6IiFSSKrSSKrSSKJr SSKJrJrJrJr SSK J r J r J r J r SSKJr SSKJr SSKJrJr SSKJr SS KJr SS KJr SS KJr \ "S S SS9r\ "SS9r\ "SSS9r\ "5r!S\"\#4Sjr$"SS5r%g)N)Optional)Depends HTTPExceptionRequestSecurity) APIKeyHeaderHTTPAuthorizationCredentials HTTPBasicOAuth2PasswordBearer)FormData)config) get_api_keyupdate_key_last_used)extract_generic_body)AuthenticatedEntity)Admin)get_role_by_role_namez X-API-KEYzAPI KeyF)name scheme_name auto_error)rtoken)tokenUrlrreturncb/n[H"nSHnURUSU35 M M$ U$)z8 Get all scopes Returns: list: The list of scopes. )readwritedeleteupdate:) ALL_RESOURCESappend)scopesresourceactions K/venv/lib/python3.13/site-packages/keep/identitymanager/authverifierbase.pyget_all_scopesr&s;F!;F MMVHAhZ0 1<" Mc \rSrSrSr/4S\\SS4Sjjr\"\ 5\"\ 5\ "\ 5\ "\ 54S\S\\S \\S \\S \\-\-S\4 S jjrSS\S\\S \\S \\S \\\-\-S\4 S jjrS\SS4SjrS\SS4SjrS\S\S \S\4Sjr\"\ 5\"\ 54S\S\S \S\4SjjrSrS \S\4SjrSrg)AuthVerifierBase+a Base class for authentication and authorization verification. This class provides a framework for implementing authentication and authorization in FastAPI applications. It supports multiple authentication methods including API keys, HTTP Basic Auth, and OAuth2 bearer tokens. Subclasses can override the following methods to customize the authentication and authorization process: - _verify_bearer_token: Implement token-based authentication - _verify_api_key: Customize API key verification - _authorize: Implement custom authorization logic The main entry point is the __call__ method, which handles the entire authentication and authorization flow. Attributes: scopes (list[str]): A list of required scopes for authorization. logger (logging.Logger): Logger for this class. r"rNcT[RUVs/sHo"RS5SPM sn5 Xl[R "[ 5Ul[SSS9S:HUl [SSS9Ul [S S S9Ul [S SS9S:HUl [S S S9Ul 0Ul[SSS9S:HUl[SSS9UlUR RS5UlUR(aUR (d [#S5eggs snf)NrKEEP_IMPERSONATION_ENABLEDfalsedefaulttrueKEEP_IMPERSONATION_USER_HEADERz X-KEEP-USERKEEP_IMPERSONATION_ROLE_HEADERz X-KEEP-ROLE!KEEP_IMPERSONATION_AUTO_PROVISIONKEEP_UPDATE_KEY_INTERVAL<KEEP_READ_ONLYKEEP_READ_ONLY_BYPASS_KEY,zBKEEP_READ_ONLY_BYPASS_KEY must be set if KEEP_READ_ONLY is enabled)r rsplitr"logging getLogger__name__loggerr impersonation_enabledimpersonation_user_headerimpersonation_role_headerimpersonation_auto_provisionupdate_key_intervalkey_last_used_updates read_onlyread_only_bypass_keys ValueError)selfr"scopes r%__init__AuthVerifierBase.__init__Bs vFvekk#.q1vFG ''1 / AV K "*0 ,m* &*0 ,m* & 6 HF R ) $**Db#Q %'" 0'BfL%+,GQS%T"%)%?%?%E%Ec%J" >>$"<"<T #=>1GsD%requestapi_key authorizationrbodyc>URRS5 UR(asX R;ad[ UR Vs/sHofR S5SS:gPM sn5(a%URRS5 [SSS9eURXX4U5nURRSU35 URRS 5 URU5 URRS 5 U$s snf) a Main entry point for authentication and authorization. Args: request (Request): The incoming request. api_key (Optional[str]): The API key from the header. authorization (Optional[HTTPAuthorizationCredentials]): The HTTP basic auth credentials. token (Optional[str]): The OAuth2 token. Returns: AuthenticatedEntity: The authenticated entity. Raises: HTTPException: If authentication or authorization fails. zStarting authentication processrrrz1Read only instance, but non-read scopes requested status_codedetailz&Authentication successful for entity: zStarting authorization processzAuthorization successful) r?debugrFrGanyr"r;errorr authenticate authorize)rIrMrNrOrrPrJauthenticated_entitys r%__call__AuthVerifierBase.__call__`s. ;< >>g-G-GGt{{K{eKK$Q'61{KLL !!"UV# #N $00=Y]^ 45I4J K  :; +, 45##!Ls DcURRS5 U(a-URRS5 URU5$UR XU5n[U[5(aU$U(a.URRS5 URXU5$URRS URUS .S 9 [SS S9e![a e[a& URR S5 [SSS9ef=f![a e[a& URR S5 [SSS9ef=f) a Authenticate the request using either token, API key, or HTTP basic auth. Args: request (Request): The incoming request. api_key (Optional[str]): The API key from the header. authorization (Optional[HTTPAuthorizationCredentials]): The HTTP basic auth credentials. token (Optional[str]): The OAuth2 token. body (Optional[dict | bytes | FormData]): incoming request body got logs Returns: AuthenticatedEntity: The authenticated entity. Raises: HTTPException: If authentication fails. zAttempting authenticationz,Attempting to authenticate with bearer tokenzFailed to validate tokenz"Invalid authentication credentialsrSz'Attempting to authenticate with API keyzFailed to validate API Keyz$No valid authentication method found)headersrPextraz"Missing authentication credentials) r?rV_verify_bearer_tokenr Exception exception_extract_api_key isinstancer_verify_api_keyrXr`)rIrMrNrOrrPs r%rYAuthVerifierBase.authenticates[0 56  KK  L M 0077''-H g2 3 3N  KK  G H ++GmLL  2"??  $H  ?!   %%&@A# #,P !   %%&BC# #,P sCD:D:Er[cbURRSU35 URU5 g)z Authorize the authenticated entity. Args: authenticated_entity (AuthenticatedEntity): The authenticated entity to authorize. Raises: HTTPException: If authorization fails. zAuthorizing entity: N)r?rV _authorize)rIr[s r%rZAuthVerifierBase.authorizes- 01E0FGH ,-r'c*[UR5nURRSU35 UR UR 5(d@URR SUR 35 [SSUR S3S9eg)z Internal method to perform authorization. Args: authenticated_entity (AuthenticatedEntity): The authenticated entity to authorize. Raises: HTTPException: If the entity doesn't have the required scopes. zChecking scopes for role: z'Authorization failed. Required scopes: rRzMYou don't have the required scopes to access this resource [required scopes: ]rSN)rroler?rV has_scopesr"warningr)rIr[ros r%rkAuthVerifierBase._authorizes%%9%>%>? 6tf=>t{{++ KK  "I$++ W Xfgkgrgrfsstu ,r'cURRS5 U=(d URRSS5nU(GdU(dSURRSS5;aURR S5 [ SS S 9nU(aqURRRS 5(aGURRS S 5nURRSUS35 [USSSS9$[SSS0SS9eURRS5nURS5upxn UR#5S:Xa UR$nOkUR#5S:Xa/U (d%URRS 5 [S!S S9eU nO(URRS"U35 [SSS9eURRS#5 U$![aT URRS[!UR5URRS5S.S9 [SSS9ef=f)$aU Extract the API key from various sources in the request. Args: request (Request): The incoming request. api_key (str): The API key from the header. authorization (HTTPAuthorizationCredentials): The HTTP basic auth credentials. Returns: str: The extracted API key. Raises: HTTPException: If no valid API key is found. zExtracting API keyrNNz(Amazon Simple Notification Service Agent user-agentr9z#Got an SNS request without any authKEEP_CLOUDWATCH_DISABLE_API_KEYFr/z/alerts/event/cloudwatch tenant_idkeepz,Allowing unauthenticated access for tenant: z for CloudWatchsystemwebhookrvemail api_key_nameror_zWWW-AuthenticateBasiczMissing API Key)rTr`rU Authorization z$Failed to parse Authorization header)urlrtrarSbasicdigestzInvalid Digest credentialsrRz#Unsupported authentication scheme: zAPI key extracted successfully)r?rV query_paramsgetr`rqr rpathendswithinforr partitionrdrXstrlowerpassword) rIrMrNrO allow_unauthrv auth_headerscheme_ credentialss r%rf!AuthVerifierBase._extract_api_keys8( ./FW1155iF">??&&|R89 ##$IJ%&GQVW GKK$4$4$=$=.%%!( 4 4 8 8f MIKK$$FykQ`a/"+&%.&  $ #/9, "//--o>K O)4)>)>s)C&;||~('008+"KK%%&BC'$'0L*G !!$Gx"PQ#;V;V %%))+**%//0.2M2M1NO KK  F G#1":":  9.:R:R9STU))&(())++##  OO''(F(FG ""4#A#AB&(())++##   -.OO''(F(FG ""4#A#ABC8WX X   )"4"4"6 6 KK  M N(W   , , KK  7 {C D  !9!99 K KK  uYK/HI J 9:"$..   ] H KK ! !"F G HsEP%QQc^[SRURR55e)z Create a user for impersonation. Args: tenant_api_key: The API key used for impersonation. user_name: The name of the user to create. role: The role of the user to create. z(User provisioning not implemented for {})NotImplementedErrorformat __class__r>)rIrrros r%r AuthVerifierBase._provision_users*" fT^^445  r'cURRS5 [SRURR 55e)a Verify the bearer token and return an authenticated entity. Args: token (str): The bearer token to verify. Returns: AuthenticatedEntity: The authenticated entity. Raises: NotImplementedError: This method needs to be implemented in subclasses. z-_verify_bearer_token() method not implementedz4_verify_bearer_token() method not implemented for {})r?rXrrrr>)rIrs r%rc%AuthVerifierBase._verify_bearer_tokens= IJ! fT^^445  r') rCr@rBrArEr?rFrGr"rD)N)r> __module__ __qualname____firstlineno____doc__listrrKrr http_basicr oauth2_schemerrrr dictbytesr rr\rYrZrkrfrhrrc__static_attributes__r'r%r)r)+s,,.tCy$B"*+!6@H@T&}5(/0D(E *$*$#*$ <= *$ } *$ UlX% *$ *$d37 > > #>  <= > } > te|h./ >  > @ ..A .d ./Bt&MMM4 M Md ,6>z6J g g g 4 g  g R   # 2E r'r))&rr<typingrfastapirrrrfastapi.securityrr r r starlette.datastructuresr keep.api.core.configr keep.api.core.dbrrkeep.api.core.dependenciesr(keep.identitymanager.authenticatedentityrkeep.identitymanager.rbacrrrrrrsetr rrr&r)rr'r%rs|== .'>;H8; uU % ( $g%H   S X X r'