upstream/ipython Commit - r17153:8449bcd6

Backport PR : make CORS configurable...

MinRK -

r17153:8449bcd6

parent child

IPython/html/base/handlers.py

0 +42 0

             """Base Tornado handlers for the notebook.
             Authors:
             * Brian Granger
             """
             #-----------------------------------------------------------------------------
             #  Copyright (C) 2011  The IPython Development Team
             #
             #  Distributed under the terms of the BSD License.  The full license is in
             #  the file COPYING, distributed as part of this software.
             #-----------------------------------------------------------------------------
             #-----------------------------------------------------------------------------
             # Imports
             #-----------------------------------------------------------------------------
             import functools
             import json
             import logging
             import os
             import re
             import sys
             import traceback
             try:
                 # py3
                 from http.client import responses
             except ImportError:
                 from httplib import responses
             from jinja2 import TemplateNotFound
             from tornado import web
             try:
                 from tornado.log import app_log
             except ImportError:
                 app_log = logging.getLogger()
             from IPython.config import Application
             from IPython.utils.path import filefind
             from IPython.utils.py3compat import string_types
             from IPython.html.utils import is_hidden
             #-----------------------------------------------------------------------------
             # Top-level handlers
             #-----------------------------------------------------------------------------
             non_alphanum = re.compile(r'[^A-Za-z0-9]')
             class AuthenticatedHandler(web.RequestHandler):
                 """A RequestHandler with an authenticated user."""
                 def set_default_headers(self):
                     headers = self.settings.get('headers', {})
                     for header_name,value in headers.items() :
                         try:
                             self.set_header(header_name, value)
                         except Exception:
                             # tornado raise Exception (not a subclass)
                             # if method is unsupported (websocket and Access-Control-Allow-Origin
                             # for example, so just ignore)
                             pass
                 def clear_login_cookie(self):
                     self.clear_cookie(self.cookie_name)
                 def get_current_user(self):
                     user_id = self.get_secure_cookie(self.cookie_name)
                     # For now the user_id should not return empty, but it could eventually
                     if user_id == '':
                         user_id = 'anonymous'
                     if user_id is None:
                         # prevent extra Invalid cookie sig warnings:
                         self.clear_login_cookie()
                         if not self.login_available:
                             user_id = 'anonymous'
                     return user_id
                 @property
                 def cookie_name(self):
                     default_cookie_name = non_alphanum.sub('-', 'username-{}'.format(
                         self.request.host
                     ))
                     return self.settings.get('cookie_name', default_cookie_name)
                 @property
                 def password(self):
                     """our password"""
                     return self.settings.get('password', '')
                 @property
                 def logged_in(self):
                     """Is a user currently logged in?
                     """
                     user = self.get_current_user()
                     return (user and not user == 'anonymous')
                 @property
                 def login_available(self):
                     """May a user proceed to log in?
                     This returns True if login capability is available, irrespective of
                     whether the user is already logged in or not.
                     """
                     return bool(self.settings.get('password', ''))
             class IPythonHandler(AuthenticatedHandler):
                 """IPython-specific extensions to authenticated handling
                 Mostly property shortcuts to IPython-specific settings.
                 """
                 @property
                 def config(self):
                     return self.settings.get('config', None)
                 @property
                 def log(self):
                     """use the IPython log by default, falling back on tornado's logger"""
                     if Application.initialized():
                         return Application.instance().log
                     else:
                         return app_log
                 #---------------------------------------------------------------
                 # URLs
                 #---------------------------------------------------------------
                 @property
                 def mathjax_url(self):
                     return self.settings.get('mathjax_url', '')
                 @property
                 def base_url(self):
                     return self.settings.get('base_url', '/')
                 #---------------------------------------------------------------
                 # Manager objects
                 #---------------------------------------------------------------
                 @property
                 def kernel_manager(self):
                     return self.settings['kernel_manager']
                 @property
                 def notebook_manager(self):
                     return self.settings['notebook_manager']
                 @property
                 def cluster_manager(self):
                     return self.settings['cluster_manager']
                 @property
                 def session_manager(self):
                     return self.settings['session_manager']
                 @property
                 def project_dir(self):
                     return self.notebook_manager.notebook_dir
                 #---------------------------------------------------------------
+                # CORS
+                #---------------------------------------------------------------
+                @property
+                def allow_origin(self):
+                    """Normal Access-Control-Allow-Origin"""
+                    return self.settings.get('allow_origin', '')
+                @property
+                def allow_origin_pat(self):
+                    """Regular expression version of allow_origin"""
+                    return self.settings.get('allow_origin_pat', None)
+                @property
+                def allow_credentials(self):
+                    """Whether to set Access-Control-Allow-Credentials"""
+                    return self.settings.get('allow_credentials', False)
+                def set_default_headers(self):
+                    """Add CORS headers, if defined"""
+                    super(IPythonHandler, self).set_default_headers()
+                    if self.allow_origin:
+                        self.set_header("Access-Control-Allow-Origin", self.allow_origin)
+                    elif self.allow_origin_pat:
+                        origin = self.get_origin()
+                        if origin and self.allow_origin_pat.match(origin):
+                            self.set_header("Access-Control-Allow-Origin", origin)
+                    if self.allow_credentials:
+                        self.set_header("Access-Control-Allow-Credentials", 'true')
+                def get_origin(self):
+                    # Handle WebSocket Origin naming convention differences
+                    # The difference between version 8 and 13 is that in 8 the
+                    # client sends a "Sec-Websocket-Origin" header and in 13 it's
+                    # simply "Origin".
+                    if "Origin" in self.request.headers:
+                        origin = self.request.headers.get("Origin")
+                    else:
+                        origin = self.request.headers.get("Sec-Websocket-Origin", None)
+                    return origin
+                #---------------------------------------------------------------
                 # template rendering
                 #---------------------------------------------------------------
                 def get_template(self, name):
                     """Return the jinja template object for a given name"""
                     return self.settings['jinja2_env'].get_template(name)
                 def render_template(self, name, **ns):
                     ns.update(self.template_namespace)
                     template = self.get_template(name)
                     return template.render(**ns)
                 @property
                 def template_namespace(self):
                     return dict(
                         base_url=self.base_url,
                         logged_in=self.logged_in,
                         login_available=self.login_available,
                         static_url=self.static_url,
                     )
                 def get_json_body(self):
                     """Return the body of the request as JSON data."""
                     if not self.request.body:
                         return None
                     # Do we need to call body.decode('utf-8') here?
                     body = self.request.body.strip().decode(u'utf-8')
                     try:
                         model = json.loads(body)
                     except Exception:
                         self.log.debug("Bad JSON: %r", body)
                         self.log.error("Couldn't parse JSON", exc_info=True)
                         raise web.HTTPError(400, u'Invalid JSON in body of request')
                     return model
                 def get_error_html(self, status_code, **kwargs):
                     """render custom error pages"""
                     exception = kwargs.get('exception')
                     message = ''
                     status_message = responses.get(status_code, 'Unknown HTTP Error')
                     if exception:
                         # get the custom message, if defined
                         try:
                             message = exception.log_message % exception.args
                         except Exception:
                             pass
                         # construct the custom reason, if defined
                         reason = getattr(exception, 'reason', '')
                         if reason:
                             status_message = reason
                     # build template namespace
                     ns = dict(
                         status_code=status_code,
                         status_message=status_message,
                         message=message,
                         exception=exception,
                     )
                     # render the template
                     try:
                         html = self.render_template('%s.html' % status_code, **ns)
                     except TemplateNotFound:
                         self.log.debug("No template for %d", status_code)
                         html = self.render_template('error.html', **ns)
                     return html
             class Template404(IPythonHandler):
                 """Render our 404 template"""
                 def prepare(self):
                     raise web.HTTPError(404)
             class AuthenticatedFileHandler(IPythonHandler, web.StaticFileHandler):
                 """static files should only be accessible when logged in"""
                 @web.authenticated
                 def get(self, path):
                     if os.path.splitext(path)[1] == '.ipynb':
                         name = os.path.basename(path)
                         self.set_header('Content-Type', 'application/json')
                         self.set_header('Content-Disposition','attachment; filename="%s"' % name)
                     return web.StaticFileHandler.get(self, path)
                 def compute_etag(self):
                     return None
                 def validate_absolute_path(self, root, absolute_path):
                     """Validate and return the absolute path.
                     Requires tornado 3.1
                     Adding to tornado's own handling, forbids the serving of hidden files.
                     """
                     abs_path = super(AuthenticatedFileHandler, self).validate_absolute_path(root, absolute_path)
                     abs_root = os.path.abspath(root)
                     if is_hidden(abs_path, abs_root):
                         self.log.info("Refusing to serve hidden file, via 404 Error")
                         raise web.HTTPError(404)
                     return abs_path
             def json_errors(method):
                 """Decorate methods with this to return GitHub style JSON errors.
                 This should be used on any JSON API on any handler method that can raise HTTPErrors.
                 This will grab the latest HTTPError exception using sys.exc_info
                 and then:
 . Set the HTTP status code based on the HTTPError
 . Create and return a JSON body with a message field describing
                    the error in a human readable form.
                 """
                 @functools.wraps(method)
                 def wrapper(self, *args, **kwargs):
                     try:
                         result = method(self, *args, **kwargs)
                     except web.HTTPError as e:
                         status = e.status_code
                         message = e.log_message
                         self.log.warn(message)
                         self.set_status(e.status_code)
                         self.finish(json.dumps(dict(message=message)))
                     except Exception:
                         self.log.error("Unhandled error in API request", exc_info=True)
                         status = 500
                         message = "Unknown server error"
                         t, value, tb = sys.exc_info()
                         self.set_status(status)
                         tb_text = ''.join(traceback.format_exception(t, value, tb))
                         reply = dict(message=message, traceback=tb_text)
                         self.finish(json.dumps(reply))
                     else:
                         return result
                 return wrapper
             #-----------------------------------------------------------------------------
             # File handler
             #-----------------------------------------------------------------------------
             # to minimize subclass changes:
             HTTPError = web.HTTPError
             class FileFindHandler(web.StaticFileHandler):
                 """subclass of StaticFileHandler for serving files from a search path"""
                 # cache search results, don't search for files more than once
                 _static_paths = {}
                 def initialize(self, path, default_filename=None):
                     if isinstance(path, string_types):
                         path = [path]
                     self.root = tuple(
                         os.path.abspath(os.path.expanduser(p)) + os.sep for p in path
                     )
                     self.default_filename = default_filename
                 def compute_etag(self):
                     return None
                 @classmethod
                 def get_absolute_path(cls, roots, path):
                     """locate a file to serve on our static file search path"""
                     with cls._lock:
                         if path in cls._static_paths:
                             return cls._static_paths[path]
                         try:
                             abspath = os.path.abspath(filefind(path, roots))
                         except IOError:
                             # IOError means not found
                             return ''
                         cls._static_paths[path] = abspath
                         return abspath
                 def validate_absolute_path(self, root, absolute_path):
                     """check if the file should be served (raises 404, 403, etc.)"""
                     if absolute_path == '':
                         raise web.HTTPError(404)
                     for root in self.root:
                         if (absolute_path + os.sep).startswith(root):
                             break
                     return super(FileFindHandler, self).validate_absolute_path(root, absolute_path)
             class TrailingSlashHandler(web.RequestHandler):
                 """Simple redirect handler that strips trailing slashes
                 This should be the first, highest priority handler.
                 """
                 SUPPORTED_METHODS = ['GET']
                 def get(self):
                     self.redirect(self.request.uri.rstrip('/'))
             #-----------------------------------------------------------------------------
             # URL pattern fragments for re-use
             #-----------------------------------------------------------------------------
             path_regex = r"(?P<path>(?:/.*)*)"
             notebook_name_regex = r"(?P<name>[^/]+\.ipynb)"
             notebook_path_regex = "%s/%s" % (path_regex, notebook_name_regex)
             #-----------------------------------------------------------------------------
             # URL to handler mappings
             #-----------------------------------------------------------------------------
             default_handlers = [
                 (r".*/", TrailingSlashHandler)
             ]

IPython/html/base/zmqhandlers.py

0 +34 -17

             """Tornado handlers for WebSocket <-> ZMQ sockets.
             Authors:
             * Brian Granger
             """
             #-----------------------------------------------------------------------------
             #  Copyright (C) 2008-2011  The IPython Development Team
             #
             #  Distributed under the terms of the BSD License.  The full license is in
             #  the file COPYING, distributed as part of this software.
             #-----------------------------------------------------------------------------
             #-----------------------------------------------------------------------------
             # Imports
             #-----------------------------------------------------------------------------
             try:
                 from urllib.parse import urlparse # Py 3
             except ImportError:
                 from urlparse import urlparse # Py 2
             try:
                 from http.cookies import SimpleCookie  # Py 3
             except ImportError:
                 from Cookie import SimpleCookie  # Py 2
             import logging
+            import tornado
             from tornado import web
             from tornado import websocket
             from zmq.utils import jsonapi
             from IPython.kernel.zmq.session import Session
             from IPython.utils.jsonutil import date_default
             from IPython.utils.py3compat import PY3, cast_unicode
             from .handlers import IPythonHandler
             #-----------------------------------------------------------------------------
             # ZMQ handlers
             #-----------------------------------------------------------------------------
             class ZMQStreamHandler(websocket.WebSocketHandler):
-                def same_origin(self):
+                def check_origin(self, origin):
-                    """Check to see that origin and host match in the headers."""
+                    """Check Origin == Host or Access-Control-Allow-Origin.
-                    # The difference between version 8 and 13 is that in 8 the
+                    Tornado >= 4 calls this method automatically, raising 403 if it returns False.
-                    # client sends a "Sec-Websocket-Origin" header and in 13 it's
+                    We call it explicitly in `open` on Tornado < 4.
-                    # simply "Origin".
+                    """
-                    if self.request.headers.get("Sec-WebSocket-Version") in ("7", "8"):
+                    if self.allow_origin == '*':
-                        origin_header = self.request.headers.get("Sec-Websocket-Origin")
+                        return True
-                    else:
-                        origin_header = self.request.headers.get("Origin")
                     host = self.request.headers.get("Host")
                     # If no header is provided, assume we can't verify origin
-                    if(origin_header is None or host is None):
+                    if(origin is None or host is None):
                         return False
-                    parsed_origin = urlparse(origin_header)
+                    host_origin = "{0}://{1}".format(self.request.protocol, host)
-                    origin = parsed_origin.netloc
-                    # Check to see that origin matches host directly, including ports
+                    # OK if origin matches host
-                    return origin == host
+                    if origin == host_origin:
+                        return True
+                    # Check CORS headers
+                    if self.allow_origin:
+                        return self.allow_origin == origin
+                    elif self.allow_origin_pat:
+                        return bool(self.allow_origin_pat.match(origin))
+                    else:
+                        # No CORS headers deny the request
+                        return False
                 def clear_cookie(self, *args, **kwargs):
                     """meaningless for websockets"""
                     pass
                 def _reserialize_reply(self, msg_list):
                     """Reserialize a reply message using JSON.
                     This takes the msg list from the ZMQ socket, unserializes it using
                     self.session and then serializes the result using JSON. This method
                     should be used by self._on_zmq_reply to build messages that can
                     be sent back to the browser.
                     """
                     idents, msg_list = self.session.feed_identities(msg_list)
                     msg = self.session.unserialize(msg_list)
                     try:
                         msg['header'].pop('date')
                     except KeyError:
                         pass
                     try:
                         msg['parent_header'].pop('date')
                     except KeyError:
                         pass
                     msg.pop('buffers')
                     return jsonapi.dumps(msg, default=date_default)
                 def _on_zmq_reply(self, msg_list):
                     # Sometimes this gets triggered when the on_close method is scheduled in the
                     # eventloop but hasn't been called.
                     if self.stream.closed(): return
                     try:
                         msg = self._reserialize_reply(msg_list)
                     except Exception:
                         self.log.critical("Malformed message: %r" % msg_list, exc_info=True)
                     else:
                         self.write_message(msg)
                 def allow_draft76(self):
                     """Allow draft 76, until browsers such as Safari update to RFC 6455.
                     This has been disabled by default in tornado in release 2.2.0, and
                     support will be removed in later versions.
                     """
                     return True
             class AuthenticatedZMQStreamHandler(ZMQStreamHandler, IPythonHandler):
+                def set_default_headers(self):
+                    """Undo the set_default_headers in IPythonHandler
+                    which doesn't make sense for websockets
+                    """
+                    pass
                 def open(self, kernel_id):
                     self.kernel_id = cast_unicode(kernel_id, 'ascii')
                     # Check to see that origin matches host directly, including ports
-                    if not self.same_origin():
+                    # Tornado 4 already does CORS checking
-                        self.log.warn("Cross Origin WebSocket Attempt.")
+                    if tornado.version_info[0] < 4:
-                        raise web.HTTPError(404)
+                        if not self.check_origin(self.get_origin()):
+                            self.log.warn("Cross Origin WebSocket Attempt from %s", self.get_origin())
+                            raise web.HTTPError(403)
                     self.session = Session(config=self.config)
                     self.save_on_message = self.on_message
                     self.on_message = self.on_first_message
                 def _inject_cookie_message(self, msg):
                     """Inject the first message, which is the document cookie,
                     for authentication."""
                     if not PY3 and isinstance(msg, unicode):
                         # Cookie constructor doesn't accept unicode strings
                         # under Python 2.x for some reason
                         msg = msg.encode('utf8', 'replace')
                     try:
                         identity, msg = msg.split(':', 1)
                         self.session.session = cast_unicode(identity, 'ascii')
                     except Exception:
                         logging.error("First ws message didn't have the form 'identity:[cookie]' - %r", msg)
                     try:
                         self.request._cookies = SimpleCookie(msg)
                     except:
                         self.log.warn("couldn't parse cookie string: %s",msg, exc_info=True)
                 def on_first_message(self, msg):
                     self._inject_cookie_message(msg)
                     if self.get_current_user() is None:
                         self.log.warn("Couldn't authenticate WebSocket connection")
                         raise web.HTTPError(403)
                     self.on_message = self.save_on_message

IPython/html/notebookapp.py

0 +32 -1

             # coding: utf-8
             """A tornado based IPython notebook server.
             Authors:
             * Brian Granger
             """
             from __future__ import print_function
             #-----------------------------------------------------------------------------
             #  Copyright (C) 2013  The IPython Development Team
             #
             #  Distributed under the terms of the BSD License.  The full license is in
             #  the file COPYING, distributed as part of this software.
             #-----------------------------------------------------------------------------
             #-----------------------------------------------------------------------------
             # Imports
             #-----------------------------------------------------------------------------
             # stdlib
             import errno
             import io
             import json
             import logging
             import os
             import random
+            import re
             import select
             import signal
             import socket
             import sys
             import threading
             import time
             import webbrowser
             # Third party
             # check for pyzmq 2.1.11
             from IPython.utils.zmqrelated import check_for_zmq
             check_for_zmq('2.1.11', 'IPython.html')
             from jinja2 import Environment, FileSystemLoader
             # Install the pyzmq ioloop. This has to be done before anything else from
             # tornado is imported.
             from zmq.eventloop import ioloop
             ioloop.install()
             # check for tornado 3.1.0
             msg = "The IPython Notebook requires tornado >= 3.1.0"
             try:
                 import tornado
             except ImportError:
                 raise ImportError(msg)
             try:
                 version_info = tornado.version_info
             except AttributeError:
                 raise ImportError(msg + ", but you have < 1.1.0")
             if version_info < (3,1,0):
                 raise ImportError(msg + ", but you have %s" % tornado.version)
             from tornado import httpserver
             from tornado import web
             # Our own libraries
             from IPython.html import DEFAULT_STATIC_FILES_PATH
             from .base.handlers import Template404
             from .log import log_request
             from .services.kernels.kernelmanager import MappingKernelManager
             from .services.notebooks.nbmanager import NotebookManager
             from .services.notebooks.filenbmanager import FileNotebookManager
             from .services.clusters.clustermanager import ClusterManager
             from .services.sessions.sessionmanager import SessionManager
             from .base.handlers import AuthenticatedFileHandler, FileFindHandler
             from IPython.config import Config
             from IPython.config.application import catch_config_error, boolean_flag
             from IPython.core.application import BaseIPythonApplication
             from IPython.core.profiledir import ProfileDir
             from IPython.consoleapp import IPythonConsoleApp
             from IPython.kernel import swallow_argv
             from IPython.kernel.zmq.session import default_secure
             from IPython.kernel.zmq.kernelapp import (
                 kernel_flags,
                 kernel_aliases,
             )
             from IPython.nbformat.sign import NotebookNotary
             from IPython.utils.importstring import import_item
             from IPython.utils import submodule
             from IPython.utils.traitlets import (
                 Dict, Unicode, Integer, List, Bool, Bytes,
                 DottedObjectName, TraitError,
             )
             from IPython.utils import py3compat
             from IPython.utils.path import filefind, get_ipython_dir
             from .utils import url_path_join
             #-----------------------------------------------------------------------------
             # Module globals
             #-----------------------------------------------------------------------------
             _examples = """
             ipython notebook                       # start the notebook
             ipython notebook --profile=sympy       # use the sympy profile
             ipython notebook --certfile=mycert.pem # use SSL/TLS certificate
             """
             #-----------------------------------------------------------------------------
             # Helper functions
             #-----------------------------------------------------------------------------
             def random_ports(port, n):
                 """Generate a list of n random ports near the given port.
                 The first 5 ports will be sequential, and the remaining n-5 will be
                 randomly selected in the range [port-2*n, port+2*n].
                 """
                 for i in range(min(5, n)):
                     yield port + i
                 for i in range(n-5):
                     yield max(1, port + random.randint(-2*n, 2*n))
             def load_handlers(name):
                 """Load the (URL pattern, handler) tuples for each component."""
                 name = 'IPython.html.' + name
                 mod = __import__(name, fromlist=['default_handlers'])
                 return mod.default_handlers
             #-----------------------------------------------------------------------------
             # The Tornado web application
             #-----------------------------------------------------------------------------
             class NotebookWebApplication(web.Application):
                 def __init__(self, ipython_app, kernel_manager, notebook_manager,
                              cluster_manager, session_manager, log, base_url,
                              settings_overrides, jinja_env_options):
                     settings = self.init_settings(
                         ipython_app, kernel_manager, notebook_manager, cluster_manager,
                         session_manager, log, base_url, settings_overrides, jinja_env_options)
                     handlers = self.init_handlers(settings)
                     super(NotebookWebApplication, self).__init__(handlers, **settings)
                 def init_settings(self, ipython_app, kernel_manager, notebook_manager,
                                   cluster_manager, session_manager, log, base_url,
                                   settings_overrides, jinja_env_options=None):
                     # Python < 2.6.5 doesn't accept unicode keys in f(**kwargs), and
                     # base_url will always be unicode, which will in turn
                     # make the patterns unicode, and ultimately result in unicode
                     # keys in kwargs to handler._execute(**kwargs) in tornado.
                     # This enforces that base_url be ascii in that situation.
                     #
                     # Note that the URLs these patterns check against are escaped,
                     # and thus guaranteed to be ASCII: 'héllo' is really 'h%C3%A9llo'.
                     base_url = py3compat.unicode_to_str(base_url, 'ascii')
                     template_path = settings_overrides.get("template_path", os.path.join(os.path.dirname(__file__), "templates"))
                     jenv_opt = jinja_env_options if jinja_env_options else {}
                     env = Environment(loader=FileSystemLoader(template_path),**jenv_opt )
                     settings = dict(
                         # basics
                         log_function=log_request,
                         base_url=base_url,
                         template_path=template_path,
                         static_path=ipython_app.static_file_path,
                         static_handler_class = FileFindHandler,
                         static_url_prefix = url_path_join(base_url,'/static/'),
                         # authentication
                         cookie_secret=ipython_app.cookie_secret,
                         login_url=url_path_join(base_url,'/login'),
                         password=ipython_app.password,
                         # managers
                         kernel_manager=kernel_manager,
                         notebook_manager=notebook_manager,
                         cluster_manager=cluster_manager,
                         session_manager=session_manager,
                         # IPython stuff
                         nbextensions_path = ipython_app.nbextensions_path,
                         mathjax_url=ipython_app.mathjax_url,
                         config=ipython_app.config,
                         jinja2_env=env,
                     )
                     # allow custom overrides for the tornado web app.
                     settings.update(settings_overrides)
                     return settings
                 def init_handlers(self, settings):
                     # Load the (URL pattern, handler) tuples for each component.
                     handlers = []
                     handlers.extend(load_handlers('base.handlers'))
                     handlers.extend(load_handlers('tree.handlers'))
                     handlers.extend(load_handlers('auth.login'))
                     handlers.extend(load_handlers('auth.logout'))
                     handlers.extend(load_handlers('notebook.handlers'))
                     handlers.extend(load_handlers('nbconvert.handlers'))
                     handlers.extend(load_handlers('services.kernels.handlers'))
                     handlers.extend(load_handlers('services.notebooks.handlers'))
                     handlers.extend(load_handlers('services.clusters.handlers'))
                     handlers.extend(load_handlers('services.sessions.handlers'))
                     handlers.extend(load_handlers('services.nbconvert.handlers'))
                     # FIXME: /files/ should be handled by the Contents service when it exists
                     nbm = settings['notebook_manager']
                     if hasattr(nbm, 'notebook_dir'):
                         handlers.extend([
                         (r"/files/(.*)", AuthenticatedFileHandler, {'path' : nbm.notebook_dir}),
                         (r"/nbextensions/(.*)", FileFindHandler, {'path' : settings['nbextensions_path']}),
                     ])
                     # prepend base_url onto the patterns that we match
                     new_handlers = []
                     for handler in handlers:
                         pattern = url_path_join(settings['base_url'], handler[0])
                         new_handler = tuple([pattern] + list(handler[1:]))
                         new_handlers.append(new_handler)
                     # add 404 on the end, which will catch everything that falls through
                     new_handlers.append((r'(.*)', Template404))
                     return new_handlers
             class NbserverListApp(BaseIPythonApplication):
                 description="List currently running notebook servers in this profile."
                 flags = dict(
                     json=({'NbserverListApp': {'json': True}},
                           "Produce machine-readable JSON output."),
                 )
                 json = Bool(False, config=True,
                       help="If True, each line of output will be a JSON object with the "
                               "details from the server info file.")
                 def start(self):
                     if not self.json:
                         print("Currently running servers:")
                     for serverinfo in list_running_servers(self.profile):
                         if self.json:
                             print(json.dumps(serverinfo))
                         else:
                             print(serverinfo['url'], "::", serverinfo['notebook_dir'])
             #-----------------------------------------------------------------------------
             # Aliases and Flags
             #-----------------------------------------------------------------------------
             flags = dict(kernel_flags)
             flags['no-browser']=(
                 {'NotebookApp' : {'open_browser' : False}},
                 "Don't open the notebook in a browser after startup."
             )
             flags['no-mathjax']=(
                 {'NotebookApp' : {'enable_mathjax' : False}},
                 """Disable MathJax
                 MathJax is the javascript library IPython uses to render math/LaTeX. It is
                 very large, so you may want to disable it if you have a slow internet
                 connection, or for offline use of the notebook.
                 When disabled, equations etc. will appear as their untransformed TeX source.
                 """
             )
             # Add notebook manager flags
             flags.update(boolean_flag('script', 'FileNotebookManager.save_script',
                            'Auto-save a .py script everytime the .ipynb notebook is saved',
                            'Do not auto-save .py scripts for every notebook'))
             # the flags that are specific to the frontend
             # these must be scrubbed before being passed to the kernel,
             # or it will raise an error on unrecognized flags
             notebook_flags = ['no-browser', 'no-mathjax', 'script', 'no-script']
             aliases = dict(kernel_aliases)
             aliases.update({
                 'ip': 'NotebookApp.ip',
                 'port': 'NotebookApp.port',
                 'port-retries': 'NotebookApp.port_retries',
                 'transport': 'KernelManager.transport',
                 'keyfile': 'NotebookApp.keyfile',
                 'certfile': 'NotebookApp.certfile',
                 'notebook-dir': 'NotebookApp.notebook_dir',
                 'browser': 'NotebookApp.browser',
             })
             # remove ipkernel flags that are singletons, and don't make sense in
             # multi-kernel evironment:
             aliases.pop('f', None)
             notebook_aliases = [u'port', u'port-retries', u'ip', u'keyfile', u'certfile',
                                 u'notebook-dir', u'profile', u'profile-dir', 'browser']
             #-----------------------------------------------------------------------------
             # NotebookApp
             #-----------------------------------------------------------------------------
             class NotebookApp(BaseIPythonApplication):
                 name = 'ipython-notebook'
                 description = """
                     The IPython HTML Notebook.
                     This launches a Tornado based HTML Notebook Server that serves up an
                     HTML5/Javascript Notebook client.
                 """
                 examples = _examples
                 classes = IPythonConsoleApp.classes + [MappingKernelManager, NotebookManager,
                     FileNotebookManager, NotebookNotary]
                 flags = Dict(flags)
                 aliases = Dict(aliases)
                 subcommands = dict(
                     list=(NbserverListApp, NbserverListApp.description.splitlines()[0]),
                 )
                 kernel_argv = List(Unicode)
                 def _log_level_default(self):
                     return logging.INFO
                 def _log_format_default(self):
                     """override default log format to include time"""
                     return u"%(asctime)s.%(msecs).03d [%(name)s]%(highlevel)s %(message)s"
                 # create requested profiles by default, if they don't exist:
                 auto_create = Bool(True)
                 # file to be opened in the notebook server
                 file_to_run = Unicode('', config=True)
                 def _file_to_run_changed(self, name, old, new):
                     path, base = os.path.split(new)
                     if path:
                         self.file_to_run = base
                         self.notebook_dir = path
-                # Network related information.
+                # Network related information
+                allow_origin = Unicode('', config=True,
+                    help="""Set the Access-Control-Allow-Origin header
+                    Use '*' to allow any origin to access your server.
+                    Takes precedence over allow_origin_pat.
+                    """
+                )
+                allow_origin_pat = Unicode('', config=True,
+                    help="""Use a regular expression for the Access-Control-Allow-Origin header
+                    Requests from an origin matching the expression will get replies with:
+                        Access-Control-Allow-Origin: origin
+                    where `origin` is the origin of the request.
+                    Ignored if allow_origin is set.
+                    """
+                )
+                allow_credentials = Bool(False, config=True,
+                    help="Set the Access-Control-Allow-Credentials: true header"
+                )
                 ip = Unicode('localhost', config=True,
                     help="The IP address the notebook server will listen on."
                 )
                 def _ip_changed(self, name, old, new):
                     if new == u'*': self.ip = u''
                 port = Integer(8888, config=True,
                     help="The port the notebook server will listen on."
                 )
                 port_retries = Integer(50, config=True,
                     help="The number of additional ports to try if the specified port is not available."
                 )
                 certfile = Unicode(u'', config=True,
                     help="""The full path to an SSL/TLS certificate file."""
                 )
                 keyfile = Unicode(u'', config=True,
                     help="""The full path to a private key file for usage with SSL/TLS."""
                 )
                 cookie_secret = Bytes(b'', config=True,
                     help="""The random bytes used to secure cookies.
                     By default this is a new random number every time you start the Notebook.
                     Set it to a value in a config file to enable logins to persist across server sessions.
                     Note: Cookie secrets should be kept private, do not share config files with
                     cookie_secret stored in plaintext (you can read the value from a file).
                     """
                 )
                 def _cookie_secret_default(self):
                     return os.urandom(1024)
                 password = Unicode(u'', config=True,
                                   help="""Hashed password to use for web authentication.
                                   To generate, type in a python/IPython shell:
                                     from IPython.lib import passwd; passwd()
                                   The string should be of the form type:salt:hashed-password.
                                   """
                 )
                 open_browser = Bool(True, config=True,
                                     help="""Whether to open in a browser after starting.
                                     The specific browser used is platform dependent and
                                     determined by the python standard library `webbrowser`
                                     module, unless it is overridden using the --browser
                                     (NotebookApp.browser) configuration option.
                                     """)
                 browser = Unicode(u'', config=True,
                                   help="""Specify what command to use to invoke a web
                                   browser when opening the notebook. If not specified, the
                                   default browser will be determined by the `webbrowser`
                                   standard library module, which allows setting of the
                                   BROWSER environment variable to override it.
                                   """)
                 webapp_settings = Dict(config=True,
                         help="Supply overrides for the tornado.web.Application that the "
                              "IPython notebook uses.")
                 jinja_environment_options = Dict(config=True,
                         help="Supply extra arguments that will be passed to Jinja environment.")
                 enable_mathjax = Bool(True, config=True,
                     help="""Whether to enable MathJax for typesetting math/TeX
                     MathJax is the javascript library IPython uses to render math/LaTeX. It is
                     very large, so you may want to disable it if you have a slow internet
                     connection, or for offline use of the notebook.
                     When disabled, equations etc. will appear as their untransformed TeX source.
                     """
                 )
                 def _enable_mathjax_changed(self, name, old, new):
                     """set mathjax url to empty if mathjax is disabled"""
                     if not new:
                         self.mathjax_url = u''
                 base_url = Unicode('/', config=True,
                                            help='''The base URL for the notebook server.
                                            Leading and trailing slashes can be omitted,
                                            and will automatically be added.
                                            ''')
                 def _base_url_changed(self, name, old, new):
                     if not new.startswith('/'):
                         self.base_url = '/'+new
                     elif not new.endswith('/'):
                         self.base_url = new+'/'
                 base_project_url = Unicode('/', config=True, help="""DEPRECATED use base_url""")
                 def _base_project_url_changed(self, name, old, new):
                     self.log.warn("base_project_url is deprecated, use base_url")
                     self.base_url = new
                 extra_static_paths = List(Unicode, config=True,
                     help="""Extra paths to search for serving static files.
                     This allows adding javascript/css to be available from the notebook server machine,
                     or overriding individual files in the IPython"""
                 )
                 def _extra_static_paths_default(self):
                     return [os.path.join(self.profile_dir.location, 'static')]
                 @property
                 def static_file_path(self):
                     """return extra paths + the default location"""
                     return self.extra_static_paths + [DEFAULT_STATIC_FILES_PATH]
                 nbextensions_path = List(Unicode, config=True,
                     help="""paths for Javascript extensions. By default, this is just IPYTHONDIR/nbextensions"""
                 )
                 def _nbextensions_path_default(self):
                     return [os.path.join(get_ipython_dir(), 'nbextensions')]
                 mathjax_url = Unicode("", config=True,
                     help="""The url for MathJax.js."""
                 )
                 def _mathjax_url_default(self):
                     if not self.enable_mathjax:
                         return u''
                     static_url_prefix = self.webapp_settings.get("static_url_prefix",
                                      url_path_join(self.base_url, "static")
                     )
                     # try local mathjax, either in nbextensions/mathjax or static/mathjax
                     for (url_prefix, search_path) in [
                         (url_path_join(self.base_url, "nbextensions"), self.nbextensions_path),
                         (static_url_prefix, self.static_file_path),
                     ]:
                         self.log.debug("searching for local mathjax in %s", search_path)
                         try:
                             mathjax = filefind(os.path.join('mathjax', 'MathJax.js'), search_path)
                         except IOError:
                             continue
                         else:
                             url = url_path_join(url_prefix, u"mathjax/MathJax.js")
                             self.log.info("Serving local MathJax from %s at %s", mathjax, url)
                             return url
                     # no local mathjax, serve from CDN
                     if self.certfile:
                         # HTTPS: load from Rackspace CDN, because SSL certificate requires it
                         host = u"https://c328740.ssl.cf1.rackcdn.com"
                     else:
                         host = u"http://cdn.mathjax.org"
                     url = host + u"/mathjax/latest/MathJax.js"
                     self.log.info("Using MathJax from CDN: %s", url)
                     return url
                 def _mathjax_url_changed(self, name, old, new):
                     if new and not self.enable_mathjax:
                         # enable_mathjax=False overrides mathjax_url
                         self.mathjax_url = u''
                     else:
                         self.log.info("Using MathJax: %s", new)
                 notebook_manager_class = DottedObjectName('IPython.html.services.notebooks.filenbmanager.FileNotebookManager',
                     config=True,
                     help='The notebook manager class to use.')
                 trust_xheaders = Bool(False, config=True,
                     help=("Whether to trust or not X-Scheme/X-Forwarded-Proto and X-Real-Ip/X-Forwarded-For headers"
                           "sent by the upstream reverse proxy. Necessary if the proxy handles SSL")
                 )
                 info_file = Unicode()
                 def _info_file_default(self):
                     info_file = "nbserver-%s.json"%os.getpid()
                     return os.path.join(self.profile_dir.security_dir, info_file)
                 notebook_dir = Unicode(py3compat.getcwd(), config=True,
                     help="The directory to use for notebooks and kernels."
                 )
                 def _notebook_dir_changed(self, name, old, new):
                     """Do a bit of validation of the notebook dir."""
                     if not os.path.isabs(new):
                         # If we receive a non-absolute path, make it absolute.
                         self.notebook_dir = os.path.abspath(new)
                         return
                     if not os.path.isdir(new):
                         raise TraitError("No such notebook dir: %r" % new)
                     # setting App.notebook_dir implies setting notebook and kernel dirs as well
                     self.config.FileNotebookManager.notebook_dir = new
                     self.config.MappingKernelManager.root_dir = new
                 def parse_command_line(self, argv=None):
                     super(NotebookApp, self).parse_command_line(argv)
                     if self.extra_args:
                         arg0 = self.extra_args[0]
                         f = os.path.abspath(arg0)
                         self.argv.remove(arg0)
                         if not os.path.exists(f):
                             self.log.critical("No such file or directory: %s", f)
                             self.exit(1)
                         # Use config here, to ensure that it takes higher priority than
                         # anything that comes from the profile.
                         c = Config()
                         if os.path.isdir(f):
                             c.NotebookApp.notebook_dir = f
                         elif os.path.isfile(f):
                             c.NotebookApp.file_to_run = f
                         self.update_config(c)
                 def init_kernel_argv(self):
                     """construct the kernel arguments"""
                     # Scrub frontend-specific flags
                     self.kernel_argv = swallow_argv(self.argv, notebook_aliases, notebook_flags)
                     if any(arg.startswith(u'--pylab') for arg in self.kernel_argv):
                         self.log.warn('\n    '.join([
                             "Starting all kernels in pylab mode is not recommended,",
                             "and will be disabled in a future release.",
                             "Please use the %matplotlib magic to enable matplotlib instead.",
                             "pylab implies many imports, which can have confusing side effects",
                             "and harm the reproducibility of your notebooks.",
                         ]))
                     # Kernel should inherit default config file from frontend
                     self.kernel_argv.append("--IPKernelApp.parent_appname='%s'" % self.name)
                     # Kernel should get *absolute* path to profile directory
                     self.kernel_argv.extend(["--profile-dir", self.profile_dir.location])
                 def init_configurables(self):
                     # force Session default to be secure
                     default_secure(self.config)
                     self.kernel_manager = MappingKernelManager(
                         parent=self, log=self.log, kernel_argv=self.kernel_argv,
                         connection_dir = self.profile_dir.security_dir,
                     )
                     kls = import_item(self.notebook_manager_class)
                     self.notebook_manager = kls(parent=self, log=self.log)
                     self.session_manager = SessionManager(parent=self, log=self.log)
                     self.cluster_manager = ClusterManager(parent=self, log=self.log)
                     self.cluster_manager.update_profiles()
                 def init_logging(self):
                     # This prevents double log messages because tornado use a root logger that
                     # self.log is a child of. The logging module dipatches log messages to a log
                     # and all of its ancenstors until propagate is set to False.
                     self.log.propagate = False
                     # hook up tornado 3's loggers to our app handlers
                     for name in ('access', 'application', 'general'):
                         logger = logging.getLogger('tornado.%s' % name)
                         logger.parent = self.log
                         logger.setLevel(self.log.level)
                 def init_webapp(self):
                     """initialize tornado webapp and httpserver"""
+                    self.webapp_settings['allow_origin'] = self.allow_origin
+                    self.webapp_settings['allow_origin_pat'] = re.compile(self.allow_origin_pat)
+                    self.webapp_settings['allow_credentials'] = self.allow_credentials
                     self.web_app = NotebookWebApplication(
                         self, self.kernel_manager, self.notebook_manager,
                         self.cluster_manager, self.session_manager,
                         self.log, self.base_url, self.webapp_settings,
                         self.jinja_environment_options
                     )
                     if self.certfile:
                         ssl_options = dict(certfile=self.certfile)
                         if self.keyfile:
                             ssl_options['keyfile'] = self.keyfile
                     else:
                         ssl_options = None
                     self.web_app.password = self.password
                     self.http_server = httpserver.HTTPServer(self.web_app, ssl_options=ssl_options,
                                                              xheaders=self.trust_xheaders)
                     if not self.ip:
                         warning = "WARNING: The notebook server is listening on all IP addresses"
                         if ssl_options is None:
                             self.log.critical(warning + " and not using encryption. This "
                                 "is not recommended.")
                         if not self.password:
                             self.log.critical(warning + " and not using authentication. "
                                 "This is highly insecure and not recommended.")
                     success = None
                     for port in random_ports(self.port, self.port_retries+1):
                         try:
                             self.http_server.listen(port, self.ip)
                         except socket.error as e:
                             if e.errno == errno.EADDRINUSE:
                                 self.log.info('The port %i is already in use, trying another random port.' % port)
                                 continue
                             elif e.errno in (errno.EACCES, getattr(errno, 'WSAEACCES', errno.EACCES)):
                                 self.log.warn("Permission to listen on port %i denied" % port)
                                 continue
                             else:
                                 raise
                         else:
                             self.port = port
                             success = True
                             break
                     if not success:
                         self.log.critical('ERROR: the notebook server could not be started because '
                                           'no available port could be found.')
                         self.exit(1)
                 @property
                 def display_url(self):
                     ip = self.ip if self.ip else '[all ip addresses on your system]'
                     return self._url(ip)
                 @property
                 def connection_url(self):
                     ip = self.ip if self.ip else 'localhost'
                     return self._url(ip)
                 def _url(self, ip):
                     proto = 'https' if self.certfile else 'http'
                     return "%s://%s:%i%s" % (proto, ip, self.port, self.base_url)
                 def init_signal(self):
                     if not sys.platform.startswith('win'):
                         signal.signal(signal.SIGINT, self._handle_sigint)
                     signal.signal(signal.SIGTERM, self._signal_stop)
                     if hasattr(signal, 'SIGUSR1'):
                         # Windows doesn't support SIGUSR1
                         signal.signal(signal.SIGUSR1, self._signal_info)
                     if hasattr(signal, 'SIGINFO'):
                         # only on BSD-based systems
                         signal.signal(signal.SIGINFO, self._signal_info)
                 def _handle_sigint(self, sig, frame):
                     """SIGINT handler spawns confirmation dialog"""
                     # register more forceful signal handler for ^C^C case
                     signal.signal(signal.SIGINT, self._signal_stop)
                     # request confirmation dialog in bg thread, to avoid
                     # blocking the App
                     thread = threading.Thread(target=self._confirm_exit)
                     thread.daemon = True
                     thread.start()
                 def _restore_sigint_handler(self):
                     """callback for restoring original SIGINT handler"""
                     signal.signal(signal.SIGINT, self._handle_sigint)
                 def _confirm_exit(self):
                     """confirm shutdown on ^C
                     A second ^C, or answering 'y' within 5s will cause shutdown,
                     otherwise original SIGINT handler will be restored.
                     This doesn't work on Windows.
                     """
                     # FIXME: remove this delay when pyzmq dependency is >= 2.1.11
                     time.sleep(0.1)
                     info = self.log.info
                     info('interrupted')
                     print(self.notebook_info())
                     sys.stdout.write("Shutdown this notebook server (y/[n])? ")
                     sys.stdout.flush()
                     r,w,x = select.select([sys.stdin], [], [], 5)
                     if r:
                         line = sys.stdin.readline()
                         if line.lower().startswith('y') and 'n' not in line.lower():
                             self.log.critical("Shutdown confirmed")
                             ioloop.IOLoop.instance().stop()
                             return
                     else:
                         print("No answer for 5s:", end=' ')
                     print("resuming operation...")
                     # no answer, or answer is no:
                     # set it back to original SIGINT handler
                     # use IOLoop.add_callback because signal.signal must be called
                     # from main thread
                     ioloop.IOLoop.instance().add_callback(self._restore_sigint_handler)
                 def _signal_stop(self, sig, frame):
                     self.log.critical("received signal %s, stopping", sig)
                     ioloop.IOLoop.instance().stop()
                 def _signal_info(self, sig, frame):
                     print(self.notebook_info())
                 def init_components(self):
                     """Check the components submodule, and warn if it's unclean"""
                     status = submodule.check_submodule_status()
                     if status == 'missing':
                         self.log.warn("components submodule missing, running `git submodule update`")
                         submodule.update_submodules(submodule.ipython_parent())
                     elif status == 'unclean':
                         self.log.warn("components submodule unclean, you may see 404s on static/components")
                         self.log.warn("run `setup.py submodule` or `git submodule update` to update")
                 @catch_config_error
                 def initialize(self, argv=None):
                     super(NotebookApp, self).initialize(argv)
                     self.init_logging()
                     self.init_kernel_argv()
                     self.init_configurables()
                     self.init_components()
                     self.init_webapp()
                     self.init_signal()
                 def cleanup_kernels(self):
                     """Shutdown all kernels.
                     The kernels will shutdown themselves when this process no longer exists,
                     but explicit shutdown allows the KernelManagers to cleanup the connection files.
                     """
                     self.log.info('Shutting down kernels')
                     self.kernel_manager.shutdown_all()
                 def notebook_info(self):
                     "Return the current working directory and the server url information"
                     info = self.notebook_manager.info_string() + "\n"
                     info += "%d active kernels \n" % len(self.kernel_manager._kernels)
                     return info + "The IPython Notebook is running at: %s" % self.display_url
                 def server_info(self):
                     """Return a JSONable dict of information about this server."""
                     return {'url': self.connection_url,
                             'hostname': self.ip if self.ip else 'localhost',
                             'port': self.port,
                             'secure': bool(self.certfile),
                             'base_url': self.base_url,
                             'notebook_dir': os.path.abspath(self.notebook_dir),
                            }
                 def write_server_info_file(self):
                     """Write the result of server_info() to the JSON file info_file."""
                     with open(self.info_file, 'w') as f:
                         json.dump(self.server_info(), f, indent=2)
                 def remove_server_info_file(self):
                     """Remove the nbserver-<pid>.json file created for this server.
                     Ignores the error raised when the file has already been removed.
                     """
                     try:
                         os.unlink(self.info_file)
                     except OSError as e:
                         if e.errno != errno.ENOENT:
                             raise
                 def start(self):
                     """ Start the IPython Notebook server app, after initialization
                     This method takes no arguments so all configuration and initialization
                     must be done prior to calling this method."""
                     if self.subapp is not None:
                         return self.subapp.start()
                     info = self.log.info
                     for line in self.notebook_info().split("\n"):
                         info(line)
                     info("Use Control-C to stop this server and shut down all kernels (twice to skip confirmation).")
                     self.write_server_info_file()
                     if self.open_browser or self.file_to_run:
                         try:
                             browser = webbrowser.get(self.browser or None)
                         except webbrowser.Error as e:
                             self.log.warn('No web browser found: %s.' % e)
                             browser = None
                         if self.file_to_run:
                             fullpath = os.path.join(self.notebook_dir, self.file_to_run)
                             if not os.path.exists(fullpath):
                                 self.log.critical("%s does not exist" % fullpath)
                                 self.exit(1)
                             uri = url_path_join('notebooks', self.file_to_run)
                         else:
                             uri = 'tree'
                         if browser:
                             b = lambda : browser.open(url_path_join(self.connection_url, uri),
                                                       new=2)
                             threading.Thread(target=b).start()
                     try:
                         ioloop.IOLoop.instance().start()
                     except KeyboardInterrupt:
                         info("Interrupted...")
                     finally:
                         self.cleanup_kernels()
                         self.remove_server_info_file()
             def list_running_servers(profile='default'):
                 """Iterate over the server info files of running notebook servers.
                 Given a profile name, find nbserver-* files in the security directory of
                 that profile, and yield dicts of their information, each one pertaining to
                 a currently running notebook server instance.
                 """
                 pd = ProfileDir.find_profile_dir_by_name(get_ipython_dir(), name=profile)
                 for file in os.listdir(pd.security_dir):
                     if file.startswith('nbserver-'):
                         with io.open(os.path.join(pd.security_dir, file), encoding='utf-8') as f:
                             yield json.load(f)
             #-----------------------------------------------------------------------------
             # Main entry point
             #-----------------------------------------------------------------------------
             launch_new_instance = NotebookApp.launch_instance

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages