# HG changeset patch # User Christophe de Vienne # Date 1423765299 -3600 # Node ID 25d93d14f8b6cc2a92f41af8f82e92e0d68a9451 # Parent 1a816189ceeebd3d4212c696f7f664e516ea9fbc [auth] Use pyramid_multiauth It makes it easier to finely tune what parts of the default authentication stack we want to use or not. It also makes it possible for any cube to add its own policy in addition to the others. Related to #4985962 diff -r 1a816189ceee -r 25d93d14f8b6 pyramid_cubicweb/auth.py --- a/pyramid_cubicweb/auth.py Thu Apr 09 23:58:38 2015 +0200 +++ b/pyramid_cubicweb/auth.py Thu Feb 12 19:21:39 2015 +0100 @@ -2,29 +2,37 @@ import logging import warnings +from zope.interface import implementer + +from pyramid.settings import asbool from pyramid.authorization import ACLAuthorizationPolicy from pyramid_cubicweb.core import get_principals +from pyramid_multiauth import MultiAuthenticationPolicy from pyramid.authentication import AuthTktAuthenticationPolicy +from pyramid.interfaces import IAuthenticationPolicy + log = logging.getLogger(__name__) -class CubicWebAuthTktAuthenticationPolicy(AuthTktAuthenticationPolicy): +@implementer(IAuthenticationPolicy) +class UpdateLoginTimeAuthenticationPolicy(object): """An authentication policy that update the user last_login_time. - The update is done in the 'remember' method, which is called on login, - and each time the authentication ticket is reissued. - - Meaning, the last_login_time is updated reissue_time seconds (maximum) - before the last request by the user. + The update is done in the 'remember' method, which is called by the login + views login, Usually used via :func:`includeme`. """ + def authenticated_userid(self, request): + pass + + def effective_principals(self, request): + return () + def remember(self, request, principal, **kw): - headers = super(CubicWebAuthTktAuthenticationPolicy, self).remember( - request, principal, **kw) try: repo = request.registry['cubicweb.repository'] with repo.internal_cnx() as cnx: @@ -35,7 +43,10 @@ cnx.commit() except: log.exception("Failed to update last_login_time") - return headers + return () + + def forget(self, request): + return () def includeme(config): @@ -45,25 +56,41 @@ See also :ref:`defaults_module` """ - secret = config.registry['cubicweb.config']['pyramid-auth-secret'] + settings = config.registry.settings + + policies = [] + + if asbool(settings.get('cubicweb.auth.update_login_time', True)): + policies.append(UpdateLoginTimeAuthenticationPolicy()) - if not secret: - secret = 'notsosecret' - warnings.warn(''' + if asbool(settings.get('cubicweb.auth.authtkt', True)): + secret = config.registry['cubicweb.config']['pyramid-auth-secret'] - !! WARNING !! !! WARNING !! + if not secret: + secret = 'notsosecret' + warnings.warn(''' + + !! WARNING !! !! WARNING !! - The authentication cookies are signed with a static secret key. - To put your own secret key, edit your all-in-one.conf file - and set the 'pyramid-auth-secret' key. + The authentication cookies are signed with a static secret key. + To put your own secret key, edit your all-in-one.conf file + and set the 'pyramid-auth-secret' key. - YOU SHOULD STOP THIS INSTANCE unless your really know what you - are doing !! + YOU SHOULD STOP THIS INSTANCE unless your really know what you + are doing !! + + ''') - ''') + policies.append( + AuthTktAuthenticationPolicy( + secret, hashalg='sha512', reissue_time=3600)) - config.set_authentication_policy( - CubicWebAuthTktAuthenticationPolicy( - secret, callback=get_principals, hashalg='sha512', - reissue_time=3600)) + kw = {} + if asbool(settings.get('cubicweb.auth.groups_principals', True)): + kw['callback'] = get_principals + + authpolicy = MultiAuthenticationPolicy(policies, **kw) + config.registry['cubicweb.authpolicy'] = authpolicy + + config.set_authentication_policy(authpolicy) config.set_authorization_policy(ACLAuthorizationPolicy()) diff -r 1a816189ceee -r 25d93d14f8b6 setup.py --- a/setup.py Thu Apr 09 23:58:38 2015 +0200 +++ b/setup.py Thu Feb 12 19:21:39 2015 +0100 @@ -30,6 +30,7 @@ 'pyramid >= 1.5.0', 'waitress >= 0.8.9', 'cubicweb >= 3.19.3', - 'wsgicors >= 0.3' + 'wsgicors >= 0.3', + 'pyramid_multiauth', ] )