ug *ddlZddlZddlZddlZddlZddlZddlmZddlm Z m Z m Z m Z m Z mZddlmZddlmZddlZddlmZmZmZmZmZddlmZddlmZdd lmZm Z ed Z!ejDe#Z$gd Z%Gd d e&eZ'e(ejRejTzejVzZ,de&ddfdZ-e'j\j^e'j`j^gZ1de&ddfdZ2GddeZ3Gdde Z4GddeZ5y)N)Enum)castDictListOptional TypedDictTypeVar)override) SecretStr)ServerAuthenticationProviderClientAuthProviderClientAuthHeaders UserIdentity AuthError)System)ChromaAuthError)OpenTelemetryGranularity trace_methodT)!TokenAuthenticationServerProviderTokenAuthClientProviderTokenTransportHeaderceZdZdZdZdZy)rz. Accceptable token transport headers. AuthorizationzX-Chroma-TokenN)__name__ __module__ __qualname____doc__ AUTHORIZATIONX_CHROMA_TOKENW/var/www/openai/venv/lib/python3.12/site-packages/chromadb/auth/token_authn/__init__.pyrr(s$M%Nr"rtokenreturncTt|}td|Ds tdy)Nc3,K|] }|tvyw)N)valid_token_chars).0cs r# z_check_token..:s9y!q%%yszHInvalid token. Must contain only ASCII letters, digits, and punctuation.)strall ValueError)r$ token_strs r# _check_tokenr08s.E I 9y9 9 V   :r" token_headerc>|tvrtd|dty)Nz Invalid token transport header: z. Must be one of )allowed_token_headersr.)r1s r#_check_allowed_token_headersr4Fs400.|n=34 6  1r"cBeZdZdZdeddffd ZedefdZxZ S)rz Client auth provider for token-based auth. Header key will be either "Authorization" or "X-Chroma-Token" depending on `chroma_auth_token_transport_header`. If the header is "Authorization", the token is passed as a bearer token. systemr%Nct|||j|_|jj dt t |jj|_t|jj|jjrDt|jjt|jj|_ytj|_y)Nchroma_client_auth_credentials)super__init__settings _settingsrequirer r,r8_tokenr0get_secret_value"chroma_auth_token_transport_headerr4r_token_transport_headerr)selfr6 __class__s r#r:z TokenAuthClientProvider.__init__Vs   @AFOO$R$R ST T[[1134 ?? = = (BB ,@BB,D (,@+M+MD (r"c|jj}|jtjk(rd|}|jj t |iS)NBearer )r>r?rArrvaluer )rBvals r# authenticatez$TokenAuthClientProvider.authenticatehsSkk**,  ' '+?+M+M MC5/C  ( ( . . #  r") rrrrrr:r rrH __classcell__rCs@r#rrNs:NvN$N$ /  r"rc\eZdZUdZeed<eed<eeed<eeeed<eeed<y)Userz A simple User class for use in this module only. If you need a generic way to represent a User, please use UserIdentity as this class keeps track of sensitive tokens. idroletenant databasestokensN)rrrrr,__annotations__rrr!r"r#rLrLrs6 G I SMS "" Ir"rLc|eZdZdZdeddffd Zedeje de e e fde fdZ xZS) ra Server authentication provider for token-based auth. The provider will - On initialization, read the users from the file specified in `chroma_server_authn_credentials_file`. This file must be a well-formed YAML file with a top-level array called `users`. Each user must have an `id` field and a `tokens` (string array) field. - On each request, check the token in the header specified by `chroma_auth_token_transport_header`. If the configured header is "Authorization", the token is expected to be a bearer token. - If the token is valid, the server will return the user identity associated with the token. r6r%Nc rt|||j|_|jjrDt |jjt |jj|_nt j|_i|_ |j}t|dk(r&tdddgd|dg|j|d<yttttj dj#|d|_|j$D]}d|vr t'd d |vrd|d <d |vrdg|d <|dD]`}t)|||jvr6|j||k7r$t'd |d |dd|j|||j|<by)N anonymous*r)rMrOrPrNrQ usersrQzUser missing tokensrOrPzToken z+ already in use: wanted to use it for user rMz! but it's already in use by user )r9r:r;r<r@r4rrAr_token_user_mappingread_creds_or_creds_filelenrLrryaml safe_loadjoin_usersr.r0)rBr6credsuserr$rCs r#r:z*TokenAuthenticationServerProvider.__init__s   ?? = = (BB ,@BB,D (,@+M+MD (46 --/ u:?15% az 2D $ $U1X . 4:t~~dii6F'G'PQ KKDt# !677t#!$X$&%(E[!hU#T5550074?$ ( $T |, $ 8 8 ?@B 37((/( r"z.TokenAuthenticationServerProvider.authenticateheadersc X |jjj|jvr#t d|jjd||jjj}|jt j k(r3|jds t dtjdd|}|j}t|||jvr t dt|j|d|j|d |j|d  }|S#t$r+}tjd t!|Yd}~nd}~wt"$rw}t%j&|j(}|d }|j*}|j,}tjdt/|j0d|d|Yd}~nd}~wwxYwt3j4t7j8ddt;)NzAuthorization header 'z ' not foundrEz(Bearer not found in Authorization headerz^Bearer z%Invalid credentials: Token not found}rMrOrP)user_idrOrPz7TokenAuthenticationServerProvider.authenticate failed: zNTokenAuthenticationServerProvider.authenticate failed: Failed to authenticate z at :gMbP?g{Gzt?)rArFlowerkeysrrr startswithresubstripr0rZrloggerdebugrepr Exception traceback extract_tb __traceback__linenofilenametypertimesleeprandomuniformr) rBrcr$ user_identityetblast_call_stack line_numberrws r#authenticate_or_raisez7TokenAuthenticationServerProvider.authenticate_or_raises $ ++11779O,T-I-I-O-O,PP[\D88>>DDFGE++/C/Q/QQ'' 2#$NOO{B6KKME  D444 GHH(007=//6x@2259+FM !   LLI$q'S   %%aoo6B fO)00K&//H LL**.q'*:*:);4z;-Y    NN5% ( s%EE G6 !E33 G6?A-G11G6)rrrrrr:rrALLr rr,rrrIrJs@r#rrsa .7v.7$.7`8:R:V:V) T#s(^) ) ) r"r)6loggingr{rlstringryrsenumrtypingrrrrrr overridesr pydanticr r] chromadb.authr r rrrchromadb.configrchromadb.errorsr chromadb.telemetry.opentelemetryrrr getLoggerrro__all__r,rsetdigits ascii_letters punctuationr(r0rrFr r3r4rrLrr!r"r#rs AA #+  CL   8 $  &3 & (<(<