shell bypass 403
a
����\��`�(����������������������@���s����d�Z�ddlZddlZddlZddlmZ�ddlmZ�ddlm Z m
Z
�ddl
m
Z
�dd l
mZ�dd
lmZ�e�e�ZG�d
d
��d
e �ZdS�)
z�
oauthlib.oauth2.rfc6749.endpoint.metadata
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
An implementation of the `OAuth 2.0 Authorization Server Metadata`.
.. _`OAuth 2.0 Authorization Server Metadata`: https://tools.ietf.org/html/rfc8414
�����N����)�
grant_types����)�AuthorizationEndpoint)�
BaseEndpoint� catch_errors_and_unavailability)�IntrospectEndpoint)�RevocationEndpoint)�
TokenEndpointc�������������������@���s^���e�Zd�ZdZi�dfdd�Zeddd��Zdd
d
�Zd
d
��Zdd��Z dd��Z
dd��Z
dd��Z
dS�)�MetadataEndpointa���OAuth2.0 Authorization Server Metadata endpoint.
This specification generalizes the metadata format defined by
`OpenID Connect Discovery 1.0` in a way that is compatible
with OpenID Connect Discovery while being applicable to a wider set
of OAuth 2.0 use cases. This is intentionally parallel to the way
that OAuth 2.0 Dynamic Client Registration Protocol [`RFC7591`_]
generalized the dynamic client registration mechanisms defined by
OpenID Connect Dynamic Client Registration 1.0
in a way that is compatible with it.
.. _`OpenID Connect Discovery 1.0`: https://openid.net/specs/openid-connect-discovery-1_0.html
.. _`RFC7591`: https://tools.ietf.org/html/rfc7591
Tc�����������������C���sP���t�|t�sJ��|D�]}t�|t�sJ��qt�|���||�_||�_||�_|����|�_d�S�)N) �
isinstance�dictr����__init__�
raise_errors� endpoints�initial_claims�validate_metadata_server�claims)�selfr���r���r����endpoint��r����N/usr/lib/python3.9/site-packages/oauthlib/oauth2/rfc6749/endpoints/metadata.pyr���(���s����
zMetadataEndpoint.__init__�GETNc�����������������C���s���ddi}|t��|�j�dfS�)z!Create metadata response
z
Content-Typezapplication/json�����)�json�dumpsr���)r���ZuriZ
http_method�bodyZheadersr���r���r����create_metadata_response3���s�����z)MetadataEndpoint.create_metadata_responseFc�����������������C���s��|�j�s
d�S�||vr&|r$td�|���n�|r�||��d�sLtd�|||����d||�v�spd||�v�spd||�v�r�td�|||����n~|r�||��d�s�td �|||����nV|�rt||�t�s�td
�|||����||�D�]$}t|t�s�td
�|||�|���q�d�S�)
Nz key {} is a mandatory metadata.�httpsz key {}: {} must be an HTTPS URL�?�&�#z8key {}: {} must not contain query or fragment components�httpzkey {}: {} must be an URLzkey {}: {} must be an Arrayz/array {}: {} must contains only string (not {}))r����
ValueError�format�
startswithr
����list�str)r���Zarray�key�
is_required�is_list�is_url� is_issuer�elemr���r���r����validate_metadata=���s&����$
z"MetadataEndpoint.validate_metadatac�����������������C���sX���|�j��|j������|�dddg��|�j|ddd��|�j|ddd��|�j|dddd��d S�)
z�
If the token endpoint is used in the grant type, the value of this
parameter MUST be the same as the value of the "grant_type"
parameter passed to the token endpoint defined in the grant type
definition.
Z%token_endpoint_auth_methods_supported�client_secret_post�client_secret_basicT�r*���Z0token_endpoint_auth_signing_alg_values_supportedZtoken_endpoint�r)���r+���N)�
_grant_types�extend�keys�
setdefaultr.����r���r���r���r���r���r����validate_metadata_tokenV���s
����z(MetadataEndpoint.validate_metadata_tokenc�����������������C���s����|��dttdd��|j�������|��dddg��d|d�v�rH|�j�d��|�j|dd d d
��|�j|dd d
��d
|d�v�r�|jd
�}t|t j
�s�t
|d
�r�|j
}|��dt|j
������|�j|dd d
��|�j|dd d d��d�S�)NZresponse_types_supportedc�����������������S���s���|�dkS�)NZnoner���)�xr���r���r����<lambda>f��������zBMetadataEndpoint.validate_metadata_authorization.<locals>.<lambda>Zresponse_modes_supported�query�fragment�tokenZimplicitT)r)���r*���r1����code�
default_grantZ code_challenge_methods_supportedZauthorization_endpointr2���)r6���r&����filterZ_response_typesr5���r3����appendr.���r
���r���ZAuthorizationCodeGrant�hasattrr@���Z_code_challenge_methods)r���r���r���Z
code_grantr���r���r���� validate_metadata_authorizationd���s"�����
�z0MetadataEndpoint.validate_metadata_authorizationc�����������������C���sF���|��dddg��|�j|ddd��|�j|ddd��|�j|dddd��d�S�) NZ*revocation_endpoint_auth_methods_supportedr/���r0���Tr1���Z5revocation_endpoint_auth_signing_alg_values_supportedZrevocation_endpointr2����r6���r.���r7���r���r���r����
validate_metadata_revocation{���s
�����z-MetadataEndpoint.validate_metadata_revocationc�����������������C���sF���|��dddg��|�j|ddd��|�j|ddd��|�j|dddd��d�S�) NZ-introspection_endpoint_auth_methods_supportedr/���r0���Tr1���Z8introspection_endpoint_auth_signing_alg_values_supportedZintrospection_endpointr2���rE���r7���r���r���r���� validate_metadata_introspection����s
�����z0MetadataEndpoint.validate_metadata_introspectionc�����������������C���s
��t��|�j�}|�j|dddd��|�j|ddd��|�j|ddd��|�j|ddd��|�j|d dd��|�j|d
dd��|�j|d
dd��g�|�_|�jD�]\}t|t�r�|��||��t|t �r�|��
||��t|t
�r�|��
||��t|t
�r�|��||��q�|�d
|�j��|�j|d
dd��|S�)
a� ��
Authorization servers can have metadata describing their
configuration. The following authorization server metadata values
are used by this specification. More details can be found in
`RFC8414 section 2`_ :
issuer
REQUIRED
authorization_endpoint
URL of the authorization server's authorization endpoint
[`RFC6749#Authorization`_]. This is REQUIRED unless no grant types are supported
that use the authorization endpoint.
token_endpoint
URL of the authorization server's token endpoint [`RFC6749#Token`_]. This
is REQUIRED unless only the implicit grant type is supported.
scopes_supported
RECOMMENDED.
response_types_supported
REQUIRED.
Other OPTIONAL fields:
jwks_uri,
registration_endpoint,
response_modes_supported
grant_types_supported
OPTIONAL. JSON array containing a list of the OAuth 2.0 grant
type values that this authorization server supports. The array
values used are the same as those used with the "grant_types"
parameter defined by "OAuth 2.0 Dynamic Client Registration
Protocol" [`RFC7591`_]. If omitted, the default value is
"["authorization_code", "implicit"]".
token_endpoint_auth_methods_supported
token_endpoint_auth_signing_alg_values_supported
service_documentation
ui_locales_supported
op_policy_uri
op_tos_uri
revocation_endpoint
revocation_endpoint_auth_methods_supported
revocation_endpoint_auth_signing_alg_values_supported
introspection_endpoint
introspection_endpoint_auth_methods_supported
introspection_endpoint_auth_signing_alg_values_supported
code_challenge_methods_supported
Additional authorization server metadata parameters MAY also be used.
Some are defined by other specifications, such as OpenID Connect
Discovery 1.0 [`OpenID.Discovery`_].
.. _`RFC8414 section 2`: https://tools.ietf.org/html/rfc8414#section-2
.. _`RFC6749#Authorization`: https://tools.ietf.org/html/rfc6749#section-3.1
.. _`RFC6749#Token`: https://tools.ietf.org/html/rfc6749#section-3.2
.. _`RFC7591`: https://tools.ietf.org/html/rfc7591
.. _`OpenID.Discovery`: https://openid.net/specs/openid-connect-discovery-1_0.html
ZissuerT)r)���r,���Zjwks_uri)r+���Zscopes_supportedr1���Zservice_documentationZui_locales_supportedZ
op_policy_uriZ
op_tos_uriZgrant_types_supported)�copy�deepcopyr���r.���r3���r���r
���r
���r8���r���rD���r ���rF���r���rG���r6���r7���r���r���r���r�������s*����J
z)MetadataEndpoint.validate_metadata_server)r���NN)FFFF)
�__name__�
__module__�
__qualname__�__doc__r���r���r
���r.���r8���rD���rF���rG���r���r���r���r���r���r
������s���
���
r
���)rM���rH���r���Zlogging��r���Z
authorizationr����baser���r���Z
introspectr���Z
revocationr ���r>���r
���Z getLoggerrJ����logr
���r���r���r���r����<module>���s���