U d&3@sddlZddlZddlZddlZddlmZddlZddlZddl Zddl m Z ddl m Z ddlmZGdddeejjZGd d d eZGd d d eejjZGd ddeejjZGdddeejjZdS)N) urlencode)options) instantiate) BaseHandlerc@s0eZdZdZejjddZejjddZdS)GoogleAuth2LoginHandleroauthccsn|j|jd}|ddr@|j||ddV}||Vn*|j||j|jdddgddd id VdS) N redirect_uricodeFr r keyZprofileemailapproval_promptr client_idZscopeZ response_typeZ extra_paramssettings_OAUTH_SETTINGS_KEY get_argumentget_authenticated_user_on_authauthorize_redirectselfr userr5/tmp/pip-unpacked-wheel-3pokl8eb/flower/views/auth.pygets zGoogleAuth2LoginHandler.getc cs|stjdd|d}z |jddd|idV}Wn4tk rn}ztjdd|W5d}~XYnXt|j d d }t |j j j|sd j|d }tjd||d t||d|j j jpd}|j j jr|ddkrd|}||dS)NzGoogle auth failed access_tokenz)https://www.googleapis.com/userinfo/v2/me Authorizationz Bearer %sheaderszGoogle auth failed: %sutf-8r zlAccess denied to '{email}'. Please use another account or ask your admin to add your email to flower --auth.)r rnext/r)tornadoweb HTTPErrorget_auth_http_clientfetch Exceptionjsonloadsbodydecoderematch applicationrauthformatset_secure_cookiestrr url_prefixredirect)rrr responseer messagenext_rrrr&s, $z GoogleAuth2LoginHandler._on_authN) __name__ __module__ __qualname__rr'gen coroutinerrrrrrrs  rc@seZdZddZdS) LoginHandlercOsttjf||S)N)rrZ auth_provider)clsargskwargsrrr__new__EszLoginHandler.__new__N)r>r?r@rGrrrrrCDsrCc@sLeZdZdZdZdZdZejj ddZ ejj ddZ ejj d d Z d S) GithubLoginHandlerz(https://github.com/login/oauth/authorizez+https://github.com/login/oauth/access_tokenFrccst|||j|jd|j|jddd}|j|jdddd|d V}|jrftj d t |tj t |jd dS Nr secretauthorization_coder r rZ client_secretZ grant_typePOST!application/x-www-form-urlencodedapplication/jsonz Content-TypeAcceptmethodr#r/OAuth authenticator error: %sr$rrrr*r+_OAUTH_ACCESS_TOKEN_URLerrorr'r4 AuthErrorr7rAReturnr-r.r/r0rr r r/r:rrrrPs( z)GithubLoginHandler.get_authenticated_userccsl|j|jd}|ddr@|j||ddV}||Vn(|j||j|jddgdddid VdS) Nr r Fr r z user:emailrrrrrrrrrfs zGithubLoginHandler.getc#s|stjdd|d}jdd|dddV}fd d t|jd D}|snd }tjd | dt |  dj jjpd}j jjr|ddkrd|}|dS)NOAuth authentication failedr z"https://api.github.com/user/emailsztoken Tornado authr!z User-agentr"cs6g|].}|drtjjj|dr|dqS)Zverifiedr )r1r2r3rr4lower).0r rrr sz/GithubLoginHandler._on_auth..r$_Access denied. Please use another account or ask your admin to add your email to flower --auth.rrr%r&r)r'r(r)r*r+r-r.r/r0r6r7poprr3rr8r9)rrr r:Zemailsr<r=rrarrxs& zGithubLoginHandler._on_authN) r>r?r@_OAUTH_AUTHORIZE_URLrV_OAUTH_NO_CALLBACKSrr'rArBrrrrrrrrHIs  rHc@sHeZdZdZdZdZejjddZ ejjddZ ejjdd Z d S) GitLabLoginHandlerz"https://gitlab.com/oauth/authorizezhttps://gitlab.com/oauth/tokenFccst|||jdd|jdddd}|j|jdddd |d V}|jrbtjd t |tj t |jd dS) Nrr rJrKrLrMrNrOrPrRrTr$)rrr*r+rVrWr'r4rXr7rArYr-r.r/r0rZrrrrs$  z)GitLabLoginHandler.get_authenticated_userccsh|jdd}|ddr>|j||ddV}||Vn&|j||jdddgddd id VdS) Nrr r Fr r Zread_apirrr)rrrrrrrrrrs  zGitLabLoginHandler.getc #s|stjdd|d}tjdddddDz"|jd d |d d d V}Wn4t k r}ztjdd|W5d}~XYnXt |j dd}t|jjj|}g}rtjdd}|jd|fd |d d d V}fddt |j dD}|r2rDt|dkrDd} tjd| |dt||d|jjjphd} |jjjr| ddkrd| } || dS)Nr[r\r Z!FLOWER_GITLAB_AUTH_ALLOWED_GROUPSrcSsg|]}|r|qSr)stripr`grouprrrrbsz/GitLabLoginHandler._on_auth..,zhttps://gitlab.com/api/v4/userBearer r]r^r"rzGitLab auth failed: %sr$r ZFLOWER_GITLAB_MIN_ACCESS_LEVELZ20z4https://gitlab.com/api/v4/groups?min_access_level=%scs g|]}|dkr|dqS) full_pathidrriZallowed_groupsrrrbs rz@Access denied. Please use another account or contact your admin.rr%r&)r'r(r)osenvironrsplitr*r+r,r-r.r/r0r1r2r3rr4lenr6r7rr8r9) rrr r:r;Z user_emailZ email_allowedZmatching_groupsZmin_access_levelr<r=rrorrsH $ zGitLabLoginHandler._on_authN) r>r?r@rerVrfr'rArBrrrrrrrrgs  rgc@steZdZdZdZeddZeddZeddZed d Z e j j d d Z e j j d dZe j j ddZdS)OktaLoginHandlerFrcCs tjdS)NZFLOWER_OAUTH2_OKTA_BASE_URL)rprqrrarrrbase_urlszOktaLoginHandler.base_urlcCs d|jS)Nz{}/v1/authorizer5rurarrrresz%OktaLoginHandler._OAUTH_AUTHORIZE_URLcCs d|jS)Nz {}/v1/tokenrvrarrrrVsz(OktaLoginHandler._OAUTH_ACCESS_TOKEN_URLcCs d|jS)Nz{}/v1/userinforvrarrr_OAUTH_USER_INFO_URLsz%OktaLoginHandler._OAUTH_USER_INFO_URLccst|||j|jd|j|jddd}|j|jdddd|d V}|jrftj d t |tj t |jd dSrIrUrZrrrget_access_tokens( z!OktaLoginHandler.get_access_tokenccs|j|jd}|ddrz|dp(dd}|d}|dksJ||krVtjd|j||dd V}| |Vn@t t }| d||j||j|jd d gdd|id VdS) Nr r F oauth_stater$statez4OAuth authenticator error: State tokens do not matchr r z openid emailr)rrrZget_secure_cookier0r'r4rXrxrr7uuidZuuid4r6r)rr Zexpected_stateZreturned_stateaccess_token_responser{rrrrs,    zOktaLoginHandler.getc cs|stjdd|d}|j|jd|dddV}t|j d}| d pXd }| d oxt |jjj|}|sd }tjd ||dt||d|d|jjjpd}|jjjr|ddkrd|}||dS)Nr[r\r rlr]r^r"r$r remail_verifiedrcrrryr%r&r)r'r(r)r*r+rwr-r.r/r0rrhr1r2r3rr4r6r7Z clear_cookierr8r9) rr}r r:Z decoded_bodyr r~r<r=rrrr7s0  zOktaLoginHandler._on_authN)r>r?r@rfrpropertyrurerVrwr'rArBrxrrrrrrrts       rt)r-r1rpr| urllib.parserZ tornado.genr'Z tornado.webZ tornado.authZtornado.optionsrZcelery.utils.importsrZviewsrr4ZGoogleOAuth2MixinrrCZ OAuth2MixinrHrgrtrrrrs    3L]