o tfi@s*dZddlmZddlZddlZddlZddlZddlZddlZddl Z ddl Z ddl m Z mZddlmZddlmZmZmZddlmZmZmZmZmZddlmZdd lmZd d lm Z m!Z!d d l"m#Z#e$d Z%eGdddZ&dddZ'GdddeZ(Gddde(Z)Gddde)Z*dS)zIdentity Provider interface This defines the _authentication_ layer of Jupyter Server, to be used in combination with Authorizer for _authorization_. .. versionadded:: 2.0 ) annotationsN)asdict dataclass)Morsel)escapehttputilweb)BoolDictTypeUnicodedefault)LoggingConfigurable)_i18n) passwd_check set_password)get_anonymous_usernamez [^A-Za-z0-9]c@sfeZdZUdZded<dZded<dZded<dZded <dZded <dZ ded <d d Z ddZ dS)UserziObject representing a User This or a subclass should be returned from IdentityProvider.get_user strusernamename display_nameN str | Noneinitials avatar_urlcolorcCs |dSN) fill_defaultsselfr"e/var/www/html/software/conda/envs/catlas/lib/python3.10/site-packages/jupyter_server/auth/identity.py __post_init__:s zUser.__post_init__cCs<|js d|}t||js|j|_|js|j|_dSdS)zFill out default fields in the identity model - Ensures all values are defined - Fills out derivative values for name fields fields - Fills out null values for optional fields z!user.username must not be empty: N)r ValueErrorrr)r!msgr"r"r#r=s  zUser.fill_defaults) __name__ __module__ __qualname____doc____annotations__rrrrrr$rr"r"r"r#r"s       rgot_usert.AnyreturncCst|tr t|dSt|trIi}d|vrd|vr|d|d<tjD] }||vr.||||<q"ztdi|WStyHd|}t|dwd|}t|)a Backward-compatibility for LoginHandler.get_user Prior to 2.0, LoginHandler.get_user could return anything truthy. Typically, this was either a simple string username, or a simple dict. Make some effort to allow common patterns to keep working. )rrrzUnrecognized user: Nr") isinstancerrdict__dataclass_fields__ TypeErrorr%)r,kwargsfieldr&r"r"r#_backward_compat_userQs$         r5c@seZdZUdZeddeddZded<ededdZ e d dded d Z d ed <ededdZ ededdj ddZded<edejdeddZedejdeddZdZedddZe dZded<d_d"d#Zd`d%d&Zdad*d+Zdbd-d.Zdcd0d1Zddd3d4Zded5d6Zdfd8d9Z dgdhd?d@Z didAdBZ!d_dCdDZ"e#$dEe#j%Z&djdFdGZ'd`dHdIZ(dkdJdKZ)dldMdNZ*dldOdPZ+ dmdndUdVZ,d`dWdXZ-e.dYdZZ/e.d[d\Z0e.d]d^Z1d S)oIdentityProvideraC Interface for providing identity management and authentication. Two principle methods: - :meth:`~jupyter_server.auth.IdentityProvider.get_user` returns a :class:`~.User` object for successful authentication, or None for no-identity-found. - :meth:`~jupyter_server.auth.IdentityProvider.identity_model` turns a :class:`~jupyter_server.auth.User` into a JSONable dict. The default is to use :py:meth:`dataclasses.asdict`, and usually shouldn't need override. Additional methods can customize authentication. .. versionadded:: 2.0 rTzJName of the cookie to set for persisting login. Default: username-${Host}.confighelpzstr | Unicode[str, str | bytes] cookie_nameziExtra keyword arguments to pass to `set_secure_cookie`. See tornado's set_secure_cookie docs for details.NzSpecify whether login cookie should have the `secure` property (HTTPS-only).Only needed when protocol-detection gives the wrong answer due to proxies.) allow_noner8r9z+bool | Bool[bool | None, bool | int | None] secure_cookieziExtra keyword arguments to pass to `get_secure_cookie`. See tornado's get_secure_cookie docs for details.z aToken used for authenticating first-time connections to the server. The token can be read from the file referenced by JUPYTER_TOKEN_FILE or set directly with the JUPYTER_TOKEN environment variable. When no password is enabled, the default is to generate a new, random token. Setting to an empty string disables authentication altogether, which is NOT RECOMMENDED. Prior to 2.0: configured as ServerApp.token )r9)r8tokenz*jupyter_server.auth.login.LoginFormHandlerz'The login handler class to use, if any.) default_valueklassr8r9z(jupyter_server.auth.logout.LogoutHandlerz The logout handler class to use.FcCstdr d|_tjdStdr0d|_ttjd }|WdS1s+wY|js8d|_dSd|_tt d dS)NZ JUPYTER_TOKENFZJUPYTER_TOKEN_FILErTascii) osgetenvtoken_generatedenvironopenread need_tokenbinasciihexlifyurandomdecode)r!Z token_filer"r"r#_token_defaults    zIdentityProvider._token_defaultz%bool | Bool[bool, t.Union[bool, int]]rHhandlerweb.RequestHandlerr.&User | None | t.Awaitable[User | None]cCs ||S)zGet the authenticated user for a request Must return a :class:`jupyter_server.auth.User`, though it may be a subclass. Return None if the request is not authenticated. _may_ be a coroutine ) _get_userr!rNr"r"r#get_users zIdentityProvider.get_user User | Nonec st|ddrtt|jS||}t|tjr|IdH}|}||}t|tjr0|IdH}|}|p5|}|durK|durK||krH| ||d|_ |dury| |}| |}|durk|j d||||jsy||}| |||S) Get the user._jupyter_current_userNTz&Clearing invalid/expired login cookie )getattrtcastrrVget_user_tokenr/ Awaitableget_user_cookieset_login_cookie_token_authenticatedget_cookie_nameZ get_cookielogwarningclear_login_cookie auth_enabledgenerate_anonymous_user) r!rNZ _token_userZ token_userZ _cookie_userZ cookie_useruserr:cookier"r"r#rQs4             zIdentityProvider._get_userrerdict[str, t.Any]cCst|S)z"Return a User as an Identity model)r)r!rer"r"r#identity_modelszIdentityProvider.identity_modellist[tuple[str, object]]cCs4g}|jr |d|jf|jr|d|jf|S)zwReturn list of additional handlers for this identity provider For example, an OAuth callback handler. z/loginz/logout)login_availableappendlogin_handler_classlogout_availablelogout_handler_class)r!handlersr"r"r# get_handlerss zIdentityProvider.get_handlersrcCs$t|j|j|j|j|jd}|S)zSerialize a user to a string for storage in a cookie If overriding in a subclass, make sure to define user_from_cookie as well. Default is just the user's username. )rrrrr)jsondumpsrrrrr)r!rerfr"r"r#user_to_cookie!s zIdentityProvider.user_to_cookie cookie_valuecCs0t|}t|d|d|d|dd|dS)zInverse of user_to_cookierrrrNr)rqloadsr)r!rtrer"r"r#user_from_cookie4s z!IdentityProvider.user_from_cookiecCs"|jr|jStdd|jjS)zReturn the login cookie name Uses IdentityProvider.cookie_name, if defined. Default is to generate a string taking host into account to avoid collisions for multiple servers on one hostname with different ports. -z username-)r: _non_alphanumsubrequesthostrRr"r"r#r_@sz IdentityProvider.get_cookie_nameNonecCs|i}||j|dd|j}|dur|jjdk}|r#|dd|d|j||}|j|| |fi|dS)z9Call this on handlers to set the login cookie for successhttponlyTNhttpssecurepath) updatecookie_options setdefaultr<rzprotocolbase_urlr_Zset_secure_cookiers)r!rNrerr<r:r"r"r#r]Ls     z!IdentityProvider.set_login_cookie/rrdomainrcCsrt|}tjjtjjdtjdd}t}||ddt ||d<||d<|r/||d<| d | d S) aDeletes the cookie with the given name. Tornado's cookie handling currently (Jan 2018) stores cookies in a dict keyed by name, so it can only modify one cookie with a given name per response. The browser can store multiple cookies with the same name but different domains and/or paths. This method lets us clear multiple cookies with the same name. Due to limitations of the cookie protocol, you must pass the same path and domain to clear a cookie as were used when that cookie was set (but there is no way to find out on the server side which values were used for a given cookie). )tzim)daysrz""expiresrrz Set-CookieN) rZ native_strdatetimenowtimezoneutc timedeltarsetrZformat_timestamp add_header OutputString)r!rNrrrrmorselr"r"r#_force_clear_cookie\s z$IdentityProvider._force_clear_cookiecCsZi}||j|d|j}||}|j||d|r)|dkr+|||dSdSdS)z - in header: Authorization: token r=r Authorization) get_argumentauth_header_patmatchrzheadersgetgroup)r!rN user_tokenmr"r"r# get_tokens  zIdentityProvider.get_tokencstd|j}|s dS||}d}||kr"|jd|jjd}|rA||}t |tj r4|IdH}|}|dur?| |}|SdS)zIdentify the user based on a token in the URL or Authorization header Returns: - uuid if authenticated - None if not rNFz-Accepting token-authenticated request from %sT) rXrYr=rr`rrzZ remote_ipr\r/r[rd)r!rNr=r authenticated_userrer"r"r#rZs*     zIdentityProvider.get_user_tokencCsTtj}t}d|}}d|d}d}|jd|t||||d|S)zGenerate a random anonymous user. For use when a single shared token is used, but does not identify a user. z Anonymous ArNz5Generating new user for token-authenticated request: )uuiduuid4hexrr`rr)r!rNZuser_idmoonrrrrr"r"r#rds z(IdentityProvider.generate_anonymous_userboolcCs || S)a3Should the Handler check for CORS origin validation? Origin check should be skipped for token-authenticated requests. Returns: - True, if Handler must check for valid CORS origin. - False, if Handler should skip origin check since requests are token-authenticated. )is_token_authenticatedrRr"r"r#should_check_origins z$IdentityProvider.should_check_origincCs|jt|ddS)zReturns True if handler has been token authenticated. Otherwise, False. Login with a token is used to signal certain things, such as: - permit access to REST API - xsrf protection - skip origin-checks for scripts r^F) current_userrWrRr"r"r#rs z'IdentityProvider.is_token_authenticatedappr- ssl_optionsdict[str, t.Any] | NonecCs^|js"d}|dur|j|d|js |j|ddSdS|js-|jddSdS)z~Check the application's security. Show messages, or abort if necessary, based on the security configuration. zJupyter servers are configured to only be run with a password.1Hint: run the following command to set a password) $ python -m jupyter_server.auth passwordrN) superrpassword_requiredrr`criticalrsysexitr!rr __class__r"r#rs z*PasswordIdentityProvider.validate_securityr.rrrr)r'r(r)r*r rrr rrr rrrjrcrrr __classcell__r"r"rr#r5sB    rc@s|eZdZdZeZedddZedddZe dd Z dddZ e d ddZ d!ddZ d!ddZ d"d#ddZdS)$LegacyIdentityProviderzLegacy IdentityProvider for use with custom LoginHandlers Login configuration has moved from LoginHandler to IdentityProvider in Jupyter Server 2.0. rcCs|j|jdS)N)r=r)r=rr r"r"r#_default_settingssz(LegacyIdentityProvider._default_settingsrlcCsddlm}|S)Nr)LegacyLoginHandler)loginr)r!rr"r"r#_default_login_handler_classs z3LegacyIdentityProvider._default_login_handler_classcCrr)rjr r"r"r#rcsz#LegacyIdentityProvider.auth_enabledrNrOr.rTcCs |j|}|dur dSt|S)rUN)rlrSr5)r!rNrer"r"r#rSs zLegacyIdentityProvider.get_userrcCst|j|jSr)rrlZget_login_availablerr r"r"r#rjs z&LegacyIdentityProvider.login_availablecCt|j|S)zWhether we should check origin.)rrlrrRr"r"r#rz*LegacyIdentityProvider.should_check_origincCr)z#Whether we are token authenticated.)rrlrrRr"r"r#rrz-LegacyIdentityProvider.is_token_authenticatedNrr-rrr|cCsX|jr#|js#|jtd|jtd|jtdtd|j||dS)zValidate security.rrrrN) rrr`rrrrrlrrr"r"r#rs  z(LegacyIdentityProvider.validate_securityrrrrr)r'r(r)r*r rr rrrrcrSrjrrrr"r"r"r#rs        r)r,r-r.r)+r* __future__rrIrrqrBrrtypingrXr dataclassesrr http.cookiesrtornadorrrZ traitletsr r r r r Ztraitlets.configrZjupyter_server.transutilsrsecurityrrutilsrrrxrr5r6rrr"r"r"r#s8       .Jm