B 3¢\ú'ã@s’dZddlZddlZyddlmZmZWn$ek rLddlmZmZYnXddlZddlm Z ddl m Z m Z ddl mZGd d „d eƒZdS) z/Tornado handlers for logging into the notebook.éN)ÚurlparseÚ urlunparse)Ú url_escapeé)Ú passwd_checkÚ set_passwordé)ÚIPythonHandlerc@sÆeZdZdZd"dd„Zd#dd„Zdd„Zed d „ƒZd d „Z d d„Z e d$dd„ƒZ e  de j¡Ze dd„ƒZe dd„ƒZe dd„ƒZe dd„ƒZe dd„ƒZe d%dd„ƒZe dd„ƒZe d d!„ƒZdS)&Ú LoginHandlerzfThe basic tornado login handler authenticates with a hashed password from the configuration. Nc Cs*| |jdt|jd|jdƒ|d¡dS)Nz login.htmlÚnext)Údefault)r Úmessage)ÚwriteZrender_templaterÚ get_argumentÚbase_url)Úselfr ©rú2lib/python3.7/site-packages/notebook/auth/login.pyÚ_renders zLoginHandler._rendercCsÞ|dkr|j}| dd¡}t|ƒ}t|jdddƒ}||ksN|jd |j¡sÐd}||kr¸d|j|jf}|  ¡}|d|j j |j j fkrd }n(|j r¢|j |k}n|jr¸t|j |¡ƒ}|sÐ|j d |¡|}| |¡dS) z¶Redirect if url is on our PATH Full-domain redirects are allowed if they pass our CORS origin checks. Otherwise use default (self.base_url if unspecified). Nú\z%5CÚ)ÚnetlocÚschemeú/Fz%s://%sTz!Not allowing login redirect to %r)rÚreplacerrÚ_replaceÚpathÚ startswithrrÚlowerÚrequestÚprotocolZhostZ allow_originZallow_origin_patÚboolÚmatchÚlogÚwarningZredirect)rZurlr ZparsedZ path_onlyZallowÚoriginrrrÚ_redirect_safe!s(  zLoginHandler._redirect_safecCs.|jr"|jd|jd}| |¡n| ¡dS)Nr )r )Z current_userrrr&r)rÚnext_urlrrrÚgetDs zLoginHandler.getcCs | |j¡S)N)Úpassword_from_settingsÚsettings)rrrrÚhashed_passwordKszLoginHandler.hashed_passwordcCs t||ƒS)N)r)rÚaÚbrrrrOszLoginHandler.passwd_checkcCsô|jddd}|jddd}| |j¡rÖ| |j|¡rN|sN| |t ¡j¡nˆ|j r¸|j |kr¸| |t ¡j¡|rÖ|j  d¡rÖ|j  d¡}t j   |d¡}t||d|j d |¡n| d ¡|jd d id dS|jd|jd}| |¡dS)NÚpasswordr)r Ú new_passwordZallow_password_changeÚ config_dirzjupyter_notebook_config.json)Ú config_filezWrote hashed password to %si‘ÚerrorzInvalid credentials)r r )rÚget_login_availabler*rr+Úset_login_cookieÚuuidÚuuid4ÚhexÚtokenr(ÚosrÚjoinrr#ÚinfoZ set_statusrrr&)rZtyped_passwordr/r0r1r'rrrÚpostRs"    zLoginHandler.postcCs`|j di¡}| dd¡|j d|jjdk¡r<| dd¡| d|j¡|j|j|f|Ž|S)z9Call this on handlers to set the login cookie for successÚcookie_optionsZhttponlyTZ secure_cookieZhttpsZsecurer)r*r(Ú setdefaultrr rZset_secure_cookieÚ cookie_name)ÚclsÚhandlerÚuser_idr=rrrr4ks  zLoginHandler.set_login_cookiez token\s+(.+)cCs:| dd¡}|s6|j |jj dd¡¡}|r6| d¡}|S)z›Get the user token from a request Default: - in URL parameters: ?token= - in header: Authorization: token r8rZ Authorizationr)rÚauth_header_patr"rZheadersr(Úgroup)r@rAÚ user_tokenÚmrrrÚ get_tokenzs  zLoginHandler.get_tokencCs | |¡ S)a3Should the Handler check for CORS origin validation? Origin check should be skipped for token-authenticated requests. Returns: - True, if Handler must check for valid CORS origin. - False, if Handler should skip origin check since requests are token-authenticated. )Úis_token_authenticated)r@rArrrÚshould_check_originŒs z LoginHandler.should_check_origincCs$t|ddƒdkr| ¡t|ddƒS)zÿReturns True if handler has been token authenticated. Otherwise, False. Login with a token is used to signal certain things, such as: - permit access to REST API - xsrf protection - skip origin-checks for scripts Ú_user_idNÚ_token_authenticatedF)ÚgetattrZget_current_user)r@rArrrrH˜s z#LoginHandler.is_token_authenticatedcCsšt|ddƒr|jS| |¡}|dkrD|j di¡}|j|jf|Ž}n| ||¡d|_|dkr|  |j¡dk r†|j   d|j¡|  ¡|j sd}||_|S)z”Called by handlers.get_current_user for identifying the current user. See tornado.web.RequestHandler.get_current_user for details. rJNÚget_secure_cookie_kwargsTz(Clearing invalid/expired login cookie %sZ anonymous)rLrJÚget_user_tokenr*r(Zget_secure_cookier?r4rKZ get_cookier#r$Zclear_login_cookieZlogin_available)r@rArBrMrrrÚget_user§s    zLoginHandler.get_usercCsP|j}|sdS| |¡}d}||kr:|j d|jj¡d}|rHt ¡jSdSdS)zžIdentify the user based on a token in the URL or Authorization header Returns: - uuid if authenticated - None if not NFz0Accepting token-authenticated connection from %sT) r8rGr#ÚdebugrZ remote_ipr5r6r7)r@rAr8rEZ authenticatedrrrrNÊs  zLoginHandler.get_user_tokencCs\|js@d}|dkr"|j |d¡|jsX|jsX|j |d¡n|jsX|jsX|j d¡dS)z‡Check the notebook application's security. Show messages, or abort if necessary, based on the security configuration. z=WARNING: The notebook server is listening on all IP addressesNz3 and not using encryption. This is not recommended.zK and not using authentication. This is highly insecure and not recommended.z`All authentication is disabled. Anyone who can connect to this server will be able to run code.)Zipr#r$r.r8)r@ZappZ ssl_optionsr$rrrÚvalidate_securityãs  zLoginHandler.validate_securitycCs | dd¡S)zReturn the hashed password from the tornado settings. If there is no configured password, an empty string will be returned. r.r)r()r@r*rrrr)÷sz#LoginHandler.password_from_settingscCst| |¡p| d¡ƒS)z_Whether this LoginHandler is needed - and therefore whether the login page should be displayed.r8)r!r)r()r@r*rrrr3ÿsz LoginHandler.get_login_available)N)N)N)N)Ú__name__Ú __module__Ú __qualname__Ú__doc__rr&r(Úpropertyr+rr<Ú classmethodr4ÚreÚcompileÚ IGNORECASErCrGrIrHrOrNrQr)r3rrrrr s&  #     #   r )rUrXr9Z urllib.parserrÚ ImportErrorr5Ztornado.escaperZsecurityrrZ base.handlersr r rrrrÚs