B
    !`                 @   s   d Z ddlmZ ddlmZ ddlmZ ddlZddlmZ ddlm	Z	 ddl
mZ ed	d
dgZe ZdZdZddgddgdgdgdZdd ZG dd deZdS )z0Validates responses and their security features.    )absolute_import)division)print_functionN)Headers)http)
tb_logging	Directivenamevaluez	text/htmlzdefault-srcz'unsafe-inline'zdata:zblob:z'unsafe-eval')z	style-srczimg-srcz
script-srczfont-srcc             C   s   t d|   d S )Nz-In 3.0, this warning will become an error:
%s)loggerwarning)	error_msg r   U/home/dcms/DCMS/lib/python3.7/site-packages/tensorboard/backend/security_validator.py_maybe_raise_value_error0   s    r   c               @   sP   e Zd ZdZdd Zdd Zdd Zdd	 Zd
d Zdd Z	dd Z
dd ZdS )SecurityValidatorMiddlewarea  WSGI middleware validating security on response.

    It validates:
    - responses have Content-Type
    - responses have X-Content-Type-Options: nosniff
    - text/html responses have CSP header. It also validates whether the CSP
      headers pass basic requirement. e.g., default-src should be present, cannot
      use "*" directive, and others. For more complete list, please refer to
      _validate_csp_policies.

    Instances of this class are WSGI applications (see PEP 3333).
    c             C   s
   || _ dS )zInitializes an `SecurityValidatorMiddleware`.

        Args:
          application: The WSGI application to wrap (see PEP 3333).
        N)_application)selfZapplicationr   r   r   __init__C   s    z$SecurityValidatorMiddleware.__init__c                s   d fdd	}  ||S )Nc                s     | | ||S )N)_validate_headers)statusheadersexc_info)r   start_responser   r   start_response_proxyL   s    
zBSecurityValidatorMiddleware.__call__.<locals>.start_response_proxy)N)r   )r   environr   r   r   )r   r   r   __call__K   s    z$SecurityValidatorMiddleware.__call__c             C   s*   t |}| | | | | | d S )N)r   _validate_content_type _validate_x_content_type_options_validate_csp_headers)r   Zheaders_listr   r   r   r   r   R   s    

z-SecurityValidatorMiddleware._validate_headersc             C   s   | drd S td d S )NzContent-Typez&Content-Type is required on a Response)getr   )r   r   r   r   r   r   X   s    
z2SecurityValidatorMiddleware._validate_content_typec             C   s"   | d}|dkrd S td d S )NzX-Content-Type-OptionsZnosniffz2X-Content-Type-Options is required to be "nosniff")r    r   )r   r   optionr   r   r   r   ^   s
    
z<SecurityValidatorMiddleware._validate_x_content_type_optionsc             C   sX   t |d\}}|tkr d S |d}g }x|D ]}|| |7 }q4W | | d S )NzContent-TypezContent-Security-Policy)r   Zparse_options_headerr    _HTML_MIME_TYPEget_all_parse_serialized_csp_validate_csp_policies)r   r   Z	mime_type_Z	csp_textspoliciescsp_textr   r   r   r   g   s    

z1SecurityValidatorMiddleware._validate_csp_headersc             C   s   d}g }x~|D ]v}|j }xj|jD ]`}|p.|tk}|t|g krBq |dks |dks |ds |drhq dj||d}|| q W qW |s|d |rtd		| d S )
NFz'self'z'none'zhttps:z'sha256-z3Illegal Content-Security-Policy for {name}: {value})r	   r
   z0Requires default-src for Content-Security-Policy
)
r	   r
   _CSP_DEFAULT_SRC_CSP_IGNOREr    
startswithformatappendr   join)r   r'   Zhas_default_srcZ
violations	directiver	   r
   msgr   r   r   r%   t   s*    



z2SecurityValidatorMiddleware._validate_csp_policiesc       
      C   s   | d}g }xl|D ]d}| }|s&q| d d}|d }t|dkrN|d nd}| }|  }t||d}	||	 qW |S )N;   r       )r	   r
   )splitstriplenlowerr   r.   )
r   r(   Zcsp_srcspolicytokenZ
token_fragr	   valuesr
   r0   r   r   r   r$      s    

z1SecurityValidatorMiddleware._parse_serialized_cspN)__name__
__module____qualname____doc__r   r   r   r   r   r   r%   r$   r   r   r   r   r   5   s   	*r   )r@   
__future__r   r   r   collectionsZwerkzeug.datastructuresr   Zwerkzeugr   Ztensorboard.utilr   
namedtupler   Z
get_loggerr   r"   r*   r+   r   objectr   r   r   r   r   <module>   s"   
