§
    !¾<iÍ  ã                   óv   — d dl Z d dlmZ d dlmZ ddlmZ dZ e j        e	¦  «        Z
 G d„ d¦  «        Zd	„ ZdS )
é    N)Újwt)Ú	JoseErroré   )ÚInvalidClientErrorz6urn:ietf:params:oauth:client-assertion-type:jwt-bearerc                   óL   — e Zd ZdZeZdZdd„Zd„ Zd„ Z	d„ Z
d	„ Zd
„ Zd„ Zd„ ZdS )ÚJWTBearerClientAssertionz]Implementation of Using JWTs for Client Authentication, which is
    defined by RFC7523.
    Úclient_assertion_jwtTé<   c                 ó0   — || _         || _        || _        d S )N)Ú	token_urlÚ_validate_jtiÚleeway)Úselfr   Úvalidate_jtir   s       ú˜/Users/kimhansen/Desktop/03 Workspace/ceo-agents/chl-effectiveness/mcp-servers/whoop/.venv/lib/python3.11/site-packages/authlib/oauth2/rfc7523/client.pyÚ__init__z!JWTBearerClientAssertion.__init__   s   € Ø"ˆŒØ)ˆÔð ˆŒˆˆó    c                 óN  — |j         }|                     d¦  «        }|                     d¦  «        }|t          k    rH|rF|                      ||¦  «        }|                      ||¦  «         |                      |j        ¦  «        S t                               d| j	        ¦  «         d S )NÚclient_assertion_typeÚclient_assertionzAuthenticate via %r failed)
ÚformÚgetÚASSERTION_TYPEÚcreate_resolve_key_funcÚprocess_assertion_claimsÚauthenticate_clientÚclientÚlogÚdebugÚCLIENT_AUTH_METHOD)r   Úquery_clientÚrequestÚdataÚassertion_typeÚ	assertionÚresolve_keys          r   Ú__call__z!JWTBearerClientAssertion.__call__   sœ   € ØŒ|ˆØŸšÐ"9Ñ:Ô:ˆØ—H’HÐ/Ñ0Ô0ˆ	Ø^Ò+Ð+°	Ð+Ø×6Ò6°|ÀWÑMÔMˆKØ×)Ò)¨)°[ÑAÔAÐAØ×+Ò+¨G¬NÑ;Ô;Ð;Ý	Š	Ð.°Ô0GÑHÔHÐHÐHÐHr   c                 ód   — dt           dœddid| j        dœddidœ}| j        rd| j        dœ|d<   |S )zCreate a claims_options for verify JWT payload claims. Developers
        MAY overwrite this method to create a more strict options.
        T)Ú	essentialÚvalidater)   )r)   Úvalue)ÚissÚsubÚaudÚexpÚjti)Ú_validate_issr   r   r   )r   Úoptionss     r   Úcreate_claims_optionsz.JWTBearerClientAssertion.create_claims_options'   s_   € ð "&µ=ÐAÐAØ Ð&Ø!%°´Ð?Ð?Ø Ð&ð	
ð 
ˆð Ôð 	PØ+/¸TÔ=NÐOÐOˆGE‰NØˆr   c                 ó  — 	 t          j        |||                      ¦   «         ¬¦  «        }|                     | j        ¬¦  «         nC# t
          $ r6}t                               d|¦  «         t          |j	        ¬¦  «        |‚d}~ww xY w|S )aa  Extract JWT payload claims from request "assertion", per
        `Section 3.1`_.

        :param assertion: assertion string value in the request
        :param resolve_key: function to resolve the sign key
        :return: JWTClaims
        :raise: InvalidClientError

        .. _`Section 3.1`: https://tools.ietf.org/html/rfc7523#section-3.1
        )Úclaims_options)r   zAssertion Error: %r©ÚdescriptionN)
r   Údecoder3   r*   r   r   r   r   r   r7   )r   r%   r&   ÚclaimsÚes        r   r   z1JWTBearerClientAssertion.process_assertion_claims7   s    € ð	GÝ”ZØ˜;°t×7QÒ7QÑ7SÔ7Sðñ ô ˆFð OŠO 4¤;ˆOÑ/Ô/Ð/Ð/øÝð 	Gð 	Gð 	GÝIŠIÐ+¨QÑ/Ô/Ð/Ý$°´Ð?Ñ?Ô?ÀQÐFøøøøð	Gøøøð ˆs   ‚AA Á
BÁ1BÂBc                 ól   — |                      | j        d¦  «        r|S t          d| j        › ¬¦  «        ‚)NÚtokenz,The client cannot authenticate with method: r6   )Úcheck_endpoint_auth_methodr    r   )r   r   s     r   r   z,JWTBearerClientAssertion.authenticate_clientL   sG   € Ø×,Ò,¨TÔ-DÀgÑNÔNð 	ØˆMÝ Ø`ÀtÔG^Ð`Ð`ð
ñ 
ô 
ð 	
r   c                 ó   ‡ ‡‡— ˆˆˆ fd„}|S )Nc                 óˆ   •— |d         } ‰|¦  «        }|st          d¬¦  «        ‚|‰_        ‰                     || ¦  «        S )Nr-   z)The client does not exist on this server.r6   )r   r   Úresolve_client_public_key)ÚheadersÚpayloadÚ	client_idr   r!   r"   r   s       €€€r   r&   zEJWTBearerClientAssertion.create_resolve_key_func.<locals>.resolve_keyT   s^   ø€ ð   œˆIØ!\ )Ñ,Ô,ˆFØð Ý(Ø Kðñ ô ð ð $ˆGŒNØ×1Ò1°&¸'ÑBÔBÐBr   © )r   r!   r"   r&   s   ``` r   r   z0JWTBearerClientAssertion.create_resolve_key_funcS   s7   øøø€ ð	Cð 	Cð 	Cð 	Cð 	Cð 	Cð 	Cð Ðr   c                 ó   — t          ¦   «         ‚)af  Validate if the given ``jti`` value is used before. Developers
        MUST implement this method::

            def validate_jti(self, claims, jti):
                key = "jti:{}-{}".format(claims["sub"], jti)
                if redis.get(key):
                    return False
                redis.set(key, 1, ex=3600)
                return True
        ©ÚNotImplementedError)r   r9   r0   s      r   r   z%JWTBearerClientAssertion.validate_jtic   s   € õ "Ñ#Ô#Ð#r   c                 ó   — t          ¦   «         ‚)aN  Resolve the client public key for verifying the JWT signature.
        A client may have many public keys, in this case, we can retrieve it
        via ``kid`` value in headers. Developers MUST implement this method::

            def resolve_client_public_key(self, client, headers):
                return client.public_key
        rF   )r   r   rA   s      r   r@   z2JWTBearerClientAssertion.resolve_client_public_keyp   s   € õ "Ñ#Ô#Ð#r   N)Tr
   )Ú__name__Ú
__module__Ú__qualname__Ú__doc__r   ÚCLIENT_ASSERTION_TYPEr    r   r'   r3   r   r   r   r   r@   rD   r   r   r   r      s¬   € € € € € ðð ð
 +Ðà/Ððð ð ð ðIð Ið Iðð ð ð ð ð ð*
ð 
ð 
ðð ð ð $ð $ð $ð$ð $ð $ð $ð $r   r   c                 ó   — | d         |k    S )Nr-   rD   )r9   r,   s     r   r1   r1   {   s   € Ø%Œ=˜CÒÐr   )ÚloggingÚauthlib.joser   Úauthlib.jose.errorsr   Úrfc6749r   r   Ú	getLoggerrI   r   r   r1   rD   r   r   ú<module>rT      s¥   ðØ €€€à Ð Ð Ð Ð Ð Ø )Ð )Ð )Ð )Ð )Ð )à (Ð (Ð (Ð (Ð (Ð (àI€Ø€gÔ˜Ñ!Ô!€ðl$ð l$ð l$ð l$ð l$ñ l$ô l$ð l$ð^ ð  ð  ð  ð  r   