XhtdZddlmZddlZddlZddlZddlZddlZddlZddl Z ddl Z ddl m Z mZddlmZddlmZmZmZddlmZmZmZmZmZmZmZmZmZddlm Z dd l!m"Z"d d l#m$Z$m%Z%d d l&m'Z'ejPd Z)e jTdZ+eGddZ,ddZ-Gdde Z.Gdde.Z/Gdde/Z0y)zIdentity Provider interface This defines the _authentication_ layer of Jupyter Server, to be used in combination with Authorizer for _authorization_. .. versionadded:: 2.0 ) annotationsN)asdict dataclass)Morsel)escapehttputilweb) BoolDictEnumList TraitErrorTypeUnicodedefaultvalidate)LoggingConfigurable)_i18n) passwd_check set_password)get_anonymous_usernamez [^A-Za-z0-9]name display_nameinitials avatar_urlcolorcneZdZUdZded<dZded<dZded<dZded <dZded <dZ ded <d Z d Z y)UserziObject representing a User This or a subclass should be returned from IdentityProvider.get_user strusernamerrN str | Nonerrrc$|jyN) fill_defaultsselfs P/var/www/html/myenv/lib/python3.12/site-packages/jupyter_server/auth/identity.py __post_init__zUser.__post_init__>s c|jsd|}t||js|j|_|js|j|_yy)zFill out default fields in the identity model - Ensures all values are defined - Fills out derivative values for name fields fields - Fills out null values for optional fields z!user.username must not be empty: N)r" ValueErrorrr)r)msgs r*r'zUser.fill_defaultsAsO}}5dVUs(C X&& Hd # X %&H*&> ! $H:.o  ,'z2CS/t + ,s " A==Bc leZdZUdZeddedZded<ededZ e d dded  Z d ed <ededZ ededjdZded<edej"dedZedej"dedZeeeej0edgdedZdZeddZeddZe dZ d ed!<dd$Z#d?d%Z$d@d&Z%dAd'Z&dBd(Z'dCd)Z(dDd*Z)dEd+Z*dFd,Z+dGd-Z, dH dId.Z-dAd/Z. dy )OIdentityProvideraC Interface for providing identity management and authentication. Two principle methods: - :meth:`~jupyter_server.auth.IdentityProvider.get_user` returns a :class:`~.User` object for successful authentication, or None for no-identity-found. - :meth:`~jupyter_server.auth.IdentityProvider.identity_model` turns a :class:`~jupyter_server.auth.User` into a JSONable dict. The default is to use :py:meth:`dataclasses.asdict`, and usually shouldn't need override. Additional methods can customize authentication. .. versionadded:: 2.0 r#TzJName of the cookie to set for persisting login. Default: username-${Host}.confighelpzstr | Unicode[str, str | bytes] cookie_nameziExtra keyword arguments to pass to `set_secure_cookie`. See tornado's set_secure_cookie docs for details.NzSpecify whether login cookie should have the `secure` property (HTTPS-only).Only needed when protocol-detection gives the wrong answer due to proxies.) allow_nonerBrCz+bool | Bool[bool | None, bool | int | None] secure_cookieziExtra keyword arguments to pass to `get_secure_cookie`. See tornado's get_secure_cookie docs for details.z aToken used for authenticating first-time connections to the server. The token can be read from the file referenced by JUPYTER_TOKEN_FILE or set directly with the JUPYTER_TOKEN environment variable. When no password is enabled, the default is to generate a new, random token. Setting to an empty string disables authentication altogether, which is NOT RECOMMENDED. Prior to 2.0: configured as ServerApp.token )rC)rBtokenz*jupyter_server.auth.login.LoginFormHandlerz'The login handler class to use, if any.) default_valueklassrBrCz(jupyter_server.auth.logout.LogoutHandlerz The logout handler class to use.rz5List of fields in the User model that can be updated.)traitrHrBrCFctjdrd|_tjdStjdr=d|_t tjd5}|j cdddS|j sd|_yd|_tjtjdjdS#1swY[xYw)N JUPYTER_TOKENFJUPYTER_TOKEN_FILEr#Tascii) osgetenvtoken_generatedenvironopenread need_tokenbinasciihexlifyurandomdecode)r) token_files r*_token_defaultzIdentityProvider._token_defaults 99_ %#(D ::o. . 99) *#(D bjj!567 ):!( ) )#(D #'D ##BJJrN3::7C C ) )s (CCupdatable_fieldscttjt}|dDcgc] }||vs| }}|rd|}t ||dScc}w)z7Validate that all fields in updatable_fields are valid.valuez$Invalid fields in updatable_fields: )listtget_argsUpdatableFieldr)r)proposalvalid_updatable_fieldsr=invalid_fieldsr/s r*_validate_updatable_fieldsz+IdentityProvider._validate_updatable_fieldssk"&ajj&@!A'0 EAW4WE   88HICS/ !   s AAz%bool | Bool[bool, t.Union[bool, int]]rVc$|j|S)zGet the authenticated user for a request Must return a :class:`jupyter_server.auth.User`, though it may be a subclass. Return None if the request is not authenticated. _may_ be a coroutine ) _get_userr)handlers r*get_userzIdentityProvider.get_users~~g&&r,cKt|ddr$tjt|jS|j |}t |tjr |d{}|}|j|}t |tjr |d{}|}|xs|}| |||k7r|j||d|_ ||j|}|j|}|/|jjd||j||j s#|j#|}|j|||S77w) Get the user._jupyter_current_userNTz&Clearing invalid/expired login cookie )getattrracastr roget_user_tokenr7 Awaitableget_user_cookieset_login_cookie_token_authenticatedget_cookie_name get_cookielogwarningclear_login_cookie auth_enabledgenerate_anonymous_user) r)rk _token_user token_user _cookie_user cookie_useruserrDcookies r*rizIdentityProvider._get_usersO 73T :66$ = => >>B>Q>QRY>Z k1;; / ++K"- ++G4 lAKK 0!--L#/ ([   6{"%%gt4,0G ( <..w7K'' 4F!  #I+!WX''0$$33G<%%gt4 I,.s%A"E$E%6EEB5EEc|j|tjt|j}|j ||}|j ||S)z3Update user information and persist the user model.) check_updaterarqr current_userupdate_user_modelpersist_user_model)r)rk user_datar updated_users r* update_userzIdentityProvider.update_user(sN )$vvdG$8$89 --lIF  (r,cP|D]!}||jvsd|d}t|y)z2Raises if some fields to update are not updatable.zField z is not updatableN)r]r.)r)rr=r/s r*rzIdentityProvider.check_update2s8 &ED111ug%67 o% &r,ctzUpdate user information.NotImplementedError)r)rrs r*rz"IdentityProvider.update_user_model9!!r,ct)z'Persist the user model (i.e. a cookie).rrjs r*rz#IdentityProvider.persist_user_model=rr,ct|S)z"Return a User as an Identity model)r)r)rs r*identity_modelzIdentityProvider.identity_modelAsd|r,cg}|jr|jd|jf|jr|jd|jf|S)zwReturn list of additional handlers for this identity provider For example, an OAuth callback handler. z/loginz/logout)login_availableappendlogin_handler_classlogout_availablelogout_handler_class)r)handlerss r* get_handlerszIdentityProvider.get_handlersFsN     OOY(@(@A B  OOZ)B)BC Dr,ctj|j|j|j|j |j d}|S)zSerialize a user to a string for storage in a cookie If overriding in a subclass, make sure to define user_from_cookie as well. Default is just the user's username. )r"rrrr)jsondumpsr"rrrr)r)rrs r*user_to_cookiezIdentityProvider.user_to_cookieRsC MM $ 1 1 MM    r,c jtj|}t|d|d|d|dd|dS)zInverse of user_to_cookier"rrrNr)rloadsr )r) cookie_valuers r*user_from_cookiez!IdentityProvider.user_from_cookieesFzz,'   L     M   r,c|jr |jStjdd|jjS)zReturn the login cookie name Uses IdentityProvider.cookie_name, if defined. Default is to generate a string taking host into account to avoid collisions for multiple servers on one hostname with different ports. -z username-)rD _non_alphanumsubrequesthostrjs r*rwz IdentityProvider.get_cookie_nameqs>   ## # $$SIgoo6J6J5K*LM Mr,cxi}|j|j|jdd|j}||jj dk(}|r|jdd|jd|j |j|}|j||j|fi|y)z9Call this on handlers to set the login cookie for successhttponlyTNhttpssecurepath) updatecookie_options setdefaultrFrprotocolbase_urlrwset_secure_cookier)r)rkrrrFrDs r*ruz!IdentityProvider.set_login_cookie}sd112!!*d3**  #OO44?M   % %h 5!!&'*:*:;**73 !!!+t/B/B4/H[N[r,ctj|}tjjtjj tj dz }t}|j|ddtj||d<||d<|r||d<|jd |jy ) aDeletes the cookie with the given name. Tornado's cookie handling currently (Jan 2018) stores cookies in a dict keyed by name, so it can only modify one cookie with a given name per response. The browser can store multiple cookies with the same name but different domains and/or paths. This method lets us clear multiple cookies with the same name. Due to limitations of the cookie protocol, you must pass the same path and domain to clear a cookie as were used when that cookie was set (but there is no way to find out on the server side which values were used for a given cookie). )tzim)daysr#z""expiresrdomainz Set-CookieN) r native_strdatetimenowtimezoneutc timedeltarsetrformat_timestamp add_header OutputString)r)rkrrrrmorsels r*_force_clear_cookiez$IdentityProvider._force_clear_cookies   &##''8+<+<+@+@'AHDVDV\_D`` & 4T"$55g>yv %F8 <)<)<)>?r,ci}|j|j|jd|j}|j |}|j |||r|dk7r|j ||yyy)zBB#z(token|bearer)\s+(.+)c|jdd}|sR|jj|jjj dd}|r|j d}|S)zGet the user token from a request Default: - in URL parameters: ?token= - in header: Authorization: token rGr# Authorization) get_argumentauth_header_patmatchrheadersgetgroup)r)rk user_tokenms r* get_tokenzIdentityProvider.get_tokens]))'26 $$**7??+B+B+F+FXZ+[\AWWQZ r,cKtjd|j}|sy|j|}d}||k(r2|jj d|j jd}|rL|j|}t|tjr |d{}|}||j|}|Sy7w)zIdentify the user based on a token in the URL or Authorization header Returns: - uuid if authenticated - None if not r$NFz-Accepting token-authenticated request from %sT) rarqrGrryrr remote_iprtr7rsr})r)rkrGr authenticated_userrs r*rrzIdentityProvider.get_user_tokens|W]]3^^G,    HHNN?)) !M ((1E%-#  %D|33G<K $sB C"B?#Cctjj}t}d|x}}d|d}d}|jj d|t ||||d|S)zGenerate a random anonymous user. For use when a single shared token is used, but does not identify a user. z Anonymous ArNz5Generating new user for token-authenticated request: )uuiduuid4hexrryrr )r)rkuser_idmoonrrrrs r*r}z(IdentityProvider.generate_anonymous_userss **,""%' *4&11|tAwi= QRYQZ[\GT<4GGr,c&|j| S)a3Should the Handler check for CORS origin validation? Origin check should be skipped for token-authenticated requests. Returns: - True, if Handler must check for valid CORS origin. - False, if Handler should skip origin check since requests are token-authenticated. )is_token_authenticatedrjs r*should_check_originz$IdentityProvider.should_check_origins..w777r,c4|jt|ddS)zReturns True if handler has been token authenticated. Otherwise, False. Login with a token is used to signal certain things, such as: - permit access to REST API - xsrf protection - skip origin-checks for scripts rvF)rrprjs r*rz'IdentityProvider.is_token_authenticateds w 6>>r,c|jsNd}||jj|d|js|jj|dyy|js|jjdyy)z~Check the application's security. Show messages, or abort if necessary, based on the security configuration. z $  A  .5    .  cc! *$B   < =  @   5 6 4  >234i J K O WDD  ! !" !9=T J5B '+Z)6O &"" &   N\"]a@)@14@ ?r,c<|j||jy)z#Persist the user model to a cookie.N)rurrjs r*rz+PasswordIdentityProvider.persist_user_models gw';';Jupyter servers are configured to only be run with a password.1Hint: run the following command to set a password) $ python -m jupyter_server.auth passwordrN) superrpassword_requiredrrycriticalrsysexit)r)rr __class__s r*rz*PasswordIdentityProvider.validate_securitys !#{3  ! !4+?+? HH  VW  HH  e$WX Y HH  e$PQ R HHQK ,@ !r,rr rr rr&r )r0r1r2r3rrrr r0r&rrrrrr|rrrrr __classcell__)r4s@r*rrfs'     O       !       \..   ! !!88=<604   -    r,rceZdZdZeZeddZeddZe dZ d dZ e ddZ dd Z dd Z d dd Zy )LegacyIdentityProviderzLegacy IdentityProvider for use with custom LoginHandlers Login configuration has moved from LoginHandler to IdentityProvider in Jupyter Server 2.0. r'c4|j|jdS)N)rGr)rGrr(s r*_default_settingsz(LegacyIdentityProvider._default_settingssZZ,,  r,rcddlm}|S)Nr)LegacyLoginHandler)loginr<)r)r<s r*_default_login_handler_classz3LegacyIdentityProvider._default_login_handler_classs -!!r,c|jSr&)rr(s r*r|z#LegacyIdentityProvider.auth_enableds###r,cT|jj|}|yt|S)rnN)rrlr>)r)rkrs r*rlzLegacyIdentityProvider.get_users+''009 <$T**r,c^t|jj|jSr&)r rget_login_availabler'r(s r*rz&LegacyIdentityProvider.login_available s*  $ $ 8 8    r,cJt|jj|S)zWhether we should check origin.)r rrrjs r*rz*LegacyIdentityProvider.should_check_originsD,,@@IJJr,cJt|jj|S)z#Whether we are token authenticated.)r rrrjs r*rz-LegacyIdentityProvider.is_token_authenticatedsD,,CCGLMMr,Ncn|jr|js|jjt d|jjt d|jjt dt j d|jj||y)zValidate security.r,r-r.rN) r0rryr1rr2r3rr)r)rrs r*rz(LegacyIdentityProvider.validate_securitys  ! !4+?+? HH  VW  HH  e$WX Y HH  e$PQ R HHQK   22  r,rr5r r&r )r0r1r2r3r r'rr:r>rr|rlrrrrr5r,r*r8r8svH Z   "#"$" $$+  KN04  -    r,r8)r;r rr )1r3 __future__rrWrrrPrr2typingrar dataclassesrr http.cookiesrtornadorrr traitletsr r r r rrrrrtraitlets.configrjupyter_server.transutilsrsecurityrrutilsrrrLiteralrcr r>r@rr8r5r,r*rQs#  )))ZZZ0+0) ?+ TU +*+* +*\:q*qh/DA 5A r,