matlab-proxy 0.5.3__py3-none-any.whl → 0.30.1__py3-none-any.whl

matlab_proxy/util/mwi/logger.py

@@ -1,12 +1,19 @@
-# Copyright (c) 2020-2022 The MathWorks, Inc.
-"""Functions to access & control the logging behavior of the app
-"""
+# Copyright 2020-2025 The MathWorks, Inc.
+"""Functions to access & control the logging behavior of the app"""
 
 import logging
 import os
+import sys
+import time
+from pathlib import Path
+
+from rich.console import Console
+from rich.table import Table
 
 from . import environment_variables as mwi_env
 
+logging.getLogger("aiohttp_session").setLevel(logging.ERROR)
+
 
 def get(init=False):
     """Get the logger used by this application.
@@ -44,28 +51,65 @@ def __set_logging_configuration():
     Returns:
         Logger: Logger object with the set configuration.
     """
-    # query for user specified environment variables
-    log_level, log_file = __query_environment()
+    # Create the Logger for MATLABProxy
+    logger = __get_mw_logger()
+
+    # log_level is either set by environment or is the default value.
+    log_level = os.getenv(
+        mwi_env.get_env_name_logging_level(), __get_default_log_level()
+    ).upper()
+
+    if __is_invalid_log_level(log_level):
+        default_log_level = __get_default_log_level()
+        logging.warning(
+            f"Unknown log level '{log_level}' set. Defaulting to log level '{default_log_level}'..."
+        )
+        log_level = default_log_level
 
     ## Set logging object
-    logger = __get_mw_logger()
-    if log_file is not None:
-        logger.info(f"Initializing logger with log_file:{log_file}")
-        file_handler = logging.FileHandler(filename=log_file)
-        formatter = logging.Formatter(
-            fmt="%(asctime)s - %(name)s - %(levelname)s - %(message)s"
+    if mwi_env.Experimental.use_rich_logger():
+        from rich.logging import RichHandler
+
+        rich_handler = RichHandler(
+            keywords=[__get_mw_logger_name()],
         )
-        file_handler.setFormatter(formatter)
-        file_handler.setLevel(log_level)
-        logger.addHandler(file_handler)
+        rich_handler.setFormatter(logging.Formatter("%(name)s %(message)s"))
+        logger.addHandler(rich_handler)
+    else:
+        colored_formatter = _ColoredFormatter(
+            "%(color)s[%(levelname)1.1s %(asctime)s %(name)s]%(end_color)s %(message)s"
+        )
+        stream_handler = logging.StreamHandler()
+        stream_handler.setFormatter(colored_formatter)
+        logger.addHandler(stream_handler)
 
-    # log_level is either set by environment or is the default value.
-    logger.info(f"Initializing logger with log_level: {log_level}")
     logger.setLevel(log_level)
 
-    # Allow other libraries used by this integration to
-    # also print their logs at the specified level
-    logging.basicConfig(level=log_level)
+    log_file = os.getenv(mwi_env.get_env_name_log_file(), None)
+    if log_file:
+        try:
+            log_file = Path(log_file)
+            # Need to create the file if it doesn't exist or else logging.FileHandler
+            # would open it in 'write' mode instead of 'append' mode.
+            log_file.touch(exist_ok=True)
+            logger.info(f"Initializing logger with log file:{log_file}")
+            file_handler = logging.FileHandler(filename=log_file, mode="a")
+            formatter = logging.Formatter(
+                fmt="[%(levelname)s %(asctime)s %(name)s] %(message)s"
+            )
+            file_handler.setFormatter(formatter)
+            file_handler.setLevel(log_level)
+            logger.addHandler(file_handler)
+
+        except PermissionError:
+            print(
+                f"PermissionError: Permission denied to create log file at: {log_file}"
+            )
+            sys.exit(1)
+
+        except Exception as err:
+            print(f"Failed to use log file: {log_file} with error: {err}")
+            sys.exit(1)
 
     return logger
 
@@ -91,14 +135,84 @@ def __get_default_log_level():
     return "INFO"
 
 
-def __query_environment():
-    """Private function to query environment variables
-        to control logging
+def __is_invalid_log_level(log_level):
+    """Helper to check if the log level is valid.
 
     Returns:
-        tuple: Log level & Log file as found in the environment
+        Boolean: Whether log level  exists
     """
-    env_var_log_level, env_var_log_file = get_environment_variable_names()
-    log_level = os.environ.get(env_var_log_level, __get_default_log_level())
-    log_file = os.environ.get(env_var_log_file)
-    return log_level, log_file
+
+    return not hasattr(logging, log_level)
+
+
+def log_startup_info(title=None, matlab_urls=[]):
+    """Logs the startup information to the console and log file if specified."""
+    logger = __get_mw_logger()
+    print_as_table = False
+    header_info = "Access MATLAB at:"
+
+    if sys.stdout.isatty():
+        # Width cannot be determined in non-interactive sessions
+        console = Console()
+        # Number of additional characters used by the table
+        padding = 4
+        print_as_table = all(len(url) + padding <= console.width for url in matlab_urls)
+
+    if print_as_table:
+        table = Table(
+            caption=title,
+            show_header=False,
+            show_lines=True,
+            show_edge=True,
+            highlight=True,
+            expand=True,
+        )
+        table.add_column(overflow="fold", style="bold green", justify="center")
+        table.add_row(header_info)
+        for url in matlab_urls:
+            table.add_row(url)
+        console.print(table)
+
+    if os.getenv(mwi_env.get_env_name_log_file(), None) or not print_as_table:
+        urls = "\n\t".join(matlab_urls)
+        logger.critical(f"{header_info}\n\t{urls}")
+
+
+class _ColoredFormatter(logging.Formatter):
+    """Custom formatter to add colors based on log level and modify time format."""
+
+    def format(self, record):
+        # Example: Add 'color' and 'end_color' attributes based on log level
+        if record.levelno == logging.INFO:
+            record.color = "\033[32m"  # Green
+            record.end_color = "\033[0m"
+        elif record.levelno == logging.DEBUG:
+            record.color = "\033[94m"  # Blue
+            record.end_color = "\033[0m"
+        elif record.levelno == logging.WARNING:
+            record.color = "\033[93m"  # Yellow
+            record.end_color = "\033[0m"
+        elif record.levelno == logging.ERROR:
+            record.color = "\033[91m"  # Red
+            record.end_color = "\033[0m"
+        elif record.levelno == logging.CRITICAL:
+            record.color = "\033[35m"  # Magenta
+            record.end_color = "\033[0m"
+        else:
+            record.color = ""
+            record.end_color = ""
+
+        # Call the original format method
+        return super().format(record)
+
+    def formatTime(self, record, datefmt=None):
+        # Default behavior of formatTime
+        ct = self.converter(record.created)
+        if datefmt:
+            s = time.strftime(datefmt, ct)
+        else:
+            t = time.strftime("%Y-%m-%d %H:%M:%S", ct)
+            s = "%s,%03d" % (t, record.msecs)
+
+        # Replace the comma with a period
+        return s.replace(",", ".")

matlab_proxy/util/mwi/session_name.py

@@ -0,0 +1,28 @@
+# Copyright 2025 The MathWorks, Inc.
+"""This file provides functions to set a session name for the MATLAB Proxy instance."""
+
+import os
+from matlab_proxy.util.mwi import environment_variables as mwi_env
+from matlab_proxy.util.mwi import logger as mwi_logger
+
+logger = mwi_logger.get()
+
+
+def _get_session_name():
+    """Get the session name for the MATLAB Proxy instance.
+
+    Returns:
+        str: returns the user-defined session name if set, otherwise returns None.
+    """
+    return os.getenv(mwi_env.get_env_name_session_name(), None)
+
+
+def get_browser_title(matlab_version) -> str:
+    """Get the browser title for the MATLAB Proxy instance."""
+
+    browser_title = "MATLAB " + (matlab_version or "")
+    session_name = _get_session_name()
+    if session_name:
+        browser_title = session_name + " - " + browser_title
+        logger.info("Session Name set to : %s", session_name)
+    return browser_title

matlab_proxy/util/mwi/token_auth.py

@@ -1,65 +1,65 @@
-# Copyright (c) 2020-2022 The MathWorks, Inc.
+# Copyright 2020-2025 The MathWorks, Inc.
 
 # This file contains functions required to enable token based authentication in the server.
 
 import os
 import secrets
+from hashlib import sha256
+from hmac import compare_digest
+from urllib.parse import parse_qs
 
 from aiohttp import web
-from aiohttp_session import get_session, new_session, setup
-from aiohttp_session.cookie_storage import EncryptedCookieStorage
-from matlab_proxy.util.mwi import environment_variables as mwi_env
+from aiohttp_session import get_session, new_session
 
-from . import logger as mwi_logger
+from matlab_proxy.util.mwi import environment_variables as mwi_env
+from matlab_proxy.util.mwi import logger as mwi_logger
 
 logger = mwi_logger.get()
 
+## Module Public Methods:
 
-def decorator_authenticate_access(endpoint):
-    """Decorates any endpoint function with token authentication checks."""
-    logger.debug("inside decorator_authenticate_access")
 
-    async def authenticate_access(request):
-        """
-        If Authentication is enabled, this function expects the token to be present either in
-             the URL or in the session cookie.
-        If token is provided and matches the expected secret, then the request is considered authentic,
-            and the token is saved into the session cookie.
-        """
-        logger.debug(f" inside authenticate_access for request:{request}")
-        app_settings = request.app["settings"]
-        base_url = app_settings["base_url"]
+def generate_mwi_auth_token_and_hash():
+    """
+    Generate the MWI Token and a hash for that token to be used by the server,
+    based on the environment variables that control it.
 
-        if await authenticate_request(request):
-            logger.debug(
-                f" Request is authenticated, proceed to endpoint:{endpoint}{request}"
-            )
-            return await endpoint(request)
-        else:
-            # This branch intends to redirect users to the error page asking for TOKEN.
-            # However, we need to tell this page which page to redirect to on successful validation.
+    Token Auth is enabled by default, unless MWI_ENABLE_TOKEN_AUTH is explicitly set to False.
 
-            attempted_url = str(request.rel_url)
+    If MWI_ENABLE_TOKEN_AUTH is set, and MWI_AUTH_TOKEN is unset, then generate a token
+    else if MWI_AUTH_TOKEN is set, use that token for authentication.
 
-            # Strip URL paramters
-            attempted_url = attempted_url.split("?", 1)[0]
-            logger.debug(f"attempted_url: {attempted_url}")
-            return web.HTTPFound(
-                f"{base_url}/authorization.html?attempted_url={request.rel_url}"
-            )
+    Returns the Token and its hash to be used for authentication if enabled.
+    Returns None, if Token-Based Authentication is not enabled by user.
+    """
+    env_name_enable_mwi_token_auth = mwi_env.get_env_name_enable_mwi_auth_token()
+    env_name_mwi_auth_token = mwi_env.get_env_name_mwi_auth_token()
+    enable_token_auth = os.getenv(env_name_enable_mwi_token_auth, "").lower()
+    auth_token = os.getenv(env_name_mwi_auth_token, "")
 
-    return authenticate_access
+    if enable_token_auth == "false":
+        if auth_token:
+            logger.warning(
+                f"Ignoring {env_name_mwi_auth_token}, as {env_name_enable_mwi_token_auth} explicitly set to false"
+            )
+        return _format_token_as_dictionary(None)
 
+    if auth_token:
+        auth_token = auth_token.strip()
+        logger.debug(f"Using provided {env_name_mwi_auth_token}.")
+        return _format_token_as_dictionary(auth_token)
 
-def is_mwi_token_auth_enabled(app_settings):
-    """Returns True/False based on whether the mwi_auth_token_auth is enabled."""
-    return app_settings["mwi_is_mwi_token_auth_enabled"]
+    # default catch-all for when the env variables are not set or above conditions are not met.
+    # This path will be executed if MWI_ENABLE_TOKEN_AUTH is set to true/Any value (default workflow)
+    generated_token = secrets.token_urlsafe()
+    logger.debug("Using auto-generated token.")
+    return _format_token_as_dictionary(generated_token)
 
 
 def get_mwi_auth_token_access_str(app_settings):
     """Returns formatted string with mwi token for use with server URL"""
-    if is_mwi_token_auth_enabled(app_settings):
-        mwi_auth_token_name = app_settings["mwi_auth_token_name"]
+    if app_settings["mwi_is_token_auth_enabled"]:
+        mwi_auth_token_name = app_settings["mwi_auth_token_name_for_http"]
         mwi_auth_token = app_settings["mwi_auth_token"]
         return f"?{mwi_auth_token_name}={mwi_auth_token}"
 
@@ -68,93 +68,236 @@ def get_mwi_auth_token_access_str(app_settings):
 
 
 async def authenticate_request(request):
-    """Returns True/False based on whether the server is authenticated."""
+    """Authenticates incoming request by verifying whether the expected token is in the request.
 
-    logger.debug(f" inside authenticate_request for request:{request}")
-    # Get information from APP
-    app_settings = request.app["settings"]
-    # Verify that the request contains the authorization token
-    if is_mwi_token_auth_enabled(app_settings):
-        logger.debug(" Token Authentication is Enabled!!")
-        the_secret_token = app_settings["mwi_auth_token"]
-        token_name = app_settings["mwi_auth_token_name"]
-        base_url = app_settings["base_url"]
-
-        # get token if present in URL
-        parsed_url_token = request.rel_url.query.get(token_name, None)
-
-        if parsed_url_token is None:
-            logger.debug("No Token found in URL. Checking session cookie...")
-
-            # Check to see if there are cookies?
-            session = await get_session(request)
-            logger.debug(f"Got session cookie : {session}")
-
-            if token_name in session:
-                stored_session_token = session[token_name]
-                logger.debug(f"Found token with value: {stored_session_token}")
-                # Verify that token contains expected value
-                if stored_session_token == the_secret_token:
-                    logger.debug("Token validation success!")
-                    return True
-                else:
-                    logger.info("Invalid Token found in session!")
-                    logger.debug(f"Expected: {the_secret_token}    ")
-                    logger.debug(f"Actual  : {stored_session_token}")
-                    return False
-            else:
-                logger.info(f"{token_name} not found in session cookie.")
-                return False
+    The mwi_auth_token must be present either in:
+    a. session cookie
+    b. request's query parameters
+    c. or the request's headers.
+
+    Returns True/False based on whether the request is authenticated.
+    Returns True when authentication is disabled.
+    """
+
+    logger.debug(f"<======== Authenticate request: {request}")
+
+    if _is_mwi_token_auth_enabled(request):
+        logger.debug("Authentication is Enabled.")
+        is_authenticated = (
+            await _is_valid_token_in_session_cookie(request)
+            or await _is_valid_token_in_headers(request)
+            or await _is_valid_token_in_url_query(request)
+        )
+        if is_authenticated:
+            logger.debug("Authentication successful. ========>")
         else:
-            logger.debug(f"Token found in URL with value: {parsed_url_token}")
-            # Token is being provided, check it and stash it.
-            if parsed_url_token == the_secret_token:
-                logger.debug("Token validation success!")
-                # Stash token in session for other endpoints
-                # Always use `new_session` during login to guard against
-                # Session Fixation. See aiohttp-session#281
-                session = await new_session(request)
-                session[token_name] = the_secret_token
-                logger.debug(f"Created session : {session} and saved cookie")
-                return True
-            else:
-                logger.info("Invalid Token found in URL!")
-                logger.debug(f"Expected: {the_secret_token}    ")
-                logger.debug(f"Actual  : {parsed_url_token}")
-                return False
-    else:
-        # Token Authentication is not enabled
-        logger.debug(" Token Authentication is NOT Enabled!!")
-        return True
-
-
-def generate_mwi_auth_token():
+            logger.error("Token Authentication failed. ========>")
+
+        return is_authenticated
+
+    logger.debug("Token Authentication disabled.========>")
+    return True
+
+
+def authenticate_access_decorator(endpoint):
+    """This decorator verifies that the request to an endpoint exposed by matlab-proxy
+    contains the correct MWI_AUTH_TOKEN before servicing an endpoint."""
+
+    async def protect_endpoint(request):
+        """Passes request to the endpoint after validating the token
+
+        Args:
+            request (HTTPRequest) : Web Request to endpoint
+
+        Raises:
+            web.HTTPForbidden: Thrown when validation of token fails
+        """
+        if await authenticate_request(request):
+            # request is authentic, proceed to execute the endpoint
+            return await endpoint(request)
+        else:
+            raise web.HTTPForbidden(reason="Unauthorized access to matlab-proxy.")
+
+    return protect_endpoint
+
+
+## Module Private Methods:
+
+
+async def _get_token_name(request):
+    """Gets the name of the token from settings.
+
+    Args:
+        request (HTTPRequest) : Used to get to app settings
+
+    Returns:
+        str : token name
     """
-    Generate the MWI Token to be used by the server,
-    based on the environment variables that control it.
+    app_settings = request.app["settings"]
+    return app_settings["mwi_auth_token_name_for_env"]
 
-    Returns None, if Token-Based Authentication is not enabled by user.
+
+def _get_token_name_for_http(request):
+    """Gets the name of the token from settings.
+
+    Args:
+        request (HTTPRequest) : Used to get to app settings
+
+    Returns:
+        str : token name
+    """
+    app_settings = request.app["settings"]
+    return app_settings["mwi_auth_token_name_for_http"]
+
+
+async def _get_token(request):
+    """Gets the value of secret token from settings.
+
+    Args:
+        request (HTTPRequest) : Used to get to app settings
+
+    Returns:
+        str : token value
+    """
+    app_settings = request.app["settings"]
+    return app_settings[await _get_token_name(request)]
+
+
+async def _get_token_hash(request):
+    """Gets the hashed value of secret token from settings.
+
+    Args:
+        request (HTTPRequest) : Used to get to app settings
+
+    Returns:
+        str : token hash
+    """
+    app_settings = request.app["settings"]
+    return app_settings["mwi_auth_token_hash"]
+
+
+async def _store_token_hash_into_session(request):
+    """Stores the token hash into the session cookie."""
+    # Always use `new_session` during login to guard against
+    # Session Fixation. See aiohttp-session#281
+    session = await new_session(request)
+
+    # Stash token hash in session for other endpoints
+    session[await _get_token_name(request)] = await _get_token_hash(request)
+    logger.debug(f"Created session and saved cookie.")
+
+
+def _is_mwi_token_auth_enabled(request):
+    """Returns True/False based on whether the mwi_auth_token_auth is enabled in app settings
+
+    Args:
+        request (HTTPRequest) : Used to get access to app settings
+    """
+    app_settings = request.app["settings"]
+    return app_settings["mwi_is_token_auth_enabled"]
+
+
+async def _is_valid_token(token, request):
+    """Checks if token contains expected value.
+
+    Args:
+        token (str): Token string to validate
+        request (HTTPRequest) : Used to access app settings
+
+    Returns:
+        _type_: True is token is valid, false otherwise.
     """
-    is_mwi_auth_token_enabled = (
-        os.getenv(mwi_env.get_env_name_enable_mwi_auth_token(), "false").lower()
-        == "true"
+    # Check if the token provided in the request matches the hash or the original token
+    # equivalent to a == b, but protects against timing attacks
+    is_valid = compare_digest(token, await _get_token_hash(request)) or compare_digest(
+        token, await _get_token(request)
     )
-    mwi_auth_token = os.getenv(mwi_env.get_env_name_mwi_auth_token(), None)
+    logger.debug("Token validation " + ("successful." if is_valid else "failed."))
+    return is_valid
+
+
+async def _is_valid_token_in_session_cookie(request):
+    """Checks the session cookie for auth token
+
+    Args:
+        request (HTTPRequest) : Used to access app settings
+
+    Returns:
+        Boolean : True if valid token is found
+    """
+    logger.debug("Checking for token in session cookie...")
+    session = await get_session(request)
+    logger.debug(f"Got session cookie.")
+    token_name = await _get_token_name(request)
+    if token_name in session:
+        stored_session_token = session[token_name]
+        logger.debug(f"Found token in session cookie, validating...")
+        return await _is_valid_token(stored_session_token, request)
+
+    logger.debug("Token not found in session cookie.")
+    return False
+
+
+async def _is_valid_token_in_url_query(request):
+    """Checks the url_query parameter for auth token
+
+    Args:
+        request (HTTPRequest) : Used to access app settings
+
+    Returns:
+        Boolean : True if valid token is found
+    """
+    logger.debug("Checking for token in url query...")
+    query_string = request.query_string
+    logger.debug(f"url query parameters found:{query_string}")
+    if query_string:
+        token_name = _get_token_name_for_http(request)
+        parsed_token = parse_qs(request.query_string).get(token_name)
+        if parsed_token:
+            parsed_token = parsed_token[0]
+            logger.debug("parsed_token from url query string.")
+            return await _is_valid_token(parsed_token, request)
+
+    logger.debug("Token not found in url query.")
+    return False
+
+
+async def _is_valid_token_in_headers(request):
+    """Checks the request headers for auth token
+    Additionally, save token into session cookie when a token is found.
+    This is done to avoid the front end from having to send the token in every header.
+
+    Args:
+        request (HTTPRequest) : Used to access app settings
+
+    Returns:
+        Boolean : True if valid token is found
+    """
+    logger.debug("Checking for token in request headers...")
+    headers = request.headers
+    token_name = _get_token_name_for_http(request)
+    if token_name in headers:
+        logger.debug(f"Token found in headers: {token_name}")
+        is_valid_token = await _is_valid_token(headers[token_name], request)
+        if is_valid_token:
+            await _store_token_hash_into_session(request)
+        return is_valid_token
+
+    logger.debug("Token not found in request headers.")
+    return False
+
+
+def _generate_hash(message):
+    """Util function to generate a sha256 hash for a message
+
+    Args:
+        message (str): message to be hashed
+
+    Returns:
+        str: sha256 hash for a given message
+    """
+    return sha256(message.encode()).hexdigest() if message is not None else None
 
-    if is_mwi_auth_token_enabled:
-        if mwi_auth_token and mwi_auth_token.strip():
-            # Use the provided MWI token, after stripping leading and trailing whitespaces
-            mwi_auth_token = mwi_auth_token.strip()
-            logger.debug(f"Using provided mwi_auth_token: {mwi_auth_token.strip()}")
-        else:
-            # Generate a token
-            mwi_auth_token = secrets.token_urlsafe()
-    else:
-        # Token Authentication must be enabled to provide custom tokens.
-        if mwi_auth_token is not None:
-            logger.error(
-                "Ignoring MWI_AUTH_TOKEN. To enable, set MWI_ENABLE_TOKEN_AUTH to True !!!"
-            )
-            mwi_auth_token = None
 
-    return mwi_auth_token
+def _format_token_as_dictionary(token):
+    return {"token": token, "token_hash": _generate_hash(token)}