-eT2UdZddlmZddlZejeZddlZddlZddl Z ddl Z ddl Z ddl Z ddlZddlZddlZddlmZmZddlmZddlmZdd lmZerdd lmZd Zd ZeeefZd e d<d=dZ!ej"ej#fd>dZ$ej"ej#ddfd?dZ%d@d Z&dAd!Z'ej"ej#fdBd"Z(ej"ej#fdCd$Z)Gd%d&ej*Z+Gd'd(ej,Z-dDd*Z.dEd,Z/dFd/Z0dGd2Z1dHd5Z2dId7Z3d8d9ej"fdJd<Z4e.\Z5Z6dS)Kz Utilities for generating and manipulating session IDs. A session ID would typically be associated with each browser tab viewing an application or plot. Each session has its own state separate from any other sessions hosted by the server. ) annotationsN) TYPE_CHECKINGAny)ID)settings)warn) TypeAlias)check_session_id_signaturecheck_token_signaturegenerate_secret_keygenerate_jwt_tokengenerate_session_idget_session_idget_token_payload __bk__zlib_r TokenPayloadreturnstrctS)z Generate a new securely-generated secret key appropriate for SHA-256 HMAC signatures. This key could be used to sign Bokeh server session IDs, for example. )_get_random_string0lib/python3.11/site-packages/bokeh/util/token.pyrrEs   r secret_key bytes | Nonesignedboolrct}|r%d|t||g}t|S)a Generate a random session ID. Typically, each browser tab connected to a Bokeh application has its own session ID. In production deployments of a Bokeh app, session IDs should be random and unguessable - otherwise users of the app could interfere with one another. .)rjoin _signaturer)rr session_ids rrrMsD$%%J PXXz:j*+M+MNOO j>>ri,r$ extra_payloadTokenPayload | None expirationintc,tjtjtjj}|||zd}|rnd|vrtdtj |t d}tj|d}t||t <ttj |} t#|}|s| S| d zt%| |zS) av Generates a JWT token given a session_id and additional payload. Args: session_id (str): The session id to add to the token secret_key (str, optional) : Secret key (default: value of BOKEH_SECRET_KEY environment variable) signed (bool, optional) : Whether to sign the session ID (default: value of BOKEH_SIGN_SESSIONS environment variable) extra_payload (dict, optional) : Extra key/value pairs to include in the Bokeh session token expiration (int, optional) : Expiration time Returns: str )tz)r$session_expiryr$z=extra_payload for session tokens may not contain 'session_id'clsutf-8 )levelr!)calendartimegmdtdatetimenowtimezoneutc timetuple RuntimeErrorjsondumps _BytesEncoderencodezlibcompress_base64_encode_TOKEN_ZLIB_KEY _ensure_bytesr#) r$rrr%r'r5payloadextra_payload_str compressedtokens rrr[s6 /"+//R[_/==GGII J JC'3;KLLG> = ( (^__ _ J}-HHHOOPWXX]#4A>>> #1*#=#= 4:g.. / /Ez**J  3;E:66 66rrFctjt|dd}|dS)zExtracts the session id from a JWT token. Args: token (str): A JWT token containing the session_id and other data. Returns: str r!rr$)r:loads_base64_decodesplit)rFdecodeds rrrs7j C(8(8(;<<==G <  rcVtjt|dd}t|vrbt jt|t}|t=|tj|t|d=|S)zExtract the payload from the token. Args: token (str): A JWT token containing the session_id and other data. Returns: dict r!rr,r$) r:rHrIrJrAr> decompressupdate _BytesDecoder)rFrK decompresseds rrrsj C(8(8(;<<==G'!!~go6N'O'OPP O $tz,MBBBCCC  Nrc0t|}|r|dd}t|dkrdS|d}|d}t||}t j||}t |}t|||} |o| SdS)auCheck the signature of a token and the contained signature. The server uses this function to check whether a token and the contained session id was generated with the correct secret key. If signed sessions are disabled, this function always returns True. Args: token (str) : The token to check secret_key (str, optional) : Secret key (default: value of BOKEH_SECRET_KEY environment variable) signed (bool, optional) : Whether to check anything (default: value of BOKEH_SIGN_SESSIONS environment variable) Returns: bool r!r rFrT)rBrJlenr#hmaccompare_digestrr ) rFrr token_pieces base_tokenprovided_token_signatureexpected_token_signature token_validr$session_id_valids rr r s0z**J 0{{3** |   ! !5!!_ #/? #-j*#E#E ) $&>  $E** 5j*fUU/// 4r bool | Nonect|}|r^|dd}t|dkrdS|d}t|d|}t j||SdS)zCheck the signature of a session ID, returning True if it's valid. The server uses this function to check whether a session ID was generated with the correct secret key. If signed sessions are disabled, this function always returns True. r!r rFrT)rBrJrRr#rSrT)r$rr id_piecesprovided_id_signatureexpected_id_signatures rr r sz**J  $$S!,, y>>Q  5 )!  *9Q< D D" !#8    4rc eZdZdfd ZxZS)r<orrct|trtt|St |S)N)bytes) isinstancercdictr@superdefault)selfra __class__s rrgz_BytesEncoder.defaultsD a   1nQ//000 0wwq!!!r)rarrr)__name__ __module__ __qualname__rg __classcell__ris@rr<r<s=""""""""""rr<c(eZdZd fd Zd d ZxZS) rOargsrkwargsrNonecHtj|d|ji|dS)N object_hook)rf__init__bytes_object_hook)rhrprqris rruz_BytesDecoder.__init__s-$MD,BMfMMMMMrobjdict[Any, Any]c|t|dhkrt|dS|S)Nrc)setkeysrI)rhrws rrvz_BytesDecoder.bytes_object_hooks4 sxxzz??wi ' '!#g,// / r)rprrqrrrr)rwrxrr)rjrkrlrurvrmrns@rrOrOsWNNNNNNrrOtuple[Any, bool]cddl} |}d}||fS#t$r:tdt jtdd}||fcYSwxYw)NrTzjA secure pseudo-random number generator is not available on your system. Falling back to Mersenne Twister.zA secure pseudo-random number generator is not available and no BOKEH_SECRET_KEY has been set. Setting a secret key will mitigate the lack of a secure generator.F)random SystemRandomNotImplementedErrorr rr)r~ sysrandomusing_sysrandoms r_get_sysrandomrs MMM ''')) /)) ''' A B B B   ( E F F F &&&&'s AA$#A$str | bytes | Nonecb|dSt|tr|Stj|dSNr.)rdrccodecsr=)rs rrBrB s7t J & &2}Z111rrrrc,t|}|sttj|}tt j|dSdSN) rBr~getstatetimer=seedhashlibsha256digest)rrdatas r_reseed_if_neededrsz**J 3//##@TY[[@*@@GGII GN4((//112222233rrK bytes | strct|}tjtj|d}t |dS)Nascii=)rBrdecodebase64urlsafe_b64encoderrstrip)rKdecoded_as_bytesencodeds rr@r@#sK%W--mF45EFFPPG w~~c"" # ##rrrcct|trtj|dn|}t |dz}|dkr |dd|z zz}t |dzdksJt j|S)Nrr=)rdrrr=rRrurlsafe_b64decode)rencoded_as_bytesmods rrIrI.s:DWc:R:R_v}Wg666X_   ! #C axx+tq3w/?@  ! !A %! + + + +  #$4 5 55rbase_idct|}tj|d}|Jtj||t j}t|Sr) rBrr=rSnewrrr@r)rrbase_id_encodedsigners rr#r#8sWz**JmGW55O  ! ! ! Xj/7> B BF &--// * **r,>abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789length allowed_charsct|}tt|dfdt |DS)z Return a securely generated random string. With the a-z, A-Z, 0-9 character set: Length 12 is a 71-bit value. log_2((26+26+10)^12) =~ 71 Length 44 is a 261-bit value. log_2((26+26+10)^44) = 261 c3LK|]}tVdSr)r~choice).0_rs r z%_get_random_string..Ls/GGA6==//GGGGGGr)rBrrr"range)rrrs ` rrr?sOz**Joz222 77GGGGvGGG G GGr)rr)rrrrrr) r$rrrrrr%r&r'r(rr)rFrrr)rFrrr)rFrrrrrrr)r$rrrrr[rr)rr|)rrrr)rrrrrrr)rKrrr)rrrrc)rrrrrr)rr(rrrrrr)7__doc__ __future__rlogging getLoggerrjlogrr1rr4r3rrSr:rr>typingrr core.typesrrwarningsr typing_extensionsr __all__rArerr__annotations__rsecret_key_bytes sign_sessionsrrrrr r JSONEncoderr< JSONDecoderrOrrBrr@rIr#rr~rrrrrsn#"""""g!!   %%%%%%%%,++++++    sCx. ((((    4M83L3N3N'=x'='?'?     3L(2K2M2M&&><@), '7'7'7'7'7R ! ! ! !&6OX5N5P5P)?)?)A)A(((((V;T(:S:U:U5KX5K5M5M:"""""D$""" D$''''(2222 3 3 3 3$$$$6666++++]#<8#<#>#> H H H H H&).**r