o ȕh4@sddlZddlZddlZddlZddlmZddlZddlZddl Zddl m Z ddl m Z ddlmZddlmZdd Zd d ZGd d d eejjZGdddeZGdddeejjZGdddeejjZGdddeejjZdS)N) urlencode) instantiate)options) BaseHandler)NotFoundErrorHandlercCsDd|vr ||dvSd|vrt|dd}t||S||kS)N|*z\.\*z![A-Za-z0-9!#$%&'*+/=?^_`{|}~.\-]*)splitreescapereplace fullmatch)patternemailrN/var/www/Befach/backend/venv/lib/python3.10/site-packages/flower/views/auth.py authenticates  rcCsB|ddkr dSd|vrd|vrdSd|dddvrdSdS)Nr Fr@T)countrsplit)rrrrvalidate_auth_optionsrc@s eZdZdZddZddZdS)GoogleAuth2LoginHandleroauthcsx|j|jd}|ddr&|j||ddIdH}||IdHdS|j||j|jdddgddd id dS) N redirect_uricodeFrrkeyprofilerapproval_promptr client_idscope response_type extra_paramssettings_OAUTH_SETTINGS_KEY get_argumentget_authenticated_user_on_authauthorize_redirectselfruserrrrget)s   zGoogleAuth2LoginHandler.getc s|s tjdd|d}z|jddd|idIdH}Wnty7}z tjdd|d}~wwt|j d d }t |j j j |sXd |d }tjd||d t||d|j j jpid}|j j jrz|ddkrzd|}||dS)NzGoogle auth failed access_tokenz)https://www.googleapis.com/userinfo/v2/me AuthorizationBearer headerszGoogle auth failed: utf-8rzAccess denied to 'zS'. Please use another account or ask your admin to add your email to flower --auth.r1next/r)tornadoweb HTTPErrorget_auth_http_clientfetch Exceptionjsonloadsbodydecoder applicationrauthset_secure_cookiestrr+ url_prefixredirect)r0r1r4responseermessagenext_rrrr-:s,  z GoogleAuth2LoginHandler._on_authN)__name__ __module__ __qualname__r*r2r-rrrrr&s rc@seZdZddZdS) LoginHandlercOsttjptg|Ri|S)N)rr auth_providerr)clsargskwargsrrr__new__UszLoginHandler.__new__N)rPrQrRrXrrrrrSTs rSc@sPeZdZeddZdedZdedZdZdZ dd Z d d Z d d Z dS)GithubLoginHandlerFLOWER_GITHUB_OAUTH_DOMAINz github.comhttps://z/login/oauth/authorizez/login/oauth/access_tokenFrc|t|||j|jd|j|jddd}|j|jdddd|d IdH}|jr5tj d |t |j d S Nrsecretauthorization_coderrr$ client_secret grant_typePOST!application/x-www-form-urlencodedapplication/jsonz Content-TypeAcceptmethodr8rDOAuth authenticator error: r9rr)r*r?r@_OAUTH_ACCESS_TOKEN_URLerrorr<rG AuthErrorrBrCrDrEr0rrrDrLrrrr,b& z)GithubLoginHandler.get_authenticated_usercsv|j|jd}|ddr&|j||ddIdH}||IdHdS|j||j|jddgdddid dS) NrrFrrz user:emailr!r"r#r(r/rrrr2vs   zGithubLoginHandler.getcs|s tjdd|d}jdjdd|ddd IdH}fd d t|j d D}|s?d }tjd| dt |  djjjpRd}jjjrc|ddkrcd|}|dS)NOAuth authentication failedr4z https://api.z /user/emailsztoken Tornado authr5z User-agentr7cs4g|]}|drtjjj|dr|dqS)verifiedr)rrFrrGlower).0rr0rr s z/GithubLoginHandler._on_auth..r9_Access denied. Please use another account or ask your admin to add your email to flower --auth.r3r1r:r;r)r<r=r>r?r@ _OAUTH_DOMAINrBrCrDrErHrIpopr+rFrrJrK)r0r1r4rLemailsrNrOrrxrr-s(  zGithubLoginHandler._on_authN) rPrQrRosgetenvr{_OAUTH_AUTHORIZE_URLrl_OAUTH_NO_CALLBACKSr*r,r2r-rrrrrYYs   rYc@sLeZdZeddZdedZdedZdZddZ d d Z d d Z d S)GitLabLoginHandlerFLOWER_GITLAB_OAUTH_DOMAINz gitlab.comr[z/oauth/authorizez /oauth/tokenFcsxt|||jdd|jdddd}|j|jdddd |d IdH}|jr3tjd |t |j d S) Nrrr^r_r`rcrdrerfrhrjr9) rr)r?r@rlrmr<rGrnrBrCrDrErorrrr,s&   z)GitLabLoginHandler.get_authenticated_usercsr|jdd}|ddr%|j||ddIdH}||IdHdS|j||jdddgddd id dS) NrrrFrrread_apir!r"r#)r)r+r,r-r.r/rrrr2s    zGitLabLoginHandler.getc s|s tjdd|d}tjdddddDz|jd |j d d |d d dIdH}Wnt yM}z tjdd|d}~wwt |j dd}t|jjj|}g}rtjdd}|jd |j d|d |d d dIdH}fddt |j dD}|rrt|dkrd} tjd| |dt||d|jjjpd} |jjjr| ddkrd| } || dS)Nrqrrr4!FLOWER_GITLAB_AUTH_ALLOWED_GROUPSr"cSsg|]}|r|qSr)striprwgrouprrrrysz/GitLabLoginHandler._on_auth..,r[z /api/v4/userr6rsrtr7r3zGitLab auth failed: r9rFLOWER_GITLAB_MIN_ACCESS_LEVEL20z /api/v4/groups?min_access_level=cs g|] }|dvr|dqS) full_pathidrrallowed_groupsrrrys  rz@Access denied. Please use another account or contact your admin.r1r:r;)r<r=r>r~environr2r r?r@_OAUTH_GITLAB_DOMAINrArBrCrDrErrFrrGlenrHrIr+rJrK) r0r1r4rLrM user_email email_allowedmatching_groupsmin_access_levelrNrOrrrr-sN  zGitLabLoginHandler._on_authN) rPrQrRr~rrrrlrr,r2r-rrrrrs   rc@s\eZdZdZdZeddZeddZeddZed d Z d d Z d dZ ddZ dS)OktaLoginHandlerFrcCs tjdS)NFLOWER_OAUTH2_OKTA_BASE_URL)r~rr2rxrrrbase_url zOktaLoginHandler.base_urlcC |jdS)Nz /v1/authorizerrxrrrrrz%OktaLoginHandler._OAUTH_AUTHORIZE_URLcCr)Nz /v1/tokenrrxrrrrl rz(OktaLoginHandler._OAUTH_ACCESS_TOKEN_URLcCr)Nz /v1/userinforrxrrr_OAUTH_USER_INFO_URLrz%OktaLoginHandler._OAUTH_USER_INFO_URLcr\r]rkrorrrget_access_tokenrpz!OktaLoginHandler.get_access_tokencs|j|jd}|ddrC|dpdd}|d}|dus&||kr,tjd|j||dd IdH}| |IdHdSt t }| d||j||j|jd d gdd|id dS) NrrF oauth_stater9statez4OAuth authenticator error: State tokens do not matchrrz openid emailr#)r)r*r+get_secure_cookierEr<rGrnrr-rIuuiduuid4rHr.)r0rexpected_statereturned_stateaccess_token_responserrrrr2's.      zOktaLoginHandler.getc s|s tjdd|d}|j|jd|dddIdH}t|j d}| d p/d }| d o>t |j jj|}|sJd }tjd ||dt||d|d|j jjp`d}|j jjrq|ddkrqd|}||dS)Nrqrrr4r6rsrtr7r9rr"email_verifiedrzr3r1rr:r;r)r<r=r>r?r@rrBrCrDrEr2rrrFrrGrHrI clear_cookier+rJrK) r0rr4rL decoded_bodyrrrNrOrrrr-As2   zOktaLoginHandler._on_authN) rPrQrRrr*propertyrrrlrrr2r-rrrrrs     r)rBr~r r urllib.parser tornado.authr< tornado.gen tornado.webcelery.utils.importsrtornado.optionsrviewsr views.errorrrrrGGoogleOAuth2MixinrrS OAuth2MixinrYrrrrrrs&       .J\