U /e6@sddlmZddlZddlZddlZddlZddlZddlZddlZddl m Z dZ ej dkshej dkrddd d d d Zddd d d dZn$ddd d dd Zddd d ddZGdddZdS)) annotationsN) get_template)Security) )rrzssl.SSLContextzssl.TLSVersionNone)ctxversionreturncCs ||_dSN)minimum_versionr r r8/tmp/pip-unpacked-wheel-g426oqom/distributed/security.py_set_minimum_versionsrcCs ||_dSr )maximum_versionrrrr_set_maximum_versionsrcCs@|tjjk rtd||jtjtjBtjBtjBO_dSNzUnsupported TLS/SSL version: ) ssl TLSVersionTLSv1_2 ValueErroroptions OP_NO_SSLv2 OP_NO_SSLv3 OP_NO_TLSv1 OP_NO_TLSv1_1rrrrr$s  cCs|tjjk rtd|dSr)rrrrrrrrr/s c@steZdZdZdZdddZeddZdd Zdd d Z d d Z ddZ ddZ ddZ ddZddZddZdS)ra4Security configuration for a Dask cluster. Default values are loaded from Dask's configuration files, and can be overridden in the constructor. Parameters ---------- require_encryption : bool, optional Whether TLS encryption is required for all connections. tls_ca_file : str, optional Path to a CA certificate file encoded in PEM format. tls_ciphers : str, optional An OpenSSL cipher string of allowed ciphers. If not provided, the system defaults will be used. tls_min_version : ssl.TLSVersion, optional The minimum TLS version to support. Defaults to TLS 1.2. tls_max_version : ssl.TLSVersion, optional The maximum TLS version to support. Defaults to the maximum version supported. tls_client_cert : str, optional Path to a certificate file for the client, encoded in PEM format. tls_client_key : str, optional Path to a key file for the client, encoded in PEM format. Alternatively, the key may be appended to the cert file, and this parameter be omitted. tls_scheduler_cert : str, optional Path to a certificate file for the scheduler, encoded in PEM format. tls_scheduler_key : str, optional Path to a key file for the scheduler, encoded in PEM format. Alternatively, the key may be appended to the cert file, and this parameter be omitted. tls_worker_cert : str, optional Path to a certificate file for a worker, encoded in PEM format. tls_worker_key : str, optional Path to a key file for a worker, encoded in PEM format. Alternatively, the key may be appended to the cert file, and this parameter be omitted. extra_conn_args : mapping, optional Mapping with keyword arguments to pass down to connections. ) require_encryption tls_ca_file tls_cipherstls_min_versiontls_max_versiontls_client_keytls_client_certtls_scheduler_keytls_scheduler_certtls_worker_keytls_worker_certextra_conn_argsNcKstjdkr tdtjdtt||j}|rDt dt || di|_ |dkrft jd}|dkrvt|}||_||dd||d d tjj||d d ||d d||dd||dd||dd||dd||dd||dddS)N)rrrz support for z7 is deprecated, and will be removed in a future releasezUnknown parameters: %rr*z#distributed.comm.require-encryptionr!zdistributed.comm.tls.ciphersr"z distributed.comm.tls.min-versionr#z distributed.comm.tls.max-versionr zdistributed.comm.tls.ca-filer$zdistributed.comm.tls.client.keyr%z distributed.comm.tls.client.certr&z"distributed.comm.tls.scheduler.keyr'z#distributed.comm.tls.scheduler.certr(zdistributed.comm.tls.worker.keyr)z distributed.comm.tls.worker.cert)rOPENSSL_VERSION_INFOwarningswarnOPENSSL_VERSIONDeprecationWarningset difference __slots__ TypeErrorsortedpopr*daskconfiggetboolr _set_field_set_tls_version_fieldrr)selfrkwargsextrarrr__init__rsR   zSecurity.__init__c KsRzDddlm}ddlm}ddlm}m}ddlm}ddl m }Wnt k r`t dYnX|j dd |d }|j |jj|jj|d } |||jd g} ||d g} tj} || | j| d d| |!"| #| tj$dd%||&|} | '|jj}|fd|| || || |d|S)aJCreate a new temporary Security object. This creates a new self-signed key/cert pair suitable for securing communication for all roles in a Dask cluster. These keys/certs exist only in memory, and are stored in this object. This method requires the library ``cryptography`` be installed. r)x509)default_backend)hashes serialization)rsa)NameOIDz_Using `Security.temporary` requires `cryptography`, please install it using either pip or condaii)Zpublic_exponentZkey_sizebackend)encodingformatZencryption_algorithmz dask-internalF)criticalim)daysT)rr r$r%r&r'r(r))(Z cryptographyr@Zcryptography.hazmat.backendsrAZcryptography.hazmat.primitivesrBrCZ)cryptography.hazmat.primitives.asymmetricrDZcryptography.x509.oidrE ImportErrorZgenerate_private_keyZ private_bytesEncodingZPEMZ PrivateFormatZPKCS8Z NoEncryptiondecodeNameZ NameAttributeZ COMMON_NAMEZSubjectAlternativeNameZDNSNamedatetimeutcnowZCertificateBuilderZ subject_nameZ issuer_name add_extensionZ public_keyZ serial_numberZrandom_serial_numberZnot_valid_beforeZnot_valid_after timedeltasignSHA256Z public_bytes)clsr=r@rArBrCrDrEkeyZ key_contentsZ dask_internalZaltnamesnowcertZ cert_contentsrrr temporarysv         zSecurity.temporarycCs.||kr||}n tj|}t|||dSr )r6r7r8setattr)r<r=field config_namevalrrrr:s  zSecurity._set_fieldcCs||krT||}dtjjtjjh}||krFt|d|dt||dkr|}nN|tjjtjjd}tj|}||kr||}nt|d|dt|t |||dS)N=z# is not supported, expected one of )Ng333333?g?) rrrTLSv1_3rlistr6r7r8rZ)r<r=r[r\defaultr]Zvalidrrrr;s(  zSecurity._set_tls_version_fieldcCst|j}|di}|D]^}t||}|dk rt|trNd|krNd||<qt|trrdtj|d||<q|||<q|S)Nr* zTemporary (In-memory)zLocal ()) r4r2removegetattr isinstancestrospathabspath)r<keysattrkr]rrr _attr_to_dicts      zSecurity._attr_to_dictcCs(|}dddd|DdS)Nz Security(z, css |]\}}|d|VqdS)r^Nr).0rVvaluerrr sz$Security.__repr__..rc)rnjoinitems)r<rlrrr__repr__ szSecurity.__repr__cCstdj|dS)Nzsecurity.html.j2)security)rrenderrn)r<rrr _repr_html_szSecurity._repr_html_cCs<|dkrtd||j|jt|d|t|d|dS)zR Return the TLS configuration for the given role, as a flat dict. >client schedulerworkerz unknown role z tls_%s_certz tls_%s_key)ca_fileciphersrXrV)rr r!re)r<rolerrrget_tls_config_for_roles  z Security.get_tls_config_for_rolec Csj|drf|drf|d}|d}}|d}}d|krRtj||d}ntj||d}t||j|jdk rt||jd|k} |dk od|k} | s| r,tx} | rt j | d}t |d} | |W5QRX| rt j | d }t |d} | |W5QRX|||W5QRXn |||tj|_d |_|d rb||d |SdS) Nr{rXrVrb)purposecadata)rcafilezdask.crtwzdask.pemFr|)r8rcreate_default_contextrr"r#rtempfileTemporaryDirectoryrhrirropenwriteload_cert_chain CERT_REQUIRED verify_modecheck_hostname set_ciphers) r<tlsrcaZ cert_pathrXZkey_pathrVr Zcert_in_memoryZ key_in_memorytempdirfrrr_get_tls_context"s:          zSecurity._get_tls_contextcCs&||}||tjj|j|jdS)zh Get the *connection_args* argument for a connect() call with the given *role*. ) ssl_contextrr*)r~rrPurpose SERVER_AUTHrr*r<r}rrrrget_connection_argsOs  zSecurity.get_connection_argscCs"||}||tjj|jdS)zg Get the *connection_args* argument for a listen() call with the given *role*. )rr)r~rrr CLIENT_AUTHrrrrrget_listen_args[s zSecurity.get_listen_args)N)N)__name__ __module__ __qualname____doc__r2r? classmethodrYr:r;rnrtrwr~rrrrrrrr9s) ( <  - r) __future__rrOrhrsysrr,r6Z dask.widgetsr__all__ version_infor+rrrrrrrs