o ig@sRdZddlmZddlZddlZddlZddlZddlZddlZddl Z ddl m Z m Z ddl mZddlmZmZmZddlmZmZmZddlmZmZmZmZmZdd lmZdd lm Z d d l!m"Z"m#Z#d d l$m%Z%er|ddl&m'Z'ddl(m)Z)e*dZ+e GdddZ,dddZ-GdddeZ.Gddde.Z/Gddde/Z0dS)zIdentity Provider interface This defines the _authentication_ layer of Jupyter Server, to be used in combination with Authorizer for _authorization_. .. versionadded:: 2.0 ) annotationsN)asdict dataclass)Morsel) TYPE_CHECKINGAny Awaitable)escapehttputilweb)BoolDictTypeUnicodedefault)LoggingConfigurable)_i18n) passwd_check set_password)get_anonymous_username)JupyterHandler) ServerAppz [^A-Za-z0-9]c@sfeZdZUdZded<dZded<dZded<dZded <dZded <dZ ded <d d Z ddZ dS)UserziObject representing a User This or a subclass should be returned from IdentityProvider.get_user strusernamename display_nameN str | Noneinitials avatar_urlcolorcCs |dSN) fill_defaultsselfr'W/var/www/edux/Edux_v2/venv/lib/python3.10/site-packages/jupyter_server/auth/identity.py __post_init__>s zUser.__post_init__cCs<|js d|}t||js|j|_|js|j|_dSdS)zFill out default fields in the identity model - Ensures all values are defined - Fills out derivative values for name fields fields - Fills out null values for optional fields z!user.username must not be empty: N)r ValueErrorrr)r&msgr'r'r(r$As  zUser.fill_defaults) __name__ __module__ __qualname____doc____annotations__rrr r!r"r)r$r'r'r'r(r&s       rgot_userrreturncCst|tr t|dSt|trIi}d|vrd|vr|d|d<tjD] }||vr.||||<q"ztdi|WStyHd|}t|dwd|}t|)a Backward-compatibility for LoginHandler.get_user Prior to 2.0, LoginHandler.get_user could return anything truthy. Typically, this was either a simple string username, or a simple dict. Make some effort to allow common patterns to keep working. )rrrzUnrecognized user: Nr') isinstancerrdict__dataclass_fields__ TypeErrorr*)r1kwargsfieldr+r'r'r(_backward_compat_userUs$         r9c@seZdZUdZeddeddZded<ededdZ e d dded d Z d ed <ededdZ ededdj ddZded<edejdeddZedejdeddZdZedddZe dZd ed<d^d!d"Zd_d$d%Zd`d)d*Zdad,d-Zdbd/d0Zdcd2d3Zddd4d5Zded7d8Z dfdgd>d?Z dhd@dAZ!d^dBdCZ"e#$dDe#j%Z&didEdFZ'd_dGdHZ(djdIdJZ)dkdLdMZ*dkdNdOZ+ dldmdTdUZ,d_dVdWZ-e.dXdYZ/e.dZd[Z0e.d\d]Z1d S)nIdentityProvideraC Interface for providing identity management and authentication. Two principle methods: - :meth:`~jupyter_server.auth.IdentityProvider.get_user` returns a :class:`~.User` object for successful authentication, or None for no-identity-found. - :meth:`~jupyter_server.auth.IdentityProvider.identity_model` turns a :class:`~jupyter_server.auth.User` into a JSONable dict. The default is to use :py:meth:`dataclasses.asdict`, and usually shouldn't need override. Additional methods can customize authentication. .. versionadded:: 2.0 rTzJName of the cookie to set for persisting login. Default: username-${Host}.confighelpz str | Unicode cookie_nameziExtra keyword arguments to pass to `set_secure_cookie`. See tornado's set_secure_cookie docs for details.NzSpecify whether login cookie should have the `secure` property (HTTPS-only).Only needed when protocol-detection gives the wrong answer due to proxies.) allow_noner<r=z bool | Bool secure_cookieziExtra keyword arguments to pass to `get_secure_cookie`. See tornado's get_secure_cookie docs for details.z aToken used for authenticating first-time connections to the server. The token can be read from the file referenced by JUPYTER_TOKEN_FILE or set directly with the JUPYTER_TOKEN environment variable. When no password is enabled, the default is to generate a new, random token. Setting to an empty string disables authentication altogether, which is NOT RECOMMENDED. Prior to 2.0: configured as ServerApp.token )r=)r<tokenz*jupyter_server.auth.login.LoginFormHandlerz'The login handler class to use, if any.) default_valueklassr<r=z(jupyter_server.auth.logout.LogoutHandlerz The logout handler class to use.FcCstdr d|_tjdStdr0d|_ttjd }|WdS1s+wY|js8d|_dSd|_tt d dS)N JUPYTER_TOKENFJUPYTER_TOKEN_FILErTascii) osgetenvtoken_generatedenvironopenread need_tokenbinasciihexlifyurandomdecode)r& token_filer'r'r(_token_defaults    zIdentityProvider._token_defaultrNhandlerrr2$User | None | Awaitable[User | None]cCs ||S)zGet the authenticated user for a request Must return a :class:`jupyter_server.auth.User`, though it may be a subclass. Return None if the request is not authenticated. _may_ be a coroutine ) _get_userr&rUr'r'r(get_users zIdentityProvider.get_user User | Nonec st|ddr |jS||}t|tr|IdH}|}||}t|tr*|IdH}|}|p/|}|durE|durE||krB|||d|_|durs||}| |}|dure|j d|| ||j ss||}||||S) Get the user._jupyter_current_userNTz&Clearing invalid/expired login cookie )getattrr\get_user_tokenr3rget_user_cookieset_login_cookie_token_authenticatedget_cookie_name get_cookielogwarningclear_login_cookie auth_enabledgenerate_anonymous_user) r&rU _token_user token_user _cookie_user cookie_useruserr>cookier'r'r(rWs4             zIdentityProvider._get_userrmrr4cCst|S)z"Return a User as an Identity model)r)r&rmr'r'r(identity_modelszIdentityProvider.identity_modellistcCs4g}|jr |d|jf|jr|d|jf|S)zwReturn list of additional handlers for this identity provider For example, an OAuth callback handler. z/loginz/logout)login_availableappendlogin_handler_classlogout_availablelogout_handler_class)r&handlersr'r'r( get_handlerss zIdentityProvider.get_handlersrcCs$t|j|j|j|j|jd}|S)zSerialize a user to a string for storage in a cookie If overriding in a subclass, make sure to define user_from_cookie as well. Default is just the user's username. )rrrr r")jsondumpsrrrr r")r&rmrnr'r'r(user_to_cookie%s zIdentityProvider.user_to_cookie cookie_valuecCs0t|}t|d|d|d|dd|dS)zInverse of user_to_cookierrrr Nr")rxloadsr)r&r{rmr'r'r(user_from_cookie8s z!IdentityProvider.user_from_cookiecCs"|jr|jStdd|jjS)zReturn the login cookie name Uses IdentityProvider.cookie_name, if defined. Default is to generate a string taking host into account to avoid collisions for multiple servers on one hostname with different ports. -z username-)r> _non_alphanumsubrequesthostrXr'r'r(rbDsz IdentityProvider.get_cookie_nameNonecCs|i}||j|dd|j}|dur|jjdk}|r#|dd|d|j||}|j|| |fi|dS)z9Call this on handlers to set the login cookie for successhttponlyTNhttpssecurepath) updatecookie_options setdefaultr@rprotocolbase_urlrbset_secure_cookierz)r&rUrmrr@r>r'r'r(r`Ps     z!IdentityProvider.set_login_cookie/rrdomainrcCsrt|}tjjtjjdtjdd}t}||ddt ||d<||d<|r/||d<| d | d S) aDeletes the cookie with the given name. Tornado's cookie handling currently (Jan 2018) stores cookies in a dict keyed by name, so it can only modify one cookie with a given name per response. The browser can store multiple cookies with the same name but different domains and/or paths. This method lets us clear multiple cookies with the same name. Due to limitations of the cookie protocol, you must pass the same path and domain to clear a cookie as were used when that cookie was set (but there is no way to find out on the server side which values were used for a given cookie). )tzim)daysrz""expiresrrz Set-CookieN) r native_strdatetimenowtimezoneutc timedeltarsetr format_timestamp add_header OutputString)r&rUrrrrmorselr'r'r(_force_clear_cookie`s z$IdentityProvider._force_clear_cookiecCsZi}||j|d|j}||}|j||d|r)|dkr+|||dSdSdS)zr'r'r(rf{s   z#IdentityProvider.clear_login_cookiec Cs|j||fi|j}|sdS|}z||WStyB}z|jjd|dd|jd|WYd}~dSd}~ww)z[Get user from a cookie Calls user_from_cookie to deserialize cookie value Nz)Error unpacking user from cookie: cookie=T)exc_infoz"Error unpacking user from cookie: ) get_secure_cookierbget_secure_cookie_kwargsrRr} Exceptionrddebugerror)r&rU _user_cookie user_cookieer'r'r(r_s  z IdentityProvider.get_user_cookiez(token|bearer)\s+(.+)cCs:|dd}|s|j|jjdd}|r|d}|S)zGet the user token from a request Default: - in URL parameters: ?token= - in header: Authorization: token rAr Authorization) get_argumentauth_header_patmatchrheadersgetgroup)r&rU user_tokenmr'r'r( get_tokens  zIdentityProvider.get_tokencs||j}|sdS||}d}||kr|jd|jjd}|r<||}t|tr/|IdH}|}|dur:| |}|SdS)zIdentify the user based on a token in the URL or Authorization header Returns: - uuid if authenticated - None if not NFz-Accepting token-authenticated request from %sT) rArrdrr remote_ipr_r3rrh)r&rUrAr authenticated_userrmr'r'r(r^s*     zIdentityProvider.get_user_tokencCsTtj}t}d|}}d|d}d}|jd|t||||d|S)zGenerate a random anonymous user. For use when a single shared token is used, but does not identify a user. z Anonymous ArNz5Generating new user for token-authenticated request: )uuiduuid4hexrrdinfor)r&rUuser_idmoonrrr r"r'r'r(rhs z(IdentityProvider.generate_anonymous_userboolcCs || S)a3Should the Handler check for CORS origin validation? Origin check should be skipped for token-authenticated requests. Returns: - True, if Handler must check for valid CORS origin. - False, if Handler should skip origin check since requests are token-authenticated. )is_token_authenticatedrXr'r'r(should_check_origins z$IdentityProvider.should_check_origincCs|jt|ddS)zReturns True if handler has been token authenticated. Otherwise, False. Login with a token is used to signal certain things, such as: - permit access to REST API - xsrf protection - skip origin-checks for scripts raF) current_userr]rXr'r'r(rs z'IdentityProvider.is_token_authenticatedappr ssl_options dict | NonecCs^|js"d}|dur|j|d|js |j|ddSdS|js-|jddSdS)z~Check the application's security. Show messages, or abort if necessary, based on the security configuration. zr0r rr r@rtagrArr RequestHandlerrsrurJrrTrNrYrWrorwrzr}rbr`rrfr_recompile IGNORECASErrr^rhrrrrpropertyrgrqrtr'r'r'r(r:rs      -        #     r:cseZdZdZeddeddZeddeddZeddeddZ e d d d Z e d!ddZ e d!ddZddZd"ddZ d#d$fdd ZZS)%PasswordIdentityProviderzA password identity provider.rTa  Hashed password to use for web authentication. To generate, type in a python/IPython shell: from jupyter_server.auth import passwd; passwd() The string should be of the form type:salt:hashed-password. r;Fao Forces users to use a password for the Jupyter server. This is useful in a multi user environment, for instance when everybody in the LAN can access each other's machine through ssh. In such a case, serving on localhost is not secure since any user can connect to the Jupyter server via ssh. a Allow password to be changed at login for the Jupyter server. While logging in with a token, the Jupyter server UI will give the opportunity to the user to enter a new password at the same time that will replace the token login mechanism. This can be set to False to prevent changing password from the UI/API. rNcCs t|j Sr#)rhashed_passwordr%r'r'r(_need_token_defaultj z,PasswordIdentityProvider._need_token_defaultr2rcCrrrr%r'r'r(rqnrz(PasswordIdentityProvider.login_availablecCst|jp|jS)z"Return whether any auth is enabled)rrrAr%r'r'r(rgssz%PasswordIdentityProvider.auth_enabledcCs t|j|S)z1Check password against our stored hashed password)rr)r&rr'r'r(rxrz%PasswordIdentityProvider.passwd_checkrUrrZcCs|jddd}|jddd}d}|js|jd||S||r*|s*||S|jr\|j|kr\||}|r\|jr\|j dd}t j |d}t ||d |_|jtd ||S) rrrr new_passwordNr config_dirzjupyter_server_config.json) config_filezWrote hashed password to )rrgrdrerhrrAallow_password_changesettingsrrHrjoinrrrr)r&rUrrrmrrr'r'r(r|s      z+PasswordIdentityProvider.process_login_formNrrrrrcs`t|||jr,|js.|jtd|jtd|jtdtddSdSdS)zHandle security validation.>Jupyter servers are configured to only be run with a password.1Hint: run the following command to set a password) $ python -m jupyter_server.auth passwordrN) superrpassword_requiredrrdcriticalrsysexitr&rr __class__r'r(rs z*PasswordIdentityProvider.validate_security)r2rrr#r)r,r-r.r/rrrr rrrrrrqrgrrr __classcell__r'r'rr(r7sB    rc@szeZdZdZeZedddZedddZe dd Z dddZ e ddZ d ddZ d ddZ d!d"ddZdS)#LegacyIdentityProviderzLegacy IdentityProvider for use with custom LoginHandlers Login configuration has moved from LoginHandler to IdentityProvider in Jupyter Server 2.0. rcCs|j|jdS)N)rAr)rArr%r'r'r(_default_settingssz(LegacyIdentityProvider._default_settingsrscCsddlm}|S)Nr)LegacyLoginHandler)loginr)r&rr'r'r(_default_login_handler_classs z3LegacyIdentityProvider._default_login_handler_classcCrr#)rqr%r'r'r(rgsz#LegacyIdentityProvider.auth_enabledrUrr2rZcCs |j|}|dur dSt|S)r[N)rsrYr9)r&rUrmr'r'r(rYs zLegacyIdentityProvider.get_usercCs|j|jSr#)rsget_login_availablerr%r'r'r(rqsz&LegacyIdentityProvider.login_availablercC |j|S)zWhether we should check origin.)rsrrXr'r'r(rrz*LegacyIdentityProvider.should_check_origincCr)z#Whether we are token authenticated.)rsrrXr'r'r(rrz-LegacyIdentityProvider.is_token_authenticatedNrrrrrcCsT|jr#|js#|jtd|jtd|jtdtd|j||S)zValidate security.rrrr) rrrdrrrrrsrrr'r'r(rs  z(LegacyIdentityProvider.validate_securityrrr#r)r,r-r.r/r rrrrrrgrYrqrrrr'r'r'r(rs        r)r1rr2r)1r/ __future__rrOrrxrHrrr dataclassesrr http.cookiesrtypingrrrtornador r r traitletsr r rrrtraitlets.configrjupyter_server.transutilsrsecurityrrutilsrjupyter_server.base.handlersrjupyter_server.serverapprrrrr9r:rrr'r'r'r(s>         .Hm