o ^it@sDdZddlmZddlZddlZddlZddlZddlZddlZddl Z ddl Z ddl m Z mZddlmZddlmZmZmZddlmZmZmZmZmZmZmZmZmZddlm Z dd l!m"Z"d d l#m$Z$m%Z%d d l&m'Z'e(d Z)e j*dZ+eGdddZ,dddZ-Gddde Z.Gddde.Z/Gddde/Z0dS)zIdentity Provider interface This defines the _authentication_ layer of Jupyter Server, to be used in combination with Authorizer for _authorization_. .. versionadded:: 2.0 ) annotationsN)asdict dataclass)Morsel)escapehttputilweb) BoolDictEnumList TraitErrorTypeUnicodedefaultvalidate)LoggingConfigurable)_i18n) passwd_check set_password)get_anonymous_usernamez [^A-Za-z0-9]name display_nameinitials avatar_urlcolorc@sfeZdZUdZded<dZded<dZded<dZded <dZded <dZ ded <d d Z ddZ dS)UserziObject representing a User This or a subclass should be returned from IdentityProvider.get_user strusernamerrN str | NonerrrcCs |dSN) fill_defaultsselfr'W/home/ubuntu/hpml_nyu/venv/lib/python3.10/site-packages/jupyter_server/auth/identity.py __post_init__>s zUser.__post_init__cCs<|js d|}t||js|j|_|js|j|_dSdS)zFill out default fields in the identity model - Ensures all values are defined - Fills out derivative values for name fields fields - Fills out null values for optional fields z!user.username must not be empty: N)r ValueErrorrr)r&msgr'r'r(r$As  zUser.fill_defaults) __name__ __module__ __qualname____doc____annotations__rrrrrr)r$r'r'r'r(r&s       rgot_usert.AnyreturncCst|tr t|dSt|trIi}d|vrd|vr|d|d<tjD] }||vr.||||<q"ztdi|WStyHd|}t|dwd|}t|)a Backward-compatibility for LoginHandler.get_user Prior to 2.0, LoginHandler.get_user could return anything truthy. Typically, this was either a simple string username, or a simple dict. Make some effort to allow common patterns to keep working. )r r rzUnrecognized user: Nr') isinstancerrdict__dataclass_fields__ TypeErrorr*)r1kwargsfieldr+r'r'r(_backward_compat_userUs$         r:c@s"eZdZUdZeddeddZded<ededdZ e d dded d Z d ed <ededdZ ededdj ddZded<edejdeddZedejdeddZeeeeedgdeddZdZedddZedd d!Ze dZ d"ed#<dpd(d)Z!dqd+d,Z"drd0d1Z#dsd3d4Z$dtd6d7Z%dud8d9Z&dvdd S)IdentityProvideraC Interface for providing identity management and authentication. Two principle methods: - :meth:`~jupyter_server.auth.IdentityProvider.get_user` returns a :class:`~.User` object for successful authentication, or None for no-identity-found. - :meth:`~jupyter_server.auth.IdentityProvider.identity_model` turns a :class:`~jupyter_server.auth.User` into a JSONable dict. The default is to use :py:meth:`dataclasses.asdict`, and usually shouldn't need override. Additional methods can customize authentication. .. versionadded:: 2.0 r!TzJName of the cookie to set for persisting login. Default: username-${Host}.confighelpzstr | Unicode[str, str | bytes] cookie_nameziExtra keyword arguments to pass to `set_secure_cookie`. See tornado's set_secure_cookie docs for details.NzSpecify whether login cookie should have the `secure` property (HTTPS-only).Only needed when protocol-detection gives the wrong answer due to proxies.) allow_noner=r>z+bool | Bool[bool | None, bool | int | None] secure_cookieziExtra keyword arguments to pass to `get_secure_cookie`. See tornado's get_secure_cookie docs for details.z aToken used for authenticating first-time connections to the server. The token can be read from the file referenced by JUPYTER_TOKEN_FILE or set directly with the JUPYTER_TOKEN environment variable. When no password is enabled, the default is to generate a new, random token. Setting to an empty string disables authentication altogether, which is NOT RECOMMENDED. Prior to 2.0: configured as ServerApp.token )r>)r=tokenz*jupyter_server.auth.login.LoginFormHandlerz'The login handler class to use, if any.) default_valueklassr=r>z(jupyter_server.auth.logout.LogoutHandlerz The logout handler class to use.rz5List of fields in the User model that can be updated.)traitrCr=r>FcCstdr d|_tjdStdr0d|_ttjd }|WdS1s+wY|js8d|_dSd|_tt d dS)N JUPYTER_TOKENFJUPYTER_TOKEN_FILEr!Tascii) osgetenvtoken_generatedenvironopenread need_tokenbinasciihexlifyurandomdecode)r& token_filer'r'r(_token_defaults    zIdentityProvider._token_defaultupdatable_fieldscsBtttfdd|dD}|rd|}t||dS)z7Validate that all fields in updatable_fields are valid.csg|]}|vr|qSr'r').0r9valid_updatable_fieldsr'r( sz?IdentityProvider._validate_updatable_fields..valuez$Invalid fields in updatable_fields: )listtget_argsUpdatableFieldr )r&proposalinvalid_fieldsr+r'rYr(_validate_updatable_fieldss  z+IdentityProvider._validate_updatable_fieldsz%bool | Bool[bool, t.Union[bool, int]]rPhandlerweb.RequestHandlerr3&User | None | t.Awaitable[User | None]cCs ||S)zGet the authenticated user for a request Must return a :class:`jupyter_server.auth.User`, though it may be a subclass. Return None if the request is not authenticated. _may_ be a coroutine ) _get_userr&rdr'r'r(get_users zIdentityProvider.get_user User | Nonec st|ddrtt|jS||}t|tjr|IdH}|}||}t|tjr0|IdH}|}|p5|}|durK|durK||krH| ||d|_ |dury| |}| |}|durk|j d||||jsy||}| |||S) Get the user._jupyter_current_userNTz&Clearing invalid/expired login cookie )getattrr^castrrlget_user_tokenr4 Awaitableget_user_cookieset_login_cookie_token_authenticatedget_cookie_name get_cookielogwarningclear_login_cookie auth_enabledgenerate_anonymous_user) r&rd _token_user token_user _cookie_user cookie_useruserr?cookier'r'r(rgs4             zIdentityProvider._get_user user_datadict[UpdatableField, str]rcCs2||tt|j}|||}|||S)z3Update user information and persist the user model.) check_updater^rnr current_userupdate_user_modelpersist_user_model)r&rdrr updated_userr'r'r( update_user(s   zIdentityProvider.update_userNonecCs,|D]}||jvrd|d}t|qdS)z2Raises if some fields to update are not updatable.zField z is not updatableN)rWr*)r&rr9r+r'r'r(r2s   zIdentityProvider.check_updatercCtzUpdate user information.NotImplementedError)r&rrr'r'r(r9z"IdentityProvider.update_user_modelcCr)z'Persist the user model (i.e. a cookie).rrhr'r'r(r=rz#IdentityProvider.persist_user_modelrdict[str, t.Any]cCst|S)z"Return a User as an Identity model)r)r&rr'r'r(identity_modelAszIdentityProvider.identity_modellist[tuple[str, object]]cCs4g}|jr |d|jf|jr|d|jf|S)zwReturn list of additional handlers for this identity provider For example, an OAuth callback handler. z/loginz/logout)login_availableappendlogin_handler_classlogout_availablelogout_handler_class)r&handlersr'r'r( get_handlersFs zIdentityProvider.get_handlersrcCs$t|j|j|j|j|jd}|S)zSerialize a user to a string for storage in a cookie If overriding in a subclass, make sure to define user_from_cookie as well. Default is just the user's username. )r rrrr)jsondumpsr rrrr)r&rrr'r'r(user_to_cookieRs zIdentityProvider.user_to_cookie cookie_valuecCs0t|}t|d|d|d|dd|dS)zInverse of user_to_cookier rrrNr)rloadsr)r&rrr'r'r(user_from_cookiees z!IdentityProvider.user_from_cookiecCs"|jr|jStdd|jjS)zReturn the login cookie name Uses IdentityProvider.cookie_name, if defined. Default is to generate a string taking host into account to avoid collisions for multiple servers on one hostname with different ports. -z username-)r? _non_alphanumsubrequesthostrhr'r'r(rtqsz IdentityProvider.get_cookie_namecCs|i}||j|dd|j}|dur|jjdk}|r#|dd|d|j||}|j|| |fi|dS)z9Call this on handlers to set the login cookie for successhttponlyTNhttpssecurepath) updatecookie_options setdefaultrArprotocolbase_urlrtset_secure_cookier)r&rdrrrAr?r'r'r(rr}s     z!IdentityProvider.set_login_cookie/rrdomainr"cCsrt|}tjjtjjdtjdd}t}||ddt ||d<||d<|r/||d<| d | d S) aDeletes the cookie with the given name. Tornado's cookie handling currently (Jan 2018) stores cookies in a dict keyed by name, so it can only modify one cookie with a given name per response. The browser can store multiple cookies with the same name but different domains and/or paths. This method lets us clear multiple cookies with the same name. Due to limitations of the cookie protocol, you must pass the same path and domain to clear a cookie as were used when that cookie was set (but there is no way to find out on the server side which values were used for a given cookie). )tzim)daysr!z""expiresrrz Set-CookieN) r native_strdatetimenowtimezoneutc timedeltarsetrformat_timestamp add_header OutputString)r&rdrrrrmorselr'r'r(_force_clear_cookies z$IdentityProvider._force_clear_cookiecCsZi}||j|d|j}||}|j||d|r)|dkr+|||dSdSdS)z - in header: Authorization: token rBr! Authorization) get_argumentauth_header_patmatchrheadersgetgroup)r&rd user_tokenmr'r'r( get_tokens  zIdentityProvider.get_tokencstd|j}|s dS||}d}||kr"|jd|jjd}|rA||}t |tj r4|IdH}|}|dur?| |}|SdS)zIdentify the user based on a token in the URL or Authorization header Returns: - uuid if authenticated - None if not r"NFz-Accepting token-authenticated request from %sT) r^rnrBrrvrr remote_iprqr4rprz)r&rdrBr authenticated_userrr'r'r(ros*     zIdentityProvider.get_user_tokencCsTtj}t}d|}}d|d}d}|jd|t||||d|S)zGenerate a random anonymous user. For use when a single shared token is used, but does not identify a user. z Anonymous ArNz5Generating new user for token-authenticated request: )uuiduuid4hexrrvrr)r&rduser_idmoonrrrrr'r'r(rzs z(IdentityProvider.generate_anonymous_userboolcCs || S)a3Should the Handler check for CORS origin validation? Origin check should be skipped for token-authenticated requests. Returns: - True, if Handler must check for valid CORS origin. - False, if Handler should skip origin check since requests are token-authenticated. )is_token_authenticatedrhr'r'r(should_check_origins z$IdentityProvider.should_check_origincCs|jt|ddS)zReturns True if handler has been token authenticated. Otherwise, False. Login with a token is used to signal certain things, such as: - permit access to REST API - xsrf protection - skip origin-checks for scripts rsF)rrmrhr'r'r(rs z'IdentityProvider.is_token_authenticatedappr2 ssl_optionsdict[str, t.Any] | NonecCs^|js"d}|dur|j|d|js |j|ddSdS|js-|jddSdS)z~Check the application's security. Show messages, or abort if necessary, based on the security configuration. zJupyter servers are configured to only be run with a password.1Hint: run the following command to set a password) $ python -m jupyter_server.auth passwordrN) superrpassword_requiredrrvcriticalrsysexitr&rr __class__r'r(rs z*PasswordIdentityProvider.validate_securityr3rrrrr#r)r,r-r.r/rrrr rrrrrrrryrrrrr __classcell__r'r'rr(rfsJ       rc@s|eZdZdZeZedddZedddZe dd Z dddZ e d ddZ d!ddZ d!ddZ d"d#ddZdS)$LegacyIdentityProviderzLegacy IdentityProvider for use with custom LoginHandlers Login configuration has moved from LoginHandler to IdentityProvider in Jupyter Server 2.0. rcCs|j|jdS)N)rBr)rBrr%r'r'r(_default_settingssz(LegacyIdentityProvider._default_settingsrcCsddlm}|S)Nr)LegacyLoginHandler)loginr)r&rr'r'r(_default_login_handler_classs z3LegacyIdentityProvider._default_login_handler_classcCrr#)rr%r'r'r(rysz#LegacyIdentityProvider.auth_enabledrdrer3rjcCs |j|}|dur dSt|S)rkN)rrir:)r&rdrr'r'r(ris zLegacyIdentityProvider.get_userrcCst|j|jSr#)rrget_login_availablerr%r'r'r(r s z&LegacyIdentityProvider.login_availablecCt|j|S)zWhether we should check origin.)rrrrhr'r'r(rz*LegacyIdentityProvider.should_check_origincCr)z#Whether we are token authenticated.)rrrrhr'r'r(rrz-LegacyIdentityProvider.is_token_authenticatedNrr2rrrcCsX|jr#|js#|jtd|jtd|jtdtd|j||dS)zValidate security.r r r rN) rrrvrrrrrrrr'r'r(rs  z(LegacyIdentityProvider.validate_securityrrrr#r)r,r-r.r/r rrrrrryrirrrrr'r'r'r(rs        r)r1r2r3r)1r/ __future__rrQrrrJrrtypingr^r dataclassesrr http.cookiesrtornadorrr traitletsr r r r r rrrrtraitlets.configrjupyter_server.transutilsrsecurityrrutilsrrrLiteralr`rr:r;rrr'r'r'r(s<  ,      .w