56 was passed to the constructor. |
56 was passed to the constructor. |
57 |
57 |
58 This allow to combine two policies with different settings and select them |
58 This allow to combine two policies with different settings and select them |
59 by just setting this argument. |
59 by just setting this argument. |
60 """ |
60 """ |
61 def __init__(self, secret, persistent, **kw): |
61 def __init__(self, secret, persistent, defaults={}, prefix='', **settings): |
62 self.persistent = persistent |
62 self.persistent = persistent |
|
63 unset = object() |
|
64 kw = {} |
|
65 # load string settings |
|
66 for name in ('cookie_name', 'path', 'domain', 'hashalg'): |
|
67 value = settings.get(prefix + name, defaults.get(name, unset)) |
|
68 if value is not unset: |
|
69 kw[name] = value |
|
70 # load boolean settings |
|
71 for name in ('secure', 'include_ip', 'http_only', 'wild_domain', |
|
72 'parent_domain', 'debug'): |
|
73 value = settings.get(prefix + name, defaults.get(name, unset)) |
|
74 if value is not unset: |
|
75 kw[name] = asbool(value) |
|
76 # load int settings |
|
77 for name in ('timeout', 'reissue_time', 'max_age'): |
|
78 value = settings.get(prefix + name, defaults.get(name, unset)) |
|
79 if value is not unset: |
|
80 kw[name] = int(value) |
63 super(CWAuthTktAuthenticationPolicy, self).__init__(secret, **kw) |
81 super(CWAuthTktAuthenticationPolicy, self).__init__(secret, **kw) |
64 |
82 |
65 def remember(self, request, principals, **kw): |
83 def remember(self, request, principals, **kw): |
66 if 'persistent' not in kw or kw.pop('persistent') == self.persistent: |
84 if 'persistent' not in kw or kw.pop('persistent') == self.persistent: |
67 return super(CWAuthTktAuthenticationPolicy, self).remember( |
85 return super(CWAuthTktAuthenticationPolicy, self).remember( |
83 |
101 |
84 if asbool(settings.get('cubicweb.auth.update_login_time', True)): |
102 if asbool(settings.get('cubicweb.auth.update_login_time', True)): |
85 policies.append(UpdateLoginTimeAuthenticationPolicy()) |
103 policies.append(UpdateLoginTimeAuthenticationPolicy()) |
86 |
104 |
87 if asbool(settings.get('cubicweb.auth.authtkt', True)): |
105 if asbool(settings.get('cubicweb.auth.authtkt', True)): |
88 secret = config.registry['cubicweb.config']['pyramid-auth-secret'] |
106 session_prefix = 'cubicweb.auth.authtkt.session.' |
|
107 persistent_prefix = 'cubicweb.auth.authtkt.persistent.' |
89 |
108 |
90 if not secret: |
109 try: |
|
110 secret = config.registry['cubicweb.config']['pyramid-auth-secret'] |
|
111 warnings.warn( |
|
112 "pyramid-auth-secret from all-in-one is now " |
|
113 "cubicweb.auth.authtkt.[session|persistent].secret", |
|
114 DeprecationWarning) |
|
115 except: |
91 secret = 'notsosecret' |
116 secret = 'notsosecret' |
|
117 |
|
118 session_secret = settings.get( |
|
119 session_prefix + 'secret', secret) |
|
120 persistent_secret = settings.get( |
|
121 persistent_prefix + 'secret', secret) |
|
122 |
|
123 if 'notsosecret' in (session_secret, persistent_secret): |
92 warnings.warn(''' |
124 warnings.warn(''' |
93 |
125 |
94 !! WARNING !! !! WARNING !! |
126 !! SECURITY WARNING !! |
95 |
127 |
96 The authentication cookies are signed with a static secret key. |
128 The authentication cookies are signed with a static secret key. |
97 To put your own secret key, edit your all-in-one.conf file |
129 |
98 and set the 'pyramid-auth-secret' key. |
130 Configure the following options in your pyramid.ini file: |
|
131 |
|
132 - cubicweb.auth.authtkt.session.secret |
|
133 - cubicweb.auth.authtkt.persistent.secret |
99 |
134 |
100 YOU SHOULD STOP THIS INSTANCE unless your really know what you |
135 YOU SHOULD STOP THIS INSTANCE unless your really know what you |
101 are doing !! |
136 are doing !! |
102 |
137 |
103 ''') |
138 ''') |
104 |
139 |
105 policies.append( |
140 policies.append( |
106 CWAuthTktAuthenticationPolicy( |
141 CWAuthTktAuthenticationPolicy( |
107 secret, False, hashalg='sha512', |
142 session_secret, False, |
108 cookie_name=settings.get( |
143 defaults={ |
109 'cubicweb.auth.authtkt.session.cookie_name', |
144 'hashalg': 'sha512', |
110 'auth_tkt'), |
145 'cookie_name': 'auth_tkt', |
111 timeout=int(settings.get( |
146 'timeout': 1200, |
112 'cubicweb.auth.authtkt.session.timeout', |
147 'reissue_time': 120 |
113 1200)), |
148 }, |
114 reissue_time=int(settings.get( |
149 prefix=session_prefix, |
115 'cubicweb.auth.authtkt.session.reissue_time', |
150 **settings |
116 120)) |
|
117 ) |
151 ) |
118 ) |
152 ) |
119 |
153 |
120 policies.append( |
154 policies.append( |
121 CWAuthTktAuthenticationPolicy( |
155 CWAuthTktAuthenticationPolicy( |
122 secret, True, hashalg='sha512', |
156 persistent_secret, True, |
123 cookie_name=settings.get( |
157 defaults={ |
124 'cubicweb.auth.authtkt.persistent.cookie_name', |
158 'hashalg': 'sha512', |
125 'pauth_tkt'), |
159 'cookie_name': 'pauth_tkt', |
126 max_age=int(settings.get( |
160 'max_age': 3600*24*30, |
127 'cubicweb.auth.authtkt.persistent.max_age', |
161 'reissue_time': 3600*24 |
128 3600*24*30 # defaults to 1 month |
162 }, |
129 )), |
163 prefix=persistent_prefix, |
130 reissue_time=int(settings.get( |
164 **settings |
131 'cubicweb.auth.authtkt.persistent.reissue_time', |
|
132 3600*24 |
|
133 )) |
|
134 ) |
165 ) |
135 ) |
166 ) |
136 |
167 |
137 kw = {} |
168 kw = {} |
138 if asbool(settings.get('cubicweb.auth.groups_principals', True)): |
169 if asbool(settings.get('cubicweb.auth.groups_principals', True)): |