cubicweb: doc/book/en/devrepo/repo/sessions.rst@2659f8529a43 (annotated)

1714 a721966779be new book layout, do not compile yet sylvain.thenault@logilab.fr parents: diff changeset	1	.. -- coding: utf-8 --
a721966779be new book layout, do not compile yet sylvain.thenault@logilab.fr parents: diff changeset	2
a721966779be new book layout, do not compile yet sylvain.thenault@logilab.fr parents: diff changeset	3	Sessions
a721966779be new book layout, do not compile yet sylvain.thenault@logilab.fr parents: diff changeset	4	========
a721966779be new book layout, do not compile yet sylvain.thenault@logilab.fr parents: diff changeset	5
9580 abaae1496ba4 [book] Update documentation for new repoapi Julien Cristau <julien.cristau@logilab.fr> parents: 9175 diff changeset	6	Sessions are objects linked to an authenticated user. The `Session.new_cnx`
abaae1496ba4 [book] Update documentation for new repoapi Julien Cristau <julien.cristau@logilab.fr> parents: 9175 diff changeset	7	method returns a new Connection linked to that session.
abaae1496ba4 [book] Update documentation for new repoapi Julien Cristau <julien.cristau@logilab.fr> parents: 9175 diff changeset	8
abaae1496ba4 [book] Update documentation for new repoapi Julien Cristau <julien.cristau@logilab.fr> parents: 9175 diff changeset	9	Connections
abaae1496ba4 [book] Update documentation for new repoapi Julien Cristau <julien.cristau@logilab.fr> parents: 9175 diff changeset	10	===========
6311 afd6a9e45489 [doc/book] tell a more complete story on sessions and the authentication process Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6298 diff changeset	11
9580 abaae1496ba4 [book] Update documentation for new repoapi Julien Cristau <julien.cristau@logilab.fr> parents: 9175 diff changeset	12	Connections provide the `.execute` method to query the data sources.
6311 afd6a9e45489 [doc/book] tell a more complete story on sessions and the authentication process Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6298 diff changeset	13
9580 abaae1496ba4 [book] Update documentation for new repoapi Julien Cristau <julien.cristau@logilab.fr> parents: 9175 diff changeset	14	Kinds of connections
abaae1496ba4 [book] Update documentation for new repoapi Julien Cristau <julien.cristau@logilab.fr> parents: 9175 diff changeset	15	--------------------
2112 df86450ca65d [doc] a note on sessions Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 1714 diff changeset	16
9580 abaae1496ba4 [book] Update documentation for new repoapi Julien Cristau <julien.cristau@logilab.fr> parents: 9175 diff changeset	17	There are two kinds of connections.
abaae1496ba4 [book] Update documentation for new repoapi Julien Cristau <julien.cristau@logilab.fr> parents: 9175 diff changeset	18
abaae1496ba4 [book] Update documentation for new repoapi Julien Cristau <julien.cristau@logilab.fr> parents: 9175 diff changeset	19	* `normal connections` are the most common: they are related to users and
2112 df86450ca65d [doc] a note on sessions Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 1714 diff changeset	20	carry security checks coming with user credentials
df86450ca65d [doc] a note on sessions Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 1714 diff changeset	21
9580 abaae1496ba4 [book] Update documentation for new repoapi Julien Cristau <julien.cristau@logilab.fr> parents: 9175 diff changeset	22	* `internal connections` have all the powers; they are also used in only a
2112 df86450ca65d [doc] a note on sessions Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 1714 diff changeset	23	few situations where you don't already have an adequate session at
df86450ca65d [doc] a note on sessions Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 1714 diff changeset	24	hand, like: user authentication, data synchronisation in
df86450ca65d [doc] a note on sessions Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 1714 diff changeset	25	multi-source contexts
df86450ca65d [doc] a note on sessions Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 1714 diff changeset	26
9580 abaae1496ba4 [book] Update documentation for new repoapi Julien Cristau <julien.cristau@logilab.fr> parents: 9175 diff changeset	27	Normal connections are typically named `_cw` in most appobjects or
6311 afd6a9e45489 [doc/book] tell a more complete story on sessions and the authentication process Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6298 diff changeset	28	sometimes just `session`.
afd6a9e45489 [doc/book] tell a more complete story on sessions and the authentication process Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6298 diff changeset	29
9580 abaae1496ba4 [book] Update documentation for new repoapi Julien Cristau <julien.cristau@logilab.fr> parents: 9175 diff changeset	30	Internal connections are available from the `Repository` object and are
6311 afd6a9e45489 [doc/book] tell a more complete story on sessions and the authentication process Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6298 diff changeset	31	to be used like this:
afd6a9e45489 [doc/book] tell a more complete story on sessions and the authentication process Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6298 diff changeset	32
afd6a9e45489 [doc/book] tell a more complete story on sessions and the authentication process Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6298 diff changeset	33	.. sourcecode:: python
6313 b3fd91524132 [doc/book] begin an howto write auth plugins chapter Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6311 diff changeset	34
9580 abaae1496ba4 [book] Update documentation for new repoapi Julien Cristau <julien.cristau@logilab.fr> parents: 9175 diff changeset	35	with self.repo.internal_cnx() as cnx:
abaae1496ba4 [book] Update documentation for new repoapi Julien Cristau <julien.cristau@logilab.fr> parents: 9175 diff changeset	36	do_stuff_with(cnx)
abaae1496ba4 [book] Update documentation for new repoapi Julien Cristau <julien.cristau@logilab.fr> parents: 9175 diff changeset	37	cnx.commit()
6311 afd6a9e45489 [doc/book] tell a more complete story on sessions and the authentication process Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6298 diff changeset	38
9580 abaae1496ba4 [book] Update documentation for new repoapi Julien Cristau <julien.cristau@logilab.fr> parents: 9175 diff changeset	39	Connections should always be used as context managers, to avoid leaks.
6311 afd6a9e45489 [doc/book] tell a more complete story on sessions and the authentication process Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6298 diff changeset	40
afd6a9e45489 [doc/book] tell a more complete story on sessions and the authentication process Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6298 diff changeset	41	Authentication and management of sessions
afd6a9e45489 [doc/book] tell a more complete story on sessions and the authentication process Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6298 diff changeset	42	-----------------------------------------
afd6a9e45489 [doc/book] tell a more complete story on sessions and the authentication process Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6298 diff changeset	43
afd6a9e45489 [doc/book] tell a more complete story on sessions and the authentication process Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6298 diff changeset	44	The authentication process is a ballet involving a few dancers:
afd6a9e45489 [doc/book] tell a more complete story on sessions and the authentication process Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6298 diff changeset	45
9580 abaae1496ba4 [book] Update documentation for new repoapi Julien Cristau <julien.cristau@logilab.fr> parents: 9175 diff changeset	46	* through its `get_session` method the top-level application object (the
6313 b3fd91524132 [doc/book] begin an howto write auth plugins chapter Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6311 diff changeset	47	`CubicWebPublisher`) will open a session whenever a web request
6311 afd6a9e45489 [doc/book] tell a more complete story on sessions and the authentication process Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6298 diff changeset	48	comes in; it asks the `session manager` to open a session (giving
afd6a9e45489 [doc/book] tell a more complete story on sessions and the authentication process Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6298 diff changeset	49	the web request object as context) using `open_session`
2112 df86450ca65d [doc] a note on sessions Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 1714 diff changeset	50
6311 afd6a9e45489 [doc/book] tell a more complete story on sessions and the authentication process Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6298 diff changeset	51	* the session manager asks its authentication manager (which is a
afd6a9e45489 [doc/book] tell a more complete story on sessions and the authentication process Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6298 diff changeset	52	`component`) to authenticate the request (using `authenticate`)
afd6a9e45489 [doc/book] tell a more complete story on sessions and the authentication process Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6298 diff changeset	53
afd6a9e45489 [doc/book] tell a more complete story on sessions and the authentication process Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6298 diff changeset	54	* the authentication manager asks, in order, to its authentication
afd6a9e45489 [doc/book] tell a more complete story on sessions and the authentication process Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6298 diff changeset	55	information retrievers, a login and an opaque object containing
afd6a9e45489 [doc/book] tell a more complete story on sessions and the authentication process Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6298 diff changeset	56	other credentials elements (calling `authentication_information`),
afd6a9e45489 [doc/book] tell a more complete story on sessions and the authentication process Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6298 diff changeset	57	giving the request object each time
afd6a9e45489 [doc/book] tell a more complete story on sessions and the authentication process Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6298 diff changeset	58
9175 a7412e884d7b fix typos in docstring, doc and comments Julien Cristau <julien.cristau@logilab.fr> parents: 8760 diff changeset	59	* the default retriever (named `LoginPasswordRetriever`)
7751 50f89f05ae0a [doc/book] fix ref to trustedauth cube Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6320 diff changeset	60	will in turn defer login and password fetching to the request
50f89f05ae0a [doc/book] fix ref to trustedauth cube Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6320 diff changeset	61	object (which, depending on the authentication mode (`cookie`
50f89f05ae0a [doc/book] fix ref to trustedauth cube Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6320 diff changeset	62	or `http`), will do the appropriate things and return a login
50f89f05ae0a [doc/book] fix ref to trustedauth cube Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6320 diff changeset	63	and a password)
1714 a721966779be new book layout, do not compile yet sylvain.thenault@logilab.fr parents: diff changeset	64
6311 afd6a9e45489 [doc/book] tell a more complete story on sessions and the authentication process Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6298 diff changeset	65	* the authentication manager, on success, asks the `Repository`
afd6a9e45489 [doc/book] tell a more complete story on sessions and the authentication process Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6298 diff changeset	66	object to connect with the found credentials (using `connect`)
afd6a9e45489 [doc/book] tell a more complete story on sessions and the authentication process Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6298 diff changeset	67
afd6a9e45489 [doc/book] tell a more complete story on sessions and the authentication process Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6298 diff changeset	68	* the repository object asks authentication to all of its
afd6a9e45489 [doc/book] tell a more complete story on sessions and the authentication process Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6298 diff changeset	69	sources which support the `CWUser` entity with the given
afd6a9e45489 [doc/book] tell a more complete story on sessions and the authentication process Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6298 diff changeset	70	credentials; when successful it can build the cwuser entity,
afd6a9e45489 [doc/book] tell a more complete story on sessions and the authentication process Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6298 diff changeset	71	from which a regular `Session` object is made; it returns the
afd6a9e45489 [doc/book] tell a more complete story on sessions and the authentication process Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6298 diff changeset	72	session id
afd6a9e45489 [doc/book] tell a more complete story on sessions and the authentication process Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6298 diff changeset	73
7751 50f89f05ae0a [doc/book] fix ref to trustedauth cube Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6320 diff changeset	74	* the source in turn will delegate work to an authentifier
50f89f05ae0a [doc/book] fix ref to trustedauth cube Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6320 diff changeset	75	class that defines the ultimate `authenticate` method (for
50f89f05ae0a [doc/book] fix ref to trustedauth cube Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6320 diff changeset	76	instance the native source will query the database against
50f89f05ae0a [doc/book] fix ref to trustedauth cube Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6320 diff changeset	77	the provided credentials)
6313 b3fd91524132 [doc/book] begin an howto write auth plugins chapter Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6311 diff changeset	78
6311 afd6a9e45489 [doc/book] tell a more complete story on sessions and the authentication process Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6298 diff changeset	79	* the authentication manager, on success, will call back _all_
afd6a9e45489 [doc/book] tell a more complete story on sessions and the authentication process Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6298 diff changeset	80	retrievers with `authenticated` and return its authentication
afd6a9e45489 [doc/book] tell a more complete story on sessions and the authentication process Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6298 diff changeset	81	data (on failure, it will try the anonymous login or, if the
afd6a9e45489 [doc/book] tell a more complete story on sessions and the authentication process Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6298 diff changeset	82	configuration forbids it, raise an `AuthenticationError`)
afd6a9e45489 [doc/book] tell a more complete story on sessions and the authentication process Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6298 diff changeset	83
6313 b3fd91524132 [doc/book] begin an howto write auth plugins chapter Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6311 diff changeset	84	Writing authentication plugins
b3fd91524132 [doc/book] begin an howto write auth plugins chapter Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6311 diff changeset	85	------------------------------
b3fd91524132 [doc/book] begin an howto write auth plugins chapter Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6311 diff changeset	86
b3fd91524132 [doc/book] begin an howto write auth plugins chapter Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6311 diff changeset	87	Sometimes CubicWeb's out-of-the-box authentication schemes (cookie and
9580 abaae1496ba4 [book] Update documentation for new repoapi Julien Cristau <julien.cristau@logilab.fr> parents: 9175 diff changeset	88	http) are not sufficient. Nowadays there is a plethora of such schemes
6313 b3fd91524132 [doc/book] begin an howto write auth plugins chapter Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6311 diff changeset	89	and the framework cannot provide them all, but as the sequence above
6319 20a7399ed58d [doc/book] complete section on authentication plugins Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6313 diff changeset	90	shows, it is extensible.
6313 b3fd91524132 [doc/book] begin an howto write auth plugins chapter Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6311 diff changeset	91
b3fd91524132 [doc/book] begin an howto write auth plugins chapter Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6311 diff changeset	92	Two levels have to be considered when writing an authentication
6319 20a7399ed58d [doc/book] complete section on authentication plugins Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6313 diff changeset	93	plugin: the web client and the repository.
20a7399ed58d [doc/book] complete section on authentication plugins Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6313 diff changeset	94
20a7399ed58d [doc/book] complete section on authentication plugins Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6313 diff changeset	95	We invented a scenario where it makes sense to have a new plugin in
20a7399ed58d [doc/book] complete section on authentication plugins Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6313 diff changeset	96	each side: some middleware will do pre-authentication and under the
20a7399ed58d [doc/book] complete section on authentication plugins Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6313 diff changeset	97	right circumstances add a new HTTP `x-foo-user` header to the query
20a7399ed58d [doc/book] complete section on authentication plugins Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6313 diff changeset	98	before it reaches the CubicWeb instance. For a concrete example of
7751 50f89f05ae0a [doc/book] fix ref to trustedauth cube Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6320 diff changeset	99	this, see the `trustedauth`_ cube.
6319 20a7399ed58d [doc/book] complete section on authentication plugins Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6313 diff changeset	100
7751 50f89f05ae0a [doc/book] fix ref to trustedauth cube Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6320 diff changeset	101	.. _`trustedauth`: http://www.cubicweb.org/project/cubicweb-trustedauth
6319 20a7399ed58d [doc/book] complete section on authentication plugins Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6313 diff changeset	102
20a7399ed58d [doc/book] complete section on authentication plugins Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6313 diff changeset	103	Repository authentication plugins
20a7399ed58d [doc/book] complete section on authentication plugins Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6313 diff changeset	104	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
6313 b3fd91524132 [doc/book] begin an howto write auth plugins chapter Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6311 diff changeset	105
b3fd91524132 [doc/book] begin an howto write auth plugins chapter Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6311 diff changeset	106	On the repository side, it is possible to register a source
b3fd91524132 [doc/book] begin an howto write auth plugins chapter Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6311 diff changeset	107	authentifier using the following kind of code:
b3fd91524132 [doc/book] begin an howto write auth plugins chapter Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6311 diff changeset	108
b3fd91524132 [doc/book] begin an howto write auth plugins chapter Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6311 diff changeset	109	.. sourcecode:: python
b3fd91524132 [doc/book] begin an howto write auth plugins chapter Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6311 diff changeset	110
b3fd91524132 [doc/book] begin an howto write auth plugins chapter Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6311 diff changeset	111	from cubicweb.server.sources import native
b3fd91524132 [doc/book] begin an howto write auth plugins chapter Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6311 diff changeset	112
6319 20a7399ed58d [doc/book] complete section on authentication plugins Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6313 diff changeset	113	class FooAuthentifier(native.LoginPasswordAuthentifier):
6313 b3fd91524132 [doc/book] begin an howto write auth plugins chapter Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6311 diff changeset	114	""" a source authentifier plugin
6319 20a7399ed58d [doc/book] complete section on authentication plugins Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6313 diff changeset	115	if 'foo' in authentication information, no need to check
20a7399ed58d [doc/book] complete section on authentication plugins Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6313 diff changeset	116	password
6313 b3fd91524132 [doc/book] begin an howto write auth plugins chapter Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6311 diff changeset	117	"""
6319 20a7399ed58d [doc/book] complete section on authentication plugins Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6313 diff changeset	118	auth_rql = 'Any X WHERE X is CWUser, X login %(login)s'
6313 b3fd91524132 [doc/book] begin an howto write auth plugins chapter Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6311 diff changeset	119
b3fd91524132 [doc/book] begin an howto write auth plugins chapter Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6311 diff changeset	120	def authenticate(self, session, login, **kwargs):
b3fd91524132 [doc/book] begin an howto write auth plugins chapter Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6311 diff changeset	121	"""return CWUser eid for the given login
b3fd91524132 [doc/book] begin an howto write auth plugins chapter Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6311 diff changeset	122	if this account is defined in this source,
b3fd91524132 [doc/book] begin an howto write auth plugins chapter Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6311 diff changeset	123	else raise `AuthenticationError`
b3fd91524132 [doc/book] begin an howto write auth plugins chapter Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6311 diff changeset	124	"""
b3fd91524132 [doc/book] begin an howto write auth plugins chapter Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6311 diff changeset	125	session.debug('authentication by %s', self.__class__.__name__)
6319 20a7399ed58d [doc/book] complete section on authentication plugins Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6313 diff changeset	126	if 'foo' not in kwargs:
20a7399ed58d [doc/book] complete section on authentication plugins Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6313 diff changeset	127	return super(FooAuthentifier, self).authenticate(session, login, **kwargs)
6313 b3fd91524132 [doc/book] begin an howto write auth plugins chapter Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6311 diff changeset	128	try:
b3fd91524132 [doc/book] begin an howto write auth plugins chapter Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6311 diff changeset	129	rset = session.execute(self.auth_rql, {'login': login})
6319 20a7399ed58d [doc/book] complete section on authentication plugins Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6313 diff changeset	130	return rset[0][0]
6313 b3fd91524132 [doc/book] begin an howto write auth plugins chapter Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6311 diff changeset	131	except Exception, exc:
b3fd91524132 [doc/book] begin an howto write auth plugins chapter Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6311 diff changeset	132	session.debug('authentication failure (%s)', exc)
6319 20a7399ed58d [doc/book] complete section on authentication plugins Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6313 diff changeset	133	raise AuthenticationError('foo user is unknown to us')
20a7399ed58d [doc/book] complete section on authentication plugins Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6313 diff changeset	134
20a7399ed58d [doc/book] complete section on authentication plugins Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6313 diff changeset	135	Since repository authentifiers are not appobjects, we have to register
20a7399ed58d [doc/book] complete section on authentication plugins Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6313 diff changeset	136	them through a `server_startup` hook.
20a7399ed58d [doc/book] complete section on authentication plugins Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6313 diff changeset	137
20a7399ed58d [doc/book] complete section on authentication plugins Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6313 diff changeset	138	.. sourcecode:: python
6313 b3fd91524132 [doc/book] begin an howto write auth plugins chapter Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6311 diff changeset	139
b3fd91524132 [doc/book] begin an howto write auth plugins chapter Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6311 diff changeset	140	class ServerStartupHook(hook.Hook):
b3fd91524132 [doc/book] begin an howto write auth plugins chapter Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6311 diff changeset	141	""" register the foo authenticator """
b3fd91524132 [doc/book] begin an howto write auth plugins chapter Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6311 diff changeset	142	__regid__ = 'fooauthenticatorregisterer'
b3fd91524132 [doc/book] begin an howto write auth plugins chapter Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6311 diff changeset	143	events = ('server_startup',)
b3fd91524132 [doc/book] begin an howto write auth plugins chapter Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6311 diff changeset	144
b3fd91524132 [doc/book] begin an howto write auth plugins chapter Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6311 diff changeset	145	def __call__(self):
b3fd91524132 [doc/book] begin an howto write auth plugins chapter Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6311 diff changeset	146	self.debug('registering foo authentifier')
b3fd91524132 [doc/book] begin an howto write auth plugins chapter Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6311 diff changeset	147	self.repo.system_source.add_authentifier(FooAuthentifier())
b3fd91524132 [doc/book] begin an howto write auth plugins chapter Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6311 diff changeset	148
6319 20a7399ed58d [doc/book] complete section on authentication plugins Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6313 diff changeset	149	Web authentication plugins
20a7399ed58d [doc/book] complete section on authentication plugins Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6313 diff changeset	150	~~~~~~~~~~~~~~~~~~~~~~~~~~
6313 b3fd91524132 [doc/book] begin an howto write auth plugins chapter Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6311 diff changeset	151
6319 20a7399ed58d [doc/book] complete section on authentication plugins Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6313 diff changeset	152	.. sourcecode:: python
20a7399ed58d [doc/book] complete section on authentication plugins Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6313 diff changeset	153
9580 abaae1496ba4 [book] Update documentation for new repoapi Julien Cristau <julien.cristau@logilab.fr> parents: 9175 diff changeset	154	class XFooUserRetriever(authentication.LoginPasswordRetriever):
6319 20a7399ed58d [doc/book] complete section on authentication plugins Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6313 diff changeset	155	""" authenticate by the x-foo-user http header
20a7399ed58d [doc/book] complete section on authentication plugins Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6313 diff changeset	156	or just do normal login/password authentication
20a7399ed58d [doc/book] complete section on authentication plugins Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6313 diff changeset	157	"""
20a7399ed58d [doc/book] complete section on authentication plugins Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6313 diff changeset	158	__regid__ = 'x-foo-user'
20a7399ed58d [doc/book] complete section on authentication plugins Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6313 diff changeset	159	order = 0
20a7399ed58d [doc/book] complete section on authentication plugins Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6313 diff changeset	160
20a7399ed58d [doc/book] complete section on authentication plugins Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6313 diff changeset	161	def authentication_information(self, req):
20a7399ed58d [doc/book] complete section on authentication plugins Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6313 diff changeset	162	"""retrieve authentication information from the given request, raise
20a7399ed58d [doc/book] complete section on authentication plugins Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6313 diff changeset	163	NoAuthInfo if expected information is not found
20a7399ed58d [doc/book] complete section on authentication plugins Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6313 diff changeset	164	"""
20a7399ed58d [doc/book] complete section on authentication plugins Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6313 diff changeset	165	self.debug('web authenticator building auth info')
20a7399ed58d [doc/book] complete section on authentication plugins Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6313 diff changeset	166	try:
20a7399ed58d [doc/book] complete section on authentication plugins Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6313 diff changeset	167	login = req.get_header('x-foo-user')
20a7399ed58d [doc/book] complete section on authentication plugins Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6313 diff changeset	168	if login:
20a7399ed58d [doc/book] complete section on authentication plugins Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6313 diff changeset	169	return login, {'foo': True}
20a7399ed58d [doc/book] complete section on authentication plugins Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6313 diff changeset	170	else:
20a7399ed58d [doc/book] complete section on authentication plugins Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6313 diff changeset	171	return super(XFooUserRetriever, self).authentication_information(self, req)
20a7399ed58d [doc/book] complete section on authentication plugins Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6313 diff changeset	172	except Exception, exc:
20a7399ed58d [doc/book] complete section on authentication plugins Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6313 diff changeset	173	self.debug('web authenticator failed (%s)', exc)
20a7399ed58d [doc/book] complete section on authentication plugins Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6313 diff changeset	174	raise authentication.NoAuthInfo()
20a7399ed58d [doc/book] complete section on authentication plugins Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6313 diff changeset	175
20a7399ed58d [doc/book] complete section on authentication plugins Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6313 diff changeset	176	def authenticated(self, retriever, req, cnx, login, authinfo):
20a7399ed58d [doc/book] complete section on authentication plugins Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6313 diff changeset	177	"""callback when return authentication information have opened a
20a7399ed58d [doc/book] complete section on authentication plugins Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6313 diff changeset	178	repository connection successfully. Take care req has no session
20a7399ed58d [doc/book] complete section on authentication plugins Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6313 diff changeset	179	attached yet, hence req.execute isn't available.
20a7399ed58d [doc/book] complete section on authentication plugins Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6313 diff changeset	180
20a7399ed58d [doc/book] complete section on authentication plugins Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6313 diff changeset	181	Here we set a flag on the request to indicate that the user is
20a7399ed58d [doc/book] complete section on authentication plugins Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6313 diff changeset	182	foo-authenticated. Can be used by a selector
20a7399ed58d [doc/book] complete section on authentication plugins Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6313 diff changeset	183	"""
20a7399ed58d [doc/book] complete section on authentication plugins Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6313 diff changeset	184	self.debug('web authenticator running post authentication callback')
20a7399ed58d [doc/book] complete section on authentication plugins Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6313 diff changeset	185	cnx.foo_user = authinfo.get('foo')
20a7399ed58d [doc/book] complete section on authentication plugins Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6313 diff changeset	186
20a7399ed58d [doc/book] complete section on authentication plugins Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6313 diff changeset	187	In the `authenticated` method we add (in an admitedly slightly hackish
20a7399ed58d [doc/book] complete section on authentication plugins Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6313 diff changeset	188	way) an attribute to the connection object. This, in turn, can be used
20a7399ed58d [doc/book] complete section on authentication plugins Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6313 diff changeset	189	to build a selector dispatching on the fact that the user was
20a7399ed58d [doc/book] complete section on authentication plugins Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6313 diff changeset	190	preauthenticated or not.
20a7399ed58d [doc/book] complete section on authentication plugins Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6313 diff changeset	191
20a7399ed58d [doc/book] complete section on authentication plugins Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6313 diff changeset	192	.. sourcecode:: python
20a7399ed58d [doc/book] complete section on authentication plugins Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6313 diff changeset	193
20a7399ed58d [doc/book] complete section on authentication plugins Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6313 diff changeset	194	@objectify_selector
20a7399ed58d [doc/book] complete section on authentication plugins Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6313 diff changeset	195	def foo_authenticated(cls, req, rset=None, **kwargs):
20a7399ed58d [doc/book] complete section on authentication plugins Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6313 diff changeset	196	if hasattr(req.cnx, 'foo_user') and req.foo_user:
20a7399ed58d [doc/book] complete section on authentication plugins Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6313 diff changeset	197	return 1
20a7399ed58d [doc/book] complete section on authentication plugins Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 6313 diff changeset	198	return 0
8760 17994bf95d6a [doc] update Session documentation Pierre-Yves David <pierre-yves.david@logilab.fr> parents: 7751 diff changeset	199
9580 abaae1496ba4 [book] Update documentation for new repoapi Julien Cristau <julien.cristau@logilab.fr> parents: 9175 diff changeset	200	Full Session and Connection API
abaae1496ba4 [book] Update documentation for new repoapi Julien Cristau <julien.cristau@logilab.fr> parents: 9175 diff changeset	201	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
8760 17994bf95d6a [doc] update Session documentation Pierre-Yves David <pierre-yves.david@logilab.fr> parents: 7751 diff changeset	202
17994bf95d6a [doc] update Session documentation Pierre-Yves David <pierre-yves.david@logilab.fr> parents: 7751 diff changeset	203	.. autoclass:: cubicweb.server.session.Session
9580 abaae1496ba4 [book] Update documentation for new repoapi Julien Cristau <julien.cristau@logilab.fr> parents: 9175 diff changeset	204	.. autoclass:: cubicweb.server.session.Connection

author	Christophe de Vienne <christophe@unlish.com>
	Wed, 28 Jan 2015 14:03:00 +0100
changeset 10175	2659f8529a43
parent 9580	abaae1496ba4
child 10333	569324f890d7
permissions	-rw-r--r--