--- a/pyramid_cubicweb/auth.py Mon Aug 03 18:11:10 2015 +0200
+++ b/pyramid_cubicweb/auth.py Fri Aug 07 11:52:08 2015 +0200
@@ -58,8 +58,26 @@
This allow to combine two policies with different settings and select them
by just setting this argument.
"""
- def __init__(self, secret, persistent, **kw):
+ def __init__(self, secret, persistent, defaults={}, prefix='', **settings):
self.persistent = persistent
+ unset = object()
+ kw = {}
+ # load string settings
+ for name in ('cookie_name', 'path', 'domain', 'hashalg'):
+ value = settings.get(prefix + name, defaults.get(name, unset))
+ if value is not unset:
+ kw[name] = value
+ # load boolean settings
+ for name in ('secure', 'include_ip', 'http_only', 'wild_domain',
+ 'parent_domain', 'debug'):
+ value = settings.get(prefix + name, defaults.get(name, unset))
+ if value is not unset:
+ kw[name] = asbool(value)
+ # load int settings
+ for name in ('timeout', 'reissue_time', 'max_age'):
+ value = settings.get(prefix + name, defaults.get(name, unset))
+ if value is not unset:
+ kw[name] = int(value)
super(CWAuthTktAuthenticationPolicy, self).__init__(secret, **kw)
def remember(self, request, principals, **kw):
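Review bot: `defaults={}` on the new `__init__` signature is a mutable default argument; the body only reads it, so there is no sharing bug today, but the idiom is `defaults=None` followed by `defaults = defaults or {}` so a later change cannot leak state between the session and persistent policies. Worth noting too that every key the loop reads, including `hashalg`, can be overridden from `settings` via `prefix + name`, so an operator can silently downgrade the caller-supplied `sha512` to whatever the base policy accepts; the class docstring should list the keys read (`cookie_name`, `path`, `domain`, `hashalg`, the six boolean flags, `timeout`, `reissue_time`, `max_age`) and say that `prefix` is prepended to each. Bad values raise from `int()`/`asbool()` at startup rather than being ignored, which is fine but deserves a comment such as `# a malformed value fails loudly at include time rather than at first request`. The class definition starts outside this hunk.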
@@ -85,17 +103,34 @@
policies.append(UpdateLoginTimeAuthenticationPolicy())
if asbool(settings.get('cubicweb.auth.authtkt', True)):
- secret = config.registry['cubicweb.config']['pyramid-auth-secret']
+ session_prefix = 'cubicweb.auth.authtkt.session.'
+ persistent_prefix = 'cubicweb.auth.authtkt.persistent.'
- if not secret:
+ try:
+ secret = config.registry['cubicweb.config']['pyramid-auth-secret']
+ warnings.warn(
+ "pyramid-auth-secret from all-in-one is now "
+ "cubicweb.auth.authtkt.[session|persistent].secret",
+ DeprecationWarning)
+ except:
secret = 'notsosecret'
+
+ session_secret = settings.get(
+ session_prefix + 'secret', secret)
+ persistent_secret = settings.get(
+ persistent_prefix + 'secret', secret)
+
+ if 'notsosecret' in (session_secret, persistent_secret):
warnings.warn('''
- !! WARNING !! !! WARNING !!
+ !! SECURITY WARNING !!
The authentication cookies are signed with a static secret key.
- To put your own secret key, edit your all-in-one.conf file
- and set the 'pyramid-auth-secret' key.
+
+ Configure the following options in your pyramid.ini file:
+
+ - cubicweb.auth.authtkt.session.secret
+ - cubicweb.auth.authtkt.persistent.secret
YOU SHOULD STOP THIS INSTANCE unless your really know what you
are doing !!
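Review bot: The bare `except:` that replaces the removed `if not secret:` guard changes what gets caught: it swallows everything (including `KeyboardInterrupt`/`SystemExit`), and it no longer covers the case the old code handled, where `pyramid-auth-secret` is present but empty or `None` — in that case neither the `'notsosecret'` fallback nor the security warning fires and the cookies are signed with an empty secret. Narrow it to `KeyError` and reinstate the falsy check, emitting the deprecation warning only when a real legacy value was found. Consider also whether falling back to a static secret should remain a warning at all rather than a hard failure, since `settings.get(..., secret)` means a single forgotten key quietly reuses it. The enclosing function starts outside this hunk.
```python
try:
    secret = config.registry['cubicweb.config']['pyramid-auth-secret']
except KeyError:
    secret = None
if secret:
    warnings.warn(
        "pyramid-auth-secret from all-in-one is now "
        "cubicweb.auth.authtkt.[session|persistent].secret",
        DeprecationWarning)
else:
    # falsy (missing, empty or None) legacy value: fall back and warn below
    secret = 'notsosecret'
# … unchanged: session_secret / persistent_secret lookup and warning …
```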
@@ -104,33 +139,29 @@
policies.append(
CWAuthTktAuthenticationPolicy(
- secret, False, hashalg='sha512',
- cookie_name=settings.get(
- 'cubicweb.auth.authtkt.session.cookie_name',
- 'auth_tkt'),
- timeout=int(settings.get(
- 'cubicweb.auth.authtkt.session.timeout',
- 1200)),
- reissue_time=int(settings.get(
- 'cubicweb.auth.authtkt.session.reissue_time',
- 120))
+ session_secret, False,
+ defaults={
+ 'hashalg': 'sha512',
+ 'cookie_name': 'auth_tkt',
+ 'timeout': 1200,
+ 'reissue_time': 120
+ },
+ prefix=session_prefix,
+ **settings
)
)
policies.append(
CWAuthTktAuthenticationPolicy(
- secret, True, hashalg='sha512',
- cookie_name=settings.get(
- 'cubicweb.auth.authtkt.persistent.cookie_name',
- 'pauth_tkt'),
- max_age=int(settings.get(
- 'cubicweb.auth.authtkt.persistent.max_age',
- 3600*24*30 # defaults to 1 month
- )),
- reissue_time=int(settings.get(
- 'cubicweb.auth.authtkt.persistent.reissue_time',
- 3600*24
- ))
+ persistent_secret, True,
+ defaults={
+ 'hashalg': 'sha512',
+ 'cookie_name': 'pauth_tkt',
+ 'max_age': 3600*24*30,
+ 'reissue_time': 3600*24
+ },
+ prefix=persistent_prefix,
+ **settings
)
)
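Review bot: The `defaults` dicts for both policies set `hashalg`, `cookie_name` and the timing keys but say nothing about `http_only` or `secure`, even though the constructor added in this commit explicitly reads both; whatever the base policy's own defaults are (not visible here, but Pyramid's auth_tkt policy has historically shipped with both off) is therefore what every deployment gets unless the operator discovers the `cubicweb.auth.authtkt.*.http_only`/`secure` keys. Adding `'http_only': True,` to both dicts costs nothing and keeps the ticket out of reach of script; `secure` is deployment-dependent (plain-HTTP dev setups), so at minimum document the key next to the secret options in the warning text or the module docstring. Passing the whole `**settings` mapping into the constructor also means unrelated keys travel through each call; it works because `__init__` collects them into `**settings`, but a comment such as `# the policy filters settings by prefix itself` would save the next reader a trip. The enclosing function starts outside this hunk.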