;g ddlZddlZddlZddlZddlZddlZddlZddlZddl Z ddl m Z ddl Z ddlmZddlmZddlmZddlZddlmZddlmZddlmZddlmZmZdd lmZmZm Z dd l!m"Z"d d l#m#Z#d d l$m%Z%d dl&m'Z'm(Z(m)Z)m*Z*m+Z+d dl,m-Z-d dl.m/Z/m0Z0ejbe2Z3dZ4dZ5dZ6dZ7dZ8dZ9Gddejtj>eZ;Gdde;Z<Gdde<Z=Gdde<Z>Gdd e;Z?Gd!d"e;Z@Gd#d$e;ZAGd%d&e;ZBGd'd(e;ZCGd)d*e;ZDGd+d,e;ZEGd-d.e;ZFGd/d0eZGGd1d2ejtj>ZHGd3d4eZIGd5d6eIZJGd7d8eGZKeAeCeDe@eeKd9 ZLe%d:D]ZMeMjeLeMj<!ePeLje#jjd;d<_Sy)=N)urlsafe_b64encode)partial)ClassVar) AuthProvider)get_token_payload) OAuth2Mixin) HTTPError HTTPRequest)r RequestHandlerdecode_signed_value)WebSocketHandler)config)entry_points_for)BASIC_LOGIN_TEMPLATECDN_DISTERROR_TEMPLATELOGOUT_TEMPLATE_env)state)base64url_encode decode_tokenzpanel-oauth-statezpanel-oauth-codecZ tj|jd}t j dd|}t j dd|}t j dd|}t j|}|S#t$r#tj|jd}YwxYw)z Decodes the JSON-format response body Parameters ---------- response: tornado.httpclient.HTTPResponse Returns ------- Decoded response content asciiutf-8'z\"")codecsdecodebody Exceptionresubjsonloads)responser s *lib/python3.12/site-packages/panel/auth.pydecode_response_bodyr((s5}}X]]G4 66$t $D 66#tT "D 66#sD !D ::d D K 5}}X]]G45s A>>)B*)B*cT|j||jd|dgdS)zH Extracts a request argument from a urllib.parse.parse_qs dict. z/?Nr)get)argskeys r'extract_urlparamr-@s- 88CBse*tf5 6q 99ctj|}tj|j dj dS)zCSerialize OAuth state to a base64 string after passing through JSONutf8r)r$dumpsbase64rencoder)r json_states r'_serialize_stater5Gs7E"J  # #J$5$5f$= > E Eg NNr.cVt|tr|jd} tj|j d} tj|S#t $rtjd|icYSwxYw#t $rtjd|icYSwxYw)z9Deserialize OAuth state as serialized in _serialize_staterr0zFailed to b64-decode state: %rzFailed to json-decode state: %r) isinstancestrr3r2urlsafe_b64decoder ValueErrorlogerrorr$r%) b64_stater4s r'_deserialize_stater>Ms)S!$$W- --i8??G zz*%%  2I>   3Z@ s#$AB!BB!B('B(ceZdZUdddZgdZddiZdZeedze d<dZ eedze d <e Z d Z eee d <ed Z dd Z ddZdZdZdZdZdZdZdZeddZddZdZy)OAuthLoginHandlerapplication/json Tornado OAuthAcceptz User-Agent)openidemailprofileoffline_access grant_typeauthorization_codeN_access_token_header _state_cookie/login_login_endpointcdtjvrtjdSdtjvr |jStjdj dDcgc]}|c}Scc}w)NscopePANEL_OAUTH_SCOPE,)roauth_extra_paramsosenviron_DEFAULT_SCOPESsplit)selfrPs r'_SCOPEzOAuthLoginHandler._SCOPErsh f// /,,W5 5  2'' '#%::.A#B#H#H#MN#M%#MNNNs( A4cK|r$|j||||d{\}}}}|S|||dd|id}dtjvrtjd|dd<|j|j|d<dtjvrtjd|d<tj d t |j|jd i|y7w) a Fetches the authenticated user Parameters ---------- redirect_uri: (str) The OAuth redirect URI client_id: (str) The OAuth client ID state: (str) The unguessable random string to protect against cross-site request forgery attacks client_secret: (str, optional) The client secret code: (str, optional) The response code from the server ) client_secretcodeNr\r) redirect_uri client_idr[ response_type extra_paramsaudiencer`rPz%s making authorize request) _fetch_access_tokenrrSrYr;debugtype__name__authorize_redirect) rXr]r^rr[r\user_paramss r'get_authenticated_userz(OAuthLoginHandler.get_authenticated_userzs& "&":":+ #;#MD!Q K)%*#   22 2171J1J:1VF> ": . ;; ""kkF7O f// /$77@F7O /d1D1DE)&)1sCCCCcKtjdt|jd|i|j}|r||d<|j rdj |j |d<|r||d<|r d} ||d<d|d <nd } |r||d <n)|r|j|| n|j|d <|j} t|jdtj||j} | j| d{}  j&r t)| x}s:tjdt|j|j#| dvr@|r*tjdt|jy|j#| |d|j+d}|r t-|}|d|j+d}}| rd|||fS|j+dx}rI t.j1|||||}tjdt|j||||fSt5|j}|j6r|j8r.|j6}|j8j;|d|d<ndj;|j6|d}tjdt|j | j||d{}t)|}|s8tjdt|j t=|d}tjd!t|jt.j1|||||}||||fS7#t $rQ} tjdt|j|j#| j$dYd} ~ d} ~ wwxYw#t2$rYwxYw7#t $rd}YwxYw#t>$rAtjd t|j|j#| |dYwxYww)"a Fetches the access token. Parameters ---------- client_id: The client ID redirect_uri: The redirect URI code: The response code from the server client_secret: The client secret refresh_token: A token used for refreshing the access_token username: A username password: A password z%s making access token request.r^r] rPr\T refresh_tokenrIFr[)usernamepassword code_verifierPOST)methodr headersNz%s access token request failed.)statusz6%s token endpoint did not return a valid access token. access_tokenz2%s token endpoint did not reissue an access token.NNN expires_inid_tokenz3%s successfully obtained access_token and id_token. Authorizationz{}{}z%s requesting OpenID userinfo.)rtz%s could not fetch user information, the token endpoint did not return an id_token and no OpenID user info endpoint was provided. Attempting to code access_token to resolve user information.z!%s could not decode access_token.z3%s successfully obtained access_token and userinfo.) r;rdrerf_EXTRA_TOKEN_PARAMSrYjoinupdateget_code_cookieget_auth_http_clientr _OAUTH_ACCESS_TOKEN_URLurlparse urlencode_API_BASE_HEADERSfetchHTTPClientError _raise_errorr&r r(r*intr@set_auth_cookiesr dict_OAUTH_USER_URLrKformatrr!)rXr^r]r[r\rnrorprj refreshinghttpreqr&er ryrwrzrh user_headersuser_url user_responses r'rcz%OAuthLoginHandler._fetch_access_tokens0 3T$Z5H5HI  &&  %1F> " ;;!hht{{3F7O !F6N J&3F? ##2F< J &3F? #  MM8hM ?&*&:&:&&:DHH_ IIOT ##    >'^(<= GdI\I\] 11$,P]_ij\=*< =tDz?R?RS!!(D!= >sC:Q#=NNNC&Q#=O1CQ#)P?PP+Q#;P AQ#N O.AO)#Q#)O..Q#1 O>:Q#=O>>Q#P PQ#PQ#AQ Q#Q  Q#c|jS|jttjxsdj dd|_|j t|jS)z[Get OAuth state from cookies To be compared with the value in redirect URL  max_age_daysr.r0replace)rLget_secure_cookieSTATE_COOKIE_NAMEr oauth_expiryr clear_cookierXs r'get_state_cookiez"OAuthLoginHandler.get_state_cookie$sa    %&&'8vGZGZ&[b_bfVY'     / 0!!!r.cR|jt|tjdyNT expires_dayshttponly)set_secure_cookierrr)rXrs r'set_state_cookiez"OAuthLoginHandler.set_state_cookie/s%  u63F3FQU  r.c|jjj|jd}|j d|x}}|r|jdt j d}t j |}|jddd|jjdzj}||k7rtjd||ttjj |xsddS)Nnext\/)schemenetlocpathzIgnoring next_url %r, using %r)state_idnext_url)requesturirrN get_argumentrquote_replacerlstripgeturlr;warningr5uuiduuid4hex)rXroot_urlroriginal_next_urlurlinfos r' get_statezOAuthLoginHandler.get_state4s<<##++D,@,@"E'+'8'8'JJ$ ''hnnT.BCH''1G''"31D1DS1I+I(fh ,, 46G ))x3 G  r.cztjjtjjztjjz}tj|j dj }t|jdjdd}||fS)Nr=r) rrrhashlibsha256r3digestrrr)rXrqhashed_code_verifiercode_challenges r'get_codezOAuthLoginHandler.get_codeHs ((4::<+;+;;djjl>N>NN &~~m.B.B7.KLSSU*+?@GGPXXY\^`an,,r.c|jttjxsdj dd}|j t|S)Nrr.r0r)rCODE_COOKIE_NAMErrrrrXr\s r'rz!OAuthLoginHandler.get_code_cookieNsG&&'7fFYFY&Za^aiijpr{| *+ r.cR|jt|tjdyr)rrrrrs r'set_code_cookiez!OAuthLoginHandler.set_code_cookieSs$  d1D1Dt  r.cKtjdt|jtj rtj }n/|j jd|j j}|tjd}|jdi}|rJtj|}|jDcic]\}}|jdd|}}}|jdt|d}|jdt|d}|jd t|d }|X|jd t|d } | s|} tj!d t|j|t#d | | |j%} |r| |k7r%tj'd| |t#d dd t)|} |j+tj,||d|j.di|d{} | t#ddtjdt|j|j1| j2ddy|j5x|d<} |j7| |j.di|d{ycc}}w77 w)Nz%s received login request://)r]r^r?r\rr<error_descriptionz2%s failed to authenticate with following error: %sru)reasonOAuth state mismatch: %s != %sz=OAuth state mismatch. Please restart the authentication flow.zstate mismatch)r[r\rzPermissions unknown.'%s authorized user, redirecting to app.rrrb)r;rdrerfroauth_redirect_urirprotocolhost oauth_keyrrparse_qsitemsrWr-r<r rrr>r~ oauth_secretrkredirectr*rr) rXr]rjnext_argargvaluer\ url_stater< error_msg cookie_staterrhs r'r*zOAuthLoginHandler.getXs -tDz/B/BC  $ $!44L"ll334C 8I8I7JKL(",,  $$VR0 ((2HDLNNDTUDTjc5 #r*E1DTHU  )9(F)KL%%g/?'/RS !!'+;Hg+NO  ))#%5h@S%TVI! IIDT ##U C59 9,,. y( v>>D|%;<< II?dATAT U MM)%))J4 5'+nn&6 6F7Oe  ! !% (-$--77 7 7UVB? 8s2C K J:*D0KKBK4K5 KKc (|rt|tr t|}n |}tt j |}t jxs |j}||vr||}n6tjdt|j|tdd|jd|jd|t j dnd}t"j$rt"j$j'|j)d}|r.t"j$j'|j)d}|r.t"j$j'|j)d}|jd |t j d|r#|jd |t j d|r}t*j,j/t*j0j2j5}|jd tt7||zt j d|r#|jd |t j d|r2|t"j8vr t"j8j;|d|S) Nz-%s token payload did not contain expected %r.ruz,OAuth token payload missing user informationis_guestrhTrrrwrzrrn)r7r8rrr$r1roauth_jwt_user _USER_KEYr;r<rerfr rrrr encryptionencryptr3dtdatetimenowtimezoneutc timestampr_oauth_user_overridespop) handlerrzrwrnrydecodeduser_keyrhnow_tss r'rz"OAuthLoginHandler.set_auth_cookiess  (C(&x0"+DJJx,@A,,A0A0AH7"x( Iw-00(<%STT   ,  % %fdATAT_c % dD    ++33L4G4G4PQL ++33HOOG4LM % 0 0 8 89M9Mg9V W !!.,VM`M`ko!p   % %j(I\I\gk % l [[__R[[__5??AF  % %nc#fz>Q:R6SbhbubuAE % F   % %o}SYSfSfqu % v DE777  ' ' + +D$ 7 r.c |xs t|}|jj j dd}|jr(tj|d|jd|ntj|d|dt|dr.|jdt|}|jd d }n t|}d }t||| #tjj$r|}YwxYw) N LoginHandlerrz OAuth provider returned a z error. The full response was: zN OAuth provider failed to fully authenticate returning the following response:.r*rr<z Unknown errorz Unknown Error) log_messager)r(r$decoderJSONDecodeError __class__rfrr<r;rhasattrr*r8r )rXr&r rvproviderrrs r'rzOAuthLoginHandler._raise_errors 9/9D>>**22>2F >> II "=hnn=MN77;f> ? KK8*%I&# $ 4 ((#6D BKXXg7Fh-K$F #  #||++ D sCC=<C=c |d\}}}|j|jddt|tr|j|j }}nE|j jjdd}tj|d|d\}}|j|jjtjdd || y) Nexc_info Content-Typez text/htmlrrz. OAuth provider encountered unexpected error: )z500: Internal Server Errorz&Server encountered unexpected problem.zPanel: Authentication ErrorzAuthentication Error)npm_cdntitle error_typer<r)clear_all_cookies set_headerr7r rrrrfrr;r<write_error_templaterenderrr)rX status_codekwargsrirr<rrs r' write_errorzOAuthLoginHandler.write_errors$1a    4 a # xx9E~~..66~rJH II*   E9 4''..NN/- /  r.)NNNNNNNN)N)rf __module__ __qualname__rrVr|rKrr8__annotations__rLrrrNpropertyrYrkrcrrrrrrr* staticmethodrrr rbr.r'r@r@]s%% GO -26(3:.5*.M8C$J'.$O%-OXc]- OO?C,*^FJ48z=x "  (-   98v##J 4 r.r@cXeZdZdZddiZedZedZedZedZ y) GenericLoginHandler Bearer {}rIrJc|tjjdtjjdS)N TOKEN_URLPANEL_OAUTH_TOKEN_URLrrSr*rTrUrs r'rz+GenericLoginHandler._OAUTH_ACCESS_TOKEN_URLs)((,,["**..I`:abbr.c|tjjdtjjdS)N AUTHORIZE_URLPANEL_OAUTH_AUTHORIZE_URLrrs r'_OAUTH_AUTHORIZE_URLz(GenericLoginHandler._OAUTH_AUTHORIZE_URLs)((,,_bjjnnMh>ijjr.c|tjjdtjjdS)NUSER_URLPANEL_OAUTH_USER_URLrrs r'rz#GenericLoginHandler._OAUTH_USER_URLs)((,,ZH^9_``r.c~tjjdtjjddS)NUSER_KEYPANEL_USER_KEYrFrrs r'rzGenericLoginHandler._USER_KEYs,((,,ZHXZa9bccr.N) rfr rrKr|rrrrrrbr.r'rrsp& *cckkaaddr.rc eZdZddiZdZdZy)PasswordLoginHandlerrIrpc |jd}|jdd}|r|jd||jj |t }|j |y#t$rd}YfwxYwNr<rrr) errormessage PANEL_CDNrr! set_cookie_login_templaterrrrXr'rhtmls r'r*zPasswordLoginHandler.get  ,,W5L$$VT2  OOJ 1##**%+  4 L A,, A:9A:cK|jdd}|jdd}tjrtj}n;|jjd|jj |j }|jtj|||d{\}}}}|sy|jdy7w)Nrorrpr)r^r]rorpr) rrrrrrrNrcrr)rXrorpr]rhris r'postzPasswordLoginHandler.posts$$Z4$$Z4  $ $!44L"ll334C 8I8I7J4K_K_J`aL"66&&% 7  aA   c sB'C )C*C N)rfr rr|r*r1rbr.r'r$r$s j r.r$ceZdZdZdZy)CodeChallengeLoginHandlercK|jdd}|jdd}tjrtj}n;|jjd|jj |j }|r|s|j|y|j}||k7r#tjd||tddt|}|j|tj||d{}| td tjd t!|j"|j%|j&d d y7]w) Nr\rrrrr zOAuth state mismatch)r\rrrr)rrrrrrrN_authorize_redirectrr;rr r>rkrrdrerfrr*)rXr\rr]rrrhs r'r*zCodeChallengeLoginHandler.get.s/  ,%%gr2  $ $!44L"ll334C 8I8I7J4K_K_J`aL9  $ $\ 2 ,,. 9 $ KK8, RC!78 8"9-00v?O?OQZae0ff <C.  ;T$Z=P=PQ ieii C01 gsDE"E AE"c \|j}|j||j\}}|j|tj ddj |j|d|d|d}tj|}|j|jd|y)Nr\rmqueryS256)r^r_rPr response_modercode_challenge_methodr]r) rrrrrrr}rYrrrr)rXr]rrqrrj query_paramss r'r5z-CodeChallengeLoginHandler._authorize_redirectFs  e$(, % ~ ]+))#XXdkk*$,%+(   ))&1  2231\NCDr.N)rfr rr*r5rbr.r'r3r3,s 20Er.r3c$eZdZdZdZdZdZdZdZy)GithubLoginHandlerzGitHub OAuth2 Authentication To authenticate with GitHub, first register your application at https://github.com/settings/applications/new to get the client ID and secret. z+https://github.com/login/oauth/access_tokenz(https://github.com/login/oauth/authorizezhttps://api.github.com/userztoken {}loginN) rfr r__doc__rrrrKrrbr.r'r=r=Zs& LE3O%Ir.r=c$eZdZddiZdZdZdZdZy)BitbucketLoginHandlerrDrAz.https://bitbucket.org/site/oauth2/access_tokenz+https://bitbucket.org/site/oauth2/authorizez0https://api.bitbucket.org/2.0/user?access_token=roN)rfr rrrrrrrbr.r'rArAjs+ $OHHOIr.rAcPeZdZdZdZdZdZdZedZ edZ edZ y ) Auth0Handlerrz!https://{0}.auth0.com/oauth/tokenzhttps://{0}.auth0.com/authorizezhttps://{0}.auth0.com/userinforFcxtjjdd}|jj |SN subdomainexamplerrSr*_OAUTH_ACCESS_TOKEN_URL_rrXurls r'rz$Auth0Handler._OAUTH_ACCESS_TOKEN_URLs1''++KC,,33C88r.cxtjjdd}|jj |SrErrSr*_OAUTH_AUTHORIZE_URL_rrJs r'rz!Auth0Handler._OAUTH_AUTHORIZE_URLs1''++KC))0055r.cxtjjdd}|jj |SrErrSr*_OAUTH_USER_URL_rrJs r'rzAuth0Handler._OAUTH_USER_URLs1''++KC$$++C00r.N) rfr rrKrIrNrQrrrrrrbr.r'rCrCwsY&B=7I 996611r.rCc`eZdZddiZddiZdZdZdZdZd Z e d Z e d Z e d Z y )GitLabLoginHandlerrDrArIrJzhttps://{0}/oauth/tokenzhttps://{0}/oauth/authorizezhttps://{0}/api/v4/userrrocxtjjdd}|jj |SNrKz gitlab.comrHrJs r'rz*GitLabLoginHandler._OAUTH_ACCESS_TOKEN_URLs1''++E<@,,33C88r.cxtjjdd}|jj |SrUrMrJs r'rz'GitLabLoginHandler._OAUTH_AUTHORIZE_URLs1''++E<@))0055r.cxtjjdd}|jj |SrUrPrJs r'rz"GitLabLoginHandler._OAUTH_USER_URLs1''++E<@$$++C00r.N)rfr rrr|rIrNrQrKrrrrrrbr.r'rSrSs{ $ * 990&I 996611r.rScVeZdZdddZdZdZdZdZedZ ed Z ed Z y ) AzureAdLoginHandlerrArBrCz7https://login.microsoftonline.com/{tenant}/oauth2/tokenz;https://login.microsoftonline.com/{tenant}/oauth2/authorizer unique_namectjjdtjjdd}|j j |SN AAD_TENANT_IDtenantcommon)r^rTrUr*rrSrIrrXr^s r'rz+AzureAdLoginHandler._OAUTH_ACCESS_TOKEN_URLD1J1J1N1NxYa1bc,,3363BBr.ctjjdtjjdd}|j j |Sr\rTrUr*rrSrNrras r'rz(AzureAdLoginHandler._OAUTH_AUTHORIZE_URLD1J1J1N1NxYa1bc))000??r.cV|jjditjSNrbrQrrrSrs r'rz#AzureAdLoginHandler._OAUTH_USER_URL$+t$$++Hf.G.GHHr.N rfr rrrIrNrQrrrrrrbr.r'rYrYsl%% YYI CC@@IIr.rYcVeZdZdddZdZdZdZdZedZ ed Z ed Z y ) AzureAdV2LoginHandlerrArBrCz**..xC 0077VD D1188= =r.ctjjdd}tjjdd}|r|jj ||S|j j |Srs)rrSr*rNr_OAUTH_AUTHORIZE_URL__rws r'rz%OktaLoginHandler._OAUTH_AUTHORIZE_URL se''++E:>**..xC --44S&A A..55c: :r.ctjjdd}tjjdd}|r|jj ||S|j j ||Srs)rrSr*rQr_OAUTH_USER_URL__rws r'rz OktaLoginHandler._OAUTH_USER_URLsg''++E:>**..xC ((//V< <))00f= =r.N)rfr rr?r|rIrvrNryrQr{rrrrrrbr.r'rqrqs}.. A =A>IFI >>;;>>r.rqc(eZdZddiZgdZdZdZdZy)GoogleLoginHandlerrz0application/x-www-form-urlencoded; charset=utf-8)rErFrGz,https://accounts.google.com/o/oauth2/v2/authz*https://accounts.google.com/o/oauth2/tokenrFN)rfr rrrVrrrrbr.r'r}r}s* J5OIJIr.r}c(eZdZeZdZdZdZdZy)BasicLoginHandlerc |jd}|jdd}|r|jd||jj |t }|j |y#t$rd}YfwxYwr&r)r,s r'r*zBasicLoginHandler.get,r.r/cdtjj|jivr!tj|jd}ntj }t |trXtjj|r9t|d5}tj|j}dddt |tr ||vry|||k(S||k(ryy#1swY-xYw)N basic_authr)encodingFT)r_server_configr* applicationrrr7r8rTrisfileopenr$r%readr)rXrorp auth_info auth_files r' _validatezBasicLoginHandler._validate;s 5//33D4D4DbI I,,T-=-=>|LI))I i %"''..*Ci'2i JJy~~'78 3 i &y(y22 2  "32s $C**C3cr|jdd}|jdd}|j||}|r5|j||jdd}|j |ydt j jdz}|j |jj|zy)Nrorrprrz?error=zInvalid username or password!) rrset_current_user get_cookiertornadoescape url_escaperr)rXrorpauthrrs r'r1zBasicLoginHandler.postKs$$Z4$$Z4~~h1   ! !( +z37H MM( #!GNN$=$=>]$^^I MM$,,**Y6 7r.c|s#|jd|jdy|jd|jd|tjdt t j d|i}tjr.tjj|jd}|jd|tjdy)NrrhTrrrz) rrrrrr$r1rrrr3)rXrhrzs r'rz"BasicLoginHandler.set_current_userWs   j )   f %  *% vt&:M:MX\]#DJJ~$>?   ''//0HIH z8&BUBU`der.N) rfr rrr+r*rr1rrbr.r'rr(s*O  8 fr.rceZdZdZeZdZy) LogoutHandlerrMcP|jd|jd|jd|jd|jd|jt|jjt|j }|j |y)Nrhrzrwrnr)r(LOGIN_ENDPOINT)rr_logout_templaterrrNr)rXr-s r'r*zLogoutHandler.getjs &! *% .) /* .) +,$$++//,  4r.N)rfr rrNrrr*rbr.r'rrdsO& r.rceZdZdZ d fd ZdZdZedZedZ edZ edZ ed Z xZ S) BasicAuthProviderzF An AuthProvider which serves a simple login and logout page. c| t|_n.get_users"44V&J]J]4^D{{7+""?#:#:#>#>?>A''// ;!/3CD#..z3VM`M`.a ?4DE##D)Q.)Kr.rb)rXrs` r'rzBasicAuthProvider.get_users r.c|jSN)rNrs r' login_urlzBasicAuthProvider.login_urls###r.cb|jt_|jt_tSr)rNrr+rs r' login_handlerzBasicAuthProvider.login_handlers&,0,@,@),0,@,@)  r.c|jSr)rrs r' logout_urlzBasicAuthProvider.logout_urls$$$r.cz|jr|jt_|jt_tSr)rrrNrs r'logout_handlerz BasicAuthProvider.logout_handlers-  -1-B-BM *(,(<(< %r.r )rfr rr?rrrrrrrrr __classcell__rs@r'rrxs 48BF6*&R  $$!! %%r.rcfeZdZdZedZefdZedZdZdZ d dZ dZ xZ S) OAuthProviderz~ An AuthProvider using specific OAuth implementation selected via the global config.oauth_provider configuration. cyrrbrs r'rzOAuthProvider.get_usersr.cfd}|S)NcxKtt |}tjr||St |t }|rd|jjvr|jjd}|jd\}}t|}d|vrk|d}tjr.tjj|jd}tj |}|tj"|<t$j&j)t$j*j,j/}d} |tj"vrgtj"|s1t1j2dd{tj"|s1tj"|} | d} | drT| d} nN|j5dtj6} | st8j;d ytj<| } t?| } | d } tC| } | :|j5d tj6} | t8j;d |S|tj"vrtj"|d }n;|j5d tj6}|rtj<|}nd}| |kDrb|r`t8j;d|r)jE| |||jF|j| |z }tHjK|d| |||S|r t?|}|d |krd}|*t8j;dtMjNyt8j;dtMjNjQ|||jF|j|d{\} }} |tj"vry| |z }tHjK|d| |||S7#t@$rYwxYw#t@$rd} YwxYw#t@$rYwxYw7ow)NzSec-Websocket-Protocolz, user_datar皙?rwexpiryrz:No access token available, forcing user to reauthenticate.exprzCaccess_token is not a valid JWT token. Expiry cannot be determined.rnz+Fully authenticated and tokens still valid.z[%s access_token is expired and refresh_token not available, forcing user to reauthenticate.zFaccess_token has expired, %s using refresh_token to obtain new tokens.) reschedule))rrrroauth_refresh_tokensr7r rrtrWrrrdecryptrr$r%rrrrrrrasynciosleeprrr;rd_decrypt_cookierr!float_schedule_refreshrr@rrerf_scheduled_refresh)rrhis_wsprotocol_headerritokenpayloadrrr user_staterw access_cookie access_jsonrnrefresh_cookiery refresh_jsonrrXs r'rz.OAuthProvider.get_user_async..get_users6w?D..$, w(89E1W__5L5LL")//"9"9:R"S*0065+E2') ' 4I''$)$4$4$<$ ).9 h''1F ' 9 9.W]WjWj 9 k $IIZ[$44]C  *<8 $U+  v~ 22>PVPcPc2d>IIcdKu222 % ; ;D A/ R !(!:!:?Y_YlYl!:!m!$)$9$9.$IM$(M= GH**64H[H[]d]l]lm#f_ !22T<  #/ #>L#E*V3(, $ wy}CzDzMzMN II^`dei`j`s`s t8<8O8OmW%8%8'// 9P93 /L- 5666&J  . .|]J K]-"     D!3sE=P:PP:A1P: P P'D P:1P)BP:P8 ,.##D)))k7)S ;G;[;[&& --'<\< 6 2<  II>T @S@S T[[__R[[__5??AF ,!./9&+t1E ' ' - II94:;N;N O++D1--6 s,AGGG,BGGCGG)T) rfr rr?rrrrrrrrrrs@r'rrs\ ggR6.B( 32r.rceZdZdZdZy)PAMLoginHandlerz: A LoginHandler that authenticates users via PAM. c ddl} |j ||y#t$r}tjd|d}~wwxYw#|j $rYywxYw)Nrz`PAM authentication requires the pamela package. Please install it with e.g. 'pip install pamela'FT)pamela ImportErrorr;r< authenticatePAMError)rXrorprrs r'rzPAMLoginHandler._validatesc       ( 3  IIr G    s!A ?:?AAN)rfr rr?rrbr.r'rrs  r.r) auth0azureazurev2 bitbucketgenericgooglegithubgitlaboktarp auth_codepamz panel.authF_oauth_provider)Trr2rrrrr$loggingrTr" urllib.parseparserrr functoolsrtypingrrbokeh.server.auth_providerrbokeh.util.tokenr tornado.authrtornado.httpclientr rr tornado.webr r tornado.websocketr r entry_pointsr io.resourcesrrrrrio.staterutilrr getLoggerrfr;rrr(r-r5r>webr@rr$r3r=rArCrSrYrlrqr}rrrrrr entry_pointloadnamelistkeysparamobjectsrbr.r'r$s    $3.$HFF.*0g!'%0:O  L  22KL ^ d+d2$.$N*E 3*E\ *  - 1$161*1DI+I8I-I8.>(.>b*9f9fxGKK..(\ \~Q2%Q2h'* $&"   $*   $L1K'2'7'7'9N;##$2:>n>Q>Q>S9T U-.6r.