use github.com/icholy/digest to impl digest auth

Signed-off-by: roc <roc@imroc.cc>

Author: imroc

digest.go

@@ -2,16 +2,13 @@ package req
 
 import (
 	"crypto/md5"
-	"crypto/rand"
 	"crypto/sha256"
 	"crypto/sha512"
 	"errors"
-	"fmt"
 	"hash"
-	"io"
 	"net/http"
-	"strings"
 
+	"github.com/icholy/digest"
 	"github.com/imroc/req/v3/internal/header"
 )
 
@@ -38,7 +35,7 @@ func handleDigestAuthFunc(username, password string) ResponseMiddleware {
 		if resp.Err != nil || resp.StatusCode != http.StatusUnauthorized {
 			return nil
 		}
-		auth, err := createDigestAuth(resp.Response, username, password)
+		auth, err := createDigestAuth(resp.Request.RawRequest, resp.Response, username, password)
 		if err != nil {
 			return err
 		}
@@ -62,217 +59,26 @@ func handleDigestAuthFunc(username, password string) ResponseMiddleware {
 			req.Header = make(http.Header)
 		}
 		req.Header.Set(header.Authorization, auth)
-		resp.Response, err = client.GetTransport().RoundTrip(&req)
+		resp.Response, err = client.httpClient.Do(&req)
 		return err
 	}
 }
 
-func createDigestAuth(resp *http.Response, username, password string) (auth string, err error) {
-	chal := resp.Header.Get(header.WwwAuthenticate)
-	if chal == "" {
-		return "", errDigestBadChallenge
-	}
-
-	c, err := parseChallenge(chal)
+func createDigestAuth(req *http.Request, resp *http.Response, username, password string) (auth string, err error) {
+	chal, err := digest.FindChallenge(resp.Header)
 	if err != nil {
 		return "", err
 	}
-
-	// Form credentials based on the challenge
-	cr := newCredentials(resp.Request.URL.RequestURI(), resp.Request.Method, username, password, c)
-	auth, err = cr.authorize()
-	return
-}
-
-func newCredentials(digestURI, method, username, password string, c *challenge) *credentials {
-	return &credentials{
-		username:   username,
-		userhash:   c.userhash,
-		realm:      c.realm,
-		nonce:      c.nonce,
-		digestURI:  digestURI,
-		algorithm:  c.algorithm,
-		sessionAlg: strings.HasSuffix(c.algorithm, "-sess"),
-		opaque:     c.opaque,
-		messageQop: c.qop,
-		nc:         0,
-		method:     method,
-		password:   password,
-	}
-}
-
-type challenge struct {
-	realm     string
-	domain    string
-	nonce     string
-	opaque    string
-	stale     string
-	algorithm string
-	qop       string
-	userhash  string
-}
-
-func parseChallenge(input string) (*challenge, error) {
-	const ws = " \n\r\t"
-	const qs = `"`
-	s := strings.Trim(input, ws)
-	if !strings.HasPrefix(s, "Digest ") {
-		return nil, errDigestBadChallenge
-	}
-	s = strings.Trim(s[7:], ws)
-	sl := strings.Split(s, ",")
-	c := &challenge{}
-	var r []string
-	for i := range sl {
-		r = strings.SplitN(strings.TrimSpace(sl[i]), "=", 2)
-		if len(r) != 2 {
-			return nil, errDigestBadChallenge
-		}
-		switch r[0] {
-		case "realm":
-			c.realm = strings.Trim(r[1], qs)
-		case "domain":
-			c.domain = strings.Trim(r[1], qs)
-		case "nonce":
-			c.nonce = strings.Trim(r[1], qs)
-		case "opaque":
-			c.opaque = strings.Trim(r[1], qs)
-		case "stale":
-			c.stale = strings.Trim(r[1], qs)
-		case "algorithm":
-			c.algorithm = strings.Trim(r[1], qs)
-		case "qop":
-			c.qop = strings.Trim(r[1], qs)
-		case "charset":
-			if strings.ToUpper(strings.Trim(r[1], qs)) != "UTF-8" {
-				return nil, errDigestCharset
-			}
-		case "userhash":
-			c.userhash = strings.Trim(r[1], qs)
-		default:
-			return nil, errDigestBadChallenge
-		}
-	}
-	return c, nil
-}
-
-type credentials struct {
-	username   string
-	userhash   string
-	realm      string
-	nonce      string
-	digestURI  string
-	algorithm  string
-	sessionAlg bool
-	cNonce     string
-	opaque     string
-	messageQop string
-	nc         int
-	method     string
-	password   string
-}
-
-func (c *credentials) authorize() (string, error) {
-	if _, ok := hashFuncs[c.algorithm]; !ok {
-		return "", errDigestAlgNotSupported
-	}
-
-	if err := c.validateQop(); err != nil {
-		return "", err
-	}
-
-	resp, err := c.resp()
+	cred, err := digest.Digest(chal, digest.Options{
+		Username: username,
+		Password: password,
+		Method:   req.Method,
+		URI:      req.URL.RequestURI(),
+		GetBody:  req.GetBody,
+		Count:    1,
+	})
 	if err != nil {
 		return "", err
 	}
-
-	sl := make([]string, 0, 10)
-	if c.userhash == "true" {
-		// RFC 7616 3.4.4
-		c.username = c.h(fmt.Sprintf("%s:%s", c.username, c.realm))
-		sl = append(sl, fmt.Sprintf(`userhash=%s`, c.userhash))
-	}
-	sl = append(sl, fmt.Sprintf(`username="%s"`, c.username))
-	sl = append(sl, fmt.Sprintf(`realm="%s"`, c.realm))
-	sl = append(sl, fmt.Sprintf(`nonce="%s"`, c.nonce))
-	sl = append(sl, fmt.Sprintf(`uri="%s"`, c.digestURI))
-	sl = append(sl, fmt.Sprintf(`response="%s"`, resp))
-	sl = append(sl, fmt.Sprintf(`algorithm=%s`, c.algorithm))
-	if c.opaque != "" {
-		sl = append(sl, fmt.Sprintf(`opaque="%s"`, c.opaque))
-	}
-	if c.messageQop != "" {
-		sl = append(sl, fmt.Sprintf("qop=%s", c.messageQop))
-		sl = append(sl, fmt.Sprintf("nc=%08x", c.nc))
-		sl = append(sl, fmt.Sprintf(`cnonce="%s"`, c.cNonce))
-	}
-
-	return fmt.Sprintf("Digest %s", strings.Join(sl, ", ")), nil
-}
-
-func (c *credentials) validateQop() error {
-	// Currently only supporting auth quality of protection. TODO: add auth-int support
-	if c.messageQop == "" {
-		return nil
-	}
-	possibleQops := strings.Split(c.messageQop, ", ")
-	var authSupport bool
-	for _, qop := range possibleQops {
-		if qop == "auth" {
-			authSupport = true
-			break
-		}
-	}
-	if !authSupport {
-		return errDigestQopNotSupported
-	}
-
-	return nil
-}
-
-func (c *credentials) h(data string) string {
-	hfCtor := hashFuncs[c.algorithm]
-	hf := hfCtor()
-	_, _ = hf.Write([]byte(data)) // Hash.Write never returns an error
-	return fmt.Sprintf("%x", hf.Sum(nil))
-}
-
-func (c *credentials) resp() (string, error) {
-	c.nc++
-
-	b := make([]byte, 16)
-	_, err := io.ReadFull(rand.Reader, b)
-	if err != nil {
-		return "", err
-	}
-	c.cNonce = fmt.Sprintf("%x", b)[:32]
-
-	ha1 := c.ha1()
-	ha2 := c.ha2()
-
-	if len(c.messageQop) == 0 {
-		return c.h(fmt.Sprintf("%s:%s:%s", ha1, c.nonce, ha2)), nil
-	}
-	return c.kd(ha1, fmt.Sprintf("%s:%08x:%s:%s:%s",
-		c.nonce, c.nc, c.cNonce, c.messageQop, ha2)), nil
-}
-
-func (c *credentials) kd(secret, data string) string {
-	return c.h(fmt.Sprintf("%s:%s", secret, data))
-}
-
-// RFC 7616 3.4.2
-func (c *credentials) ha1() string {
-	ret := c.h(fmt.Sprintf("%s:%s:%s", c.username, c.realm, c.password))
-	if c.sessionAlg {
-		return c.h(fmt.Sprintf("%s:%s:%s", ret, c.nonce, c.cNonce))
-	}
-
-	return ret
-}
-
-// RFC 7616 3.4.3
-func (c *credentials) ha2() string {
-	// currently no auth-int support
-	return c.h(fmt.Sprintf("%s:%s", c.method, c.digestURI))
+	return cred.String(), nil
 }

go.mod

@@ -5,6 +5,7 @@ go 1.23.0
 require (
 	github.com/andybalholm/brotli v1.1.1
 	github.com/hashicorp/go-multierror v1.1.1
+	github.com/icholy/digest v1.1.0
 	github.com/klauspost/compress v1.18.0
 	github.com/quic-go/qpack v0.5.1
 	github.com/quic-go/quic-go v0.51.0

go.sum

@@ -17,6 +17,8 @@ github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY
 github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo=
 github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
+github.com/icholy/digest v1.1.0 h1:HfGg9Irj7i+IX1o1QAmPfIBNu/Q5A5Tu3n/MED9k9H4=
+github.com/icholy/digest v1.1.0/go.mod h1:QNrsSGQ5v7v9cReDI0+eyjsXGUoRSUZQHeQ5C4XLa0Y=
 github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo=
 github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
 github.com/onsi/ginkgo/v2 v2.23.4 h1:ktYTpKJAVZnDT4VjxSbiBenUjmlL/5QkBEocaWXiQus=
@@ -59,3 +61,5 @@ google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwl
 google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gotest.tools/v3 v3.5.1 h1:EENdUnS3pdur5nybKYIh2Vfgc8IUNBjxDPSjtiJcOzU=
+gotest.tools/v3 v3.5.1/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU=