Beispiel #1
    def forget(self, request):
        """Return the headers that make the client drop its identity.

        Delegates to the repoze.who API's logout() call; per the original
        documentation that call fans out to forget() on every configured
        repoze.who plugin.  Always returns a list: an empty list is
        substituted when logout() yields nothing.
        """
        who_api = get_api(request, self.api_factory)
        logout_headers = who_api.logout()
        # Normalise a falsy result (None, empty sequence) to a fresh list
        # so callers can extend a response's headerlist unconditionally.
        return logout_headers if logout_headers else []
    def forget(self, request):
        """Return the headers that make the client drop its identity.

        Delegates to the repoze.who API's logout() call; per the original
        documentation that call fans out to forget() on every configured
        repoze.who plugin.  Always returns a list: an empty list is
        substituted when logout() yields nothing.
        """
        who_api = get_api(request, self.api_factory)
        logout_headers = who_api.logout()
        # Normalise a falsy result (None, empty sequence) to a fresh list
        # so callers can extend a response's headerlist unconditionally.
        return logout_headers if logout_headers else []
Beispiel #3
    def remember(self, request, principal, **kw):
        """Collect the headers that make the client remember *principal*.

        Every identifier plugin exposed by the repoze.who API is asked to
        remember() an identity built from *principal*; the header lists
        they return are concatenated in plugin order.

        No authentication is performed here: the identity is constructed
        directly from *principal*, so the caller must already have
        verified it.  Extra keyword arguments are accepted and ignored.
        """
        identity = {"repoze.who.userid": principal}
        who_api = get_api(request, self.api_factory)
        # Mirrors what api.login() does after a successful authentication,
        # minus the authentication step itself.
        collected = []
        for _name, identifier in who_api.identifiers:
            plugin_headers = identifier.remember(request.environ, identity)
            if plugin_headers is None:
                # This plugin has nothing to set for the identity.
                continue
            collected.extend(plugin_headers)
        return collected
    def remember(self, request, principal, **kw):
        """Collect the headers that make the client remember *principal*.

        Every identifier plugin exposed by the repoze.who API is asked to
        remember() an identity built from *principal*; the header lists
        they return are concatenated in plugin order.

        No authentication is performed here: the identity is constructed
        directly from *principal*, so the caller must already have
        verified it.  Extra keyword arguments are accepted and ignored.
        """
        identity = {"repoze.who.userid": principal}
        who_api = get_api(request, self.api_factory)
        # Mirrors what api.login() does after a successful authentication,
        # minus the authentication step itself.
        collected = []
        for _name, identifier in who_api.identifiers:
            plugin_headers = identifier.remember(request.environ, identity)
            if plugin_headers is None:
                # This plugin has nothing to set for the identity.
                continue
            collected.extend(plugin_headers)
        return collected
Beispiel #5
def challenge(request, *challenge_args):
    """Pyramid view that prompts for credentials through repoze.who.

    The repoze.who challenge API is asked for a challenge application
    (any extra positional arguments are passed straight through to it).
    When one is available its response is returned; otherwise a plain
    "403 Forbidden" page is produced.

    In both cases the headers from security.forget() are appended, so a
    challenged client is also told to drop whatever identity it holds.

    Suitable for use as pyramid's "Forbidden View".
    """
    who_api = get_api(request)
    challenge_app = who_api.challenge(*challenge_args)
    if challenge_app is None:
        # No plugin could produce a challenge: fall back to a static 403.
        response = Response("<h1>Forbidden</h1>", status="403 Forbidden")
    else:
        response = request.get_response(challenge_app)
    response.headerlist.extend(security.forget(request))
    return response
Beispiel #6
    def unauthenticated_userid(self, request):
        """Return the userid claimed by the request, or None.

        Despite the name, this is not a cheap "read the claim" call:
        repoze.who offers no way to extract a userid without
        authenticating it, so when the environ holds no identity yet the
        repoze.who API's authenticate() is invoked.  The only difference
        from the authenticated variant is that the groupfinder callback
        is not consulted.

        An identity already present in environ["repoze.who.identity"] is
        used as-is, without re-authenticating.

        Raises ApplicationRedirectException when authenticate() replaces
        environ["repoze.who.application"], so the redirect can be handled
        upstream.
        """
        cached = request.environ.get("repoze.who.identity")
        if cached is not None:
            return cached["repoze.who.userid"]
        who_api = get_api(request, self.api_factory)
        # Snapshot the application slot so a plugin swapping it in during
        # authenticate() can be detected by identity comparison.
        app_before = request.environ.get("repoze.who.application")
        identity = who_api.authenticate()
        app_after = request.environ.get("repoze.who.application")
        if app_after is not app_before:
            raise ApplicationRedirectException
        if identity is None:
            return None
        return identity["repoze.who.userid"]
    def unauthenticated_userid(self, request):
        """Return the userid claimed by the request, or None.

        Despite the name, this is not a cheap "read the claim" call:
        repoze.who offers no way to extract a userid without
        authenticating it, so when the environ holds no identity yet the
        repoze.who API's authenticate() is invoked.  The only difference
        from the authenticated variant is that the groupfinder callback
        is not consulted.

        An identity already present in environ["repoze.who.identity"] is
        used as-is, without re-authenticating.

        Raises ApplicationRedirectException when authenticate() replaces
        environ["repoze.who.application"], so the redirect can be handled
        upstream.
        """
        cached = request.environ.get("repoze.who.identity")
        if cached is not None:
            return cached["repoze.who.userid"]
        who_api = get_api(request, self.api_factory)
        # Snapshot the application slot so a plugin swapping it in during
        # authenticate() can be detected by identity comparison.
        app_before = request.environ.get("repoze.who.application")
        identity = who_api.authenticate()
        app_after = request.environ.get("repoze.who.application")
        if app_after is not app_before:
            raise ApplicationRedirectException
        if identity is None:
            return None
        return identity["repoze.who.userid"]
Beispiel #8
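def login(request):
    """View to process login credentials and remember the user.

    This method provides a pyramid view that uses the repoze.who API
    to authenticate any submitted credentials, then redirects to
    whatever page the user was trying to view.  You can use it as
    a convenient redirection point for plugins that need to submit
    credentials via POST, or as the target for a custom login form.

    The redirect target comes from the "came_from" request parameter,
    falling back to the Referer header and then "/".  Both values are
    supplied by the client, so the target is only honoured when it is an
    absolute path on this site or an http(s) URL whose host matches the
    request's host; anything else is replaced with "/".

    Raises HTTPForbidden when no userid could be established.
    """
    # Function-scope import: keeps this view independent of the module's
    # import block and works under both Python 3 and Python 2 naming.
    try:
        from urllib.parse import urlsplit
    except ImportError:
        from urlparse import urlsplit

    came_from = request.params.get("came_from", request.referer or "/")
    # Redirecting to an unchecked client-supplied URL is an open redirect:
    # a crafted login link could bounce a freshly authenticated user to
    # another site.  Only same-site targets are kept.
    same_site = False
    has_odd_chars = "\\" in came_from or any(ord(c) < 0x20 for c in came_from)
    if not has_odd_chars:
        # Backslashes and control characters are refused outright because
        # user agents may normalise them into a different URL than the one
        # parsed here.
        target = urlsplit(came_from)
        if target.scheme or target.netloc:
            # NOTE(review): request.host is assumed to be the public host
            # name; behind a proxy that rewrites Host, absolute same-site
            # URLs will fall back to "/" -- confirm for the deployment.
            same_site = (target.scheme in ("http", "https")
                         and target.netloc == request.host)
        else:
            # Scheme-less, host-less targets must be absolute paths.
            same_site = came_from.startswith("/")
    if not same_site:
        came_from = "/"
    # Try to authenticate, either via standard plugin auth
    # or by using the request parameters as the identity.
    userid = security.authenticated_userid(request)
    if userid is not None:
        headers = security.remember(request, userid)
    else:
        api = get_api(request)
        userid, headers = api.login(dict(request.params))
    # If that worked, send them back to where they came from.
    if userid is not None:
        return HTTPFound(location=came_from, headers=headers)
    # If not, trigger the usual forbidden view.
    # In theory this should eventually post back to us again.
    raise HTTPForbidden()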
 def whoauth_tween(request):
     """Call the downstream handler, then apply repoze.who on egress.

     Nothing is done on ingress; the application calls into the
     repoze.who API itself as needed.  On the way out, a 404 (raised or
     returned) triggers the AuthnPolicy in case a plugin wants to take
     over via an internal redirect, and any identity found in the
     environ is re-remembered on the response.
     """
     def give_policy_a_chance():
         # Only poke the AuthnPolicy when the repoze.who API has not
         # already been set up for this request.
         if "repoze.who.api" not in request.environ:
             security.unauthenticated_userid(request)

     try:
         # A request for a non-existent URL might be a repoze.who plugin
         # doing an internal redirection to an unknown URL.  Let the
         # AuthnPolicy set things up and raise ApplicationRedirectException.
         try:
             response = handler(request)
         except NotFound:
             give_policy_a_chance()
             raise
         else:
             if response.status.startswith("404 "):
                 give_policy_a_chance()
     except ApplicationRedirectException:
         # The AuthnPolicy signals that a plugin wants to own the response:
         # serve whatever WSGI app it placed in the environ.
         redirect_app = request.environ["repoze.who.application"]
         response = request.get_response(redirect_app)
     # Some plugins rely on remember() running on every response, not only
     # when a new identity is issued.
     identity = request.environ.get("repoze.who.identity")
     if not identity:
         return response
     who_api = get_api(request)
     for _name, identifier in who_api.identifiers:
         plugin_headers = identifier.remember(request.environ, identity)
         if plugin_headers is not None:
             response.headerlist.extend(plugin_headers)
     return response