author | Laurent Peuch <cortex@worlddomination.be>
date | Tue, 12 Feb 2019 16:11:54 +0100
branch | 3.26
changeset 12371 | 923f9c9f56c5
parent 12243 | a46fb3f58ea2
permissions | -rw-r--r--
# copyright 2017 LOGILAB S.A. (Paris, FRANCE), all rights reserved.
# copyright 2014-2016 UNLISH S.A.S. (Montpellier, FRANCE), all rights reserved.
#
# contact http://www.logilab.fr/ -- mailto:contact@logilab.fr
#
# This file is part of CubicWeb.
#
# CubicWeb is free software: you can redistribute it and/or modify it under the
# terms of the GNU Lesser General Public License as published by the Free
# Software Foundation, either version 2.1 of the License, or (at your option)
# any later version.
#
# CubicWeb is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
# FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
# details.
#
# You should have received a copy of the GNU Lesser General Public License along
# with CubicWeb. If not, see <http://www.gnu.org/licenses/>.
"""
CubicWeb AuthTkt authentication policy
--------------------------------------

When using the `cubicweb.pyramid.auth` module, which is the default in most
cases, you may have to configure the behaviour of these authentication
policies using standard Pyramid configuration. You may want to configure in
your pyramid configuration file:

:Session Authentication:

    This is an `AuthTktAuthenticationPolicy`_ so you may override default
    configuration values by adding configuration entries using the prefix
    ``cubicweb.auth.authtkt.session``. Default values are:

    ::

        cubicweb.auth.authtkt.session.hashalg = sha512
        cubicweb.auth.authtkt.session.cookie_name = auth_tkt
        cubicweb.auth.authtkt.session.timeout = 1200
        cubicweb.auth.authtkt.session.reissue_time = 120
        cubicweb.auth.authtkt.session.http_only = True
        cubicweb.auth.authtkt.session.secure = True


:Persistent Authentication:

    This is also an `AuthTktAuthenticationPolicy`_. It is used when persistent
    sessions are activated (typically when using the cubicweb-rememberme_
    cube). You may override default configuration values by adding
    configuration entries using the prefix
    ``cubicweb.auth.authtkt.persistent``. Default values are:

    ::

        cubicweb.auth.authtkt.persistent.hashalg = sha512
        cubicweb.auth.authtkt.persistent.cookie_name = pauth_tkt
        cubicweb.auth.authtkt.persistent.max_age = 3600*24*30
        cubicweb.auth.authtkt.persistent.reissue_time = 3600*24
        cubicweb.auth.authtkt.persistent.http_only = True
        cubicweb.auth.authtkt.persistent.secure = True


.. Warning:: Legacy timeout values from the instance's
             ``all-in-one.conf`` are **not** used at all
             (``http-session-time`` and ``cleanup-session-time``).

.. _CubicWeb: https://www.cubicweb.org/
.. _`cubicweb-rememberme`: \
    https://www.cubicweb.org/project/cubicweb-rememberme
.. _AuthTktAuthenticationPolicy: \
    http://docs.pylonsproject.org/projects/pyramid/en/latest/api/authentication.html#pyramid.authentication.AuthTktAuthenticationPolicy


Secrets
~~~~~~~
There are a number of secrets to configure in ``pyramid.ini``. They
should all be different from one another, as explained in `Pyramid's
documentation`_.

For the record, regarding authentication:

:cubicweb.auth.authtkt.session.secret: This secret is used to encrypt
   the authentication cookie.

:cubicweb.auth.authtkt.persistent.secret: This secret is used to
   encrypt the persistent authentication cookie.
"""

import datetime
import logging
import warnings

from zope.interface import implementer

from pyramid.settings import asbool
from pyramid.authorization import ACLAuthorizationPolicy
from cubicweb.pyramid.core import get_principals
from pyramid_multiauth import MultiAuthenticationPolicy

from pyramid.authentication import AuthTktAuthenticationPolicy

from pyramid.interfaces import IAuthenticationPolicy

log = logging.getLogger(__name__)


@implementer(IAuthenticationPolicy)
class UpdateLoginTimeAuthenticationPolicy(object):
    """An authentication policy that updates the user's last_login_time.

    The update is done in the 'remember' method, which is called by the login
    views.

    Usually used via :func:`includeme`.
    """

    def authenticated_userid(self, request):
        # This policy never identifies a user; it only hooks 'remember'.
        pass

    def effective_principals(self, request):
        return ()

    def remember(self, request, principal, **kw):
        repo = request.registry['cubicweb.repository']
        with repo.internal_cnx() as cnx:
            try:
                cnx.execute(
                    "SET U last_login_time %(now)s WHERE U eid %(user)s", {
                        'now': datetime.datetime.now(),
                        'user': principal})
                cnx.commit()
            except Exception:
                # A failed timestamp update is logged but does not block login.
                log.exception("Failed to update last_login_time")
        # No headers to set: this policy issues no cookie of its own.
        return ()

    def forget(self, request):
        return ()


class CWAuthTktAuthenticationPolicy(AuthTktAuthenticationPolicy):
    """
    An authentication policy that inhibits the call to 'remember' if a
    'persistent' argument is passed to it and differs from the value that
    was passed to the constructor.

    This allows combining two policies with different settings and selecting
    between them just by setting this argument.
    """
    def __init__(self, secret, persistent, defaults={}, prefix='', **settings):
        self.persistent = persistent
        # Sentinel distinguishing "not configured" from falsy values.
        unset = object()
        kw = {}
        # load string settings
        for name in ('cookie_name', 'path', 'domain', 'hashalg'):
            value = settings.get(prefix + name, defaults.get(name, unset))
            if value is not unset:
                kw[name] = value
        # load boolean settings
        for name in ('secure', 'include_ip', 'http_only', 'wild_domain',
                     'parent_domain', 'debug'):
            value = settings.get(prefix + name, defaults.get(name, unset))
            if value is not unset:
                kw[name] = asbool(value)
        # load int settings
        for name in ('timeout', 'reissue_time', 'max_age'):
            value = settings.get(prefix + name, defaults.get(name, unset))
            if value is not unset:
                kw[name] = int(value)
        super(CWAuthTktAuthenticationPolicy, self).__init__(secret, **kw)

    def remember(self, request, principals, **kw):
        # Issue the cookie when no 'persistent' flag is given or when it
        # matches this policy's own flag; otherwise set no headers.
        if 'persistent' not in kw or kw.pop('persistent') == self.persistent:
            return super(CWAuthTktAuthenticationPolicy, self).remember(
                request, principals, **kw)
        else:
            return ()



def includeme(config):
    """ Activate the CubicWeb AuthTkt authentication policy.

    Usually called via ``config.include('cubicweb.pyramid.auth')``.

    See also :ref:`defaults_module`
    """
    settings = config.registry.settings

    policies = []

    if asbool(settings.get('cubicweb.auth.update_login_time', True)):
        policies.append(UpdateLoginTimeAuthenticationPolicy())

    if asbool(settings.get('cubicweb.auth.authtkt', True)):
        session_prefix = 'cubicweb.auth.authtkt.session.'
        persistent_prefix = 'cubicweb.auth.authtkt.persistent.'

        session_secret = settings.get(
            session_prefix + 'secret', 'notsosecret')
        persistent_secret = settings.get(
            persistent_prefix + 'secret', 'notsosecret')
        if ('notsosecret' in (session_secret, persistent_secret)
                and config.registry['cubicweb.config'].mode != 'test'):
            warnings.warn('''

                !! SECURITY WARNING !!

                The authentication cookies are signed with a static secret key.

                Configure the following options in your pyramid.ini file:

                - cubicweb.auth.authtkt.session.secret
                - cubicweb.auth.authtkt.persistent.secret

                YOU SHOULD STOP THIS INSTANCE unless your really know what you
                are doing !!

                Please refer to to cubicweb-pyramid documentation on how to
                write this pyramid.ini file:
                https://cubicweb.readthedocs.io/en/latest/book/pyramid/settings/#pyramid-settings-file

                Without it authentication WON'T work.

            ''')

        policies.append(
            CWAuthTktAuthenticationPolicy(
                session_secret, False,
                defaults={
                    'hashalg': 'sha512',
                    'cookie_name': 'auth_tkt',
                    'timeout': 1200,
                    'reissue_time': 120,
                    'http_only': True,
                    'secure': True
                },
                prefix=session_prefix,
                **settings
            )
        )

        policies.append(
            CWAuthTktAuthenticationPolicy(
                persistent_secret, True,
                defaults={
                    'hashalg': 'sha512',
                    'cookie_name': 'pauth_tkt',
                    'max_age': 3600 * 24 * 30,
                    'reissue_time': 3600 * 24,
                    'http_only': True,
                    'secure': True
                },
                prefix=persistent_prefix,
                **settings
            )
        )

    kw = {}
    if asbool(settings.get('cubicweb.auth.groups_principals', True)):
        kw['callback'] = get_principals

    authpolicy = MultiAuthenticationPolicy(policies, **kw)
    config.registry['cubicweb.authpolicy'] = authpolicy

    config.set_authentication_policy(authpolicy)
    config.set_authorization_policy(ACLAuthorizationPolicy())
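
The fallback to 'notsosecret' in includeme() only raises a warning, so a misconfigured instance still starts and signs cookies with a publicly known key. The following added example, which is not part of CubicWeb, audits a settings mapping for the options includeme() reads; the length threshold, the weak-digest list, the distinct-keys rule and the as_bool helper are assumptions of this sketch.

```python
PREFIXES = ('cubicweb.auth.authtkt.session.',
            'cubicweb.auth.authtkt.persistent.')
FALLBACK_SECRET = 'notsosecret'   # literal fallback used by includeme()
MIN_SECRET_LEN = 32               # assumption: local policy, not a CubicWeb rule
WEAK_HASHALGS = {'md5', 'sha1'}   # assumption: local policy
TRUTHY = {'t', 'true', 'y', 'yes', 'on', '1'}


def as_bool(value):
    """Local stand-in for pyramid.settings.asbool, so the example runs offline."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in TRUTHY


def audit_authtkt(settings):
    """Return a sorted list of (setting_key, problem) findings."""
    findings = []
    secrets = []
    for prefix in PREFIXES:
        secret = settings.get(prefix + 'secret', FALLBACK_SECRET)
        secrets.append(secret)
        if secret == FALLBACK_SECRET:
            findings.append((prefix + 'secret', 'static fallback secret'))
        elif len(secret) < MIN_SECRET_LEN:
            findings.append((prefix + 'secret', 'secret too short'))
        # includeme() defaults both flags to True; flag explicit opt-outs.
        for flag in ('secure', 'http_only'):
            if not as_bool(settings.get(prefix + flag, True)):
                findings.append((prefix + flag, 'cookie flag disabled'))
        # includeme() defaults hashalg to sha512; flag weaker overrides.
        if settings.get(prefix + 'hashalg', 'sha512').lower() in WEAK_HASHALGS:
            findings.append((prefix + 'hashalg', 'weak ticket digest'))
    # Assumption: local policy wants a distinct signing key per cookie.
    if secrets[0] == secrets[1] != FALLBACK_SECRET:
        findings.append((PREFIXES[1] + 'secret', 'same secret as session cookie'))
    return sorted(findings)


# Constructed sample settings, as they would arrive from a pyramid.ini file.
WEAK = {
    'cubicweb.auth.authtkt.session.secret': 'changeme',
    'cubicweb.auth.authtkt.session.secure': 'false',
    'cubicweb.auth.authtkt.persistent.hashalg': 'md5',
}
HARDENED = {
    'cubicweb.auth.authtkt.session.secret': 'S' * 48,      # placeholder value
    'cubicweb.auth.authtkt.persistent.secret': 'P' * 48,   # placeholder value
}

if __name__ == '__main__':
    for key, problem in audit_authtkt(WEAK):
        print('%s: %s' % (key, problem))
```

Run at deployment time, a non-empty result can fail the start-up instead of relying on an operator noticing the warning in the logs.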