Mhi|dZddlmZddlZddlZddlZddlZddlZddlZddl Z ddl Z ddl m Z mZddlmZddlmZmZmZddlmZmZmZmZmZddlmZdd lmZd d lm Z m!Z!d d l"m#Z#ej$d Z%eGddZ&ddZ'GddeZ(Gdde(Z)Gdde)Z*dS)zIdentity Provider interface This defines the _authentication_ layer of Jupyter Server, to be used in combination with Authorizer for _authorization_. .. versionadded:: 2.0 ) annotationsN)asdict dataclass)Morsel)escapehttputilweb)BoolDictTypeUnicodedefault)LoggingConfigurable)_i18n) passwd_check set_password)get_anonymous_usernamez [^A-Za-z0-9]cpeZdZUdZded<dZded<dZded<dZded <dZded <dZ ded <d Z d Z dS)UserziObject representing a User This or a subclass should be returned from IdentityProvider.get_user strusernamename display_nameN str | Noneinitials avatar_urlcolorc.|dSN) fill_defaultsselfs \/var/www/html/test/jupyter/venv/lib/python3.11/site-packages/jupyter_server/auth/identity.py __post_init__zUser.__post_init__:s c|jsd|}t||js |j|_|js|j|_dSdS)zFill out default fields in the identity model - Ensures all values are defined - Fills out derivative values for name fields fields - Fills out null values for optional fields z!user.username must not be empty: N)r ValueErrorrr)r$msgs r%r"zUser.fill_defaults=sa} ">&>> ! , , ,222CS//t + ,/H..oos / A;; BceZdZUdZeddedZded<ededZ e d dded  Z d ed <ededZ eded dZded<edejdedZedejdedZdZeddZe dZded<dId!ZdJd#ZdKd'ZdLd)ZdMd+ZdNd-ZdOd.ZdPd0Z dQdRd6Z dSd7Z!dId8Z"e#j$d9e#j%Z&dTd:Z'dJd;Z(dUd<Z)dVd>Z*dVd?Z+ dWdXdDZ,dJdEZ-e.dFZ/e.dGZ0e.dHZ1d S)YIdentityProvideraC Interface for providing identity management and authentication. Two principle methods: - :meth:`~jupyter_server.auth.IdentityProvider.get_user` returns a :class:`~.User` object for successful authentication, or None for no-identity-found. - :meth:`~jupyter_server.auth.IdentityProvider.identity_model` turns a :class:`~jupyter_server.auth.User` into a JSONable dict. The default is to use :py:meth:`dataclasses.asdict`, and usually shouldn't need override. Additional methods can customize authentication. .. versionadded:: 2.0 rTzJName of the cookie to set for persisting login. Default: username-${Host}.confighelpzstr | Unicode[str, str | bytes] cookie_nameziExtra keyword arguments to pass to `set_secure_cookie`. See tornado's set_secure_cookie docs for details.NzSpecify whether login cookie should have the `secure` property (HTTPS-only).Only needed when protocol-detection gives the wrong answer due to proxies.) allow_noner?r@z+bool | Bool[bool | None, bool | int | None] secure_cookieziExtra keyword arguments to pass to `get_secure_cookie`. See tornado's get_secure_cookie docs for details.z aToken used for authenticating first-time connections to the server. The token can be read from the file referenced by JUPYTER_TOKEN_FILE or set directly with the JUPYTER_TOKEN environment variable. When no password is enabled, the default is to generate a new, random token. Setting to an empty string disables authentication altogether, which is NOT RECOMMENDED. Prior to 2.0: configured as ServerApp.token )r@)r?tokenz*jupyter_server.auth.login.LoginFormHandlerz'The login handler class to use, if any.) default_valueklassr?r@z(jupyter_server.auth.logout.LogoutHandlerz The logout handler class to use.Fctjdrd|_tjdStjdrRd|_t tjd5}|cdddS#1swxYwY|js d|_dSd|_tjtj d dS)N JUPYTER_TOKENFJUPYTER_TOKEN_FILErTascii) osgetenvtoken_generatedenvironopenread need_tokenbinasciihexlifyurandomdecode)r$ token_files r%_token_defaultzIdentityProvider._token_defaults 9_ % % /#(D :o. . 9) * * )#(D bj!5677 ):!(( ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) D#(D 2#'D #BJrNN33::7CC Cs(B  B B z%bool | Bool[bool, t.Union[bool, int]]rRhandlerweb.RequestHandlerr3&User | None | t.Awaitable[User | None]c,||S)zGet the authenticated user for a request Must return a :class:`jupyter_server.auth.User`, though it may be a subclass. Return None if the request is not authenticated. _may_ be a coroutine ) _get_userr$rYs r%get_userzIdentityProvider.get_users~~g&&&r' User | NonecKt|ddrtjt|jS||}t |tjr|d{V}|}||}t |tjr|d{V}|}|p|}|%|#||kr| ||d|_ || |}| |}|2|j d||||js+||}| |||S) Get the user._jupyter_current_userNTz&Clearing invalid/expired login cookie )getattrtcastrrcget_user_tokenr5 Awaitableget_user_cookieset_login_cookie_token_authenticatedget_cookie_name get_cookielogwarningclear_login_cookie auth_enabledgenerate_anonymous_user) r$rY _token_user token_user _cookie_user cookie_useruserrAcookies r%r]zIdentityProvider._get_users 73T : : ?6$ =>> >>B>Q>QRY>Z>Z k1; / / , +++++++K"- ++G44 lAK 0 0 .!-------L#/ ([   6{""%%gt444,0G ( <..w77K'' 44F!  !W+!W!WXXX''000$ 533G<<%%gt444 r'rwrdict[str, t.Any]c t|S)z"Return a User as an Identity model)r)r$rws r%identity_modelzIdentityProvider.identity_modelsd||r'list[tuple[str, object]]cg}|jr|d|jf|jr|d|jf|S)zwReturn list of additional handlers for this identity provider For example, an OAuth callback handler. z/loginz/logout)login_availableappendlogin_handler_classlogout_availablelogout_handler_class)r$handlerss r% get_handlerszIdentityProvider.get_handlerssZ    C OOY(@A B B B   E OOZ)BC D D Dr'rcltj|j|j|j|j|jd}|S)zSerialize a user to a string for storage in a cookie If overriding in a subclass, make sure to define user_from_cookie as well. Default is just the user's username. )rrrrr)jsondumpsrrrrr)r$rwrxs r%user_to_cookiezIdentityProvider.user_to_cookie!s@ M $ 1 M      r' cookie_valuec tj|}t|d|d|d|dd|dS)zInverse of user_to_cookierrrrNr)rloadsr)r$rrws r%user_from_cookiez!IdentityProvider.user_from_cookie4sLz,''   L     M    r'cn|jr|jStdd|jjS)zReturn the login cookie name Uses IdentityProvider.cookie_name, if defined. Default is to generate a string taking host into account to avoid collisions for multiple servers on one hostname with different ports. -z username-)rA _non_alphanumsubrequesthostr^s r%rlz IdentityProvider.get_cookie_name@s=   N# # $$S*Lgo6J*L*LMM Mr'Nonecpi}||j|dd|j}||jjdk}|r|dd|d|j||}|j|| |fi|dS)z9Call this on handlers to set the login cookie for successhttponlyTNhttpssecurepath) updatecookie_options setdefaultrCrprotocolbase_urlrlset_secure_cookier)r$rYrwrrCrAs r%rjz!IdentityProvider.set_login_cookieLsd1222!!*d333*  #O4?M  6  % %h 5 5 5!!&'*:;;;**733 !!+t/B/B4/H/H[[N[[[[[r'/rrdomainrctj|}tjtjjtjdz }t}||ddtj ||d<||d<|r||d<| d | d S) aDeletes the cookie with the given name. Tornado's cookie handling currently (Jan 2018) stores cookies in a dict keyed by name, so it can only modify one cookie with a given name per response. The browser can store multiple cookies with the same name but different domains and/or paths. This method lets us clear multiple cookies with the same name. Due to limitations of the cookie protocol, you must pass the same path and domain to clear a cookie as were used when that cookie was set (but there is no way to find out on the server side which values were used for a given cookie). )tzim)daysrz""expiresrrz Set-CookieN) r native_strdatetimenowtimezoneutc timedeltarsetrformat_timestamp add_header OutputString)r$rYrrrrmorsels r%_force_clear_cookiez$IdentityProvider._force_clear_cookie\s  &&#''8+<+@'AAHDV\_D`D`D`` & 4T"""$5g>>yv  &%F8 <)<)<)>)>?????r'ci}||j|d|j}||}||||r|dkr|||dSdSdS)z - in header: Authorization: token rDr Authorization) get_argumentauth_header_patmatchrheadersgetgroup)r$rY user_tokenms r% get_tokenzIdentityProvider.get_tokensj))'266  ($**7?+B+F+FXZ+[+[\\A (WWQZZ r'cvKtjd|j}|sdS||}d}||kr'|jd|jjd}|rR||}t|tj r|d{V}|}|| |}|SdS)zIdentify the user based on a token in the URL or Authorization header Returns: - uuid if authenticated - None if not rNFz-Accepting token-authenticated request from %sT) rerfrDrrnrr remote_iprir5rhrr)r$rYrDr authenticated_userrws r%rgzIdentityProvider.get_user_tokens|W]33 4^^G,,     HNN?)   !M  ((11E%-- $#  %D|33G<<K4r'ctjj}t}d|x}}d|d}d}|jd|t ||||d|S)zGenerate a random anonymous user. For use when a single shared token is used, but does not identify a user. z Anonymous ArNz5Generating new user for token-authenticated request: )uuiduuid4hexrrnrr)r$rYuser_idmoonrrrrs r%rrz(IdentityProvider.generate_anonymous_users{ *,,"%''14111| tAw== [RY[[\\\GT<4GGGr'boolc.|| S)a3Should the Handler check for CORS origin validation? Origin check should be skipped for token-authenticated requests. Returns: - True, if Handler must check for valid CORS origin. - False, if Handler should skip origin check since requests are token-authenticated. )is_token_authenticatedr^s r%should_check_originz$IdentityProvider.should_check_origins..w7777r'c2|jt|ddS)zReturns True if handler has been token authenticated. Otherwise, False. Login with a token is used to signal certain things, such as: - permit access to REST API - xsrf protection - skip origin-checks for scripts rkF) current_userrdr^s r%rz'IdentityProvider.is_token_authenticateds  w 6>>>r'appr2 ssl_optionsdict[str, t.Any] | Nonec|jsId}||j|d|js|j|ddSdS|js|jddSdS)z~Check the application's security. Show messages, or abort if necessary, based on the security configuration. zFao Forces users to use a password for the Jupyter server. This is useful in a multi user environment, for instance when everybody in the LAN can access each other's machine through ssh. In such a case, serving on localhost is not secure since any user can connect to the Jupyter server via ssh. a Allow password to be changed at login for the Jupyter server. While logging in with a token, the Jupyter server UI will give the opportunity to the user to enter a new password at the same time that will replace the token login mechanism. This can be set to False to prevent changing password from the UI/API. rRc,t|j Sr!)rhashed_passwordr#s r%_need_token_defaultz,PasswordIdentityProvider._need_token_defaulths,----r'r3rc|jSrrr#s r%r~z(PasswordIdentityProvider.login_availablelrr'c8t|jp|jS)z"Return whether any auth is enabled)rrrDr#s r%rqz%PasswordIdentityProvider.auth_enabledqsD(6DJ777r'c,t|j|S)z1Check password against our stored hashed password)rr)r$rs r%rz%PasswordIdentityProvider.passwd_checkvsD0(;;;r'rYrZr`c|dd}|dd}d}|js/|jd||S||r|s||S|jr|j|kr||}|r|jr|j dd}tj |d}t|| |_|jt!d | |S) rrrr new_passwordNr config_dirzjupyter_server_config.json) config_filezWrote hashed password to {file})file)rrqrnrorrrrDallow_password_changesettingsrrLrjoinrrinforformat)r$rYrrrwrrs r%rz+PasswordIdentityProvider.process_login_formzsW !--j"-EE++NB+GG   9 H  U V V V//88 8   ^ , , a\ a//88 8 Z aDJ.88//88D a : a$-11,CC  gll:7STT '3Lk'Z'Z'Z$ e$EFFMMS^M__``` r'Nrr2rrrct|||jr|js|jt d|jt d|jt dtjddSdSdS)zHandle security validation.>Jupyter servers are configured to only be run with a password.1Hint: run the following command to set a password) $ python -m jupyter_server.auth passwordrN) superrpassword_requiredrrncriticalrsysexit)r$rr __class__s r%rz*PasswordIdentityProvider.validate_securitys !!#{333  ! 4+?  H  VWW    H  e$WXX Y Y Y H  e$PQQ R R R HQKKKKK     r'r3rrr!r)r+r,r-r.r rrr rrrrrr~rqrrr __classcell__)rs@r%rr5sl''g  U    O   U     !D  U      W\...!!!X!888X8<<<604           r'rceZdZdZeZeddZeddZe dZ dd Z e dd Z ddZ ddZ dddZdS)LegacyIdentityProviderzLegacy IdentityProvider for use with custom LoginHandlers Login configuration has moved from LoginHandler to IdentityProvider in Jupyter Server 2.0. rc |j|jdS)N)rDr)rDrr#s r%_default_settingsz(LegacyIdentityProvider._default_settingssZ,   r'rcddlm}|S)Nr)LegacyLoginHandler)loginr)r$rs r%_default_login_handler_classz3LegacyIdentityProvider._default_login_handler_classs------!!r'c|jSr!)r~r#s r%rqz#LegacyIdentityProvider.auth_enableds ##r'rYrZr3r`c\|j|}|dSt|S)rbN)rr_r;)r$rYrws r%r_zLegacyIdentityProvider.get_users0'0099 <4$T***r'rcZt|j|jSr!)rrget_login_availablerr#s r%r~z&LegacyIdentityProvider.login_availables/  $ 8 8      r'cPt|j|S)zWhether we should check origin.)rrrr^s r%rz*LegacyIdentityProvider.should_check_origins!D,@@IIJJJr'cPt|j|S)z#Whether we are token authenticated.)rrrr^s r%rz-LegacyIdentityProvider.is_token_authenticateds!D,CCGLLMMMr'Nrr2rrrcj|jr|js|jt d|jt d|jt dt jd|j||dS)zValidate security.r r r rN) rrrnrrrrrr)r$rrs r%rz(LegacyIdentityProvider.validate_securitys  ! 4+?  H  VWW    H  e$WXX Y Y Y H  e$PQQ R R R HQKKK  22      r'rrrr!r)r+r,r-r.r rrrrrrqr_r~rrrr0r'r%rrstvvH WZ    W "##""$#" $$X$++++   X KKKKNNNN04       r'r)r1r2r3r)+r. __future__rrSrrrLrrtypingrer dataclassesrr http.cookiesrtornadorrr traitletsr r r r rtraitlets.configrjupyter_server.transutilsrsecurityrrutilsrrrrr;r=rrr0r'r%r.s/#"""""  ))))))))))))))))))88888888888888000000++++++00000000)))))) ?++  +*+*+*+*+*+*+* +*\:DDDDD*DDDNjjjjj/jjjZA A A A A 5A A A A A r'