[auth] Make the configuration cookies completely configurable
authorChristophe de Vienne <cdevienne@gmail.com>
Fri, 07 Aug 2015 11:52:08 +0200
changeset 11592 197e10cb74f7
parent 11591 0bad6416e32a
child 11593 73bf8377a3d5
[auth] Make the configuration cookies completely configurable Also transfer the secret setting from all-in-one.conf to pyramid.ini, with backward compatibility. Closes #5999625
pyramid_cubicweb/auth.py
--- a/pyramid_cubicweb/auth.py	Mon Aug 03 18:11:10 2015 +0200
+++ b/pyramid_cubicweb/auth.py	Fri Aug 07 11:52:08 2015 +0200
@@ -58,8 +58,26 @@
     This allow to combine two policies with different settings and select them
     by just setting this argument.
     """
-    def __init__(self, secret, persistent, **kw):
+    def __init__(self, secret, persistent, defaults={}, prefix='', **settings):
         self.persistent = persistent
+        unset = object()
+        kw = {}
+        # load string settings
+        for name in ('cookie_name', 'path', 'domain', 'hashalg'):
+            value = settings.get(prefix + name, defaults.get(name, unset))
+            if value is not unset:
+                kw[name] = value
+        # load boolean settings
+        for name in ('secure', 'include_ip', 'http_only', 'wild_domain',
+                     'parent_domain', 'debug'):
+            value = settings.get(prefix + name, defaults.get(name, unset))
+            if value is not unset:
+                kw[name] = asbool(value)
+        # load int settings
+        for name in ('timeout', 'reissue_time', 'max_age'):
+            value = settings.get(prefix + name, defaults.get(name, unset))
+            if value is not unset:
+                kw[name] = int(value)
         super(CWAuthTktAuthenticationPolicy, self).__init__(secret, **kw)
 
     def remember(self, request, principals, **kw):
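Review bot: `defaults={}` on the new `__init__` signature is a mutable default argument; the body only reads it, so nothing is shared today, but the idiom is the classic trap and linters flag it, so prefer `defaults=None` with `defaults = defaults or {}` as the first statement. The three loops repeat the same lookup `settings.get(prefix + name, defaults.get(name, unset))` for the string, boolean and int groups; a small local `lookup(name)` closure would remove the triplication and keep the coercion per group. The signature also deserves a docstring line stating that `**settings` is the full settings mapping and only keys qualified by `prefix` are consulted, and that the coercion of boolean and int values (`asbool`, `int`) means a malformed `timeout`/`max_age` raises at startup rather than being ignored. The enclosing class starts before this hunk.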
@@ -85,17 +103,34 @@
         policies.append(UpdateLoginTimeAuthenticationPolicy())
 
     if asbool(settings.get('cubicweb.auth.authtkt', True)):
-        secret = config.registry['cubicweb.config']['pyramid-auth-secret']
+        session_prefix = 'cubicweb.auth.authtkt.session.'
+        persistent_prefix = 'cubicweb.auth.authtkt.persistent.'
 
-        if not secret:
+        try:
+            secret = config.registry['cubicweb.config']['pyramid-auth-secret']
+            warnings.warn(
+                "pyramid-auth-secret from all-in-one is now "
+                "cubicweb.auth.authtkt.[session|persistent].secret",
+                DeprecationWarning)
+        except:
             secret = 'notsosecret'
+
+        session_secret = settings.get(
+            session_prefix + 'secret', secret)
+        persistent_secret = settings.get(
+            persistent_prefix + 'secret', secret)
+
+        if 'notsosecret' in (session_secret, persistent_secret):
             warnings.warn('''
 
-                !! WARNING !! !! WARNING !!
+                !! SECURITY WARNING !!
 
                 The authentication cookies are signed with a static secret key.
-                To put your own secret key, edit your all-in-one.conf file
-                and set the 'pyramid-auth-secret' key.
+
+                Configure the following options in your pyramid.ini file:
+
+                - cubicweb.auth.authtkt.session.secret
+                - cubicweb.auth.authtkt.persistent.secret
 
                 YOU SHOULD STOP THIS INSTANCE unless your really know what you
                 are doing !!
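Review bot: Replacing `if not secret:` with a bare `except:` changes behaviour for a present-but-empty `pyramid-auth-secret` in all-in-one.conf: the old code fell back to 'notsosecret' and warned, while the new code keeps the empty value, `if 'notsosecret' in (session_secret, persistent_secret)` does not fire, and the cookies are signed with an empty key with no warning. Narrow the handler to `except KeyError: secret = None` (a bare except also swallows KeyboardInterrupt and SystemExit) and restore the falsy check after the block, `if not secret: secret = 'notsosecret'`. An explicitly empty `cubicweb.auth.authtkt.session.secret` or `...persistent.secret` in pyramid.ini has the same effect, so the warning condition could be widened to `if not all((session_secret, persistent_secret)) or 'notsosecret' in (session_secret, persistent_secret):`. The DeprecationWarning is also raised whenever the legacy key exists, even when both pyramid.ini secrets are configured and the legacy value is unused; if that is not intended, emit it only when the fallback is actually taken. The enclosing function starts before this hunk.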
@@ -104,33 +139,29 @@
 
         policies.append(
             CWAuthTktAuthenticationPolicy(
-                secret, False, hashalg='sha512',
-                cookie_name=settings.get(
-                    'cubicweb.auth.authtkt.session.cookie_name',
-                    'auth_tkt'),
-                timeout=int(settings.get(
-                    'cubicweb.auth.authtkt.session.timeout',
-                    1200)),
-                reissue_time=int(settings.get(
-                    'cubicweb.auth.authtkt.session.reissue_time',
-                    120))
+                session_secret, False,
+                defaults={
+                    'hashalg': 'sha512',
+                    'cookie_name': 'auth_tkt',
+                    'timeout': 1200,
+                    'reissue_time': 120
+                },
+                prefix=session_prefix,
+                **settings
             )
         )
 
         policies.append(
             CWAuthTktAuthenticationPolicy(
-                secret, True, hashalg='sha512',
-                cookie_name=settings.get(
-                    'cubicweb.auth.authtkt.persistent.cookie_name',
-                    'pauth_tkt'),
-                max_age=int(settings.get(
-                    'cubicweb.auth.authtkt.persistent.max_age',
-                    3600*24*30  # defaults to 1 month
-                )),
-                reissue_time=int(settings.get(
-                    'cubicweb.auth.authtkt.persistent.reissue_time',
-                    3600*24
-                ))
+                persistent_secret, True,
+                defaults={
+                    'hashalg': 'sha512',
+                    'cookie_name': 'pauth_tkt',
+                    'max_age': 3600*24*30,
+                    'reissue_time': 3600*24
+                },
+                prefix=persistent_prefix,
+                **settings
             )
         )