[auth] Use pyramid_multiauth
It makes it easier to finely tune what parts of the default authentication stack
we want to use or not.
It also makes it possible for any cube to add its own policy in addition to the
others.
Related to #4985962
--- a/pyramid_cubicweb/auth.py Thu Apr 09 23:58:38 2015 +0200
+++ b/pyramid_cubicweb/auth.py Thu Feb 12 19:21:39 2015 +0100
@@ -2,29 +2,37 @@
import logging
import warnings
+from zope.interface import implementer
+
+from pyramid.settings import asbool
from pyramid.authorization import ACLAuthorizationPolicy
from pyramid_cubicweb.core import get_principals
+from pyramid_multiauth import MultiAuthenticationPolicy
from pyramid.authentication import AuthTktAuthenticationPolicy
+from pyramid.interfaces import IAuthenticationPolicy
+
log = logging.getLogger(__name__)
-class CubicWebAuthTktAuthenticationPolicy(AuthTktAuthenticationPolicy):
+@implementer(IAuthenticationPolicy)
+class UpdateLoginTimeAuthenticationPolicy(object):
"""An authentication policy that update the user last_login_time.
- The update is done in the 'remember' method, which is called on login,
- and each time the authentication ticket is reissued.
-
- Meaning, the last_login_time is updated reissue_time seconds (maximum)
- before the last request by the user.
+ The update is done in the 'remember' method, which is called by the login
+ views login,
Usually used via :func:`includeme`.
"""
+ def authenticated_userid(self, request):
+ pass
+
+ def effective_principals(self, request):
+ return ()
+
def remember(self, request, principal, **kw):
- headers = super(CubicWebAuthTktAuthenticationPolicy, self).remember(
- request, principal, **kw)
try:
repo = request.registry['cubicweb.repository']
with repo.internal_cnx() as cnx:
@@ -35,7 +43,10 @@
cnx.commit()
except:
log.exception("Failed to update last_login_time")
- return headers
+ return ()
+
+ def forget(self, request):
+ return ()
def includeme(config):
@@ -45,25 +56,41 @@
See also :ref:`defaults_module`
"""
- secret = config.registry['cubicweb.config']['pyramid-auth-secret']
+ settings = config.registry.settings
+
+ policies = []
+
+ if asbool(settings.get('cubicweb.auth.update_login_time', True)):
+ policies.append(UpdateLoginTimeAuthenticationPolicy())
- if not secret:
- secret = 'notsosecret'
- warnings.warn('''
+ if asbool(settings.get('cubicweb.auth.authtkt', True)):
+ secret = config.registry['cubicweb.config']['pyramid-auth-secret']
- !! WARNING !! !! WARNING !!
+ if not secret:
+ secret = 'notsosecret'
+ warnings.warn('''
+
+ !! WARNING !! !! WARNING !!
- The authentication cookies are signed with a static secret key.
- To put your own secret key, edit your all-in-one.conf file
- and set the 'pyramid-auth-secret' key.
+ The authentication cookies are signed with a static secret key.
+ To put your own secret key, edit your all-in-one.conf file
+ and set the 'pyramid-auth-secret' key.
- YOU SHOULD STOP THIS INSTANCE unless your really know what you
- are doing !!
+ YOU SHOULD STOP THIS INSTANCE unless your really know what you
+ are doing !!
+
+ ''')
- ''')
+ policies.append(
+ AuthTktAuthenticationPolicy(
+ secret, hashalg='sha512', reissue_time=3600))
- config.set_authentication_policy(
- CubicWebAuthTktAuthenticationPolicy(
- secret, callback=get_principals, hashalg='sha512',
- reissue_time=3600))
+ kw = {}
+ if asbool(settings.get('cubicweb.auth.groups_principals', True)):
+ kw['callback'] = get_principals
+
+ authpolicy = MultiAuthenticationPolicy(policies, **kw)
+ config.registry['cubicweb.authpolicy'] = authpolicy
+
+ config.set_authentication_policy(authpolicy)
config.set_authorization_policy(ACLAuthorizationPolicy())
--- a/setup.py Thu Apr 09 23:58:38 2015 +0200
+++ b/setup.py Thu Feb 12 19:21:39 2015 +0100
@@ -30,6 +30,7 @@
'pyramid >= 1.5.0',
'waitress >= 0.8.9',
'cubicweb >= 3.19.3',
- 'wsgicors >= 0.3'
+ 'wsgicors >= 0.3',
+ 'pyramid_multiauth',
]
)