| author | Julien Cristau <julien.cristau@logilab.fr> |
| Tue, 11 Mar 2014 15:56:05 +0100 | |
| changeset 9580 | abaae1496ba4 |
| parent 9175 | a7412e884d7b |
| child 10333 | 569324f890d7 |
| permissions | -rw-r--r-- |
|
1714
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
1 |
.. -*- coding: utf-8 -*- |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
2 |
|
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
3 |
Sessions |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
4 |
======== |
|
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
5 |
|
|
9580
abaae1496ba4
[book] Update documentation for new repoapi
Julien Cristau <julien.cristau@logilab.fr>
parents:
9175
diff
changeset
|
6 |
Sessions are objects linked to an authenticated user. The `Session.new_cnx` |
|
abaae1496ba4
[book] Update documentation for new repoapi
Julien Cristau <julien.cristau@logilab.fr>
parents:
9175
diff
changeset
|
7 |
method returns a new Connection linked to that session. |
|
abaae1496ba4
[book] Update documentation for new repoapi
Julien Cristau <julien.cristau@logilab.fr>
parents:
9175
diff
changeset
|
8 |
|
|
abaae1496ba4
[book] Update documentation for new repoapi
Julien Cristau <julien.cristau@logilab.fr>
parents:
9175
diff
changeset
|
9 |
Connections |
|
abaae1496ba4
[book] Update documentation for new repoapi
Julien Cristau <julien.cristau@logilab.fr>
parents:
9175
diff
changeset
|
10 |
=========== |
|
6311
afd6a9e45489
[doc/book] tell a more complete story on sessions and the authentication process
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6298
diff
changeset
|
11 |
|
|
9580
abaae1496ba4
[book] Update documentation for new repoapi
Julien Cristau <julien.cristau@logilab.fr>
parents:
9175
diff
changeset
|
12 |
Connections provide the `.execute` method to query the data sources. |
|
6311
afd6a9e45489
[doc/book] tell a more complete story on sessions and the authentication process
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6298
diff
changeset
|
13 |
|
|
9580
abaae1496ba4
[book] Update documentation for new repoapi
Julien Cristau <julien.cristau@logilab.fr>
parents:
9175
diff
changeset
|
14 |
Kinds of connections |
|
abaae1496ba4
[book] Update documentation for new repoapi
Julien Cristau <julien.cristau@logilab.fr>
parents:
9175
diff
changeset
|
15 |
-------------------- |
|
2112
df86450ca65d
[doc] a note on sessions
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
1714
diff
changeset
|
16 |
|
|
9580
abaae1496ba4
[book] Update documentation for new repoapi
Julien Cristau <julien.cristau@logilab.fr>
parents:
9175
diff
changeset
|
17 |
There are two kinds of connections. |
|
abaae1496ba4
[book] Update documentation for new repoapi
Julien Cristau <julien.cristau@logilab.fr>
parents:
9175
diff
changeset
|
18 |
|
|
abaae1496ba4
[book] Update documentation for new repoapi
Julien Cristau <julien.cristau@logilab.fr>
parents:
9175
diff
changeset
|
19 |
* `normal connections` are the most common: they are related to users and |
|
2112
df86450ca65d
[doc] a note on sessions
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
1714
diff
changeset
|
20 |
carry security checks coming with user credentials |
|
df86450ca65d
[doc] a note on sessions
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
1714
diff
changeset
|
21 |
|
|
9580
abaae1496ba4
[book] Update documentation for new repoapi
Julien Cristau <julien.cristau@logilab.fr>
parents:
9175
diff
changeset
|
22 |
* `internal connections` have all the powers; they are also used in only a |
|
2112
df86450ca65d
[doc] a note on sessions
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
1714
diff
changeset
|
23 |
few situations where you don't already have an adequate session at |
|
df86450ca65d
[doc] a note on sessions
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
1714
diff
changeset
|
24 |
hand, like: user authentication, data synchronisation in |
|
df86450ca65d
[doc] a note on sessions
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
1714
diff
changeset
|
25 |
multi-source contexts |
|
df86450ca65d
[doc] a note on sessions
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
1714
diff
changeset
|
26 |
|
|
9580
abaae1496ba4
[book] Update documentation for new repoapi
Julien Cristau <julien.cristau@logilab.fr>
parents:
9175
diff
changeset
|
27 |
Normal connections are typically named `_cw` in most appobjects or |
|
6311
afd6a9e45489
[doc/book] tell a more complete story on sessions and the authentication process
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6298
diff
changeset
|
28 |
sometimes just `session`. |
|
afd6a9e45489
[doc/book] tell a more complete story on sessions and the authentication process
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6298
diff
changeset
|
29 |
|
|
9580
abaae1496ba4
[book] Update documentation for new repoapi
Julien Cristau <julien.cristau@logilab.fr>
parents:
9175
diff
changeset
|
30 |
Internal connections are available from the `Repository` object and are |
|
6311
afd6a9e45489
[doc/book] tell a more complete story on sessions and the authentication process
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6298
diff
changeset
|
31 |
to be used like this: |
|
afd6a9e45489
[doc/book] tell a more complete story on sessions and the authentication process
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6298
diff
changeset
|
32 |
|
|
afd6a9e45489
[doc/book] tell a more complete story on sessions and the authentication process
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6298
diff
changeset
|
33 |
.. sourcecode:: python |
|
6313
b3fd91524132
[doc/book] begin an howto write auth plugins chapter
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6311
diff
changeset
|
34 |
|
|
9580
abaae1496ba4
[book] Update documentation for new repoapi
Julien Cristau <julien.cristau@logilab.fr>
parents:
9175
diff
changeset
|
35 |
with self.repo.internal_cnx() as cnx: |
|
abaae1496ba4
[book] Update documentation for new repoapi
Julien Cristau <julien.cristau@logilab.fr>
parents:
9175
diff
changeset
|
36 |
do_stuff_with(cnx) |
|
abaae1496ba4
[book] Update documentation for new repoapi
Julien Cristau <julien.cristau@logilab.fr>
parents:
9175
diff
changeset
|
37 |
cnx.commit() |
|
6311
afd6a9e45489
[doc/book] tell a more complete story on sessions and the authentication process
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6298
diff
changeset
|
38 |
|
|
9580
abaae1496ba4
[book] Update documentation for new repoapi
Julien Cristau <julien.cristau@logilab.fr>
parents:
9175
diff
changeset
|
39 |
Connections should always be used as context managers, to avoid leaks. |
|
6311
afd6a9e45489
[doc/book] tell a more complete story on sessions and the authentication process
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6298
diff
changeset
|
40 |
|
|
afd6a9e45489
[doc/book] tell a more complete story on sessions and the authentication process
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6298
diff
changeset
|
41 |
Authentication and management of sessions |
|
afd6a9e45489
[doc/book] tell a more complete story on sessions and the authentication process
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6298
diff
changeset
|
42 |
----------------------------------------- |
|
afd6a9e45489
[doc/book] tell a more complete story on sessions and the authentication process
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6298
diff
changeset
|
43 |
|
|
afd6a9e45489
[doc/book] tell a more complete story on sessions and the authentication process
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6298
diff
changeset
|
44 |
The authentication process is a ballet involving a few dancers: |
|
afd6a9e45489
[doc/book] tell a more complete story on sessions and the authentication process
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6298
diff
changeset
|
45 |
|
|
9580
abaae1496ba4
[book] Update documentation for new repoapi
Julien Cristau <julien.cristau@logilab.fr>
parents:
9175
diff
changeset
|
46 |
* through its `get_session` method the top-level application object (the |
|
6313
b3fd91524132
[doc/book] begin an howto write auth plugins chapter
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6311
diff
changeset
|
47 |
`CubicWebPublisher`) will open a session whenever a web request |
|
6311
afd6a9e45489
[doc/book] tell a more complete story on sessions and the authentication process
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6298
diff
changeset
|
48 |
comes in; it asks the `session manager` to open a session (giving |
|
afd6a9e45489
[doc/book] tell a more complete story on sessions and the authentication process
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6298
diff
changeset
|
49 |
the web request object as context) using `open_session` |
|
2112
df86450ca65d
[doc] a note on sessions
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
1714
diff
changeset
|
50 |
|
|
6311
afd6a9e45489
[doc/book] tell a more complete story on sessions and the authentication process
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6298
diff
changeset
|
51 |
* the session manager asks its authentication manager (which is a |
|
afd6a9e45489
[doc/book] tell a more complete story on sessions and the authentication process
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6298
diff
changeset
|
52 |
`component`) to authenticate the request (using `authenticate`) |
|
afd6a9e45489
[doc/book] tell a more complete story on sessions and the authentication process
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6298
diff
changeset
|
53 |
|
|
afd6a9e45489
[doc/book] tell a more complete story on sessions and the authentication process
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6298
diff
changeset
|
54 |
* the authentication manager asks, in order, to its authentication |
|
afd6a9e45489
[doc/book] tell a more complete story on sessions and the authentication process
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6298
diff
changeset
|
55 |
information retrievers, a login and an opaque object containing |
|
afd6a9e45489
[doc/book] tell a more complete story on sessions and the authentication process
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6298
diff
changeset
|
56 |
other credentials elements (calling `authentication_information`), |
|
afd6a9e45489
[doc/book] tell a more complete story on sessions and the authentication process
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6298
diff
changeset
|
57 |
giving the request object each time |
|
afd6a9e45489
[doc/book] tell a more complete story on sessions and the authentication process
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6298
diff
changeset
|
58 |
|
|
9175
a7412e884d7b
fix typos in docstring, doc and comments
Julien Cristau <julien.cristau@logilab.fr>
parents:
8760
diff
changeset
|
59 |
* the default retriever (named `LoginPasswordRetriever`) |
|
7751
50f89f05ae0a
[doc/book] fix ref to trustedauth cube
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6320
diff
changeset
|
60 |
will in turn defer login and password fetching to the request |
|
50f89f05ae0a
[doc/book] fix ref to trustedauth cube
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6320
diff
changeset
|
61 |
object (which, depending on the authentication mode (`cookie` |
|
50f89f05ae0a
[doc/book] fix ref to trustedauth cube
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6320
diff
changeset
|
62 |
or `http`), will do the appropriate things and return a login |
|
50f89f05ae0a
[doc/book] fix ref to trustedauth cube
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6320
diff
changeset
|
63 |
and a password) |
|
1714
a721966779be
new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff
changeset
|
64 |
|
|
6311
afd6a9e45489
[doc/book] tell a more complete story on sessions and the authentication process
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6298
diff
changeset
|
65 |
* the authentication manager, on success, asks the `Repository` |
|
afd6a9e45489
[doc/book] tell a more complete story on sessions and the authentication process
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6298
diff
changeset
|
66 |
object to connect with the found credentials (using `connect`) |
|
afd6a9e45489
[doc/book] tell a more complete story on sessions and the authentication process
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6298
diff
changeset
|
67 |
|
|
afd6a9e45489
[doc/book] tell a more complete story on sessions and the authentication process
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6298
diff
changeset
|
68 |
* the repository object asks authentication to all of its |
|
afd6a9e45489
[doc/book] tell a more complete story on sessions and the authentication process
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6298
diff
changeset
|
69 |
sources which support the `CWUser` entity with the given |
|
afd6a9e45489
[doc/book] tell a more complete story on sessions and the authentication process
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6298
diff
changeset
|
70 |
credentials; when successful it can build the cwuser entity, |
|
afd6a9e45489
[doc/book] tell a more complete story on sessions and the authentication process
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6298
diff
changeset
|
71 |
from which a regular `Session` object is made; it returns the |
|
afd6a9e45489
[doc/book] tell a more complete story on sessions and the authentication process
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6298
diff
changeset
|
72 |
session id |
|
afd6a9e45489
[doc/book] tell a more complete story on sessions and the authentication process
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6298
diff
changeset
|
73 |
|
|
7751
50f89f05ae0a
[doc/book] fix ref to trustedauth cube
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6320
diff
changeset
|
74 |
* the source in turn will delegate work to an authentifier |
|
50f89f05ae0a
[doc/book] fix ref to trustedauth cube
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6320
diff
changeset
|
75 |
class that defines the ultimate `authenticate` method (for |
|
50f89f05ae0a
[doc/book] fix ref to trustedauth cube
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6320
diff
changeset
|
76 |
instance the native source will query the database against |
|
50f89f05ae0a
[doc/book] fix ref to trustedauth cube
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6320
diff
changeset
|
77 |
the provided credentials) |
|
6313
b3fd91524132
[doc/book] begin an howto write auth plugins chapter
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6311
diff
changeset
|
78 |
|
|
6311
afd6a9e45489
[doc/book] tell a more complete story on sessions and the authentication process
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6298
diff
changeset
|
79 |
* the authentication manager, on success, will call back _all_ |
|
afd6a9e45489
[doc/book] tell a more complete story on sessions and the authentication process
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6298
diff
changeset
|
80 |
retrievers with `authenticated` and return its authentication |
|
afd6a9e45489
[doc/book] tell a more complete story on sessions and the authentication process
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6298
diff
changeset
|
81 |
data (on failure, it will try the anonymous login or, if the |
|
afd6a9e45489
[doc/book] tell a more complete story on sessions and the authentication process
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6298
diff
changeset
|
82 |
configuration forbids it, raise an `AuthenticationError`) |
|
afd6a9e45489
[doc/book] tell a more complete story on sessions and the authentication process
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6298
diff
changeset
|
83 |
|
|
6313
b3fd91524132
[doc/book] begin an howto write auth plugins chapter
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6311
diff
changeset
|
84 |
Writing authentication plugins |
|
b3fd91524132
[doc/book] begin an howto write auth plugins chapter
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6311
diff
changeset
|
85 |
------------------------------ |
|
b3fd91524132
[doc/book] begin an howto write auth plugins chapter
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6311
diff
changeset
|
86 |
|
|
b3fd91524132
[doc/book] begin an howto write auth plugins chapter
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6311
diff
changeset
|
87 |
Sometimes CubicWeb's out-of-the-box authentication schemes (cookie and |
|
9580
abaae1496ba4
[book] Update documentation for new repoapi
Julien Cristau <julien.cristau@logilab.fr>
parents:
9175
diff
changeset
|
88 |
http) are not sufficient. Nowadays there is a plethora of such schemes |
|
6313
b3fd91524132
[doc/book] begin an howto write auth plugins chapter
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6311
diff
changeset
|
89 |
and the framework cannot provide them all, but as the sequence above |
|
6319
20a7399ed58d
[doc/book] complete section on authentication plugins
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6313
diff
changeset
|
90 |
shows, it is extensible. |
|
6313
b3fd91524132
[doc/book] begin an howto write auth plugins chapter
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6311
diff
changeset
|
91 |
|
|
b3fd91524132
[doc/book] begin an howto write auth plugins chapter
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6311
diff
changeset
|
92 |
Two levels have to be considered when writing an authentication |
|
6319
20a7399ed58d
[doc/book] complete section on authentication plugins
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6313
diff
changeset
|
93 |
plugin: the web client and the repository. |
|
20a7399ed58d
[doc/book] complete section on authentication plugins
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6313
diff
changeset
|
94 |
|
|
20a7399ed58d
[doc/book] complete section on authentication plugins
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6313
diff
changeset
|
95 |
We invented a scenario where it makes sense to have a new plugin in |
|
20a7399ed58d
[doc/book] complete section on authentication plugins
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6313
diff
changeset
|
96 |
each side: some middleware will do pre-authentication and under the |
|
20a7399ed58d
[doc/book] complete section on authentication plugins
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6313
diff
changeset
|
97 |
right circumstances add a new HTTP `x-foo-user` header to the query |
|
20a7399ed58d
[doc/book] complete section on authentication plugins
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6313
diff
changeset
|
98 |
before it reaches the CubicWeb instance. For a concrete example of |
|
7751
50f89f05ae0a
[doc/book] fix ref to trustedauth cube
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6320
diff
changeset
|
99 |
this, see the `trustedauth`_ cube. |
|
6319
20a7399ed58d
[doc/book] complete section on authentication plugins
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6313
diff
changeset
|
100 |
|
|
7751
50f89f05ae0a
[doc/book] fix ref to trustedauth cube
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6320
diff
changeset
|
101 |
.. _`trustedauth`: http://www.cubicweb.org/project/cubicweb-trustedauth |
|
6319
20a7399ed58d
[doc/book] complete section on authentication plugins
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6313
diff
changeset
|
102 |
|
|
20a7399ed58d
[doc/book] complete section on authentication plugins
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6313
diff
changeset
|
103 |
Repository authentication plugins |
|
20a7399ed58d
[doc/book] complete section on authentication plugins
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6313
diff
changeset
|
104 |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|
6313
b3fd91524132
[doc/book] begin an howto write auth plugins chapter
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6311
diff
changeset
|
105 |
|
|
b3fd91524132
[doc/book] begin an howto write auth plugins chapter
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6311
diff
changeset
|
106 |
On the repository side, it is possible to register a source |
|
b3fd91524132
[doc/book] begin an howto write auth plugins chapter
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6311
diff
changeset
|
107 |
authentifier using the following kind of code: |
|
b3fd91524132
[doc/book] begin an howto write auth plugins chapter
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6311
diff
changeset
|
108 |
|
|
b3fd91524132
[doc/book] begin an howto write auth plugins chapter
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6311
diff
changeset
|
109 |
.. sourcecode:: python |
|
b3fd91524132
[doc/book] begin an howto write auth plugins chapter
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6311
diff
changeset
|
110 |
|
|
b3fd91524132
[doc/book] begin an howto write auth plugins chapter
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6311
diff
changeset
|
111 |
from cubicweb.server.sources import native |
|
b3fd91524132
[doc/book] begin an howto write auth plugins chapter
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6311
diff
changeset
|
112 |
|
|
6319
20a7399ed58d
[doc/book] complete section on authentication plugins
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6313
diff
changeset
|
113 |
class FooAuthentifier(native.LoginPasswordAuthentifier): |
|
6313
b3fd91524132
[doc/book] begin an howto write auth plugins chapter
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6311
diff
changeset
|
114 |
""" a source authentifier plugin |
|
6319
20a7399ed58d
[doc/book] complete section on authentication plugins
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6313
diff
changeset
|
115 |
if 'foo' in authentication information, no need to check |
|
20a7399ed58d
[doc/book] complete section on authentication plugins
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6313
diff
changeset
|
116 |
password |
|
6313
b3fd91524132
[doc/book] begin an howto write auth plugins chapter
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6311
diff
changeset
|
117 |
""" |
|
6319
20a7399ed58d
[doc/book] complete section on authentication plugins
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6313
diff
changeset
|
118 |
auth_rql = 'Any X WHERE X is CWUser, X login %(login)s' |
|
6313
b3fd91524132
[doc/book] begin an howto write auth plugins chapter
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6311
diff
changeset
|
119 |
|
|
b3fd91524132
[doc/book] begin an howto write auth plugins chapter
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6311
diff
changeset
|
120 |
def authenticate(self, session, login, **kwargs): |
|
b3fd91524132
[doc/book] begin an howto write auth plugins chapter
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6311
diff
changeset
|
121 |
"""return CWUser eid for the given login |
|
b3fd91524132
[doc/book] begin an howto write auth plugins chapter
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6311
diff
changeset
|
122 |
if this account is defined in this source, |
|
b3fd91524132
[doc/book] begin an howto write auth plugins chapter
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6311
diff
changeset
|
123 |
else raise `AuthenticationError` |
|
b3fd91524132
[doc/book] begin an howto write auth plugins chapter
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6311
diff
changeset
|
124 |
""" |
|
b3fd91524132
[doc/book] begin an howto write auth plugins chapter
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6311
diff
changeset
|
125 |
session.debug('authentication by %s', self.__class__.__name__) |
|
6319
20a7399ed58d
[doc/book] complete section on authentication plugins
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6313
diff
changeset
|
126 |
if 'foo' not in kwargs: |
|
20a7399ed58d
[doc/book] complete section on authentication plugins
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6313
diff
changeset
|
127 |
return super(FooAuthentifier, self).authenticate(session, login, **kwargs) |
|
6313
b3fd91524132
[doc/book] begin an howto write auth plugins chapter
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6311
diff
changeset
|
128 |
try: |
|
b3fd91524132
[doc/book] begin an howto write auth plugins chapter
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6311
diff
changeset
|
129 |
rset = session.execute(self.auth_rql, {'login': login}) |
|
6319
20a7399ed58d
[doc/book] complete section on authentication plugins
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6313
diff
changeset
|
130 |
return rset[0][0] |
|
6313
b3fd91524132
[doc/book] begin an howto write auth plugins chapter
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6311
diff
changeset
|
131 |
except Exception, exc: |
|
b3fd91524132
[doc/book] begin an howto write auth plugins chapter
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6311
diff
changeset
|
132 |
session.debug('authentication failure (%s)', exc) |
|
6319
20a7399ed58d
[doc/book] complete section on authentication plugins
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6313
diff
changeset
|
133 |
raise AuthenticationError('foo user is unknown to us') |
|
20a7399ed58d
[doc/book] complete section on authentication plugins
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6313
diff
changeset
|
134 |
|
|
20a7399ed58d
[doc/book] complete section on authentication plugins
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6313
diff
changeset
|
135 |
Since repository authentifiers are not appobjects, we have to register |
|
20a7399ed58d
[doc/book] complete section on authentication plugins
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6313
diff
changeset
|
136 |
them through a `server_startup` hook. |
|
20a7399ed58d
[doc/book] complete section on authentication plugins
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6313
diff
changeset
|
137 |
|
|
20a7399ed58d
[doc/book] complete section on authentication plugins
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6313
diff
changeset
|
138 |
.. sourcecode:: python |
|
6313
b3fd91524132
[doc/book] begin an howto write auth plugins chapter
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6311
diff
changeset
|
139 |
|
|
b3fd91524132
[doc/book] begin an howto write auth plugins chapter
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6311
diff
changeset
|
140 |
class ServerStartupHook(hook.Hook): |
|
b3fd91524132
[doc/book] begin an howto write auth plugins chapter
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6311
diff
changeset
|
141 |
""" register the foo authenticator """ |
|
b3fd91524132
[doc/book] begin an howto write auth plugins chapter
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6311
diff
changeset
|
142 |
__regid__ = 'fooauthenticatorregisterer' |
|
b3fd91524132
[doc/book] begin an howto write auth plugins chapter
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6311
diff
changeset
|
143 |
events = ('server_startup',) |
|
b3fd91524132
[doc/book] begin an howto write auth plugins chapter
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6311
diff
changeset
|
144 |
|
|
b3fd91524132
[doc/book] begin an howto write auth plugins chapter
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6311
diff
changeset
|
145 |
def __call__(self): |
|
b3fd91524132
[doc/book] begin an howto write auth plugins chapter
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6311
diff
changeset
|
146 |
self.debug('registering foo authentifier') |
|
b3fd91524132
[doc/book] begin an howto write auth plugins chapter
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6311
diff
changeset
|
147 |
self.repo.system_source.add_authentifier(FooAuthentifier()) |
|
b3fd91524132
[doc/book] begin an howto write auth plugins chapter
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6311
diff
changeset
|
148 |
|
|
6319
20a7399ed58d
[doc/book] complete section on authentication plugins
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6313
diff
changeset
|
149 |
Web authentication plugins |
|
20a7399ed58d
[doc/book] complete section on authentication plugins
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6313
diff
changeset
|
150 |
~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|
6313
b3fd91524132
[doc/book] begin an howto write auth plugins chapter
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6311
diff
changeset
|
151 |
|
|
6319
20a7399ed58d
[doc/book] complete section on authentication plugins
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6313
diff
changeset
|
152 |
.. sourcecode:: python |
|
20a7399ed58d
[doc/book] complete section on authentication plugins
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6313
diff
changeset
|
153 |
|
|
9580
abaae1496ba4
[book] Update documentation for new repoapi
Julien Cristau <julien.cristau@logilab.fr>
parents:
9175
diff
changeset
|
154 |
class XFooUserRetriever(authentication.LoginPasswordRetriever): |
|
6319
20a7399ed58d
[doc/book] complete section on authentication plugins
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6313
diff
changeset
|
155 |
""" authenticate by the x-foo-user http header |
|
20a7399ed58d
[doc/book] complete section on authentication plugins
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6313
diff
changeset
|
156 |
or just do normal login/password authentication |
|
20a7399ed58d
[doc/book] complete section on authentication plugins
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6313
diff
changeset
|
157 |
""" |
|
20a7399ed58d
[doc/book] complete section on authentication plugins
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6313
diff
changeset
|
158 |
__regid__ = 'x-foo-user' |
|
20a7399ed58d
[doc/book] complete section on authentication plugins
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6313
diff
changeset
|
159 |
order = 0 |
|
20a7399ed58d
[doc/book] complete section on authentication plugins
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6313
diff
changeset
|
160 |
|
|
20a7399ed58d
[doc/book] complete section on authentication plugins
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6313
diff
changeset
|
161 |
def authentication_information(self, req): |
|
20a7399ed58d
[doc/book] complete section on authentication plugins
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6313
diff
changeset
|
162 |
"""retrieve authentication information from the given request, raise |
|
20a7399ed58d
[doc/book] complete section on authentication plugins
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6313
diff
changeset
|
163 |
NoAuthInfo if expected information is not found |
|
20a7399ed58d
[doc/book] complete section on authentication plugins
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6313
diff
changeset
|
164 |
""" |
|
20a7399ed58d
[doc/book] complete section on authentication plugins
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6313
diff
changeset
|
165 |
self.debug('web authenticator building auth info') |
|
20a7399ed58d
[doc/book] complete section on authentication plugins
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6313
diff
changeset
|
166 |
try: |
|
20a7399ed58d
[doc/book] complete section on authentication plugins
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6313
diff
changeset
|
167 |
login = req.get_header('x-foo-user') |
|
20a7399ed58d
[doc/book] complete section on authentication plugins
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6313
diff
changeset
|
168 |
if login: |
|
20a7399ed58d
[doc/book] complete section on authentication plugins
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6313
diff
changeset
|
169 |
return login, {'foo': True} |
|
20a7399ed58d
[doc/book] complete section on authentication plugins
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6313
diff
changeset
|
170 |
else: |
|
20a7399ed58d
[doc/book] complete section on authentication plugins
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6313
diff
changeset
|
171 |
return super(XFooUserRetriever, self).authentication_information(self, req) |
|
20a7399ed58d
[doc/book] complete section on authentication plugins
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6313
diff
changeset
|
172 |
except Exception, exc: |
|
20a7399ed58d
[doc/book] complete section on authentication plugins
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6313
diff
changeset
|
173 |
self.debug('web authenticator failed (%s)', exc) |
|
20a7399ed58d
[doc/book] complete section on authentication plugins
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6313
diff
changeset
|
174 |
raise authentication.NoAuthInfo() |
|
20a7399ed58d
[doc/book] complete section on authentication plugins
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6313
diff
changeset
|
175 |
|
|
20a7399ed58d
[doc/book] complete section on authentication plugins
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6313
diff
changeset
|
176 |
def authenticated(self, retriever, req, cnx, login, authinfo): |
|
20a7399ed58d
[doc/book] complete section on authentication plugins
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6313
diff
changeset
|
177 |
"""callback when return authentication information have opened a |
|
20a7399ed58d
[doc/book] complete section on authentication plugins
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6313
diff
changeset
|
178 |
repository connection successfully. Take care req has no session |
|
20a7399ed58d
[doc/book] complete section on authentication plugins
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6313
diff
changeset
|
179 |
attached yet, hence req.execute isn't available. |
|
20a7399ed58d
[doc/book] complete section on authentication plugins
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6313
diff
changeset
|
180 |
|
|
20a7399ed58d
[doc/book] complete section on authentication plugins
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6313
diff
changeset
|
181 |
Here we set a flag on the request to indicate that the user is |
|
20a7399ed58d
[doc/book] complete section on authentication plugins
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6313
diff
changeset
|
182 |
foo-authenticated. Can be used by a selector |
|
20a7399ed58d
[doc/book] complete section on authentication plugins
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6313
diff
changeset
|
183 |
""" |
|
20a7399ed58d
[doc/book] complete section on authentication plugins
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6313
diff
changeset
|
184 |
self.debug('web authenticator running post authentication callback') |
|
20a7399ed58d
[doc/book] complete section on authentication plugins
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6313
diff
changeset
|
185 |
cnx.foo_user = authinfo.get('foo') |
|
20a7399ed58d
[doc/book] complete section on authentication plugins
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6313
diff
changeset
|
186 |
|
|
20a7399ed58d
[doc/book] complete section on authentication plugins
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6313
diff
changeset
|
187 |
In the `authenticated` method we add (in an admitedly slightly hackish |
|
20a7399ed58d
[doc/book] complete section on authentication plugins
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6313
diff
changeset
|
188 |
way) an attribute to the connection object. This, in turn, can be used |
|
20a7399ed58d
[doc/book] complete section on authentication plugins
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6313
diff
changeset
|
189 |
to build a selector dispatching on the fact that the user was |
|
20a7399ed58d
[doc/book] complete section on authentication plugins
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6313
diff
changeset
|
190 |
preauthenticated or not. |
|
20a7399ed58d
[doc/book] complete section on authentication plugins
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6313
diff
changeset
|
191 |
|
|
20a7399ed58d
[doc/book] complete section on authentication plugins
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6313
diff
changeset
|
192 |
.. sourcecode:: python |
|
20a7399ed58d
[doc/book] complete section on authentication plugins
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6313
diff
changeset
|
193 |
|
|
20a7399ed58d
[doc/book] complete section on authentication plugins
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6313
diff
changeset
|
194 |
@objectify_selector |
|
20a7399ed58d
[doc/book] complete section on authentication plugins
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6313
diff
changeset
|
195 |
def foo_authenticated(cls, req, rset=None, **kwargs): |
|
20a7399ed58d
[doc/book] complete section on authentication plugins
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6313
diff
changeset
|
196 |
if hasattr(req.cnx, 'foo_user') and req.foo_user: |
|
20a7399ed58d
[doc/book] complete section on authentication plugins
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6313
diff
changeset
|
197 |
return 1 |
|
20a7399ed58d
[doc/book] complete section on authentication plugins
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents:
6313
diff
changeset
|
198 |
return 0 |
|
8760
17994bf95d6a
[doc] update Session documentation
Pierre-Yves David <pierre-yves.david@logilab.fr>
parents:
7751
diff
changeset
|
199 |
|
|
9580
abaae1496ba4
[book] Update documentation for new repoapi
Julien Cristau <julien.cristau@logilab.fr>
parents:
9175
diff
changeset
|
200 |
Full Session and Connection API |
|
abaae1496ba4
[book] Update documentation for new repoapi
Julien Cristau <julien.cristau@logilab.fr>
parents:
9175
diff
changeset
|
201 |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|
8760
17994bf95d6a
[doc] update Session documentation
Pierre-Yves David <pierre-yves.david@logilab.fr>
parents:
7751
diff
changeset
|
202 |
|
|
17994bf95d6a
[doc] update Session documentation
Pierre-Yves David <pierre-yves.david@logilab.fr>
parents:
7751
diff
changeset
|
203 |
.. autoclass:: cubicweb.server.session.Session |
|
9580
abaae1496ba4
[book] Update documentation for new repoapi
Julien Cristau <julien.cristau@logilab.fr>
parents:
9175
diff
changeset
|
204 |
.. autoclass:: cubicweb.server.session.Connection |