a o½Df¶£ã @s¨ddlZddlZddlZddlZddlZddlZddlZddlZddl Z ddl m Z ddl Z ddlmZddlmZddlZddlmZddlmZddlmZmZddlmZmZmZddlmZd d lmZd d l m!Z!d d l"m#Z#m$Z$m%Z%m&Z&m'Z'd d l(m)Z)d dl*m+Z+m,Z,e -e.¡Z/dZ0dZ1dd„Z2dd„Z3dd„Z4dd„Z5Gdd„dej6jeƒZ7Gdd„de7ƒZ8Gdd„de8ƒZ9Gdd „d e8ƒZ:Gd!d"„d"e7ƒZ;Gd#d$„d$e7ƒZGd)d*„d*e7ƒZ?Gd+d,„d,e7ƒZ@Gd-d.„d.e7ƒZAGd/d0„d0e7ƒZBGd1d2„d2eƒZCGd3d4„d4ej6jƒZDGd5d6„d6eƒZEGd7d8„d8eEƒZFe=e?e@eeAe9e:d9œ ZGe!d:ƒD]ZHeH I¡eGeHjJ<qteKeG L¡ƒejM Nd;¡d<_NdS)=éN)Úurlsafe_b64encode)Úpartial)Ú AuthProvider)Ú OAuth2Mixin)Ú HTTPErrorÚ HTTPRequest)rÚRequestHandlerÚdecode_signed_value)ÚWebSocketHandleré)Úconfig)Úentry_points_for)ÚBASIC_LOGIN_TEMPLATEÚCDN_DISTÚERROR_TEMPLATEÚLOGOUT_TEMPLATEÚ_env)Ústate)Úbase64url_encodeÚ decode_tokenzpanel-oauth-statezpanel-oauth-codecCs^zt |jd¡}Wn ty2t |jd¡}Yn0t dd|¡}t dd|¡}t |¡}|S)z° Decodes the JSON-format response body Arguments --------- response: tornado.httpclient.HTTPResponse Returns ------- Decoded response content Úasciiúutf-8ú"ú')ÚcodecsÚdecodeÚbodyÚ ExceptionÚreÚsubÚjsonÚloads)Úresponser©r#úW/nfs/NAS7/SABIOD/METHODE/ermites/ermites_venv/lib/python3.9/site-packages/panel/auth.pyÚdecode_response_body&s   r%cCs | || d|›dg¡¡dS)zH Extracts a request argument from a urllib.parse.parse_qs dict. z/?Nr)Úget)ÚargsÚkeyr#r#r$Úextract_urlparam=sr)cCs t |¡}t | d¡¡ d¡S)zCSerialize OAuth state to a base64 string after passing through JSONÚutf8r)r ÚdumpsÚbase64rÚencoder)rÚ json_stater#r#r$Ú_serialize_stateDs r/cCs€t|tƒr| d¡}zt |¡ d¡}Wn"tyJt d|¡iYS0z t   |¡WStyzt d|¡iYS0dS)z9Deserialize OAuth state as serialized in _serialize_staterr*zFailed to b64-decode state: %rzFailed to json-decode state: %rN) Ú isinstanceÚstrr-r,Úurlsafe_b64decoderÚ ValueErrorÚlogÚerrorr r!)Z b64_stater.r#r#r$Ú_deserialize_stateJs        r6c@sªeZdZdddœZgd¢ZddiZdZdZeZ dZ e d d „ƒZ d$d d „Z d%d d„Zdd„Zdd„Zdd„Zdd„Zdd„Zdd„Zdd„Zd&dd„Zd'd d!„Zd"d#„ZdS)(ÚOAuthLoginHandlerúapplication/jsonú Tornado OAuth©ÚAcceptz User-Agent)ÚopenidÚemailÚprofileZoffline_accessÚ grant_typeÚauthorization_codeNú/logincCs>dtjvrtjdSdtjvr$|jSdd„tjd d¡DƒS)NÚscopeZPANEL_OAUTH_SCOPEcSsg|]}|‘qSr#r#)Ú.0rBr#r#r$Ú uóz,OAuthLoginHandler._SCOPE..ú,)r Úoauth_extra_paramsÚosÚenvironÚ_DEFAULT_SCOPESÚsplit©Úselfr#r#r$Ú_SCOPEos    zOAuthLoginHandler._SCOPEc Ãsª|r(|j||||dIdH\}}}}|S|||dd|idœ}dtjvrXtjd|dd<|jdurl|j|d<dtjvr„tjd|d<t d t|ƒj¡|jfi|¤ŽdS) aÓ Fetches the authenticated user Arguments --------- redirect_uri: (str) The OAuth redirect URI client_id: (str) The OAuth client ID state: (str) The unguessable random string to protect against cross-site request forgery attacks client_secret: (str, optional) The client secret code: (str, optional) The response code from the server )Ú client_secretÚcodeNrPr)Ú redirect_uriÚ client_idrOÚ response_typeÚ extra_paramsZaudiencerTrBz%s making authorize request) Ú_fetch_access_tokenr rGrNr4ÚdebugÚtypeÚ__name__Zauthorize_redirect) rMrQrRrrOrPÚuserÚ_Úparamsr#r#r$Úget_authenticated_userws.üÿû    z(OAuthLoginHandler.get_authenticated_userc Ãs:t dt|ƒj¡d|i|j¥}|r,||d<|jrBd |j¡|d<|rN||d<|rhd} ||d<d|d <nd } |rz||d <n |rŽ|j||d n | ¡|d <|  ¡} t |j dt   |¡|jd} z|  | ¡IdH} WnHty} z.t dt|ƒj¡|j| jddWYd} ~ n d} ~ 00| jr0t| ƒ}sLt dt|ƒj¡| | ¡d|vr‚|rrt dt|ƒj¡dS|j| |dd| d¡}|ršt|ƒ}|d| d¡}}| rÀd|||fS| d¡}rz| ||||¡}WntyøYn 0t dt|ƒj¡||||fSt|jƒ}|jr¬|jrN|j}|j |d¡|d<nd |j|d¡}t dt|ƒj¡z | j||dIdH}t|ƒ}Wntyªd}Yn0|s t dt|ƒj¡zt|dƒ}Wn6ty t d t|ƒj¡|j| |ddYn0t d!t|ƒj¡| ||||¡}||||fS)"aµ Fetches the access token. Arguments --------- client_id: The client ID redirect_uri: The redirect URI code: The response code from the server client_secret: The client secret refresh_token: A token used for refreshing the access_token username: A username password: A password z%s making access token request.rRrQú rBrPTÚ refresh_tokenr?FrO)ÚusernameÚpasswordÚ code_verifierÚPOST)ÚmethodrÚheadersNz%s access token request failed.é‘)Ústatusz6%s token endpoint did not return a valid access token.Ú access_tokenz2%s token endpoint did not reissue an access token.)NNNÚ expires_inÚid_tokenz3%s successfully obtained access_token and id_token.Ú Authorizationz{}{}z%s requesting OpenID userinfo.)rdz¾%s could not fetch user information, the token endpoint did not return an id_token and no OpenID user info endpoint was provided. Attempting to code access_token to resolve user information.z!%s could not decode access_token.z3%s successfully obtained access_token and userinfo.)r4rVrWrXÚ_EXTRA_TOKEN_PARAMSrNÚjoinÚupdateÚget_code_cookieZget_auth_http_clientrÚ_OAUTH_ACCESS_TOKEN_URLÚurlparseÚ urlencodeÚ_API_BASE_HEADERSÚfetchÚHTTPClientErrorÚ _raise_errorr"rr%r&ÚintÚ_on_authrÚdictÚ_OAUTH_USER_URLÚ_access_token_headerÚformatrr)rMrRrQrOrPr^r_r`r[Z refreshingÚhttpÚreqr"ÚerrhrgrirYZ user_headersZuser_urlZ user_responser#r#r$rU¥s¢ÿþ   ü&      ÿ   üz%OAuthLoginHandler._fetch_access_tokencCs8|jdur2|jttjdpd dd¡|_| t¡|jS)z[Get OAuth state from cookies To be compared with the value in redirect URL N©Z max_age_daysrEr*Úreplace)Ú _state_cookieÚget_secure_cookieÚSTATE_COOKIE_NAMEr Ú oauth_expiryrÚ clear_cookierLr#r#r$Úget_state_cookie!s ÿþ z"OAuthLoginHandler.get_state_cookiecCs|jt|tjdddS©NT)Ú expires_daysÚhttponly)Úset_secure_cookierƒr r„)rMrr#r#r$Úset_state_cookie,s ÿz"OAuthLoginHandler.set_state_cookiecCs|jj |jd¡}| d|¡}}|rx| dt d¡¡}t |¡}|jddd|j  d¡d  ¡}||krxt   d||¡t t ¡j|pˆddœƒS)NÚÚnextú\ú/)ÚschemeÚnetlocÚpathzIgnoring next_url %r, using %r)Zstate_idÚnext_url)ÚrequestÚurir€Ú_login_endpointÚ get_argumentrpÚquoteÚ_replacer’ÚlstripÚgeturlr4Úwarningr/ÚuuidÚuuid4Úhex)rMZroot_urlr“Zoriginal_next_urlZurlinfor#r#r$Ú get_state1s ÿ ÿÿzOAuthLoginHandler.get_statecCsPt ¡jt ¡jt ¡j}t | d¡¡ ¡}t|ƒ d¡  dd¡}||fS)Nrú=rŒ) rržrŸÚhashlibÚsha256r-Údigestrrr€)rMraZhashed_code_verifierÚcode_challenger#r#r$Úget_codeEszOAuthLoginHandler.get_codecCs*|jttjdpd dd¡}| t¡|S)NrrEr*r€)r‚ÚCODE_COOKIE_NAMEr r„rr…©rMrPr#r#r$rnKs z!OAuthLoginHandler.get_code_cookiecCs|jt|tjdddSr‡)rŠr§r r„r¨r#r#r$Úset_code_cookiePs ÿz!OAuthLoginHandler.set_code_cookiec Ãsºt dt|ƒj¡tjr tj}nd |jj|jj ¡}|tj dœ}|  di¡}|rlt   |¡}dd„| ¡Dƒ}|  dt|dƒ¡}|  dt|dƒ¡}|  d t|d ƒ¡}|duræ|  d t|d ƒ¡}|sÄ|}t d t|ƒj|¡td ||d ‚| ¡}|r†||krt d||¡td ddd ‚t|ƒ} | tj||dœ¡|jfi|¤ŽIdH} | dur`tddƒ‚t dt|ƒj¡| |  dd¡¡n0| ¡|d<} | | ¡|jfi|¤ŽIdHdS)Nz%s received login requestz {0}://{1})rQrRrcSs i|]\}}| d¡d|“qS)ú?éÿÿÿÿ)rK)rCÚargÚvaluer#r#r$Ú grEz)OAuthLoginHandler.get..rPrr5Úerror_descriptionz2%s failed to authenticate with following error: %sre©ÚreasonúOAuth state mismatch: %s != %sz=OAuth state mismatch. Please restart the authentication flow.zstate mismatch)rOrPré“zPermissions unknown.ú'%s authorized user, redirecting to app.r“r)r4rVrWrXr Úoauth_redirect_urir{r”ÚprotocolÚhostÚ oauth_keyr—rpÚparse_qsÚitemsr)r5rr†rœr6rmÚ oauth_secretr\Úredirectr&r r‹) rMrQr[Únext_argrPÚ url_stater5Ú error_msgÚ cookie_staterrYr#r#r$r&Us^þþ   ÿ þ ý   zOAuthLoginHandler.getc CsPt|tƒrt|ƒ}n|}tt |¡ƒ}tjp0|j}||vrD||}nt   dt |ƒj |¡t ddƒ‚| d¡|jd|tjdtjr¾tj | d¡¡}tj | d¡¡}|r¾tj | d¡¡}|jd|tjd|jd |tjd|rtj tjj¡ ¡}|jd tt||ƒƒtjd|r2|jd |tjd|tjvrLtj |d¡|S) Nz-%s token payload did not contain expected %r.rez,OAuth token payload missing user informationÚis_guestrY©rˆrrgrir„r^)r0r1rrr r+r Zoauth_jwt_userÚ _USER_KEYr4r5rWrXrr…rŠr„rÚ encryptionÚencryptr-ÚdtÚdatetimeÚnowÚtimezoneÚutcÚ timestamprvÚ_oauth_user_overridesÚpop) rMrirgr^rhÚdecodedZuser_keyrYÚnow_tsr#r#r$rw“s8     ÿ   zOAuthLoginHandler._on_authécCsœz|p t|ƒ}Wntjjy*|}Yn0|jj dd¡}|jr`t |›d|j›d|›¡nt  |›d|›d¡t ||  dt |ƒ¡|  dd ¡d ‚dS) NÚ LoginHandlerrŒz OAuth provider returned a z error. The full response was: zN OAuth provider failed to fully authenticate returning the following response:Ú.r¯r5z Unknown errorr°) r%r ÚdecoderÚJSONDecodeErrorÚ __class__rXr€r5r4rœrr&r1)rMr"rrfÚproviderr#r#r$ru²s" ÿ  þ  ýzOAuthLoginHandler._raise_errorc KsŠ|d\}}}| ¡| dd¡t|tƒr<|j|j}}n,|jj dd¡}t   |›d|›¡d\}}|  |j j tjdd ||d ¡dS) NÚexc_infoú Content-Typez text/htmlrÑrŒz. OAuth provider encountered unexpected error: )z500: Internal Server Errorz&Server encountered unexpected problem.zPanel: Authentication ErrorzAuthentication Error)Únpm_cdnÚtitleZ error_typer5r¿)Zclear_all_cookiesZ set_headerr0rr±Ú log_messagerÕrXr€r4r5ÚwriteÚ_error_templateÚrenderr rÙ)rMÚ status_codeÚkwargsrZr~r5r¿rÖr#r#r$Ú write_errorÅs&  ÿÿ ûzOAuthLoginHandler.write_error)NN)NNNNNN)NN)NrÐ)rXÚ __module__Ú __qualname__rrrJrkrzrrrÝr–ÚpropertyrNr\rUr†r‹r r¦rnr©r&rwrurár#r#r#r$r7Zs6þÿ ÿ /þ | >  r7c@sHeZdZdZddiZedd„ƒZedd„ƒZedd „ƒZed d „ƒZ d S) ÚGenericLoginHandlerú Bearer {}r?r@cCstj dtj d¡¡S)NZ TOKEN_URLZPANEL_OAUTH_TOKEN_URL©r rGr&rHrIrLr#r#r$roæsz+GenericLoginHandler._OAUTH_ACCESS_TOKEN_URLcCstj dtj d¡¡S)NZ AUTHORIZE_URLZPANEL_OAUTH_AUTHORIZE_URLrçrLr#r#r$Ú_OAUTH_AUTHORIZE_URLêsz(GenericLoginHandler._OAUTH_AUTHORIZE_URLcCstj dtj d¡¡S)NZUSER_URLZPANEL_OAUTH_USER_URLrçrLr#r#r$ryîsz#GenericLoginHandler._OAUTH_USER_URLcCstj dtj dd¡¡S)NZUSER_KEYZPANEL_USER_KEYr=rçrLr#r#r$rÃòszGenericLoginHandler._USER_KEYN) rXrârãrzrkrärorèryrÃr#r#r#r$råÞsÿ   råc@s$eZdZddiZdd„Zdd„ZdS)ÚPasswordLoginHandlerr?r`cCs`z| d¡}Wnty$d}Yn0| dd¡}|rB| d|¡|jj|td}| |¡dS©Nr5rŒrr“)Ú errormessageÚ PANEL_CDN©r—rÚ set_cookieÚ_login_templaterÞrrÜ©rMrër“Úhtmlr#r#r$r&ýs    þzPasswordLoginHandler.getcÃsz| dd¡}| dd¡}tjr&tj}n|jj›d|jj›|j›}|jtj|||dIdH\}}}}|sldS|  d¡dS)Nr_rŒr`ú://)rRrQr_r`r) r—r rµr”r¶r·r–rUr¸r¼)rMr_r`rQrYrZr#r#r$Úpost s  üzPasswordLoginHandler.postN)rXrârãrkr&rór#r#r#r$ré÷sÿréc@seZdZdd„Zdd„ZdS)ÚCodeChallengeLoginHandlercÃsÚ| dd¡}| dd¡}tjr&tj}n|jj›d|jj›|j›}|rJ|sX| |¡dS| ¡}||kr€t   d||¡t ddƒ‚t |ƒ}|j |tj||dIdH}|dur²t d ƒ‚t  d t|ƒj¡| | d d ¡¡dS) NrPrŒrròr²rÐzOAuth state mismatch)rPr³r´r“r)r—r rµr”r¶r·r–Ú_authorize_redirectr†r4rœrr6r\r¸rVrWrXr¼r&)rMrPr¾rQrÀrrYr#r#r$r& s$    zCodeChallengeLoginHandler.getc Csl| ¡}| |¡| ¡\}}| |¡tjdd |j¡|d|d|dœ}t  |¡}|  |j ›d|›¡dS)NrPr]ÚqueryZS256)rRrSrBrZ response_moder¥Zcode_challenge_methodrQrª) r r‹r¦r©r r¸rlrNrprqr¼rè)rMrQrrar¥r[Z query_paramsr#r#r$rõ8s    ø z-CodeChallengeLoginHandler._authorize_redirectN)rXrârãr&rõr#r#r#r$rôsrôc@s$eZdZdZdZdZdZdZdZdS)ÚGithubLoginHandlerz»GitHub OAuth2 Authentication To authenticate with GitHub, first register your application at https://github.com/settings/applications/new to get the client ID and secret. z+https://github.com/login/oauth/access_tokenz(https://github.com/login/oauth/authorizezhttps://api.github.com/userztoken {}ÚloginN) rXrârãÚ__doc__rorèryrzrÃr#r#r#r$r÷Ls r÷c@s$eZdZddiZdZdZdZdZdS)ÚBitbucketLoginHandlerr;r8z.https://bitbucket.org/site/oauth2/access_tokenz+https://bitbucket.org/site/oauth2/authorizez0https://api.bitbucket.org/2.0/user?access_token=r_N)rXrârãrrrorèryrÃr#r#r#r$rú\s ÿrúc@sDeZdZdZdZdZdZdZedd„ƒZ edd „ƒZ ed d „ƒZ d S) Ú Auth0Handlerræz!https://{0}.auth0.com/oauth/tokenzhttps://{0}.auth0.com/authorizezhttps://{0}.auth0.com/userinfor=cCstj dd¡}|j |¡S©NZ subdomainZexample©r rGr&Ú_OAUTH_ACCESS_TOKEN_URL_r{©rMÚurlr#r#r$rossz$Auth0Handler._OAUTH_ACCESS_TOKEN_URLcCstj dd¡}|j |¡Srü©r rGr&Ú_OAUTH_AUTHORIZE_URL_r{rÿr#r#r$rèxsz!Auth0Handler._OAUTH_AUTHORIZE_URLcCstj dd¡}|j |¡Srü©r rGr&Ú_OAUTH_USER_URL_r{rÿr#r#r$ry}szAuth0Handler._OAUTH_USER_URLN) rXrârãrzrþrrrÃrärorèryr#r#r#r$rûis  rûc@sTeZdZddiZddiZdZdZdZdZd Z e d d „ƒZ e d d „ƒZ e dd„ƒZ dS)ÚGitLabLoginHandlerr;r8r?r@zhttps://{0}/oauth/tokenzhttps://{0}/oauth/authorizezhttps://{0}/api/v4/userrær_cCstj dd¡}|j |¡S©Nrz gitlab.comrýrÿr#r#r$ro–sz*GitLabLoginHandler._OAUTH_ACCESS_TOKEN_URLcCstj dd¡}|j |¡Srrrÿr#r#r$rè›sz'GitLabLoginHandler._OAUTH_AUTHORIZE_URLcCstj dd¡}|j |¡Srrrÿr#r#r$ry sz"GitLabLoginHandler._OAUTH_USER_URLN)rXrârãrrrkrþrrrzrÃrärorèryr#r#r#r$r„sÿÿ  rc@sJeZdZdddœZdZdZdZdZedd „ƒZ ed d „ƒZ ed d „ƒZ dS)ÚAzureAdLoginHandlerr8r9r:z7https://login.microsoftonline.com/{tenant}/oauth2/tokenz;https://login.microsoftonline.com/{tenant}/oauth2/authorizerŒZ unique_namecCs&tj dtj dd¡¡}|jj|dS©NZ AAD_TENANT_IDÚtenantÚcommon)r ©rHrIr&r rGrþr{©rMr r#r#r$ro³sz+AzureAdLoginHandler._OAUTH_ACCESS_TOKEN_URLcCs&tj dtj dd¡¡}|jj|dSr©rHrIr&r rGrr{r r#r#r$rè¸sz(AzureAdLoginHandler._OAUTH_AUTHORIZE_URLcCs|jjfitj¤ŽS©N©rr{r rGrLr#r#r$ry½sz#AzureAdLoginHandler._OAUTH_USER_URLN© rXrârãrrrþrrrÃrärorèryr#r#r#r$r¦sþ  rc@sJeZdZdddœZdZdZdZdZedd „ƒZ ed d „ƒZ ed d „ƒZ dS)ÚAzureAdV2LoginHandlerr8r9r:ztj dd¡}tj dd¡}|r.|j ||¡S|j |¡SdS©Nrzokta.comÚserverÚdefault)r rGr&rþr{Ú_OAUTH_ACCESS_TOKEN_URL__©rMrrr#r#r$roós z(OktaLoginHandler._OAUTH_ACCESS_TOKEN_URLcCs>tj dd¡}tj dd¡}|r.|j ||¡S|j |¡SdSr)r rGr&rr{Ú_OAUTH_AUTHORIZE_URL__rr#r#r$rèüs z%OktaLoginHandler._OAUTH_AUTHORIZE_URLcCs@tj dd¡}tj dd¡}|r.|j ||¡S|j ||¡SdSr)r rGr&rr{Ú_OAUTH_USER_URL__rr#r#r$rys z OktaLoginHandler._OAUTH_USER_URLN)rXrârãrùrkrþrrrrrrÃrärorèryr#r#r#r$rÞs"þ  rc@s(eZdZddiZgd¢ZdZdZdZdS)ÚGoogleLoginHandlerrØz0application/x-www-form-urlencoded; charset=utf-8)r<r=r>z,https://accounts.google.com/o/oauth2/v2/authz*https://accounts.google.com/o/oauth2/tokenr=N)rXrârãrrrJrèrorÃr#r#r#r$rs ÿrc@s0eZdZeZdd„Zdd„Zdd„Zdd„Zd S) ÚBasicLoginHandlercCs`z| d¡}Wnty$d}Yn0| dd¡}|rB| d|¡|jj|td}| |¡dSrêrírðr#r#r$r&s    þzBasicLoginHandler.getcCs®dtj |ji¡vr&tj|jd}ntj}t|tƒr|tj   |¡r|t |dd}t   | ¡¡}Wdƒn1sr0Yt|tƒrž||vr’dS|||kS||krªdSdS)NÚ basic_authr)ÚencodingFT)rZ_server_configr&Ú applicationr rr0r1rHr’ÚisfileÚopenr r!Úreadrx)rMr_r`Z auth_infoZ auth_filer#r#r$Ú _validate-s,  zBasicLoginHandler._validatecCsp| dd¡}| dd¡}| ||¡}|rJ| |¡| dd¡}| |¡n"dtj d¡}| |jj |¡dS)Nr_rŒr`r“rz?error=zInvalid username or password!) r—r"Úset_current_userZ get_cookier¼ÚtornadoÚescapeZ url_escaper”r•)rMr_r`Úauthr“r¿r#r#r$ró=s      zBasicLoginHandler.postcCsx|s| d¡| d¡dS| d¡|jd|tjdtt d|i¡ƒ}tjrbtj  |  d¡¡}|jd|tjddS)NrÁrYrÂrri) r…rŠr r„rr r+rrÄrÅr-)rMrYrir#r#r$r#Is   z"BasicLoginHandler.set_current_userN) rXrârãrrïr&r"rór#r#r#r#r$rs  rc@seZdZdZeZdd„ZdS)Ú LogoutHandlerrAcCs\| d¡| d¡| d¡| d¡| d¡| t¡|jjt|jd}| |¡dS)NrYrirgr^r„)rìZLOGIN_ENDPOINT)r…rƒÚ_logout_templaterÞrr–rÜ)rMrñr#r#r$r&\s      þzLogoutHandler.getN)rXrârãr–rr(r&r#r#r#r$r'Vsr'csneZdZdZd‡fdd„ Zdd„Zdd„Zed d „ƒZed d „ƒZ ed d„ƒZ edd„ƒZ edd„ƒZ ‡Z S)ÚBasicAuthProviderzF An AuthProvider which serves a simple login and logout page. Ncs|durt|_n8t|ƒ }t | ¡¡|_Wdƒn1s>0Y|durXt|_n8t|ƒ }t | ¡¡|_Wdƒn1s†0Y|dur t|_ n8t|ƒ }t | ¡¡|_ Wdƒn1sÎ0Y|pÞd|_ |pèd|_ |pòg|_ t  |j¡tƒ ¡dS)NrAz/logout)rrÝr rZ from_stringr!rr(rrïr–Ú_logout_endpointÚ_guest_endpointsrZon_session_destroyedÚ _remove_userÚsuperÚ__init__)rMZlogin_endpointZlogout_endpointZlogin_templateZlogout_templateÚerror_templateZguest_endpointsÚf©rÕr#r$r.os" . . .    zBasicAuthProvider.__init__cCs||jj d¡}|jj d¡}|r&d}n&|rHttjd|ƒ}|rL| d¡}nd}|sTdStj|d8<tj|sxtj|=dS©NrÁrYÚguestrr ) r”Úcookiesr&r r Ú cookie_secretrrÚ _active_users©rMZsession_contextZ guest_cookieZ user_cookierYr#r#r$r,Šs ÿ  zBasicAuthProvider._remove_usercCs6tjr||jksd|vsdS| dd¡|jvr2dSdS)Nz?code=Tz/wsrŒF)r Zoauth_optionalr–r€r+)rMr•r#r#r$Ú _allow_guestszBasicAuthProvider._allow_guestcs‡fdd„}|S)Ncs~|jdtjd}|r | d¡}n:ˆ |jj¡rZd}d|jjd<t|t ƒsZ|j ddtjd|rzt|t ƒrzt j |d7<|S) NrYrrr3Ú1rÁrÂr ) r‚r r„rr8r”r•r4r0r rîrr6)Zrequest_handlerrYrLr#r$Úget_user¤s   z,BasicAuthProvider.get_user..get_userr#©rMr:r#rLr$r:¢s zBasicAuthProvider.get_usercCs|jSr)r–rLr#r#r$Ú login_url³szBasicAuthProvider.login_urlcCs|jt_|jt_tSr)r–rrïrLr#r#r$Ú login_handler·szBasicAuthProvider.login_handlercCs|jSr)r*rLr#r#r$Ú logout_url½szBasicAuthProvider.logout_urlcCs|jr|jt_|jt_tSr)r(r'r–rLr#r#r$Úlogout_handlerÁsz BasicAuthProvider.logout_handler)NNNNNN)rXrârãrùr.r,r8rär:r<r=r>r?Ú __classcell__r#r#r1r$r)js"ý    r)cs\eZdZdZedd„ƒZe‡fdd„ƒZedd„ƒZdd „Zd d „Z d d „Z dd„Z ‡Z S)Ú OAuthProviderz~ An AuthProvider using specific OAuth implementation selected via the global config.oauth_provider configuration. cCsdSrr#rLr#r#r$r:ÏszOAuthProvider.get_usercs‡‡fdd„}|S)Nc “sttˆƒ |¡}tjr|dur"|Stj tjj ¡  ¡}d}|t j vr„t j |s`t  d¡IdHqDt j |}|d}|dr°|d}n,|jdtjd}|s¦t d¡dSt  |¡}|durzt|ƒ}|d}Wn@ty|jdtjd}|dur t d¡|YSYn0|t j vr,t j |d }n@|jd tjd} | rht  | ¡}ˆ |d|||j|j¡nd}||kr„t d ¡|S|r¾zt|ƒ} | d|kr¦d}Wnty¼Yn0|durÞt d tˆƒj¡dSt d tˆƒj¡ˆ |||j|j¡IdH|S) Nçš™™™™™¹?rgÚexpiryrz:No access token available, forcing user to reauthenticate.Úexpr„zCaccess_token is not a valid JWT token. Expiry cannot be determined.r^z1Fully authenticated and access_token still valid.z[%s access_token is expired and refresh_token not available, forcing user to reauthenticate.ú%s refreshing token)r-rAr:r Zoauth_refresh_tokensrÆrÇrÈrÉrÊrËrrÌÚasyncioÚsleepr‚r„r4rVZ_decrypt_cookierrÚ_schedule_refreshrr”rWrXÚ_refresh_access_token) ÚhandlerrYrÏrCÚ user_statergZ access_cookieZ access_jsonr^Zrefresh_cookieZ refresh_json)rÕrMr#r$r:Õsb               z.OAuthProvider.get_user_async..get_userr#r;r1rLr$Úget_user_asyncÓs>zOAuthProvider.get_user_asynccCs,ttj}|jr|j|_|j|_|j|_|Sr)ÚAUTH_PROVIDERSr Zoauth_providerrÝrïr–)rMrJr#r#r$r=s  zOAuthProvider.login_handlercCsŽ|jj d¡}|jj d¡}|r&d}n&|rHttjd|ƒ}|rL| d¡}nd}|sTdStj|d8<tj|sŠtj|=|tj vrŠtj |=dSr2) r”r4r&r r r5rrr6rÌr7r#r#r$r,s$ÿ   zOAuthProvider._remove_userc CsÚtj |¡sdStj tjj¡ ¡}||d}t   dt |ƒj |¡tj ¡tj |d}t|j||||ƒ} |dkr‚t | ¡dS|›d} z6zt | ¡Wnty®Yn0Wtj| | |dntj| | |d0dS)Né z)%s scheduling token refresh in %d seconds)Úsecondsrz-refresh-access-tokens)Úat)rr6r&rÆrÇrÈrÉrÊrËr4rVrWrXÚ timedeltarÚ_scheduled_refreshÚexecuteZ cancel_taskÚKeyErrorZ schedule_task) rMZ expiry_tsrYr^rr”rÏZexpiry_secondsZ expiry_dateZ refresh_cbZtaskr#r#r$rH3s      zOAuthProvider._schedule_refreshcÃsf| ||||¡IdHtj|}|d|d}}|drD|d}n t|ƒd}| |||||¡dS)Nrgr^rCrD)rIrrÌrrH)rMrYr^rr”rKrgrCr#r#r$rRFs   z OAuthProvider._scheduled_refreshc ÃsÒ|tjvrBtj|s4tj|s0t d¡IdHqdStj|d}t dt|ƒj¡itj|<|j||d}|j t j t j |dIdH\}}}}|rÆt j t jj¡ ¡} |||r¶| |nddœtj|<ntj|=dS)NrBr^rE)rr”)rRrOr^)rgr^rC)rrÌrFrGr4rVrWrXr=rUr r¸r»rÆrÇrÈrÉrÊrË) rMrYr^rr”Z auth_handlerrZrgrhrÏr#r#r$rIPs*    ýýz#OAuthProvider._refresh_access_token) rXrârãrùrär:rLr=r,rHrRrIr@r#r#r1r$rAÉs A  rA) Zauth0ZazureZazurev2Z bitbucketZgenericZgoogleZgithubZgitlabZoktar`Z auth_codez panel.authFZ_oauth_provider)OrFr,rrÇrÆr¢r ÚloggingrHrÚ urllib.parseÚparserprrÚ functoolsrr$Zbokeh.server.auth_providerrZ tornado.authrZtornado.httpclientrrtrZ tornado.webrr Ztornado.websocketr r Z entry_pointsr Z io.resourcesrrrrrZio.staterÚutilrrÚ getLoggerrXr4rƒr§r%r)r/r6Zwebr7rårérôr÷rúrûrrrrrrr'r)rArMÚ entry_pointÚloadÚnameÚlistÚkeysÚparamZobjectsr#r#r#r$Ús‚          '. "1 <_%õ