def make_faswho_middleware(app, log_stream, login_handler='/login_handler',
login_form_url='/login', logout_handler='/logout_handler',
post_login_url='/post_login', post_logout_url=None):
faswho = FASWhoPlugin(FAS_URL)
csrf_mdprovider = CSRFMetadataProvider(login_handler=login_handler)
form = FriendlyFormPlugin(login_form_url,
login_handler,
post_login_url,
logout_handler,
post_logout_url,
rememberer_name='fasident')
form.classifications = { IIdentifier: ['browser'],
IChallenger: ['browser'] } # only for browser
identifiers = [('form', form), ('fasident', faswho)]
authenticators = [('fasauth', faswho)]
challengers = [('form', form)]
mdproviders = [('fasmd', faswho), ('csrfmd', csrf_mdprovider)]
if os.environ.get('FAS_WHO_LOG'):
log_stream = sys.stdout
app = CSRFProtectionMiddleware(app)
app = PluggableAuthenticationMiddleware(
app,
identifiers,
authenticators,
challengers,
mdproviders,
default_request_classifier,
default_challenge_decider,
log_stream = log_stream,
)
return app
def make_faswho_middleware(app,
log_stream=None,
login_handler='/login_handler',
login_form_url='/login',
logout_handler='/logout_handler',
post_login_url='/post_login',
post_logout_url=None,
fas_url=FAS_URL,
insecure=False,
ssl_cookie=True,
httponly=True):
'''
:arg app: WSGI app that is being wrapped
:kwarg log_stream: :class:`logging.Logger` to log auth messages
:kwarg login_handler: URL where the login form is submitted
:kwarg login_form_url: URL where the login form is displayed
:kwarg logout_handler: URL where the logout form is submitted
:kwarg post_login_url: URL to redirect the user to after login
:kwarg post_logout_url: URL to redirect the user to after logout
:kwarg fas_url: Base URL to the FAS server
:kwarg insecure: Allow connecting to a fas server without checking the
server's SSL certificate. Opens you up to MITM attacks but can be
useful when testing. *Do not enable this in production*
:kwarg ssl_cookie: If :data:`True` (default), tell the browser to only
send the session cookie back over https.
:kwarg httponly: If :data:`True` (default), tell the browser that the
session cookie should only be read for sending to a server, not for
access by JavaScript or other clientside technology. This prevents
using the session cookie to pass information to JavaScript clients but
also prevents XSS attacks from stealing the session cookie
information.
'''
# Because of the way we override values (via a dict in AppConfig), we
# need to make this a keyword arg and then check it here to make it act
# like a positional arg.
if not log_stream:
raise TypeError(
'log_stream must be set when calling make_fasauth_middleware()')
faswho = FASWhoPlugin(fas_url,
insecure=insecure,
ssl_cookie=ssl_cookie,
httponly=httponly)
csrf_mdprovider = CSRFMetadataProvider()
form = FriendlyFormPlugin(login_form_url,
login_handler,
post_login_url,
logout_handler,
post_logout_url,
rememberer_name='fasident',
charset='utf-8')
form.classifications = {
IIdentifier: ['browser'],
IChallenger: ['browser']
} # only for browser
basicauth = BasicAuthPlugin('repoze.who')
identifiers = [('form', form), ('fasident', faswho),
('basicauth', basicauth)]
authenticators = [('fasauth', faswho)]
challengers = [('form', form), ('basicauth', basicauth)]
mdproviders = [('fasmd', faswho), ('csrfmd', csrf_mdprovider)]
if os.environ.get('FAS_WHO_LOG'):
log_stream = sys.stdout
app = CSRFProtectionMiddleware(app)
app = PluggableAuthenticationMiddleware(
app,
identifiers,
authenticators,
challengers,
mdproviders,
fas_request_classifier,
default_challenge_decider,
log_stream=log_stream,
)
return app
def make_faswho_middleware(
app, log_stream=None,
login_handler='/login_handler',
login_form_url='/login',
logout_handler='/logout_handler',
post_login_url='/post_login', post_logout_url=None, fas_url=FAS_URL,
insecure=False, ssl_cookie=True, httponly=True):
'''
:arg app: WSGI app that is being wrapped
:kwarg log_stream: :class:`logging.Logger` to log auth messages
:kwarg login_handler: URL where the login form is submitted
:kwarg login_form_url: URL where the login form is displayed
:kwarg logout_handler: URL where the logout form is submitted
:kwarg post_login_url: URL to redirect the user to after login
:kwarg post_logout_url: URL to redirect the user to after logout
:kwarg fas_url: Base URL to the FAS server
:kwarg insecure: Allow connecting to a fas server without checking the
server's SSL certificate. Opens you up to MITM attacks but can be
useful when testing. *Do not enable this in production*
:kwarg ssl_cookie: If :data:`True` (default), tell the browser to only
send the session cookie back over https.
:kwarg httponly: If :data:`True` (default), tell the browser that the
session cookie should only be read for sending to a server, not for
access by JavaScript or other clientside technology. This prevents
using the session cookie to pass information to JavaScript clients but
also prevents XSS attacks from stealing the session cookie
information.
'''
# Because of the way we override values (via a dict in AppConfig), we
# need to make this a keyword arg and then check it here to make it act
# like a positional arg.
if not log_stream:
raise TypeError(
'log_stream must be set when calling make_fasauth_middleware()')
faswho = FASWhoPlugin(fas_url, insecure=insecure, ssl_cookie=ssl_cookie,
httponly=httponly)
csrf_mdprovider = CSRFMetadataProvider()
form = FriendlyFormPlugin(login_form_url,
login_handler,
post_login_url,
logout_handler,
post_logout_url,
rememberer_name='fasident',
charset='utf-8')
form.classifications = {IIdentifier: ['browser'],
IChallenger: ['browser']} # only for browser
basicauth = BasicAuthPlugin('repoze.who')
identifiers = [
('form', form),
('fasident', faswho),
('basicauth', basicauth)
]
authenticators = [('fasauth', faswho)]
challengers = [('form', form), ('basicauth', basicauth)]
mdproviders = [('fasmd', faswho), ('csrfmd', csrf_mdprovider)]
if os.environ.get('FAS_WHO_LOG'):
log_stream = sys.stdout
app = CSRFProtectionMiddleware(app)
app = PluggableAuthenticationMiddleware(
app,
identifiers,
authenticators,
challengers,
mdproviders,
fas_request_classifier,
default_challenge_decider,
log_stream=log_stream,
)
return app
def make_app(global_conf, full_stack=True, **app_conf):
"""
Set munkireport up with the settings found in the PasteDeploy configuration
file used.
:param global_conf: The global settings for munkireport (those
defined under the ``[DEFAULT]`` section).
:type global_conf: dict
:param full_stack: Should the whole TG2 stack be set up?
:type full_stack: str or bool
:return: The munkireport application with all the relevant middleware
loaded.
This is the PasteDeploy factory for the munkireport application.
``app_conf`` contains all the application-specific settings (those defined
under ``[app:main]``.
"""
app = make_base_app(global_conf, full_stack=True, **app_conf)
# Wrap your base TurboGears 2 application with custom middleware here
# Initialize repoze.what plugins.
groups_path = os.path.join(global_conf.get("appsupport_dir"), "groups.ini")
groups = {
"ini_groups": INIGroupAdapter(app_conf.get("what.groups_file", groups_path)),
"dscl_groups": MacOSXGroupAdapter()
}
permissions_path = os.path.join(global_conf.get("appsupport_dir"), "permissions.ini")
permissions = {
"ini_permissions": INIPermissionsAdapter(app_conf.get("what.permissions_file", permissions_path))
}
# Initialize repoze.who plugins.
friendlyform = FriendlyFormPlugin(
"/login",
"/login_handler",
None,
"/logout_handler",
None,
"auth_tkt",
login_counter_name=None
)
friendlyform.classifications = {
IIdentifier: ['browser'],
IChallenger: ['browser']
}
auth_tkt = AuthTktPlugin(secret=app_conf["beaker.session.secret"])
macosx_authenticator = MacOSXAuthenticator()
macosx_metadataprovider = MacOSXMetadataProvider()
file_authenticator = FileAuthenticator()
file_metadataprovider = FileMetadataProvider()
# Configuration for repoze.who.
identifiers = [
('friendlyform', friendlyform),
('auth_tkt', auth_tkt)
]
authenticators = [
('macosx_authenticator', macosx_authenticator),
('file_authenticator', file_authenticator)
]
challengers = [
('friendlyform', friendlyform)
]
mdproviders = [
('macosx_metadataprovider', macosx_metadataprovider),
('file_metadataprovider', file_metadataprovider)
]
# Setup authentication and authorization through repoze.what.
app = setup_auth(
app,
groups,
permissions,
identifiers=identifiers,
authenticators=authenticators,
challengers=challengers,
mdproviders=mdproviders,
#log_stream=sys.stdout,
#log_level=logging.DEBUG
)
return app
