3i .SSKrSSKrSSKrSSKrSSKrSSKrSSKJr SSKJ r J r J r J r J r Jr SSKJr SSKJr SSKrSSKJrJrJrJrJr SSKJr SSKJr SS KJrJ r \"S 5r!\RD"\#5r$/S Qr%"S S \&\5r'\("\RR\RT-\RV-5r,S\&SS4Sjr-\'R\R^\'R`R^/r1S\&SS4Sjr2"SS\5r3"SS\ 5r4"SS\5r5g)N)Enum)castDictListOptional TypedDictTypeVar)override) SecretStr)ServerAuthenticationProviderClientAuthProviderClientAuthHeaders UserIdentity AuthError)System)ChromaAuthError)OpenTelemetryGranularity trace_methodT)!TokenAuthenticationServerProviderTokenAuthClientProviderTokenTransportHeaderc \rSrSrSrSrSrSrg)r(z& Accceptable token transport headers. AuthorizationzX-Chroma-TokenN)__name__ __module__ __qualname____firstlineno____doc__ AUTHORIZATIONX_CHROMA_TOKEN__static_attributes__r\/home/james-whalen/.local/lib/python3.13/site-packages/chromadb/auth/token_authn/__init__.pyrr(s$M%Nr%rtokenreturnc^[U5n[SU55(d [S5eg)Nc32# UH o[;v M g7f)N)valid_token_chars).0cs r& _check_token..:s9y!%%yszHInvalid token. Must contain only ASCII letters, digits, and punctuation.)strall ValueError)r' token_strs r& _check_tokenr48s1E I 9y9 9 9 V   :r% token_headercBU[;a[SUS[35eg)Nz Invalid token transport header: z. Must be one of )allowed_token_headersr2)r5s r&_check_allowed_token_headersr8Fs400.|n=34 6  1r%cP^\rSrSrSrS\SS4U4Sjjr\S\4Sj5r Sr U=r $) rNz Client auth provider for token-based auth. Header key will be either "Authorization" or "X-Chroma-Token" depending on `chroma_auth_token_transport_header`. If the header is "Authorization", the token is passed as a bearer token. systemr(Nc>[TU]U5 URUlURR S5 [ [ URR55Ul[URR55 URR(aD[URR5 [URR5Ulg[RUlg)Nchroma_client_auth_credentials)super__init__settings _settingsrequirer r0r=_tokenr4get_secret_value"chroma_auth_token_transport_headerr8r_token_transport_headerr")selfr; __class__s r&r? TokenAuthClientProvider.__init__Vs   @AFOO$R$R ST T[[1134 ?? = = (BB ,@BB,D (,@+M+MD (r%cURR5nUR[R:XaSU3nURR [ U50$)NBearer )rCrDrFrr"valuer )rGvals r& authenticate$TokenAuthClientProvider.authenticatehsSkk**,  ' '+?+M+M MC5/C  ( ( . . #  r%)rArCrF) rrrr r!rr?r rrNr$ __classcell__rHs@r&rrNs:NvN$N$ /  r%rcd\rSrSr%Sr\\S'\\S'\\\S'\\\\S'\\\S'Sr g ) Userrz A simple User class for use in this module only. If you need a generic way to represent a User, please use UserIdentity as this class keeps track of sensitive tokens. idroletenant databasestokensrN) rrrr r!r0__annotations__rrr$rr%r&rSrSrs6 G I SMS "" Ir%rSc^\rSrSrSrS\SS4U4Sjjr\"S\R5\ S\ \ \ 4S\ 4S j55rS rU=r$) ray Server authentication provider for token-based auth. The provider will - On initialization, read the users from the file specified in `chroma_server_authn_credentials_file`. This file must be a well-formed YAML file with a top-level array called `users`. Each user must have an `id` field and a `tokens` (string array) field. - On each request, check the token in the header specified by `chroma_auth_token_transport_header`. If the configured header is "Authorization", the token is expected to be a bearer token. - If the token is valid, the server will return the user identity associated with the token. r;r(Nc >[TU]U5 URUlURR(aD[ URR5 [ URR5UlO[ RUl0Ul UR5n[U5S:Xa#[SSS/SUS/S9URUS'g[[[[R "SR#U55S5UlUR$HnSU;a ['S 5eS U;aSUS 'S U;aS/US 'USHbn[)U5 X@R;a7URUU:wa$['S US USSURU35eX0RU'Md M g)N anonymous*r)rUrWrXrVrY usersrYzUser missing tokensrWrXzToken z+ already in use: wanted to use it for user rUz! but it's already in use by user )r>r?r@rArEr8rrFr"_token_user_mappingread_creds_or_creds_filelenrSrryaml safe_loadjoin_usersr2r4)rGr;credsuserr'rHs r&r?*TokenAuthenticationServerProvider.__init__s   ?? = = (BB ,@BB,D (,@+M+MD (46 --/ u:?15% az 2D $ $U1X . 4:t~~dii6F'G'PQ KKDt# !677t#!$X$&%(E[!hU#5550074?$ ( $T |, $ 8 8 ?@B 37((/( r%z.TokenAuthenticationServerProvider.authenticateheadersc nURRR5UR5;a#[ SURRS35eXRRR5nUR[ R :Xa9URS5(d [ S5e[R"SSU5nUR5n[U5 X R;a [ S5e[URUSURUS URUS S 9nU$![a+n[RS [!U535 SnAOSnAf["axn[$R&"UR(5nUS nUR*nUR,n[RS[/U5R0SUSU35 SnAOSnAff=f[2R4"[6R8"SS55 [;5e)NzAuthorization header 'z ' not foundrKz(Bearer not found in Authorization headerz^Bearer z%Invalid credentials: Token not found}rUrWrX)user_idrWrXz7TokenAuthenticationServerProvider.authenticate failed: zNTokenAuthenticationServerProvider.authenticate failed: Failed to authenticate z at :gMbP?g{Gzt?)rFrLlowerkeysrrr" startswithresubstripr4rcrloggerdebugrepr Exception traceback extract_tb __traceback__linenofilenametypertimesleeprandomuniformr) rGrmr' user_identityetblast_call_stack line_numberrs r&authenticate_or_raise7TokenAuthenticationServerProvider.authenticate_or_raises $ ++11779O,T-I-I-O-O,PP[\88>>DDFGE++/C/Q/QQ'' 22#$NOO{B6KKME  444 GHH(007=//6x@2259+FM !   LLI$q'S   %%aoo6B fO)00K&//H LL**.q'*:*:);4z;-Y    NN5% ( s%EE G?!E:: G?A.G::G?)rArFrcri)rrrr r!rr?rrALLr rr0rrr$rPrQs@r&rrsa .7v.7$.7`8:R:V:V) T#s(^) ) ) r%r)6loggingrrvstringrr}enumrtypingrrrrrr overridesr pydanticr rf chromadb.authr r rrrchromadb.configrchromadb.errorsr chromadb.telemetry.opentelemetryrrr getLoggerrry__all__r0rsetdigits ascii_letters punctuationr+r4r"rLr#r7r8rrSrrr%r&rs AA #+  CL   8 $  &3 & (<(<