VvgVFddlmZddlmZddlmZddlmZddlm Z m Z m Z m Z m Z ddlmZddlmZmZddlmZmZmZmZdd lmZmZdd lmZdd lmZdd lm Z dd l!m"Z"ee#Z$ ddl%Z&dZ'n #e($rdZ'YnwxYwdefdZ)dde-fd2Z? d) timedelta)sha256) getLogger)Template)CallableOptionalTypeUnionList) urlencode) BaseCachecaches) HttpRequest HttpResponse JsonResponse QueryDict)redirectrender) force_bytes) import_string)settings) AccessBaseNTFreturncDtttddS)zy Get the cache instance Axes is configured to use with ``settings.AXES_CACHE`` and use ``'default'`` if not set. AXES_CACHEdefault)rgetattrrI/var/www/pixelcanvas.ch/venv/lib/python3.11/site-packages/axes/helpers.py get_cacher!s '(L)<< ==rrequestcjt|}|dSt|S)a Return the cache timeout interpreted from settings.AXES_COOLOFF_TIME. The cache timeout can be either None if not configured or integer of seconds if configured. Notice that the settings.AXES_COOLOFF_TIME can be None, timedelta, float, integer, callable, or str path, and this function offers a unified _integer or None_ representation of that configuration for use with the Django cache backends. N) get_cool_offint total_seconds)r"cool_offs r get_cache_timeoutr(#s6G$$Ht x%%'' ( ((rcJtj}t|trt |St|t rt |dzSt|t rt|}||St|r ||S|S)a Return the login cool off time interpreted from settings.AXES_COOLOFF_TIME. The return value is either None or timedelta. Notice that the settings.AXES_COOLOFF_TIME is either None, timedelta, integer/float of hours, a path to a callable or a callable taking 1 argument (the request). This function offers a unified _timedelta or None_ representation of that configuration for use with the Axes internal implementations. :exception TypeError: if settings.AXES_COOLOFF_TIME is of wrong type. )hours<)minutes) rAXES_COOLOFF_TIME isinstancer%rfloatstrrcallable)r"r' cool_off_funcs r r$r$4s)H(C  )x(((((E""0B////(C  &%h// }W%%%!x   Ordeltac|}t|d\}}t|d\}}t|d\}}|r|ddnd}dd|dg|dg|d gfD}|rd |d |Sd |S) zh Return datetime.timedelta translated to ISO 8601 formatted duration for use in e.g. cool offs. r+.0fDc3.K|]\}}||d|VdS)r6Nr).0value designators r z'get_cool_off_iso8601..]sN E:  ""j""rHMSPT)r&divmodjoin)r3secondsr,r*daysdays_strtime_strs r get_cool_off_iso8601rIQs !!##Ggr**GWGR((NE7##KD%!%-$~~~~~2Hww#(#,##!OH )(8((h((( x>>rusernamec Ltj|i}|||S)a Calculate credentials for Axes to use internally from given username and kwargs. Axes will set the username value into the key defined with ``settings.AXES_USERNAME_FORM_FIELD`` and update the credentials dictionary with the kwargs given on top of that. )rAXES_USERNAME_FORM_FIELDupdate)rJkwargs credentialss r get_credentialsrPhs+4h?Kv rrOcdtjrtdt tjrtj||St tjt r#ttj||Std|r:td| tj dStdt|d|j }| tj dS)a Resolve client username from the given request or credentials if supplied. The order of preference for fetching the username is as follows: 1. If configured, use ``AXES_USERNAME_CALLABLE``, and supply ``request, credentials`` as arguments 2. If given, use ``credentials`` and fetch username from ``AXES_USERNAME_FORM_FIELD`` (defaults to ``username``) 3. Use request.POST and fetch username from ``AXES_USERNAME_FORM_FIELD`` (defaults to ``username``) :param request: incoming Django ``HttpRequest`` or similar object from authentication backend or other source :param credentials: incoming credentials ``dict`` or similar object from authentication backend or other source z5Using settings.AXES_USERNAME_CALLABLE to get usernamezHsettings.AXES_USERNAME_CALLABLE needs to be a string, callable, or None.zVUsing parameter credentials to get username with key settings.AXES_USERNAME_FORM_FIELDNzWUsing parameter request.POST to get username with key settings.AXES_USERNAME_FORM_FIELDdata) rAXES_USERNAME_CALLABLElogdebugr1r.r0r TypeErrorgetrLrPOST)r"rO request_datas r get_client_usernamerZus &   IJJJ H3 4 4 2  h5s ; ; XA=!@AA';WW W V   H d   x@$GGGIIa7FGL99L   H=t D DDr use_ipwarectjrtdt tjrtj|St tjt r"ttj|Std|t}|rktdtj |tj tjtjtj\}}|Std|jddS)a Get client IP address as configured by the user. The order of preference for address resolution is as follows: 1. If configured, use ``AXES_CLIENT_IP_CALLABLE``, and supply ``request`` as argument 2. If available, use django-ipware package (parameters can be configured in the Axes package) 3. Use ``request.META.get('REMOTE_ADDR', None)`` as a fallback :param request: incoming Django ``HttpRequest`` or similar object from authentication backend or other source z?Using settings.AXES_CLIENT_IP_CALLABLE to get client IP addresszIsettings.AXES_CLIENT_IP_CALLABLE needs to be a string, callable, or None.Nz,Using django-ipware to get client IP address) proxy_order proxy_countproxy_trusted_ipsrequest_header_orderzTUsing request.META.get('REMOTE_ADDR', None) fallback method to get client IP address REMOTE_ADDR)rAXES_CLIENT_IP_CALLABLErTrUr1r.r0rrVIPWARE_INSTALLEDipwareip get_client_ipAXES_IPWARE_PROXY_ORDERAXES_IPWARE_PROXY_COUNTAXES_IPWARE_PROXY_TRUSTED_IPS!AXES_IPWARE_META_PRECEDENCE_ORDERMETArW)r"r[client_ip_address_s r get_client_ip_addressrns5 '   STTT H4 5 5 3  h6 < < LB=!ABB7KK K W   %  ! @AAA%y66  8 8&D!)!K 7  1! II^ <  M4 0 00rcH|jddddS)NHTTP_USER_AGENT rkrWr"s r get_client_user_agentrus$ <  -{ ; ;DSD AArcH|jddddS)N PATH_INFOrqrrrsrts r get_client_path_inforxs# <  K 5 5dsd ;;rcH|jddddS)N HTTP_ACCEPTrqirsrts r get_client_http_acceptr{s# <  M; 7 7 >>rrequest_or_attemptcVttjrtj||Sttjtr#t tj||Sttjt r tjStd)NzCsettings.AXES_LOCKOUT_PARAMETERS needs to be a callable or iterable)r1rAXES_LOCKOUT_PARAMETERSr.r0rlistrV)r|rOs r get_lockout_parametersrs011Q/0BKPPP(2C88 >}X=>>     (2D990// M  r ip_address user_agentc t||}|||d g}|D]} t|tr | |i}n fd|D}||G#t$r[} | dd } t| t| | d} ~ wwxYw|S)a< Get query parameters for filtering AccessAttempt queryset. This method returns a dict that guarantees iteration order for keys and values, and can so be used in e.g. the generation of hash keys or other deterministic functions. Returns list of dict, every item of list are separate parameters )rJrrc"i|] }|| Srr)r:combined_parameterparameters_dicts r z)get_client_parameters..s1   *'8J(K   rz7 lockout parameter is not allowed. Allowed parameters: , N) rr.r0appendKeyErrorrDkeysrT exception ValueError) rJrrr|rOlockout_parameters filter_kwargs parameter filter_kwarge error_msgrs @r get_client_parametersrs200BKPP  O M'//  /)S))  )?9+EF     .7       . . . . / / /KK'+yy1E1E1G1G'H'HKK  MM) $ $ $Y''Q .  / sAA## C-ACCfilter_kwargs_listc g}|D]~}dd|D}t|}|d||S)Nr8c3K|]}||V dSNr)r:r;s r r=z&make_cache_key_list..%s;' ' ' ' ' ' ' ' ' rzaxes-)rDvaluesrencode hexdigestr)r cache_keysrcache_key_componentscache_key_digests r make_cache_key_listr"sJ+66 !ww' ' ,3355' ' '   ""6"="="?"?@@JJLL4"2445555 rct|tr|j}|j}|j}n.t ||}t |}t|}t|||||}t|S)a Build cache key name from request or AccessAttempt object. :param request_or_attempt: HttpRequest or AccessAttempt object :param credentials: credentials containing user information :return cache_key: Hash key that is usable for Django cache backends ) r.rrJrrrZrnrurr)r|rOrJrrrs r get_client_cache_keysr-s$j11?%.'2 '2 &'9;GG*+=>> *+=>> .*j*z"get_client_str..{s$ D D D1Q # # D D Drrc3BK|]}|VdSr substituter:itemtemplates r r=z!get_client_str..|s1GG8..t44GGGGGGr{})rAXES_CLIENT_STR_CALLABLErTrUr1r.r0rrV AXES_VERBOSErrMcleanse_parameterscopytuplerritemsrD) rJrrrr" client_dict client_listclientr client_strrs @r get_client_strrIs(   QRRR H5 6 6 4*j)W  h7 = = C=!BCC*j)W  W   K '"* J$. L!$. L!!,Hj*gVV  ! ' 'F   v & & & &$[%5%5%7%788K!Z E4=99!aL (K ())H D D 0A0A0C0C D D DEGGGGGGGGGJz!C'J rparamscdgtjz}tjr|tj|r$|}|D] }||vrd||< |S|S)a Replace sensitive parameter values in a parameter dict with a safe placeholder value. Parameters name ``'password'`` will always be cleansed. Additionally, parameters named in ``settings.AXES_SENSITIVE_PARAMETERS`` and ``settings.AXES_PASSWORD_FORM_FIELD will be cleansed. This is used to prevent passwords and similar values from being logged in cleartext. passwordz********************)rAXES_SENSITIVE_PARAMETERSAXES_PASSWORD_FORM_FIELDrr)rsensitive_parameterscleansedparams r rrsz'<(*LL(G##H$EFFF;;==) 9 9E  "8 Mrquery max_lengthct|}tdd|D}dfd|D}|d|S)a~ Turns a query dictionary into an easy-to-read list of key-value pairs. If a field is called either ``'password'`` or ``settings.AXES_PASSWORD_FORM_FIELD`` or if the fieldname is included in ``settings.AXES_SENSITIVE_PARAMETERS`` its value will be masked. The length of the output is limited to max_length to avoid a DoS attack via excessively large payloads. z $key=$valuecg|] \}}||d Srrrs r rz!get_query_str..s$ C C C1Q # # C C Cr c3BK|]}|VdSrrrs r r=z get_query_str..s1FF(--d33FFFFFFrN)rrrrrD)rr query_dictr query_strrs @r get_query_strrs{$EJJLL11J &&H C C 0@0@0B0B C C CE FFFFFFFFFI [j[ !!rcVttjrtj||Sttjtr#t tj||Sttjt r tjStd)Nz@settings.AXES_FAILURE_LIMIT needs to be a callable or an integer)r1rAXES_FAILURE_LIMITr.r0rr%rV)r"rOs r get_failure_limitrs+,, * [   (-s33P9}X899';OOO(-s33+** V W WWrcJtjr tjStjSr)rr-AXES_COOLOFF_MESSAGEAXES_PERMALOCK_MESSAGErrr get_lockout_messagers!-,,  **rctjrttjrtj||Sttjtr#t tj||St dtj}t||t||pdd}t|}|r%| t||d|j ddkr,t||}tj|d<d |d <d |d <|Stjrt%|tj||Stjr9tj}t)d |d i}|d|}t+|St-t/|S)NzGsettings.AXES_LOCKOUT_CALLABLE needs to be a string, callable, or None.r8) failure_limitrJ) cooloff_timecooloff_timedeltaHTTP_X_REQUESTED_WITHXMLHttpRequest)statuszAccess-Control-Allow-Originz POST, OPTIONSzAccess-Control-Allow-Methodsz=Origin, Content-Type, Accept, Authorization, x-requested-withzAccess-Control-Allow-HeadersrJ?)rAXES_LOCKOUT_CALLABLEr1r.r0rrVAXES_HTTP_RESPONSE_CODErrZr$rMrIrkrWrAXES_ALLOWED_CORS_ORIGINSAXES_LOCKOUT_TEMPLATErAXES_LOCKOUT_URLr rrr) r"rOrcontextr' json_response lockout_url query_stringurls r get_lockout_responsers%  H2 3 3 1  h4c : : W@=!?@@+VV V U    -F*7K@@'==CG G$$H  4!!&.      |/004DDD$WV<<<  . 349H 45 K 45%Wgx=wvVVVV /  *gj.A!BCC --|--}} +--f = = ==rc:tjsdS|tjvSNF)rAXES_IP_WHITELISTrs r is_ip_address_in_whitelistr$  %u h00rc:tjsdS|tjvSr)rAXES_IP_BLACKLISTrs r is_ip_address_in_blacklistrrrctjrt|jrdStjrt|jrdSdS)z@ Check if the given request refers to a whitelisted IP. TF)rAXES_NEVER_LOCKOUT_WHITELISTraxes_ip_addressAXES_ONLY_WHITELISTrts r is_client_ip_address_whitelistedrs] ,1K22t#(B))t 5rcvt|jrdStjrt |jsdSdS)z@ Check if the given request refers to a blacklisted IP. TF)rrrrrrts r is_client_ip_address_blacklistedrsK "'"9::t#,F--t 5rc8tjr |jdkrdSdS)z? Check if the given request uses a whitelisted method. GETTF)rAXES_NEVER_LOCKOUT_GETmethodrts r is_client_method_whitelistedr)s% &7>U+B+Bt 5rctj}|dSt|r |||St|trt |||St d)a Check if the given request or credentials refer to a whitelisted username. This method invokes the ``settings.AXES_WHITELIST`` callable with ``request`` and ``credentials`` arguments. This function could use the following implementation for checking the lockout flags from a specific property in the user object: .. code-block: python username_value = get_client_username(request, credentials) username_field = getattr( get_user_model(), "USERNAME_FIELD", "username" ) kwargs = {username_field: username_value} user_model = get_user_model() user = user_model.objects.get(**kwargs) return user.nolockout NFzIsettings.AXES_WHITELIST_CALLABLE needs to be a string, callable, or None.)rAXES_WHITELIST_CALLABLEr1r.r0rrV)r"rOwhitelist_callables r is_user_attempt_whitelistedr4s6"9!u"##8!!';777$c**G0}/00+FFF S  rcfd}|S)a: Decorator that toggles function execution based on settings. If the ``settings.AXES_ENABLED`` flag is set to ``False`` the decorated function never runs and a None is returned. This decorator is only suitable for functions that do not require return values to be passed back to callers. c0tjr|i|SdSr)r AXES_ENABLED)argsrNfuncs r innerztoggleable..innergs-   )4((( ( ) )rr)rrs` r toggleabler \s#))))) Lrc |j}n#t$rYdSwxYw|j|t t |jS)z Get client session and returns the SHA256 hash of session key, forcing session creation if required. If no session is available on request returns an empty string. r8)sessionAttributeError session_keycreaterrr)r"r s r get_client_session_hashrnsr / rr" +g122 3 3 = = ? ??s  r)r)Idatetimerhashlibrloggingrstringrtypingrrr r r urllib.parser django.core.cacher r django.httprrrrdjango.shortcutsrrdjango.utils.encodingrdjango.utils.module_loadingr axes.confr axes.modelsr__name__rT ipware.iprdrc ImportErrorr!r%r(r$r0rIdictrPrZboolrnrurxr{rrrrrrrrrrrrrrrrr rrrr r"s88888888888888""""""////////JJJJJJJJJJJJ--------------555555""""""i>9>>>>))x 4) ))))"(;/8I;N: c.  hsm     9=(E(E (E'/~(E(E(E(E(EZ"&0101 0101c]01010101fB;B3BBBB<+<#<<<<?K?C???? #'k:56$ %T#Y  2#' ,,,,,k:56 , $ ,  $Z ,,,,^DJ49#'33k:563$3 #Y333385555 5  5  5555pt2""i"c"S""""& X{ XC X X X X+S++++9=3>3> 3>'/~3>3>3>3>3>l3434k$ k d     +$9=%% %'/~% %%%%P$@[@S@@@@@@s-A44A>=A>