KehdZddlmZddlZddlZddlZddlZddlZddlZddl Z ddl m Z m Z ddl mZddlmZmZmZddlmZmZmZddlmZmZmZmZmZdd lmZdd lm Z d d l!m"Z"m#Z#d d l$m%Z%erddl&m'Z'm(Z(ddl)m*Z*ej+dZ,e GddZ-ddZ.GddeZ/Gdde/Z0Gdde0Z1dS)zIdentity Provider interface This defines the _authentication_ layer of Jupyter Server, to be used in combination with Authorizer for _authorization_. .. versionadded:: 2.0 ) annotationsN)asdict dataclass)Morsel) TYPE_CHECKINGAny Awaitable)escapehttputilweb)BoolDictTypeUnicodedefault)LoggingConfigurable)_i18n) passwd_check set_password)get_anonymous_username)AuthenticatedHandlerJupyterHandler) ServerAppz [^A-Za-z0-9]cpeZdZUdZded<dZded<dZded<dZded <dZded <dZ ded <d Z d Z dS)UserziObject representing a User This or a subclass should be returned from IdentityProvider.get_user strusernamename display_nameN str | Noneinitials avatar_urlcolorc.|dSN) fill_defaultsselfs s c|jsd|}t||js |j|_|js|j|_dSdS)zFill out default fields in the identity model - Ensures all values are defined - Fills out derivative values for name fields fields - Fills out null values for optional fields z!user.username must not be empty: N)r ValueErrorr r!)r*msgs r+r(zUser.fill_defaultsAsa} ">&>> ! , , ,222CS//t + ,/H..oos / A;; BceZdZUdZeddedZded<ededZ e d dded  Z d ed <ededZ eded dZded<edejdedZedejdedZdZeddZe dZd ed<dId ZdJd"ZdKd&ZdLd(ZdMd*ZdNd,ZdOd.ZdPd0Z dQdRd6Z dSd7Z!dId8Z"e#j$d9e#j%Z&dTd:Z'dJd;Z(dUd<Z)dVd>Z*dVd?Z+ dWdXdDZ,dJdEZ-e.dFZ/e.dGZ0e.dHZ1d S)YIdentityProvideraC Interface for providing identity management and authentication. Two principle methods: - :meth:`~jupyter_server.auth.IdentityProvider.get_user` returns a :class:`~.User` object for successful authentication, or None for no-identity-found. - :meth:`~jupyter_server.auth.IdentityProvider.identity_model` turns a :class:`~jupyter_server.auth.User` into a JSONable dict. The default is to use :py:meth:`dataclasses.asdict`, and usually shouldn't need override. Additional methods can customize authentication. .. versionadded:: 2.0 rTzJName of the cookie to set for persisting login. Default: username-${Host}.confighelpz str | Unicode cookie_nameziExtra keyword arguments to pass to `set_secure_cookie`. See tornado's set_secure_cookie docs for details.NzSpecify whether login cookie should have the `secure` property (HTTPS-only).Only needed when protocol-detection gives the wrong answer due to proxies.) allow_nonerDrEz bool | Bool secure_cookieziExtra keyword arguments to pass to `get_secure_cookie`. See tornado's get_secure_cookie docs for details.z aToken used for authenticating first-time connections to the server. The token can be read from the file referenced by JUPYTER_TOKEN_FILE or set directly with the JUPYTER_TOKEN environment variable. When no password is enabled, the default is to generate a new, random token. Setting to an empty string disables authentication altogether, which is NOT RECOMMENDED. Prior to 2.0: configured as ServerApp.token )rE)rDtokenz*jupyter_server.auth.login.LoginFormHandlerz'The login handler class to use, if any.) default_valueklassrDrEz(jupyter_server.auth.logout.LogoutHandlerz The logout handler class to use.Fctjdrd|_tjdStjdrRd|_t tjd5}|cdddS#1swxYwY|js d|_dSd|_tjtj d dS)N JUPYTER_TOKENFJUPYTER_TOKEN_FILErTascii) osgetenvtoken_generatedenvironopenread need_tokenbinasciihexlifyurandomdecode)r* token_files r+_token_defaultzIdentityProvider._token_defaults 9_ % % /#(D :o. . 9) * * )#(D bj!5677 ):!(( ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) D#(D 2#'D #BJrNN33::7CC Cs(B  B B rWhandlerrr8$User | None | Awaitable[User | None]c,||S)zGet the authenticated user for a request Must return a :class:`jupyter_server.auth.User`, though it may be a subclass. Return None if the request is not authenticated. _may_ be a coroutine ) _get_userr*r^s r+get_userzIdentityProvider.get_users~~g&&&r- User | NonecKt|ddr|jS||}t|tr|d{V}|}||}t|tr|d{V}|}|p|}|%|#||kr|||d|_|||}| |}|2|j d|| ||j s+||}||||S) Get the user._jupyter_current_userNTz&Clearing invalid/expired login cookie )getattrrgget_user_tokenr:r get_user_cookieset_login_cookie_token_authenticatedget_cookie_name get_cookielogwarningclear_login_cookie auth_enabledgenerate_anonymous_user) r*r^ _token_user token_user _cookie_user cookie_useruserrFcookies r+razIdentityProvider._get_users 73T : : 10 0<@>yv  &%F8 <)<)<)>)>?????r-ci}||j|d|j}||}||||r|dkr|||dSdSdS)z - in header: Authorization: token rIr Authorization) get_argumentauth_header_patmatchrheadersgetgroup)r*r^ user_tokenms r+ get_tokenzIdentityProvider.get_tokensj))'266  ($**7?+B+F+FXZ+[+[\\A (WWQZZ r-cFK|j}|sdS||}d}||kr'|jd|jjd}|rM||}t|tr|d{V}|}|| |}|SdS)zIdentify the user based on a token in the URL or Authorization header Returns: - uuid if authenticated - None if not NFz-Accepting token-authenticated request from %sT) rIrrorr remote_iprjr:r rs)r*r^rIr authenticated_userrxs r+rizIdentityProvider.get_user_tokens  4^^G,,     HNN?)   !M  ((11E%++ $#  %D|33G<<K4r-ctjj}t}d|x}}d|d}d}|jd|t ||||d|S)zGenerate a random anonymous user. For use when a single shared token is used, but does not identify a user. z Anonymous ArNz5Generating new user for token-authenticated request: )uuiduuid4hexrrorr)r*r^user_idmoonr r!r#r%s r+rsz(IdentityProvider.generate_anonymous_users{ *,,"%''14111| tAw== [RY[[\\\GT<4GGGr-boolc.|| S)a3Should the Handler check for CORS origin validation? Origin check should be skipped for token-authenticated requests. Returns: - True, if Handler must check for valid CORS origin. - False, if Handler should skip origin check since requests are token-authenticated. )is_token_authenticatedrbs r+should_check_originz$IdentityProvider.should_check_origins..w7777r-c2|jt|ddS)zReturns True if handler has been token authenticated. Otherwise, False. Login with a token is used to signal certain things, such as: - permit access to REST API - xsrf protection - skip origin-checks for scripts rlF) current_userrhrbs r+rz'IdentityProvider.is_token_authenticateds  w 6>>>r-appr ssl_options dict | Nonec|jsId}||j|d|js|j|ddSdS|js|jddSdS)z~Check the application's security. Show messages, or abort if necessary, based on the security configuration. zJupyter servers are configured to only be run with a password.1Hint: run the following command to set a password) $ python -m jupyter_server.auth passwordrN) superrpassword_requiredrrocriticalrsysexit)r*rr __class__s r+rz*PasswordIdentityProvider.validate_securitys !!#{333  ! 4+?  H  VWW    H  e$WXX Y Y Y H  e$PQQ R R R HQKKKKK     r-)r8rrr'r)r1r2r3r4rrrr r rrrrr~rrrrr __classcell__)rs@r+rr7sl''g  U    O   U     !D  U      W\...!!!X!888X8<<<6$(           r-rceZdZdZeZeddZeddZe dZ dd Z e d Z ddZ ddZ dddZdS)LegacyIdentityProviderzLegacy IdentityProvider for use with custom LoginHandlers Login configuration has moved from LoginHandler to IdentityProvider in Jupyter Server 2.0. rc |j|jdS)N)rIr)rIrr)s r+_default_settingsz(LegacyIdentityProvider._default_settingssZ,   r-rcddlm}|S)Nr)LegacyLoginHandler)loginr)r*rs r+_default_login_handler_classz3LegacyIdentityProvider._default_login_handler_classs------!!r-c|jSr')r~r)s r+rrz#LegacyIdentityProvider.auth_enableds ##r-r^rr8rdc\|j|}|dSt|S)rfN)rrcr@)r*r^rxs r+rczLegacyIdentityProvider.get_users0'0099 <4$T***r-c@|j|jSr')rget_login_availablerr)s r+r~z&LegacyIdentityProvider.login_availables"';; M   r-rrc6|j|S)zWhether we should check origin.)rrrbs r+rz*LegacyIdentityProvider.should_check_origins';;GDDDr-c6|j|S)z#Whether we are token authenticated.)rrrbs r+rz-LegacyIdentityProvider.is_token_authenticateds'>>wGGGr-Nrrrrrcf|jr|js|jt d|jt d|jt dt jd|j||S)zValidate security.rr r r) r rror rrrrr)r*rrs r+rz(LegacyIdentityProvider.validate_securitys  ! 4+?  H  VWW    H  e$WXX Y Y Y H  e$PQQ R R R HQKKK'99    r-rrr'r)r1r2r3r4rrrrrrrrrcr~rrrr6r-r+rrstvvH WZ    W "##""$#" $$X$++++  X EEEEHHHH$(       r-r)r7rr8r)2r4 __future__rrXrrrQrrr dataclassesrr http.cookiesrtypingrrr tornador r r traitletsr rrrrtraitlets.configrjupyter_server.transutilsrsecurityrrutilsrjupyter_server.base.handlersrrjupyter_server.serverapprrrrr@rBrrr6r-r+r-sk#""""" ))))))))0000000000))))))))))88888888888888000000++++++00000000))))))3QQQQQQQQ222222 ?++  +*+*+*+*+*+*+* +*\:BBBBB*BBBJjjjjj/jjjZ? ? ? ? ? 5? ? ? ? ? r-