a 2`/b,@sfddlZddlZddlZz ddlZWney:dZYn0ddlZddlmZdZGdddZ dS)N) get_template)Securityc@steZdZdZdZdddZeddZdd Zdd d Z d d Z ddZ ddZ ddZ ddZddZddZdS)ra4Security configuration for a Dask cluster. Default values are loaded from Dask's configuration files, and can be overridden in the constructor. Parameters ---------- require_encryption : bool, optional Whether TLS encryption is required for all connections. tls_ca_file : str, optional Path to a CA certificate file encoded in PEM format. tls_ciphers : str, optional An OpenSSL cipher string of allowed ciphers. If not provided, the system defaults will be used. tls_min_version : ssl.TLSVersion, optional The minimum TLS version to support. Defaults to TLS 1.2. tls_max_version : ssl.TLSVersion, optional The maximum TLS version to support. Defaults to the maximum version supported. tls_client_cert : str, optional Path to a certificate file for the client, encoded in PEM format. tls_client_key : str, optional Path to a key file for the client, encoded in PEM format. Alternatively, the key may be appended to the cert file, and this parameter be omitted. tls_scheduler_cert : str, optional Path to a certificate file for the scheduler, encoded in PEM format. tls_scheduler_key : str, optional Path to a key file for the scheduler, encoded in PEM format. Alternatively, the key may be appended to the cert file, and this parameter be omitted. tls_worker_cert : str, optional Path to a certificate file for a worker, encoded in PEM format. tls_worker_key : str, optional Path to a key file for a worker, encoded in PEM format. Alternatively, the key may be appended to the cert file, and this parameter be omitted. extra_conn_args : mapping, optional Mapping with keyword arguments to pass down to connections. ) require_encryption tls_ca_file tls_cipherstls_min_versiontls_max_versiontls_client_keytls_client_certtls_scheduler_keytls_scheduler_certtls_worker_keytls_worker_certextra_conn_argsNcKst||j}|r$tdt||di|_|durFtj d}|durVt |}||_ | |dd| |ddtjj| |dd | |d d | |d d | |dd| |dd| |dd| |dd| |dddS)NzUnknown parameters: %rrz#distributed.comm.require-encryptionrzdistributed.comm.tls.ciphersrz distributed.comm.tls.min-versionrz distributed.comm.tls.max-versionrzdistributed.comm.tls.ca-filer zdistributed.comm.tls.client.keyr z distributed.comm.tls.client.certr z"distributed.comm.tls.scheduler.keyr z#distributed.comm.tls.scheduler.certr zdistributed.comm.tls.worker.keyrz distributed.comm.tls.worker.cert)set difference __slots__ TypeErrorsortedpoprdaskconfiggetboolr _set_field_set_tls_version_fieldssl TLSVersionTLSv1_2)selfrkwargsZextrar!3lib/python3.9/site-packages/distributed/security.py__init__Is@ zSecurity.__init__c KsPzDddlm}ddlm}ddlm}m}ddlm}ddl m }Wnt y^t dYn0|j dd |d }|j |jj|jj|d } |||jd g} ||d g} tj} || | j| d d| |!"| #| tj$dd%||&|} | '|jj}|fd|| || || |d|S)aJCreate a new temporary Security object. This creates a new self-signed key/cert pair suitable for securing communication for all roles in a Dask cluster. These keys/certs exist only in memory, and are stored in this object. This method requires the library ``cryptography`` be installed. r)x509)default_backend)hashes serialization)rsa)NameOIDz_Using `Security.temporary` requires `cryptography`, please install it using either pip or condaii)Zpublic_exponentZkey_sizeZbackend)encodingformatZencryption_algorithmz dask-internalF)Zcriticalim)ZdaysT)rrr r r r r r)(Z cryptographyr$Zcryptography.hazmat.backendsr%Zcryptography.hazmat.primitivesr&r'Z)cryptography.hazmat.primitives.asymmetricr(Zcryptography.x509.oidr) ImportErrorZgenerate_private_keyZ private_bytesZEncodingZPEMZ PrivateFormatZPKCS8Z NoEncryptiondecodeNameZ NameAttributeZ COMMON_NAMEZSubjectAlternativeNameZDNSNamedatetimeZutcnowZCertificateBuilderZ subject_nameZ issuer_name add_extensionZ public_keyZ serial_numberZrandom_serial_numberZnot_valid_beforeZnot_valid_afterZ timedeltasignZSHA256Z public_bytes)clsr r$r%r&r'r(r)keyZ key_contentsZ dask_internalZaltnamesZnowcertZ cert_contentsr!r!r" temporaryksl           zSecurity.temporarycCs.||vr||}n tj|}t|||dS)N)rrrsetattr)rr field config_namevalr!r!r"rs  zSecurity._set_fieldcCs||vrT||}dtjjtjjh}||vrFt|d|dt||dur|}nN|tjjtjjd}tj|}||vr||}nt|d|dt|t |||dS)N=z# is not supported, expected one of )Ng333333?g?) rrrZTLSv1_3 ValueErrorlistrrrr6)rr r7r8defaultr9Zvalidr!r!r"rs(  zSecurity._set_tls_version_fieldcCst|j}|di}|D]^}t||}|durt|trNd|vrNd||<qt|trrdtj|d||<q|||<q|S)Nr zTemporary (In-memory)zLocal ()) rrremovegetattr isinstancestrospathabspath)rkeysattrkr9r!r!r" _attr_to_dicts      zSecurity._attr_to_dictcCs(|}dddd|DdS)Nz Security(z, css |]\}}|d|VqdS)r:Nr!).0r3valuer!r!r" z$Security.__repr__..r?)rJjoinitems)rrHr!r!r"__repr__szSecurity.__repr__cCstdj|dS)Nzsecurity.html.j2)Zsecurity)rZrenderrJ)rr!r!r" _repr_html_szSecurity._repr_html_cCs<|dvrtd||j|jt|d|t|d|dS)zR Return the TLS configuration for the given role, as a flat dict. >Z schedulerZclientZworkerz unknown role z tls_%s_certz tls_%s_key)ca_fileciphersr4r3)r;rrrA)rroler!r!r"get_tls_config_for_roles  z Security.get_tls_config_for_rolec Cs|dr|dr|d}|d}}|d}}d|vrRtj||d}ntj||d}|jdurr|j|_|jdur|j|_d|v} |duod|v} | s| rnt} | rt j | d}t |d} | |Wdn1s0Y| r@t j | d }t |d} | |Wdn1s60Y|||Wdn1sb0Yn |||tj|_d |_|d r||d |SdS) NrSr4r3r>)purposeZcadata)rWZcafilezdask.crtwzdask.pemFrT)rrZcreate_default_contextrZminimum_versionrZmaximum_versiontempfileZTemporaryDirectoryrDrErOopenwriteZload_cert_chainZ CERT_REQUIREDZ verify_modeZcheck_hostnameZ set_ciphers) rtlsrWcaZ cert_pathr4Zkey_pathr3ctxZcert_in_memoryZ key_in_memoryZtempdirfr!r!r"_get_tls_contexts<      ( *.  zSecurity._get_tls_contextcCs&||}||tjj|j|jdS)zh Get the *connection_args* argument for a connect() call with the given *role*. ) ssl_contextrr)rVr`rPurposeZ SERVER_AUTHrrrrUr\r!r!r"get_connection_argss  zSecurity.get_connection_argscCs"||}||tjj|jdS)zg Get the *connection_args* argument for a listen() call with the given *role*. )rar)rVr`rrbZ CLIENT_AUTHrrcr!r!r"get_listen_args+s zSecurity.get_listen_args)N)N)__name__ __module__ __qualname____doc__rr# classmethodr5rrrJrQrRrVr`rdrer!r!r!r"rs) " <  , r) r/rDrYrr,rZ dask.widgetsr__all__rr!r!r!r"s