nebius.base.token

module documentation

(source)

Token Sanitizer Module.

This module provides functionality for sanitizing sensitive tokens such as access tokens and credentials by masking their signatures or sensitive parts without masking the non-sensitive but useful parts. It supports various token formats including Nebius IAM tokens and JWT tokens.

The module defines token versions with their prefixes, delimiters, and signature positions, allowing for flexible sanitization based on token type.

Class	`DefaultTokenVersionExtractor`	Default implementation of TokenVersionExtractor using predefined versions.
Class	`TokenSanitizer`	Main class for sanitizing tokens based on extracted version information.
Class	`TokenVersion`	Represents a token version with its structural properties.
Class	`TokenVersionExtractor`	Abstract base class for extracting token version from a token string.
Function	`sanitize_no_signature`	Sanitize tokens without signatures by limiting visible payload length.
Function	`sanitize_unrecognized`	Sanitize unrecognized tokens by masking after a certain length.
Constant	`ACCESS_TOKEN_VERSIONS`	Predefined token formats for access tokens.
Constant	`CREDENTIALS_VERSIONS`	Predefined token formats for all types of credentials.
Constant	`MASK_STRING`	The mask printed instead of sensitive parts of tokens.
Constant	`MAX_VISIBLE_PAYLOAD_LENGTH`	Maximum length of visible payload before masking.
Constant	`NO_SIGNATURE`	Constant indicating no signature position in the token.

def sanitize_no_signature(token: str, prefix: str) -> str: (source) ¶

Sanitize tokens without signatures by limiting visible payload length.

For tokens without a signature, this function shows the full token if it's short enough, otherwise masks the excess with MASK_STRING.

Parameters
token:`str`	The full token string.
prefix:`str`	The prefix of the token version.
Returns
`str`	The sanitized token.

def sanitize_unrecognized(token: str) -> str: (source) ¶

Sanitize unrecognized tokens by masking after a certain length.

For tokens that don't match any known format, this function shows a portion of the token and masks the rest.

Parameters
token:`str`	The token string to sanitize.
Returns
`str`	The sanitized token.

ACCESS_TOKEN_VERSIONS: dict[str, TokenVersion] = (source) ¶

Predefined token formats for access tokens.

This dictionary maps version names to TokenVersion objects for supported access token formats.

Value

{'V0': TokenVersion(prefix='v0.',
                    delimiter='.',
                    signature_position=NO_SIGNATURE,
                    token_parts_count=1),
 'NE1': TokenVersion(prefix='ne1',
                     delimiter='.',
                     signature_position=1,
...

CREDENTIALS_VERSIONS: dict[str, TokenVersion] = (source) ¶

Predefined token formats for all types of credentials.

This dictionary includes all access token versions plus additional credential formats like DE1 and JWT.

Value

{**ACCESS_TOKEN_VERSIONS,
 'DE1': TokenVersion(prefix='nd1',
                     delimiter='.',
                     signature_position=1,
                     token_parts_count=2),
 'JWT': TokenVersion(prefix='eyJ',
                     delimiter='.',
...

MASK_STRING: str = (source) ¶

The mask printed instead of sensitive parts of tokens.

Value

'**'

MAX_VISIBLE_PAYLOAD_LENGTH: int = (source) ¶

Maximum length of visible payload before masking.

Value

NO_SIGNATURE: int = (source) ¶

Constant indicating no signature position in the token.

Value

-1

nebius.base.token_sanitizer

`nebius.base.token_sanitizer`