Revert commit a094be8

Author: jwindgassen

jupyter_server_proxy/standalone/__init__.py

@@ -5,21 +5,10 @@
 from tornado import ioloop
 from tornado.httpserver import HTTPServer
 from tornado.log import app_log as log
-from tornado.log import enable_pretty_logging
+from tornado.log import enable_pretty_logging, gen_log
 
 from .activity import start_activity_update
-from .proxy import get_port_from_env, make_proxy_app
-
-
-def _use_jupyterhub(overwrite):
-    """
-    Try to determine if we are launched by a JupyterHub via the environment variables.
-    See jupyterhub/spawner.py#L1035
-    """
-    if overwrite is not None:
-        return overwrite
-
-    return "JUPYTERHUB_API_TOKEN" in os.environ and "JUPYTERHUB_API_URL" in os.environ
+from .proxy import configure_ssl, make_proxy_app, get_port_from_env
 
 
 def run(
@@ -33,7 +22,7 @@ def run(
     mappath: list[tuple[str, str]] | None,
     debug: bool,
     # logs: bool,
-    overwrite_authentication: bool | None,
+    skip_authentication: bool,
     timeout: int,
     activity_interval: int,
     # progressive: bool,
@@ -43,13 +32,13 @@ def run(
     enable_pretty_logging(logger=log)
     if debug:
         log.setLevel(logging.DEBUG)
+        gen_log.setLevel(logging.DEBUG)
 
     if not port:
         port = get_port_from_env()
 
-    use_jupyterhub = _use_jupyterhub(overwrite_authentication)
-    if use_jupyterhub:
-        log.info("Enabling Authentication with JupyterHub")
+    if skip_authentication:
+        log.warn("Disabling Authentication with JuypterHub Server!")
 
     prefix = os.environ.get("JUPYTERHUB_SERVICE_PREFIX", "/")
 
@@ -61,18 +50,13 @@ def run(
         dict(environment),
         dict(mappath),
         timeout,
-        use_jupyterhub,
+        skip_authentication,
         debug,
         # progressive,
         websocket_max_message_size,
     )
 
-    ssl_options = None
-    if use_jupyterhub:
-        from .hub import configure_ssl
-
-        ssl_options = configure_ssl()
-
+    ssl_options = configure_ssl()
     http_server = HTTPServer(app, ssl_options=ssl_options, xheaders=True)
     http_server.listen(port, address)
 
@@ -81,9 +65,9 @@ def run(
     log.info(f"Command: {' '.join(command)!r}")
 
     # Periodically send JupyterHub Notifications, that we are still running
-    if use_jupyterhub and activity_interval > 0:
+    if activity_interval > 0:
         log.info(
-            f"Sending Acitivity Notivication to JupyterHub with interval={activity_interval}"
+            f"Sending Acitivity Notivication to JupyterHub with interval={activity_interval}s"
         )
         start_activity_update(activity_interval)
 
@@ -165,10 +149,9 @@ def main():
     #     help="Display logs generated by the subprocess.",
     # )
     parser.add_argument(
-        "--overwrite-authentication",
-        default=None,
-        type=lambda v: None if v is None else bool(v),
-        help="Forcefully enable/disable authentication with JupyterHub.",
+        "--skip-authentication",
+        action="store_true",
+        help="Do not enforce authentication with the JupyterHub Server.",
     )
     parser.add_argument(
         "--timeout",

jupyter_server_proxy/standalone/hub.py

@@ -3,30 +3,61 @@
 from logging import Logger
 from urllib.parse import urlparse
 
+from jupyterhub import __version__ as __jh_version__
+from jupyterhub.services.auth import HubOAuthCallbackHandler, HubOAuthenticated
+from jupyterhub.utils import make_ssl_context
+from tornado import httpclient, web
 from tornado.log import app_log
 from tornado.web import Application
 from tornado.websocket import WebSocketHandler
 
 from ..handlers import SuperviseAndProxyHandler
 
 
-class StandaloneProxyHandler(SuperviseAndProxyHandler):
+class StandaloneHubProxyHandler(HubOAuthenticated, SuperviseAndProxyHandler):
     """
-    Base class for standalone proxies. Will not ensure any authentication!
+    Base class for standalone proxies.
+    Will restrict access to the application by authentication with the JupyterHub API.
     """
 
     def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)
         self.environment = {}
         self.timeout = 60
+        self.skip_authentication = False
 
     @property
     def log(self) -> Logger:
         return app_log
 
+    @property
+    def hub_users(self):
+        if "hub_user" in self.settings:
+            return {self.settings["hub_user"]}
+        return set()
+
+    @property
+    def hub_groups(self):
+        if "hub_group" in self.settings:
+            return {self.settings["hub_group"]}
+        return set()
+
+    def set_default_headers(self):
+        self.set_header("X-JupyterHub-Version", __jh_version__)
+
     def prepare(self, *args, **kwargs):
         pass
 
+    async def proxy(self, port, path):
+        if self.skip_authentication:
+            return await super().proxy(port, path)
+        else:
+            return await self.oauth_proxy(port, path)
+
+    @web.authenticated
+    async def oauth_proxy(self, port, path):
+        return await super().proxy(port, path)
+
     def check_origin(self, origin: str = None):
         # Skip JupyterHandler.check_origin
         return WebSocketHandler.check_origin(self, origin)
@@ -38,6 +69,23 @@ def get_timeout(self):
         return self.timeout
 
 
+def configure_ssl():
+    keyfile = os.environ.get("JUPYTERHUB_SSL_KEYFILE")
+    certfile = os.environ.get("JUPYTERHUB_SSL_CERTFILE")
+    cafile = os.environ.get("JUPYTERHUB_SSL_CLIENT_CA")
+
+    if not (keyfile and certfile and cafile):
+        app_log.warn("Could not configure SSL")
+        return None
+
+    ssl_context = make_ssl_context(keyfile, certfile, cafile)
+
+    # Configure HTTPClient to use SSL for Proxy Requests
+    httpclient.AsyncHTTPClient.configure(None, defaults={"ssl_options": ssl_context})
+
+    return ssl_context
+
+
 def make_proxy_app(
     command: list[str],
     prefix: str,
@@ -46,25 +94,17 @@ def make_proxy_app(
     environment: dict[str, str],
     mappath: dict[str, str],
     timeout: int,
-    use_jupyterhub: bool,
+    skip_authentication: bool,
     debug: bool,
     # progressive: bool,
     websocket_max_message_size: int,
 ):
-    # Determine base class, whether or not to authenticate with JupyterHub
-    if use_jupyterhub:
-        from .hub import StandaloneHubProxyHandler
-
-        proxy_base = StandaloneHubProxyHandler
-    else:
-        proxy_base = StandaloneProxyHandler
-
     app_log.debug(f"Process will use {port = }")
     app_log.debug(f"Process will use {unix_socket = }")
     app_log.debug(f"Process environment: {environment}")
     app_log.debug(f"Proxy mappath: {mappath}")
 
-    class Proxy(proxy_base):
+    class Proxy(StandaloneHubProxyHandler):
         def __init__(self, *args, **kwargs):
             super().__init__(*args, **kwargs)
             self.name = f"{command[0]!r} Process"
@@ -75,6 +115,7 @@ def __init__(self, *args, **kwargs):
             self.command = command
             self.environment = environment
             self.timeout = timeout
+            self.skip_authentication = skip_authentication
 
     settings = dict(
         debug=debug,
@@ -97,25 +138,15 @@ def __init__(self, *args, **kwargs):
                     state={},
                     # ToDo: progressive=progressive
                 ),
-            )
+            ),
+            (
+                r"^" + re.escape(prefix) + r"/oauth_callback",
+                HubOAuthCallbackHandler,
+            ),
         ],
         **settings,
     )
 
-    if use_jupyterhub:
-        from jupyterhub.services.auth import HubOAuthCallbackHandler
-
-        # The OAuth Callback required to redirect when we successfully authenticated with JupyterHub
-        app.add_handlers(
-            ".*",
-            [
-                (
-                    r"^" + re.escape(prefix) + r"/oauth_callback",
-                    HubOAuthCallbackHandler,
-                ),
-            ],
-        )
-
     return app
 
 

jupyter_server_proxy/standalone/proxy.py

@@ -73,7 +73,7 @@ lab = [
     "nbclassic",
     "notebook >=7",
 ]
-hub = [
+standalone = [
     "jupyterhub"
 ]