Mr.X

�

XR_I���SrSSKJrJrJr SSKJr SSKrSSKrSSK	r	SSK
r
\
R"\5r
SSKrSSKrSSKrSSKrSSKr\(a
SSKJrJrJrJr OSSKJrJr SSKJrJr SSKJr SS	KJr SSKr SSK!r SS
K"J#r$ C SSK'J(r( SS
K)J*r*J+r+J,r,J-r- SSK.J/r/J0r0J1r1J2r2J3r3J4r4J5r5J6r6 SSK7J8r8J9r9J:r: SSKJ;r;J<r<J=r=J>r>J?r?J@r@JArAJBrBJCrCJDrD SSKEJFrFJGrG SSKHJIrIJJrJJKrK SSKLJMrM /SQrN\R�S:a0SSKJPrP S\P;a#\PR�"S5 \
RMS5 CP\R�"\;"S5\R�5rT/SQrUSrVS-SjrWSrX\Y"\$5rZ\R�"S5r["SS \\5r]\R�"S!5R�r`\R�"S"5R�rbS#rc"S$S%\\5rd"S&S'\45re"S(S)\45rfS*\8SS+4S,jrgg!\%a \
RMS5 S=r$rGNf=f)[email protected] -- TOTP / RFC6238 / Google Authenticator utilities.�)�absolute_import�division�print_function)�PY3N)�urlparse�	parse_qsl�quote�unquote)r	r
)rr)�warn)�default_backend)�ciphersz=can't import 'cryptography' package, totp encryption disabled)�exc)�
TokenError�MalformedTokenError�InvalidTokenError�UsedTokenError)�
to_unicode�to_bytes�consteq�getrandbytes�rng�
SequenceMixin�	xor_bytes�
getrandstr)�BASE64_CHARS�	b32encode�	b32decode)
�u�unicode�native_string_types�
bascii_to_str�	int_types�	num_types�irange�byte_elem_value�	UnicodeIO�suppress_cause)�
hybrid_method�memoized_property)�lookup_hash�compile_hmac�pbkdf2_hmac)�
pbkdf2_sha256)�	AppWallet�TOTPrrrr�	TotpToken�	TotpMatch)���)�
uses_query�otpauthz4registered 'otpauth' scheme with urlparse.uses_queryz\s|[-=])r4��c��[HnX-(aMUs $ [SnSn[HnX-U:�dM
UnX-nM U$)zV
helper for group_string() --
calculates optimal size of group for given string size.
r)�_chunk_sizes)�klen�size�best�rems    �./usr/lib/python3/dist-packages/passlib/totp.py�_get_group_sizer@YsQ�����{�{��K��
��?�D�
�C����;����D��+�C���K�c�^^�[T5n[U5mURUU4Sj[SUT555$)z�
reformat string into (roughly) evenly-sized groups, separated by **sep**.
useful for making tokens & keys easier to read by humans.
c3�2># �UHnTXT-v� M g7f�N�)�.0�or<�values  ��r?�	<genexpr>�group_string.<locals>.<genexpr>ss����C�-B��E�!�d�F�O�-B�s�r)�lenr@�joinr$)rH�sepr;r<s`  @r?�group_stringrNls6���
�u�:�D��4� �D��8�8�C�V�A�t�T�-B�C�C�CrAc�j�US:Xa/[U[5(d[R"USS5eU$[	USS9n[
R
SU5RS5nUS:XdUS:Xa$[R"UR55$US	:Xa[U5$[S
U<35e)zF
internal TOTP() helper --
decodes key according to specified format.
�raw�bytes�key��param�zutf-8�hex�base16�base32�unknown byte-encoding format: )
�
isinstancerQr�ExpectedTypeErrorr�	_clean_re�sub�encode�base64�	b16decode�upperr�
ValueError�rR�formats  r?�
_decode_bytesreys���
����#�u�%�%��'�'��W�e�<�<��
��S��
&�C�
�-�-��C�
 �
'�
'��
0�C�
���&�H�,�����	�	��,�,�	�8�	���~���v�G�H�HrAz(?i)^[a-z0-9][a-z0-9_.-]*$c�x�\rSrSrSrSrSrSrSrSSjr	Sr
Sr\S	5r
S
r\SSj5rSrS
rSrg)r.�a�
This class stores application-wide secrets that can be used
to encrypt & decrypt TOTP keys for storage.
It's mostly an internal detail, applications usually just need
to pass ``secrets`` or ``secrets_path`` to :meth:`TOTP.using`.

.. seealso::

    :ref:`totp-storing-instances` for more details on this workflow.

Arguments
=========
:param secrets:
    Dict of application secrets to use when encrypting/decrypting
    stored TOTP keys.  This should include a secret to use when encrypting
    new keys, but may contain additional older secrets to decrypt
    existing stored keys.

    The dict should map tags -> secrets, so that each secret is identified
    by a unique tag.  This tag will be stored along with the encrypted
    key in order to determine which secret should be used for decryption.
    Tag should be string that starts with regex range ``[a-z0-9]``,
    and the remaining characters must be in ``[a-z0-9_.-]``.

    It is recommended to use something like a incremental counter
    ("1", "2", ...), an ISO date ("2016-01-01", "2016-05-16", ...), 
    or a timestamp ("19803495", "19813495", ...) when assigning tags.

    This mapping be provided in three formats:

    * A python dict mapping tag -> secret
    * A JSON-formatted string containing the dict
    * A multiline string with the format ``"tag: value\ntag: value\n..."``

    (This last format is mainly useful when loading from a text file via **secrets_path**)

    .. seealso:: :func:`generate_secret` to create a secret with sufficient entropy

:param secrets_path:
    Alternately, callers can specify a separate file where the
    application-wide secrets are stored, using either of the string
    formats described in **secrets**.

:param default_tag:
    Specifies which tag in **secrets** should be used as the default
    for encrypting new keys. If omitted, the tags will be sorted,
    and the largest tag used as the default.

    if all tags are numeric, they will be sorted numerically;
    otherwise they will be sorted alphabetically.
    this permits tags to be assigned numerically,
    or e.g. using ``YYYY-MM-DD`` dates.

:param encrypt_cost:
    Optional time-cost factor for key encryption.
    This value corresponds to log2() of the number of PBKDF2
    rounds used.

.. warning::

    The application secret(s) should be stored in a secure location by
    your application, and each secret should contain a large amount
    of entropy (to prevent brute-force attacks if the encrypted keys
    are leaked).

    :func:`generate_secret` is provided as a convenience helper
    to generate a new application secret of suitable size.

    Best practice is to load these values from a file via **secrets_path**,
    and then have your application give up permission to read this file
    once it's running.

Public Methods
==============
.. autoattribute:: has_secrets
.. autoattribute:: default_tag

Semi-Private Methods
====================
The following methods are used internally by the :class:`TOTP`
class in order to encrypt & decrypt keys using the provided application
secrets.  They will generally not be publically useful, and may have their
API changed periodically.

.. automethod:: get_secret
.. automethod:: encrypt_key
.. automethod:: decrypt_key
��Nc��Ub.[U[5(a[U5nUS:�deX0lUb(Ub[	S5e[US5R
5nURU5=olU(aMUbURU5 O1[SU55(a[U[S9nO[U5nX lgg)Nrz3'secrets' and 'secrets_path' are mutually exclusive�rtc3�@# �UHoR5v� M g7frD)�isdigit)rF�tags  r?rI�%AppWallet.__init__.<locals>.<genexpr>)s���6�g�s�[�[�]�]�g�s�)rR)
rZr �int�encrypt_cost�	TypeError�open�read�_parse_secrets�_secrets�
get_secret�all�max�default_tag)�self�secretsrzrq�secrets_paths     r?�__init__�AppWallet.__init__s����#��,�(;�<�<�"�<�0���1�$�$�$� ,���#��"�� U�V�V��<��.�3�3�5�G�#'�"5�"5�g�">�>��-�
��&�����,��6�g�6�6�6�!�'�s�3��!�'�l��*��rAc�^�Sn[U[5(a`UR5RS5(a[R
"U5nO%SU;aSU;aSnU"U5nSnO[
S5eUc0$[U[5(aUR5nOU(a[S5e[U4S	jU55$)
zF
parse 'secrets' parameter

:returns:
    Dict[tag:str, secret:bytes]
T)�[�{�
�:c3�# �UR5HjnUR5nU(dMURS5(aM4URSS5up#UR5UR54v� Ml g7f)N�#r��)�
splitlines�strip�
startswith�split)�source�linern�secrets    r?�
iter_pairs�,AppWallet._parse_secrets.<locals>.iter_pairsAs_��� &� 1� 1� 3��#�z�z�|���4�����(<�(<�*.�*�*�S�!�*<�K�C�"%�)�)�+�v�|�|�~�"=�=�	!4�s�)B�B�;BFz"unrecognized secrets string formatz+'secrets' must be mapping, or list of itemsc3�J># �UHupTRX5v� M g7frD)�_parse_secret_pair)rFrnrHr{s   �r?rI�+AppWallet._parse_secrets.<locals>.<genexpr>Ws(����.�&,�
���+�+�C�7�7�&,�s� #)
rZr �lstripr��json�loadsrb�dict�itemsrr)r{r��
check_typer�s`   r?ru�AppWallet._parse_secrets/s�����
��f�1�2�2��}�}��)�)�*�5�5����F�+�����C�6�M�>�$�F�+��"�
� �!E�F�F��>��I�
���
%�
%��\�\�^�F���I�J�J��.�&,�.�.�	.rAc�X�[U[5(aO0[U[5(a[U5nO[	SU<35e[
R
U5(d[SU<35e[U[5(d[USU<3S9nU(d[SU<35eX4$)Nztag must be unicode/string: z!tag contains invalid characters: zsecret rSztag contains empty secret: )
rZr rp�strrr�_tag_re�matchrbrQr)r{rnrHs   r?r��AppWallet._parse_secret_pairZs����c�.�/�/��
��S�
!�
!��c�(�C���E�F�F��}�}�S�!�!��c�K�L�L��%��'�'��U��*>�?�E����E�F�F��z�rAc��URSL$)z2whether at least one application secret is presentN)rz�r{s r?�has_secrets�AppWallet.has_secretsms�����t�+�+rAc��URnU(d[S5eX!$![a [[SU<355ef=f)zP
resolve a secret tag to the secret (as bytes).
throws a KeyError if not found.
z!no application secrets configuredzunknown secret tag: )rv�KeyErrorr')r{rnr|s   r?rw�AppWallet.get_secretrsN��
�-�-����>�?�?�	N��<����	N� ��c�*K�!L�M�M�	N�s	�$�#Ac��[c[S5e[SXSU-SS9n[R"[RRUSS5[RRUSS5[55nU(aUR5OUR5nURU5UR5-$)a�
Internal helper for :meth:`encrypt_key` --
handles lowlevel encryption/decryption.

Algorithm details:

This function uses PBKDF2-HMAC-SHA256 to generate a 32-byte AES key
and a 16-byte IV from the application secret & random salt.
It then uses AES-256-CTR to encrypt/decrypt the TOTP key.

CTR mode was chosen over CBC because the main attack scenario here
is that the attacker has stolen the database, and is trying to decrypt a TOTP key
(the plaintext value here).  To make it hard for them, we want every password
to decrypt to a potentially valid key -- thus need to avoid any authentication
or padding oracle attacks.  While some random padding construction could be devised
to make this work for CBC mode, a stream cipher mode is just plain simpler.
OFB/CFB modes would also work here, but seeing as they have malleability
and cyclic issues (though remote and barely relevant here),
CTR was picked as the best overall choice.
NzITOTP encryption requires 'cryptography' package (https://cryptography.io)�sha256r��0)�salt�rounds�keylen� )
�_cg_ciphers�RuntimeErrorr,�Cipher�
algorithms�AES�modes�CTR�_cg_default_backend�	decryptor�	encryptor�update�finalize)rHr�r��cost�decrypt�keyiv�cipher�ctxs        r?�_cipher_aes_key�AppWallet._cipher_aes_key�s���.��� ;�<�
<�
�H�f��d��TV�W���#�#�K�$:�$:�$>�$>�u�S�b�z�$J�$/�$5�$5�$9�$9�%���*�$E�$7�$9�;��%,�f��� ��1A�1A�1C���z�z�%� �3�<�<�>�1�1rAc	�,�U(d[S5e[[UR5nURnUR
nU(d[
S5eURXRU5X#5n[SX4[U5[U5S9$)a�
Helper used to encrypt TOTP keys for storage.

:param key:
    TOTP key to encrypt, as raw bytes.

:returns:
    dict containing encrypted TOTP key & configuration parameters.
    this format should be treated as opaque, and potentially subject
    to change, though it is designed to be easily serialized/deserialized
    (e.g. via JSON).

.. note::

    This function requires installation of the external
    `cryptography <https://cryptography.io>`_ package.

To give some algorithm details:  This function uses AES-256-CTR to encrypt
the provided data.  It takes the application secret and randomly generated salt,
and uses PBKDF2-HMAC-SHA256 to combine them and generate the AES key & IV.
zno key providedz8no application secrets configured, can't encrypt OTP keyr�)�v�c�t�s�k)rbrr�	salt_sizerqrzrrr�rwr�r)r{rRr�r�rn�ckeys      r?�encrypt_key�AppWallet.encrypt_key�s|��,��.�/�/��C����0��� � ��������V�W�W��#�#�C����)=�t�J���a�4�)�D�/�Y�t�_�M�MrAc�h�[U[5(d[S5eURSS5nSnUS:Xa
URnO[SU<35eUSnUSnU"[
US	5URU5[
US
5US9nX`R:wdXPR:waSnXs4$)
a.
Helper used to decrypt TOTP keys from storage format.
Consults configured secrets to decrypt key.

:param source:
    source object, as returned by :meth:`encrypt_key`.

:returns:
    ``(key, needs_recrypt)`` --

    **key** will be the decrypted key, as bytes.

    **needs_recrypt** will be a boolean flag indicating
    whether encryption cost or default tag is too old,
    and henace that key needs re-encrypting before storing.

.. note::

    This function requires installation of the external
    `cryptography <https://cryptography.io>`_ package.
z'enckey' must be dictionaryr�NFr�z)missing / unrecognized 'enckey' version: r�r�r�r�)rHr�r�r�T)
rZr�rr�getr�rbrrwrqrz)r{�enckey�version�
needs_recrypt�_cipher_keyrnr�rRs        r?�decrypt_key�AppWallet.decrypt_key�s���,�&�$�'�'��9�:�:��*�*�S�$�'���
��a�<��.�.�K��g�W�X�X��S�k���c�{����F�3�K�(��?�?�3�'��6�#�;�'��	
���$�$�$��/?�/?�(?� �M��!�!rA)rvrzrq)NNNN)F)�__name__�
__module__�__qualname__�__firstlineno__�__doc__r�rqrvrzr~rur��propertyr�rw�staticmethodr�r�r��__static_attributes__rErAr?r.r.�s{��W�z�I�
�L��H��K�
EI�"�'+�R).�V
�&�,��,�N�"�#2��#2�JN�B("rAr.z>Qz>Isc�^�\rSrSrSrSrS=rrSr\	RrSrSr
SrSrSrSrSrSrS	r\S0S
j5r\S5rS1U4Sjjr\S2S
j5r\S5r\S5r\S5r\R>S5r\S5r \ R>S5r \S5r!\S5r"S3Sjr#\S5r$Sr%Sr&\'S5r(S4Sjr)Sr*\S5r+S5Sjr,S4Sjr-\S 5r.\S!5r/\S"5r0\S#5r1\S0S$j5r2\S%5r3\S&5r4S6S'jr5S(r6\S)5r7S4S*jr8\S+5r9\S,5r:\S-5r;S4S.jr<S/r=U=r>$)7r/iae

Helper for generating and verifying TOTP codes.

Given a secret key and set of configuration options, this object
offers methods for token generation, token validation, and serialization.
It can also be used to track important persistent TOTP state,
such as the last counter used.

This class accepts the following options
(only **key** and **format** may be specified as positional arguments).

:arg str key:
    The secret key to use. By default, should be encoded as
    a base32 string (see **format** for other encodings).

    Exactly one of **key** or ``new=True`` must be specified.

:arg str format:
    The encoding used by the **key** parameter. May be one of:
    ``"base32"`` (base32-encoded string),
    ``"hex"`` (hexadecimal string), or ``"raw"`` (raw bytes).
    Defaults to ``"base32"``.

:param bool new:
    If ``True``, a new key will be generated using :class:`random.SystemRandom`.

    Exactly one ``new=True`` or **key** must be specified.

:param str label:
    Label to associate with this token when generating a URI.
    Displayed to user by most OTP client applications (e.g. Google Authenticator),
    and typically has format such as ``"John Smith"`` or ``"[email protected]"``.
    Defaults to ``None``.
    See :meth:`to_uri` for details.

:param str issuer:
    String identifying the token issuer (e.g. the domain name of your service).
    Used internally by some OTP client applications (e.g. Google Authenticator) to distinguish entries
    which otherwise have the same label.
    Optional but strongly recommended if you're rendering to a URI.
    Defaults to ``None``.
    See :meth:`to_uri` for details.

:param int size:
    Number of bytes when generating new keys. Defaults to size of hash algorithm (e.g. 20 for SHA1).

    .. warning::

        Overriding the default values for ``digits``, ``period``, or ``alg`` may
        cause problems with some OTP client programs (such as Google Authenticator),
        which may have these defaults hardcoded.

:param int digits:
    The number of digits in the generated / accepted tokens. Defaults to ``6``.
    Must be in range [6 .. 10].

    .. rst-class:: inline-title
    .. caution::
       Due to a limitation of the HOTP algorithm, the 10th digit can only take on values 0 .. 2,
       and thus offers very little extra security.

:param str alg:
    Name of hash algorithm to use. Defaults to ``"sha1"``.
    ``"sha256"`` and ``"sha512"`` are also accepted, per :rfc:`6238`.

:param int period:
    The time-step period to use, in integer seconds. Defaults to ``30``.

..
    See the passlib documentation for a full list of attributes & methods.
�
r�Nr7�sha1�Fc�^	�[SU405m	U	4SjnUbU"SU5T	lUbU"SU5T	lUbU"SU5T	lUbU"SU5T	lU(a#[S0UD6T	lU(a[S5eO;Ub8[U[
5(d[R"U[
S5eUT	lUb<[U"5[5(aU"5S	:�dS
5e[U5T	l
T	$)a*
Dynamically create subtype of :class:`!TOTP` class
which has the specified defaults set.

:parameters: **digits, alg, period, issuer**:

    All these options are the same as in the :class:`TOTP` constructor,
    and the resulting class will use any values you specify here
    as the default for all TOTP instances it creates.

:param wallet:
    Optional :class:`AppWallet` that will be used for encrypting/decrypting keys.

:param secrets, secrets_path, encrypt_cost:

    If specified, these options will be passed to the :class:`AppWallet` constructor,
    allowing you to directly specify the secret keys that should be used
    to encrypt & decrypt stored keys.

:returns:
    subclass of :class:`!TOTP`.

This method is useful for creating a TOTP class configured
to use your application's secrets for encrypting & decrypting
keys, as well as create new keys using it's desired configuration defaults.

As an example::

    >>> # your application can create a custom class when it initializes
    >>> from passlib.totp import TOTP, generate_secret
    >>> TotpFactory = TOTP.using(secrets={"1": generate_secret()})

    >>> # subsequent TOTP objects created from this factory
    >>> # will use the specified secrets to encrypt their keys...
    >>> totp = TotpFactory.new()
    >>> totp.to_dict()
    {'enckey': {'c': 14,
      'k': 'H77SYXWORDPGVOQTFRR2HFUB3C45XXI7',
      's': 'G5DOQPIHIBUM2OOHHADQ',
      't': '1',
      'v': 1},
     'type': 'totp',
     'v': 1}

.. seealso:: :ref:`totp-creation` and :ref:`totp-storing-instances` tutorials for a usage example
r/c�N>�[[SS9nXU'T"S0UD6n[X05$)z|
helper which uses constructor to validate parameter value.
it returns corresponding attribute, so we use normalized value.
rPrcrE)r��
_DUMMY_KEY�getattr)�attrrH�kwds�obj�subclss    �r?�
norm_param�TOTP.using.<locals>.norm_param�s.����J�u�5�D���J��.�4�.�C��3�%�%rA�digits�alg�period�issuerz6'wallet' and 'secrets' keywords are mutually exclusive�walletrz1now() function must return non-negative int/floatrE)�typer�r�r�r�r.r�rrrZrr[r#r��now)
�clsr�r�r�r�r�r�r�r�r�s
         @r?�using�
TOTP.using�s���p�f�s�f�b�)��	&���&�x��8�F�M��?�#�E�3�/�F�J���&�x��8�F�M���&�x��8�F�M��%�-��-�F�M��� X�Y�Y��
�
��f�i�0�0��+�+�F�I�x�H�H�"�F�M��?��c�e�Y�/�/�C�E�Q�J�
D�C�
D�>�%�c�*�F�J��
rAc��U"SSS0UD6$)zI
convenience alias for creating new TOTP key, same as ``TOTP(new=True)``
�newTrErE)r�r�s  r?r��TOTP.new�s��
�$�t�$�t�$�$rAc�>�[[U]
"S0UD6 U
(aX�l[	U=(d UR
5nURUlURn
U
S:a[SU-5eU(aAU(a[S5eUcU
nOXm:�a[SU
-5e[[U5Ul
O6U(d[S5eUS:XaXlOU(a[X5Ul
[!UR5UR":a:SUR"-nU(a[U5e[%U[&R(SS	9 UcUR*n[-U[.5(d[S
[1U5-5eUS:dUS:�a[S
5eX@lU(aUR3U5 X�lU	(aUR7U	5 X�lUbUR;USSS9 Xplgg)Nr4z%r hash digest too smallz+'key' and 'new=True' are mutually exclusivez+'size' should be less than digest size (%d)z4must specify either an existing 'key', or 'new=True'�	encryptedz5for security purposes, secret key must be >= %d bytesr�)�
stacklevelz#digits must be an integer, not a %rr7r�zdigits must in range(6,11)r�)�minvalrE)�superr/r~�changedr*r��name�digest_sizer�rrrbrrrR�
encrypted_keyrerK�
_min_key_sizerr�PasslibSecurityWarningr�rZr"r��_check_label�label�
_check_issuerr��
_check_serialr�)r{rRrdr�r�r�r<r�rr�r�r��infor��msg�	__class__s               �r?r~�
TOTP.__init__s����
	�d�D�"�*�T�*��"�L��3�?�$�(�(�+���9�9����&�&����?��9�C�?�@�@���� M�N�N��|�"���#�!�"(�*5�"6�7�7�#�C��.�D�H���R�S�S�
�{�
"�!$��
�$�S�1�D�H��t�x�x�=�4�-�-�-�J�D�L^�L^�^�C�� ��o�%��S�#�4�4��C��>��[�[�F��&�)�,�,��A�D��L�P�Q�Q��A�:��"���9�:�:�������e�$��J�����v�&� �K������v�x���:� �K�rAc��[U[5(d[R"USU5eX:a[	SX4-5eg)zB
check that serial value (e.g. 'counter') is non-negative integer
rpz%s must be >= %dN)rZr"rr[rb)rHrTr�s   r?r�TOTP._check_serialOsC��
�%��+�+��'�'��u�e�<�<��>��/�5�/�A�B�B�rAc�6�U(aSU;a[S5egg)zA
check that label doesn't contain chars forbidden by KeyURI spec
r�zlabel may not contain ':'N�rb�rs r?r�TOTP._check_labelYs ��
�S�E�\��8�9�9�"�5rAc�6�U(aSU;a[S5egg)zB
check that issuer doesn't contain chars forbidden by KeyURI spec
r�zissuer may not contain ':'Nr)r�s r?r�TOTP._check_issueras ��
�c�V�m��9�:�:�$�6rAc��UR$)z
secret key as raw bytes
)�_keyr�s r?rR�TOTP.keyps��
�y�y�rAc��[U[5(d[R"U[S5eXlS=UlUlg)NrR)rZrQrr[r�_encrypted_key�_keyed_hmac)r{rHs  r?rRrws=���%��'�'��'�'��u�e�<�<��	�26�5���d�.rAc��URnUc?URnU(d[S5eURUR5=olU$)z�
secret key, encrypted using application secret.
this match the output of :meth:`AppWallet.encrypt_key`,
and should be treated as an opaque json serializable object.
z6no application secrets present, can't encrypt TOTP key)rr�rrr�rR)r{r�r�s   r?r��TOTP.encrypted_key�sK���$�$���>��[�[�F��� X�Y�Y�+1�+=�+=�d�h�h�+G�G�F�(��
rAc��URnU(d[S5eURU5uUlnU(aSUlgXlg)Nz6no application secrets present, can't decrypt TOTP keyT)r�rrr�rRr�r)r{rHr�r�s    r?r�r�sC��������T�U�U�"(�"4�"4�U�";����-���D�L�#(�rAc�p�[[R"UR55R	5$)z*
secret key encoded as hexadecimal string
)r!r_�	b16encoderR�lowerr�s r?�hex_key�TOTP.hex_key�s'��
�V�-�-�d�h�h�7�8�>�>�@�@rAc�,�[UR5$)z%
secret key encoded as base32 string
)rrRr�s r?�
base32_key�TOTP.base32_key�s��
����"�"rAc��US:XdUS:Xa
URnO"US:Xa
URnO[SU<35eU(a[X25nU$)am
pretty-print the secret key.

This is mainly useful for situations where the user cannot get the qrcode to work,
and must enter the key manually into their TOTP client. It tries to format
the key in a manner that is easier for humans to read.

:param format:
    format to output secret key. ``"hex"`` and ``"base32"`` are both accepted.

:param sep:
    separator to insert to break up key visually.
    can be any of ``"-"`` (the default), ``" "``, or ``False`` (no separator).

:return:
    key as native string.

Usage example::

    >>> t = TOTP('s3jdvb7qd2r7jpxx')
    >>> t.pretty_key()
    'S3JD-VB7Q-D2R7-JPXX'
rVrWrXrY)rr rbrN)r{rdrMrRs    r?�
pretty_key�TOTP.pretty_key�sL��0�U�?�f��0��,�,�C�
�x�
��/�/�C��6�K�L�L���s�(�C��
rAc�B�[U[5(aU$[U[5(a[U5$Uc[UR	55$[US5(a$[R"UR55$[R"USS5e)a+
Normalize time value to unix epoch seconds.

:arg time:
    Can be ``None``, :class:`!datetime`,
    or unix epoch timestamp as :class:`!float` or :class:`!int`.
    If ``None``, uses current system time.
    Naive datetimes are treated as UTC.

:returns:
    unix epoch timestamp as :class:`int`.
�utctimetuplezint, float, or datetime�time)rZr"�floatrpr��hasattr�calendar�timegmr&rr[)r�r's  r?�normalize_time�TOTP.normalize_time�s���d�I�&�&��K�
��e�
$�
$��t�9��
�\��s�w�w�y�>�!�
�T�>�
*�
*��?�?�4�#4�#4�#6�7�7��'�'��.G��P�PrAc��XR-$)z9
convert timestamp to HOTP counter using :attr:`period`.
�r�)r{r's  r?�_time_to_counter�TOTP._time_to_counter�s���{�{�"�"rAc��XR-$)z9
convert HOTP counter to timestamp using :attr:`period`.
r/)r{�counters  r?�_counter_to_time�TOTP._counter_to_time�s�����$�$rAc�4�URn[U[5(a[S5X!4-nOI[	USS9n[
R
[S5U5nUR5(d[S5e[U5U:wa[SU-5eU$)az
Normalize OTP token representation:
strips whitespace, converts integers to a zero-padded string,
validates token content & number of digits.

This is a hybrid method -- it can be called at the class level,
as ``TOTP.normalize_token()``, or the instance level as ``TOTP().normalize_token()``.
It will normalize to the instance-specific number of :attr:`~TOTP.digits`,
or use the class default.

:arg token:
    token as ascii bytes, unicode, or an integer.

:raises ValueError:
    if token has wrong number of digits, or contains non-numeric characters.

:returns:
    token as :class:`!unicode` string, containing only digits 0-9.
�%0*d�tokenrSrUz&Token must contain only the digits 0-9z!Token must have exactly %d digits)
r�rZr"rrr\r]rmrrK)�self_or_clsr8r�s   r?�normalize_token�TOTP.normalize_tokens���*�#�#���e�Y�'�'��f�I���/�E��u�G�4�E��M�M�!�B�%��/�E��=�=�?�?�)�*R�S�S��u�:���%�&I�F�&R�S�S��rAc��URU5nURU5nUS:a[S5eURU5n[	XU5$)a�
Generate token for specified time
(uses current time if none specified).

:arg time:
    Can be ``None``, a :class:`!datetime`,
    or class:`!float` / :class:`!int` unix epoch timestamp.
    If ``None`` (the default), uses current system time.
    Naive datetimes are treated as UTC.

:returns:

    A :class:`TotpToken` instance, which can be treated
    as a sequence of ``(token, expire_time)`` -- see that class
    for more details.

Usage example::

    >>> # generate a new token, wrapped in a TotpToken instance...
    >>> otp = TOTP('s3jdvb7qd2r7jpxx')
    >>> otp.generate(1419622739)
    <TotpToken token='897212' expire_time=1419622740>

    >>> # when you just need the token...
    >>> otp.generate(1419622739).token
    '897212'
rztimestamp must be >= 0)r,r0rb�	_generater0)r{r'r3r8s    r?�generate�
TOTP.generate.sR��8�"�"�4�(���'�'��-���Q�;��5�6�6����w�'����g�.�.rAc��[U[5(dS5eUS:�dS5eURnUc&[URUR
5=o lU"[
U55nURRn[U5U:XdS5eUS:�dS5e[US5S	-n[X5US
-5SS-nURnSUs=:aS:dS
5e S
5e[S5Xv4-U*S$)z�
base implementation of HOTP token generation algorithm.

:arg counter: HOTP counter, as non-negative integer
:returns: token as unicode string
zcounter must be integerrzcounter must be non-negativeNz digest_size: sanity check failed�z"digest_size: sanity check 2 failed����r4i����zdigits: sanity check failedr7)rZr"rr+r�rR�_pack_uint64�digest_infor�rKr%�_unpack_uint32r�r)r{r3�
keyed_hmac�digestr��offsetrHr�s        r?r=�TOTP._generateQs���'�9�-�-�H�/H�H�-��!�|�;�;�;�|��%�%�
���,8����4�8�8�,L�L�J�)��L��1�2�� �,�,�8�8���6�{�k�)�M�+M�M�)��b� �F�"F�F� � ����,�s�2���v�V�A�X�6�7��:�Z�G�������6��B��=� =�=��=� =�=���&�	�V�O�+�f�W�X�6�6rAc�F�URU5R"U40UD6$)a$
Convenience wrapper around :meth:`TOTP.from_source` and :meth:`TOTP.match`.

This parses a TOTP key & configuration from the specified source,
and tries and match the token.
It's designed to parallel the :meth:`passlib.ifc.PasswordHash.verify` method.

:param token:
    Token string to match.

:param source:
    Serialized TOTP key.
    Can be anything accepted by :meth:`TOTP.from_source`.

:param \\*\\*kwds:
    All additional keywords passed to :meth:`TOTP.match`.

:return:
    A :class:`TotpMatch` instance, or raises a :exc:`TokenError`.
)�from_sourcer�)r�r8r�r�s    r?�verify�TOTP.verifyss#��,���v�&�,�,�U�;�d�;�;rAc�N�URU5nURUS5 X$-nUcSn[XPRXc-
55nURXc-5S-nUR	XU5n	X�:�dS5eX�:Xa[US-UR-S9e[X	X#5$)a�

Match TOTP token against specified timestamp.
Searches within a window before & after the provided time,
in order to account for transmission delay and small amounts of skew in the client's clock.

:arg token:
    Token to validate.
    may be integer or string (whitespace and hyphens are ignored).

:param time:
    Unix epoch timestamp, can be any of :class:`!float`, :class:`!int`, or :class:`!datetime`.
    if ``None`` (the default), uses current system time.
    *this should correspond to the time the token was received from the client*.

:param int window:
    How far backward and forward in time to search for a match.
    Measured in seconds. Defaults to ``30``.  Typically only useful if set
    to multiples of :attr:`period`.

:param int skew:
    Adjust timestamp by specified value, to account for excessive
    client clock skew. Measured in seconds. Defaults to ``0``.

    Negative skew (the common case) indicates transmission delay,
    and/or that the client clock is running behind the server.

    Positive skew indicates the client clock is running ahead of the server
    (and by enough that it cancels out any negative skew added by
    the transmission delay).

    You should ensure the server clock uses a reliable time source such as NTP,
    so that only the client clock's inaccuracy needs to be accounted for.

    This is an advanced parameter that should usually be left at ``0``;
    The **window** parameter is usually enough to account
    for any observed transmission delay.

:param last_counter:
    Optional value of last counter value that was successfully used.
    If specified, verify will never search earlier counters,
    no matter how large the window is.

    Useful when client has previously authenticated,
    and thus should never provide a token older than previously
    verified value.

:raises ~passlib.exc.TokenError:

    If the token is malformed, fails to match, or has already been used.

:returns TotpMatch:

    Returns a :class:`TotpMatch` instance on successful match.
    Can be treated as tuple of ``(counter, time)``.
    Raises error if token is malformed / can't be verified.

Usage example::

    >>> totp = TOTP('s3jdvb7qd2r7jpxx')

    >>> # valid token for this time period
    >>> totp.match('897212', 1419622729)
    <TotpMatch counter=47320757 time=1419622729 cache_seconds=60>

    >>> # token from counter step 30 sec ago (within allowed window)
    >>> totp.match('000492', 1419622729)
    <TotpMatch counter=47320756 time=1419622729 cache_seconds=60>

    >>> # invalid token -- token from 60 sec ago (outside of window)
    >>> totp.match('760389', 1419622729)
    Traceback:
        ...
    InvalidTokenError: Token did not match
�windowrBr�z*sanity check failed: counter went backward)�expire_time)r,rryr0�_find_matchrr�r1)
r{r8r'rQ�skew�last_counter�client_time�start�endr3s
          r?r��
TOTP.match�s���V�"�"�4�(�����6�8�,��k�����L��L�"7�"7��8L�"M�N���#�#�K�$8�9�A�=���"�"�5��5���&�T�(T�T�&��"� �l�Q�.>�$�+�+�-M�N�N����5�5rAc��URU5nUS:aSnX2::a
[5eURnUbXB:d[X"U55(aU$UnXc:a$[X"U55(aU$US-
nXc:aM$[5e)a�
helper for verify() --
returns counter value within specified range that matches token.

:arg token:
    token value to match (will be normalized internally)

:arg start:
    starting counter value to check

:arg end:
    check up to (but not including) this counter value

:arg expected:
    optional expected value where search should start,
    to help speed up searches.

:raises ~passlib.exc.TokenError:
    If the token is malformed, or fails to verify.

:returns:
    counter value that matched
rr�)r:rr=r)r{r8rWrX�expectedr>r3s       r?rS�TOTP._find_match�s���0�$�$�U�+���1�9��E��<�#�%�%��>�>��� �H�$4�'�%��RZ�I[�:\�:\��O����m��u�h�w�/�0�0����q�L�G��m� �!�!rAc�R�[U[5(a+URUR:XaU$URSS9n[U[5(aURU5$[
USS9nURS5(aURU5$URU5$)aK
Load / create a TOTP object from a serialized source.
This acts as a wrapper for the various deserialization methods:

* TOTP URIs are handed off to :meth:`from_uri`
* Any other strings are handed off to :meth:`from_json`
* Dicts are handed off to :meth:`from_dict`

:param source:
    Serialized TOTP object.

:raises ValueError:
    If the key has been encrypted, but the application secret isn't available;
    or if the string cannot be recognized, parsed, or decoded.

    See :meth:`TOTP.using()` for how to configure application secrets.

:returns:
    a :class:`TOTP` instance.
F��encryptztotp sourcerSz
otpauth://)
rZr/r��to_dictr��	from_dictrr��from_uri�	from_json�r�r�s  r?rM�TOTP.from_source%s���,�f�d�#�#��z�z�V�]�]�*��
��^�^�E�^�2�F��f�d�#�#��=�=��(�(��F�-�8�����\�*�*��<�<��'�'��=�=��(�(rAc���[USS9R5n[U5nURS:waUR	S5eURUR5 URU5$)a
create an OTP instance from a URI (such as returned by :meth:`to_uri`).

:returns:
    :class:`TOTP` instance.

:raises ValueError:
    if the uri cannot be parsed or contains errors.

.. seealso:: :ref:`totp-configuring-clients` tutorial for a usage example
�urirSr6zwrong uri scheme)rr�r�scheme�_uri_parse_error�_check_otp_type�netloc�_from_parsed_uri)r�rg�results   r?rb�
TOTP.from_uriMse����E�*�0�0�2���#����=�=�I�%��&�&�'9�:�:�	���F�M�M�*��#�#�F�+�+rAc�N�US:XagUS:Xa[S5e[SU-5e)zO
validate otp URI type is supported.
returns True or raises appropriate error.
�totpT�hotpzHOTP not supportedzunknown otp type: %r)�NotImplementedErrorrb)r�r�s  r?rj�TOTP._check_otp_typeds2���6�>���6�>�%�&:�;�;��/�$�6�7�7rAc	�l�URnURS5(a[U5S:�a[USS5nOUR	S5eSU;aURS5up2OSnU(aUR5=(d Sn[US9n[UR5H"upVXT;aUR	SU-5eXdU'M$ U(a%S	U;aX4S	'OUS	U:waUR	S
5eU"S0UR"S0UD6D6$![a UR	S5ef=f)z�
internal from_uri() helper --
handles parsing a validated TOTP URI

:param result:
    a urlparse() instance

:returns:
    cls instance
�/r�Nz
missing labelr�zmalformed labelr
zduplicate parameter (%r)r�zconflicting issuer identifiersrE)�pathr�rKr
rir�rbr�r�r�query�_adapt_uri_params)r�rmrr��paramsr�r�s       r?rl�TOTP._from_parsed_urips<���������C� � �S��Z�!�^��E�!�"�I�&�E��&�&��7�7��%�<�
>� %���C� 0�
����F���K�K�M�)�T�E��E�"���f�l�l�+�D�A��{��*�*�+E��+I�J�J��1�I�,���v�%�#)�x� ���!�V�+��*�*�+K�L�L��5�S�*�*�4�V�4�5�5��/�
>��*�*�+<�=�=�
>�s�D�D3c�>�U(dS5eU(dURS5e[XUSS9nU(aURUS5US'U(aXXS'U(aURUS5US'U(a![U<SU<3[R
5 U$)	zA
from_uri() helper --
converts uri params into constructor args.
z"from_uri() failed to provide labelzmissing 'secret' parameterrX)rr�rRrdr�r�r�z0: unexpected parameters encountered in otp uri: )rir��_uri_parse_intrr�PasslibRuntimeWarning)	r�rr�r�r��	algorithmr��extrar�s	         r?rx�TOTP._adapt_uri_params�s����:�:�:�u���&�&�'C�D�D��%�F�8�L��� �/�/���A�D��N��#��K�� �/�/���A�D��N��
��u��"�8�8�
:��rAc� �[SU<35$)z8uri parsing helper -- creates preformatted error messagezInvalid otpauth uri: r��reasons r?ri�TOTP._uri_parse_error�s���v�?�@�@rAc�^�[U5$![a URSU-5ef=f)z#uri parsing helper -- int() wrapperzMalformed %r parameter)rprbri)r�r�rTs   r?r|�TOTP._uri_parse_int�s:��	I��v�;����	I��&�&�'?�%�'G�H�H�	I�s�

�,c��UcURnU(d[S5eURU5 [US5nUR	5nUcUR
nU(a7UR
U5 [US5<SU<3nURSU45 [S5RSU55nU(dS5e[S5X4-$)	a�
Serialize key and configuration into a URI, per
Google Auth's `KeyUriFormat <http://code.google.com/p/google-authenticator/wiki/KeyUriFormat>`_.

:param str label:
    Label to associate with this token when generating a URI.
    Displayed to user by most OTP client applications (e.g. Google Authenticator),
    and typically has format such as ``"John Smith"`` or ``"[email protected]"``.

    Defaults to **label** constructor argument. Must be provided in one or the other location.
    May not contain ``:``.

:param str issuer:
    String identifying the token issuer (e.g. the domain or canonical name of your service).
    Optional but strongly recommended if you're rendering to a URI.
    Used internally by some OTP client applications (e.g. Google Authenticator) to distinguish entries
    which otherwise have the same label.

    Defaults to **issuer** constructor argument, or ``None``.
    May not contain ``:``.

:raises ValueError:
    * if a label was not provided either as an argument, or in the constructor.
    * if the label or issuer contains invalid characters.

:returns:
    all the configuration information for this OTP token generator,
    encoded into a URI.

These URIs are frequently converted to a QRCode for transferring
to a TOTP client application such as Google Auth.
Usage example::

    >>> from passlib.totp import TOTP
    >>> tp = TOTP('s3jdvb7qd2r7jpxx')
    >>> uri = tp.to_uri("[email protected]", "myservice.another-example.org")
    >>> uri
    'otpauth://totp/[email protected]?secret=S3JDVB7QD2R7JPXX&issuer=myservice.another-example.org'

.. versionchanged:: 1.7.2

    This method now prepends the issuer URI label.  This is recommended by the KeyURI
    specification, for compatibility with older clients.
z<a label must be specified as argument, or in the constructor�@r�r��&c3�Z# �UH!up[S5U[US54-v� M# g7f)z%s=%srUN)rr	)rFrRrHs   r?rI�TOTP.to_uri.<locals>.<genexpr>s)���^�W]����'�
�c�5���3C�-D� D�W]�s�)+zparam_str should never be emptyzotpauth://totp/%s?%s)
rrbrr	�_to_uri_paramsr�r�appendrrL)r{rr�ry�	param_strs     r?�to_uri�TOTP.to_uri�s���\�=��J�J�E���[�\�\����%� ��e�S�!���$�$�&���>��[�[�F�����v�&�
 %�V�S�1�5�9�E��M�M�8�V�,�-��c�F�K�K�^�W]�^�^�	��;�;�;�y��'�(�E�+=�=�=rAc�r�SUR4/nURS:wa+URSURR545 URS:wa&URS[UR545 URS:wa&URS[UR545 U$)z+return list of (key, param) entries for URIr�r�r~r7r�r�r�)r r�r�rar�r�r��r{�argss  r?r��TOTP._to_uri_paramss����4�?�?�+�,���8�8�v���K�K��d�h�h�n�n�&6�7�8��;�;�!���K�K��3�t�{�{�#3�4�5��;�;�"���K�K��3�t�{�{�#3�4�5��rAc�`�[USS9nUR[R"U55$)a
Load / create an OTP object from a serialized json string
(as generated by :meth:`to_json`).

:arg json:
    Serialized output from :meth:`to_json`, as unicode or ascii bytes.

:raises ValueError:
    If the key has been encrypted, but the application secret isn't available;
    or if the string cannot be recognized, parsed, or decoded.

    See :meth:`TOTP.using()` for how to configure application secrets.

:returns:
    a :class:`TOTP` instance.

.. seealso:: :ref:`totp-storing-instances` tutorial for a usage example
zjson sourcerS)rrar�r�rds  r?rc�TOTP.from_json&s(��(�F�-�8���}�}�T�Z�Z��/�0�0rAc�L�URUS9n[R"USSS9$)z�
Serialize configuration & internal state to a json string,
mainly useful for persisting client-specific state in a database.
All keywords passed to :meth:`to_dict`.

:returns:
    json string containing serializes configuration & state.
r^T)�,r�)�	sort_keys�
separators)r`r��dumps)r{r_�states   r?�to_json�TOTP.to_json=s'�����W��-���z�z�%�4�J�G�GrAc	��[U[5(aSU;aURS5eU"S0UR"S0UD6D6$)a�
Load / create a TOTP object from a dictionary
(as generated by :meth:`to_dict`)

:param source:
    dict containing serialized TOTP key & configuration.

:raises ValueError:
    If the key has been encrypted, but the application secret isn't available;
    or if the dict cannot be recognized, parsed, or decoded.

    See :meth:`TOTP.using()` for how to configure application secrets.

:returns:
    A :class:`TOTP` instance.

.. seealso:: :ref:`totp-storing-instances` tutorial for a usage example
r�zunrecognized formatrE)rZr��_dict_parse_error�_adapt_dict_kwdsrds  r?ra�TOTP.from_dictMsF��(�&�$�'�'�6��+?��'�'�(=�>�>��4�S�)�)�3�F�3�4�4rAc��URU5(deURSS5nU(aX0R:dX0R:�aUR	SU<S35eX0R:waSUS'SU;a(SU;deURURS5S	S
9 OSU;aUR	S5eURSS5 U$)
z\
Internal helper for .from_json() --
Adapts serialized json dict into constructor keywords.
r�Nzmissing/unsupported version (�)Tr�r�rRr�rczmissing 'enckey' / 'key'rU)rj�pop�min_json_version�json_versionr�r�)r�r�r��vers    r?r��TOTP._adapt_dict_kwdses����"�"�4�(�(�(�(��h�h�s�D�!���c�0�0�0�C�:J�:J�4J��'�'�c�(S�T�T�
�$�$�
$�"�D��O��t����$�$�$��K�K�D�H�H�X�.�{�K�C�
�$�
��'�'�(B�C�C�	
�����&��rAc� �[SU<35$)z9dict parsing helper -- creates preformatted error messagezInvalid totp data: rr�s r?r��TOTP._dict_parse_error�s���V�=�>�>rAc��[URSS9nURS:waURUS'URS:waURUS'URS:waURUS'UR
(aUR
US	'URnU(aU[U5R:waX2S
'Uc!URnU=(a URnU(aURUS'U$URUS'U$)
a
Serialize configuration & internal state to a dict,
mainly useful for persisting client-specific state in a database.

:param encrypt:
    Whether to output should be encrypted.

    * ``None`` (the default) -- uses encrypted key if application
      secrets are available, otherwise uses plaintext key.
    * ``True`` -- uses encrypted key, or raises TypeError
      if application secret wasn't provided to OTP constructor.
    * ``False`` -- uses raw key.

:returns:
    dictionary, containing basic (json serializable) datatypes.
rp)r�r�r�r�r7r�r�r�rr�r�rR)r�r�r�r�r�rr�r�r�r�r�r )r{r_r�r�r�s     r?r`�TOTP.to_dict�s���&�t�(�(�v�6���8�8�v���8�8�E�%�L��;�;�!��"�k�k�E�(�O��;�;�"��"�k�k�E�(�O��:�:�!�Z�Z�E�'�N������f��T�
� 1� 1�1�$�(�O��?��[�[�F��3��!3�!3�G��"�0�0�E�(�O��� �?�?�E�%�L�
�rA)rrrr�r�r�r�r�rRrr�)NNNNNN)
NrXFNNNNNNF)r)rX�-rD)Nr�rN)NN)?r�r�r�r�r�r�r�r�r��_timer'r�rrrr�r�rr�r�r��classmethodr�r�r~r�rrrr�rR�setterr�rr r#r,r0r4r(r:r>r=rNr�rSrMrbrjrlrxrir|r�r�rcr�rar�r�r`r��
__classcell__)rs@r?r/r/s����F�Z�M�'(�'��|��F��*�*�C��D��N�
�K��F��C�
�E��F�
�F��G�
�15�,0�b��b�P�%��%�)1�EI�27�G!�Z�C��C��:��:��;��;�����	�Z�Z�6��6��������
(��
(� �A��A��#��#� �L�Q��Q�6#�%�����Z!/�F7�D�<��<�.`6�D*"�p�")��")�N�,��,�,�	8��	8��.6��.6�`�?C�>B����0�A��A��I��I�K>�Z	��1��1�,
H� �5��5�.����<�?��?�,�,rAr/c�v�\rSrSrSrSrSrSrSr\	S5r
\	S5r\S5r
\S5rS	rS
rSrg)r0i�a
Object returned by :meth:`TOTP.generate`.
It can be treated as a sequence of ``(token, expire_time)``,
or accessed via the following attributes:

.. autoattribute:: token
.. autoattribute:: expire_time
.. autoattribute:: counter
.. autoattribute:: remaining
.. autoattribute:: valid
Nc�(�XlX lX0lg�z]
.. warning::
    the constructor signature is an internal detail, and is subject to change.
N)rpr8r3)r{rpr8r3s    r?r~�TotpToken.__init__�s��
�	��
��rAc�L�URRUR5$)z9Timestamp marking beginning of period when token is valid�rpr4r3r�s r?�
start_time�TotpToken.start_time�s���y�y�)�)�$�,�,�7�7rAc�R�URRURS-5$�z3Timestamp marking end of period when token is validr�r�r�s r?rR�TotpToken.expire_time��"���y�y�)�)�$�,�,��*:�;�;rAc�d�[SURURR5-
5$)z.number of (float) seconds before token expiresr)ryrRrpr�r�s r?�	remaining�TotpToken.remaining�s&���1�d�&�&�������8�9�9rAc�,�[UR5$)zwhether token is still valid)�boolr�r�s r?�valid�TotpToken.valid�s���D�N�N�#�#rAc�2�URUR4$rD)r8rRr�s r?�	_as_tuple�TotpToken._as_tuple�s���z�z�4�+�+�+�+rAc�d�UR(aSOSnSURURU4-$)NrUz expiredz'<TotpToken token='%s' expire_time=%d%s>)r�r8rR)r{�expireds  r?�__repr__�TotpToken.__repr__�s0�����"�J��8��
�
�D�,�,�g�6�7�	7rA)r3r8rp)r�r�r�r�r�rpr8r3r~r)r�rRr�r�r�r�r�r�rErAr?r0r0�s{��
��D�
�E��G���8��8��<��<��:��:��$��$�,�7rAr0c��\rSrSrSrSrSrSrSrSSjr	\
S5r\
S5r\
S	5r
\
S
5r\
S5rSrS
rSrg)r1i�a\
Object returned by :meth:`TOTP.match` and :meth:`TOTP.verify` on a successful match.

It can be treated as a sequence of ``(counter, time)``,
or accessed via the following attributes:

.. autoattribute:: counter
    :annotation: = 0

.. autoattribute:: time
    :annotation: = 0

.. autoattribute:: expected_counter
    :annotation: = 0

.. autoattribute:: skipped
    :annotation: = 0

.. autoattribute:: expire_time
    :annotation: = 0

.. autoattribute:: cache_seconds
    :annotation: = 60

.. autoattribute:: cache_time
    :annotation: = 0

This object will always have a ``True`` boolean value.
Nrr�c�4�XlX lX0lX@lgr�)rpr3r'rQ)r{rpr3r'rQs     r?r~�TotpMatch.__init__&s��
�	����	��rAc�L�URRUR5$)z'
Counter value expected for timestamp.
)rpr0r'r�s r?�expected_counter�TotpMatch.expected_counter0s��
�y�y�)�)�$�)�)�4�4rAc�4�URUR-
$)zu
How many steps were skipped between expected and actual matched counter
value (may be positive, zero, or negative).
)r3r�r�s r?�skipped�TotpMatch.skipped7s���|�|�d�3�3�3�3rAc�R�URRURS-5$r�r�r�s r?rR�TotpMatch.expire_timeDr�rAc�H�URRUR-$)zr
Number of seconds counter should be cached
before it's guaranteed to have passed outside of verification window.
)rpr�rQr�s r?�
cache_seconds�TotpMatch.cache_secondsIs���y�y���$�+�+�-�-rAc�4�URUR-$)zK
Timestamp marking when counter has passed outside of verification window.
)rRrQr�s r?�
cache_time�TotpMatch.cache_timeSs��
���$�+�+�-�-rAc�2�URUR4$rD)r3r'r�s r?r��TotpMatch._as_tupleZs���|�|�T�Y�Y�&�&rAc�R�URURUR4nSU-$)Nz/<TotpMatch counter=%d time=%d cache_seconds=%d>)r3r'r�r�s  r?r��TotpMatch.__repr__]s'�����d�i�i��);�);�<��@�4�G�GrA)r3r'rprQ)r�)r�r�r�r�r�rpr3r'rQr~r)r�r�rRr�r�r�r�r�rErAr?r1r1�s����>�D�
�G�
�D��F���5��5��4��4��<��<��.��.��.��.�'�HrAr1����c���US:�de[U5S:�de[[R"U[R"S[U55-55n[[X5$)z�
generate a random string suitable for use as an
:class:`AppWallet` application secret.

:param entropy:
    number of bits of entropy (controls size/complexity of password).
rr�r2)rKrp�math�ceil�logrr)�entropy�charset�counts   r?�generate_secretr�esV���Q�;��;��w�<�!������	�	�'�D�H�H�Q��G��$=�=�>�?�E��c�7�*�*rA)r�)hr��
__future__rrr�passlib.utils.compatrr_r*r��logging�	getLoggerr�r�r��struct�sysr'r��re�urllib.parserrr	r
�urllib�warningsr�cryptography.hazmat.backendsrr��1cryptography.hazmat.primitives.ciphers.algorithms�cryptography�,cryptography.hazmat.primitives.ciphers.modes�cryptography.hazmat.primitivesr
r��ImportError�debug�passlibr�passlib.excrrrr�
passlib.utilsrrrrrrrr�passlib.utils.binaryrrrrrr r!r"r#r$r%r&r'�passlib.utils.decorr(r)�passlib.crypto.digestr*r+r,�passlib.hashr-�__all__�version_infor5r��compile�Ur\r:r@rNrer��AES_SUPPORTr��objectr.�Struct�packrE�unpackrGr�r/r0r1r�rErAr?�<module>r
s���F�A�@�$�
����g�'�'��1���
�
��	��@�@�%�,��	-�S�<�7�E��
�Z�Z�T�T�T�C�C�V�V�V�@�H�H�&���.���g��#��
�"����)�$��	�	�H�I��
�J�J�q��}�b�d�d�+�	����&D�I�4�;���
�*�*�1�
2��Z"��Z"�J�}�}�T�"�'�'�����t�$�+�+���
�p�6�p�r%87�
�87�vfH�
�fH�X ��c�r�):�+��M:�-��I�I�M�N�(,�,�K�%�-�s�4G*�*H	�H
Name	Type	Size	Permission
__init__.cpython-313.pyc	File	248 B	0644
apache.cpython-313.pyc	File	40.22 KB	0644
apps.cpython-313.pyc	File	4.14 KB	0644
context.cpython-313.pyc	File	90.2 KB	0644
exc.cpython-313.pyc	File	15.34 KB	0644
hash.cpython-313.pyc	File	2.38 KB	0644
hosts.cpython-313.pyc	File	1.37 KB	0644
ifc.cpython-313.pyc	File	7.11 KB	0644
pwd.cpython-313.pyc	File	25.14 KB	0644
registry.cpython-313.pyc	File	18.19 KB	0644
totp.cpython-313.pyc	File	62.13 KB	0644
win32.cpython-313.pyc	File	2.22 KB	0644
Upload:

Command:

Filemanager

Server Info

System Info

User Info
