feat(authenitcation.digest): add support for SHA-512-256 algorithm

spaceone · spaceone · commit 1d5a0f5b2ae0 · 2026-05-27T00:56:43.000+02:00
diff --git a/httoop/authentication/digest.py b/httoop/authentication/digest.py
@@ -1,38 +1,43 @@
 from __future__ import annotations
 
-from hashlib import md5, sha256
+from hashlib import md5, new, sha256
 from hmac import compare_digest
+from time import time
 from typing import Callable
+from uuid import uuid4
 
 from httoop.exceptions import InvalidHeader
 from httoop.header.element import HeaderElement
 from httoop.util import ByteUnicodeDict, _
 
 
 class DigestAuthScheme:
-
     algorithms = {
-        'MD5': lambda val: md5(val).hexdigest().encode('ASCII'),  # nosec
-        'MD5-sess': lambda val: md5(val).hexdigest().encode('ASCII'),  # nosec
-        'SHA-256': lambda val: sha256(val).hexdigest().encode('ASCII'),
-        'SHA-256-sess': lambda val: sha256(val).hexdigest().encode('ASCII'),
-        # 'SHA-512-256': lambda val: sha256(val).hexdigest().encode('ASCII'), TODO: ??
-        # 'SHA-512-256-sess': lambda val: sha256(val).hexdigest().encode('ASCII'), TODO: ??
-    }
+        'MD5': lambda: md5(),  # noqa: S324
+        'SHA-256': lambda: sha256(),
+        'SHA-512-256': lambda: new('sha512_256'),
+    }  # not case insensitive per RFC
+    algorithms['MD5-sess'] = algorithms['MD5']
+    algorithms['SHA-256-sess'] = algorithms['SHA-256']
+    algorithms['SHA-512-256-sess'] = algorithms['SHA-512-256']
     qops = (b'auth', b'auth-int')  # quality of protection
 
     @classmethod
-    def get_algorithm(cls, algorithm: bytes | str) -> Callable:
+    def get_algorithm(cls, algorithm: bytes | str) -> Callable[bytes, bytes]:
         try:
-            return cls.algorithms[algorithm.decode('ASCII', 'ignore') if isinstance(algorithm, bytes) else algorithm]
+            H = cls.algorithms[algorithm.decode('ASCII', 'ignore') if isinstance(algorithm, bytes) else algorithm]
         except KeyError:
-            raise InvalidHeader(_('Unknown digest authentication algorithm: %r'), algorithm)
+            raise InvalidHeader(_('Unknown digest authentication algorithm: %r'), algorithm) from None
+
+        def _algo(value) -> bytes:
+            h = H()
+            h.update(value)
+            return h.hexdigest().encode('ASCII')
+
+        return _algo
 
     @classmethod
     def generate_nonce(cls, authinfo: ByteUnicodeDict) -> bytes:
-        from time import time
-        from uuid import uuid4
-
         nonce = b'%d:%s:%s' % (
             time(),
             authinfo.get('etag', authinfo.get('realm', b'')),
@@ -176,7 +181,7 @@ def calculate_request_digest(cls, authinfo: ByteUnicodeDict) -> bytes:
         algorithm = authinfo.get('algorithm', b'MD5').decode('ASCII', 'replace')
         H = cls.get_algorithm(algorithm)
 
-        if algorithm == 'MD5-sess' and authinfo.get('A1'):  # noqa: SIM108
+        if algorithm.endswith('-sess') and authinfo.get('A1'):  # noqa: SIM108
             secret = H(authinfo['A1'])
         else:
             secret = H(cls.A1(authinfo))
@@ -208,7 +213,7 @@ def A1(cls, params: ByteUnicodeDict) -> bytes:
 
         if not algorithm or algorithm == b'MD5':
             return b'%s:%s:%s' % (params['username'], params['realm'], params['password'])
-        if algorithm == b'MD5-sess':
+        if algorithm.endswith(b'-sess'):
             H = cls.get_algorithm(algorithm)
             s = b'%s:%s:%s' % (params['username'], params['realm'], params['password'])
             return b'%s:%s:%s' % (H(s), params['nonce'], params['cnonce'])
