requests-http-signature


Namerequests-http-signature JSON
Version 0.7.1 PyPI version JSON
download
home_pagehttps://github.com/pyauth/requests-http-signature
SummaryA Requests auth module for HTTP Message Signatures
upload_time2022-04-19 18:40:25
maintainer
docs_urlNone
authorAndrey Kislyuk
requires_python
licenseApache Software License
keywords
VCS
bugtrack_url
requirements No requirements were recorded.
Travis-CI No Travis.
coveralls test coverage No coveralls.
            requests-http-signature: A Requests auth module for HTTP Signature
==================================================================
**requests-http-signature** is a `Requests <https://github.com/requests/requests>`_ `authentication plugin
<http://docs.python-requests.org/en/master/user/authentication/>`_ (``requests.auth.AuthBase`` subclass) implementing
the `IETF HTTP Message Signatures draft standard <https://datatracker.ietf.org/doc/draft-ietf-httpbis-message-signatures/>`_.

Installation
------------
::

    $ pip install requests-http-signature

Usage
-----

.. code-block:: python

  import requests
  from requests_http_signature import HTTPSignatureAuth, algorithms
  
  preshared_key_id = 'squirrel'
  preshared_secret = b'monorail_cat'
  url = 'https://example.com/'

  auth = HTTPSignatureAuth(key=preshared_secret,
                           key_id=preshared_key_id,
                           signature_algorithm=algorithms.HMAC_SHA256)
  requests.get(url, auth=auth)

By default, only the ``Date`` header and the ``@method``, ``@authority``, and ``@target-uri`` derived component
identifiers are signed for body-less requests such as GET. The ``Date`` header is set if it is absent. In addition,
the ``Authorization`` header is signed if it is present, and for requests with bodies (such as POST), the
``Content-Digest`` header is set to the SHA256 of the request body using the format described in the
`IETF Digest Fields draft <https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-digest-headers>`_ and signed.
To add other headers to the signature, pass an array of header names in the ``covered_component_ids`` keyword argument.
See the `API documentation <https://pyauth.github.io/requests-http-signature/#id3>`_ for the full list of options and
details.

Verifying responses
~~~~~~~~~~~~~~~~~~~
The class method ``HTTPSignatureAuth.verify()`` can be used to verify responses received back from the server:

.. code-block:: python

  class MyKeyResolver:
      def resolve_public_key(self, key_id):
          assert key_id == 'squirrel'
          return 'monorail_cat'

  response = requests.get(url, auth=auth)
  verify_result = HTTPSignatureAuth.verify(response,
                                           signature_algorithm=algorithms.HMAC_SHA256,
                                           key_resolver=MyKeyResolver())

More generally, you can reconstruct an arbitrary request using the
`Requests API <https://docs.python-requests.org/en/latest/api/#requests.Request>`_ and pass it to ``verify()``:

.. code-block:: python

  request = requests.Request(...)  # Reconstruct the incoming request using the Requests API
  prepared_request = request.prepare()  # Generate a PreparedRequest
  HTTPSignatureAuth.verify(prepared_request, ...)

To verify incoming requests and sign responses in the context of an HTTP server, see the
`flask-http-signature <https://github.com/pyauth/flask-http-signature>`_ and
`http-message-signatures <https://github.com/pyauth/http-message-signatures>`_ packages.

.. admonition:: See what is signed

 It is important to understand and follow the best practice rule of "See what is signed" when verifying HTTP message
 signatures. The gist of this rule is: if your application neglects to verify that the information it trusts is
 what was actually signed, the attacker can supply a valid signature but point you to malicious data that wasn't signed
 by that signature. Failure to follow this rule can lead to vulnerability against signature wrapping and substitution
 attacks.

 In requests-http-signature, you can ensure that the information signed is what you expect to be signed by only trusting
 the data returned by the ``verify()`` method::

   verify_result = HTTPSignatureAuth.verify(message, ...)

See the `API documentation <https://pyauth.github.io/requests-http-signature/#id3>`_ for full details.

Asymmetric key algorithms
~~~~~~~~~~~~~~~~~~~~~~~~~
To sign or verify messages with an asymmetric key algorithm, set the ``signature_algorithm`` keyword argument to
``algorithms.ED25519``, ``algorithms.ECDSA_P256_SHA256``, ``algorithms.RSA_V1_5_SHA256``, or
``algorithms.RSA_PSS_SHA512``. Note that signing with rsa-pss-sha512 is not currently supported due to a limitation of
the cryptography library.

For asymmetric key algorithms, you can supply the private key as the ``key`` parameter to the ``HTTPSignatureAuth()``
constructor as bytes in the PEM format, or configure the key resolver as follows:

.. code-block:: python

  with open('key.pem', 'rb') as fh:
      auth = HTTPSignatureAuth(algorithm=algorithms.RSA_V1_5_SHA256,
                               key=fh.read(),
                               key_id=preshared_key_id)
  requests.get(url, auth=auth)

  class MyKeyResolver:
      def resolve_public_key(self, key_id: str):
          return public_key_pem_bytes[key_id]

      def resolve_private_key(self, key_id: str):
          return private_key_pem_bytes[key_id]

  auth = HTTPSignatureAuth(algorithm=algorithms.RSA_V1_5_SHA256,
                           key=fh.read(),
                           key_resolver=MyKeyResolver())
  requests.get(url, auth=auth)

Digest algorithms
~~~~~~~~~~~~~~~~~
To generate a Content-Digest header using SHA-512 instead of the default SHA-256, subclass ``HTTPSignatureAuth`` as
follows::

  class MySigner(HTTPSignatureAuth):
      signing_content_digest_algorithm = "sha-512"

Links
-----
* `Project home page (GitHub) <https://github.com/pyauth/requests-http-signature>`_
* `Package documentation <https://pyauth.github.io/requests-http-signature/>`_
* `Package distribution (PyPI) <https://pypi.python.org/pypi/requests-http-signature>`_
* `Change log <https://github.com/pyauth/requests-http-signature/blob/master/Changes.rst>`_
* `http-message-signatures <https://github.com/pyauth/http-message-signatures>`_ - a dependency of this library that
  handles much of the implementation
* `IETF HTTP Signatures draft <https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-message-signatures>`_

Bugs
~~~~
Please report bugs, issues, feature requests, etc. on `GitHub <https://github.com/pyauth/requests-http-signature/issues>`_.

License
-------
Licensed under the terms of the `Apache License, Version 2.0 <http://www.apache.org/licenses/LICENSE-2.0>`_.



            

Raw data

            {
    "_id": null,
    "home_page": "https://github.com/pyauth/requests-http-signature",
    "name": "requests-http-signature",
    "maintainer": "",
    "docs_url": null,
    "requires_python": "",
    "maintainer_email": "",
    "keywords": "",
    "author": "Andrey Kislyuk",
    "author_email": "kislyuk@gmail.com",
    "download_url": "https://files.pythonhosted.org/packages/d1/31/3e2a9e47c81636a9206e7de02b5f65c46cc9297dd4d1d02b87727ff3d232/requests-http-signature-0.7.1.tar.gz",
    "platform": "MacOS X",
    "description": "requests-http-signature: A Requests auth module for HTTP Signature\n==================================================================\n**requests-http-signature** is a `Requests <https://github.com/requests/requests>`_ `authentication plugin\n<http://docs.python-requests.org/en/master/user/authentication/>`_ (``requests.auth.AuthBase`` subclass) implementing\nthe `IETF HTTP Message Signatures draft standard <https://datatracker.ietf.org/doc/draft-ietf-httpbis-message-signatures/>`_.\n\nInstallation\n------------\n::\n\n    $ pip install requests-http-signature\n\nUsage\n-----\n\n.. code-block:: python\n\n  import requests\n  from requests_http_signature import HTTPSignatureAuth, algorithms\n  \n  preshared_key_id = 'squirrel'\n  preshared_secret = b'monorail_cat'\n  url = 'https://example.com/'\n\n  auth = HTTPSignatureAuth(key=preshared_secret,\n                           key_id=preshared_key_id,\n                           signature_algorithm=algorithms.HMAC_SHA256)\n  requests.get(url, auth=auth)\n\nBy default, only the ``Date`` header and the ``@method``, ``@authority``, and ``@target-uri`` derived component\nidentifiers are signed for body-less requests such as GET. The ``Date`` header is set if it is absent. In addition,\nthe ``Authorization`` header is signed if it is present, and for requests with bodies (such as POST), the\n``Content-Digest`` header is set to the SHA256 of the request body using the format described in the\n`IETF Digest Fields draft <https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-digest-headers>`_ and signed.\nTo add other headers to the signature, pass an array of header names in the ``covered_component_ids`` keyword argument.\nSee the `API documentation <https://pyauth.github.io/requests-http-signature/#id3>`_ for the full list of options and\ndetails.\n\nVerifying responses\n~~~~~~~~~~~~~~~~~~~\nThe class method ``HTTPSignatureAuth.verify()`` can be used to verify responses received back from the server:\n\n.. code-block:: python\n\n  class MyKeyResolver:\n      def resolve_public_key(self, key_id):\n          assert key_id == 'squirrel'\n          return 'monorail_cat'\n\n  response = requests.get(url, auth=auth)\n  verify_result = HTTPSignatureAuth.verify(response,\n                                           signature_algorithm=algorithms.HMAC_SHA256,\n                                           key_resolver=MyKeyResolver())\n\nMore generally, you can reconstruct an arbitrary request using the\n`Requests API <https://docs.python-requests.org/en/latest/api/#requests.Request>`_ and pass it to ``verify()``:\n\n.. code-block:: python\n\n  request = requests.Request(...)  # Reconstruct the incoming request using the Requests API\n  prepared_request = request.prepare()  # Generate a PreparedRequest\n  HTTPSignatureAuth.verify(prepared_request, ...)\n\nTo verify incoming requests and sign responses in the context of an HTTP server, see the\n`flask-http-signature <https://github.com/pyauth/flask-http-signature>`_ and\n`http-message-signatures <https://github.com/pyauth/http-message-signatures>`_ packages.\n\n.. admonition:: See what is signed\n\n It is important to understand and follow the best practice rule of \"See what is signed\" when verifying HTTP message\n signatures. The gist of this rule is: if your application neglects to verify that the information it trusts is\n what was actually signed, the attacker can supply a valid signature but point you to malicious data that wasn't signed\n by that signature. Failure to follow this rule can lead to vulnerability against signature wrapping and substitution\n attacks.\n\n In requests-http-signature, you can ensure that the information signed is what you expect to be signed by only trusting\n the data returned by the ``verify()`` method::\n\n   verify_result = HTTPSignatureAuth.verify(message, ...)\n\nSee the `API documentation <https://pyauth.github.io/requests-http-signature/#id3>`_ for full details.\n\nAsymmetric key algorithms\n~~~~~~~~~~~~~~~~~~~~~~~~~\nTo sign or verify messages with an asymmetric key algorithm, set the ``signature_algorithm`` keyword argument to\n``algorithms.ED25519``, ``algorithms.ECDSA_P256_SHA256``, ``algorithms.RSA_V1_5_SHA256``, or\n``algorithms.RSA_PSS_SHA512``. Note that signing with rsa-pss-sha512 is not currently supported due to a limitation of\nthe cryptography library.\n\nFor asymmetric key algorithms, you can supply the private key as the ``key`` parameter to the ``HTTPSignatureAuth()``\nconstructor as bytes in the PEM format, or configure the key resolver as follows:\n\n.. code-block:: python\n\n  with open('key.pem', 'rb') as fh:\n      auth = HTTPSignatureAuth(algorithm=algorithms.RSA_V1_5_SHA256,\n                               key=fh.read(),\n                               key_id=preshared_key_id)\n  requests.get(url, auth=auth)\n\n  class MyKeyResolver:\n      def resolve_public_key(self, key_id: str):\n          return public_key_pem_bytes[key_id]\n\n      def resolve_private_key(self, key_id: str):\n          return private_key_pem_bytes[key_id]\n\n  auth = HTTPSignatureAuth(algorithm=algorithms.RSA_V1_5_SHA256,\n                           key=fh.read(),\n                           key_resolver=MyKeyResolver())\n  requests.get(url, auth=auth)\n\nDigest algorithms\n~~~~~~~~~~~~~~~~~\nTo generate a Content-Digest header using SHA-512 instead of the default SHA-256, subclass ``HTTPSignatureAuth`` as\nfollows::\n\n  class MySigner(HTTPSignatureAuth):\n      signing_content_digest_algorithm = \"sha-512\"\n\nLinks\n-----\n* `Project home page (GitHub) <https://github.com/pyauth/requests-http-signature>`_\n* `Package documentation <https://pyauth.github.io/requests-http-signature/>`_\n* `Package distribution (PyPI) <https://pypi.python.org/pypi/requests-http-signature>`_\n* `Change log <https://github.com/pyauth/requests-http-signature/blob/master/Changes.rst>`_\n* `http-message-signatures <https://github.com/pyauth/http-message-signatures>`_ - a dependency of this library that\n  handles much of the implementation\n* `IETF HTTP Signatures draft <https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-message-signatures>`_\n\nBugs\n~~~~\nPlease report bugs, issues, feature requests, etc. on `GitHub <https://github.com/pyauth/requests-http-signature/issues>`_.\n\nLicense\n-------\nLicensed under the terms of the `Apache License, Version 2.0 <http://www.apache.org/licenses/LICENSE-2.0>`_.\n\n\n",
    "bugtrack_url": null,
    "license": "Apache Software License",
    "summary": "A Requests auth module for HTTP Message Signatures",
    "version": "0.7.1",
    "split_keywords": [],
    "urls": [
        {
            "comment_text": "",
            "digests": {
                "md5": "11a385a9de30febba52e6d4a1b15d487",
                "sha256": "5770fa5c6cd9dd700bc2aa92d3d1dd8e26b9a7c083585d2db0c8bf9ec482c906"
            },
            "downloads": -1,
            "filename": "requests_http_signature-0.7.1-py3-none-any.whl",
            "has_sig": true,
            "md5_digest": "11a385a9de30febba52e6d4a1b15d487",
            "packagetype": "bdist_wheel",
            "python_version": "py3",
            "requires_python": null,
            "size": 12531,
            "upload_time": "2022-04-19T18:40:23",
            "upload_time_iso_8601": "2022-04-19T18:40:23.313719Z",
            "url": "https://files.pythonhosted.org/packages/bb/82/b12255a9e7af3aa9ca387ea74c4069074b1470592d90359ed88f635be804/requests_http_signature-0.7.1-py3-none-any.whl",
            "yanked": false,
            "yanked_reason": null
        },
        {
            "comment_text": "",
            "digests": {
                "md5": "9b26352f545f64ad146877b68e81bda9",
                "sha256": "ebc5b2fbb95d4519385afd385b31a34e9bdff20fd0b3f36e8ce42945b8340997"
            },
            "downloads": -1,
            "filename": "requests-http-signature-0.7.1.tar.gz",
            "has_sig": true,
            "md5_digest": "9b26352f545f64ad146877b68e81bda9",
            "packagetype": "sdist",
            "python_version": "source",
            "requires_python": null,
            "size": 18998,
            "upload_time": "2022-04-19T18:40:25",
            "upload_time_iso_8601": "2022-04-19T18:40:25.072461Z",
            "url": "https://files.pythonhosted.org/packages/d1/31/3e2a9e47c81636a9206e7de02b5f65c46cc9297dd4d1d02b87727ff3d232/requests-http-signature-0.7.1.tar.gz",
            "yanked": false,
            "yanked_reason": null
        }
    ],
    "upload_time": "2022-04-19 18:40:25",
    "github": true,
    "gitlab": false,
    "bitbucket": false,
    "github_user": "pyauth",
    "github_project": "requests-http-signature",
    "travis_ci": false,
    "coveralls": false,
    "github_actions": true,
    "lcname": "requests-http-signature"
}
        
Elapsed time: 0.02687s