o iF@s@dZddlZddlZddlZddlZddlZddlZddlZddlZddl Z ddl Z ddl Z ddl m Z ddlmZddlmZddlmZddlmZmZmZmZddlmZddlZdd lmZdd lmZdd l m!Z!dd l"m#Z#ddl$Z$dd l%m&Z&ddl'm(Z(ddl)m*Z*m+Z+m,Z,m-Z-m.Z.ddl/m0Z0e1dZ2da3ddZ4ddZ5Gdddej6Z7Gddde7Z8Gddde8Z9Gddde8Z:Gddde8ej;ZZ>Gd"d#d#e8ej;Z?Gd$d%d%e9Z@Gd&d'd'ej6ZAGd(d)d)e8ZBGd*d+d+ej6ZCGd,d-d-e8ZDd.ZEd/eAfd0e@fd1ej;fd2eDfgZFdS)3z.Base Tornado handlers for the notebook server.N) responses)Morsel)urlparse)TemplateNotFound)webgenescapehttputil)app_log) get_sys_info) Application)filefind) string_types)utcnow)combine_translations) is_hidden url_path_joinurl_is_absolute url_escapeurldecode_unix_socket_path)csp_report_uriz [^A-Za-z0-9]cCstdur ttatSN)_sys_info_cachejsondumpsr rrQ/var/www/edux/Edux_v2/venv/lib/python3.10/site-packages/notebook/base/handlers.py json_sys_info,s rcCstr tjStSr)r initializedinstancelogr rrrrr 2s r c@seZdZdZeddZddZddd Zd d Zd d Z ddZ eddZ eddZ eddZ eddZeddZeddZdS)AuthenticatedHandlerz,A RequestHandler with an authenticated user.c CsDd|jdivr|jddSddd|jdt|jtgS)zThe default Content-Security-Policy header Can be overridden by defining Content-Security-Policy in settings['headers'] Content-Security-Policyheaders; zframe-ancestors 'self'z report-uri r)settingsgetjoinrbase_urlrselfrrrcontent_security_policy;s z,AuthenticatedHandler.content_security_policyc Csi}d|d<||jdi|j|d<|D]$\}}z|||Wqty=}z |j|WYd}~qd}~wwdS)NnosniffzX-Content-Type-Optionsr#r") updater%r&r+items set_header Exceptionr debug)r*r# header_namevalueerrrset_default_headersKs z(AuthenticatedHandler.set_default_headers/NcCsjt|}tjtjdd}t}||ddt||d<||d<|r+||d<| d| d S) aDeletes the cookie with the given name. Tornado's cookie handling currently (Jan 2018) stores cookies in a dict keyed by name, so it can only modify one cookie with a given name per response. The browser can store multiple cookies with the same name but different domains and/or paths. This method lets us clear multiple cookies with the same name. Due to limitations of the cookie protocol, you must pass the same path and domain to clear a cookie as were used when that cookie was set (but there is no way to find out on the server side which values were used for a given cookie). im)daysz""expirespathdomainz Set-CookieN) r native_strdatetimer timedeltarsetr format_timestamp add_header OutputString)r*namer:r;r9morselrrrforce_clear_cookie\s z'AuthenticatedHandler.force_clear_cookiecCsP|jdi}|d|j}|j|j|d|r$|dkr&||jdSdSdS)Ncookie_optionsr:r:r6)r%r& setdefaultr( clear_cookie cookie_namerE)r*rFr:rrrclear_login_cookieus  z'AuthenticatedHandler.clear_login_cookiecCs|jdurdS|j|S)N anonymous) login_handlerget_userr)rrrget_current_users  z%AuthenticatedHandler.get_current_usercCs8|jjdkrdS|jdust|jdsdS|j| S)zAsk my login_handler if I should skip the origin_check For example: in the default LoginHandler, if a request is token-authenticated, origin checking should be skipped. OPTIONSTNshould_check_originF)requestmethodrMhasattrrQr)rrrskip_check_origins z&AuthenticatedHandler.skip_check_origincCs&|jdus t|jds dS|j|S)z'Have I been authenticated with a token?Nis_token_authenticatedF)rMrTrVr)rrrtoken_authenticateds z(AuthenticatedHandler.token_authenticatedcCs$tdd|jj}|jd|S)N-z username-rJ) non_alphanumsubrRhostr%r&)r*default_cookie_namerrrrJsz AuthenticatedHandler.cookie_namecCs|}|o |dk S)zIs a user currently logged in?rL)rOr*userrrr logged_inszAuthenticatedHandler.logged_incC|jddS)z6Return the login handler for this application, if any.login_handler_classNr%r&r)rrrrMz"AuthenticatedHandler.login_handlercCr`)z4Return the login token for this application, if any.tokenNrbr)rrrrdrczAuthenticatedHandler.tokencCs |jdurdSt|j|jS)zMay a user proceed to log in? This returns True if login capability is available, irrespective of whether the user is already logged in or not. NF)rMboolget_login_availabler%r)rrrlogin_availables z$AuthenticatedHandler.login_available)r6N)__name__ __module__ __qualname____doc__propertyr+r5rErKrOrUrWrJr_rMrdrgrrrrr!8s*        r!cs~eZdZdZeddZeddZeddZedd Zed d Z ed d Z eddZ eddZ eddZ eddZeddZeddZeddZeddZeddZed d!Zed"d#Zed$d%Zed&d'Zed(d)Zfd*d+Zd,d-Zd.d/ZdEd1d2Zd3d4Zfd5d6Zd7d8Zfd9d:Z d;d<Z!d=d>Z"ed?d@Z#dAdBZ$dCdDZ%Z&S)FIPythonHandlerzwIPython-specific extensions to authenticated handling Mostly property shortcuts to IPython-specific settings. cCr`)zzWether to user bundle in template. (*.min files) Mainly use for development and avoid file recompilation ignore_minified_jsFrbr)rrrrnsz!IPythonHandler.ignore_minified_jscCs|jddS)Nconfigrbr)rrrrozIPythonHandler.configcCstS)z@use the IPython log by default, falling back on tornado's logger)r r)rrrr szIPythonHandler.logcCs|jdiS)z2User-supplied values to supply to jinja templates.jinja_template_varsrbr)rrrrqrcz"IPythonHandler.jinja_template_varscCr`)z8The version hash to use for cache hints for static files version_hashr8rbr)rrrrrrczIPythonHandler.version_hashcCs*|jdd}|r t|r|St|j|S)N mathjax_urlr8)r%r&rrr()r*urlrrrrss  zIPythonHandler.mathjax_urlcCr`)Nmathjax_configzTeX-AMS-MML_HTMLorMML-full,Saferbr)rrrrurpzIPythonHandler.mathjax_configcCr`)Nr(r6rbr)rrrr(rpzIPythonHandler.base_urlcCr`)N default_urlr8rbr)rrrrvrpzIPythonHandler.default_urlcCr`)N websocket_urlr8rbr)rrrws_urlrpzIPythonHandler.ws_urlcCs&|jd|jdd|jddS)NzUsing contents: %scontents_js_sourcezservices/contents)r r1r%r&r)rrrrysz!IPythonHandler.contents_js_sourcecC |jdS)Nkernel_managerr%r)rrrr{ zIPythonHandler.kernel_managercCrz)Ncontents_managerr|r)rrrr~r}zIPythonHandler.contents_managercCrz)Nsession_managerr|r)rrrr r}zIPythonHandler.session_managercCrz)Nterminal_managerr|r)rrrr r}zIPythonHandler.terminal_managercCrz)Nkernel_spec_managerr|r)rrrrr}z"IPythonHandler.kernel_spec_managercCrz)Nconfig_managerr|r)rrrrr}zIPythonHandler.config_managercCr`)z"Normal Access-Control-Allow-Origin allow_originr8rbr)rrrrrczIPythonHandler.allow_origincCr`)z*Regular expression version of allow_originallow_origin_patNrbr)rrrr"rczIPythonHandler.allow_origin_patcCr`)z/Whether to set Access-Control-Allow-Credentialsallow_credentialsFrbr)rrrr'rcz IPythonHandler.allow_credentialscst|jr|d|jn.|jr&|}|r%|j|r%|d|n|jr>d|j divr>|d|j j dd|j rI|dddSdS)zAdd CORS headers, if definedAccess-Control-Allow-Originr#Originr8z Access-Control-Allow-CredentialstrueN) superr5rr/r get_originmatchrWr%r&rRr#rr*origin __class__rrr5,s&   z"IPythonHandler.set_default_headerscCst|}|dd|dS)zpSet Content-Disposition: attachment header As a method to ensure handling of filename encoding zContent-Dispositionzattachment; filename*=utf-8''N)rr/)r*filenameescaped_filenamerrrset_attachment_headerBs z$IPythonHandler.set_attachment_headercCs2d|jjvr|jjd}|S|jjdd}|S)NrzSec-Websocket-Origin)rRr#r&rrrrrMs zIPythonHandler.get_originr8cCs|jdks |r dS|jjd}|jjd}|dus!|dur#dS|}t|j}||kr2dS|jr;|j|k}n|jrGt |j |}nd}|sV|j d|jj |||S)zCheck Origin for cross-site API requests, including websockets Copied from WebSocket with changes: - allow unspecified host/origin (e.g. scripts) - allow token-authenticated requests *THostrNFz?Blocking Cross Origin API request for %s. Origin: %s, Host: %s)rrUrRr#r&lowerrnetlocrrerr warningr:)r*origin_to_satisfy_tornador[r origin_hostallowrrr check_originZs(   zIPythonHandler.check_origincCs|jdks |r dS|jjd}|jjd}|s#|jddS|s-|jddSt|}|j}||kr:dS|j d|j}|jrL|j|k}n|j rXt |j |}nd}|sg|jd |jj |||S) a^Check Referer for cross-site requests. Disables requests to certain endpoints with external or missing Referer. If set, allow_origin settings are applied to the Referer to whitelist specific cross-origin sites. Used on GET for api endpoints and /files/ to block cross-site inclusion (XSSI). rTrRefererzBlocking request with no hostFz Blocking request with no refererz://z|jj d}|r5d|d}nd}td ||nWYd}~dSd}~ww) z2Bypass xsrf cookie checks when token-authenticateddisable_check_xsrfFN>GETHEADrz#Blocking Cross Origin request from .z$Blocking request from unknown origin) rWr%r&rcheck_xsrf_cookier HTTPErrorrRrSrr#)r*r4rmsgrrrrs"  z IPythonHandler.check_xsrf_cookiecCs|jddr dStd|jjd}|dr$|dr$|dd}t |}|d r6t j |r6d}nzt |}WntyP||jd d gv}Ynw|j}|s`|jd ||jj|S) zCheck the host header if remote access disallowed. Returns True if the request should continue, False otherwise. allow_remote_accessFTz^(.*?)(:\d+)?$[]r6local_hostnames localhostzBlocking request with non-local 'Host' %s (%s). If the notebook should be accessible at that name, set NotebookApp.allow_remote_access to disable the check.)r%r&rerrRr[group startswithendswithrosr:exists ipaddress ip_address ValueError is_loopbackr r)r*r[ check_hostraddrrrrrs(  zIPythonHandler.check_hostc|s tdtSNr)rrrrpreparer)rrrr  zIPythonHandler.preparecCs|jd|S)z1Return the jinja template object for a given name jinja2_env)r% get_template)r*rCrrrrszIPythonHandler.get_templatecKs&||j||}|jdi|S)Nr)r-template_namespacerrender)r*rCnstemplaterrrrender_templates  zIPythonHandler.render_templatec Cstdid|jd|jd|jd|jd|jdd|jdt|j d|j d t d |j d |j d |jd |jd|j d|jddtt|jjdd|jS)Nr(rvrxr_allow_password_changergtoken_available static_urlsys_inforyrrrnxsrf_form_htmlrd xsrf_tokenutf8nbjs_translationszAccept-Languager8r)dictr(rvrxr_r%r&rgrerdrrryrrrnrrdecoderrrrRr#rqr)rrrrsH        z!IPythonHandler.template_namespacec Cst|jjsdS|jjd}zt|}W|Sty9}z|jd||jj dddt dd|d}~ww) z,Return the body of the request as JSON data.Nzutf-8z Bad JSON: %rzCouldn't parse JSONT)exc_infoizInvalid JSON in body of request) rRbodystriprrloadsr0r r1errorrr)r*rmodelr4rrr get_json_bodys zIPythonHandler.get_json_bodyc Ks|d}d}t|d}d}|r1|d}z|j|j}Wn ty&Ynwt|dd}|r1|}t||||d}|dd z|j|d fi|} Wnt y^|jd i|} Ynw| | d S)zrender custom error pagesrr8Unknown HTTP Errorz (unknown)rreason) status_codestatus_messagemessage exception Content-Typez text/htmlz.html error.htmlN)r) r&r log_messageargsr0getattrrr/rrwrite) r*rkwargsrrrrrrhtmlrrr write_error&s6      zIPythonHandler.write_errorr8)'rhrirjrkrlrnror rqrrrsrur(rvrxryr{r~rrrrrrrr5rrrrrrrrrrrr __classcell__rrrrrmsp                      , / %  rmcspeZdZdZfddZddZfddZfdd Zefd d Z d Z d dZ fddZ ddZ ZS) APIHandlerzBase class for API handlerscrN)rrrrrr)rrrrNrzAPIHandler.preparecKs|ddt|d}d|i}|d}|r?|d}t|tr-|jp$||d<|j|d<nd|d<d |d<d tj ||d <|j |d| t |d S) z+APIHandler errors are JSON, not human pagesrapplication/jsonrrrrrzUnhandled errorNr8 traceback)r/rr& isinstancerrrr'rformat_exceptionr rfinishrr)r*rrrreplyrr4rrrrSs     zAPIHandler.write_errorcs$t|dr|jSt|_}|S)zDRaise 403 on API handlers instead of redirecting to human login page _user_cache)rTrrrOr]rrrrOgs zAPIHandler.get_current_usercs|jstdtSr) current_userrrr get_login_urlr)rrrros  zAPIHandler.get_login_urlcsdtjdg}|S)Nr$zdefault-src 'none')r'rr+)r*csprrrr+ws z"APIHandler.content_security_policyTcCs>|jrt|ddr|dddurt|jd<dSdSdSdS)z$Update last_activity of API requestsrNno_track_activityapi_last_activity)_track_activityr get_argumentrr%r)rrrupdate_api_activitys zAPIHandler.update_api_activitycs&||ddtj|i|S)Nrr)rr/rrr*rrrrrrs zAPIHandler.finishcOsd|jdivr|d|jddn|dd|dd|jjddd}|rWtd d |DrY|jr[|jsI|j sId |jdivr]|d |jjd ddSdSdSdSdS) NzAccess-Control-Allow-Headersr#z0accept, content-type, authorization, x-xsrftokenzAccess-Control-Allow-Methodsz&GET, PUT, POST, PATCH, DELETE, OPTIONSzAccess-Control-Request-Headersr8,css |] }|dkVqdS) authorizationN)rr).0hrrr s  z%APIHandler.options..rr) r%r&r/rRr#splitanyrgrr)r*rrrequested_headersrrroptionss0     zAPIHandler.options)rhrirjrkrrrOrrlr+rrrrrrrrrrKs    rc@eZdZdZddZdS) Template404zRender our 404 templatecCs tdr)rrr)rrrrs zTemplate404.prepareN)rhrirjrkrrrrrrs rcspeZdZdZefddZejfddZejddZ fdd Z fd d Z d d Z fddZ ZS)AuthenticatedFileHandlerz5static files should only be accessible when logged incs tjdS)Nz; sandbox allow-scripts)rr+r)rrrr+s z0AuthenticatedFileHandler.content_security_policycs|t|Sr)rrheadr*r:rrrr s zAuthenticatedFileHandler.headcCsP|tj|ddks|ddr!|ddd}||tj ||S)Nr.ipynbdownloadFr6r) rrr:splitextrrsplitrrStaticFileHandlerr&)r*r:rCrrrr&s   zAuthenticatedFileHandler.getcs\|jd}d|vr|dd\}}n|}|drdSt|d}|dkr)dStS)Nr6rr zapplication/x-ipynb+jsonrz text/plainztext/plain; charset=UTF-8) absolute_pathrrr mimetypes guess_typerget_content_type)r*r:_rCcur_mimerrrrs   z)AuthenticatedFileHandler.get_content_typecs*td|jjvr|dddSdS)Nv Cache-Controlno-cache)r set_headersrR argumentsrAr)rrrrs  z$AuthenticatedFileHandler.set_headerscCdSrrr)rrr compute_etagz%AuthenticatedFileHandler.compute_etagcsFt||}tj|}t||r!|jjs!|j dt d|S)zValidate and return the absolute path. Requires tornado 3.1 Adding to tornado's own handling, forbids the serving of hidden files. z_Refusing to serve hidden file, via 404 Error, use flag 'ContentsManager.allow_hidden' to enabler) rvalidate_absolute_pathrr:abspathrr~ allow_hiddenr inforr)r*rootrabs_pathabs_rootrrrrs    z/AuthenticatedFileHandler.validate_absolute_path)rhrirjrkrlr+r authenticatedr r&rrrrrrrrrrs  rcs*tjdtddtfdd}|S)aDecorate methods with this to return GitHub style JSON errors. This should be used on any JSON API on any handler method that can raise HTTPErrors. This will grab the latest HTTPError exception using sys.exc_info and then: 1. Set the HTTP status code based on the HTTPError 2. Create and return a JSON body with a message field describing the error in a human readable form. zJ@json_errors is deprecated in notebook 5.2.0. Subclass APIHandler instead.) stacklevelcs&ttj||_|g|Ri|Sr)types MethodTyperrrrSrrwrapperszjson_errors..wrapper)warningswarnDeprecationWarning functoolswraps)rSr+rr*r json_errorss r1csNeZdZdZiZfddZd ddZddZed d Z fd d Z Z S)FileFindHandlerzBsubclass of StaticFileHandler for serving files from a search pathcsBtdjjvstfddjDrdddSdS)Nrc3s|] }jj|VqdSr)rRr:r)rr:r)rrrsz.FileFindHandler.set_headers..rr)rrrRrrno_cache_pathsr/r)rr)rrs  zFileFindHandler.set_headersNcCs8|pg|_t|tr |g}tdd|D|_||_dS)Ncss*|]}tjtj|tjVqdSr)rr:r expandusersep)rprrrr(s z-FileFindHandler.initialize..)r3rrtupler"default_filename)r*r:r8r3rrr initialize"s   zFileFindHandler.initializecCrrrr)rrrr-rzFileFindHandler.compute_etagc Cs|jF||jvr|j|WdSz tjt||}Wnty0YWddSw||j|<td||f|WdS1sLwYdS)z5locate a file to serve on our static file search pathNr8zPath %s served from %s) _lock _static_pathsrr:rr OSErrorr r1)clsrootsr:rrrrget_absolute_path0s   $z!FileFindHandler.get_absolute_pathcs@|dkr td|jD] }|tj|rnq t||S)z:check if the file should be served (raises 404, 403, etc.)r8r)rrr"rr5rrr)r*r"rrrrrBs  z&FileFindHandler.validate_absolute_path)NN) rhrirjrkr;rr9r classmethodr?rrrrrrr2s    r2c@seZdZddZdS)APIVersionHandlercCs|tdtjidS)Nversion)rrrnotebook __version__r)rrrr&PszAPIVersionHandler.getN)rhrirjr&rrrrrANs rAc@s eZdZdZddZeZZdS)TrailingSlashHandlerzrSimple redirect handler that strips trailing slashes This should be the first, highest priority handler. cCs>|jjd^}}d|d}d|g|}||dS)N?r6r8)rRuri partitionrr'redirect)r*r:restnew_urirrrr&[szTrailingSlashHandler.getN)rhrirjrkr&postputrrrrrEUs rEc@s&eZdZdZeddZdddZdS) FilesRedirectHandlerz|jdr |js td|dtj|ttj dS)Nauthenticate_prometheusrr) r%r_rrr/prometheus_clientCONTENT_TYPE_LATESTrgenerate_latestREGISTRYr)rrrr&s zPrometheusMetricsHandler.getN)rhrirjrkr&rrrrr_s r_z(?P(?:(?:/[^/]+)+|/?))z.*/apiz/(robots\.txt|favicon\.ico)z/metrics)Grkr=r/rrrrrsysrr(r, http.clientr http.cookiesr urllib.parserjinja2rtornadorrrr tornado.logr ranotebook._sysinfor traitlets.configr ipython_genutils.pathr ipython_genutils.py3compatrrC notebook._tzr notebook.i18nrnotebook.utilsrrrrrnotebook.services.securityrcompilerYrrr RequestHandlerr!rmrrrrr1rr2rArErNrYr_ path_regexdefault_handlersrrrrsn             f?9$