author | Denis Laxalde <denis.laxalde@logilab.fr> |
Thu, 09 Mar 2017 16:36:33 +0100 | |
changeset 12053 | c3c9f2e1424c |
parent 11993 | 07af2c2c264b |
child 12108 | 1a5fc93c81db |
permissions | -rw-r--r-- |
11967
83739be20fab
[pyramid] Add a copyright and docstring to all modules
Denis Laxalde <denis.laxalde@logilab.fr>
parents:
11811
diff
changeset
|
1 |
# copyright 2017 LOGILAB S.A. (Paris, FRANCE), all rights reserved. |
83739be20fab
[pyramid] Add a copyright and docstring to all modules
Denis Laxalde <denis.laxalde@logilab.fr>
parents:
11811
diff
changeset
|
2 |
# copyright 2014-2016 UNLISH S.A.S. (Montpellier, FRANCE), all rights reserved. |
83739be20fab
[pyramid] Add a copyright and docstring to all modules
Denis Laxalde <denis.laxalde@logilab.fr>
parents:
11811
diff
changeset
|
3 |
# |
83739be20fab
[pyramid] Add a copyright and docstring to all modules
Denis Laxalde <denis.laxalde@logilab.fr>
parents:
11811
diff
changeset
|
4 |
# contact http://www.logilab.fr/ -- mailto:contact@logilab.fr |
83739be20fab
[pyramid] Add a copyright and docstring to all modules
Denis Laxalde <denis.laxalde@logilab.fr>
parents:
11811
diff
changeset
|
5 |
# |
83739be20fab
[pyramid] Add a copyright and docstring to all modules
Denis Laxalde <denis.laxalde@logilab.fr>
parents:
11811
diff
changeset
|
6 |
# This file is part of CubicWeb. |
83739be20fab
[pyramid] Add a copyright and docstring to all modules
Denis Laxalde <denis.laxalde@logilab.fr>
parents:
11811
diff
changeset
|
7 |
# |
83739be20fab
[pyramid] Add a copyright and docstring to all modules
Denis Laxalde <denis.laxalde@logilab.fr>
parents:
11811
diff
changeset
|
8 |
# CubicWeb is free software: you can redistribute it and/or modify it under the |
83739be20fab
[pyramid] Add a copyright and docstring to all modules
Denis Laxalde <denis.laxalde@logilab.fr>
parents:
11811
diff
changeset
|
9 |
# terms of the GNU Lesser General Public License as published by the Free |
83739be20fab
[pyramid] Add a copyright and docstring to all modules
Denis Laxalde <denis.laxalde@logilab.fr>
parents:
11811
diff
changeset
|
10 |
# Software Foundation, either version 2.1 of the License, or (at your option) |
83739be20fab
[pyramid] Add a copyright and docstring to all modules
Denis Laxalde <denis.laxalde@logilab.fr>
parents:
11811
diff
changeset
|
11 |
# any later version. |
83739be20fab
[pyramid] Add a copyright and docstring to all modules
Denis Laxalde <denis.laxalde@logilab.fr>
parents:
11811
diff
changeset
|
12 |
# |
83739be20fab
[pyramid] Add a copyright and docstring to all modules
Denis Laxalde <denis.laxalde@logilab.fr>
parents:
11811
diff
changeset
|
13 |
# CubicWeb is distributed in the hope that it will be useful, but WITHOUT |
83739be20fab
[pyramid] Add a copyright and docstring to all modules
Denis Laxalde <denis.laxalde@logilab.fr>
parents:
11811
diff
changeset
|
14 |
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS |
83739be20fab
[pyramid] Add a copyright and docstring to all modules
Denis Laxalde <denis.laxalde@logilab.fr>
parents:
11811
diff
changeset
|
15 |
# FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more |
83739be20fab
[pyramid] Add a copyright and docstring to all modules
Denis Laxalde <denis.laxalde@logilab.fr>
parents:
11811
diff
changeset
|
16 |
# details. |
83739be20fab
[pyramid] Add a copyright and docstring to all modules
Denis Laxalde <denis.laxalde@logilab.fr>
parents:
11811
diff
changeset
|
17 |
# |
83739be20fab
[pyramid] Add a copyright and docstring to all modules
Denis Laxalde <denis.laxalde@logilab.fr>
parents:
11811
diff
changeset
|
18 |
# You should have received a copy of the GNU Lesser General Public License along |
83739be20fab
[pyramid] Add a copyright and docstring to all modules
Denis Laxalde <denis.laxalde@logilab.fr>
parents:
11811
diff
changeset
|
19 |
# with CubicWeb. If not, see <http://www.gnu.org/licenses/>. |
83739be20fab
[pyramid] Add a copyright and docstring to all modules
Denis Laxalde <denis.laxalde@logilab.fr>
parents:
11811
diff
changeset
|
20 |
|
83739be20fab
[pyramid] Add a copyright and docstring to all modules
Denis Laxalde <denis.laxalde@logilab.fr>
parents:
11811
diff
changeset
|
21 |
"""Authentication policies for cubicweb.pyramid.""" |
83739be20fab
[pyramid] Add a copyright and docstring to all modules
Denis Laxalde <denis.laxalde@logilab.fr>
parents:
11811
diff
changeset
|
22 |
|
11533
4ced3782b90f
Move auth-related configuration to a dedicated module.
Christophe de Vienne <christophe@unlish.com>
parents:
diff
changeset
|
23 |
import datetime |
4ced3782b90f
Move auth-related configuration to a dedicated module.
Christophe de Vienne <christophe@unlish.com>
parents:
diff
changeset
|
24 |
import logging |
4ced3782b90f
Move auth-related configuration to a dedicated module.
Christophe de Vienne <christophe@unlish.com>
parents:
diff
changeset
|
25 |
import warnings |
4ced3782b90f
Move auth-related configuration to a dedicated module.
Christophe de Vienne <christophe@unlish.com>
parents:
diff
changeset
|
26 |
|
11561
25d93d14f8b6
[auth] Use pyramid_multiauth
Christophe de Vienne <christophe@unlish.com>
parents:
11537
diff
changeset
|
27 |
from zope.interface import implementer |
25d93d14f8b6
[auth] Use pyramid_multiauth
Christophe de Vienne <christophe@unlish.com>
parents:
11537
diff
changeset
|
28 |
|
25d93d14f8b6
[auth] Use pyramid_multiauth
Christophe de Vienne <christophe@unlish.com>
parents:
11537
diff
changeset
|
29 |
from pyramid.settings import asbool |
11533
4ced3782b90f
Move auth-related configuration to a dedicated module.
Christophe de Vienne <christophe@unlish.com>
parents:
diff
changeset
|
30 |
from pyramid.authorization import ACLAuthorizationPolicy |
11631
faf279e33298
Merge with pyramid-cubicweb
Yann Voté <yann.vote@logilab.fr>
parents:
11593
diff
changeset
|
31 |
from cubicweb.pyramid.core import get_principals |
11561
25d93d14f8b6
[auth] Use pyramid_multiauth
Christophe de Vienne <christophe@unlish.com>
parents:
11537
diff
changeset
|
32 |
from pyramid_multiauth import MultiAuthenticationPolicy |
11533
4ced3782b90f
Move auth-related configuration to a dedicated module.
Christophe de Vienne <christophe@unlish.com>
parents:
diff
changeset
|
33 |
|
4ced3782b90f
Move auth-related configuration to a dedicated module.
Christophe de Vienne <christophe@unlish.com>
parents:
diff
changeset
|
34 |
from pyramid.authentication import AuthTktAuthenticationPolicy |
4ced3782b90f
Move auth-related configuration to a dedicated module.
Christophe de Vienne <christophe@unlish.com>
parents:
diff
changeset
|
35 |
|
11561
25d93d14f8b6
[auth] Use pyramid_multiauth
Christophe de Vienne <christophe@unlish.com>
parents:
11537
diff
changeset
|
36 |
from pyramid.interfaces import IAuthenticationPolicy |
25d93d14f8b6
[auth] Use pyramid_multiauth
Christophe de Vienne <christophe@unlish.com>
parents:
11537
diff
changeset
|
37 |
|
11533
4ced3782b90f
Move auth-related configuration to a dedicated module.
Christophe de Vienne <christophe@unlish.com>
parents:
diff
changeset
|
38 |
log = logging.getLogger(__name__) |
4ced3782b90f
Move auth-related configuration to a dedicated module.
Christophe de Vienne <christophe@unlish.com>
parents:
diff
changeset
|
39 |
|
4ced3782b90f
Move auth-related configuration to a dedicated module.
Christophe de Vienne <christophe@unlish.com>
parents:
diff
changeset
|
40 |
|
11561
25d93d14f8b6
[auth] Use pyramid_multiauth
Christophe de Vienne <christophe@unlish.com>
parents:
11537
diff
changeset
|
41 |
@implementer(IAuthenticationPolicy) |
25d93d14f8b6
[auth] Use pyramid_multiauth
Christophe de Vienne <christophe@unlish.com>
parents:
11537
diff
changeset
|
42 |
class UpdateLoginTimeAuthenticationPolicy(object): |
11533
4ced3782b90f
Move auth-related configuration to a dedicated module.
Christophe de Vienne <christophe@unlish.com>
parents:
diff
changeset
|
43 |
"""An authentication policy that update the user last_login_time. |
4ced3782b90f
Move auth-related configuration to a dedicated module.
Christophe de Vienne <christophe@unlish.com>
parents:
diff
changeset
|
44 |
|
11561
25d93d14f8b6
[auth] Use pyramid_multiauth
Christophe de Vienne <christophe@unlish.com>
parents:
11537
diff
changeset
|
45 |
The update is done in the 'remember' method, which is called by the login |
25d93d14f8b6
[auth] Use pyramid_multiauth
Christophe de Vienne <christophe@unlish.com>
parents:
11537
diff
changeset
|
46 |
views login, |
11537
caf268942436
Initial documentation.
Christophe de Vienne <christophe@unlish.com>
parents:
11533
diff
changeset
|
47 |
|
caf268942436
Initial documentation.
Christophe de Vienne <christophe@unlish.com>
parents:
11533
diff
changeset
|
48 |
Usually used via :func:`includeme`. |
11533
4ced3782b90f
Move auth-related configuration to a dedicated module.
Christophe de Vienne <christophe@unlish.com>
parents:
diff
changeset
|
49 |
""" |
4ced3782b90f
Move auth-related configuration to a dedicated module.
Christophe de Vienne <christophe@unlish.com>
parents:
diff
changeset
|
50 |
|
11561
25d93d14f8b6
[auth] Use pyramid_multiauth
Christophe de Vienne <christophe@unlish.com>
parents:
11537
diff
changeset
|
51 |
def authenticated_userid(self, request): |
25d93d14f8b6
[auth] Use pyramid_multiauth
Christophe de Vienne <christophe@unlish.com>
parents:
11537
diff
changeset
|
52 |
pass |
25d93d14f8b6
[auth] Use pyramid_multiauth
Christophe de Vienne <christophe@unlish.com>
parents:
11537
diff
changeset
|
53 |
|
25d93d14f8b6
[auth] Use pyramid_multiauth
Christophe de Vienne <christophe@unlish.com>
parents:
11537
diff
changeset
|
54 |
def effective_principals(self, request): |
25d93d14f8b6
[auth] Use pyramid_multiauth
Christophe de Vienne <christophe@unlish.com>
parents:
11537
diff
changeset
|
55 |
return () |
25d93d14f8b6
[auth] Use pyramid_multiauth
Christophe de Vienne <christophe@unlish.com>
parents:
11537
diff
changeset
|
56 |
|
11533
4ced3782b90f
Move auth-related configuration to a dedicated module.
Christophe de Vienne <christophe@unlish.com>
parents:
diff
changeset
|
57 |
def remember(self, request, principal, **kw): |
4ced3782b90f
Move auth-related configuration to a dedicated module.
Christophe de Vienne <christophe@unlish.com>
parents:
diff
changeset
|
58 |
try: |
4ced3782b90f
Move auth-related configuration to a dedicated module.
Christophe de Vienne <christophe@unlish.com>
parents:
diff
changeset
|
59 |
repo = request.registry['cubicweb.repository'] |
4ced3782b90f
Move auth-related configuration to a dedicated module.
Christophe de Vienne <christophe@unlish.com>
parents:
diff
changeset
|
60 |
with repo.internal_cnx() as cnx: |
4ced3782b90f
Move auth-related configuration to a dedicated module.
Christophe de Vienne <christophe@unlish.com>
parents:
diff
changeset
|
61 |
cnx.execute( |
4ced3782b90f
Move auth-related configuration to a dedicated module.
Christophe de Vienne <christophe@unlish.com>
parents:
diff
changeset
|
62 |
"SET U last_login_time %(now)s WHERE U eid %(user)s", { |
4ced3782b90f
Move auth-related configuration to a dedicated module.
Christophe de Vienne <christophe@unlish.com>
parents:
diff
changeset
|
63 |
'now': datetime.datetime.now(), |
4ced3782b90f
Move auth-related configuration to a dedicated module.
Christophe de Vienne <christophe@unlish.com>
parents:
diff
changeset
|
64 |
'user': principal}) |
4ced3782b90f
Move auth-related configuration to a dedicated module.
Christophe de Vienne <christophe@unlish.com>
parents:
diff
changeset
|
65 |
cnx.commit() |
4ced3782b90f
Move auth-related configuration to a dedicated module.
Christophe de Vienne <christophe@unlish.com>
parents:
diff
changeset
|
66 |
except: |
4ced3782b90f
Move auth-related configuration to a dedicated module.
Christophe de Vienne <christophe@unlish.com>
parents:
diff
changeset
|
67 |
log.exception("Failed to update last_login_time") |
11561
25d93d14f8b6
[auth] Use pyramid_multiauth
Christophe de Vienne <christophe@unlish.com>
parents:
11537
diff
changeset
|
68 |
return () |
25d93d14f8b6
[auth] Use pyramid_multiauth
Christophe de Vienne <christophe@unlish.com>
parents:
11537
diff
changeset
|
69 |
|
25d93d14f8b6
[auth] Use pyramid_multiauth
Christophe de Vienne <christophe@unlish.com>
parents:
11537
diff
changeset
|
70 |
def forget(self, request): |
25d93d14f8b6
[auth] Use pyramid_multiauth
Christophe de Vienne <christophe@unlish.com>
parents:
11537
diff
changeset
|
71 |
return () |
11533
4ced3782b90f
Move auth-related configuration to a dedicated module.
Christophe de Vienne <christophe@unlish.com>
parents:
diff
changeset
|
72 |
|
4ced3782b90f
Move auth-related configuration to a dedicated module.
Christophe de Vienne <christophe@unlish.com>
parents:
diff
changeset
|
73 |
|
11562
a49f08423f02
[auth] Use a second authtkt policy for 'rememberme'
Christophe de Vienne <christophe@unlish.com>
parents:
11561
diff
changeset
|
74 |
class CWAuthTktAuthenticationPolicy(AuthTktAuthenticationPolicy): |
a49f08423f02
[auth] Use a second authtkt policy for 'rememberme'
Christophe de Vienne <christophe@unlish.com>
parents:
11561
diff
changeset
|
75 |
""" |
a49f08423f02
[auth] Use a second authtkt policy for 'rememberme'
Christophe de Vienne <christophe@unlish.com>
parents:
11561
diff
changeset
|
76 |
An authentication policy that inhibate the call the 'remember' if a |
a49f08423f02
[auth] Use a second authtkt policy for 'rememberme'
Christophe de Vienne <christophe@unlish.com>
parents:
11561
diff
changeset
|
77 |
'persistent' argument is passed to it, and is equal to the value that |
a49f08423f02
[auth] Use a second authtkt policy for 'rememberme'
Christophe de Vienne <christophe@unlish.com>
parents:
11561
diff
changeset
|
78 |
was passed to the constructor. |
a49f08423f02
[auth] Use a second authtkt policy for 'rememberme'
Christophe de Vienne <christophe@unlish.com>
parents:
11561
diff
changeset
|
79 |
|
a49f08423f02
[auth] Use a second authtkt policy for 'rememberme'
Christophe de Vienne <christophe@unlish.com>
parents:
11561
diff
changeset
|
80 |
This allow to combine two policies with different settings and select them |
a49f08423f02
[auth] Use a second authtkt policy for 'rememberme'
Christophe de Vienne <christophe@unlish.com>
parents:
11561
diff
changeset
|
81 |
by just setting this argument. |
a49f08423f02
[auth] Use a second authtkt policy for 'rememberme'
Christophe de Vienne <christophe@unlish.com>
parents:
11561
diff
changeset
|
82 |
""" |
11592
197e10cb74f7
[auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents:
11562
diff
changeset
|
83 |
def __init__(self, secret, persistent, defaults={}, prefix='', **settings): |
11562
a49f08423f02
[auth] Use a second authtkt policy for 'rememberme'
Christophe de Vienne <christophe@unlish.com>
parents:
11561
diff
changeset
|
84 |
self.persistent = persistent |
11592
197e10cb74f7
[auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents:
11562
diff
changeset
|
85 |
unset = object() |
197e10cb74f7
[auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents:
11562
diff
changeset
|
86 |
kw = {} |
197e10cb74f7
[auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents:
11562
diff
changeset
|
87 |
# load string settings |
197e10cb74f7
[auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents:
11562
diff
changeset
|
88 |
for name in ('cookie_name', 'path', 'domain', 'hashalg'): |
197e10cb74f7
[auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents:
11562
diff
changeset
|
89 |
value = settings.get(prefix + name, defaults.get(name, unset)) |
197e10cb74f7
[auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents:
11562
diff
changeset
|
90 |
if value is not unset: |
197e10cb74f7
[auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents:
11562
diff
changeset
|
91 |
kw[name] = value |
197e10cb74f7
[auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents:
11562
diff
changeset
|
92 |
# load boolean settings |
197e10cb74f7
[auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents:
11562
diff
changeset
|
93 |
for name in ('secure', 'include_ip', 'http_only', 'wild_domain', |
197e10cb74f7
[auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents:
11562
diff
changeset
|
94 |
'parent_domain', 'debug'): |
197e10cb74f7
[auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents:
11562
diff
changeset
|
95 |
value = settings.get(prefix + name, defaults.get(name, unset)) |
197e10cb74f7
[auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents:
11562
diff
changeset
|
96 |
if value is not unset: |
197e10cb74f7
[auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents:
11562
diff
changeset
|
97 |
kw[name] = asbool(value) |
197e10cb74f7
[auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents:
11562
diff
changeset
|
98 |
# load int settings |
197e10cb74f7
[auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents:
11562
diff
changeset
|
99 |
for name in ('timeout', 'reissue_time', 'max_age'): |
197e10cb74f7
[auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents:
11562
diff
changeset
|
100 |
value = settings.get(prefix + name, defaults.get(name, unset)) |
197e10cb74f7
[auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents:
11562
diff
changeset
|
101 |
if value is not unset: |
197e10cb74f7
[auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents:
11562
diff
changeset
|
102 |
kw[name] = int(value) |
11562
a49f08423f02
[auth] Use a second authtkt policy for 'rememberme'
Christophe de Vienne <christophe@unlish.com>
parents:
11561
diff
changeset
|
103 |
super(CWAuthTktAuthenticationPolicy, self).__init__(secret, **kw) |
a49f08423f02
[auth] Use a second authtkt policy for 'rememberme'
Christophe de Vienne <christophe@unlish.com>
parents:
11561
diff
changeset
|
104 |
|
a49f08423f02
[auth] Use a second authtkt policy for 'rememberme'
Christophe de Vienne <christophe@unlish.com>
parents:
11561
diff
changeset
|
105 |
def remember(self, request, principals, **kw): |
a49f08423f02
[auth] Use a second authtkt policy for 'rememberme'
Christophe de Vienne <christophe@unlish.com>
parents:
11561
diff
changeset
|
106 |
if 'persistent' not in kw or kw.pop('persistent') == self.persistent: |
a49f08423f02
[auth] Use a second authtkt policy for 'rememberme'
Christophe de Vienne <christophe@unlish.com>
parents:
11561
diff
changeset
|
107 |
return super(CWAuthTktAuthenticationPolicy, self).remember( |
a49f08423f02
[auth] Use a second authtkt policy for 'rememberme'
Christophe de Vienne <christophe@unlish.com>
parents:
11561
diff
changeset
|
108 |
request, principals, **kw) |
a49f08423f02
[auth] Use a second authtkt policy for 'rememberme'
Christophe de Vienne <christophe@unlish.com>
parents:
11561
diff
changeset
|
109 |
else: |
a49f08423f02
[auth] Use a second authtkt policy for 'rememberme'
Christophe de Vienne <christophe@unlish.com>
parents:
11561
diff
changeset
|
110 |
return () |
a49f08423f02
[auth] Use a second authtkt policy for 'rememberme'
Christophe de Vienne <christophe@unlish.com>
parents:
11561
diff
changeset
|
111 |
|
a49f08423f02
[auth] Use a second authtkt policy for 'rememberme'
Christophe de Vienne <christophe@unlish.com>
parents:
11561
diff
changeset
|
112 |
|
11533
4ced3782b90f
Move auth-related configuration to a dedicated module.
Christophe de Vienne <christophe@unlish.com>
parents:
diff
changeset
|
113 |
def includeme(config): |
11537
caf268942436
Initial documentation.
Christophe de Vienne <christophe@unlish.com>
parents:
11533
diff
changeset
|
114 |
""" Activate the CubicWeb AuthTkt authentication policy. |
caf268942436
Initial documentation.
Christophe de Vienne <christophe@unlish.com>
parents:
11533
diff
changeset
|
115 |
|
11631
faf279e33298
Merge with pyramid-cubicweb
Yann Voté <yann.vote@logilab.fr>
parents:
11593
diff
changeset
|
116 |
Usually called via ``config.include('cubicweb.pyramid.auth')``. |
11537
caf268942436
Initial documentation.
Christophe de Vienne <christophe@unlish.com>
parents:
11533
diff
changeset
|
117 |
|
caf268942436
Initial documentation.
Christophe de Vienne <christophe@unlish.com>
parents:
11533
diff
changeset
|
118 |
See also :ref:`defaults_module` |
caf268942436
Initial documentation.
Christophe de Vienne <christophe@unlish.com>
parents:
11533
diff
changeset
|
119 |
""" |
11561
25d93d14f8b6
[auth] Use pyramid_multiauth
Christophe de Vienne <christophe@unlish.com>
parents:
11537
diff
changeset
|
120 |
settings = config.registry.settings |
25d93d14f8b6
[auth] Use pyramid_multiauth
Christophe de Vienne <christophe@unlish.com>
parents:
11537
diff
changeset
|
121 |
|
25d93d14f8b6
[auth] Use pyramid_multiauth
Christophe de Vienne <christophe@unlish.com>
parents:
11537
diff
changeset
|
122 |
policies = [] |
25d93d14f8b6
[auth] Use pyramid_multiauth
Christophe de Vienne <christophe@unlish.com>
parents:
11537
diff
changeset
|
123 |
|
25d93d14f8b6
[auth] Use pyramid_multiauth
Christophe de Vienne <christophe@unlish.com>
parents:
11537
diff
changeset
|
124 |
if asbool(settings.get('cubicweb.auth.update_login_time', True)): |
25d93d14f8b6
[auth] Use pyramid_multiauth
Christophe de Vienne <christophe@unlish.com>
parents:
11537
diff
changeset
|
125 |
policies.append(UpdateLoginTimeAuthenticationPolicy()) |
11533
4ced3782b90f
Move auth-related configuration to a dedicated module.
Christophe de Vienne <christophe@unlish.com>
parents:
diff
changeset
|
126 |
|
11561
25d93d14f8b6
[auth] Use pyramid_multiauth
Christophe de Vienne <christophe@unlish.com>
parents:
11537
diff
changeset
|
127 |
if asbool(settings.get('cubicweb.auth.authtkt', True)): |
11592
197e10cb74f7
[auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents:
11562
diff
changeset
|
128 |
session_prefix = 'cubicweb.auth.authtkt.session.' |
197e10cb74f7
[auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents:
11562
diff
changeset
|
129 |
persistent_prefix = 'cubicweb.auth.authtkt.persistent.' |
11533
4ced3782b90f
Move auth-related configuration to a dedicated module.
Christophe de Vienne <christophe@unlish.com>
parents:
diff
changeset
|
130 |
|
11592
197e10cb74f7
[auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents:
11562
diff
changeset
|
131 |
session_secret = settings.get( |
11993
07af2c2c264b
[pyramid] Drop retrieval of auth/session secret in all-in-one.conf
Denis Laxalde <denis.laxalde@logilab.fr>
parents:
11967
diff
changeset
|
132 |
session_prefix + 'secret', 'notsosecret') |
11592
197e10cb74f7
[auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents:
11562
diff
changeset
|
133 |
persistent_secret = settings.get( |
11993
07af2c2c264b
[pyramid] Drop retrieval of auth/session secret in all-in-one.conf
Denis Laxalde <denis.laxalde@logilab.fr>
parents:
11967
diff
changeset
|
134 |
persistent_prefix + 'secret', 'notsosecret') |
11592
197e10cb74f7
[auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents:
11562
diff
changeset
|
135 |
if 'notsosecret' in (session_secret, persistent_secret): |
11561
25d93d14f8b6
[auth] Use pyramid_multiauth
Christophe de Vienne <christophe@unlish.com>
parents:
11537
diff
changeset
|
136 |
warnings.warn(''' |
25d93d14f8b6
[auth] Use pyramid_multiauth
Christophe de Vienne <christophe@unlish.com>
parents:
11537
diff
changeset
|
137 |
|
11592
197e10cb74f7
[auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents:
11562
diff
changeset
|
138 |
!! SECURITY WARNING !! |
11533
4ced3782b90f
Move auth-related configuration to a dedicated module.
Christophe de Vienne <christophe@unlish.com>
parents:
diff
changeset
|
139 |
|
11561
25d93d14f8b6
[auth] Use pyramid_multiauth
Christophe de Vienne <christophe@unlish.com>
parents:
11537
diff
changeset
|
140 |
The authentication cookies are signed with a static secret key. |
11592
197e10cb74f7
[auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents:
11562
diff
changeset
|
141 |
|
197e10cb74f7
[auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents:
11562
diff
changeset
|
142 |
Configure the following options in your pyramid.ini file: |
197e10cb74f7
[auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents:
11562
diff
changeset
|
143 |
|
197e10cb74f7
[auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents:
11562
diff
changeset
|
144 |
- cubicweb.auth.authtkt.session.secret |
197e10cb74f7
[auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents:
11562
diff
changeset
|
145 |
- cubicweb.auth.authtkt.persistent.secret |
11533
4ced3782b90f
Move auth-related configuration to a dedicated module.
Christophe de Vienne <christophe@unlish.com>
parents:
diff
changeset
|
146 |
|
11561
25d93d14f8b6
[auth] Use pyramid_multiauth
Christophe de Vienne <christophe@unlish.com>
parents:
11537
diff
changeset
|
147 |
YOU SHOULD STOP THIS INSTANCE unless your really know what you |
25d93d14f8b6
[auth] Use pyramid_multiauth
Christophe de Vienne <christophe@unlish.com>
parents:
11537
diff
changeset
|
148 |
are doing !! |
25d93d14f8b6
[auth] Use pyramid_multiauth
Christophe de Vienne <christophe@unlish.com>
parents:
11537
diff
changeset
|
149 |
|
25d93d14f8b6
[auth] Use pyramid_multiauth
Christophe de Vienne <christophe@unlish.com>
parents:
11537
diff
changeset
|
150 |
''') |
11533
4ced3782b90f
Move auth-related configuration to a dedicated module.
Christophe de Vienne <christophe@unlish.com>
parents:
diff
changeset
|
151 |
|
11561
25d93d14f8b6
[auth] Use pyramid_multiauth
Christophe de Vienne <christophe@unlish.com>
parents:
11537
diff
changeset
|
152 |
policies.append( |
11562
a49f08423f02
[auth] Use a second authtkt policy for 'rememberme'
Christophe de Vienne <christophe@unlish.com>
parents:
11561
diff
changeset
|
153 |
CWAuthTktAuthenticationPolicy( |
11592
197e10cb74f7
[auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents:
11562
diff
changeset
|
154 |
session_secret, False, |
197e10cb74f7
[auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents:
11562
diff
changeset
|
155 |
defaults={ |
197e10cb74f7
[auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents:
11562
diff
changeset
|
156 |
'hashalg': 'sha512', |
197e10cb74f7
[auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents:
11562
diff
changeset
|
157 |
'cookie_name': 'auth_tkt', |
197e10cb74f7
[auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents:
11562
diff
changeset
|
158 |
'timeout': 1200, |
11593
73bf8377a3d5
[auth] Authtkt http_only and secure by default
Christophe de Vienne <cdevienne@gmail.com>
parents:
11592
diff
changeset
|
159 |
'reissue_time': 120, |
73bf8377a3d5
[auth] Authtkt http_only and secure by default
Christophe de Vienne <cdevienne@gmail.com>
parents:
11592
diff
changeset
|
160 |
'http_only': True, |
73bf8377a3d5
[auth] Authtkt http_only and secure by default
Christophe de Vienne <cdevienne@gmail.com>
parents:
11592
diff
changeset
|
161 |
'secure': True |
11592
197e10cb74f7
[auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents:
11562
diff
changeset
|
162 |
}, |
197e10cb74f7
[auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents:
11562
diff
changeset
|
163 |
prefix=session_prefix, |
197e10cb74f7
[auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents:
11562
diff
changeset
|
164 |
**settings |
11562
a49f08423f02
[auth] Use a second authtkt policy for 'rememberme'
Christophe de Vienne <christophe@unlish.com>
parents:
11561
diff
changeset
|
165 |
) |
a49f08423f02
[auth] Use a second authtkt policy for 'rememberme'
Christophe de Vienne <christophe@unlish.com>
parents:
11561
diff
changeset
|
166 |
) |
a49f08423f02
[auth] Use a second authtkt policy for 'rememberme'
Christophe de Vienne <christophe@unlish.com>
parents:
11561
diff
changeset
|
167 |
|
a49f08423f02
[auth] Use a second authtkt policy for 'rememberme'
Christophe de Vienne <christophe@unlish.com>
parents:
11561
diff
changeset
|
168 |
policies.append( |
a49f08423f02
[auth] Use a second authtkt policy for 'rememberme'
Christophe de Vienne <christophe@unlish.com>
parents:
11561
diff
changeset
|
169 |
CWAuthTktAuthenticationPolicy( |
11592
197e10cb74f7
[auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents:
11562
diff
changeset
|
170 |
persistent_secret, True, |
197e10cb74f7
[auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents:
11562
diff
changeset
|
171 |
defaults={ |
197e10cb74f7
[auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents:
11562
diff
changeset
|
172 |
'hashalg': 'sha512', |
197e10cb74f7
[auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents:
11562
diff
changeset
|
173 |
'cookie_name': 'pauth_tkt', |
11811
f09efeead7f9
Fix broken flake8 configuration
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
11631
diff
changeset
|
174 |
'max_age': 3600 * 24 * 30, |
f09efeead7f9
Fix broken flake8 configuration
Sylvain Thénault <sylvain.thenault@logilab.fr>
parents:
11631
diff
changeset
|
175 |
'reissue_time': 3600 * 24, |
11593
73bf8377a3d5
[auth] Authtkt http_only and secure by default
Christophe de Vienne <cdevienne@gmail.com>
parents:
11592
diff
changeset
|
176 |
'http_only': True, |
73bf8377a3d5
[auth] Authtkt http_only and secure by default
Christophe de Vienne <cdevienne@gmail.com>
parents:
11592
diff
changeset
|
177 |
'secure': True |
11592
197e10cb74f7
[auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents:
11562
diff
changeset
|
178 |
}, |
197e10cb74f7
[auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents:
11562
diff
changeset
|
179 |
prefix=persistent_prefix, |
197e10cb74f7
[auth] Make the configuration cookies completely configurable
Christophe de Vienne <cdevienne@gmail.com>
parents:
11562
diff
changeset
|
180 |
**settings |
11562
a49f08423f02
[auth] Use a second authtkt policy for 'rememberme'
Christophe de Vienne <christophe@unlish.com>
parents:
11561
diff
changeset
|
181 |
) |
a49f08423f02
[auth] Use a second authtkt policy for 'rememberme'
Christophe de Vienne <christophe@unlish.com>
parents:
11561
diff
changeset
|
182 |
) |
11533
4ced3782b90f
Move auth-related configuration to a dedicated module.
Christophe de Vienne <christophe@unlish.com>
parents:
diff
changeset
|
183 |
|
11561
25d93d14f8b6
[auth] Use pyramid_multiauth
Christophe de Vienne <christophe@unlish.com>
parents:
11537
diff
changeset
|
184 |
kw = {} |
25d93d14f8b6
[auth] Use pyramid_multiauth
Christophe de Vienne <christophe@unlish.com>
parents:
11537
diff
changeset
|
185 |
if asbool(settings.get('cubicweb.auth.groups_principals', True)): |
25d93d14f8b6
[auth] Use pyramid_multiauth
Christophe de Vienne <christophe@unlish.com>
parents:
11537
diff
changeset
|
186 |
kw['callback'] = get_principals |
25d93d14f8b6
[auth] Use pyramid_multiauth
Christophe de Vienne <christophe@unlish.com>
parents:
11537
diff
changeset
|
187 |
|
25d93d14f8b6
[auth] Use pyramid_multiauth
Christophe de Vienne <christophe@unlish.com>
parents:
11537
diff
changeset
|
188 |
authpolicy = MultiAuthenticationPolicy(policies, **kw) |
25d93d14f8b6
[auth] Use pyramid_multiauth
Christophe de Vienne <christophe@unlish.com>
parents:
11537
diff
changeset
|
189 |
config.registry['cubicweb.authpolicy'] = authpolicy |
25d93d14f8b6
[auth] Use pyramid_multiauth
Christophe de Vienne <christophe@unlish.com>
parents:
11537
diff
changeset
|
190 |
|
25d93d14f8b6
[auth] Use pyramid_multiauth
Christophe de Vienne <christophe@unlish.com>
parents:
11537
diff
changeset
|
191 |
config.set_authentication_policy(authpolicy) |
11533
4ced3782b90f
Move auth-related configuration to a dedicated module.
Christophe de Vienne <christophe@unlish.com>
parents:
diff
changeset
|
192 |
config.set_authorization_policy(ACLAuthorizationPolicy()) |