pyramid_cubicweb/auth.py
author Christophe de Vienne <cdevienne@gmail.com>
Fri, 07 Aug 2015 11:59:07 +0200
changeset 11593 73bf8377a3d5
parent 11592 197e10cb74f7
permissions -rw-r--r--
[auth] Authtkt http_only and secure by default The test suite is now full 'https'. Closes #4731765
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
11533
4ced3782b90f Move auth-related configuration to a dedicated module.
Christophe de Vienne <christophe@unlish.com>
parents:
diff changeset
     1
import datetime
4ced3782b90f Move auth-related configuration to a dedicated module.
Christophe de Vienne <christophe@unlish.com>
parents:
diff changeset
     2
import logging
4ced3782b90f Move auth-related configuration to a dedicated module.
Christophe de Vienne <christophe@unlish.com>
parents:
diff changeset
     3
import warnings
4ced3782b90f Move auth-related configuration to a dedicated module.
Christophe de Vienne <christophe@unlish.com>
parents:
diff changeset
     4
11561
25d93d14f8b6 [auth] Use pyramid_multiauth
Christophe de Vienne <christophe@unlish.com>
parents: 11537
diff changeset
     5
from zope.interface import implementer
25d93d14f8b6 [auth] Use pyramid_multiauth
Christophe de Vienne <christophe@unlish.com>
parents: 11537
diff changeset
     6
25d93d14f8b6 [auth] Use pyramid_multiauth
Christophe de Vienne <christophe@unlish.com>
parents: 11537
diff changeset
     7
from pyramid.settings import asbool
11533
4ced3782b90f Move auth-related configuration to a dedicated module.
Christophe de Vienne <christophe@unlish.com>
parents:
diff changeset
     8
from pyramid.authorization import ACLAuthorizationPolicy
4ced3782b90f Move auth-related configuration to a dedicated module.
Christophe de Vienne <christophe@unlish.com>
parents:
diff changeset
     9
from pyramid_cubicweb.core import get_principals
11561
25d93d14f8b6 [auth] Use pyramid_multiauth
Christophe de Vienne <christophe@unlish.com>
parents: 11537
diff changeset
    10
from pyramid_multiauth import MultiAuthenticationPolicy
11533
4ced3782b90f Move auth-related configuration to a dedicated module.
Christophe de Vienne <christophe@unlish.com>
parents:
diff changeset
    11
4ced3782b90f Move auth-related configuration to a dedicated module.
Christophe de Vienne <christophe@unlish.com>
parents:
diff changeset
    12
from pyramid.authentication import AuthTktAuthenticationPolicy
4ced3782b90f Move auth-related configuration to a dedicated module.
Christophe de Vienne <christophe@unlish.com>
parents:
diff changeset
    13
11561
25d93d14f8b6 [auth] Use pyramid_multiauth
Christophe de Vienne <christophe@unlish.com>
parents: 11537
diff changeset
    14
from pyramid.interfaces import IAuthenticationPolicy
25d93d14f8b6 [auth] Use pyramid_multiauth
Christophe de Vienne <christophe@unlish.com>
parents: 11537
diff changeset
    15
11533
4ced3782b90f Move auth-related configuration to a dedicated module.
Christophe de Vienne <christophe@unlish.com>
parents:
diff changeset
    16
log = logging.getLogger(__name__)
4ced3782b90f Move auth-related configuration to a dedicated module.
Christophe de Vienne <christophe@unlish.com>
parents:
diff changeset
    17
4ced3782b90f Move auth-related configuration to a dedicated module.
Christophe de Vienne <christophe@unlish.com>
parents:
diff changeset
    18
11561
25d93d14f8b6 [auth] Use pyramid_multiauth
Christophe de Vienne <christophe@unlish.com>
parents: 11537
diff changeset
    19
@implementer(IAuthenticationPolicy)
25d93d14f8b6 [auth] Use pyramid_multiauth
Christophe de Vienne <christophe@unlish.com>
parents: 11537
diff changeset
    20
class UpdateLoginTimeAuthenticationPolicy(object):
11533
4ced3782b90f Move auth-related configuration to a dedicated module.
Christophe de Vienne <christophe@unlish.com>
parents:
diff changeset
    21
    """An authentication policy that update the user last_login_time.
4ced3782b90f Move auth-related configuration to a dedicated module.
Christophe de Vienne <christophe@unlish.com>
parents:
diff changeset
    22
11561
25d93d14f8b6 [auth] Use pyramid_multiauth
Christophe de Vienne <christophe@unlish.com>
parents: 11537
diff changeset
    23
    The update is done in the 'remember' method, which is called by the login
25d93d14f8b6 [auth] Use pyramid_multiauth
Christophe de Vienne <christophe@unlish.com>
parents: 11537
diff changeset
    24
    views login,
11537
caf268942436 Initial documentation.
Christophe de Vienne <christophe@unlish.com>
parents: 11533
diff changeset
    25
caf268942436 Initial documentation.
Christophe de Vienne <christophe@unlish.com>
parents: 11533
diff changeset
    26
    Usually used via :func:`includeme`.
11533
4ced3782b90f Move auth-related configuration to a dedicated module.
Christophe de Vienne <christophe@unlish.com>
parents:
diff changeset
    27
    """
4ced3782b90f Move auth-related configuration to a dedicated module.
Christophe de Vienne <christophe@unlish.com>
parents:
diff changeset
    28
11561
25d93d14f8b6 [auth] Use pyramid_multiauth
Christophe de Vienne <christophe@unlish.com>
parents: 11537
diff changeset
    29
    def authenticated_userid(self, request):
25d93d14f8b6 [auth] Use pyramid_multiauth
Christophe de Vienne <christophe@unlish.com>
parents: 11537
diff changeset
    30
        pass
25d93d14f8b6 [auth] Use pyramid_multiauth
Christophe de Vienne <christophe@unlish.com>
parents: 11537
diff changeset
    31
25d93d14f8b6 [auth] Use pyramid_multiauth
Christophe de Vienne <christophe@unlish.com>
parents: 11537
diff changeset
    32
    def effective_principals(self, request):
25d93d14f8b6 [auth] Use pyramid_multiauth
Christophe de Vienne <christophe@unlish.com>
parents: 11537
diff changeset
    33
        return ()
25d93d14f8b6 [auth] Use pyramid_multiauth
Christophe de Vienne <christophe@unlish.com>
parents: 11537
diff changeset
    34
11533
4ced3782b90f Move auth-related configuration to a dedicated module.
Christophe de Vienne <christophe@unlish.com>
parents:
diff changeset
    35
    def remember(self, request, principal, **kw):
4ced3782b90f Move auth-related configuration to a dedicated module.
Christophe de Vienne <christophe@unlish.com>
parents:
diff changeset
    36
        try:
4ced3782b90f Move auth-related configuration to a dedicated module.
Christophe de Vienne <christophe@unlish.com>
parents:
diff changeset
    37
            repo = request.registry['cubicweb.repository']
4ced3782b90f Move auth-related configuration to a dedicated module.
Christophe de Vienne <christophe@unlish.com>
parents:
diff changeset
    38
            with repo.internal_cnx() as cnx:
4ced3782b90f Move auth-related configuration to a dedicated module.
Christophe de Vienne <christophe@unlish.com>
parents:
diff changeset
    39
                cnx.execute(
4ced3782b90f Move auth-related configuration to a dedicated module.
Christophe de Vienne <christophe@unlish.com>
parents:
diff changeset
    40
                    "SET U last_login_time %(now)s WHERE U eid %(user)s", {
4ced3782b90f Move auth-related configuration to a dedicated module.
Christophe de Vienne <christophe@unlish.com>
parents:
diff changeset
    41
                        'now': datetime.datetime.now(),
4ced3782b90f Move auth-related configuration to a dedicated module.
Christophe de Vienne <christophe@unlish.com>
parents:
diff changeset
    42
                        'user': principal})
4ced3782b90f Move auth-related configuration to a dedicated module.
Christophe de Vienne <christophe@unlish.com>
parents:
diff changeset
    43
                cnx.commit()
4ced3782b90f Move auth-related configuration to a dedicated module.
Christophe de Vienne <christophe@unlish.com>
parents:
diff changeset
    44
        except:
4ced3782b90f Move auth-related configuration to a dedicated module.
Christophe de Vienne <christophe@unlish.com>
parents:
diff changeset
    45
            log.exception("Failed to update last_login_time")
11561
25d93d14f8b6 [auth] Use pyramid_multiauth
Christophe de Vienne <christophe@unlish.com>
parents: 11537
diff changeset
    46
        return ()
25d93d14f8b6 [auth] Use pyramid_multiauth
Christophe de Vienne <christophe@unlish.com>
parents: 11537
diff changeset
    47
25d93d14f8b6 [auth] Use pyramid_multiauth
Christophe de Vienne <christophe@unlish.com>
parents: 11537
diff changeset
    48
    def forget(self, request):
25d93d14f8b6 [auth] Use pyramid_multiauth
Christophe de Vienne <christophe@unlish.com>
parents: 11537
diff changeset
    49
        return ()
11533
4ced3782b90f Move auth-related configuration to a dedicated module.
Christophe de Vienne <christophe@unlish.com>
parents:
diff changeset
    50
4ced3782b90f Move auth-related configuration to a dedicated module.
Christophe de Vienne <christophe@unlish.com>
parents:
diff changeset
    51
11562
a49f08423f02 [auth] Use a second authtkt policy for 'rememberme'
Christophe de Vienne <christophe@unlish.com>
parents: 11561
diff changeset
    52
class CWAuthTktAuthenticationPolicy(AuthTktAuthenticationPolicy):
a49f08423f02 [auth] Use a second authtkt policy for 'rememberme'
Christophe de Vienne <christophe@unlish.com>
parents: 11561
diff changeset
    53
    """
a49f08423f02 [auth] Use a second authtkt policy for 'rememberme'
Christophe de Vienne <christophe@unlish.com>
parents: 11561
diff changeset
    54
    An authentication policy that inhibate the call the 'remember' if a
a49f08423f02 [auth] Use a second authtkt policy for 'rememberme'
Christophe de Vienne <christophe@unlish.com>
parents: 11561
diff changeset
    55
    'persistent' argument is passed to it, and is equal to the value that
a49f08423f02 [auth] Use a second authtkt policy for 'rememberme'
Christophe de Vienne <christophe@unlish.com>
parents: 11561
diff changeset
    56
    was passed to the constructor.
a49f08423f02 [auth] Use a second authtkt policy for 'rememberme'
Christophe de Vienne <christophe@unlish.com>
parents: 11561
diff changeset
    57
a49f08423f02 [auth] Use a second authtkt policy for 'rememberme'
Christophe de Vienne <christophe@unlish.com>
parents: 11561
diff changeset
    58
    This allow to combine two policies with different settings and select them
a49f08423f02 [auth] Use a second authtkt policy for 'rememberme'
Christophe de Vienne <christophe@unlish.com>
parents: 11561
diff changeset
    59
    by just setting this argument.
a49f08423f02 [auth] Use a second authtkt policy for 'rememberme'
Christophe de Vienne <christophe@unlish.com>
parents: 11561
diff changeset
    60
    """
11592
197e10cb74f7 [auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents: 11562
diff changeset
    61
    def __init__(self, secret, persistent, defaults={}, prefix='', **settings):
11562
a49f08423f02 [auth] Use a second authtkt policy for 'rememberme'
Christophe de Vienne <christophe@unlish.com>
parents: 11561
diff changeset
    62
        self.persistent = persistent
11592
197e10cb74f7 [auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents: 11562
diff changeset
    63
        unset = object()
197e10cb74f7 [auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents: 11562
diff changeset
    64
        kw = {}
197e10cb74f7 [auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents: 11562
diff changeset
    65
        # load string settings
197e10cb74f7 [auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents: 11562
diff changeset
    66
        for name in ('cookie_name', 'path', 'domain', 'hashalg'):
197e10cb74f7 [auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents: 11562
diff changeset
    67
            value = settings.get(prefix + name, defaults.get(name, unset))
197e10cb74f7 [auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents: 11562
diff changeset
    68
            if value is not unset:
197e10cb74f7 [auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents: 11562
diff changeset
    69
                kw[name] = value
197e10cb74f7 [auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents: 11562
diff changeset
    70
        # load boolean settings
197e10cb74f7 [auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents: 11562
diff changeset
    71
        for name in ('secure', 'include_ip', 'http_only', 'wild_domain',
197e10cb74f7 [auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents: 11562
diff changeset
    72
                     'parent_domain', 'debug'):
197e10cb74f7 [auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents: 11562
diff changeset
    73
            value = settings.get(prefix + name, defaults.get(name, unset))
197e10cb74f7 [auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents: 11562
diff changeset
    74
            if value is not unset:
197e10cb74f7 [auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents: 11562
diff changeset
    75
                kw[name] = asbool(value)
197e10cb74f7 [auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents: 11562
diff changeset
    76
        # load int settings
197e10cb74f7 [auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents: 11562
diff changeset
    77
        for name in ('timeout', 'reissue_time', 'max_age'):
197e10cb74f7 [auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents: 11562
diff changeset
    78
            value = settings.get(prefix + name, defaults.get(name, unset))
197e10cb74f7 [auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents: 11562
diff changeset
    79
            if value is not unset:
197e10cb74f7 [auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents: 11562
diff changeset
    80
                kw[name] = int(value)
11562
a49f08423f02 [auth] Use a second authtkt policy for 'rememberme'
Christophe de Vienne <christophe@unlish.com>
parents: 11561
diff changeset
    81
        super(CWAuthTktAuthenticationPolicy, self).__init__(secret, **kw)
a49f08423f02 [auth] Use a second authtkt policy for 'rememberme'
Christophe de Vienne <christophe@unlish.com>
parents: 11561
diff changeset
    82
a49f08423f02 [auth] Use a second authtkt policy for 'rememberme'
Christophe de Vienne <christophe@unlish.com>
parents: 11561
diff changeset
    83
    def remember(self, request, principals, **kw):
a49f08423f02 [auth] Use a second authtkt policy for 'rememberme'
Christophe de Vienne <christophe@unlish.com>
parents: 11561
diff changeset
    84
        if 'persistent' not in kw or kw.pop('persistent') == self.persistent:
a49f08423f02 [auth] Use a second authtkt policy for 'rememberme'
Christophe de Vienne <christophe@unlish.com>
parents: 11561
diff changeset
    85
            return super(CWAuthTktAuthenticationPolicy, self).remember(
a49f08423f02 [auth] Use a second authtkt policy for 'rememberme'
Christophe de Vienne <christophe@unlish.com>
parents: 11561
diff changeset
    86
                request, principals, **kw)
a49f08423f02 [auth] Use a second authtkt policy for 'rememberme'
Christophe de Vienne <christophe@unlish.com>
parents: 11561
diff changeset
    87
        else:
a49f08423f02 [auth] Use a second authtkt policy for 'rememberme'
Christophe de Vienne <christophe@unlish.com>
parents: 11561
diff changeset
    88
            return ()
a49f08423f02 [auth] Use a second authtkt policy for 'rememberme'
Christophe de Vienne <christophe@unlish.com>
parents: 11561
diff changeset
    89
a49f08423f02 [auth] Use a second authtkt policy for 'rememberme'
Christophe de Vienne <christophe@unlish.com>
parents: 11561
diff changeset
    90
11533
4ced3782b90f Move auth-related configuration to a dedicated module.
Christophe de Vienne <christophe@unlish.com>
parents:
diff changeset
    91
def includeme(config):
11537
caf268942436 Initial documentation.
Christophe de Vienne <christophe@unlish.com>
parents: 11533
diff changeset
    92
    """ Activate the CubicWeb AuthTkt authentication policy.
caf268942436 Initial documentation.
Christophe de Vienne <christophe@unlish.com>
parents: 11533
diff changeset
    93
caf268942436 Initial documentation.
Christophe de Vienne <christophe@unlish.com>
parents: 11533
diff changeset
    94
    Usually called via ``config.include('pyramid_cubicweb.auth')``.
caf268942436 Initial documentation.
Christophe de Vienne <christophe@unlish.com>
parents: 11533
diff changeset
    95
caf268942436 Initial documentation.
Christophe de Vienne <christophe@unlish.com>
parents: 11533
diff changeset
    96
    See also :ref:`defaults_module`
caf268942436 Initial documentation.
Christophe de Vienne <christophe@unlish.com>
parents: 11533
diff changeset
    97
    """
11561
25d93d14f8b6 [auth] Use pyramid_multiauth
Christophe de Vienne <christophe@unlish.com>
parents: 11537
diff changeset
    98
    settings = config.registry.settings
25d93d14f8b6 [auth] Use pyramid_multiauth
Christophe de Vienne <christophe@unlish.com>
parents: 11537
diff changeset
    99
25d93d14f8b6 [auth] Use pyramid_multiauth
Christophe de Vienne <christophe@unlish.com>
parents: 11537
diff changeset
   100
    policies = []
25d93d14f8b6 [auth] Use pyramid_multiauth
Christophe de Vienne <christophe@unlish.com>
parents: 11537
diff changeset
   101
25d93d14f8b6 [auth] Use pyramid_multiauth
Christophe de Vienne <christophe@unlish.com>
parents: 11537
diff changeset
   102
    if asbool(settings.get('cubicweb.auth.update_login_time', True)):
25d93d14f8b6 [auth] Use pyramid_multiauth
Christophe de Vienne <christophe@unlish.com>
parents: 11537
diff changeset
   103
        policies.append(UpdateLoginTimeAuthenticationPolicy())
11533
4ced3782b90f Move auth-related configuration to a dedicated module.
Christophe de Vienne <christophe@unlish.com>
parents:
diff changeset
   104
11561
25d93d14f8b6 [auth] Use pyramid_multiauth
Christophe de Vienne <christophe@unlish.com>
parents: 11537
diff changeset
   105
    if asbool(settings.get('cubicweb.auth.authtkt', True)):
11592
197e10cb74f7 [auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents: 11562
diff changeset
   106
        session_prefix = 'cubicweb.auth.authtkt.session.'
197e10cb74f7 [auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents: 11562
diff changeset
   107
        persistent_prefix = 'cubicweb.auth.authtkt.persistent.'
11533
4ced3782b90f Move auth-related configuration to a dedicated module.
Christophe de Vienne <christophe@unlish.com>
parents:
diff changeset
   108
11592
197e10cb74f7 [auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents: 11562
diff changeset
   109
        try:
197e10cb74f7 [auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents: 11562
diff changeset
   110
            secret = config.registry['cubicweb.config']['pyramid-auth-secret']
197e10cb74f7 [auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents: 11562
diff changeset
   111
            warnings.warn(
197e10cb74f7 [auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents: 11562
diff changeset
   112
                "pyramid-auth-secret from all-in-one is now "
197e10cb74f7 [auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents: 11562
diff changeset
   113
                "cubicweb.auth.authtkt.[session|persistent].secret",
197e10cb74f7 [auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents: 11562
diff changeset
   114
                DeprecationWarning)
197e10cb74f7 [auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents: 11562
diff changeset
   115
        except:
11561
25d93d14f8b6 [auth] Use pyramid_multiauth
Christophe de Vienne <christophe@unlish.com>
parents: 11537
diff changeset
   116
            secret = 'notsosecret'
11592
197e10cb74f7 [auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents: 11562
diff changeset
   117
197e10cb74f7 [auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents: 11562
diff changeset
   118
        session_secret = settings.get(
197e10cb74f7 [auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents: 11562
diff changeset
   119
            session_prefix + 'secret', secret)
197e10cb74f7 [auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents: 11562
diff changeset
   120
        persistent_secret = settings.get(
197e10cb74f7 [auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents: 11562
diff changeset
   121
            persistent_prefix + 'secret', secret)
197e10cb74f7 [auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents: 11562
diff changeset
   122
197e10cb74f7 [auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents: 11562
diff changeset
   123
        if 'notsosecret' in (session_secret, persistent_secret):
11561
25d93d14f8b6 [auth] Use pyramid_multiauth
Christophe de Vienne <christophe@unlish.com>
parents: 11537
diff changeset
   124
            warnings.warn('''
25d93d14f8b6 [auth] Use pyramid_multiauth
Christophe de Vienne <christophe@unlish.com>
parents: 11537
diff changeset
   125
11592
197e10cb74f7 [auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents: 11562
diff changeset
   126
                !! SECURITY WARNING !!
11533
4ced3782b90f Move auth-related configuration to a dedicated module.
Christophe de Vienne <christophe@unlish.com>
parents:
diff changeset
   127
11561
25d93d14f8b6 [auth] Use pyramid_multiauth
Christophe de Vienne <christophe@unlish.com>
parents: 11537
diff changeset
   128
                The authentication cookies are signed with a static secret key.
11592
197e10cb74f7 [auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents: 11562
diff changeset
   129
197e10cb74f7 [auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents: 11562
diff changeset
   130
                Configure the following options in your pyramid.ini file:
197e10cb74f7 [auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents: 11562
diff changeset
   131
197e10cb74f7 [auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents: 11562
diff changeset
   132
                - cubicweb.auth.authtkt.session.secret
197e10cb74f7 [auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents: 11562
diff changeset
   133
                - cubicweb.auth.authtkt.persistent.secret
11533
4ced3782b90f Move auth-related configuration to a dedicated module.
Christophe de Vienne <christophe@unlish.com>
parents:
diff changeset
   134
11561
25d93d14f8b6 [auth] Use pyramid_multiauth
Christophe de Vienne <christophe@unlish.com>
parents: 11537
diff changeset
   135
                YOU SHOULD STOP THIS INSTANCE unless your really know what you
25d93d14f8b6 [auth] Use pyramid_multiauth
Christophe de Vienne <christophe@unlish.com>
parents: 11537
diff changeset
   136
                are doing !!
25d93d14f8b6 [auth] Use pyramid_multiauth
Christophe de Vienne <christophe@unlish.com>
parents: 11537
diff changeset
   137
25d93d14f8b6 [auth] Use pyramid_multiauth
Christophe de Vienne <christophe@unlish.com>
parents: 11537
diff changeset
   138
            ''')
11533
4ced3782b90f Move auth-related configuration to a dedicated module.
Christophe de Vienne <christophe@unlish.com>
parents:
diff changeset
   139
11561
25d93d14f8b6 [auth] Use pyramid_multiauth
Christophe de Vienne <christophe@unlish.com>
parents: 11537
diff changeset
   140
        policies.append(
11562
a49f08423f02 [auth] Use a second authtkt policy for 'rememberme'
Christophe de Vienne <christophe@unlish.com>
parents: 11561
diff changeset
   141
            CWAuthTktAuthenticationPolicy(
11592
197e10cb74f7 [auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents: 11562
diff changeset
   142
                session_secret, False,
197e10cb74f7 [auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents: 11562
diff changeset
   143
                defaults={
197e10cb74f7 [auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents: 11562
diff changeset
   144
                    'hashalg': 'sha512',
197e10cb74f7 [auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents: 11562
diff changeset
   145
                    'cookie_name': 'auth_tkt',
197e10cb74f7 [auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents: 11562
diff changeset
   146
                    'timeout': 1200,
11593
73bf8377a3d5 [auth] Authtkt http_only and secure by default
Christophe de Vienne <cdevienne@gmail.com>
parents: 11592
diff changeset
   147
                    'reissue_time': 120,
73bf8377a3d5 [auth] Authtkt http_only and secure by default
Christophe de Vienne <cdevienne@gmail.com>
parents: 11592
diff changeset
   148
                    'http_only': True,
73bf8377a3d5 [auth] Authtkt http_only and secure by default
Christophe de Vienne <cdevienne@gmail.com>
parents: 11592
diff changeset
   149
                    'secure': True
11592
197e10cb74f7 [auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents: 11562
diff changeset
   150
                },
197e10cb74f7 [auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents: 11562
diff changeset
   151
                prefix=session_prefix,
197e10cb74f7 [auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents: 11562
diff changeset
   152
                **settings
11562
a49f08423f02 [auth] Use a second authtkt policy for 'rememberme'
Christophe de Vienne <christophe@unlish.com>
parents: 11561
diff changeset
   153
            )
a49f08423f02 [auth] Use a second authtkt policy for 'rememberme'
Christophe de Vienne <christophe@unlish.com>
parents: 11561
diff changeset
   154
        )
a49f08423f02 [auth] Use a second authtkt policy for 'rememberme'
Christophe de Vienne <christophe@unlish.com>
parents: 11561
diff changeset
   155
a49f08423f02 [auth] Use a second authtkt policy for 'rememberme'
Christophe de Vienne <christophe@unlish.com>
parents: 11561
diff changeset
   156
        policies.append(
a49f08423f02 [auth] Use a second authtkt policy for 'rememberme'
Christophe de Vienne <christophe@unlish.com>
parents: 11561
diff changeset
   157
            CWAuthTktAuthenticationPolicy(
11592
197e10cb74f7 [auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents: 11562
diff changeset
   158
                persistent_secret, True,
197e10cb74f7 [auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents: 11562
diff changeset
   159
                defaults={
197e10cb74f7 [auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents: 11562
diff changeset
   160
                    'hashalg': 'sha512',
197e10cb74f7 [auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents: 11562
diff changeset
   161
                    'cookie_name': 'pauth_tkt',
197e10cb74f7 [auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents: 11562
diff changeset
   162
                    'max_age': 3600*24*30,
11593
73bf8377a3d5 [auth] Authtkt http_only and secure by default
Christophe de Vienne <cdevienne@gmail.com>
parents: 11592
diff changeset
   163
                    'reissue_time': 3600*24,
73bf8377a3d5 [auth] Authtkt http_only and secure by default
Christophe de Vienne <cdevienne@gmail.com>
parents: 11592
diff changeset
   164
                    'http_only': True,
73bf8377a3d5 [auth] Authtkt http_only and secure by default
Christophe de Vienne <cdevienne@gmail.com>
parents: 11592
diff changeset
   165
                    'secure': True
11592
197e10cb74f7 [auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents: 11562
diff changeset
   166
                },
197e10cb74f7 [auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents: 11562
diff changeset
   167
                prefix=persistent_prefix,
197e10cb74f7 [auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents: 11562
diff changeset
   168
                **settings
11562
a49f08423f02 [auth] Use a second authtkt policy for 'rememberme'
Christophe de Vienne <christophe@unlish.com>
parents: 11561
diff changeset
   169
            )
a49f08423f02 [auth] Use a second authtkt policy for 'rememberme'
Christophe de Vienne <christophe@unlish.com>
parents: 11561
diff changeset
   170
        )
11533
4ced3782b90f Move auth-related configuration to a dedicated module.
Christophe de Vienne <christophe@unlish.com>
parents:
diff changeset
   171
11561
25d93d14f8b6 [auth] Use pyramid_multiauth
Christophe de Vienne <christophe@unlish.com>
parents: 11537
diff changeset
   172
    kw = {}
25d93d14f8b6 [auth] Use pyramid_multiauth
Christophe de Vienne <christophe@unlish.com>
parents: 11537
diff changeset
   173
    if asbool(settings.get('cubicweb.auth.groups_principals', True)):
25d93d14f8b6 [auth] Use pyramid_multiauth
Christophe de Vienne <christophe@unlish.com>
parents: 11537
diff changeset
   174
        kw['callback'] = get_principals
25d93d14f8b6 [auth] Use pyramid_multiauth
Christophe de Vienne <christophe@unlish.com>
parents: 11537
diff changeset
   175
25d93d14f8b6 [auth] Use pyramid_multiauth
Christophe de Vienne <christophe@unlish.com>
parents: 11537
diff changeset
   176
    authpolicy = MultiAuthenticationPolicy(policies, **kw)
25d93d14f8b6 [auth] Use pyramid_multiauth
Christophe de Vienne <christophe@unlish.com>
parents: 11537
diff changeset
   177
    config.registry['cubicweb.authpolicy'] = authpolicy
25d93d14f8b6 [auth] Use pyramid_multiauth
Christophe de Vienne <christophe@unlish.com>
parents: 11537
diff changeset
   178
25d93d14f8b6 [auth] Use pyramid_multiauth
Christophe de Vienne <christophe@unlish.com>
parents: 11537
diff changeset
   179
    config.set_authentication_policy(authpolicy)
11533
4ced3782b90f Move auth-related configuration to a dedicated module.
Christophe de Vienne <christophe@unlish.com>
parents:
diff changeset
   180
    config.set_authorization_policy(ACLAuthorizationPolicy())