o T۷i!@sddlmZddlZddlZddlmZddlmZddl m Z ddl m Z m Z ddlmZmZdd lmZdd lmZmZdd lmZGd d d ZdS)) annotationsN) lru_cache) SSLContext)Any) HTTPErrorURLError)PyJWKPyJWKSet)decode_complete)PyJWKClientConnectionErrorPyJWKClientError) JWKSetCachec@sjeZdZ       d.d/ddZd0ddZd1d2ddZd1d3d d!Zd4d$d%Zd5d(d)Ze d6d,d-Z dS)7 PyJWKClientFT,Nuristr cache_keysboolmax_cached_keysint cache_jwk_setlifespanfloatheadersdict[str, Any] | Nonetimeout ssl_contextSSLContext | Nonec Csz|duri}||_d|_||_||_||_|r)|dkr#td|dt||_nd|_|r;t|d|j} | |_dSdS)uA client for retrieving signing keys from a JWKS endpoint. ``PyJWKClient`` uses a two-tier caching system to avoid unnecessary network requests: **Tier 1 — JWK Set cache** (enabled by default): Caches the entire JSON Web Key Set response from the endpoint. Controlled by: - ``cache_jwk_set``: Set to ``True`` (the default) to enable this cache. When enabled, the JWK Set is fetched from the network only when the cache is empty or expired. - ``lifespan``: Time in seconds before the cached JWK Set expires. Defaults to ``300`` (5 minutes). Must be greater than 0. **Tier 2 — Signing key cache** (disabled by default): Caches individual signing keys (looked up by ``kid``) using an LRU cache with **no time-based expiration**. Keys are evicted only when the cache reaches its maximum size. Controlled by: - ``cache_keys``: Set to ``True`` to enable this cache. Defaults to ``False``. - ``max_cached_keys``: Maximum number of signing keys to keep in the LRU cache. Defaults to ``16``. :param uri: The URL of the JWKS endpoint. :type uri: str :param cache_keys: Enable the per-key LRU cache (Tier 2). :type cache_keys: bool :param max_cached_keys: Max entries in the signing key LRU cache. :type max_cached_keys: int :param cache_jwk_set: Enable the JWK Set response cache (Tier 1). :type cache_jwk_set: bool :param lifespan: TTL in seconds for the JWK Set cache. :type lifespan: float :param headers: Optional HTTP headers to include in requests. :type headers: dict or None :param timeout: HTTP request timeout in seconds. :type timeout: float :param ssl_context: Optional SSL context for the request. :type ssl_context: ssl.SSLContext or None Nrz/Lifespan must be greater than 0, the input is "")maxsize) r jwk_set_cacherrrr rrget_signing_key) selfrrrrrrrrr$r&E/home/ubuntu/vllm_env/lib/python3.10/site-packages/jwt/jwks_client.py__init__s$5   zPyJWKClient.__init__returnrc Csd}z\z,tjj|j|jd}tjj||j|jd }t |}Wdn1s)wYWn t t fyO}zt |t rB|td|d|d}~ww|W|jdur^|j|SS|jdurk|j|ww)aeFetch the JWK Set from the JWKS endpoint. Makes an HTTP request to the configured ``uri`` and returns the parsed JSON response. If the JWK Set cache is enabled, the response is stored in the cache. :returns: The parsed JWK Set as a dictionary. :raises PyJWKClientConnectionError: If the HTTP request fails. N)urlr)rcontextz'Fail to fetch data from the url, err: "r!)urllibrequestRequestrrurlopenrrjsonloadr TimeoutError isinstancercloser r#put)r%jwk_setrresponseer&r&r' fetch_data_s4       zPyJWKClient.fetch_datarefreshr cCsHd}|jdur|s|j}|dur|}t|tstdt|S)aNReturn the JWK Set, using the cache when available. :param refresh: Force a fresh fetch from the endpoint, bypassing the cache. :type refresh: bool :returns: The JWK Set. :rtype: PyJWKSet :raises PyJWKClientError: If the endpoint does not return a JSON object. Nz.The JWKS endpoint did not return a JSON object)r#getr:r3dictr r from_dict)r%r;datar&r&r' get_jwk_set|s    zPyJWKClient.get_jwk_set list[PyJWK]cCs*||}dd|jD}|std|S)aReturn all signing keys from the JWK Set. Filters the JWK Set to keys whose ``use`` is ``"sig"`` (or unspecified) and that have a ``kid``. :param refresh: Force a fresh fetch from the endpoint, bypassing the cache. :type refresh: bool :returns: A list of signing keys. :rtype: list[PyJWK] :raises PyJWKClientError: If no signing keys are found. cSs g|] }|jdvr|jr|qS))sigN)public_key_usekey_id).0 jwk_set_keyr&r&r' s z0PyJWKClient.get_signing_keys..z2The JWKS endpoint did not contain any signing keys)r@keysr )r%r;r6 signing_keysr&r&r'get_signing_keyss zPyJWKClient.get_signing_keyskidr cCsH|}|||}|s"|jdd}|||}|s"td|d|S)aReturn the signing key matching the given ``kid``. If no match is found in the current JWK Set, the set is refreshed from the endpoint and the lookup is retried once. :param kid: The key ID to look up. :type kid: str :returns: The matching signing key. :rtype: PyJWK :raises PyJWKClientError: If no matching key is found after refreshing. T)r;z,Unable to find a signing key that matches: "r!)rJ match_kidr )r%rKrI signing_keyr&r&r'r$s    zPyJWKClient.get_signing_keytoken str | bytescCs(t|ddid}|d}||dS)aGReturn the signing key for a JWT by reading its ``kid`` header. Extracts the ``kid`` from the token's unverified header and delegates to :meth:`get_signing_key`. :param token: The encoded JWT. :type token: str or bytes :returns: The matching signing key. :rtype: PyJWK verify_signatureF)optionsheaderrK) decode_tokenr$r<)r%rN unverifiedrRr&r&r'get_signing_key_from_jwts z$PyJWKClient.get_signing_key_from_jwtrI PyJWK | NonecCs&d}|D] }|j|kr|}|Sq|S)a7Find a key in *signing_keys* that matches *kid*. :param signing_keys: The list of keys to search. :type signing_keys: list[PyJWK] :param kid: The key ID to match. :type kid: str :returns: The matching key, or ``None`` if not found. :rtype: PyJWK or None N)rD)rIrKrMkeyr&r&r'rLs  zPyJWKClient.match_kid)FrTrNrN)rrrrrrrrrrrrrrrr )r)r)F)r;rr)r )r;rr)rA)rKrr)r )rNrOr)r )rIrArKrr)rV) __name__ __module__ __qualname__r(r:r@rJr$rU staticmethodrLr&r&r&r'rs  N    r) __future__rr0urllib.requestr, functoolsrsslrtypingr urllib.errorrrapi_jwkr r api_jwtr rS exceptionsr r r#rrr&r&r&r's