cubicweb: cubicweb/pyramid/session.py@fb6aecd654a3 (annotated)

11967 83739be20fab [pyramid] Add a copyright and docstring to all modules Denis Laxalde <denis.laxalde@logilab.fr> parents: 11896 diff changeset	1	# copyright 2017 LOGILAB S.A. (Paris, FRANCE), all rights reserved.
83739be20fab [pyramid] Add a copyright and docstring to all modules Denis Laxalde <denis.laxalde@logilab.fr> parents: 11896 diff changeset	2	# copyright 2014-2016 UNLISH S.A.S. (Montpellier, FRANCE), all rights reserved.
83739be20fab [pyramid] Add a copyright and docstring to all modules Denis Laxalde <denis.laxalde@logilab.fr> parents: 11896 diff changeset	3	#
83739be20fab [pyramid] Add a copyright and docstring to all modules Denis Laxalde <denis.laxalde@logilab.fr> parents: 11896 diff changeset	4	# contact http://www.logilab.fr/ -- mailto:contact@logilab.fr
83739be20fab [pyramid] Add a copyright and docstring to all modules Denis Laxalde <denis.laxalde@logilab.fr> parents: 11896 diff changeset	5	#
83739be20fab [pyramid] Add a copyright and docstring to all modules Denis Laxalde <denis.laxalde@logilab.fr> parents: 11896 diff changeset	6	# This file is part of CubicWeb.
83739be20fab [pyramid] Add a copyright and docstring to all modules Denis Laxalde <denis.laxalde@logilab.fr> parents: 11896 diff changeset	7	#
83739be20fab [pyramid] Add a copyright and docstring to all modules Denis Laxalde <denis.laxalde@logilab.fr> parents: 11896 diff changeset	8	# CubicWeb is free software: you can redistribute it and/or modify it under the
83739be20fab [pyramid] Add a copyright and docstring to all modules Denis Laxalde <denis.laxalde@logilab.fr> parents: 11896 diff changeset	9	# terms of the GNU Lesser General Public License as published by the Free
83739be20fab [pyramid] Add a copyright and docstring to all modules Denis Laxalde <denis.laxalde@logilab.fr> parents: 11896 diff changeset	10	# Software Foundation, either version 2.1 of the License, or (at your option)
83739be20fab [pyramid] Add a copyright and docstring to all modules Denis Laxalde <denis.laxalde@logilab.fr> parents: 11896 diff changeset	11	# any later version.
83739be20fab [pyramid] Add a copyright and docstring to all modules Denis Laxalde <denis.laxalde@logilab.fr> parents: 11896 diff changeset	12	#
83739be20fab [pyramid] Add a copyright and docstring to all modules Denis Laxalde <denis.laxalde@logilab.fr> parents: 11896 diff changeset	13	# CubicWeb is distributed in the hope that it will be useful, but WITHOUT
83739be20fab [pyramid] Add a copyright and docstring to all modules Denis Laxalde <denis.laxalde@logilab.fr> parents: 11896 diff changeset	14	# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
83739be20fab [pyramid] Add a copyright and docstring to all modules Denis Laxalde <denis.laxalde@logilab.fr> parents: 11896 diff changeset	15	# FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
83739be20fab [pyramid] Add a copyright and docstring to all modules Denis Laxalde <denis.laxalde@logilab.fr> parents: 11896 diff changeset	16	# details.
83739be20fab [pyramid] Add a copyright and docstring to all modules Denis Laxalde <denis.laxalde@logilab.fr> parents: 11896 diff changeset	17	#
83739be20fab [pyramid] Add a copyright and docstring to all modules Denis Laxalde <denis.laxalde@logilab.fr> parents: 11896 diff changeset	18	# You should have received a copy of the GNU Lesser General Public License along
83739be20fab [pyramid] Add a copyright and docstring to all modules Denis Laxalde <denis.laxalde@logilab.fr> parents: 11896 diff changeset	19	# with CubicWeb. If not, see <http://www.gnu.org/licenses/>.
12108 1a5fc93c81db [doc] Move content of former README.pyramid into relevant modules Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11993 diff changeset	20	"""
1a5fc93c81db [doc] Move content of former README.pyramid into relevant modules Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11993 diff changeset	21	Web session when using pyramid
1a5fc93c81db [doc] Move content of former README.pyramid into relevant modules Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11993 diff changeset	22	------------------------------
11967 83739be20fab [pyramid] Add a copyright and docstring to all modules Denis Laxalde <denis.laxalde@logilab.fr> parents: 11896 diff changeset	23
12108 1a5fc93c81db [doc] Move content of former README.pyramid into relevant modules Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11993 diff changeset	24	CubicWeb ``CWSession`` entity type so that sessions can be
1a5fc93c81db [doc] Move content of former README.pyramid into relevant modules Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11993 diff changeset	25	stored in the database, which allows to run a Cubicweb instance
1a5fc93c81db [doc] Move content of former README.pyramid into relevant modules Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11993 diff changeset	26	without having to set up a session storage (like redis or memcache)
1a5fc93c81db [doc] Move content of former README.pyramid into relevant modules Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11993 diff changeset	27	solution.
1a5fc93c81db [doc] Move content of former README.pyramid into relevant modules Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11993 diff changeset	28
1a5fc93c81db [doc] Move content of former README.pyramid into relevant modules Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11993 diff changeset	29	However, for production systems, it is greatly advised to use such a
1a5fc93c81db [doc] Move content of former README.pyramid into relevant modules Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11993 diff changeset	30	storage solution for the sessions.
1a5fc93c81db [doc] Move content of former README.pyramid into relevant modules Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11993 diff changeset	31
1a5fc93c81db [doc] Move content of former README.pyramid into relevant modules Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11993 diff changeset	32	The handling of the sessions is made by pyramid (see the
1a5fc93c81db [doc] Move content of former README.pyramid into relevant modules Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11993 diff changeset	33	`pyramid's documentation on sessions`_ for more details).
1a5fc93c81db [doc] Move content of former README.pyramid into relevant modules Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11993 diff changeset	34
1a5fc93c81db [doc] Move content of former README.pyramid into relevant modules Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11993 diff changeset	35	For example, to set up a redis based session storage, you need the
1a5fc93c81db [doc] Move content of former README.pyramid into relevant modules Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11993 diff changeset	36	`pyramid-redis-session`_ package, then you must configure pyramid to
1a5fc93c81db [doc] Move content of former README.pyramid into relevant modules Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11993 diff changeset	37	use this backend, by configuring the pyramid configuration file:
1a5fc93c81db [doc] Move content of former README.pyramid into relevant modules Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11993 diff changeset	38
1a5fc93c81db [doc] Move content of former README.pyramid into relevant modules Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11993 diff changeset	39
1a5fc93c81db [doc] Move content of former README.pyramid into relevant modules Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11993 diff changeset	40	.. code-block:: ini
1a5fc93c81db [doc] Move content of former README.pyramid into relevant modules Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11993 diff changeset	41
1a5fc93c81db [doc] Move content of former README.pyramid into relevant modules Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11993 diff changeset	42	[main]
1a5fc93c81db [doc] Move content of former README.pyramid into relevant modules Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11993 diff changeset	43	cubicweb.defaults = no # we do not want to load the default cw session handling
1a5fc93c81db [doc] Move content of former README.pyramid into relevant modules Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11993 diff changeset	44
1a5fc93c81db [doc] Move content of former README.pyramid into relevant modules Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11993 diff changeset	45	cubicweb.auth.authtkt.session.secret = <secret1>
1a5fc93c81db [doc] Move content of former README.pyramid into relevant modules Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11993 diff changeset	46	cubicweb.auth.authtkt.persistent.secret = <secret2>
1a5fc93c81db [doc] Move content of former README.pyramid into relevant modules Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11993 diff changeset	47	cubicweb.auth.authtkt.session.secure = yes
1a5fc93c81db [doc] Move content of former README.pyramid into relevant modules Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11993 diff changeset	48	cubicweb.auth.authtkt.persistent.secure = yes
1a5fc93c81db [doc] Move content of former README.pyramid into relevant modules Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11993 diff changeset	49
1a5fc93c81db [doc] Move content of former README.pyramid into relevant modules Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11993 diff changeset	50	redis.sessions.secret = <secret3>
1a5fc93c81db [doc] Move content of former README.pyramid into relevant modules Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11993 diff changeset	51	redis.sessions.prefix = <my-app>:
1a5fc93c81db [doc] Move content of former README.pyramid into relevant modules Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11993 diff changeset	52
1a5fc93c81db [doc] Move content of former README.pyramid into relevant modules Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11993 diff changeset	53	redis.sessions.url = redis://localhost:6379/0
1a5fc93c81db [doc] Move content of former README.pyramid into relevant modules Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11993 diff changeset	54
1a5fc93c81db [doc] Move content of former README.pyramid into relevant modules Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11993 diff changeset	55	pyramid.includes =
1a5fc93c81db [doc] Move content of former README.pyramid into relevant modules Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11993 diff changeset	56	pyramid_redis_sessions
1a5fc93c81db [doc] Move content of former README.pyramid into relevant modules Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11993 diff changeset	57	cubicweb.pyramid.auth
1a5fc93c81db [doc] Move content of former README.pyramid into relevant modules Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11993 diff changeset	58	cubicweb.pyramid.login
1a5fc93c81db [doc] Move content of former README.pyramid into relevant modules Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11993 diff changeset	59
1a5fc93c81db [doc] Move content of former README.pyramid into relevant modules Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11993 diff changeset	60
1a5fc93c81db [doc] Move content of former README.pyramid into relevant modules Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11993 diff changeset	61	.. Warning:: If you want to be able to log in a CubicWeb application
1a5fc93c81db [doc] Move content of former README.pyramid into relevant modules Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11993 diff changeset	62	served by pyramid on a unsecured stream (typically when
1a5fc93c81db [doc] Move content of former README.pyramid into relevant modules Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11993 diff changeset	63	you start an instance in dev mode using a simple
1a5fc93c81db [doc] Move content of former README.pyramid into relevant modules Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11993 diff changeset	64	``cubicweb-ctl pyramid -D -linfo myinstance``), you
1a5fc93c81db [doc] Move content of former README.pyramid into relevant modules Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11993 diff changeset	65	must set ``cubicweb.auth.authtkt.session.secure`` to
1a5fc93c81db [doc] Move content of former README.pyramid into relevant modules Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11993 diff changeset	66	``no``.
1a5fc93c81db [doc] Move content of former README.pyramid into relevant modules Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11993 diff changeset	67
1a5fc93c81db [doc] Move content of former README.pyramid into relevant modules Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11993 diff changeset	68	Secrets
1a5fc93c81db [doc] Move content of former README.pyramid into relevant modules Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11993 diff changeset	69	~~~~~~~
1a5fc93c81db [doc] Move content of former README.pyramid into relevant modules Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11993 diff changeset	70
1a5fc93c81db [doc] Move content of former README.pyramid into relevant modules Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11993 diff changeset	71	There are a number of secrets to configure in ``pyramid.ini``. They
1a5fc93c81db [doc] Move content of former README.pyramid into relevant modules Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11993 diff changeset	72	should be different one from each other, as explained in `Pyramid's
1a5fc93c81db [doc] Move content of former README.pyramid into relevant modules Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11993 diff changeset	73	documentation`_.
1a5fc93c81db [doc] Move content of former README.pyramid into relevant modules Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11993 diff changeset	74
1a5fc93c81db [doc] Move content of former README.pyramid into relevant modules Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11993 diff changeset	75	For the record, regarding session handling:
1a5fc93c81db [doc] Move content of former README.pyramid into relevant modules Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11993 diff changeset	76
1a5fc93c81db [doc] Move content of former README.pyramid into relevant modules Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11993 diff changeset	77	:cubicweb.session.secret: This secret is used to encrypt the session's
1a5fc93c81db [doc] Move content of former README.pyramid into relevant modules Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11993 diff changeset	78	data ID (data themselved are stored in the backend, database or
1a5fc93c81db [doc] Move content of former README.pyramid into relevant modules Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11993 diff changeset	79	redis) when using the integrated (``CWSession`` based) session data
1a5fc93c81db [doc] Move content of former README.pyramid into relevant modules Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11993 diff changeset	80	storage.
1a5fc93c81db [doc] Move content of former README.pyramid into relevant modules Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11993 diff changeset	81
1a5fc93c81db [doc] Move content of former README.pyramid into relevant modules Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11993 diff changeset	82	:redis.session.secret: This secret is used to encrypt the session's
1a5fc93c81db [doc] Move content of former README.pyramid into relevant modules Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11993 diff changeset	83	data ID (data themselved are stored in the backend, database or
1a5fc93c81db [doc] Move content of former README.pyramid into relevant modules Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11993 diff changeset	84	redis) when using redis as backend.
1a5fc93c81db [doc] Move content of former README.pyramid into relevant modules Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11993 diff changeset	85	"""
11967 83739be20fab [pyramid] Add a copyright and docstring to all modules Denis Laxalde <denis.laxalde@logilab.fr> parents: 11896 diff changeset	86
11506 bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	87	import warnings
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	88	import logging
11629 0459094d9728 Use opened connections as much as possible Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11625 diff changeset	89	from contextlib import contextmanager
11506 bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	90
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	91	from pyramid.compat import pickle
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	92	from pyramid.session import SignedCookieSessionFactory
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	93
12278 77a543e7878a [pyramid] Recreate CWSession entity when eid no longer exists Denis Laxalde <denis.laxalde@logilab.fr> parents: 12243 diff changeset	94	from cubicweb import (
77a543e7878a [pyramid] Recreate CWSession entity when eid no longer exists Denis Laxalde <denis.laxalde@logilab.fr> parents: 12243 diff changeset	95	Binary,
77a543e7878a [pyramid] Recreate CWSession entity when eid no longer exists Denis Laxalde <denis.laxalde@logilab.fr> parents: 12243 diff changeset	96	UnknownEid,
77a543e7878a [pyramid] Recreate CWSession entity when eid no longer exists Denis Laxalde <denis.laxalde@logilab.fr> parents: 12243 diff changeset	97	)
11506 bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	98
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	99
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	100	log = logging.getLogger(__name__)
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	101
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	102
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	103	def logerrors(logger):
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	104	def wrap(fn):
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	105	def newfn(args, *kw):
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	106	try:
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	107	return fn(args, *kw)
12225 a8ed10f80a85 [pyramid] Get rid of a couple of bare "except" Denis Laxalde <denis.laxalde@logilab.fr> parents: 12108 diff changeset	108	except Exception:
11506 bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	109	logger.exception("Error in %s" % fn.__name__)
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	110	return newfn
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	111	return wrap
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	112
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	113
11629 0459094d9728 Use opened connections as much as possible Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11625 diff changeset	114	@contextmanager
0459094d9728 Use opened connections as much as possible Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11625 diff changeset	115	def unsafe_cnx_context_manager(request):
0459094d9728 Use opened connections as much as possible Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11625 diff changeset	116	"""Return a connection for use as a context manager, with security disabled
0459094d9728 Use opened connections as much as possible Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11625 diff changeset	117
0459094d9728 Use opened connections as much as possible Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11625 diff changeset	118	If request has an attached connection, its security will be deactived in the context manager's
0459094d9728 Use opened connections as much as possible Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11625 diff changeset	119	scope, else a new internal connection is returned.
11896 327585fd7670 [pyramid] Don't use unsafe_cnx_context_manager for write queries Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11631 diff changeset	120
327585fd7670 [pyramid] Don't use unsafe_cnx_context_manager for write queries Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11631 diff changeset	121	This should be used for read-only queries, not if you intend to commit/rollback some data.
11629 0459094d9728 Use opened connections as much as possible Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11625 diff changeset	122	"""
0459094d9728 Use opened connections as much as possible Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11625 diff changeset	123	cnx = request.cw_cnx
0459094d9728 Use opened connections as much as possible Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11625 diff changeset	124	if cnx is None:
0459094d9728 Use opened connections as much as possible Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11625 diff changeset	125	with request.registry['cubicweb.repository'].internal_cnx() as cnx:
0459094d9728 Use opened connections as much as possible Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11625 diff changeset	126	yield cnx
0459094d9728 Use opened connections as much as possible Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11625 diff changeset	127	else:
0459094d9728 Use opened connections as much as possible Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11625 diff changeset	128	with cnx.security_enabled(read=False, write=False):
0459094d9728 Use opened connections as much as possible Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11625 diff changeset	129	yield cnx
0459094d9728 Use opened connections as much as possible Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11625 diff changeset	130
0459094d9728 Use opened connections as much as possible Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11625 diff changeset	131
11506 bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	132	def CWSessionFactory(
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	133	secret,
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	134	cookie_name='session',
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	135	max_age=None,
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	136	path='/',
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	137	domain=None,
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	138	secure=False,
11579 78ba3e88a549 set httponly on session cookie Julien Cristau <julien.cristau@logilab.fr> parents: 11537 diff changeset	139	httponly=True,
11506 bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	140	set_on_exception=True,
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	141	timeout=1200,
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	142	reissue_time=120,
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	143	hashalg='sha512',
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	144	salt='pyramid.session.',
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	145	serializer=None):
11537 caf268942436 Initial documentation. Christophe de Vienne <christophe@unlish.com> parents: 11506 diff changeset	146	""" A pyramid session factory that store session data in the CubicWeb
caf268942436 Initial documentation. Christophe de Vienne <christophe@unlish.com> parents: 11506 diff changeset	147	database.
caf268942436 Initial documentation. Christophe de Vienne <christophe@unlish.com> parents: 11506 diff changeset	148
caf268942436 Initial documentation. Christophe de Vienne <christophe@unlish.com> parents: 11506 diff changeset	149	Storage is done with the 'CWSession' entity, which is provided by the
caf268942436 Initial documentation. Christophe de Vienne <christophe@unlish.com> parents: 11506 diff changeset	150	'pyramid' cube.
caf268942436 Initial documentation. Christophe de Vienne <christophe@unlish.com> parents: 11506 diff changeset	151
caf268942436 Initial documentation. Christophe de Vienne <christophe@unlish.com> parents: 11506 diff changeset	152	.. warning::
caf268942436 Initial documentation. Christophe de Vienne <christophe@unlish.com> parents: 11506 diff changeset	153
caf268942436 Initial documentation. Christophe de Vienne <christophe@unlish.com> parents: 11506 diff changeset	154	Although it provides a sane default behavior, this session storage has
caf268942436 Initial documentation. Christophe de Vienne <christophe@unlish.com> parents: 11506 diff changeset	155	a serious overhead because it uses RQL to access the database.
caf268942436 Initial documentation. Christophe de Vienne <christophe@unlish.com> parents: 11506 diff changeset	156
caf268942436 Initial documentation. Christophe de Vienne <christophe@unlish.com> parents: 11506 diff changeset	157	Using pure SQL would improve a bit (it is roughly twice faster), but it
caf268942436 Initial documentation. Christophe de Vienne <christophe@unlish.com> parents: 11506 diff changeset	158	is still pretty slow and thus not an immediate priority.
caf268942436 Initial documentation. Christophe de Vienne <christophe@unlish.com> parents: 11506 diff changeset	159
caf268942436 Initial documentation. Christophe de Vienne <christophe@unlish.com> parents: 11506 diff changeset	160	It is recommended to use faster session factory
caf268942436 Initial documentation. Christophe de Vienne <christophe@unlish.com> parents: 11506 diff changeset	161	(pyramid_redis_sessions_ for example) if you need speed.
caf268942436 Initial documentation. Christophe de Vienne <christophe@unlish.com> parents: 11506 diff changeset	162
caf268942436 Initial documentation. Christophe de Vienne <christophe@unlish.com> parents: 11506 diff changeset	163	.. _pyramid_redis_sessions: http://pyramid-redis-sessions.readthedocs.org/
caf268942436 Initial documentation. Christophe de Vienne <christophe@unlish.com> parents: 11506 diff changeset	164	en/latest/index.html
caf268942436 Initial documentation. Christophe de Vienne <christophe@unlish.com> parents: 11506 diff changeset	165	"""
11506 bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	166
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	167	SignedCookieSession = SignedCookieSessionFactory(
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	168	secret,
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	169	cookie_name=cookie_name,
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	170	max_age=max_age,
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	171	path=path,
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	172	domain=domain,
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	173	secure=secure,
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	174	httponly=httponly,
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	175	set_on_exception=set_on_exception,
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	176	timeout=timeout,
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	177	reissue_time=reissue_time,
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	178	hashalg=hashalg,
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	179	salt=salt,
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	180	serializer=serializer)
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	181
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	182	class CWSession(SignedCookieSession):
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	183	def __init__(self, request):
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	184	# _set_accessed will be called by the super __init__.
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	185	# Setting _loaded to True inhibates it.
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	186	self._loaded = True
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	187
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	188	# the super __init__ will load a single value in the dictionnary,
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	189	# the session id.
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	190	super(CWSession, self).__init__(request)
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	191
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	192	# Remove the session id from the dict
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	193	self.sessioneid = self.pop('sessioneid', None)
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	194	self.repo = request.registry['cubicweb.repository']
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	195
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	196	# We need to lazy-load only for existing sessions
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	197	self._loaded = self.sessioneid is None
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	198
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	199	@logerrors(log)
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	200	def _set_accessed(self, value):
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	201	self._accessed = value
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	202
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	203	if self._loaded:
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	204	return
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	205
11629 0459094d9728 Use opened connections as much as possible Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11625 diff changeset	206	with unsafe_cnx_context_manager(self.request) as cnx:
11625 b23d60a9ea84 retrieve session data in a single query Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11606 diff changeset	207	value_rset = cnx.execute('Any D WHERE X eid %(x)s, X cwsessiondata D',
b23d60a9ea84 retrieve session data in a single query Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11606 diff changeset	208	{'x': self.sessioneid})
b23d60a9ea84 retrieve session data in a single query Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11606 diff changeset	209	value = value_rset[0][0]
11506 bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	210	if value:
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	211	# Use directly dict.update to avoir _set_accessed to be
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	212	# recursively called
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	213	dict.update(self, pickle.load(value))
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	214
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	215	self._loaded = True
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	216
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	217	def _get_accessed(self):
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	218	return self._accessed
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	219
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	220	accessed = property(_get_accessed, _set_accessed)
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	221
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	222	@logerrors(log)
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	223	def _set_cookie(self, response):
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	224	# Save the value in the database
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	225	data = Binary(pickle.dumps(dict(self)))
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	226	sessioneid = self.sessioneid
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	227
11896 327585fd7670 [pyramid] Don't use unsafe_cnx_context_manager for write queries Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11631 diff changeset	228	with self.request.registry['cubicweb.repository'].internal_cnx() as cnx:
11506 bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	229	if not sessioneid:
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	230	session = cnx.create_entity(
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	231	'CWSession', cwsessiondata=data)
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	232	sessioneid = session.eid
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	233	else:
12278 77a543e7878a [pyramid] Recreate CWSession entity when eid no longer exists Denis Laxalde <denis.laxalde@logilab.fr> parents: 12243 diff changeset	234	try:
77a543e7878a [pyramid] Recreate CWSession entity when eid no longer exists Denis Laxalde <denis.laxalde@logilab.fr> parents: 12243 diff changeset	235	session = cnx.entity_from_eid(sessioneid)
77a543e7878a [pyramid] Recreate CWSession entity when eid no longer exists Denis Laxalde <denis.laxalde@logilab.fr> parents: 12243 diff changeset	236	except UnknownEid:
77a543e7878a [pyramid] Recreate CWSession entity when eid no longer exists Denis Laxalde <denis.laxalde@logilab.fr> parents: 12243 diff changeset	237	# Might occur if CWSession entity got dropped (e.g.
77a543e7878a [pyramid] Recreate CWSession entity when eid no longer exists Denis Laxalde <denis.laxalde@logilab.fr> parents: 12243 diff changeset	238	# the whole db got recreated) while user's cookie is
77a543e7878a [pyramid] Recreate CWSession entity when eid no longer exists Denis Laxalde <denis.laxalde@logilab.fr> parents: 12243 diff changeset	239	# still valid. We recreate the CWSession in this case.
77a543e7878a [pyramid] Recreate CWSession entity when eid no longer exists Denis Laxalde <denis.laxalde@logilab.fr> parents: 12243 diff changeset	240	sessioneid = cnx.create_entity(
77a543e7878a [pyramid] Recreate CWSession entity when eid no longer exists Denis Laxalde <denis.laxalde@logilab.fr> parents: 12243 diff changeset	241	'CWSession', cwsessiondata=data).eid
77a543e7878a [pyramid] Recreate CWSession entity when eid no longer exists Denis Laxalde <denis.laxalde@logilab.fr> parents: 12243 diff changeset	242	else:
77a543e7878a [pyramid] Recreate CWSession entity when eid no longer exists Denis Laxalde <denis.laxalde@logilab.fr> parents: 12243 diff changeset	243	session.cw_set(cwsessiondata=data)
11506 bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	244	cnx.commit()
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	245
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	246	# Only if needed actually set the cookie
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	247	if self.new or self.accessed - self.renewed > self._reissue_time:
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	248	dict.clear(self)
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	249	dict.__setitem__(self, 'sessioneid', sessioneid)
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	250	return super(CWSession, self)._set_cookie(response)
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	251
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	252	return True
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	253
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	254	return CWSession
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	255
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	256
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	257	def includeme(config):
11537 caf268942436 Initial documentation. Christophe de Vienne <christophe@unlish.com> parents: 11506 diff changeset	258	""" Activate the CubicWeb session factory.
caf268942436 Initial documentation. Christophe de Vienne <christophe@unlish.com> parents: 11506 diff changeset	259
11631 faf279e33298 Merge with pyramid-cubicweb Yann Voté <yann.vote@logilab.fr> parents: 11629 diff changeset	260	Usually called via ``config.include('cubicweb.pyramid.auth')``.
11537 caf268942436 Initial documentation. Christophe de Vienne <christophe@unlish.com> parents: 11506 diff changeset	261
caf268942436 Initial documentation. Christophe de Vienne <christophe@unlish.com> parents: 11506 diff changeset	262	See also :ref:`defaults_module`
caf268942436 Initial documentation. Christophe de Vienne <christophe@unlish.com> parents: 11506 diff changeset	263	"""
11606 e245680acce3 [config] move config of the secret used to encrypt session's data ID in pyramid.ini (closes #11689082) David Douard <david.douard@logilab.fr> parents: 11579 diff changeset	264	settings = config.registry.settings
11993 07af2c2c264b [pyramid] Drop retrieval of auth/session secret in all-in-one.conf Denis Laxalde <denis.laxalde@logilab.fr> parents: 11967 diff changeset	265	try:
07af2c2c264b [pyramid] Drop retrieval of auth/session secret in all-in-one.conf Denis Laxalde <denis.laxalde@logilab.fr> parents: 11967 diff changeset	266	secret = settings['cubicweb.session.secret']
07af2c2c264b [pyramid] Drop retrieval of auth/session secret in all-in-one.conf Denis Laxalde <denis.laxalde@logilab.fr> parents: 11967 diff changeset	267	except KeyError:
11506 bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	268	secret = 'notsosecret'
12243 a46fb3f58ea2 [pyramid] Do not issue security warnings in test mode Denis Laxalde <denis.laxalde@logilab.fr> parents: 12225 diff changeset	269	if config.registry['cubicweb.config'].mode != 'test':
a46fb3f58ea2 [pyramid] Do not issue security warnings in test mode Denis Laxalde <denis.laxalde@logilab.fr> parents: 12225 diff changeset	270	warnings.warn('''
11506 bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	271
12243 a46fb3f58ea2 [pyramid] Do not issue security warnings in test mode Denis Laxalde <denis.laxalde@logilab.fr> parents: 12225 diff changeset	272	!! WARNING !! !! WARNING !!
11506 bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	273
12243 a46fb3f58ea2 [pyramid] Do not issue security warnings in test mode Denis Laxalde <denis.laxalde@logilab.fr> parents: 12225 diff changeset	274	The session cookies are signed with a static secret key.
a46fb3f58ea2 [pyramid] Do not issue security warnings in test mode Denis Laxalde <denis.laxalde@logilab.fr> parents: 12225 diff changeset	275	To put your own secret key, edit your pyramid.ini file
a46fb3f58ea2 [pyramid] Do not issue security warnings in test mode Denis Laxalde <denis.laxalde@logilab.fr> parents: 12225 diff changeset	276	and set the 'cubicweb.session.secret' key.
11506 bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	277
12243 a46fb3f58ea2 [pyramid] Do not issue security warnings in test mode Denis Laxalde <denis.laxalde@logilab.fr> parents: 12225 diff changeset	278	YOU SHOULD STOP THIS INSTANCE unless your really know what you
a46fb3f58ea2 [pyramid] Do not issue security warnings in test mode Denis Laxalde <denis.laxalde@logilab.fr> parents: 12225 diff changeset	279	are doing !!
11506 bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	280
12243 a46fb3f58ea2 [pyramid] Do not issue security warnings in test mode Denis Laxalde <denis.laxalde@logilab.fr> parents: 12225 diff changeset	281	''')
11506 bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	282	session_factory = CWSessionFactory(secret)
bfc1aa1dba30 DB-saved session data Christophe de Vienne <christophe@unlish.com> parents: diff changeset	283	config.set_session_factory(session_factory)

author	Philippe Pepiot <philippe.pepiot@logilab.fr>
	Thu, 05 Mar 2020 10:41:14 +0100
branch	3.26
changeset 12905	fb6aecd654a3
parent 12278	77a543e7878a
child 12588	fa292e905edc
permissions	-rw-r--r--