Show More
| @@ -1,101 +1,109 b'' | |||
|
|
1 | 1 | """Tornado handlers for logging into the notebook.""" |
|
|
2 | 2 | |
|
|
3 | 3 | # Copyright (c) IPython Development Team. |
|
|
4 | 4 | # Distributed under the terms of the Modified BSD License. |
|
|
5 | 5 | |
|
|
6 | 6 | import uuid |
|
|
7 | 7 | |
|
|
8 | 8 | from tornado.escape import url_escape |
|
|
9 | 9 | |
|
|
10 | 10 | from IPython.lib.security import passwd_check |
|
|
11 | 11 | |
|
|
12 | 12 | from ..base.handlers import IPythonHandler |
|
|
13 | 13 | |
|
|
14 | 14 | |
|
|
15 | 15 | class LoginHandler(IPythonHandler): |
|
|
16 | 16 | """The basic tornado login handler |
|
|
17 | 17 | |
|
|
18 | 18 | authenticates with a hashed password from the configuration. |
|
|
19 | 19 | """ |
|
|
20 | 20 | def _render(self, message=None): |
|
|
21 | 21 | self.write(self.render_template('login.html', |
|
|
22 | 22 | next=url_escape(self.get_argument('next', default=self.base_url)), |
|
|
23 | 23 | message=message, |
|
|
24 | 24 | )) |
|
|
25 | 25 | |
|
|
26 | 26 | def get(self): |
|
|
27 | 27 | if self.current_user: |
|
|
28 |
|
|
|
|
28 | next_url = self.get_argument('next', default=self.base_url) | |
|
|
29 | if not next_url.startswith(self.base_url): | |
|
|
30 | # require that next_url be absolute path within our path | |
|
|
31 | next_url = self.base_url | |
|
|
32 | self.redirect(next_url) | |
|
|
29 | 33 | else: |
|
|
30 | 34 | self._render() |
|
|
31 | 35 | |
|
|
32 | 36 | @property |
|
|
33 | 37 | def hashed_password(self): |
|
|
34 | 38 | return self.password_from_settings(self.settings) |
|
|
35 | 39 | |
|
|
36 | 40 | def post(self): |
|
|
37 | 41 | typed_password = self.get_argument('password', default=u'') |
|
|
38 | 42 | if self.login_available(self.settings): |
|
|
39 | 43 | if passwd_check(self.hashed_password, typed_password): |
|
|
40 | 44 | # tornado <4.2 have a bug that consider secure==True as soon as |
|
|
41 | 45 | # 'secure' kwarg is passed to set_secure_cookie |
|
|
42 | 46 | if self.settings.get('secure_cookie', self.request.protocol == 'https'): |
|
|
43 | 47 | kwargs = {'secure':True} |
|
|
44 | 48 | else: |
|
|
45 | 49 | kwargs = {} |
|
|
46 | 50 | self.set_secure_cookie(self.cookie_name, str(uuid.uuid4()), **kwargs) |
|
|
47 | 51 | else: |
|
|
48 | 52 | self._render(message={'error': 'Invalid password'}) |
|
|
49 | 53 | return |
|
|
50 | ||
|
|
51 |
|
|
|
|
54 | ||
|
|
55 | next_url = self.get_argument('next', default=self.base_url) | |
|
|
56 | if not next_url.startswith(self.base_url): | |
|
|
57 | # require that next_url be absolute path within our path | |
|
|
58 | next_url = self.base_url | |
|
|
59 | self.redirect(next_url) | |
|
|
52 | 60 | |
|
|
53 | 61 | @classmethod |
|
|
54 | 62 | def get_user(cls, handler): |
|
|
55 | 63 | """Called by handlers.get_current_user for identifying the current user. |
|
|
56 | 64 | |
|
|
57 | 65 | See tornado.web.RequestHandler.get_current_user for details. |
|
|
58 | 66 | """ |
|
|
59 | 67 | # Can't call this get_current_user because it will collide when |
|
|
60 | 68 | # called on LoginHandler itself. |
|
|
61 | 69 | |
|
|
62 | 70 | user_id = handler.get_secure_cookie(handler.cookie_name) |
|
|
63 | 71 | # For now the user_id should not return empty, but it could, eventually. |
|
|
64 | 72 | if user_id == '': |
|
|
65 | 73 | user_id = 'anonymous' |
|
|
66 | 74 | if user_id is None: |
|
|
67 | 75 | # prevent extra Invalid cookie sig warnings: |
|
|
68 | 76 | handler.clear_login_cookie() |
|
|
69 | 77 | if not handler.login_available: |
|
|
70 | 78 | user_id = 'anonymous' |
|
|
71 | 79 | return user_id |
|
|
72 | 80 | |
|
|
73 | 81 | |
|
|
74 | 82 | @classmethod |
|
|
75 | 83 | def validate_security(cls, app, ssl_options=None): |
|
|
76 | 84 | """Check the notebook application's security. |
|
|
77 | 85 | |
|
|
78 | 86 | Show messages, or abort if necessary, based on the security configuration. |
|
|
79 | 87 | """ |
|
|
80 | 88 | if not app.ip: |
|
|
81 | 89 | warning = "WARNING: The notebook server is listening on all IP addresses" |
|
|
82 | 90 | if ssl_options is None: |
|
|
83 | 91 | app.log.warning(warning + " and not using encryption. This " |
|
|
84 | 92 | "is not recommended.") |
|
|
85 | 93 | if not app.password: |
|
|
86 | 94 | app.log.warning(warning + " and not using authentication. " |
|
|
87 | 95 | "This is highly insecure and not recommended.") |
|
|
88 | 96 | |
|
|
89 | 97 | @classmethod |
|
|
90 | 98 | def password_from_settings(cls, settings): |
|
|
91 | 99 | """Return the hashed password from the tornado settings. |
|
|
92 | 100 | |
|
|
93 | 101 | If there is no configured password, an empty string will be returned. |
|
|
94 | 102 | """ |
|
|
95 | 103 | return settings.get('password', u'') |
|
|
96 | 104 | |
|
|
97 | 105 | @classmethod |
|
|
98 | 106 | def login_available(cls, settings): |
|
|
99 | 107 | """Whether this LoginHandler is needed - and therefore whether the login page should be displayed.""" |
|
|
100 | 108 | return bool(cls.password_from_settings(settings)) |
|
|
101 | 109 | |
General Comments 0
You need to be logged in to leave comments.
Login now