}tfi`dZddlmZddlZddlZddlZddlZddlZddlZddl Z ddl Z ddl m Z mZddlmZddlmZmZmZddlmZmZmZmZmZddlmZdd lmZd d lm Z m!Z!d d l"m#Z#ejHd Z%eGddZ&ddZ'GddeZ(Gdde(Z)Gdde)Z*y)zIdentity Provider interface This defines the _authentication_ layer of Jupyter Server, to be used in combination with Authorizer for _authorization_. .. versionadded:: 2.0 ) annotationsN)asdict dataclass)Morsel)escapehttputilweb)BoolDictTypeUnicodedefault)LoggingConfigurable)_i18n) passwd_check set_password)get_anonymous_usernamez [^A-Za-z0-9]cneZdZUdZded<dZded<dZded<dZded <dZded <dZ ded <d Z d Z y)UserziObject representing a User This or a subclass should be returned from IdentityProvider.get_user strusernamename display_nameN str | Noneinitials avatar_urlcolorc$|jyN) fill_defaultsselfs f/var/www/html/software/conda/envs/higlass/lib/python3.12/site-packages/jupyter_server/auth/identity.py __post_init__zUser.__post_init__:s c|jsd|}t||js|j|_|js|j|_yy)zFill out default fields in the identity model - Ensures all values are defined - Fills out derivative values for name fields fields - Fills out null values for optional fields z!user.username must not be empty: N)r ValueErrorrr)r$msgs r%r"zUser.fill_defaults=sO}}5dV&> ! $H:.o  ,'z2CS/t + ,s " A==BceZdZUdZeddedZded<ededZ e d dded  Z d ed <ededZ ededjdZded<edej"dedZedej"dedZdZeddZe dZded<d3dZd4dZd5dZd6d Zd7d!Zd8d"Zd9d#Zd:d$Z d; dd)Z'd4d*Z(d?d+Z)d@d,Z*d@d-Z+ dA dBd.Z,d4d/Z-e.d0Z/e.d1Z0e.d2Z1y )CIdentityProvideraC Interface for providing identity management and authentication. Two principle methods: - :meth:`~jupyter_server.auth.IdentityProvider.get_user` returns a :class:`~.User` object for successful authentication, or None for no-identity-found. - :meth:`~jupyter_server.auth.IdentityProvider.identity_model` turns a :class:`~jupyter_server.auth.User` into a JSONable dict. The default is to use :py:meth:`dataclasses.asdict`, and usually shouldn't need override. Additional methods can customize authentication. .. versionadded:: 2.0 rTzJName of the cookie to set for persisting login. Default: username-${Host}.confighelpzstr | Unicode[str, str | bytes] cookie_nameziExtra keyword arguments to pass to `set_secure_cookie`. See tornado's set_secure_cookie docs for details.NzSpecify whether login cookie should have the `secure` property (HTTPS-only).Only needed when protocol-detection gives the wrong answer due to proxies.) allow_noner=r>z+bool | Bool[bool | None, bool | int | None] secure_cookieziExtra keyword arguments to pass to `get_secure_cookie`. See tornado's get_secure_cookie docs for details.z aToken used for authenticating first-time connections to the server. The token can be read from the file referenced by JUPYTER_TOKEN_FILE or set directly with the JUPYTER_TOKEN environment variable. When no password is enabled, the default is to generate a new, random token. Setting to an empty string disables authentication altogether, which is NOT RECOMMENDED. Prior to 2.0: configured as ServerApp.token )r>)r=tokenz*jupyter_server.auth.login.LoginFormHandlerz'The login handler class to use, if any.) default_valueklassr=r>z(jupyter_server.auth.logout.LogoutHandlerz The logout handler class to use.Fctjdrd|_tjdStjdr=d|_t tjd5}|j cdddS|j sd|_yd|_tjtjdjdS#1swY[xYw)N JUPYTER_TOKENFJUPYTER_TOKEN_FILErTascii) osgetenvtoken_generatedenvironopenread need_tokenbinasciihexlifyurandomdecode)r$ token_files r%_token_defaultzIdentityProvider._token_defaults 99_ %#(D ::o. . 99) *#(D bjj!567 ):!( ) )#(D #'D ##BJJrN3::7C C ) )s (CCz%bool | Bool[bool, t.Union[bool, int]]rPc$|j|S)zGet the authenticated user for a request Must return a :class:`jupyter_server.auth.User`, though it may be a subclass. Return None if the request is not authenticated. _may_ be a coroutine ) _get_userr$handlers r%get_userzIdentityProvider.get_users~~g&&r'cKt|ddr$tjt|jS|j |}t |tjr |d{}|}|j|}t |tjr |d{}|}|xs|}| |||k7r|j||d|_ ||j|}|j|}|/|jjd||j||j s#|j#|}|j|||S77w) Get the user._jupyter_current_userNTz&Clearing invalid/expired login cookie )getattrtcastrr^get_user_tokenr2 Awaitableget_user_cookieset_login_cookie_token_authenticatedget_cookie_name get_cookielogwarningclear_login_cookie auth_enabledgenerate_anonymous_user) r$rZ _token_user token_user _cookie_user cookie_useruserr?cookies r%rXzIdentityProvider._get_usersO 73T :66$ = => >>B>Q>QRY>Z k1;; / ++K"- ++G4 lAKK 0!--L#/ ([   6{"%%gt4,0G ( <..w7K'' 4F!  #I+!WX''0$$33G<%%gt4 I,.s%A"E$E%6EEB5EEct|S)z"Return a User as an Identity model)r)r$rrs r%identity_modelzIdentityProvider.identity_modelsd|r'cg}|jr|jd|jf|jr|jd|jf|S)zwReturn list of additional handlers for this identity provider For example, an OAuth callback handler. z/loginz/logout)login_availableappendlogin_handler_classlogout_availablelogout_handler_class)r$handlerss r% get_handlerszIdentityProvider.get_handlerssN     OOY(@(@A B  OOZ)B)BC Dr'ctj|j|j|j|j |j d}|S)zSerialize a user to a string for storage in a cookie If overriding in a subclass, make sure to define user_from_cookie as well. Default is just the user's username. )rrrrr)jsondumpsrrrrr)r$rrrss r%user_to_cookiezIdentityProvider.user_to_cookie!sC MM $ 1 1 MM    r'c jtj|}t|d|d|d|dd|dS)zInverse of user_to_cookierrrrNr)rloadsr)r$ cookie_valuerrs r%user_from_cookiez!IdentityProvider.user_from_cookie4sFzz,'   L     M   r'c|jr |jStjdd|jjS)zReturn the login cookie name Uses IdentityProvider.cookie_name, if defined. Default is to generate a string taking host into account to avoid collisions for multiple servers on one hostname with different ports. -z username-)r? _non_alphanumsubrequesthostrYs r%rgz IdentityProvider.get_cookie_name@s>   ## # $$SIgoo6J6J5K*LM Mr'cxi}|j|j|jdd|j}||jj dk(}|r|jdd|jd|j |j|}|j||j|fi|y)z9Call this on handlers to set the login cookie for successhttponlyTNhttpssecurepath) updatecookie_options setdefaultrArprotocolbase_urlrgset_secure_cookier)r$rZrrrrAr?s r%rez!IdentityProvider.set_login_cookieLsd112!!*d3**  #OO44?M   % %h 5!!&'*:*:;**73 !!!+t/B/B4/H[N[r'ctj|}tjjtjj tj dz }t}|j|ddtj||d<||d<|r||d<|jd |jy ) aDeletes the cookie with the given name. Tornado's cookie handling currently (Jan 2018) stores cookies in a dict keyed by name, so it can only modify one cookie with a given name per response. The browser can store multiple cookies with the same name but different domains and/or paths. This method lets us clear multiple cookies with the same name. Due to limitations of the cookie protocol, you must pass the same path and domain to clear a cookie as were used when that cookie was set (but there is no way to find out on the server side which values were used for a given cookie). )tzim)daysrz""expiresrdomainz Set-CookieN) r native_strdatetimenowtimezoneutc timedeltarsetrformat_timestamp add_header OutputString)r$rZrrrrmorsels r%_force_clear_cookiez$IdentityProvider._force_clear_cookie\s   &##''8+<+<+@+@'AHDVDV\_D`` & 4T"$55g>yv %F8 <)<)<)>?r'ci}|j|j|jd|j}|j |}|j |||r|dk7r|j ||yyy)zBB#z(token|bearer)\s+(.+)c|jdd}|sR|jj|jjj dd}|r|j d}|S)zGet the user token from a request Default: - in URL parameters: ?token= - in header: Authorization: token rBr Authorization) get_argumentauth_header_patmatchrheadersgetgroup)r$rZ user_tokenms r% get_tokenzIdentityProvider.get_tokens]))'26 $$**7??+B+B+F+FXZ+[\AWWQZ r'cKtjd|j}|sy|j|}d}||k(r2|jj d|j jd}|rL|j|}t|tjr |d{}|}||j|}|Sy7w)zIdentify the user based on a token in the URL or Authorization header Returns: - uuid if authenticated - None if not rNFz-Accepting token-authenticated request from %sT) r`rarBrrirr remote_iprdr2rcrm)r$rZrBr authenticated_userrrs r%rbzIdentityProvider.get_user_tokens|W]]3^^G,    HHNN?)) !M ((1E%-#  %D|33G<K $sB C"B?#Cctjj}t}d|x}}d|d}d}|jj d|t ||||d|S)zGenerate a random anonymous user. For use when a single shared token is used, but does not identify a user. z Anonymous ArNz5Generating new user for token-authenticated request: )uuiduuid4hexrrirr)r$rZuser_idmoonrrrrs r%rmz(IdentityProvider.generate_anonymous_userss **,""%' *4&11|tAwi= QRYQZ[\GT<4GGr'c&|j| S)a3Should the Handler check for CORS origin validation? Origin check should be skipped for token-authenticated requests. Returns: - True, if Handler must check for valid CORS origin. - False, if Handler should skip origin check since requests are token-authenticated. )is_token_authenticatedrYs r%should_check_originz$IdentityProvider.should_check_origins..w777r'c4|jt|ddS)zReturns True if handler has been token authenticated. Otherwise, False. Login with a token is used to signal certain things, such as: - permit access to REST API - xsrf protection - skip origin-checks for scripts rfF) current_userr_rYs r%rz'IdentityProvider.is_token_authenticateds w 6>>r'c|jsNd}||jj|d|js|jj|dyy|js|jjdyy)z~Check the application's security. Show messages, or abort if necessary, based on the security configuration. z $  A  .5    .  cc! *$B   < =  @   5 6 O WDD 9=T J5B '+Z &   N\"]a@)@14@Jupyter servers are configured to only be run with a password.1Hint: run the following command to set a password) $ python -m jupyter_server.auth passwordrN) superrpassword_requiredrricriticalrsysexit)r$rr __class__s r%rz*PasswordIdentityProvider.validate_securitys !#{3  ! !4+?+? HH  VW  HH  e$WX Y HH  e$PQ R HHQK ,@ !r'rrrr!r)r+r,r-r.r rrr rrrrrrwrlrrr __classcell__)r s@r%rr5s'     O       !       \..!!88<604   -    r'rceZdZdZeZeddZeddZe dZ d dZ e ddZ dd Z dd Z d dd Zy )LegacyIdentityProviderzLegacy IdentityProvider for use with custom LoginHandlers Login configuration has moved from LoginHandler to IdentityProvider in Jupyter Server 2.0. rc4|j|jdS)N)rBr)rBrr#s r%_default_settingsz(LegacyIdentityProvider._default_settingssZZ,,  r'rycddlm}|S)Nr)LegacyLoginHandler)loginr)r$rs r%_default_login_handler_classz3LegacyIdentityProvider._default_login_handler_classs -!!r'c|jSr!)rwr#s r%rlz#LegacyIdentityProvider.auth_enableds###r'cT|jj|}|yt|S)r]N)ryr[r9)r$rZrrs r%r[zLegacyIdentityProvider.get_users+''009 <$T**r'c^t|jj|jSr!)rryget_login_availablerr#s r%rwz&LegacyIdentityProvider.login_availables*  $ $ 8 8    r'cJt|jj|S)zWhether we should check origin.)rryrrYs r%rz*LegacyIdentityProvider.should_check_originsD,,@@IJJr'cJt|jj|S)z#Whether we are token authenticated.)rryrrYs r%rz-LegacyIdentityProvider.is_token_authenticatedsD,,CCGLMMr'Ncn|jr|js|jjt d|jjt d|jjt dt j d|jj||y)zValidate security.rrrrN) rrrir rr r ryr)r$rrs r%rz(LegacyIdentityProvider.validate_securitys  ! !4+?+? HH  VW  HH  e$WX Y HH  e$PQ R HHQK   22  r'rr rr!r)r+r,r-r.r rrrrrrlr[rwrrrr0r'r%rrsvH Z   "#"$" $$+  KN04  -    r'r)r6rrr)+r. __future__rrQrrrJrr typingr`r dataclassesrr http.cookiesrtornadorrr traitletsr r r r rtraitlets.configrjupyter_server.transutilsrsecurityrrutilsrrrrr9r;rrr0r'r%r(s#  )))880+0) ?+  +*+* +*\:D*DNj/jZA 5A r'