cfinal": "c=biws,r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0," "p=dHzbZapWIk4jUhN+Ute9ytag9zjfMHgsqmmiz7AndVQ=", "sfinal": "v=6rriTRBi23WpRR/wtup+mMhUZUn/dB5nLTJRsjl95G4=", "cfirst_bare": "n=user,r=rOprNGfwEbeRWgbNEkqO", "c_nonce": "rOprNGfwEbeRWgbNEkqO", "s_nonce": "%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0", "nonce": "rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0", "auth_message": "n=user,r=rOprNGfwEbeRWgbNEkqO," "r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0," "s=W22ZaJ0SNY7soEsUEjb6gQ==,i=4096,c=biws," "r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0", "salt": "W22ZaJ0SNY7soEsUEjb6gQ==", "iterations": 4096, "server_signature": "6rriTRBi23WpRR/wtup+mMhUZUn/dB5nLTJRsjl95G4=", "hf": hashlib.sha256, "stored_key": "WG5d8oPm3OtcPnkdi4Uo7BkeZkBFzpcXkuLmtbsT4qY=", "server_key": "wfPLwcE6nTWhTAmQ7tl2KeoiWGPlZqQxSrmfPwDl2dU=", "use_binding": False, "cbind_data": None, "channel_binding": None, } SCRAM_SHA_256_PLUS_EXCHANGE = { "cfirst": "p=tls-unique,,n=user,r=rOprNGfwEbeRWgbNEkqO", "sfirst": "r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0," "s=W22ZaJ0SNY7soEsUEjb6gQ==,i=4096", "cfinal": "c=cD10bHMtdW5pcXVlLCx4eHg=," "r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0," "p=v0J7PaQUPWowoTrwRLCKLzIZBpNUhWFlTrUKI1j9DpM=", "sfinal": "v=XjAev9iHBOvTxT+eNzBaFmP1IrqWah2PpZAa0wQrfY4=", 
"cfirst_bare": "n=user,r=rOprNGfwEbeRWgbNEkqO", "c_nonce": "rOprNGfwEbeRWgbNEkqO", "s_nonce": "%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0", "nonce": "rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0", "auth_message": "n=user,r=rOprNGfwEbeRWgbNEkqO," "r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0," "s=W22ZaJ0SNY7soEsUEjb6gQ==,i=4096,c=cD10bHMtdW5pcXVlLCx4eHg=," "r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0", "salt": "W22ZaJ0SNY7soEsUEjb6gQ==", "iterations": 4096, "server_signature": "XjAev9iHBOvTxT+eNzBaFmP1IrqWah2PpZAa0wQrfY4=", "hf": hashlib.sha256, "stored_key": "WG5d8oPm3OtcPnkdi4Uo7BkeZkBFzpcXkuLmtbsT4qY=", "server_key": "wfPLwcE6nTWhTAmQ7tl2KeoiWGPlZqQxSrmfPwDl2dU=", "use_binding": True, "cbind_data": b"xxx", "channel_binding": ("tls-unique", b"xxx"), } params = [ ("SCRAM-SHA-1", SCRAM_SHA_1_EXCHANGE), ("SCRAM-SHA-1-PLUS", SCRAM_SHA_1_PLUS_EXCHANGE), ("SCRAM-SHA-256", SCRAM_SHA_256_EXCHANGE), ("SCRAM-SHA-256-PLUS", SCRAM_SHA_256_PLUS_EXCHANGE), ] @pytest.mark.parametrize("mech,x", params) def test_get_client_first(mech, x): cfirst_bare, cfirst = core._get_client_first( USERNAME, x["c_nonce"], x["channel_binding"] ) assert cfirst_bare == x["cfirst_bare"] assert cfirst == x["cfirst"] @pytest.mark.parametrize("mech,x", params) def test_make_auth_message(mech, x): auth_msg = core._make_auth_message( x["nonce"], x["cfirst_bare"], x["sfirst"], x["channel_binding"] ) assert auth_msg == x["auth_message"] @pytest.mark.parametrize("mech,x", params) def test_get_client_final(mech, x): server_signature, cfinal = core._get_client_final( x["hf"], PASSWORD, x["salt"], x["iterations"], x["nonce"], x["auth_message"], x["channel_binding"], ) assert server_signature == x["server_signature"] assert cfinal == x["cfinal"] @pytest.mark.parametrize("mech,x", params) def test_client_order(mech, x): c = ScramClient([mech], USERNAME, PASSWORD, channel_binding=x["channel_binding"]) with pytest.raises(ScramException): c.set_server_first(x["sfirst"]) @pytest.mark.parametrize("mech,x", 
params) def test_client(mech, x): c = ScramClient( [mech], USERNAME, PASSWORD, channel_binding=x["channel_binding"], c_nonce=x["c_nonce"], ) assert c.get_client_first() == x["cfirst"] c.set_server_first(x["sfirst"]) assert c.get_client_final() == x["cfinal"] @pytest.mark.parametrize("mech,x", params) def test_set_client_first(mech, x): nonce, user, cfirst_bare = core._set_client_first( x["cfirst"], x["s_nonce"], x["channel_binding"] ) assert nonce == x["nonce"] assert user == USERNAME assert cfirst_bare == x["cfirst_bare"] @pytest.mark.parametrize("mech,x", params) def test_get_server_first(mech, x): auth_message, sfirst = core._get_server_first( x["nonce"], x["salt"], x["iterations"], x["cfirst_bare"], x["channel_binding"] ) assert auth_message == x["auth_message"] assert sfirst == x["sfirst"] @pytest.mark.parametrize("mech,x", params) def test_set_client_final(mech, x): server_signature = core._set_client_final( x["hf"], x["cfinal"], x["s_nonce"], b64dec(x["stored_key"]), b64dec(x["server_key"]), x["auth_message"], x["channel_binding"], ) assert server_signature == x["server_signature"] @pytest.mark.parametrize("mech,x", params) def test_get_server_final(mech, x): assert core._get_server_final(x["server_signature"], None) == x["sfinal"] @pytest.mark.parametrize("mech,x", params) def test_server_order(mech, x): m = ScramMechanism(mechanism=mech) def auth_fn(username): lookup = { USERNAME: m.make_auth_info( PASSWORD, salt=x["salt"], iteration_count=x["iterations"] ) } return lookup[username] s = m.make_server(auth_fn, channel_binding=x["channel_binding"]) with pytest.raises(ScramException): s.set_client_final(x["cfinal"]) @pytest.mark.parametrize("mech,x", params) def test_server(mech, x): m = ScramMechanism(mechanism=mech) def auth_fn(username): lookup = { USERNAME: m.make_auth_info( PASSWORD, salt=b64dec(x["salt"]), iteration_count=x["iterations"] ) } return lookup[username] s = m.make_server( auth_fn, channel_binding=x["channel_binding"], s_nonce=x["s_nonce"] ) 
s.set_client_first(x["cfirst"]) assert s.get_server_first() == x["sfirst"] s.set_client_final(x["cfinal"]) assert s.get_server_final() == x["sfinal"] def test_check_stage(): with pytest.raises( ScramException, match="The next method to be called is get_server_first, not this " "method.", ): core._check_stage( core.ServerStage, core.ServerStage.set_client_first, core.ServerStage.get_server_final, ) def test_set_client_first_error(): x = SCRAM_SHA_256_EXCHANGE m = ScramMechanism(mechanism="SCRAM-SHA-256") def auth_fn(username): lookup = { USERNAME: m.make_auth_info( PASSWORD, salt=b64dec(x["salt"]), iteration_count=x["iterations"] ) } return lookup[username] s = m.make_server( auth_fn, channel_binding=x["channel_binding"], s_nonce=x["s_nonce"] ) with pytest.raises( ScramException, match="Received GS2 flag 'p' which indicates that the client " "requires channel binding, but the server does not.", ): s.set_client_first("p=tls-unique,,n=user,r=rOprNGfwEbeRWgbNEkqO") assert s.get_server_final() == "e=channel-binding-not-supported" def test_set_client_final_error(): x = SCRAM_SHA_256_EXCHANGE m = ScramMechanism(mechanism="SCRAM-SHA-256") def auth_fn(username): lookup = { USERNAME: m.make_auth_info( PASSWORD, salt=b64dec(x["salt"]), iteration_count=x["iterations"] ) } return lookup[username] s = m.make_server( auth_fn, channel_binding=x["channel_binding"], s_nonce=x["s_nonce"] ) s.set_client_first(x["cfirst"]) s.get_server_first() with pytest.raises(ScramException, match="other-error"): s.set_client_final( "c=biws,r=rOprNGfwEbeRWgbNEkqO_invalid," "p=dHzbZapWIk4jUhN+Ute9ytag9zjfMHgsqmmiz7AndVQ=" ) assert s.get_server_final() == "e=other-error" def test_set_server_first_error(): c = ScramClient(["SCRAM-SHA-256"], "user", "pencil") c.get_client_first() with pytest.raises(ScramException, match="other-error"): c.set_server_first("e=other-error") def test_make_channel_binding_tls_server_end_point(mocker): ssl_socket = mocker.Mock() ssl_socket.getpeercert = 
mocker.Mock(return_value=b"cafe") mock_cert = mocker.Mock() mock_cert.hash_algo = "sha512" mocker.patch("scramp.core.Certificate.load", return_value=mock_cert) result = make_channel_binding("tls-server-end-point", ssl_socket) assert result == ( "tls-server-end-point", b"5\x9dQ\xe2\xc4a\x17g\x1bK\xeci\x98\x9e\x16R\x96}\xe4~D\x15\xfb\xb3\x1fn]=" b"\re?s\x10\xf2\xf8\xa6+\x91i\x9d\x84,iO\x8emDu\xb4\x19\x06i\xa7\x1a\xf1i\xc6" b"K\x81\xcbp\xd1\xaf\xd7", ) ././@PaxHeader0000000000000000000000000000002600000000000011453 xustar000000000000000022 mtime=1627291001.0 scramp-1.4.1/versioneer.py0000664000175000017500000021113600000000000016330 0ustar00tlocketlocke00000000000000# Version: 0.19 """The Versioneer - like a rocketeer, but for versions. The Versioneer ============== * like a rocketeer, but for versions! * https://github.com/python-versioneer/python-versioneer * Brian Warner * License: Public Domain * Compatible with: Python 3.6, 3.7, 3.8, 3.9 and pypy3 * [![Latest Version][pypi-image]][pypi-url] * [![Build Status][travis-image]][travis-url] This is a tool for managing a recorded version number in distutils-based python projects. The goal is to remove the tedious and error-prone "update the embedded version string" step from your release process. Making a new release should be as easy as recording a new tag in your version-control system, and maybe making new tarballs. 
## Quick Install * `pip install versioneer` to somewhere in your $PATH * add a `[versioneer]` section to your setup.cfg (see [Install](INSTALL.md)) * run `versioneer install` in your source tree, commit the results * Verify version information with `python setup.py version` ## Version Identifiers Source trees come from a variety of places: * a version-control system checkout (mostly used by developers) * a nightly tarball, produced by build automation * a snapshot tarball, produced by a web-based VCS browser, like github's "tarball from tag" feature * a release tarball, produced by "setup.py sdist", distributed through PyPI Within each source tree, the version identifier (either a string or a number, this tool is format-agnostic) can come from a variety of places: * ask the VCS tool itself, e.g. "git describe" (for checkouts), which knows about recent "tags" and an absolute revision-id * the name of the directory into which the tarball was unpacked * an expanded VCS keyword ($Id$, etc) * a `_version.py` created by some earlier build step For released software, the version identifier is closely related to a VCS tag. Some projects use tag names that include more than just the version string (e.g. "myproject-1.2" instead of just "1.2"), in which case the tool needs to strip the tag prefix to extract the version identifier. For unreleased software (between tags), the version identifier should provide enough information to help developers recreate the same tree, while also giving them an idea of roughly how old the tree is (after version 1.2, before version 1.3). Many VCS systems can report a description that captures this, for example `git describe --tags --dirty --always` reports things like "0.7-1-g574ab98-dirty" to indicate that the checkout is one revision past the 0.7 tag, has a unique revision id of "574ab98", and is "dirty" (it has uncommitted changes). 
The version identifier is used for multiple purposes: * to allow the module to self-identify its version: `myproject.__version__` * to choose a name and prefix for a 'setup.py sdist' tarball ## Theory of Operation Versioneer works by adding a special `_version.py` file into your source tree, where your `__init__.py` can import it. This `_version.py` knows how to dynamically ask the VCS tool for version information at import time. `_version.py` also contains `$Revision$` markers, and the installation process marks `_version.py` to have this marker rewritten with a tag name during the `git archive` command. As a result, generated tarballs will contain enough information to get the proper version. To allow `setup.py` to compute a version too, a `versioneer.py` is added to the top level of your source tree, next to `setup.py` and the `setup.cfg` that configures it. This overrides several distutils/setuptools commands to compute the version when invoked, and changes `setup.py build` and `setup.py sdist` to replace `_version.py` with a small static file that contains just the generated version data. ## Installation See [INSTALL.md](./INSTALL.md) for detailed installation instructions. ## Version-String Flavors Code which uses Versioneer can learn about its version string at runtime by importing `_version` from your main `__init__.py` file and running the `get_versions()` function. From the "outside" (e.g. in `setup.py`), you can import the top-level `versioneer.py` and run `get_versions()`. Both functions return a dictionary with different flavors of version information: * `['version']`: A condensed version string, rendered using the selected style. This is the most commonly used value for the project's version string. The default "pep440" style yields strings like `0.11`, `0.11+2.g1076c97`, or `0.11+2.g1076c97.dirty`. See the "Styles" section below for alternative styles. * `['full-revisionid']`: detailed revision identifier. 
For Git, this is the full SHA1 commit id, e.g. "1076c978a8d3cfc70f408fe5974aa6c092c949ac". * `['date']`: Date and time of the latest `HEAD` commit. For Git, it is the commit date in ISO 8601 format. This will be None if the date is not available. * `['dirty']`: a boolean, True if the tree has uncommitted changes. Note that this is only accurate if run in a VCS checkout, otherwise it is likely to be False or None * `['error']`: if the version string could not be computed, this will be set to a string describing the problem, otherwise it will be None. It may be useful to throw an exception in setup.py if this is set, to avoid e.g. creating tarballs with a version string of "unknown". Some variants are more useful than others. Including `full-revisionid` in a bug report should allow developers to reconstruct the exact code being tested (or indicate the presence of local changes that should be shared with the developers). `version` is suitable for display in an "about" box or a CLI `--version` output: it can be easily compared against release notes and lists of bugs fixed in various releases. The installer adds the following text to your `__init__.py` to place a basic version in `YOURPROJECT.__version__`: from ._version import get_versions __version__ = get_versions()['version'] del get_versions ## Styles The setup.cfg `style=` configuration controls how the VCS information is rendered into a version string. The default style, "pep440", produces a PEP440-compliant string, equal to the un-prefixed tag name for actual releases, and containing an additional "local version" section with more detail for in-between builds. For Git, this is TAG[+DISTANCE.gHEX[.dirty]] , using information from `git describe --tags --dirty --always`. For example "0.11+2.g1076c97.dirty" indicates that the tree is like the "1076c97" commit but has uncommitted changes (".dirty"), and that this commit is two revisions ("+2") beyond the "0.11" tag. 
For released software (exactly equal to a known tag), the identifier will only contain the stripped tag, e.g. "0.11". Other styles are available. See [details.md](details.md) in the Versioneer source tree for descriptions. ## Debugging Versioneer tries to avoid fatal errors: if something goes wrong, it will tend to return a version of "0+unknown". To investigate the problem, run `setup.py version`, which will run the version-lookup code in a verbose mode, and will display the full contents of `get_versions()` (including the `error` string, which may help identify what went wrong). ## Known Limitations Some situations are known to cause problems for Versioneer. This details the most significant ones. More can be found on Github [issues page](https://github.com/python-versioneer/python-versioneer/issues). ### Subprojects Versioneer has limited support for source trees in which `setup.py` is not in the root directory (e.g. `setup.py` and `.git/` are *not* siblings). The are two common reasons why `setup.py` might not be in the root: * Source trees which contain multiple subprojects, such as [Buildbot](https://github.com/buildbot/buildbot), which contains both "master" and "slave" subprojects, each with their own `setup.py`, `setup.cfg`, and `tox.ini`. Projects like these produce multiple PyPI distributions (and upload multiple independently-installable tarballs). * Source trees whose main purpose is to contain a C library, but which also provide bindings to Python (and perhaps other languages) in subdirectories. Versioneer will look for `.git` in parent directories, and most operations should get the right version string. However `pip` and `setuptools` have bugs and implementation details which frequently cause `pip install .` from a subproject directory to fail to find a correct version string (so it usually defaults to `0+unknown`). `pip install --editable .` should work correctly. `setup.py install` might work too. 
Pip-8.1.1 is known to have this problem, but hopefully it will get fixed in some later version. [Bug #38](https://github.com/python-versioneer/python-versioneer/issues/38) is tracking this issue. The discussion in [PR #61](https://github.com/python-versioneer/python-versioneer/pull/61) describes the issue from the Versioneer side in more detail. [pip PR#3176](https://github.com/pypa/pip/pull/3176) and [pip PR#3615](https://github.com/pypa/pip/pull/3615) contain work to improve pip to let Versioneer work correctly. Versioneer-0.16 and earlier only looked for a `.git` directory next to the `setup.cfg`, so subprojects were completely unsupported with those releases. ### Editable installs with setuptools <= 18.5 `setup.py develop` and `pip install --editable .` allow you to install a project into a virtualenv once, then continue editing the source code (and test) without re-installing after every change. "Entry-point scripts" (`setup(entry_points={"console_scripts": ..})`) are a convenient way to specify executable scripts that should be installed along with the python package. These both work as expected when using modern setuptools. When using setuptools-18.5 or earlier, however, certain operations will cause `pkg_resources.DistributionNotFound` errors when running the entrypoint script, which must be resolved by re-installing the package. This happens when the install happens with one version, then the egg_info data is regenerated while a different version is checked out. Many setup.py commands cause egg_info to be rebuilt (including `sdist`, `wheel`, and installing into a different virtualenv), so this can be surprising. [Bug #83](https://github.com/python-versioneer/python-versioneer/issues/83) describes this one, but upgrading to a newer version of setuptools should probably resolve it. 
## Updating Versioneer To upgrade your project to a new release of Versioneer, do the following: * install the new Versioneer (`pip install -U versioneer` or equivalent) * edit `setup.cfg`, if necessary, to include any new configuration settings indicated by the release notes. See [UPGRADING](./UPGRADING.md) for details. * re-run `versioneer install` in your source tree, to replace `SRC/_version.py` * commit any changed files ## Future Directions This tool is designed to make it easily extended to other version-control systems: all VCS-specific components are in separate directories like src/git/ . The top-level `versioneer.py` script is assembled from these components by running make-versioneer.py . In the future, make-versioneer.py will take a VCS name as an argument, and will construct a version of `versioneer.py` that is specific to the given VCS. It might also take the configuration arguments that are currently provided manually during installation by editing setup.py . Alternatively, it might go the other direction and include code from all supported VCS systems, reducing the number of intermediate scripts. ## Similar projects * [setuptools_scm](https://github.com/pypa/setuptools_scm/) - a non-vendored build-time dependency * [minver](https://github.com/jbweston/miniver) - a lightweight reimplementation of versioneer ## License To make Versioneer easier to embed, all its code is dedicated to the public domain. The `_version.py` that it creates is also in the public domain. Specifically, both are released under the Creative Commons "Public Domain Dedication" license (CC0-1.0), as described in https://creativecommons.org/publicdomain/zero/1.0/ . 
[pypi-image]: https://img.shields.io/pypi/v/versioneer.svg [pypi-url]: https://pypi.python.org/pypi/versioneer/ [travis-image]: https://img.shields.io/travis/com/python-versioneer/python-versioneer.svg [travis-url]: https://travis-ci.com/github/python-versioneer/python-versioneer """ import configparser import errno import json import os import re import subprocess import sys class VersioneerConfig: """Container for Versioneer configuration parameters.""" def get_root(): """Get the project root directory. We require that all commands are run from the project root, i.e. the directory that contains setup.py, setup.cfg, and versioneer.py . """ root = os.path.realpath(os.path.abspath(os.getcwd())) setup_py = os.path.join(root, "setup.py") versioneer_py = os.path.join(root, "versioneer.py") if not (os.path.exists(setup_py) or os.path.exists(versioneer_py)): # allow 'python path/to/setup.py COMMAND' root = os.path.dirname(os.path.realpath(os.path.abspath(sys.argv[0]))) setup_py = os.path.join(root, "setup.py") versioneer_py = os.path.join(root, "versioneer.py") if not (os.path.exists(setup_py) or os.path.exists(versioneer_py)): err = ( "Versioneer was unable to run the project root directory. " "Versioneer requires setup.py to be executed from " "its immediate directory (like 'python setup.py COMMAND'), " "or in a way that lets it use sys.argv[0] to find the root " "(like 'python path/to/setup.py COMMAND')." ) raise VersioneerBadRootError(err) try: # Certain runtime workflows (setup.py install/develop in a setuptools # tree) execute all dependencies in a single python process, so # "versioneer" may be imported multiple times, and python's shared # module-import table will cache the first one. So we can't use # os.path.dirname(__file__), as that will find whichever # versioneer.py was first imported, even in later projects. 
me = os.path.realpath(os.path.abspath(__file__)) me_dir = os.path.normcase(os.path.splitext(me)[0]) vsr_dir = os.path.normcase(os.path.splitext(versioneer_py)[0]) if me_dir != vsr_dir: print( "Warning: build in %s is using versioneer.py from %s" % (os.path.dirname(me), versioneer_py) ) except NameError: pass return root def get_config_from_root(root): """Read the project setup.cfg file to determine Versioneer config.""" # This might raise EnvironmentError (if setup.cfg is missing), or # configparser.NoSectionError (if it lacks a [versioneer] section), or # configparser.NoOptionError (if it lacks "VCS="). See the docstring at # the top of versioneer.py for instructions on writing your setup.cfg . setup_cfg = os.path.join(root, "setup.cfg") parser = configparser.ConfigParser() with open(setup_cfg, "r") as f: parser.read_file(f) VCS = parser.get("versioneer", "VCS") # mandatory def get(parser, name): if parser.has_option("versioneer", name): return parser.get("versioneer", name) return None cfg = VersioneerConfig() cfg.VCS = VCS cfg.style = get(parser, "style") or "" cfg.versionfile_source = get(parser, "versionfile_source") cfg.versionfile_build = get(parser, "versionfile_build") cfg.tag_prefix = get(parser, "tag_prefix") if cfg.tag_prefix in ("''", '""'): cfg.tag_prefix = "" cfg.parentdir_prefix = get(parser, "parentdir_prefix") cfg.verbose = get(parser, "verbose") return cfg class NotThisMethod(Exception): """Exception raised if a method is not valid for the current scenario.""" # these dictionaries contain VCS-specific tools LONG_VERSION_PY = {} HANDLERS = {} def register_vcs_handler(vcs, method): # decorator """Create decorator to mark a method as the handler of a VCS.""" def decorate(f): """Store f in HANDLERS[vcs][method].""" if vcs not in HANDLERS: HANDLERS[vcs] = {} HANDLERS[vcs][method] = f return f return decorate def run_command(commands, args, cwd=None, verbose=False, hide_stderr=False, env=None): """Call the given command(s).""" assert 
isinstance(commands, list) p = None for c in commands: try: dispcmd = str([c] + args) # remember shell=False, so use git.cmd on windows, not just git p = subprocess.Popen( [c] + args, cwd=cwd, env=env, stdout=subprocess.PIPE, stderr=(subprocess.PIPE if hide_stderr else None), ) break except EnvironmentError: e = sys.exc_info()[1] if e.errno == errno.ENOENT: continue if verbose: print("unable to run %s" % dispcmd) print(e) return None, None else: if verbose: print("unable to find command, tried %s" % (commands,)) return None, None stdout = p.communicate()[0].strip().decode() if p.returncode != 0: if verbose: print("unable to run %s (error)" % dispcmd) print("stdout was %s" % stdout) return None, p.returncode return stdout, p.returncode LONG_VERSION_PY[ "git" ] = r''' # This file helps to compute a version number in source trees obtained from # git-archive tarball (such as those provided by githubs download-from-tag # feature). Distribution tarballs (built by setup.py sdist) and build # directories (produced by setup.py build) will contain a much shorter file # that just contains the computed version number. # This file is released into the public domain. Generated by # versioneer-0.19 (https://github.com/python-versioneer/python-versioneer) """Git implementation of _version.py.""" import errno import os import re import subprocess import sys def get_keywords(): """Get the keywords needed to look up the version information.""" # these strings will be replaced by git during git-archive. # setup.py/versioneer.py will grep for the variable names, so they must # each be defined on a line of their own. _version.py will just call # get_keywords(). 
git_refnames = "%(DOLLAR)sFormat:%%d%(DOLLAR)s" git_full = "%(DOLLAR)sFormat:%%H%(DOLLAR)s" git_date = "%(DOLLAR)sFormat:%%ci%(DOLLAR)s" keywords = {"refnames": git_refnames, "full": git_full, "date": git_date} return keywords class VersioneerConfig: """Container for Versioneer configuration parameters.""" def get_config(): """Create, populate and return the VersioneerConfig() object.""" # these strings are filled in when 'setup.py versioneer' creates # _version.py cfg = VersioneerConfig() cfg.VCS = "git" cfg.style = "%(STYLE)s" cfg.tag_prefix = "%(TAG_PREFIX)s" cfg.parentdir_prefix = "%(PARENTDIR_PREFIX)s" cfg.versionfile_source = "%(VERSIONFILE_SOURCE)s" cfg.verbose = False return cfg class NotThisMethod(Exception): """Exception raised if a method is not valid for the current scenario.""" LONG_VERSION_PY = {} HANDLERS = {} def register_vcs_handler(vcs, method): # decorator """Create decorator to mark a method as the handler of a VCS.""" def decorate(f): """Store f in HANDLERS[vcs][method].""" if vcs not in HANDLERS: HANDLERS[vcs] = {} HANDLERS[vcs][method] = f return f return decorate def run_command(commands, args, cwd=None, verbose=False, hide_stderr=False, env=None): """Call the given command(s).""" assert isinstance(commands, list) p = None for c in commands: try: dispcmd = str([c] + args) # remember shell=False, so use git.cmd on windows, not just git p = subprocess.Popen([c] + args, cwd=cwd, env=env, stdout=subprocess.PIPE, stderr=(subprocess.PIPE if hide_stderr else None)) break except EnvironmentError: e = sys.exc_info()[1] if e.errno == errno.ENOENT: continue if verbose: print("unable to run %%s" %% dispcmd) print(e) return None, None else: if verbose: print("unable to find command, tried %%s" %% (commands,)) return None, None stdout = p.communicate()[0].strip().decode() if p.returncode != 0: if verbose: print("unable to run %%s (error)" %% dispcmd) print("stdout was %%s" %% stdout) return None, p.returncode return stdout, p.returncode def 
versions_from_parentdir(parentdir_prefix, root, verbose): """Try to determine the version from the parent directory name. Source tarballs conventionally unpack into a directory that includes both the project name and a version string. We will also support searching up two directory levels for an appropriately named parent directory """ rootdirs = [] for i in range(3): dirname = os.path.basename(root) if dirname.startswith(parentdir_prefix): return {"version": dirname[len(parentdir_prefix):], "full-revisionid": None, "dirty": False, "error": None, "date": None} else: rootdirs.append(root) root = os.path.dirname(root) # up a level if verbose: print("Tried directories %%s but none started with prefix %%s" %% (str(rootdirs), parentdir_prefix)) raise NotThisMethod("rootdir doesn't start with parentdir_prefix") @register_vcs_handler("git", "get_keywords") def git_get_keywords(versionfile_abs): """Extract version information from the given file.""" # the code embedded in _version.py can just fetch the value of these # keywords. When used from setup.py, we don't want to import _version.py, # so we do it with a regexp instead. This function is not used from # _version.py. keywords = {} try: f = open(versionfile_abs, "r") for line in f.readlines(): if line.strip().startswith("git_refnames ="): mo = re.search(r'=\s*"(.*)"', line) if mo: keywords["refnames"] = mo.group(1) if line.strip().startswith("git_full ="): mo = re.search(r'=\s*"(.*)"', line) if mo: keywords["full"] = mo.group(1) if line.strip().startswith("git_date ="): mo = re.search(r'=\s*"(.*)"', line) if mo: keywords["date"] = mo.group(1) f.close() except EnvironmentError: pass return keywords @register_vcs_handler("git", "keywords") def git_versions_from_keywords(keywords, tag_prefix, verbose): """Get version information from git keywords.""" if not keywords: raise NotThisMethod("no keywords at all, weird") date = keywords.get("date") if date is not None: # Use only the last line. 
Previous lines may contain GPG signature # information. date = date.splitlines()[-1] # git-2.2.0 added "%%cI", which expands to an ISO-8601 -compliant # datestamp. However we prefer "%%ci" (which expands to an "ISO-8601 # -like" string, which we must then edit to make compliant), because # it's been around since git-1.5.3, and it's too difficult to # discover which version we're using, or to work around using an # older one. date = date.strip().replace(" ", "T", 1).replace(" ", "", 1) refnames = keywords["refnames"].strip() if refnames.startswith("$Format"): if verbose: print("keywords are unexpanded, not using") raise NotThisMethod("unexpanded keywords, not a git-archive tarball") refs = set([r.strip() for r in refnames.strip("()").split(",")]) # starting in git-1.8.3, tags are listed as "tag: foo-1.0" instead of # just "foo-1.0". If we see a "tag: " prefix, prefer those. TAG = "tag: " tags = set([r[len(TAG):] for r in refs if r.startswith(TAG)]) if not tags: # Either we're using git < 1.8.3, or there really are no tags. We use # a heuristic: assume all version tags have a digit. The old git %%d # expansion behaves like git log --decorate=short and strips out the # refs/heads/ and refs/tags/ prefixes that would let us distinguish # between branches and tags. By ignoring refnames without digits, we # filter out many common branch names like "release" and # "stabilization", as well as "HEAD" and "master". tags = set([r for r in refs if re.search(r'\d', r)]) if verbose: print("discarding '%%s', no digits" %% ",".join(refs - tags)) if verbose: print("likely tags: %%s" %% ",".join(sorted(tags))) for ref in sorted(tags): # sorting will prefer e.g. 
"2.0" over "2.0rc1" if ref.startswith(tag_prefix): r = ref[len(tag_prefix):] if verbose: print("picking %%s" %% r) return {"version": r, "full-revisionid": keywords["full"].strip(), "dirty": False, "error": None, "date": date} # no suitable tags, so version is "0+unknown", but full hex is still there if verbose: print("no suitable tags, using unknown + full revision id") return {"version": "0+unknown", "full-revisionid": keywords["full"].strip(), "dirty": False, "error": "no suitable tags", "date": None} @register_vcs_handler("git", "pieces_from_vcs") def git_pieces_from_vcs(tag_prefix, root, verbose, run_command=run_command): """Get version from 'git describe' in the root of the source tree. This only gets called if the git-archive 'subst' keywords were *not* expanded, and _version.py hasn't already been rewritten with a short version string, meaning we're inside a checked out source tree. """ GITS = ["git"] if sys.platform == "win32": GITS = ["git.cmd", "git.exe"] out, rc = run_command(GITS, ["rev-parse", "--git-dir"], cwd=root, hide_stderr=True) if rc != 0: if verbose: print("Directory %%s not under git control" %% root) raise NotThisMethod("'git rev-parse --git-dir' returned error") # if there is a tag matching tag_prefix, this yields TAG-NUM-gHEX[-dirty] # if there isn't one, this yields HEX[-dirty] (no NUM) describe_out, rc = run_command(GITS, ["describe", "--tags", "--dirty", "--always", "--long", "--match", "%%s*" %% tag_prefix], cwd=root) # --long was added in git-1.5.5 if describe_out is None: raise NotThisMethod("'git describe' failed") describe_out = describe_out.strip() full_out, rc = run_command(GITS, ["rev-parse", "HEAD"], cwd=root) if full_out is None: raise NotThisMethod("'git rev-parse' failed") full_out = full_out.strip() pieces = {} pieces["long"] = full_out pieces["short"] = full_out[:7] # maybe improved later pieces["error"] = None # parse describe_out. It will be like TAG-NUM-gHEX[-dirty] or HEX[-dirty] # TAG might have hyphens. 
git_describe = describe_out # look for -dirty suffix dirty = git_describe.endswith("-dirty") pieces["dirty"] = dirty if dirty: git_describe = git_describe[:git_describe.rindex("-dirty")] # now we have TAG-NUM-gHEX or HEX if "-" in git_describe: # TAG-NUM-gHEX mo = re.search(r'^(.+)-(\d+)-g([0-9a-f]+)$', git_describe) if not mo: # unparseable. Maybe git-describe is misbehaving? pieces["error"] = ("unable to parse git-describe output: '%%s'" %% describe_out) return pieces # tag full_tag = mo.group(1) if not full_tag.startswith(tag_prefix): if verbose: fmt = "tag '%%s' doesn't start with prefix '%%s'" print(fmt %% (full_tag, tag_prefix)) pieces["error"] = ("tag '%%s' doesn't start with prefix '%%s'" %% (full_tag, tag_prefix)) return pieces pieces["closest-tag"] = full_tag[len(tag_prefix):] # distance: number of commits since tag pieces["distance"] = int(mo.group(2)) # commit: short hex revision ID pieces["short"] = mo.group(3) else: # HEX: no tags pieces["closest-tag"] = None count_out, rc = run_command(GITS, ["rev-list", "HEAD", "--count"], cwd=root) pieces["distance"] = int(count_out) # total number of commits # commit date: see ISO-8601 comment in git_versions_from_keywords() date = run_command(GITS, ["show", "-s", "--format=%%ci", "HEAD"], cwd=root)[0].strip() # Use only the last line. Previous lines may contain GPG signature # information. date = date.splitlines()[-1] pieces["date"] = date.strip().replace(" ", "T", 1).replace(" ", "", 1) return pieces def plus_or_dot(pieces): """Return a + if we don't already have one, else return a .""" if "+" in pieces.get("closest-tag", ""): return "." return "+" def render_pep440(pieces): """Build up version string, with post-release "local version identifier". Our goal: TAG[+DISTANCE.gHEX[.dirty]] . Note that if you get a tagged build and then dirty it, you'll get TAG+0.gHEX.dirty Exceptions: 1: no tags. git_describe was just HEX. 
0+untagged.DISTANCE.gHEX[.dirty] """ if pieces["closest-tag"]: rendered = pieces["closest-tag"] if pieces["distance"] or pieces["dirty"]: rendered += plus_or_dot(pieces) rendered += "%%d.g%%s" %% (pieces["distance"], pieces["short"]) if pieces["dirty"]: rendered += ".dirty" else: # exception #1 rendered = "0+untagged.%%d.g%%s" %% (pieces["distance"], pieces["short"]) if pieces["dirty"]: rendered += ".dirty" return rendered def render_pep440_pre(pieces): """TAG[.post0.devDISTANCE] -- No -dirty. Exceptions: 1: no tags. 0.post0.devDISTANCE """ if pieces["closest-tag"]: rendered = pieces["closest-tag"] if pieces["distance"]: rendered += ".post0.dev%%d" %% pieces["distance"] else: # exception #1 rendered = "0.post0.dev%%d" %% pieces["distance"] return rendered def render_pep440_post(pieces): """TAG[.postDISTANCE[.dev0]+gHEX] . The ".dev0" means dirty. Note that .dev0 sorts backwards (a dirty tree will appear "older" than the corresponding clean one), but you shouldn't be releasing software with -dirty anyways. Exceptions: 1: no tags. 0.postDISTANCE[.dev0] """ if pieces["closest-tag"]: rendered = pieces["closest-tag"] if pieces["distance"] or pieces["dirty"]: rendered += ".post%%d" %% pieces["distance"] if pieces["dirty"]: rendered += ".dev0" rendered += plus_or_dot(pieces) rendered += "g%%s" %% pieces["short"] else: # exception #1 rendered = "0.post%%d" %% pieces["distance"] if pieces["dirty"]: rendered += ".dev0" rendered += "+g%%s" %% pieces["short"] return rendered def render_pep440_old(pieces): """TAG[.postDISTANCE[.dev0]] . The ".dev0" means dirty. Exceptions: 1: no tags. 0.postDISTANCE[.dev0] """ if pieces["closest-tag"]: rendered = pieces["closest-tag"] if pieces["distance"] or pieces["dirty"]: rendered += ".post%%d" %% pieces["distance"] if pieces["dirty"]: rendered += ".dev0" else: # exception #1 rendered = "0.post%%d" %% pieces["distance"] if pieces["dirty"]: rendered += ".dev0" return rendered def render_git_describe(pieces): """TAG[-DISTANCE-gHEX][-dirty]. 
Like 'git describe --tags --dirty --always'. Exceptions: 1: no tags. HEX[-dirty] (note: no 'g' prefix) """ if pieces["closest-tag"]: rendered = pieces["closest-tag"] if pieces["distance"]: rendered += "-%%d-g%%s" %% (pieces["distance"], pieces["short"]) else: # exception #1 rendered = pieces["short"] if pieces["dirty"]: rendered += "-dirty" return rendered def render_git_describe_long(pieces): """TAG-DISTANCE-gHEX[-dirty]. Like 'git describe --tags --dirty --always -long'. The distance/hash is unconditional. Exceptions: 1: no tags. HEX[-dirty] (note: no 'g' prefix) """ if pieces["closest-tag"]: rendered = pieces["closest-tag"] rendered += "-%%d-g%%s" %% (pieces["distance"], pieces["short"]) else: # exception #1 rendered = pieces["short"] if pieces["dirty"]: rendered += "-dirty" return rendered def render(pieces, style): """Render the given version pieces into the requested style.""" if pieces["error"]: return {"version": "unknown", "full-revisionid": pieces.get("long"), "dirty": None, "error": pieces["error"], "date": None} if not style or style == "default": style = "pep440" # the default if style == "pep440": rendered = render_pep440(pieces) elif style == "pep440-pre": rendered = render_pep440_pre(pieces) elif style == "pep440-post": rendered = render_pep440_post(pieces) elif style == "pep440-old": rendered = render_pep440_old(pieces) elif style == "git-describe": rendered = render_git_describe(pieces) elif style == "git-describe-long": rendered = render_git_describe_long(pieces) else: raise ValueError("unknown style '%%s'" %% style) return {"version": rendered, "full-revisionid": pieces["long"], "dirty": pieces["dirty"], "error": None, "date": pieces.get("date")} def get_versions(): """Get version information or return default if unable to do so.""" # I am in _version.py, which lives at ROOT/VERSIONFILE_SOURCE. If we have # __file__, we can work backwards from there to the root. 
Some # py2exe/bbfreeze/non-CPython implementations don't do __file__, in which # case we can only use expanded keywords. cfg = get_config() verbose = cfg.verbose try: return git_versions_from_keywords(get_keywords(), cfg.tag_prefix, verbose) except NotThisMethod: pass try: root = os.path.realpath(__file__) # versionfile_source is the relative path from the top of the source # tree (where the .git directory might live) to this file. Invert # this to find the root from __file__. for i in cfg.versionfile_source.split('/'): root = os.path.dirname(root) except NameError: return {"version": "0+unknown", "full-revisionid": None, "dirty": None, "error": "unable to find root of source tree", "date": None} try: pieces = git_pieces_from_vcs(cfg.tag_prefix, root, verbose) return render(pieces, cfg.style) except NotThisMethod: pass try: if cfg.parentdir_prefix: return versions_from_parentdir(cfg.parentdir_prefix, root, verbose) except NotThisMethod: pass return {"version": "0+unknown", "full-revisionid": None, "dirty": None, "error": "unable to compute version", "date": None} ''' @register_vcs_handler("git", "get_keywords") def git_get_keywords(versionfile_abs): """Extract version information from the given file.""" # the code embedded in _version.py can just fetch the value of these # keywords. When used from setup.py, we don't want to import _version.py, # so we do it with a regexp instead. This function is not used from # _version.py. 
keywords = {} try: f = open(versionfile_abs, "r") for line in f.readlines(): if line.strip().startswith("git_refnames ="): mo = re.search(r'=\s*"(.*)"', line) if mo: keywords["refnames"] = mo.group(1) if line.strip().startswith("git_full ="): mo = re.search(r'=\s*"(.*)"', line) if mo: keywords["full"] = mo.group(1) if line.strip().startswith("git_date ="): mo = re.search(r'=\s*"(.*)"', line) if mo: keywords["date"] = mo.group(1) f.close() except EnvironmentError: pass return keywords @register_vcs_handler("git", "keywords") def git_versions_from_keywords(keywords, tag_prefix, verbose): """Get version information from git keywords.""" if not keywords: raise NotThisMethod("no keywords at all, weird") date = keywords.get("date") if date is not None: # Use only the last line. Previous lines may contain GPG signature # information. date = date.splitlines()[-1] # git-2.2.0 added "%cI", which expands to an ISO-8601 -compliant # datestamp. However we prefer "%ci" (which expands to an "ISO-8601 # -like" string, which we must then edit to make compliant), because # it's been around since git-1.5.3, and it's too difficult to # discover which version we're using, or to work around using an # older one. date = date.strip().replace(" ", "T", 1).replace(" ", "", 1) refnames = keywords["refnames"].strip() if refnames.startswith("$Format"): if verbose: print("keywords are unexpanded, not using") raise NotThisMethod("unexpanded keywords, not a git-archive tarball") refs = set([r.strip() for r in refnames.strip("()").split(",")]) # starting in git-1.8.3, tags are listed as "tag: foo-1.0" instead of # just "foo-1.0". If we see a "tag: " prefix, prefer those. TAG = "tag: " tags = set([r[len(TAG) :] for r in refs if r.startswith(TAG)]) if not tags: # Either we're using git < 1.8.3, or there really are no tags. We use # a heuristic: assume all version tags have a digit. 
The old git %d # expansion behaves like git log --decorate=short and strips out the # refs/heads/ and refs/tags/ prefixes that would let us distinguish # between branches and tags. By ignoring refnames without digits, we # filter out many common branch names like "release" and # "stabilization", as well as "HEAD" and "master". tags = set([r for r in refs if re.search(r"\d", r)]) if verbose: print("discarding '%s', no digits" % ",".join(refs - tags)) if verbose: print("likely tags: %s" % ",".join(sorted(tags))) for ref in sorted(tags): # sorting will prefer e.g. "2.0" over "2.0rc1" if ref.startswith(tag_prefix): r = ref[len(tag_prefix) :] if verbose: print("picking %s" % r) return { "version": r, "full-revisionid": keywords["full"].strip(), "dirty": False, "error": None, "date": date, } # no suitable tags, so version is "0+unknown", but full hex is still there if verbose: print("no suitable tags, using unknown + full revision id") return { "version": "0+unknown", "full-revisionid": keywords["full"].strip(), "dirty": False, "error": "no suitable tags", "date": None, } @register_vcs_handler("git", "pieces_from_vcs") def git_pieces_from_vcs(tag_prefix, root, verbose, run_command=run_command): """Get version from 'git describe' in the root of the source tree. This only gets called if the git-archive 'subst' keywords were *not* expanded, and _version.py hasn't already been rewritten with a short version string, meaning we're inside a checked out source tree. 
""" GITS = ["git"] if sys.platform == "win32": GITS = ["git.cmd", "git.exe"] out, rc = run_command(GITS, ["rev-parse", "--git-dir"], cwd=root, hide_stderr=True) if rc != 0: if verbose: print("Directory %s not under git control" % root) raise NotThisMethod("'git rev-parse --git-dir' returned error") # if there is a tag matching tag_prefix, this yields TAG-NUM-gHEX[-dirty] # if there isn't one, this yields HEX[-dirty] (no NUM) describe_out, rc = run_command( GITS, [ "describe", "--tags", "--dirty", "--always", "--long", "--match", "%s*" % tag_prefix, ], cwd=root, ) # --long was added in git-1.5.5 if describe_out is None: raise NotThisMethod("'git describe' failed") describe_out = describe_out.strip() full_out, rc = run_command(GITS, ["rev-parse", "HEAD"], cwd=root) if full_out is None: raise NotThisMethod("'git rev-parse' failed") full_out = full_out.strip() pieces = {} pieces["long"] = full_out pieces["short"] = full_out[:7] # maybe improved later pieces["error"] = None # parse describe_out. It will be like TAG-NUM-gHEX[-dirty] or HEX[-dirty] # TAG might have hyphens. git_describe = describe_out # look for -dirty suffix dirty = git_describe.endswith("-dirty") pieces["dirty"] = dirty if dirty: git_describe = git_describe[: git_describe.rindex("-dirty")] # now we have TAG-NUM-gHEX or HEX if "-" in git_describe: # TAG-NUM-gHEX mo = re.search(r"^(.+)-(\d+)-g([0-9a-f]+)$", git_describe) if not mo: # unparseable. Maybe git-describe is misbehaving? 
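pieces["error"] = "unable to parse git-describe output: '%s'" % describe_out return pieces # tag full_tag = mo.group(1) if not full_tag.startswith(tag_prefix): if verbose: fmt = "tag '%s' doesn't start with prefix '%s'" print(fmt % (full_tag, tag_prefix)) pieces["error"] = "tag '%s' doesn't start with prefix '%s'" % ( full_tag, tag_prefix, ) return pieces pieces["closest-tag"] = full_tag[len(tag_prefix) :] # distance: number of commits since tag pieces["distance"] = int(mo.group(2)) # commit: short hex revision ID pieces["short"] = mo.group(3) else: # HEX: no tags pieces["closest-tag"] = None count_out, rc = run_command(GITS, ["rev-list", "HEAD", "--count"], cwd=root) pieces["distance"] = int(count_out) # total number of commits # commit date: see ISO-8601 comment in git_versions_from_keywords() date = run_command(GITS, ["show", "-s", "--format=%ci", "HEAD"], cwd=root)[ 0 ].strip() # Use only the last line. Previous lines may contain GPG signature # information. date = date.splitlines()[-1] pieces["date"] = date.strip().replace(" ", "T", 1).replace(" ", "", 1) return pieces


def do_vcs_install(manifest_in, versionfile_source, ipy):
    """Git-specific installation logic for Versioneer.

    For Git, this means creating/changing .gitattributes to mark _version.py
    for export-subst keyword substitution.

    manifest_in, versionfile_source and (when truthy) ipy are the paths that
    get staged with 'git add', together with this script and, if it had to be
    changed, .gitattributes.
    """
    GITS = ["git"]
    if sys.platform == "win32":
        GITS = ["git.cmd", "git.exe"]
    files = [manifest_in, versionfile_source]
    if ipy:
        files.append(ipy)
    try:
        me = __file__
        if me.endswith((".pyc", ".pyo")):
            me = os.path.splitext(me)[0] + ".py"
        versioneer_file = os.path.relpath(me)
    except NameError:
        versioneer_file = "versioneer.py"
    files.append(versioneer_file)
    present = False
    try:
        # 'with' closes the handle even if reading fails part-way through.
        with open(".gitattributes", "r") as f:
            for line in f:
                if line.strip().startswith(versionfile_source):
                    if "export-subst" in line.strip().split()[1:]:
                        present = True
    except EnvironmentError:
        # No readable .gitattributes: treat the attribute as absent.
        pass
    if not present:
        with open(".gitattributes", "a+") as f:
            f.write("%s export-subst\n" % versionfile_source)
        files.append(".gitattributes")
    # The paths are passed as separate list items, and "--" ends git's option
    # parsing, so a path that begins with "-" is staged as a file rather than
    # read as a flag.
    run_command(GITS, ["add", "--"] + files)


def versions_from_parentdir(parentdir_prefix, root, verbose):
    """Try to determine the version from the parent directory name.

    Source tarballs conventionally unpack into a directory that includes both
    the project name and a version string. We will also support searching up
    two directory levels for an appropriately named parent directory.

    Raises NotThisMethod when none of the three directories tried starts with
    parentdir_prefix.
    """
    rootdirs = []

    for _ in range(3):
        dirname = os.path.basename(root)
        if dirname.startswith(parentdir_prefix):
            return {
                "version": dirname[len(parentdir_prefix) :],
                "full-revisionid": None,
                "dirty": False,
                "error": None,
                "date": None,
            }
        rootdirs.append(root)
        root = os.path.dirname(root)  # up a level

    if verbose:
        print(
            "Tried directories %s but none started with prefix %s"
            % (str(rootdirs), parentdir_prefix)
        )
    raise NotThisMethod("rootdir doesn't start with parentdir_prefix")


SHORT_VERSION_PY = """
# This file was generated by 'versioneer.py' (0.19) from
# revision-control system data, or from the parent directory name of an
# unpacked source archive. Distribution tarballs contain a pre-generated copy
# of this file.

import json

version_json = '''
%s
'''  # END VERSION_JSON


def get_versions():
    return json.loads(version_json)
"""


def versions_from_file(filename):
    """Try to determine the version from _version.py if present.

    The file is read as text and only the JSON between the version_json
    markers is parsed; the file itself is never imported or executed.

    Raises NotThisMethod if the file cannot be read or holds no version_json
    block.
    """
    try:
        with open(filename) as f:
            contents = f.read()
    except EnvironmentError:
        raise NotThisMethod("unable to read _version.py")
    mo = re.search(
        r"version_json = '''\n(.*)'''  # END VERSION_JSON", contents, re.M | re.S
    )
    if not mo:
        # Same marker, for a file saved with CRLF line endings.
        mo = re.search(
            r"version_json = '''\r\n(.*)'''  # END VERSION_JSON", contents, re.M | re.S
        )
    if not mo:
        raise NotThisMethod("no version_json in _version.py")
    return json.loads(mo.group(1))


def write_to_version_file(filename, versions):
    """Write the given version number to the given _version.py file.

    filename must already exist: it is removed first and then recreated.
    """
    # Remove before writing so that, when the path is a hard link into the
    # source tree (see cmd_sdist.make_release_tree), the linked original is
    # left untouched and a fresh file is created instead.
    os.unlink(filename)
    contents = json.dumps(versions, sort_keys=True, indent=1, separators=(",", ": "))
    with open(filename, "w") as f:
        f.write(SHORT_VERSION_PY % contents)

    print("set %s to '%s'" % (filename, versions["version"]))


def plus_or_dot(pieces):
    """Return a + if we don't already have one, else return a ."""
    # "closest-tag" is stored as None when the repository has no tags, so
    # fall back to "" rather than testing membership on None.
    if "+" in (pieces.get("closest-tag") or ""):
        return "."
    return "+"


def render_pep440(pieces):
    """Build up version string, with post-release "local version identifier".

    Our goal: TAG[+DISTANCE.gHEX[.dirty]] . Note that if you
    get a tagged build and then dirty it, you'll get TAG+0.gHEX.dirty

    Exceptions:
    1: no tags. git_describe was just HEX. 0+untagged.DISTANCE.gHEX[.dirty]
    """
    if pieces["closest-tag"]:
        rendered = pieces["closest-tag"]
        if pieces["distance"] or pieces["dirty"]:
            rendered += plus_or_dot(pieces)
            rendered += "%d.g%s" % (pieces["distance"], pieces["short"])
            if pieces["dirty"]:
                rendered += ".dirty"
    else:
        # exception #1
        rendered = "0+untagged.%d.g%s" % (pieces["distance"], pieces["short"])
        if pieces["dirty"]:
            rendered += ".dirty"
    return rendered


def render_pep440_pre(pieces):
    """TAG[.post0.devDISTANCE] -- No -dirty.

    Exceptions:
    1: no tags. 0.post0.devDISTANCE
    """
    if pieces["closest-tag"]:
        rendered = pieces["closest-tag"]
        if pieces["distance"]:
            rendered += ".post0.dev%d" % pieces["distance"]
    else:
        # exception #1
        rendered = "0.post0.dev%d" % pieces["distance"]
    return rendered


def render_pep440_post(pieces):
    """TAG[.postDISTANCE[.dev0]+gHEX] .

    The ".dev0" means dirty. Note that .dev0 sorts backwards
    (a dirty tree will appear "older" than the corresponding clean one),
    but you shouldn't be releasing software with -dirty anyways.

    Exceptions:
    1: no tags. 0.postDISTANCE[.dev0]
    """
    if pieces["closest-tag"]:
        rendered = pieces["closest-tag"]
        if pieces["distance"] or pieces["dirty"]:
            rendered += ".post%d" % pieces["distance"]
            if pieces["dirty"]:
                rendered += ".dev0"
            rendered += plus_or_dot(pieces)
            rendered += "g%s" % pieces["short"]
    else:
        # exception #1
        rendered = "0.post%d" % pieces["distance"]
        if pieces["dirty"]:
            rendered += ".dev0"
        rendered += "+g%s" % pieces["short"]
    return rendered


def render_pep440_old(pieces):
    """TAG[.postDISTANCE[.dev0]] .

    The ".dev0" means dirty.

    Exceptions:
    1: no tags. 0.postDISTANCE[.dev0]
    """
    if pieces["closest-tag"]:
        rendered = pieces["closest-tag"]
        if pieces["distance"] or pieces["dirty"]:
            rendered += ".post%d" % pieces["distance"]
            if pieces["dirty"]:
                rendered += ".dev0"
    else:
        # exception #1
        rendered = "0.post%d" % pieces["distance"]
        if pieces["dirty"]:
            rendered += ".dev0"
    return rendered


def render_git_describe(pieces):
    """TAG[-DISTANCE-gHEX][-dirty].

    Like 'git describe --tags --dirty --always'.

    Exceptions:
    1: no tags. HEX[-dirty] (note: no 'g' prefix)
    """
    if pieces["closest-tag"]:
        rendered = pieces["closest-tag"]
        if pieces["distance"]:
            rendered += "-%d-g%s" % (pieces["distance"], pieces["short"])
    else:
        # exception #1
        rendered = pieces["short"]
    if pieces["dirty"]:
        rendered += "-dirty"
    return rendered


def render_git_describe_long(pieces):
    """TAG-DISTANCE-gHEX[-dirty].

    Like 'git describe --tags --dirty --always --long'.
    The distance/hash is unconditional.

    Exceptions:
    1: no tags. HEX[-dirty] (note: no 'g' prefix)
    """
    if pieces["closest-tag"]:
        rendered = pieces["closest-tag"]
        rendered += "-%d-g%s" % (pieces["distance"], pieces["short"])
    else:
        # exception #1
        rendered = pieces["short"]
    if pieces["dirty"]:
        rendered += "-dirty"
    return rendered


def render(pieces, style):
    """Render the given version pieces into the requested style.

    Returns a dict with the keys 'version', 'full-revisionid', 'dirty',
    'error' and 'date'. When pieces carries an error, the version is reported
    as "unknown". Raises ValueError for a style name that is not recognised.
    """
    if pieces["error"]:
        return {
            "version": "unknown",
            "full-revisionid": pieces.get("long"),
            "dirty": None,
            "error": pieces["error"],
            "date": None,
        }

    if not style or style == "default":
        style = "pep440"  # the default

    if style == "pep440":
        rendered = render_pep440(pieces)
    elif style == "pep440-pre":
        rendered = render_pep440_pre(pieces)
    elif style == "pep440-post":
        rendered = render_pep440_post(pieces)
    elif style == "pep440-old":
        rendered = render_pep440_old(pieces)
    elif style == "git-describe":
        rendered = render_git_describe(pieces)
    elif style == "git-describe-long":
        rendered = render_git_describe_long(pieces)
    else:
        raise ValueError("unknown style '%s'" % style)

    return {
        "version": rendered,
        "full-revisionid": pieces["long"],
        "dirty": pieces["dirty"],
        "error": None,
        "date": pieces.get("date"),
    }


class VersioneerBadRootError(Exception):
    """The project root directory is unknown or missing key files."""


def get_versions(verbose=False):
    """Get the project version from whatever source is available.

    Sources are tried in this order: expanded VCS keywords in _version.py,
    the version_json block in _version.py, the VCS itself, and finally the
    name of the parent directory.

    Returns a dict with the keys 'version', 'full-revisionid', 'dirty',
    'error' and 'date'. If every source fails, 'version' is "0+unknown" and
    'error' explains why.
    """
    if "versioneer" in sys.modules:
        # see the discussion in cmdclass.py:get_cmdclass()
        del sys.modules["versioneer"]

    root = get_root()
    cfg = get_config_from_root(root)

    # NOTE(review): these checks are assert statements, so they are skipped
    # when Python runs with -O; a missing setting would then fail further
    # down with a less helpful error.
    assert cfg.VCS is not None, "please set [versioneer]VCS= in setup.cfg"
    handlers = HANDLERS.get(cfg.VCS)
    assert handlers, "unrecognized VCS '%s'" % cfg.VCS
    verbose = verbose or cfg.verbose
    assert (
        cfg.versionfile_source is not None
    ), "please set versioneer.versionfile_source"
    assert cfg.tag_prefix is not None, "please set versioneer.tag_prefix"

    versionfile_abs = os.path.join(root, cfg.versionfile_source)

    # extract version from first of: _version.py, VCS command (e.g. 'git
    # describe'), parentdir. This is meant to work for developers using a
    # source checkout, for users of a tarball created by 'setup.py sdist',
    # and for users of a tarball/zipball created by 'git archive' or github's
    # download-from-tag feature or the equivalent in other VCSes.

    get_keywords_f = handlers.get("get_keywords")
    from_keywords_f = handlers.get("keywords")
    if get_keywords_f and from_keywords_f:
        try:
            keywords = get_keywords_f(versionfile_abs)
            ver = from_keywords_f(keywords, cfg.tag_prefix, verbose)
            if verbose:
                print("got version from expanded keyword %s" % ver)
            return ver
        except NotThisMethod:
            pass

    try:
        ver = versions_from_file(versionfile_abs)
        if verbose:
            print("got version from file %s %s" % (versionfile_abs, ver))
        return ver
    except NotThisMethod:
        pass

    from_vcs_f = handlers.get("pieces_from_vcs")
    if from_vcs_f:
        try:
            pieces = from_vcs_f(cfg.tag_prefix, root, verbose)
            ver = render(pieces, cfg.style)
            if verbose:
                print("got version from VCS %s" % ver)
            return ver
        except NotThisMethod:
            pass

    try:
        if cfg.parentdir_prefix:
            ver = versions_from_parentdir(cfg.parentdir_prefix, root, verbose)
            if verbose:
                print("got version from parentdir %s" % ver)
            return ver
    except NotThisMethod:
        pass

    if verbose:
        print("unable to compute version")

    return {
        "version": "0+unknown",
        "full-revisionid": None,
        "dirty": None,
        "error": "unable to compute version",
        "date": None,
    }


def get_version():
    """Get the short version string for this project."""
    return get_versions()["version"]


def get_cmdclass(cmdclass=None):
    """Get the custom setuptools/distutils subclasses used by Versioneer.

    If the package uses a different cmdclass (e.g. one from numpy), it
    should be provided as an argument. The mapping passed in is copied, not
    modified; the returned dict holds the Versioneer-aware commands.
    """
    if "versioneer" in sys.modules:
        del sys.modules["versioneer"]
        # this fixes the "python setup.py develop" case (also 'install' and
        # 'easy_install .'), in which subdependencies of the main project are
        # built (using setup.py bdist_egg) in the same python process. Assume
        # a main project A and a dependency B, which use different versions
        # of Versioneer. A's setup.py imports A's Versioneer, leaving it in
        # sys.modules by the time B's setup.py is executed, causing B to run
        # with the wrong versioneer. Setuptools wraps the sub-dep builds in a
        # sandbox that restores sys.modules to its pre-build state, so the
        # parent is protected against the child's "import versioneer". By
        # removing ourselves from sys.modules here, before the child build
        # happens, we protect the child from the parent's versioneer too.
        # Also see https://github.com/python-versioneer/python-versioneer/issues/52

    cmds = {} if cmdclass is None else cmdclass.copy()

    # we add "version" to both distutils and setuptools
    from distutils.core import Command

    class cmd_version(Command):
        description = "report generated version string"
        user_options = []
        boolean_options = []

        def initialize_options(self):
            pass

        def finalize_options(self):
            pass

        def run(self):
            vers = get_versions(verbose=True)
            print("Version: %s" % vers["version"])
            print(" full-revisionid: %s" % vers.get("full-revisionid"))
            print(" dirty: %s" % vers.get("dirty"))
            print(" date: %s" % vers.get("date"))
            if vers["error"]:
                print(" error: %s" % vers["error"])

    cmds["version"] = cmd_version

    # we override "build_py" in both distutils and setuptools
    #
    # most invocation pathways end up running build_py:
    #  distutils/build -> build_py
    #  distutils/install -> distutils/build ->..
    #  setuptools/bdist_wheel -> distutils/install ->..
    #  setuptools/bdist_egg -> distutils/install_lib -> build_py
    #  setuptools/install -> bdist_egg ->..
    #  setuptools/develop -> ?
    #  pip install:
    #   copies source tree to a tempdir before running egg_info/etc
    #   if .git isn't copied too, 'git describe' will fail
    #   then does setup.py bdist_wheel, or sometimes setup.py install
    #  setup.py egg_info -> ?

    # we override different "build_py" commands for both environments
    if "build_py" in cmds:
        _build_py = cmds["build_py"]
    elif "setuptools" in sys.modules:
        from setuptools.command.build_py import build_py as _build_py
    else:
        from distutils.command.build_py import build_py as _build_py

    class cmd_build_py(_build_py):
        def run(self):
            root = get_root()
            cfg = get_config_from_root(root)
            versions = get_versions()
            _build_py.run(self)
            # now locate _version.py in the new build/ directory and replace
            # it with an updated value
            if cfg.versionfile_build:
                target_versionfile = os.path.join(self.build_lib, cfg.versionfile_build)
                print("UPDATING %s" % target_versionfile)
                write_to_version_file(target_versionfile, versions)

    cmds["build_py"] = cmd_build_py

    if "setuptools" in sys.modules:
        from setuptools.command.build_ext import build_ext as _build_ext
    else:
        from distutils.command.build_ext import build_ext as _build_ext

    class cmd_build_ext(_build_ext):
        def run(self):
            root = get_root()
            cfg = get_config_from_root(root)
            versions = get_versions()
            _build_ext.run(self)
            if self.inplace:
                # build_ext --inplace will only build extensions in
                # build/lib<..> dir with no _version.py to write to.
                # As in place builds will already have a _version.py
                # in the module dir, we do not need to write one.
                return
            # now locate _version.py in the new build/ directory and replace
            # it with an updated value. Inside build_lib the file lives at
            # versionfile_build, as in cmd_build_py; versionfile_source is
            # relative to the project root and differs for a src/ layout.
            versionfile = cfg.versionfile_build or cfg.versionfile_source
            target_versionfile = os.path.join(self.build_lib, versionfile)
            if not os.path.exists(target_versionfile):
                # write_to_version_file() unlinks the target first and would
                # fail on a missing file.
                print("%s does not exist, skipping update" % target_versionfile)
                return
            print("UPDATING %s" % target_versionfile)
            write_to_version_file(target_versionfile, versions)

    cmds["build_ext"] = cmd_build_ext

    if "cx_Freeze" in sys.modules:  # cx_freeze enabled?
        from cx_Freeze.dist import build_exe as _build_exe

        # nczeczulin reports that py2exe won't like the pep440-style string
        # as FILEVERSION, but it can be used for PRODUCTVERSION, e.g.
        # setup(console=[{
        #   "version": versioneer.get_version().split("+", 1)[0], # FILEVERSION
        #   "product_version": versioneer.get_version(),
        #   ...

        class cmd_build_exe(_build_exe):
            def run(self):
                root = get_root()
                cfg = get_config_from_root(root)
                versions = get_versions()
                target_versionfile = cfg.versionfile_source
                print("UPDATING %s" % target_versionfile)
                write_to_version_file(target_versionfile, versions)

                try:
                    _build_exe.run(self)
                finally:
                    # Put the long-form _version.py back in the source tree
                    # even when the build fails.
                    os.unlink(target_versionfile)
                    with open(cfg.versionfile_source, "w") as f:
                        LONG = LONG_VERSION_PY[cfg.VCS]
                        f.write(
                            LONG
                            % {
                                "DOLLAR": "$",
                                "STYLE": cfg.style,
                                "TAG_PREFIX": cfg.tag_prefix,
                                "PARENTDIR_PREFIX": cfg.parentdir_prefix,
                                "VERSIONFILE_SOURCE": cfg.versionfile_source,
                            }
                        )

        cmds["build_exe"] = cmd_build_exe
        del cmds["build_py"]

    if "py2exe" in sys.modules:  # py2exe enabled?
        from py2exe.distutils_buildexe import py2exe as _py2exe

        class cmd_py2exe(_py2exe):
            def run(self):
                root = get_root()
                cfg = get_config_from_root(root)
                versions = get_versions()
                target_versionfile = cfg.versionfile_source
                print("UPDATING %s" % target_versionfile)
                write_to_version_file(target_versionfile, versions)

                try:
                    _py2exe.run(self)
                finally:
                    # Put the long-form _version.py back in the source tree
                    # even when the build fails.
                    os.unlink(target_versionfile)
                    with open(cfg.versionfile_source, "w") as f:
                        LONG = LONG_VERSION_PY[cfg.VCS]
                        f.write(
                            LONG
                            % {
                                "DOLLAR": "$",
                                "STYLE": cfg.style,
                                "TAG_PREFIX": cfg.tag_prefix,
                                "PARENTDIR_PREFIX": cfg.parentdir_prefix,
                                "VERSIONFILE_SOURCE": cfg.versionfile_source,
                            }
                        )

        cmds["py2exe"] = cmd_py2exe

    # we override different "sdist" commands for both environments
    if "sdist" in cmds:
        _sdist = cmds["sdist"]
    elif "setuptools" in sys.modules:
        from setuptools.command.sdist import sdist as _sdist
    else:
        from distutils.command.sdist import sdist as _sdist

    class cmd_sdist(_sdist):
        def run(self):
            versions = get_versions()
            self._versioneer_generated_versions = versions
            # unless we update this, the command will keep using the old
            # version
            self.distribution.metadata.version = versions["version"]
            return _sdist.run(self)

        def make_release_tree(self, base_dir, files):
            root = get_root()
            cfg = get_config_from_root(root)
            _sdist.make_release_tree(self, base_dir, files)
            # now locate _version.py in the new base_dir directory
            # (remembering that it may be a hardlink) and replace it with an
            # updated value
            target_versionfile = os.path.join(base_dir, cfg.versionfile_source)
            print("UPDATING %s" % target_versionfile)
            write_to_version_file(
                target_versionfile, self._versioneer_generated_versions
            )

    cmds["sdist"] = cmd_sdist

    return cmds


CONFIG_ERROR = """
setup.cfg is missing the necessary Versioneer configuration. You need
a section like:

 [versioneer]
 VCS = git
 style = pep440
 versionfile_source = src/myproject/_version.py
 versionfile_build = myproject/_version.py
 tag_prefix =
 parentdir_prefix = myproject-

You will also need to edit your setup.py to use the results:

 import versioneer
 setup(version=versioneer.get_version(),
       cmdclass=versioneer.get_cmdclass(), ...)

Please read the docstring in ./versioneer.py for configuration instructions,
edit setup.cfg, and re-run the installer or 'python versioneer.py setup'.
"""

SAMPLE_CONFIG = """
# See the docstring in versioneer.py for instructions. Note that you must
# re-run 'versioneer.py setup' after changing this section, and commit the
# resulting files.

[versioneer]
#VCS = git
#style = pep440
#versionfile_source =
#versionfile_build =
#tag_prefix =
#parentdir_prefix =

"""

INIT_PY_SNIPPET = """
from ._version import get_versions
__version__ = get_versions()['version']
del get_versions
"""


def do_setup():
    """Do main VCS-independent setup function for installing Versioneer.

    Writes the long-form _version.py, appends the import snippet to the
    package __init__.py when it exists, makes sure MANIFEST.in includes
    versioneer.py and the version file, then runs the VCS-specific step.

    Returns 0 on success, or 1 when setup.cfg has no usable [versioneer]
    configuration.
    """
    root = get_root()
    try:
        cfg = get_config_from_root(root)
    except (
        EnvironmentError,
        configparser.NoSectionError,
        configparser.NoOptionError,
    ) as e:
        if isinstance(e, (EnvironmentError, configparser.NoSectionError)):
            print("Adding sample versioneer config to setup.cfg", file=sys.stderr)
            with open(os.path.join(root, "setup.cfg"), "a") as f:
                f.write(SAMPLE_CONFIG)
        print(CONFIG_ERROR, file=sys.stderr)
        return 1

    print(" creating %s" % cfg.versionfile_source)
    with open(cfg.versionfile_source, "w") as f:
        LONG = LONG_VERSION_PY[cfg.VCS]
        f.write(
            LONG
            % {
                "DOLLAR": "$",
                "STYLE": cfg.style,
                "TAG_PREFIX": cfg.tag_prefix,
                "PARENTDIR_PREFIX": cfg.parentdir_prefix,
                "VERSIONFILE_SOURCE": cfg.versionfile_source,
            }
        )

    ipy = os.path.join(os.path.dirname(cfg.versionfile_source), "__init__.py")
    if os.path.exists(ipy):
        try:
            with open(ipy, "r") as f:
                old = f.read()
        except EnvironmentError:
            old = ""
        if INIT_PY_SNIPPET not in old:
            print(" appending to %s" % ipy)
            with open(ipy, "a") as f:
                f.write(INIT_PY_SNIPPET)
        else:
            print(" %s unmodified" % ipy)
    else:
        print(" %s doesn't exist, ok" % ipy)
        ipy = None

    # Make sure both the top-level "versioneer.py" and versionfile_source
    # (PKG/_version.py, used by runtime code) are in MANIFEST.in, so
    # they'll be copied into source distributions. Pip won't be able to
    # install the package without this.
    manifest_in = os.path.join(root, "MANIFEST.in")
    simple_includes = set()
    try:
        with open(manifest_in, "r") as f:
            for line in f:
                if line.startswith("include "):
                    for include in line.split()[1:]:
                        simple_includes.add(include)
    except EnvironmentError:
        pass
    # That doesn't cover everything MANIFEST.in can do
    # (http://docs.python.org/2/distutils/sourcedist.html#commands), so
    # it might give some false negatives. Appending redundant 'include'
    # lines is safe, though.
    if "versioneer.py" not in simple_includes:
        print(" appending 'versioneer.py' to MANIFEST.in")
        with open(manifest_in, "a") as f:
            f.write("include versioneer.py\n")
    else:
        print(" 'versioneer.py' already in MANIFEST.in")
    if cfg.versionfile_source not in simple_includes:
        print(
            " appending versionfile_source ('%s') to MANIFEST.in"
            % cfg.versionfile_source
        )
        with open(manifest_in, "a") as f:
            f.write("include %s\n" % cfg.versionfile_source)
    else:
        print(" versionfile_source already in MANIFEST.in")

    # Make VCS-specific changes. For git, this means creating/changing
    # .gitattributes to mark _version.py for export-subst keyword
    # substitution.
    do_vcs_install(manifest_in, cfg.versionfile_source, ipy)
    return 0


def scan_setup_py():
    """Validate the contents of setup.py against Versioneer's expectations.

    This is a plain substring scan of ./setup.py, not a parse. Returns the
    number of problems found (0, 1 or 2).
    """
    found = set()
    setters = False
    errors = 0
    with open("setup.py", "r") as f:
        for line in f:
            if "import versioneer" in line:
                found.add("import")
            if "versioneer.get_cmdclass()" in line:
                found.add("cmdclass")
            if "versioneer.get_version()" in line:
                found.add("get_version")
            if "versioneer.VCS" in line:
                setters = True
            if "versioneer.versionfile_source" in line:
                setters = True
    if len(found) != 3:
        print("")
        print("Your setup.py appears to be missing some important items")
        print("(but I might be wrong). Please make sure it has something")
        print("roughly like the following:")
        print("")
        print(" import versioneer")
        print(" setup( version=versioneer.get_version(),")
        print(" cmdclass=versioneer.get_cmdclass(), ...)")
        print("")
        errors += 1
    if setters:
        print("You should remove lines like 'versioneer.VCS = ' and")
        print("'versioneer.versionfile_source = ' . This configuration")
        print("now lives in setup.cfg, and should be removed from setup.py")
        print("")
        errors += 1
    return errors


if __name__ == "__main__":
    # Running the script with no argument used to end in an IndexError
    # traceback; report the expected usage instead.
    if len(sys.argv) < 2:
        print("usage: python versioneer.py setup", file=sys.stderr)
        sys.exit(1)
    cmd = sys.argv[1]
    if cmd == "setup":
        errors = do_setup()
        errors += scan_setup_py()
        if errors:
            sys.exit(1)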