dH2UdZddlmZddlZejeZddlZddlZddl Z ddl Z ddl Z ddl Z ddlZddlZddlZddlmZmZddlmZddlmZdd lmZerdd lmZd Zd ZeeefZd e d<d=dZ!ej"ej#fd>dZ$ej"ej#ddfd?dZ%d@d Z&dAd!Z'ej"ej#fdBd"Z(ej"ej#fdCd$Z)Gd%d&ej*Z+Gd'd(ej,Z-dDd*Z.dEd,Z/dFd/Z0dGd2Z1dHd5Z2dId7Z3d8d9ej"fdJd<Z4e.\Z5Z6dS)Kz Utilities for generating and manipulating session IDs. A session ID would typically be associated with each browser tab viewing an application or plot. Each session has its own state separate from any other sessions hosted by the server. ) annotationsN) TYPE_CHECKINGAny)ID)settings)warn) TypeAlias)check_session_id_signaturecheck_token_signaturegenerate_secret_keygenerate_jwt_tokengenerate_session_idget_session_idget_token_payload __bk__zlib_r TokenPayloadreturnstrctS)z Generate a new securely-generated secret key appropriate for SHA-256 HMAC signatures. This key could be used to sign Bokeh server session IDs, for example. )_get_random_string0lib/python3.11/site-packages/bokeh/util/token.pyrrEs   r secret_key bytes | Nonesignedboolrct}|r%d|t||g}t|S)a Generate a random session ID. Typically, each browser tab connected to a Bokeh application has its own session ID. In production deployments of a Bokeh app, session IDs should be random and unguessable - otherwise users of the app could interfere with one another. .)rjoin _signaturer)rr session_ids rrrMsD$%%J PXXz:j*+M+MNOO j>>ri,r$ extra_payloadTokenPayload | None expirationintc tjtj}|||zd}|rnd|vrt dtj|t d}tj |d}t||t<ttj|} t|}|s| S| dzt!| |zS) av Generates a JWT token given a session_id and additional payload. Args: session_id (str): The session id to add to the token secret_key (str, optional) : Secret key (default: value of BOKEH_SECRET_KEY environment variable) signed (bool, optional) : Whether to sign the session ID (default: value of BOKEH_SIGN_SESSIONS environment variable) extra_payload (dict, optional) : Extra key/value pairs to include in the Bokeh session token expiration (int, optional) : Expiration time Returns: str )r$session_expiryr$z=extra_payload for session tokens may not contain 'session_id'clsutf-8 )levelr!)calendartimegmdtdatetimeutcnow utctimetuple RuntimeErrorjsondumps _BytesEncoderencodezlibcompress_base64_encode_TOKEN_ZLIB_KEY _ensure_bytesr#) r$rrr%r'nowpayloadextra_payload_str compressedtokens rrr[s6 /"+,,..;;== > >C'3;KLLG> = ( (^__ _ J}-HHHOOPWXX]#4A>>> #1*#=#= 4:g.. / /Ez**J  3;E:66 66rrDctjt|dd}|dS)zExtracts the session id from a JWT token. Args: token (str): A JWT token containing the session_id and other data. Returns: str r!rr$)r7loads_base64_decodesplit)rDdecodeds rrrs7j C(8(8(;<<==G <  rcVtjt|dd}t|vrbt jt|t}|t=|tj|t|d=|S)zExtract the payload from the token. Args: token (str): A JWT token containing the session_id and other data. Returns: dict r!rr+r$) r7rFrGrHr>r; decompressupdate _BytesDecoder)rDrI decompresseds rrrsj C(8(8(;<<==G'!!~go6N'O'OPP O $tz,MBBBCCC  Nrc0t|}|r|dd}t|dkrdS|d}|d}t||}t j||}t |}t|||} |o| SdS)auCheck the signature of a token and the contained signature. The server uses this function to check whether a token and the contained session id was generated with the correct secret key. If signed sessions are disabled, this function always returns True. Args: token (str) : The token to check secret_key (str, optional) : Secret key (default: value of BOKEH_SECRET_KEY environment variable) signed (bool, optional) : Whether to check anything (default: value of BOKEH_SIGN_SESSIONS environment variable) Returns: bool r!r rFrT)r?rHlenr#hmaccompare_digestrr ) rDrr token_pieces base_tokenprovided_token_signatureexpected_token_signature token_validr$session_id_valids rr r s0z**J 0{{3** |   ! !5!!_ #/? #-j*#E#E ) $&>  $E** 5j*fUU/// 4r bool | Nonect|}|r^|dd}t|dkrdS|d}t|d|}t j||SdS)zCheck the signature of a session ID, returning True if it's valid. The server uses this function to check whether a session ID was generated with the correct secret key. If signed sessions are disabled, this function always returns True. r!r rFrT)r?rHrPr#rQrR)r$rr id_piecesprovided_id_signatureexpected_id_signatures rr r sz**J  $$S!,, y>>Q  5 )!  *9Q< D D" !#8    4rc eZdZdfd ZxZS)r9orrct|trtt|St |S)N)bytes) isinstanceradictr=superdefault)selfr_ __class__s rrez_BytesEncoder.defaultsD a   1nQ//000 0wwq!!!r)r_rrr)__name__ __module__ __qualname__re __classcell__rgs@rr9r9s=""""""""""rr9c(eZdZd fd Zd d ZxZS) rMargsrkwargsrNonecHtj|d|ji|dS)N object_hook)rd__init__bytes_object_hook)rfrnrorgs rrsz_BytesDecoder.__init__s-$MD,BMfMMMMMrobjdict[Any, Any]c|t|dhkrt|dS|S)Nra)setkeysrG)rfrus rrtz_BytesDecoder.bytes_object_hooks4 sxxzz??wi ' '!#g,// / r)rnrrorrrp)rurvrr)rhrirjrsrtrkrls@rrMrMsWNNNNNNrrMtuple[Any, bool]cddl} |}d}||fS#t$r:tdt jtdd}||fcYSwxYw)NrTzjA secure pseudo-random number generator is not available on your system. Falling back to Mersenne Twister.zA secure pseudo-random number generator is not available and no BOKEH_SECRET_KEY has been set. Setting a secret key will mitigate the lack of a secure generator.F)random SystemRandomNotImplementedErrorr rr)r| sysrandomusing_sysrandoms r_get_sysrandomrs MMM ''')) /)) ''' A B B B   ( E F F F &&&&'s AA$#A$str | bytes | Nonecb|dSt|tr|Stj|dSNr-)rbracodecsr:)rs rr?r? s7t J & &2}Z111rrrpc,t|}|sttj|}tt j|dSdSN) r?r|getstatetimer:seedhashlibsha256digest)rrdatas r_reseed_if_neededrsz**J 3//##@TY[[@*@@GGII GN4((//112222233rrI bytes | strct|}tjtj|d}t |dS)Nascii=)r?rdecodebase64urlsafe_b64encoderrstrip)rIdecoded_as_bytesencodeds rr=r=#sK%W--mF45EFFPPG w~~c"" # ##rrract|trtj|dn|}t |dz}|dkr |dd|z zz}t |dzdksJt j|S)Nrr=)rbrrr:rPrurlsafe_b64decode)rencoded_as_bytesmods rrGrG.s:DWc:R:R_v}Wg666X_   ! #C axx+tq3w/?@  ! !A %! + + + +  #$4 5 55rbase_idct|}tj|d}|Jtj||t j}t|Sr) r?rr:rQnewrrr=r)rrbase_id_encodedsigners rr#r#8sWz**JmGW55O  ! ! ! Xj/7> B BF &--// * **r,>abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789length allowed_charsct|}tt|dfdt |DS)z Return a securely generated random string. With the a-z, A-Z, 0-9 character set: Length 12 is a 71-bit value. log_2((26+26+10)^12) =~ 71 Length 44 is a 261-bit value. log_2((26+26+10)^44) = 261 c3LK|]}tVdSr)r|choice).0_rs r z%_get_random_string..Ls/GGA6==//GGGGGGr)r?rrr"range)rrrs ` rrr?sOz**Joz222 77GGGGvGGG G GGr)rr)rrrrrr) r$rrrrrr%r&r'r(rr)rDrrr)rDrrr)rDrrrrrrr)r$rrrrrYrr)rrz)rrrr)rrrrrrp)rIrrr)rrrra)rrrrrr)rr(rrrrrr)7__doc__ __future__rlogging getLoggerrhlogrr0rr3r2rrQr7rr;typingrr core.typesrrwarningsr typing_extensionsr __all__r>rcrr__annotations__rsecret_key_bytes sign_sessionsrrrrr r JSONEncoderr9 JSONDecoderrMrr?rr=rGr#rr|rrrrrsn#"""""g!!   %%%%%%%%,++++++    sCx. ((((    4M83L3N3N'=x'='?'?     3L(2K2M2M&&><@), '7'7'7'7'7R ! ! ! !&6OX5N5P5P)?)?)A)A(((((V;T(:S:U:U5KX5K5M5M:"""""D$""" D$''''(2222 3 3 3 3$$$$6666++++]#<8#<#>#> H H H H H&).**r