U /e0@sdZddlmZddlZeeZddlZddlZddl Z ddl Z ddl Z ddl Z ddlZddlZddlZddlmZmZmZmZddlmZddlmZdZd ZeeefZd d d d ZeefddddddZ eeddfdddddd dddZ!d ddddZ"d ddddZ#eefd dddd d!d"Z$eefd dd#dd$d%d&Z%d'd d(d)Z&d*dd+d,d-Z'ddd.d/d0d1Z(d2d d3d4d5Z)d2d6d7d8d9Z*d dd d:d;d<Z+d=d>efdd dd d?d@dAZ,e&\Z-Z.dS)Bz Utilities for generating and manipulating session IDs. A session ID would typically be associated with each browser tab viewing an application or plot. Each session has its own state separate from any other sessions hosted by the server. ) annotationsN)AnyDictTupleUnion)ID)settings)check_session_id_signaturecheck_token_signaturegenerate_secret_keygenerate_jwt_tokengenerate_session_idget_session_idget_token_payloadZ __bk__zlib_str)returncCstS)z Generate a new securely-generated secret key appropriate for SHA-256 HMAC signatures. This key could be used to sign Bokeh server session IDs, for example. )_get_random_stringrr4/tmp/pip-unpacked-wheel-f5fndrjf/bokeh/util/token.pyr Fsr z bytes | Noneboolr) secret_keysignedrcCs&t}|rd|t||g}t|S)a Generate a random session ID. Typically, each browser tab connected to a Bokeh application has its own session ID. In production deployments of a Bokeh app, session IDs should be random and unguessable - otherwise users of the app could interfere with one another. .)rjoin _signaturer)rr session_idrrrrNs ri,zTokenPayload | Noneint)rrr extra_payload expirationrc Csttj}|||d}|r`d|kr6tdt| d}t j |dd}t ||t <t t|} t|}|s~| S| dt| |S)axGenerates a JWT token given a session_id and additional payload. Args: session_id (str): The session id to add to the token secret_key (str, optional) : Secret key (default: value of BOKEH_SECRET_KEY environment varariable) signed (bool, optional) : Whether to sign the session ID (default: value of BOKEH_SIGN_SESSIONS envronment varariable) extra_payload (dict, optional) : Extra key/value pairs to include in the Bokeh session token expiration (int, optional) : Expiration time Returns: str )rZsession_expiryrz=extra_payload for session tokens may not contain 'session_id'utf-8 )levelr)calendartimegmdtdatetimeutcnow utctimetuple RuntimeErrorjsondumpsencodezlibcompress_base64_encode_TOKEN_ZLIB_KEY _ensure_bytesr) rrrrrnowpayloadZextra_payload_str compressedtokenrrrr \s r )r5rcCs tt|dd}|dS)zExtracts the session id from a JWT token. Args: token (str): A JWT token containing the session_id and other data. Returns: str rrr)r*loads_base64_decodesplit)r5decodedrrrrs r TokenPayloadcCsRtt|dd}t|krHtt|t}|t=|t||d=|S)zExtract the payload from the token. Args: token (str): A JWT token containing the session_id and other data. Returns: dict rrr)r*r6r7r8r0r- decompressupdate)r5r9 decompressedrrrrs r)r5rrrc Csnt|}|rj|dd}t|dkr(dS|d}|d}t||}t||}t|}t|||} |oh| SdS)auCheck the signature of a token and the contained signature. The server uses this function to check whether a token and the contained session id was generated with the correct secret key. If signed sessions are disabled, this function always returns True. Args: token (str) : The token to check secret_key (str, optional) : Secret key (default: value of BOKEH_SECRET_KEY environment variable) signed (bool, optional) : Whether to check anything (default: value of BOKEH_SIGN_SESSIONS environment variable) Returns: bool rrFrT)r1r8lenrhmaccompare_digestrr ) r5rrZ token_piecesZ base_tokenZprovided_token_signatureZexpected_token_signatureZ token_validrZsession_id_validrrrr s     r z bool | None)rrrrcCsNt|}|rJ|dd}t|dkr(dS|d}t|d|}t||SdS)zCheck the signature of a session ID, returning True if it's valid. The server uses this function to check whether a session ID was generated with the correct secret key. If signed sessions are disabled, this function always returns True. rr>rFrT)r1r8r?rr@rA)rrrZ id_piecesZprovided_id_signatureZexpected_id_signaturerrrr s   r zTuple[Any, bool]cCslddl}z|}d}||fWStk rfddl}|dtdkrV|dd}||fYSXdS)NrTzjA secure pseudo-random number generator is not available on your system. Falling back to Mersenne Twister.zA secure pseudo-random number generator is not available and no BOKEH_SECRET_KEY has been set. Setting a secret key will mitigate the lack of a secure generator.F)random SystemRandomNotImplementedErrorwarningswarnr r)rBZ sysrandomusing_sysrandomrErrr_get_sysrandoms    rHzUnion[str, bytes, None])rrcCs*|dkr dSt|tr|St|dSdSNr ) isinstancebytescodecsr,)rrrrr1s  r1None)rGrrcCsBt|}|s>tt|d}tt|dSrI) r1rBgetstatetimer,seedhashlibsha256digest)rGrdatarrr_reseed_if_needed srUzUnion[bytes, str])r9rcCs(t|}tt|d}t|dS)Nascii=)r1rLdecodebase64urlsafe_b64encoderrstrip)r9Zdecoded_as_bytesencodedrrrr/sr/rK)r\rcCs\t|trt|dn|}t|d}|dkr>|dd|}t|ddksRtt|S)NrVr=)rJrrLr,r?AssertionErrorrYurlsafe_b64decode)r\Zencoded_as_bytesmodrrrr7!s  r7)base_idrrcCs<t|}t|d}|dk s tt||tj}t| SrI) r1rLr,r_r@newrQrRr/rS)rbrZbase_id_encodedZsignerrrrr+s   r,Z>abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789)length allowed_charsrrcs.t|}tt|dfddt|DS)z Return a securely generated random string. With the a-z, A-Z, 0-9 character set: Length 12 is a 71-bit value. log_2((26+26+10)^12) =~ 71 Length 44 is a 261-bit value. log_2((26+26+10)^44) = 261 c3s|]}tVqdS)N)rBchoice).0_rfrr >sz%_get_random_string..)r1rUrGrrange)rerfrrrkrr2s  r)/__doc__ __future__rlogging getLogger__name__logrYr#rLr&r%rQr@r*rOr-typingrrrrZ core.typesrr __all__r0rr:r Zsecret_key_bytesZ sign_sessionsrr rrr r rHr1rUr/r7rrrBrGrrrrs\      ) +