cubicweb: cubicweb/pyramid/auth.py@efb8250e37fb (annotated)

11533 4ced3782b90f Move auth-related configuration to a dedicated module. Christophe de Vienne <christophe@unlish.com> parents: diff changeset	1	import datetime
4ced3782b90f Move auth-related configuration to a dedicated module. Christophe de Vienne <christophe@unlish.com> parents: diff changeset	2	import logging
4ced3782b90f Move auth-related configuration to a dedicated module. Christophe de Vienne <christophe@unlish.com> parents: diff changeset	3	import warnings
4ced3782b90f Move auth-related configuration to a dedicated module. Christophe de Vienne <christophe@unlish.com> parents: diff changeset	4
11561 25d93d14f8b6 [auth] Use pyramid_multiauth Christophe de Vienne <christophe@unlish.com> parents: 11537 diff changeset	5	from zope.interface import implementer
25d93d14f8b6 [auth] Use pyramid_multiauth Christophe de Vienne <christophe@unlish.com> parents: 11537 diff changeset	6
25d93d14f8b6 [auth] Use pyramid_multiauth Christophe de Vienne <christophe@unlish.com> parents: 11537 diff changeset	7	from pyramid.settings import asbool
11533 4ced3782b90f Move auth-related configuration to a dedicated module. Christophe de Vienne <christophe@unlish.com> parents: diff changeset	8	from pyramid.authorization import ACLAuthorizationPolicy
11631 faf279e33298 Merge with pyramid-cubicweb Yann Voté <yann.vote@logilab.fr> parents: 11593 diff changeset	9	from cubicweb.pyramid.core import get_principals
11561 25d93d14f8b6 [auth] Use pyramid_multiauth Christophe de Vienne <christophe@unlish.com> parents: 11537 diff changeset	10	from pyramid_multiauth import MultiAuthenticationPolicy
11533 4ced3782b90f Move auth-related configuration to a dedicated module. Christophe de Vienne <christophe@unlish.com> parents: diff changeset	11
4ced3782b90f Move auth-related configuration to a dedicated module. Christophe de Vienne <christophe@unlish.com> parents: diff changeset	12	from pyramid.authentication import AuthTktAuthenticationPolicy
4ced3782b90f Move auth-related configuration to a dedicated module. Christophe de Vienne <christophe@unlish.com> parents: diff changeset	13
11561 25d93d14f8b6 [auth] Use pyramid_multiauth Christophe de Vienne <christophe@unlish.com> parents: 11537 diff changeset	14	from pyramid.interfaces import IAuthenticationPolicy
25d93d14f8b6 [auth] Use pyramid_multiauth Christophe de Vienne <christophe@unlish.com> parents: 11537 diff changeset	15
11533 4ced3782b90f Move auth-related configuration to a dedicated module. Christophe de Vienne <christophe@unlish.com> parents: diff changeset	16	log = logging.getLogger(__name__)
4ced3782b90f Move auth-related configuration to a dedicated module. Christophe de Vienne <christophe@unlish.com> parents: diff changeset	17
4ced3782b90f Move auth-related configuration to a dedicated module. Christophe de Vienne <christophe@unlish.com> parents: diff changeset	18
11561 25d93d14f8b6 [auth] Use pyramid_multiauth Christophe de Vienne <christophe@unlish.com> parents: 11537 diff changeset	19	@implementer(IAuthenticationPolicy)
25d93d14f8b6 [auth] Use pyramid_multiauth Christophe de Vienne <christophe@unlish.com> parents: 11537 diff changeset	20	class UpdateLoginTimeAuthenticationPolicy(object):
11533 4ced3782b90f Move auth-related configuration to a dedicated module. Christophe de Vienne <christophe@unlish.com> parents: diff changeset	21	"""An authentication policy that update the user last_login_time.
4ced3782b90f Move auth-related configuration to a dedicated module. Christophe de Vienne <christophe@unlish.com> parents: diff changeset	22
11561 25d93d14f8b6 [auth] Use pyramid_multiauth Christophe de Vienne <christophe@unlish.com> parents: 11537 diff changeset	23	The update is done in the 'remember' method, which is called by the login
25d93d14f8b6 [auth] Use pyramid_multiauth Christophe de Vienne <christophe@unlish.com> parents: 11537 diff changeset	24	views login,
11537 caf268942436 Initial documentation. Christophe de Vienne <christophe@unlish.com> parents: 11533 diff changeset	25
caf268942436 Initial documentation. Christophe de Vienne <christophe@unlish.com> parents: 11533 diff changeset	26	Usually used via :func:`includeme`.
11533 4ced3782b90f Move auth-related configuration to a dedicated module. Christophe de Vienne <christophe@unlish.com> parents: diff changeset	27	"""
4ced3782b90f Move auth-related configuration to a dedicated module. Christophe de Vienne <christophe@unlish.com> parents: diff changeset	28
11561 25d93d14f8b6 [auth] Use pyramid_multiauth Christophe de Vienne <christophe@unlish.com> parents: 11537 diff changeset	29	def authenticated_userid(self, request):
25d93d14f8b6 [auth] Use pyramid_multiauth Christophe de Vienne <christophe@unlish.com> parents: 11537 diff changeset	30	pass
25d93d14f8b6 [auth] Use pyramid_multiauth Christophe de Vienne <christophe@unlish.com> parents: 11537 diff changeset	31
25d93d14f8b6 [auth] Use pyramid_multiauth Christophe de Vienne <christophe@unlish.com> parents: 11537 diff changeset	32	def effective_principals(self, request):
25d93d14f8b6 [auth] Use pyramid_multiauth Christophe de Vienne <christophe@unlish.com> parents: 11537 diff changeset	33	return ()
25d93d14f8b6 [auth] Use pyramid_multiauth Christophe de Vienne <christophe@unlish.com> parents: 11537 diff changeset	34
11533 4ced3782b90f Move auth-related configuration to a dedicated module. Christophe de Vienne <christophe@unlish.com> parents: diff changeset	35	def remember(self, request, principal, **kw):
4ced3782b90f Move auth-related configuration to a dedicated module. Christophe de Vienne <christophe@unlish.com> parents: diff changeset	36	try:
4ced3782b90f Move auth-related configuration to a dedicated module. Christophe de Vienne <christophe@unlish.com> parents: diff changeset	37	repo = request.registry['cubicweb.repository']
4ced3782b90f Move auth-related configuration to a dedicated module. Christophe de Vienne <christophe@unlish.com> parents: diff changeset	38	with repo.internal_cnx() as cnx:
4ced3782b90f Move auth-related configuration to a dedicated module. Christophe de Vienne <christophe@unlish.com> parents: diff changeset	39	cnx.execute(
4ced3782b90f Move auth-related configuration to a dedicated module. Christophe de Vienne <christophe@unlish.com> parents: diff changeset	40	"SET U last_login_time %(now)s WHERE U eid %(user)s", {
4ced3782b90f Move auth-related configuration to a dedicated module. Christophe de Vienne <christophe@unlish.com> parents: diff changeset	41	'now': datetime.datetime.now(),
4ced3782b90f Move auth-related configuration to a dedicated module. Christophe de Vienne <christophe@unlish.com> parents: diff changeset	42	'user': principal})
4ced3782b90f Move auth-related configuration to a dedicated module. Christophe de Vienne <christophe@unlish.com> parents: diff changeset	43	cnx.commit()
4ced3782b90f Move auth-related configuration to a dedicated module. Christophe de Vienne <christophe@unlish.com> parents: diff changeset	44	except:
4ced3782b90f Move auth-related configuration to a dedicated module. Christophe de Vienne <christophe@unlish.com> parents: diff changeset	45	log.exception("Failed to update last_login_time")
11561 25d93d14f8b6 [auth] Use pyramid_multiauth Christophe de Vienne <christophe@unlish.com> parents: 11537 diff changeset	46	return ()
25d93d14f8b6 [auth] Use pyramid_multiauth Christophe de Vienne <christophe@unlish.com> parents: 11537 diff changeset	47
25d93d14f8b6 [auth] Use pyramid_multiauth Christophe de Vienne <christophe@unlish.com> parents: 11537 diff changeset	48	def forget(self, request):
25d93d14f8b6 [auth] Use pyramid_multiauth Christophe de Vienne <christophe@unlish.com> parents: 11537 diff changeset	49	return ()
11533 4ced3782b90f Move auth-related configuration to a dedicated module. Christophe de Vienne <christophe@unlish.com> parents: diff changeset	50
4ced3782b90f Move auth-related configuration to a dedicated module. Christophe de Vienne <christophe@unlish.com> parents: diff changeset	51
11562 a49f08423f02 [auth] Use a second authtkt policy for 'rememberme' Christophe de Vienne <christophe@unlish.com> parents: 11561 diff changeset	52	class CWAuthTktAuthenticationPolicy(AuthTktAuthenticationPolicy):
a49f08423f02 [auth] Use a second authtkt policy for 'rememberme' Christophe de Vienne <christophe@unlish.com> parents: 11561 diff changeset	53	"""
a49f08423f02 [auth] Use a second authtkt policy for 'rememberme' Christophe de Vienne <christophe@unlish.com> parents: 11561 diff changeset	54	An authentication policy that inhibate the call the 'remember' if a
a49f08423f02 [auth] Use a second authtkt policy for 'rememberme' Christophe de Vienne <christophe@unlish.com> parents: 11561 diff changeset	55	'persistent' argument is passed to it, and is equal to the value that
a49f08423f02 [auth] Use a second authtkt policy for 'rememberme' Christophe de Vienne <christophe@unlish.com> parents: 11561 diff changeset	56	was passed to the constructor.
a49f08423f02 [auth] Use a second authtkt policy for 'rememberme' Christophe de Vienne <christophe@unlish.com> parents: 11561 diff changeset	57
a49f08423f02 [auth] Use a second authtkt policy for 'rememberme' Christophe de Vienne <christophe@unlish.com> parents: 11561 diff changeset	58	This allow to combine two policies with different settings and select them
a49f08423f02 [auth] Use a second authtkt policy for 'rememberme' Christophe de Vienne <christophe@unlish.com> parents: 11561 diff changeset	59	by just setting this argument.
a49f08423f02 [auth] Use a second authtkt policy for 'rememberme' Christophe de Vienne <christophe@unlish.com> parents: 11561 diff changeset	60	"""
11592 197e10cb74f7 [auth] Make the configuration cookies completely configurable Christophe de Vienne <cdevienne@gmail.com> parents: 11562 diff changeset	61	def __init__(self, secret, persistent, defaults={}, prefix='', **settings):
11562 a49f08423f02 [auth] Use a second authtkt policy for 'rememberme' Christophe de Vienne <christophe@unlish.com> parents: 11561 diff changeset	62	self.persistent = persistent
11592 197e10cb74f7 [auth] Make the configuration cookies completely configurable Christophe de Vienne <cdevienne@gmail.com> parents: 11562 diff changeset	63	unset = object()
197e10cb74f7 [auth] Make the configuration cookies completely configurable Christophe de Vienne <cdevienne@gmail.com> parents: 11562 diff changeset	64	kw = {}
197e10cb74f7 [auth] Make the configuration cookies completely configurable Christophe de Vienne <cdevienne@gmail.com> parents: 11562 diff changeset	65	# load string settings
197e10cb74f7 [auth] Make the configuration cookies completely configurable Christophe de Vienne <cdevienne@gmail.com> parents: 11562 diff changeset	66	for name in ('cookie_name', 'path', 'domain', 'hashalg'):
197e10cb74f7 [auth] Make the configuration cookies completely configurable Christophe de Vienne <cdevienne@gmail.com> parents: 11562 diff changeset	67	value = settings.get(prefix + name, defaults.get(name, unset))
197e10cb74f7 [auth] Make the configuration cookies completely configurable Christophe de Vienne <cdevienne@gmail.com> parents: 11562 diff changeset	68	if value is not unset:
197e10cb74f7 [auth] Make the configuration cookies completely configurable Christophe de Vienne <cdevienne@gmail.com> parents: 11562 diff changeset	69	kw[name] = value
197e10cb74f7 [auth] Make the configuration cookies completely configurable Christophe de Vienne <cdevienne@gmail.com> parents: 11562 diff changeset	70	# load boolean settings
197e10cb74f7 [auth] Make the configuration cookies completely configurable Christophe de Vienne <cdevienne@gmail.com> parents: 11562 diff changeset	71	for name in ('secure', 'include_ip', 'http_only', 'wild_domain',
197e10cb74f7 [auth] Make the configuration cookies completely configurable Christophe de Vienne <cdevienne@gmail.com> parents: 11562 diff changeset	72	'parent_domain', 'debug'):
197e10cb74f7 [auth] Make the configuration cookies completely configurable Christophe de Vienne <cdevienne@gmail.com> parents: 11562 diff changeset	73	value = settings.get(prefix + name, defaults.get(name, unset))
197e10cb74f7 [auth] Make the configuration cookies completely configurable Christophe de Vienne <cdevienne@gmail.com> parents: 11562 diff changeset	74	if value is not unset:
197e10cb74f7 [auth] Make the configuration cookies completely configurable Christophe de Vienne <cdevienne@gmail.com> parents: 11562 diff changeset	75	kw[name] = asbool(value)
197e10cb74f7 [auth] Make the configuration cookies completely configurable Christophe de Vienne <cdevienne@gmail.com> parents: 11562 diff changeset	76	# load int settings
197e10cb74f7 [auth] Make the configuration cookies completely configurable Christophe de Vienne <cdevienne@gmail.com> parents: 11562 diff changeset	77	for name in ('timeout', 'reissue_time', 'max_age'):
197e10cb74f7 [auth] Make the configuration cookies completely configurable Christophe de Vienne <cdevienne@gmail.com> parents: 11562 diff changeset	78	value = settings.get(prefix + name, defaults.get(name, unset))
197e10cb74f7 [auth] Make the configuration cookies completely configurable Christophe de Vienne <cdevienne@gmail.com> parents: 11562 diff changeset	79	if value is not unset:
197e10cb74f7 [auth] Make the configuration cookies completely configurable Christophe de Vienne <cdevienne@gmail.com> parents: 11562 diff changeset	80	kw[name] = int(value)
11562 a49f08423f02 [auth] Use a second authtkt policy for 'rememberme' Christophe de Vienne <christophe@unlish.com> parents: 11561 diff changeset	81	super(CWAuthTktAuthenticationPolicy, self).__init__(secret, **kw)
a49f08423f02 [auth] Use a second authtkt policy for 'rememberme' Christophe de Vienne <christophe@unlish.com> parents: 11561 diff changeset	82
a49f08423f02 [auth] Use a second authtkt policy for 'rememberme' Christophe de Vienne <christophe@unlish.com> parents: 11561 diff changeset	83	def remember(self, request, principals, **kw):
a49f08423f02 [auth] Use a second authtkt policy for 'rememberme' Christophe de Vienne <christophe@unlish.com> parents: 11561 diff changeset	84	if 'persistent' not in kw or kw.pop('persistent') == self.persistent:
a49f08423f02 [auth] Use a second authtkt policy for 'rememberme' Christophe de Vienne <christophe@unlish.com> parents: 11561 diff changeset	85	return super(CWAuthTktAuthenticationPolicy, self).remember(
a49f08423f02 [auth] Use a second authtkt policy for 'rememberme' Christophe de Vienne <christophe@unlish.com> parents: 11561 diff changeset	86	request, principals, **kw)
a49f08423f02 [auth] Use a second authtkt policy for 'rememberme' Christophe de Vienne <christophe@unlish.com> parents: 11561 diff changeset	87	else:
a49f08423f02 [auth] Use a second authtkt policy for 'rememberme' Christophe de Vienne <christophe@unlish.com> parents: 11561 diff changeset	88	return ()
a49f08423f02 [auth] Use a second authtkt policy for 'rememberme' Christophe de Vienne <christophe@unlish.com> parents: 11561 diff changeset	89
a49f08423f02 [auth] Use a second authtkt policy for 'rememberme' Christophe de Vienne <christophe@unlish.com> parents: 11561 diff changeset	90
11533 4ced3782b90f Move auth-related configuration to a dedicated module. Christophe de Vienne <christophe@unlish.com> parents: diff changeset	91	def includeme(config):
11537 caf268942436 Initial documentation. Christophe de Vienne <christophe@unlish.com> parents: 11533 diff changeset	92	""" Activate the CubicWeb AuthTkt authentication policy.
caf268942436 Initial documentation. Christophe de Vienne <christophe@unlish.com> parents: 11533 diff changeset	93
11631 faf279e33298 Merge with pyramid-cubicweb Yann Voté <yann.vote@logilab.fr> parents: 11593 diff changeset	94	Usually called via ``config.include('cubicweb.pyramid.auth')``.
11537 caf268942436 Initial documentation. Christophe de Vienne <christophe@unlish.com> parents: 11533 diff changeset	95
caf268942436 Initial documentation. Christophe de Vienne <christophe@unlish.com> parents: 11533 diff changeset	96	See also :ref:`defaults_module`
caf268942436 Initial documentation. Christophe de Vienne <christophe@unlish.com> parents: 11533 diff changeset	97	"""
11561 25d93d14f8b6 [auth] Use pyramid_multiauth Christophe de Vienne <christophe@unlish.com> parents: 11537 diff changeset	98	settings = config.registry.settings
25d93d14f8b6 [auth] Use pyramid_multiauth Christophe de Vienne <christophe@unlish.com> parents: 11537 diff changeset	99
25d93d14f8b6 [auth] Use pyramid_multiauth Christophe de Vienne <christophe@unlish.com> parents: 11537 diff changeset	100	policies = []
25d93d14f8b6 [auth] Use pyramid_multiauth Christophe de Vienne <christophe@unlish.com> parents: 11537 diff changeset	101
25d93d14f8b6 [auth] Use pyramid_multiauth Christophe de Vienne <christophe@unlish.com> parents: 11537 diff changeset	102	if asbool(settings.get('cubicweb.auth.update_login_time', True)):
25d93d14f8b6 [auth] Use pyramid_multiauth Christophe de Vienne <christophe@unlish.com> parents: 11537 diff changeset	103	policies.append(UpdateLoginTimeAuthenticationPolicy())
11533 4ced3782b90f Move auth-related configuration to a dedicated module. Christophe de Vienne <christophe@unlish.com> parents: diff changeset	104
11561 25d93d14f8b6 [auth] Use pyramid_multiauth Christophe de Vienne <christophe@unlish.com> parents: 11537 diff changeset	105	if asbool(settings.get('cubicweb.auth.authtkt', True)):
11592 197e10cb74f7 [auth] Make the configuration cookies completely configurable Christophe de Vienne <cdevienne@gmail.com> parents: 11562 diff changeset	106	session_prefix = 'cubicweb.auth.authtkt.session.'
197e10cb74f7 [auth] Make the configuration cookies completely configurable Christophe de Vienne <cdevienne@gmail.com> parents: 11562 diff changeset	107	persistent_prefix = 'cubicweb.auth.authtkt.persistent.'
11533 4ced3782b90f Move auth-related configuration to a dedicated module. Christophe de Vienne <christophe@unlish.com> parents: diff changeset	108
11592 197e10cb74f7 [auth] Make the configuration cookies completely configurable Christophe de Vienne <cdevienne@gmail.com> parents: 11562 diff changeset	109	try:
197e10cb74f7 [auth] Make the configuration cookies completely configurable Christophe de Vienne <cdevienne@gmail.com> parents: 11562 diff changeset	110	secret = config.registry['cubicweb.config']['pyramid-auth-secret']
197e10cb74f7 [auth] Make the configuration cookies completely configurable Christophe de Vienne <cdevienne@gmail.com> parents: 11562 diff changeset	111	warnings.warn(
197e10cb74f7 [auth] Make the configuration cookies completely configurable Christophe de Vienne <cdevienne@gmail.com> parents: 11562 diff changeset	112	"pyramid-auth-secret from all-in-one is now "
197e10cb74f7 [auth] Make the configuration cookies completely configurable Christophe de Vienne <cdevienne@gmail.com> parents: 11562 diff changeset	113	"cubicweb.auth.authtkt.[session\|persistent].secret",
197e10cb74f7 [auth] Make the configuration cookies completely configurable Christophe de Vienne <cdevienne@gmail.com> parents: 11562 diff changeset	114	DeprecationWarning)
197e10cb74f7 [auth] Make the configuration cookies completely configurable Christophe de Vienne <cdevienne@gmail.com> parents: 11562 diff changeset	115	except:
11561 25d93d14f8b6 [auth] Use pyramid_multiauth Christophe de Vienne <christophe@unlish.com> parents: 11537 diff changeset	116	secret = 'notsosecret'
11592 197e10cb74f7 [auth] Make the configuration cookies completely configurable Christophe de Vienne <cdevienne@gmail.com> parents: 11562 diff changeset	117
197e10cb74f7 [auth] Make the configuration cookies completely configurable Christophe de Vienne <cdevienne@gmail.com> parents: 11562 diff changeset	118	session_secret = settings.get(
197e10cb74f7 [auth] Make the configuration cookies completely configurable Christophe de Vienne <cdevienne@gmail.com> parents: 11562 diff changeset	119	session_prefix + 'secret', secret)
197e10cb74f7 [auth] Make the configuration cookies completely configurable Christophe de Vienne <cdevienne@gmail.com> parents: 11562 diff changeset	120	persistent_secret = settings.get(
197e10cb74f7 [auth] Make the configuration cookies completely configurable Christophe de Vienne <cdevienne@gmail.com> parents: 11562 diff changeset	121	persistent_prefix + 'secret', secret)
197e10cb74f7 [auth] Make the configuration cookies completely configurable Christophe de Vienne <cdevienne@gmail.com> parents: 11562 diff changeset	122
197e10cb74f7 [auth] Make the configuration cookies completely configurable Christophe de Vienne <cdevienne@gmail.com> parents: 11562 diff changeset	123	if 'notsosecret' in (session_secret, persistent_secret):
11561 25d93d14f8b6 [auth] Use pyramid_multiauth Christophe de Vienne <christophe@unlish.com> parents: 11537 diff changeset	124	warnings.warn('''
25d93d14f8b6 [auth] Use pyramid_multiauth Christophe de Vienne <christophe@unlish.com> parents: 11537 diff changeset	125
11592 197e10cb74f7 [auth] Make the configuration cookies completely configurable Christophe de Vienne <cdevienne@gmail.com> parents: 11562 diff changeset	126	!! SECURITY WARNING !!
11533 4ced3782b90f Move auth-related configuration to a dedicated module. Christophe de Vienne <christophe@unlish.com> parents: diff changeset	127
11561 25d93d14f8b6 [auth] Use pyramid_multiauth Christophe de Vienne <christophe@unlish.com> parents: 11537 diff changeset	128	The authentication cookies are signed with a static secret key.
11592 197e10cb74f7 [auth] Make the configuration cookies completely configurable Christophe de Vienne <cdevienne@gmail.com> parents: 11562 diff changeset	129
197e10cb74f7 [auth] Make the configuration cookies completely configurable Christophe de Vienne <cdevienne@gmail.com> parents: 11562 diff changeset	130	Configure the following options in your pyramid.ini file:
197e10cb74f7 [auth] Make the configuration cookies completely configurable Christophe de Vienne <cdevienne@gmail.com> parents: 11562 diff changeset	131
197e10cb74f7 [auth] Make the configuration cookies completely configurable Christophe de Vienne <cdevienne@gmail.com> parents: 11562 diff changeset	132	- cubicweb.auth.authtkt.session.secret
197e10cb74f7 [auth] Make the configuration cookies completely configurable Christophe de Vienne <cdevienne@gmail.com> parents: 11562 diff changeset	133	- cubicweb.auth.authtkt.persistent.secret
11533 4ced3782b90f Move auth-related configuration to a dedicated module. Christophe de Vienne <christophe@unlish.com> parents: diff changeset	134
11561 25d93d14f8b6 [auth] Use pyramid_multiauth Christophe de Vienne <christophe@unlish.com> parents: 11537 diff changeset	135	YOU SHOULD STOP THIS INSTANCE unless your really know what you
25d93d14f8b6 [auth] Use pyramid_multiauth Christophe de Vienne <christophe@unlish.com> parents: 11537 diff changeset	136	are doing !!
25d93d14f8b6 [auth] Use pyramid_multiauth Christophe de Vienne <christophe@unlish.com> parents: 11537 diff changeset	137
25d93d14f8b6 [auth] Use pyramid_multiauth Christophe de Vienne <christophe@unlish.com> parents: 11537 diff changeset	138	''')
11533 4ced3782b90f Move auth-related configuration to a dedicated module. Christophe de Vienne <christophe@unlish.com> parents: diff changeset	139
11561 25d93d14f8b6 [auth] Use pyramid_multiauth Christophe de Vienne <christophe@unlish.com> parents: 11537 diff changeset	140	policies.append(
11562 a49f08423f02 [auth] Use a second authtkt policy for 'rememberme' Christophe de Vienne <christophe@unlish.com> parents: 11561 diff changeset	141	CWAuthTktAuthenticationPolicy(
11592 197e10cb74f7 [auth] Make the configuration cookies completely configurable Christophe de Vienne <cdevienne@gmail.com> parents: 11562 diff changeset	142	session_secret, False,
197e10cb74f7 [auth] Make the configuration cookies completely configurable Christophe de Vienne <cdevienne@gmail.com> parents: 11562 diff changeset	143	defaults={
197e10cb74f7 [auth] Make the configuration cookies completely configurable Christophe de Vienne <cdevienne@gmail.com> parents: 11562 diff changeset	144	'hashalg': 'sha512',
197e10cb74f7 [auth] Make the configuration cookies completely configurable Christophe de Vienne <cdevienne@gmail.com> parents: 11562 diff changeset	145	'cookie_name': 'auth_tkt',
197e10cb74f7 [auth] Make the configuration cookies completely configurable Christophe de Vienne <cdevienne@gmail.com> parents: 11562 diff changeset	146	'timeout': 1200,
11593 73bf8377a3d5 [auth] Authtkt http_only and secure by default Christophe de Vienne <cdevienne@gmail.com> parents: 11592 diff changeset	147	'reissue_time': 120,
73bf8377a3d5 [auth] Authtkt http_only and secure by default Christophe de Vienne <cdevienne@gmail.com> parents: 11592 diff changeset	148	'http_only': True,
73bf8377a3d5 [auth] Authtkt http_only and secure by default Christophe de Vienne <cdevienne@gmail.com> parents: 11592 diff changeset	149	'secure': True
11592 197e10cb74f7 [auth] Make the configuration cookies completely configurable Christophe de Vienne <cdevienne@gmail.com> parents: 11562 diff changeset	150	},
197e10cb74f7 [auth] Make the configuration cookies completely configurable Christophe de Vienne <cdevienne@gmail.com> parents: 11562 diff changeset	151	prefix=session_prefix,
197e10cb74f7 [auth] Make the configuration cookies completely configurable Christophe de Vienne <cdevienne@gmail.com> parents: 11562 diff changeset	152	**settings
11562 a49f08423f02 [auth] Use a second authtkt policy for 'rememberme' Christophe de Vienne <christophe@unlish.com> parents: 11561 diff changeset	153	)
a49f08423f02 [auth] Use a second authtkt policy for 'rememberme' Christophe de Vienne <christophe@unlish.com> parents: 11561 diff changeset	154	)
a49f08423f02 [auth] Use a second authtkt policy for 'rememberme' Christophe de Vienne <christophe@unlish.com> parents: 11561 diff changeset	155
a49f08423f02 [auth] Use a second authtkt policy for 'rememberme' Christophe de Vienne <christophe@unlish.com> parents: 11561 diff changeset	156	policies.append(
a49f08423f02 [auth] Use a second authtkt policy for 'rememberme' Christophe de Vienne <christophe@unlish.com> parents: 11561 diff changeset	157	CWAuthTktAuthenticationPolicy(
11592 197e10cb74f7 [auth] Make the configuration cookies completely configurable Christophe de Vienne <cdevienne@gmail.com> parents: 11562 diff changeset	158	persistent_secret, True,
197e10cb74f7 [auth] Make the configuration cookies completely configurable Christophe de Vienne <cdevienne@gmail.com> parents: 11562 diff changeset	159	defaults={
197e10cb74f7 [auth] Make the configuration cookies completely configurable Christophe de Vienne <cdevienne@gmail.com> parents: 11562 diff changeset	160	'hashalg': 'sha512',
197e10cb74f7 [auth] Make the configuration cookies completely configurable Christophe de Vienne <cdevienne@gmail.com> parents: 11562 diff changeset	161	'cookie_name': 'pauth_tkt',
197e10cb74f7 [auth] Make the configuration cookies completely configurable Christophe de Vienne <cdevienne@gmail.com> parents: 11562 diff changeset	162	'max_age': 36002430,
11593 73bf8377a3d5 [auth] Authtkt http_only and secure by default Christophe de Vienne <cdevienne@gmail.com> parents: 11592 diff changeset	163	'reissue_time': 3600*24,
73bf8377a3d5 [auth] Authtkt http_only and secure by default Christophe de Vienne <cdevienne@gmail.com> parents: 11592 diff changeset	164	'http_only': True,
73bf8377a3d5 [auth] Authtkt http_only and secure by default Christophe de Vienne <cdevienne@gmail.com> parents: 11592 diff changeset	165	'secure': True
11592 197e10cb74f7 [auth] Make the configuration cookies completely configurable Christophe de Vienne <cdevienne@gmail.com> parents: 11562 diff changeset	166	},
197e10cb74f7 [auth] Make the configuration cookies completely configurable Christophe de Vienne <cdevienne@gmail.com> parents: 11562 diff changeset	167	prefix=persistent_prefix,
197e10cb74f7 [auth] Make the configuration cookies completely configurable Christophe de Vienne <cdevienne@gmail.com> parents: 11562 diff changeset	168	**settings
11562 a49f08423f02 [auth] Use a second authtkt policy for 'rememberme' Christophe de Vienne <christophe@unlish.com> parents: 11561 diff changeset	169	)
a49f08423f02 [auth] Use a second authtkt policy for 'rememberme' Christophe de Vienne <christophe@unlish.com> parents: 11561 diff changeset	170	)
11533 4ced3782b90f Move auth-related configuration to a dedicated module. Christophe de Vienne <christophe@unlish.com> parents: diff changeset	171
11561 25d93d14f8b6 [auth] Use pyramid_multiauth Christophe de Vienne <christophe@unlish.com> parents: 11537 diff changeset	172	kw = {}
25d93d14f8b6 [auth] Use pyramid_multiauth Christophe de Vienne <christophe@unlish.com> parents: 11537 diff changeset	173	if asbool(settings.get('cubicweb.auth.groups_principals', True)):
25d93d14f8b6 [auth] Use pyramid_multiauth Christophe de Vienne <christophe@unlish.com> parents: 11537 diff changeset	174	kw['callback'] = get_principals
25d93d14f8b6 [auth] Use pyramid_multiauth Christophe de Vienne <christophe@unlish.com> parents: 11537 diff changeset	175
25d93d14f8b6 [auth] Use pyramid_multiauth Christophe de Vienne <christophe@unlish.com> parents: 11537 diff changeset	176	authpolicy = MultiAuthenticationPolicy(policies, **kw)
25d93d14f8b6 [auth] Use pyramid_multiauth Christophe de Vienne <christophe@unlish.com> parents: 11537 diff changeset	177	config.registry['cubicweb.authpolicy'] = authpolicy
25d93d14f8b6 [auth] Use pyramid_multiauth Christophe de Vienne <christophe@unlish.com> parents: 11537 diff changeset	178
25d93d14f8b6 [auth] Use pyramid_multiauth Christophe de Vienne <christophe@unlish.com> parents: 11537 diff changeset	179	config.set_authentication_policy(authpolicy)
11533 4ced3782b90f Move auth-related configuration to a dedicated module. Christophe de Vienne <christophe@unlish.com> parents: diff changeset	180	config.set_authorization_policy(ACLAuthorizationPolicy())

author	Sylvain Thénault <sylvain.thenault@logilab.fr>
	Thu, 29 Sep 2016 23:11:38 +0200
changeset 11760	efb8250e37fb
parent 11631	faf279e33298
child 11811	f09efeead7f9
permissions	-rw-r--r--