ugJddlmZddlmZddlmZddlmZmZm Z m Z m Z m Z ddl mZddlmZddlmZmZe dZe d ZGd d eZe eefZGd d eZeGddZGddeZGddeeZeGddZGddeZy)) annotations)abstractmethod)Enum)AnyListOptionalDictTupleTypeVar) dataclass) SecretStr) ComponentSystemTSc eZdZy) AuthErrorN)__name__ __module__ __qualname__K/var/www/openai/venv/lib/python3.12/site-packages/chromadb/auth/__init__.pyrrsrrc6eZdZdZdfd ZeddZxZS)ClientAuthProviderz ClientAuthProvider is responsible for providing authentication headers for client requests. Client implementations (in our case, just the FastAPI client) must inject these headers into their requests. c$t||yNsuper__init__selfsystem __class__s rr zClientAuthProvider.__init__(  rcyrr)r"s r authenticatezClientAuthProvider.authenticate+ rr#rreturnNone)r*ClientAuthHeaders)rrr__doc__r rr' __classcell__r$s@rrr!s! !  rrcFeZdZUdZded<dZded<dZded<dZd ed <y) UserIdentitya UserIdentity represents the identity of a user. In general, not all fields will be populated, and the fields that are populated will depend on the authentication provider. The idea is that the AuthenticationProvider is responsible for populating _all_ information known about the user, and the AuthorizationProvider is responsible for making decisions based on that information. struser_idN Optional[str]tenantzOptional[List[str]] databaseszOptional[Dict[str, Any]] attributes)rrrr-__annotations__r5r6r7rrrr1r10s0L FM %)I"),0J(/rr1cVeZdZdZdfd ZeddZd dZd dZ d dZ xZ S) ServerAuthenticationProvidera ServerAuthenticationProvider is responsible for authenticating requests. If a ServerAuthenticationProvider is configured, it will be called by the server to authenticate requests. If no ServerAuthenticationProvider is configured, all requests will be authenticated. The ServerAuthenticationProvider should return a UserIdentity object if the request is authenticated for use by the ServerAuthorizationProvider. ct|||jj|_|jj |_yr)rr settingschroma_server_auth_ignore_paths_ignore_auth_paths;chroma_overwrite_singleton_tenant_database_access_from_auth4overwrite_singleton_tenant_database_access_from_authr!s rr z%ServerAuthenticationProvider.__init__Ps>   OO ; ;  OO W W Arcyrr)r"headerss rauthenticate_or_raisez2ServerAuthenticationProvider.authenticate_or_raiseYr(rc|||jjvr |j|j|vryy)NTF)r>keysupper)r"verbpaths rignore_operationz-ServerAuthenticationProvider.ignore_operation]s8 D++002 2  7 7 ==rc2d}d}|jjjr"t|jjd}|jjjr"t|jjd}|s |s t d|r |r t d|r"|j dDcgc]}|s| c}S|r&t|d5}|jcdddSt dcc}w#1swYt dxYw)N$chroma_server_authn_credentials_filechroma_server_authn_credentialszNNo credentials file or credentials found in [chroma_server_authn_credentials].zDBoth credentials file and credentials found.Please provide only one. rShould never happen) _systemr<rKr2rL ValueErrorsplitopen readlines)r" _creds_file_credscfs rread_creds_or_creds_filez5ServerAuthenticationProvider.read_creds_or_creds_filees  << E E %%&LMK << @ @../PQRF65  6+  %||D171!QA17 7 k3'1{{}('.// 8'.//s<C>C>DDc|jr|syd}d}|jr|jdk7r |j}|jr9t|jdk(r!|jddk7r|jd}||fS)aR If settings.chroma_overwrite_singleton_tenant_database_access_from_auth is False, this function always returns (None, None). If settings.chroma_overwrite_singleton_tenant_database_access_from_auth is True, follows the following logic: - If the user only has access to a single tenant, this function will return that tenant as its first return value. - If the user only has access to a single database, this function will return that database as its second return value. If the user has access to multiple tenants and/or databases, including "*", this function will return None for the corresponding value(s). - If the user has access to multiple tenants and/or databases this function will return None for the corresponding value(s). )NNN*r)r@r5r6len)r"userr5databases r'singleton_tenant_database_if_applicablezDServerAuthenticationProvider.singleton_tenant_database_if_applicablesy$HHPT ;;4;;#-[[F >>c$..1Q64>>!;LPS;S~~a(Hxrr))rBzDict[str, str]r*r1)rGr2rHr2r*boolr*z List[str])r^zOptional[UserIdentity]r*z#Tuple[Optional[str], Optional[str]]) rrrr-r rrCrIrYr`r.r/s@rr:r:Es@   06 * , rr:cdeZdZdZdZdZdZdZdZdZ dZ d Z d Z d Z d Zd ZdZdZdZdZdZdZdZdZdZy) AuthzActionzR The set of actions that can be authorized by the authorization provider. z system:resetztenant:create_tenantztenant:get_tenantzdb:create_databasezdb:get_databasezdb:delete_databasezdb:list_databaseszdb:list_collectionszdb:count_collectionszdb:create_collectionzdb:get_or_create_collectionzcollection:get_collectionzcollection:delete_collectionzcollection:update_collectionzcollection:addzcollection:deletezcollection:getzcollection:queryzcollection:countzcollection:updatezcollection:upsertN)rrrr-RESET CREATE_TENANT GET_TENANTCREATE_DATABASE GET_DATABASEDELETE_DATABASELIST_DATABASESLIST_COLLECTIONSCOUNT_COLLECTIONSCREATE_COLLECTIONGET_OR_CREATE_COLLECTIONGET_COLLECTIONDELETE_COLLECTIONUPDATE_COLLECTIONADDDELETEGETQUERYCOUNTUPDATEUPSERTrrrrdrdsx E*M$J*O$L*O(N,..<0N66 C F C E E F Frrdc0eZdZUdZded<ded<ded<y) AuthzResourcezB The resource being accessed in an authorization request. r4r5r_ collectionN)rrrr-r8rrrr{r{s rr{cNeZdZdZdfd Ze ddZddZxZS)ServerAuthorizationProviderat ServerAuthorizationProvider is responsible for authorizing requests. If a ServerAuthorizationProvider is configured, it will be called by the server to authorize requests. If no ServerAuthorizationProvider is configured, all requests will be authorized. ServerAuthorizationProvider should raise an exception if the request is not authorized. c$t||yrrr!s rr z$ServerAuthorizationProvider.__init__r%rcyrr)r"r^actionresources rauthorize_or_raisez.ServerAuthorizationProvider.authorize_or_raises rc d}d}|jjjr|jjd}|jjjr"t |jjd}|s |s t d|r |r t d|r"|j dDcgc]}|s| c}S|r&t|d5}|jcdddSt dcc}w#1swYt dxYw)Nchroma_server_authz_config_filechroma_server_authz_configz9No authz configuration file or authz configuration found.zTBoth authz configuration file and authz configuration found.Please provide only one.rMrNrO) rPr<rrr2rQrRrSrT)r" _config_file_configrWrXs rread_config_or_config_filez6ServerAuthorizationProvider.read_config_or_config_files  << @ @<<001RSL << ; ;$,,//0LMNGGK  G+  &}}T282!aA28 8 lC(A{{})(.// 9(.//s3C5;C5C::D r))r^r1rrdrr{r*r+rb) rrrr-r rrrr.r/s@rr~r~sF!   *5 AN   0rr~N) __future__rabcrenumrtypingrrrr r r dataclassesr pydanticr chromadb.configrrrr Exceptionrr2r,rr1r:rdr{r~rrrrs""  CL CL  i(     00 0(U 9U p!#t!8  )0))0r