0Fie+6ddlmZddlZddlZddlZddlZddlZddlZddlZddl m Z dZ ej dks ej dkr dd ZddZnddZddZGddZdS)) annotationsN) get_template)Security) )rrctxssl.SSLContextversionssl.TLSVersionreturnNonec||_dSN)minimum_versionr r s 4lib/python3.11/site-packages/distributed/security.py_set_minimum_versionr%c||_dSr)maximum_versionrs r_set_maximum_versionrrrc|tjjurtd||xjtjtjztjztjzzc_dSNzUnsupported TLS/SSL version: ) ssl TLSVersionTLSv1_2 ValueErroroptions OP_NO_SSLv2 OP_NO_SSLv3 OP_NO_TLSv1 OP_NO_TLSv1_1rs rrr$sZ #.0 0 0HWHHII I Oco - ?#BS S rcP|tjjurtd|dSr)rrrr rs rrr/s3 #.0 0 0HWHHII I 1 0rcleZdZdZdZddZedZdZddZ dZ d Z d Z d Z d Zd ZdZdS)ra4Security configuration for a Dask cluster. Default values are loaded from Dask's configuration files, and can be overridden in the constructor. Parameters ---------- require_encryption : bool, optional Whether TLS encryption is required for all connections. tls_ca_file : str, optional Path to a CA certificate file encoded in PEM format. tls_ciphers : str, optional An OpenSSL cipher string of allowed ciphers. If not provided, the system defaults will be used. tls_min_version : ssl.TLSVersion, optional The minimum TLS version to support. Defaults to TLS 1.2. tls_max_version : ssl.TLSVersion, optional The maximum TLS version to support. Defaults to the maximum version supported. tls_client_cert : str, optional Path to a certificate file for the client, encoded in PEM format. tls_client_key : str, optional Path to a key file for the client, encoded in PEM format. Alternatively, the key may be appended to the cert file, and this parameter be omitted. tls_scheduler_cert : str, optional Path to a certificate file for the scheduler, encoded in PEM format. tls_scheduler_key : str, optional Path to a key file for the scheduler, encoded in PEM format. Alternatively, the key may be appended to the cert file, and this parameter be omitted. tls_worker_cert : str, optional Path to a certificate file for a worker, encoded in PEM format. tls_worker_key : str, optional Path to a key file for a worker, encoded in PEM format. Alternatively, the key may be appended to the cert file, and this parameter be omitted. extra_conn_args : mapping, optional Mapping with keyword arguments to pass down to connections. ) require_encryption tls_ca_file tls_cipherstls_min_versiontls_max_versiontls_client_keytls_client_certtls_scheduler_keytls_scheduler_certtls_worker_keytls_worker_certextra_conn_argsNc tjdkr(tjdtjdt t ||j}|rtdt|z| di|_ |tjd}|t!|}||_||dd||d d tjj||d d ||d d||dd||dd||dd||dd||dd||dddS)N)rrrz support for z7 is deprecated, and will be removed in a future releasezUnknown parameters: %rr3z#distributed.comm.require-encryptionr*zdistributed.comm.tls.ciphersr+z distributed.comm.tls.min-versionr,z distributed.comm.tls.max-versionr)zdistributed.comm.tls.ca-filer-zdistributed.comm.tls.client.keyr.z distributed.comm.tls.client.certr/z"distributed.comm.tls.scheduler.keyr0z#distributed.comm.tls.scheduler.certr1zdistributed.comm.tls.worker.keyr2z distributed.comm.tls.worker.cert)rOPENSSL_VERSION_INFOwarningswarnOPENSSL_VERSIONDeprecationWarningset difference __slots__ TypeErrorsortedpopr3daskconfiggetboolr( _set_field_set_tls_version_fieldrr)selfr(kwargsextras r__init__zSecurity.__init__rs  #i / / M;s2;;;"    F &&t~66  F4ve}}DEE E%zz*;R@@  %!%1V!W!W   %!%f "4  /MNNN ##   . N "    ##   .    /MNNN  02STTT  13UVVV  ')M     (*O     02STTT  13UVVVVVrc " ddlm}ddlm}ddlm}m}ddlm}ddl m }n#t$rtdwxYw| dd | }| |jj|jj| } |||jd g} ||d g} t2jt2jj d} ||  | !| d"|"#|$%| &| t3j'dz(||)|} | *|jj}|dd|| || || |d|S)aJCreate a new temporary Security object. This creates a new self-signed key/cert pair suitable for securing communication for all roles in a Dask cluster. These keys/certs exist only in memory, and are stored in this object. This method requires the library ``cryptography`` be installed. r)x509)default_backend)hashes serialization)rsa)NameOIDz_Using `Security.temporary` requires `cryptography`, please install it using either pip or condaii)public_exponentkey_sizebackend)encodingformatencryption_algorithmz dask-internal)tzN)tzinfoF)criticalim)daysT)r(r)r-r.r/r0r1r2)+ cryptographyrKcryptography.hazmat.backendsrLcryptography.hazmat.primitivesrMrN)cryptography.hazmat.primitives.asymmetricrOcryptography.x509.oidrP ImportErrorgenerate_private_key private_bytesEncodingPEM PrivateFormatPKCS8 NoEncryptiondecodeName NameAttribute COMMON_NAMESubjectAlternativeNameDNSNamedatetimenowtimezoneutcreplaceCertificateBuilder subject_name issuer_name add_extension public_key serial_numberrandom_serial_numbernot_valid_beforenot_valid_after timedeltasignSHA256 public_bytes)clsrGrKrLrMrNrOrPkey key_contents dask_internalaltnamesrpcert cert_contentss r temporaryzSecurity.temporarys  ) ) ) ) ) ) D D D D D D L L L L L L L L E E E E E E 5 5 5 5 5 5 5   7   &&!D//:K:K'  (("+/ .4!.!;!;!=!=)   &((      3_ E E F  .. _0M0M/NOO##x'8'<#==EETERR  # # % % \- ( ( [ ' ' ]8e] 4 4 Z(( ) ) ]44466 7 7  c " " _S8#53#?#?#?? @ @ T#v}}(9(9 : : ))-*@*DEELLNN s  #%')*,')      s #=c||vr ||}ntj|}t|||dSr)r@rArBsetattr)rFrGfield config_namevals rrDzSecurity._set_fieldsA F??-CC+//+..CeS!!!!!rc ||vrX||}dtjjtjjh}||vr$t |d|dt |||}nt|tjjtjjd}t j|}||vr ||}n$t |d|dt |t|||dS)N=z# is not supported, expected one of )Ng333333?g?) rrrTLSv1_3r listr@rArBr)rFrGrrdefaultrvalids rrEzSecurity._set_tls_version_fields  F??-C3>13>3IJE% VVsVVeVV{^+^+E +//+..Ce||Cj "\\S\\tTY{{\\ eS!!!!!rcJt|j}|di}|D]t}t||}|`t |t r d|vrd||<3t |t r'dt j|d||<o|||<u|S)Nr3 zTemporary (In-memory)zLocal ()) r>r<removegetattr isinstancestrospathabspath)rFkeysattrkrs r _attr_to_dictzSecurity._attr_to_dictsdn%% %&&& " "A$""Cc3''"DCKK5DGGS))"?(<(<???DGG!DG rc|}ddd|DzdzS)Nz Security(z, c3*K|]\}}|d|VdS)rNr[).0rvalues r z$Security.__repr__..s4HHZS%3((((HHHHHHrr)rjoinitems)rFrs r__repr__zSecurity.__repr__ sO!!## iiHH4::<<HHHHH I  rcltd|S)Nzsecurity.html.j2)security)rrenderr)rFs r _repr_html_zSecurity._repr_html_s..//66@R@R@T@T6UUUrc|dvrtd||j|jt|d|zt|d|zdS)zR Return the TLS configuration for the given role, as a flat dict. >clientworker schedulerz unknown role z tls_%s_certz tls_%s_key)ca_fileciphersrr)r r)r*r)rFroles rget_tls_config_for_rolez Security.get_tls_config_for_rolesf 8 8 85T5566 6''D-$"6774!455    rct|dr|dr |d}|dx}}|dx}}d|vrtj||}ntj||}t||j|jt ||jd|v} |duod|v} | s| rtj5} | r]tj | d}t|d5} | |dddn #1swxYwY| r]tj | d }t|d5} | |dddn #1swxYwY|||dddn #1swxYwYn|||tj|_d |_|d r(||d |SdSdS) Nrrrr)purposecadata)rcafilezdask.crtwzdask.pemFr)rBrcreate_default_contextrr+r,rtempfileTemporaryDirectoryrrropenwriteload_cert_chain CERT_REQUIRED verify_modecheck_hostname set_ciphers) rFtlsrca cert_pathrkey_pathrr cert_in_memory key_in_memorytempdirfs r_get_tls_contextzSecurity._get_tls_context"s 779  * #''&//* YB"6{ *I WWU^^ +Hsrzz0LLL0LLL !d&: ; ; ;#/$S$*>???!T\NtO; M 9 9022 =g%*$&GLL*$E$E !)S11*QGGDMMM***************$)#%7<<#D#D!(C00)AGGCLLL)))))))))))))))'' 8<<< = = = = = = = = = = = = = = =##Ix888"/CO"'C wwy!! 4 2 2333JU* * * * sZ3F=D1% F=1D5 5F=8D5 95F=.F F=F F=F F==GGc||}||tjj|j|jdS)zh Get the *connection_args* argument for a connect() call with the given *role*. ) ssl_contextr(r3)rrrPurpose SERVER_AUTHr(r3rFrrs rget_connection_argszSecurity.get_connection_argsOsJ **40000ck6MNN"&"9#3   rc||}||tjj|jdS)zg Get the *connection_args* argument for a listen() call with the given *role*. )rr()rrrr CLIENT_AUTHr(rs rget_listen_argszSecurity.get_listen_args[sD **40000ck6MNN"&"9   rr)__name__ __module__ __qualname____doc__r<rI classmethodrrDrErrrrrrrr[rrrr9s''R I&W&W&W&WP: : [: x"""""""4$   VVV    +++Z          rr)r r r r rr) __future__rrorrsysrr6r@ dask.widgetsr__all__ version_infor5rrrr[rrrs""""""  %%%%%% w#":l"J"J&&&&&&&&&     JJJJk k k k k k k k k k r