def _makeApp(self, groups, permissions, **who_args): cookie = AuthTktCookiePlugin('secret', 'authtkt') form = RedirectingFormPlugin('/login', '/login_handler', '/logout_handler', rememberer_name='cookie') identifiers = [('main_identifier', form), ('cookie', cookie)] authenticators = [('fake_authenticator', FakeAuthenticator())] challengers = [('form', form)] if groups is None: app_with_auth = setup_auth( DummyApp(), identifiers=identifiers, authenticators=authenticators, challengers=challengers, **who_args ) else: app_with_auth = setup_auth( DummyApp(), groups, permissions, identifiers=identifiers, authenticators=authenticators, challengers=challengers, **who_args ) return app_with_auth
def _makeApp(self, groups, permissions, **who_args): cookie = AuthTktCookiePlugin('secret', 'authtkt') form = RedirectingFormPlugin('/login', '/login_handler', '/logout_handler', rememberer_name='cookie') identifiers = [('main_identifier', form), ('cookie', cookie)] authenticators = [('fake_authenticator', FakeAuthenticator())] challengers = [('form', form)] if groups is None: app_with_auth = setup_auth(DummyApp(), identifiers=identifiers, authenticators=authenticators, challengers=challengers, **who_args) else: app_with_auth = setup_auth(DummyApp(), groups, permissions, identifiers=identifiers, authenticators=authenticators, challengers=challengers, **who_args) return app_with_auth
def make_auth_basic(app, global_config, conn=None, **local_conf): """Paste entry point for auth basic middleware using repoze.what""" if not conn: section = local_conf.get('section', 'ldap') config_file = local_conf.get('config', os.path.expanduser('~/.ldap.cfg')) conn = Connection(section, filename=config_file) basicauth = BasicAuthPlugin('Private web site') identifiers = [("basicauth", basicauth)] challengers = [("basicauth", basicauth)] authenticators = [("accounts", auth.Authenticator(conn, **local_conf))] groups = {'all_groups': auth.GroupAdapter(conn, **local_conf)} permissions = {'all_perms': auth.PermissionAdapter(conn, **local_conf)} mdproviders = [("accounts", auth.MDPlugin(conn, **local_conf))] return setup_auth(app, groups, permissions, identifiers=identifiers, authenticators=authenticators, challengers=challengers, mdproviders=mdproviders)
def AuthBasicMiddleware(app, global_config, **local_conf): if 'couchdb.uri' not in local_conf: local_conf['couchdb.uri'] = 'http://127.0.0.1:5984' server = couchdbkit.Server(local_conf['couchdb.uri']) db = server.get_or_create_db(local_conf['couchdb.db_name']) authenticator = couchdbkit.Authenticator(db) groups = couchdbkit.GroupAdapter(db) groups = {'all_groups': groups} basicauth = BasicAuthPlugin('Private web site') identifiers = [("basicauth", basicauth)] challengers = [("basicauth", basicauth)] authenticators = [("accounts", authenticator)] mdproviders = [("accounts", couchdbkit.MDPlugin(db))] permissions = {'all_perms': couchdbkit.PermissionAdapter(db)} return setup_auth(app, groups, permissions, identifiers=identifiers, authenticators=authenticators, challengers=challengers, mdproviders=mdproviders)
def make_app(controller_klass, environ={}, with_errors=False): """Creates a ``TestApp`` instance.""" # The basic middleware: app = ControllerWrap(controller_klass) app = SetupCacheGlobal(app, environ, setup_cache=True, setup_session=True) if with_errors: app = ErrorHandler(app, {}, debug=False) app = StatusCodeRedirect(app, [403, 404, 500]) app = RegistryManager(app) app = SessionMiddleware(app, {}, data_dir=session_dir) app = CacheMiddleware(app, {}, data_dir=os.path.join(data_dir, 'cache')) # We're not going to use groups or permissions-related predicates here: groups_adapters = None permissions_adapters = None # Setting repoze.who up: cookie = AuthTktCookiePlugin('secret', 'authtkt') identifiers = [('cookie', cookie)] app = setup_auth(app, groups_adapters, permissions_adapters, identifiers=identifiers, authenticators=[], challengers=[], skip_authentication=True) app = httpexceptions.make_middleware(app) return TestApp(app)
def make_app(controller_klass, environ={}): """Creates a ``TestApp`` instance.""" # The basic middleware: app = ControllerWrap(controller_klass) app = SetupCacheGlobal(app, environ, setup_cache=True, setup_session=True) app = RegistryManager(app) app = SessionMiddleware(app, {}, data_dir=session_dir) app = CacheMiddleware(app, {}, data_dir=os.path.join(data_dir, 'cache')) # We're not going to use groups or permissions-related predicates here: groups_adapters = None permissions_adapters = None # Setting repoze.who up: cookie = AuthTktCookiePlugin('secret', 'authtkt') identifiers = [('cookie', cookie)] app = setup_auth(app, groups_adapters, permissions_adapters, identifiers=identifiers, authenticators=[], challengers=[], skip_authentication=True) app = httpexceptions.make_middleware(app) return TestApp(app)
def add_auth(app): # We need to set up the repoze.who components used by repoze.what for # authentication from repoze.who.plugins.htpasswd import HTPasswdPlugin, crypt_check from repoze.who.plugins.basicauth import BasicAuthPlugin htpasswd = HTPasswdPlugin('passwd', crypt_check) basicauth = BasicAuthPlugin('Alerts') identifiers = [('basicauth', basicauth)] authenticators = [('htpasswd', htpasswd)] challengers = [('basicauth', basicauth)] mdproviders = [] # We'll use group and permission based exclusively on INI files from repoze.what.plugins.ini import INIGroupAdapter from repoze.what.plugins.ini import INIPermissionsAdapter groups = {'all_groups': INIGroupAdapter('groups.ini')} permissions = {'all_perms': INIPermissionsAdapter('permissions.ini')} # Finally, we create the repoze.what middleware import logging from repoze.what.middleware import setup_auth middleware = setup_auth(app=app, group_adapters=groups, permission_adapters=permissions, identifiers=identifiers, authenticators=authenticators, challengers=challengers, mdproviders=mdproviders, log_level=logging.DEBUG) return middleware
def AuthBasicMiddleware(app, global_config, **local_conf): if 'couchdb.uri' not in local_conf: local_conf['couchdb.uri'] = 'http://127.0.0.1:5984' server = couchdbkit.Server(local_conf['couchdb.uri']) db = server.get_or_create_db(local_conf['couchdb.db_name']) authenticator=couchdbkit.Authenticator(db) groups = couchdbkit.GroupAdapter(db) groups = {'all_groups': groups} basicauth = BasicAuthPlugin('Private web site') identifiers=[("basicauth", basicauth)] challengers=[("basicauth", basicauth)] authenticators=[("accounts", authenticator)] mdproviders=[("accounts", couchdbkit.MDPlugin(db))] permissions = {'all_perms': couchdbkit.PermissionAdapter(db)} return setup_auth(app, groups, permissions, identifiers=identifiers, authenticators=authenticators, challengers=challengers, mdproviders=mdproviders)
def add_auth(app, config): """Add authentication and authorization middleware to the ``app``.""" groups_adapter = SqlGroupsAdapter(Group, User, DBSession) groups_adapter.translations['item_name'] = 'user_id' permission_adapter = SqlPermissionsAdapter(Permission, Group, DBSession) return setup_auth(app, {'sql_groups': groups_adapter}, {'sql_permissions': permission_adapter}, **who_config(config))
def make_app(controller_klass, environ={}): """Creates a ``TestApp`` instance.""" # The basic middleware: app = ControllerWrap(controller_klass) app = SetupCacheGlobal(app, environ, setup_cache=True, setup_session=True) app = RegistryManager(app) app = SessionMiddleware(app, {}, data_dir=session_dir) app = CacheMiddleware(app, {}, data_dir=os.path.join(data_dir, "cache")) # We're not going to use groups or permissions-related predicates here: groups_adapters = None permissions_adapters = None # Setting repoze.who up: cookie = AuthTktCookiePlugin("secret", "authtkt") identifiers = [("cookie", cookie)] app = setup_auth( app, groups_adapters, permissions_adapters, identifiers=identifiers, authenticators=[], challengers=[], skip_authentication=True, ) app = httpexceptions.make_middleware(app) return TestApp(app)
def _make_app(self): r"""Create a demo app with the WSGI-like stack applied on top""" self.plugin = self._makeOne(realm='OAuthRealm') app = DemoApp() # Apply repoze on top app = setup_auth(app, group_adapters=None, permission_adapters=None, identifiers=[('oauth', self.plugin)], authenticators=[('oauth', self.plugin)], challengers=[('oauth', self.plugin)]) self.app = TestApp(app) return self.app
def add_auth(app): """ Add authentication and authorization middleware to the ``app``. :param app: The WSGI application. :return: The same WSGI application, with authentication and authorization middleware. People will login using HTTP Authentication and their credentials are kept in an ``Htpasswd`` file. For authorization through repoze.what, we load our groups stored in an ``Htgroups`` file and our permissions stored in an ``.ini`` file. """ from repoze.who.plugins.basicauth import BasicAuthPlugin #from repoze.who.plugins.htpasswd import HTPasswdPlugin, crypt_check from repoze.what.middleware import setup_auth from repoze.what.plugins.sql import SQLPermissionsAdapter # Defining the group adapters; you may add as much as you need: groups = {'all_groups': SqlGroupsAdapter(Group, User, DBSession)} # Defining the permission adapters; you may add as much as you need: permissions = {'all_perms': SqlPermissionsAdapter(Permission, Group, DBSession)} # repoze.who identifiers; you may add as much as you need: basicauth = BasicAuthPlugin('Private web site') identifiers = [('basicauth', basicauth)] # repoze.who authenticators; you may add as much as you need: htpasswd_auth = HTPasswdPlugin('/path/to/users.htpasswd', crypt_check) authenticators = [('htpasswd', htpasswd_auth)] # repoze.who challengers; you may add as much as you need: challengers = [('basicauth', basicauth)] app_with_auth = setup_auth( app, groups, permissions, identifiers=identifiers, authenticators=authenticators, challengers=challengers) return app_with_auth
def AuthBasicMiddleware(app, conf, user_class): groups = GroupAdapter(user_class) groups = {'all_groups': groups} permissions = {'all_perms': PermissionAdapter(conf["couchdb.db"])} basicauth = BasicAuth() cookie = AuthTktCookiePlugin(conf['cookies.secret']) who_args = {} who_args['authenticators'] = [('accounts', Authenticator(user_class))] who_args['challengers'] = [('basicauth', basicauth)] who_args['identifiers'] = [('basicauth', basicauth), ('cookie', cookie)] who_args['mdproviders'] = [('accounts', MDPlugin(user_class))] who_args['log_stream'] = sys.stdout who_args['log_level'] = logging.DEBUG return setup_auth(app, groups, permissions, **who_args)
def AuthenticationMiddleware(app, config): from repoze.who.plugins.auth_tkt import AuthTktCookiePlugin from repoze.who.plugins.basicauth import BasicAuthPlugin from repoze.who.plugins.friendlyform import FriendlyFormPlugin from repoze.who.plugins.cookie import InsecureCookiePlugin from repoze.what.plugins.ini import INIPermissionsAdapter from repoze.what.middleware import setup_auth conn = ldap.get_conn() cookie = InsecureCookiePlugin('__ac') loginform = FriendlyFormPlugin(login_form_url="/login", login_handler_path="/do_login", post_login_url="/login", logout_handler_path="/logout", post_logout_url="/login", rememberer_name="_ac") authenticator = auth.Authenticator(conn) groups = auth.GroupAdapter(conn) groups = {'all_groups': groups} basicauth = BasicAuthPlugin('Private web site') if 'auth.basic' in config: identifiers = [("basicauth", basicauth)] challengers = [("basicauth", basicauth)] else: identifiers = [("loginform", loginform), ("_ac", cookie), ("basicauth", basicauth)] challengers = [("loginform", loginform)] authenticators = [("accounts", authenticator)] mdproviders = [("accounts", auth.MDPlugin(conn))] permissions = { 'all_perms': INIPermissionsAdapter(config['auth.permissions']) } return setup_auth(app, groups, permissions, identifiers=identifiers, authenticators=authenticators, challengers=challengers, mdproviders=mdproviders)
def add_auth(app, config): """ Add authentication and authorization middleware to the ``app``. :param app: The WSGI application. :return: The same WSGI application, with authentication and authorization middleware. People will login using HTTP Authentication and their credentials are kept in an ``Htpasswd`` file. For authorization through repoze.what, we load our groups stored in an ``Htgroups`` file and our permissions stored in an ``.ini`` file. """ OAuthTwitterConsumer.consumer_key = config['oauth.consumer_key'] OAuthTwitterConsumer.consumer_secret = config['oauth.consumer_secret'] oauth = OAuthIdentificationPlugin(OAuthTwitterConsumer, login_handler_path = '/login', logout_handler_path = '/logout', login_form_url = '/login_form', logged_in_url = '/', logged_out_url = '/', came_from_field = 'came_from', rememberer_name='auth_tkt') identifiers = [('oauth', oauth), ('auth_tkt', AuthTktCookiePlugin('secret', 'auth_tkt'))] authenticators = [('oauth', oauth)] # repoze.who challengers; you may add as much as you need: challengers = [('oauth', oauth)] permissions = {} groups = {} app_with_auth = setup_auth( app, identifiers=identifiers, authenticators=authenticators, challengers=challengers, challenge_decider=oauth_challenge_decider) return app_with_auth
def make_app(controller_klass, environ={}): """Creates a `TestApp` instance.""" app = ControllerWrap(controller_klass) app = SetupCacheGlobal(app, environ, setup_cache=True, setup_session=True) app = RegistryManager(app) app = SessionMiddleware(app, {}, data_dir=session_dir) app = CacheMiddleware(app, {}, data_dir=os.path.join(data_dir, 'cache')) # Setting up the source adapters: groups_adapters = {'my_groups': FakeGroupSourceAdapter()} permissions_adapters = {'my_permissions': FakePermissionSourceAdapter()} # Setting up repoze.who: cookie = AuthTktCookiePlugin('secret', 'authtkt') identifiers = [('cookie', cookie)] app = setup_auth(app, groups_adapters, permissions_adapters, identifiers=identifiers, authenticators=[], challengers=[], skip_authentication=True) app = httpexceptions.make_middleware(app) return TestApp(app)
def make_middleware_with_config(app, global_conf, config_file, who_config_file = '', log_file=None, log_level=None): if not who_config_file: who_config_file = config_file who_parser = WhoConfig(global_conf['here']) who_parser.parse(open(who_config_file)) what_parser = WhatConfig(global_conf['here']) what_parser.parse(open(config_file)) log_stream = None if log_file is not None: if log_file.lower() == 'stdout': log_stream = sys.stdout else: log_stream = open(log_file, 'wb') if log_level is None: log_level = logging.INFO else: log_level = _LEVELS[log_level.lower()] return setup_auth(app, group_adapters=what_parser.group_adapters, permission_adapters=what_parser.permission_adapters, identifiers=who_parser.identifiers, authenticators=who_parser.authenticators, challengers=who_parser.challengers, mdproviders=who_parser.mdproviders, classifier=who_parser.request_classifier, challenge_decider=who_parser.challenge_decider, log_stream = log_stream, log_level = log_level, remote_user_key = who_parser.remote_user_key, )
def setup_sql_auth(app, user_class, group_class, permission_class, dbsession, form_plugin=None, form_identifies=True, cookie_secret='secret', cookie_name='authtkt', login_url='/login', login_handler='/login_handler', post_login_url=None, logout_handler='/logout_handler', post_logout_url=None, login_counter_name=None, translations={}, **who_args): """ Configure :mod:`repoze.who` and :mod:`repoze.what` with SQL-only authentication and authorization, respectively. :param app: Your WSGI application. :param user_class: The SQLAlchemy/Elixir class for the users. :param group_class: The SQLAlchemy/Elixir class for the groups. :param permission_class: The SQLAlchemy/Elixir class for the permissions. :param dbsession: The SQLAlchemy/Elixir session. :param form_plugin: The main :mod:`repoze.who` challenger plugin; this is usually a login form. :param form_identifies: Whether the ``form_plugin`` may and should act as an :mod:`repoze.who` identifier. :type form_identifies: bool :param cookie_secret: The "secret" for the AuthTktCookiePlugin. :type cookie_secret: str :param cookie_name: The name for the AuthTktCookiePlugin. :type cookie_name: str :param login_url: The URL where the login form is displayed. :type login_url: str :param login_handler: The URL where the login form is submitted. :type login_handler: str :param post_login_url: The URL/path where users should be redirected to after login. :type post_login_url: str :param logout_handler: The URL where the logout is handled. :type login_handler: str :param post_logout_url: The URL/path where users should be redirected to after logout. :type post_logout_url: str :param login_counter_name: The name of the variable in the query string that represents the login counter; defaults to ``__logins``. :type login_counter_name: str :param translations: The model translations. :type translations: dict :return: The WSGI application with authentication and authorization middleware. It configures :mod:`repoze.who` with the following plugins: * Identifiers: * :class:`repoze.who.plugins.friendlyform.FriendlyFormPlugin` as the first identifier and challenger -- using ``login`` as the URL/path where the login form will be displayed, ``login_handler`` as the URL/path where the form will be sent and ``logout_handler`` as the URL/path where the user will be logged out. The so-called *rememberer* of such an identifier will be the identifier below. If ``post_login_url`` is defined, the user will be redirected to that page after login. Likewise, if ``post_logout_url`` is defined, the user will be redirected to that page after logout. You can override the :class:`repoze.who.plugins.friendlyform.FriendlyFormPlugin`'s login counter variable name (which defaults to ``__logins``) by defining ``login_counter_name``. .. tip:: This plugin may be overridden with the ``form_plugin`` argument. See also the ``form_identifies`` argument. * :class:`repoze.who.plugins.auth_tkt.AuthTktCookiePlugin`. You can customize the cookie name and secret using the ``cookie_name`` and ``cookie_secret`` arguments, respectively. Then it will append the identifiers you pass through the ``identifiers`` keyword argument, if any. * Authenticators: * :class:`repoze.who.plugins.sa.SQLAlchemyAuthenticatorPlugin`, using the ``user_class`` and ``dbsession`` arguments as its user class and DB session, respectively. Then it will append the authenticators you pass through the ``authenticators`` keyword argument, if any. * Challengers: * The same Form-based plugin used in the identifiers. Then it will append the challengers you pass through the ``challengers`` keyword argument, if any. * Metadata providers: * :class:`repoze.who.plugins.sa.SQLAlchemyUserMDPlugin`, using the ``user_class`` and ``dbsession`` arguments as its user class and DB session, respectively. Then it will append the metadata providers you pass through the ``mdproviders`` keyword argument, if any. Additional keyword arguments will be passed to :class:`repoze.who.middleware.PluggableAuthenticationMiddleware`. .. note:: If you don't want to use the groups/permissions-based authorization pattern, then set ``group_class`` and ``permission_class`` to ``None``. """ plugin_translations = find_plugin_translations(translations) if group_class is None or permission_class is None: group_adapters = permission_adapters = None else: source_adapters = configure_sql_adapters( user_class, group_class, permission_class, dbsession, plugin_translations['group_adapter'], plugin_translations['permission_adapter']) group_adapters = {'sql_auth': source_adapters['group']} permission_adapters = {'sql_auth': source_adapters['permission']} # Setting the repoze.who authenticators: sqlauth = SQLAlchemyAuthenticatorPlugin(user_class, dbsession) sqlauth.translations.update(plugin_translations['authenticator']) if 'authenticators' not in who_args: who_args['authenticators'] = [] who_args['authenticators'].append(('sqlauth', sqlauth)) cookie = AuthTktCookiePlugin(cookie_secret, cookie_name) # Setting the repoze.who identifiers if 'identifiers' not in who_args: who_args['identifiers'] = [] who_args['identifiers'].append(('cookie', cookie)) if form_plugin is None: form = FriendlyFormPlugin(login_url, login_handler, post_login_url, logout_handler, post_logout_url, login_counter_name=login_counter_name, rememberer_name='cookie') else: form = form_plugin if form_identifies: who_args['identifiers'].insert(0, ('main_identifier', form)) # Setting the repoze.who challengers: if 'challengers' not in who_args: who_args['challengers'] = [] who_args['challengers'].append(('form', form)) # Setting up the repoze.who mdproviders: sql_user_md = SQLAlchemyUserMDPlugin(user_class, dbsession) sql_user_md.translations.update(plugin_translations['mdprovider']) if 'mdproviders' not in who_args: who_args['mdproviders'] = [] who_args['mdproviders'].append(('sql_user_md', sql_user_md)) middleware = setup_auth(app, group_adapters, permission_adapters, **who_args) return middleware
def setup_sql_auth(app, user_class, group_class, permission_class, dbsession, form_plugin=None, form_identifies=True, cookie_secret='secret', cookie_name='authtkt', login_url='/login', login_handler='/login_handler', post_login_url=None, logout_handler='/logout_handler', post_logout_url=None, login_counter_name=None, translations={}, **who_args): """ Configure :mod:`repoze.who` and :mod:`repoze.what` with SQL-only authentication and authorization, respectively. :param app: Your WSGI application. :param user_class: The SQLAlchemy/Elixir class for the users. :param group_class: The SQLAlchemy/Elixir class for the groups. :param permission_class: The SQLAlchemy/Elixir class for the permissions. :param dbsession: The SQLAlchemy/Elixir session. :param form_plugin: The main :mod:`repoze.who` challenger plugin; this is usually a login form. :param form_identifies: Whether the ``form_plugin`` may and should act as an :mod:`repoze.who` identifier. :type form_identifies: bool :param cookie_secret: The "secret" for the AuthTktCookiePlugin. :type cookie_secret: str :param cookie_name: The name for the AuthTktCookiePlugin. :type cookie_name: str :param login_url: The URL where the login form is displayed. :type login_url: str :param login_handler: The URL where the login form is submitted. :type login_handler: str :param post_login_url: The URL/path where users should be redirected to after login. :type post_login_url: str :param logout_handler: The URL where the logout is handled. :type login_handler: str :param post_logout_url: The URL/path where users should be redirected to after logout. :type post_logout_url: str :param login_counter_name: The name of the variable in the query string that represents the login counter; defaults to ``__logins``. :type login_counter_name: str :param translations: The model translations. :type translations: dict :return: The WSGI application with authentication and authorization middleware. It configures :mod:`repoze.who` with the following plugins: * Identifiers: * :class:`repoze.who.plugins.friendlyform.FriendlyFormPlugin` as the first identifier and challenger -- using ``login`` as the URL/path where the login form will be displayed, ``login_handler`` as the URL/path where the form will be sent and ``logout_handler`` as the URL/path where the user will be logged out. The so-called *rememberer* of such an identifier will be the identifier below. If ``post_login_url`` is defined, the user will be redirected to that page after login. Likewise, if ``post_logout_url`` is defined, the user will be redirected to that page after logout. You can override the :class:`repoze.who.plugins.friendlyform.FriendlyFormPlugin`'s login counter variable name (which defaults to ``__logins``) by defining ``login_counter_name``. .. tip:: This plugin may be overridden with the ``form_plugin`` argument. See also the ``form_identifies`` argument. * :class:`repoze.who.plugins.auth_tkt.AuthTktCookiePlugin`. You can customize the cookie name and secret using the ``cookie_name`` and ``cookie_secret`` arguments, respectively. Then it will append the identifiers you pass through the ``identifiers`` keyword argument, if any. * Authenticators: * :class:`repoze.who.plugins.sa.SQLAlchemyAuthenticatorPlugin`, using the ``user_class`` and ``dbsession`` arguments as its user class and DB session, respectively. Then it will append the authenticators you pass through the ``authenticators`` keyword argument, if any. * Challengers: * The same Form-based plugin used in the identifiers. Then it will append the challengers you pass through the ``challengers`` keyword argument, if any. * Metadata providers: * :class:`repoze.who.plugins.sa.SQLAlchemyUserMDPlugin`, using the ``user_class`` and ``dbsession`` arguments as its user class and DB session, respectively. Then it will append the metadata providers you pass through the ``mdproviders`` keyword argument, if any. Additional keyword arguments will be passed to :class:`repoze.who.middleware.PluggableAuthenticationMiddleware`. .. note:: If you don't want to use the groups/permissions-based authorization pattern, then set ``group_class`` and ``permission_class`` to ``None``. """ plugin_translations = find_plugin_translations(translations) if group_class is None or permission_class is None: group_adapters = permission_adapters = None else: source_adapters = configure_sql_adapters( user_class, group_class, permission_class, dbsession, plugin_translations['group_adapter'], plugin_translations['permission_adapter']) group_adapters = {'sql_auth': source_adapters['group']} permission_adapters = {'sql_auth': source_adapters['permission']} # Setting the repoze.who authenticators: sqlauth = SQLAlchemyAuthenticatorPlugin(user_class, dbsession) sqlauth.translations.update(plugin_translations['authenticator']) if 'authenticators' not in who_args: who_args['authenticators'] = [] who_args['authenticators'].append(('sqlauth', sqlauth)) cookie = AuthTktCookiePlugin(cookie_secret, cookie_name) # Setting the repoze.who identifiers if 'identifiers' not in who_args: who_args['identifiers'] = [] who_args['identifiers'].append(('cookie', cookie)) if form_plugin is None: form = FriendlyFormPlugin( login_url, login_handler, post_login_url, logout_handler, post_logout_url, login_counter_name=login_counter_name, rememberer_name='cookie') else: form = form_plugin if form_identifies: who_args['identifiers'].insert(0, ('main_identifier', form)) # Setting the repoze.who challengers: if 'challengers' not in who_args: who_args['challengers'] = [] who_args['challengers'].append(('form', form)) # Setting up the repoze.who mdproviders: sql_user_md = SQLAlchemyUserMDPlugin(user_class, dbsession) sql_user_md.translations.update(plugin_translations['mdprovider']) #if 'mdproviders' not in who_args: # who_args['mdproviders'] = [] #who_args['mdproviders'].append(('sql_user_md', sql_user_md)) middleware = setup_auth(app, group_adapters, permission_adapters, **who_args) return middleware
'edit': set(['older']), 'delete': set(['male', 'older']), } groups = {'all_groups': DictGroupSource(group_dict)} permissions = {'all_permissions': DictPermissionSource(permission_dict)} cookieident = AuthTktCookiePlugin('mySuperSecretSecret') formauth = RedirectingFormPlugin('/login', '/do_login', '/do_logout', rememberer_name='cookieident') identifiers = [('formauth', formauth), ('cookieident', cookieident)] challengers = [('formauth', formauth)] authenticators = [('mapauth', DictAuthenticator(user_dict))] auth_app = setup_auth(app, groups, permissions, identifiers=identifiers, authenticators=authenticators, challengers=challengers, ) # mount the application cherrypy.tree.graft(auth_app, '/') cherrypy.engine.start() cherrypy.engine.block()
def setup_couch_auth(app, user_class=None, group_class=None, permission_class=None, form_plugin=None, form_identities=True, cookie_secret='secret', cookie_name='authtkt', cookie_timeout=None, cookie_reissue_time=None, charset='utf-8', login_url='/login', login_handler='/login_handler', post_login_url=None, logout_handler='/logout_handler', post_logout_url=None, login_counter_name=None, translations=None, **who_args): """ Quickly configure repoze.who and repoze.what to use CouchDB for authentication and authorization. With the exception of app, all parameters are options. :param app: The WSGI application. :param user_class: The class to use for the User document. :param group_class: The class to use for the Group document. :param permission_class: The class to use for the Permission document. :param form_plugin: The form plugin to use. Defaults to FriendlyFormPlugin. :param form_identities: Whether or not to use the form plugin as an identity plugin. :param cookie_secret: The cookie secret to use for the authtkt plugin. :param cookie_name: The name of the cookie for the authtkt plugin. :param cookie_timeout: The cookie timeout for the authtkt plugin. :param cookie_reissue_time: How often to reissue the cookie for the authtkt plugin. :param charset: The character set for the authtkt plugin. :param login_url: The page that will be used to display the login form. :param login_handler: The URL where repoze.who will process logins. :param post_login_url: The URL to redirect to after login. :param logout_handler: The URL where repoze.who will process logouts. :param post_logout_url: The URL to redirect to after logout. :param login_counter_name: The name to use for the login counter. :param translations: The translations used to map CouchDB documents inside the wrapper classes. :param who_args: Additional configuration arguments to pass to repoze.who. :return: The modified WSGI application. """ t11 = default_translations if translations is not None: for k, v in translations.iteritems(): t11[k] = v t11['user_class'] = User if user_class is None else user_class t11['group_class'] = Group if group_class is None else group_class t11['perm_class'] = Permission if permission_class is None else permission_class if form_plugin is None: form_plugin = FriendlyFormPlugin(login_url, login_handler, post_login_url, logout_handler, post_logout_url, login_counter_name=login_counter_name, rememberer_name='cookie', charset=charset) group_adapters = {'couch_auth': GroupAdapter(t11)} perm_adapters = {'couch_auth': PermissionAdapter(t11)} authenticator = ('couch_auth', AuthenticatorPlugin(t11)) metadata = ('couch_auth', MetadataPlugin(t11)) identifier = ('cookie', AuthTktCookiePlugin(cookie_secret, cookie_name, timeout=cookie_timeout, reissue_time=cookie_reissue_time)) challenger = ('form', form_plugin) if 'authenticators' not in who_args: who_args['authenticators'] = [] if 'identifiers' not in who_args: who_args['identifiers'] = [] if 'challengers' not in who_args: who_args['challengers'] = [] if 'mdproviders' not in who_args: who_args['mdproviders'] = [] if form_identities: who_args['identifiers'].insert(0, ('main_identifier', form_plugin)) who_args['authenticators'].append(authenticator) who_args['mdproviders'].append(metadata) who_args['identifiers'].append(identifier) who_args['challengers'].append(challenger) return setup_auth(app, group_adapters, perm_adapters, **who_args)
def add_auth(app, sitename, sessionname, sessionsecret, password_file, groups_file, permissions_file): """ Add authentication and authorization middleware to the ``app``. :param app: The WSGI application. :param sitename: the site name used in basic auth box. :param sessionname: basic auth name and cookie name. :param sessionsecret: unique secret string used to protect sessions. :param groups_file: the ini file source for the groups information. :param passwd_file: the ini file source for the permission information. :return: The same WSGI application, with authentication and authorization middleware. """ site = sitename cookie_secret = sessionsecret cookie_name = 'authtkt' login_url = url_for('/login') login_handler = url_for('/login_handler') post_login_url = None logout_handler = url_for('/logout_handler') post_logout_url = None login_counter_name = None get_log().info("add_auth: adding user/group/permission file based setup.") if not os.path.isfile(password_file): raise ValueError("Unable to find password file '%s'!" % password_file) else: user_data_file = os.path.abspath(password_file) if not os.path.isfile(groups_file): raise ValueError("Unable to find groups file '%s'!" % groups_file) else: groups = os.path.abspath(groups_file) if not os.path.isfile(permissions_file): raise ValueError("Unable to find password file '%s'!" % permissions_file) else: permissions = os.path.abspath(permissions_file) basicauth = BasicAuthPlugin(site) # Recover the User details and load it for the CSV repoze plugin to handle: fd = open(user_data_file, 'r') user_data = fd.read() fd.close() passauth_and_metadata = plain.PlainAuthenticatorMetadataProvider(user_data) form = FriendlyFormPlugin( login_url, login_handler, post_login_url, logout_handler, post_logout_url, login_counter_name=login_counter_name, rememberer_name='cookie' ) cookie = AuthTktCookiePlugin(cookie_secret, cookie_name) identifiers = [('main_identifier', form), ('basicauth', basicauth), ('cookie', cookie)] challengers = [('form', form), ('basicauth', basicauth)] authenticators = [('htpasswd', passauth_and_metadata)] mdproviders = [('simplemeta', passauth_and_metadata)] groups = {'all_groups': INIGroupAdapter(groups)} permissions = {'all_perms': INIPermissionsAdapter(permissions)} app_with_auth = setup_auth( app = app, group_adapters = groups, permission_adapters = permissions, identifiers = identifiers, authenticators = authenticators, challengers = challengers, mdproviders = mdproviders, log_level = logging.DEBUG ) get_log().info("add_auth: user/group/permission setup OK.") return app_with_auth
def setup_sql_auth(app, user_class, group_class, permission_class, dbsession, form_plugin=None, form_identifies=True, cookie_secret='secret', cookie_name='authtkt', login_url='/login', login_handler='/login_handler', post_login_url=None, logout_handler='/logout_handler', post_logout_url=None, login_counter_name=None, translations={}, cookie_timeout=None, cookie_reissue_time=None, charset="iso-8859-1", use_default_authenticator=True, **who_args): """ Configure :mod:`repoze.who` and :mod:`repoze.what` with SQL-only authentication and authorization, respectively. :param app: Your WSGI application. :param user_class: The SQLAlchemy/Elixir class for the users. :param group_class: The SQLAlchemy/Elixir class for the groups. :param permission_class: The SQLAlchemy/Elixir class for the permissions. :param dbsession: The SQLAlchemy/Elixir session. :param form_plugin: The main :mod:`repoze.who` challenger plugin; this is usually a login form. :param form_identifies: Whether the ``form_plugin`` may and should act as an :mod:`repoze.who` identifier. :type form_identifies: bool :param cookie_secret: The "secret" for the AuthTktCookiePlugin (**set a custom one!**). :type cookie_secret: str :param cookie_name: The name for the AuthTktCookiePlugin. :type cookie_name: str :param login_url: The URL where the login form is displayed. :type login_url: str :param login_handler: The URL where the login form is submitted. :type login_handler: str :param post_login_url: The URL/path where users should be redirected to after login. :type post_login_url: str :param logout_handler: The URL where the logout is handled. :type login_handler: str :param post_logout_url: The URL/path where users should be redirected to after logout. :type post_logout_url: str :param login_counter_name: The name of the variable in the query string that represents the login counter; defaults to ``__logins``. :type login_counter_name: str :param translations: The model translations. :type translations: dict :param cookie_timeout: The time (in seconds) during which the session cookie would be valid. :type cookie_timeout: :class:`int` :param cookie_reissue_time: How often should the session cookie be reissued (in seconds); must be less than ``timeout``. :type cookie_reissue_time: :class:`int` :param use_default_authenticator: Whether the default SQL authenticator should be used. :type use_default_authenticator: :class:`bool` :return: The WSGI application with authentication and authorization middleware. It configures :mod:`repoze.who` with the following plugins: * Identifiers: * :class:`repoze.who.plugins.friendlyform.FriendlyFormPlugin` as the first identifier and challenger -- using ``login`` as the URL/path where the login form will be displayed, ``login_handler`` as the URL/path where the form will be sent and ``logout_handler`` as the URL/path where the user will be logged out. The so-called *rememberer* of such an identifier will be the identifier below. If ``post_login_url`` is defined, the user will be redirected to that page after login. Likewise, if ``post_logout_url`` is defined, the user will be redirected to that page after logout. You can override the :class:`repoze.who.plugins.friendlyform.FriendlyFormPlugin`'s login counter variable name (which defaults to ``__logins``) by defining ``login_counter_name``. .. tip:: This plugin may be overridden with the ``form_plugin`` argument. See also the ``form_identifies`` argument. * :class:`repoze.who.plugins.auth_tkt.AuthTktCookiePlugin`. You can customize the cookie name and secret using the ``cookie_name`` and ``cookie_secret`` arguments, respectively. Then it will append the identifiers you pass through the ``identifiers`` keyword argument, if any. * Authenticators: * :class:`repoze.who.plugins.sa.SQLAlchemyAuthenticatorPlugin` (unless ``use_default_authenticator`` is ``False``), using the ``user_class`` and ``dbsession`` arguments as its user class and DB session, respectively. Then it will be appended to the authenticators you pass through the ``authenticators`` keyword argument, if any. The default authenticator would have the lowest precedence. * Challengers: * The same Form-based plugin used in the identifiers. Then it will append the challengers you pass through the ``challengers`` keyword argument, if any. * Metadata providers: * :class:`repoze.who.plugins.sa.SQLAlchemyUserMDPlugin`, using the ``user_class`` and ``dbsession`` arguments as its user class and DB session, respectively. Then it will append the metadata providers you pass through the ``mdproviders`` keyword argument, if any. The ``charset`` is passed to any component which needs to decode/encode data to/from the user. At present, only :class:`~repoze.who.plugins.friendlyform.FriendlyFormPlugin` does. Additional keyword arguments will be passed to :class:`repoze.who.middleware.PluggableAuthenticationMiddleware`. .. warning:: It's very important to set a custom ``cookie_secret``! It's the key to encrypt *and* decrypt the cookies, so you shouldn't leave the default one. .. note:: If you don't want to use the groups/permissions-based authorization pattern, then set ``group_class`` and ``permission_class`` to ``None``. .. versionchanged:: 1.0.5 Introduced the ``cookie_timeout`` and ``cookie_reissue_time`` arguments. .. versionchanged:: 1.0.6 Introduced the ``charset`` argument. .. versionchanged:: 1.0.8 Introduced the ``use_default_authenticator`` argument. """ plugin_translations = find_plugin_translations(translations) source_adapters = configure_sql_adapters( user_class, group_class, permission_class, dbsession, plugin_translations['group_adapter'], plugin_translations['permission_adapter']) group_adapters= {} group_adapter = source_adapters.get('group') if group_adapter: group_adapters = {'sql_auth': group_adapter} permission_adapters = {} permission_adapter = source_adapters.get('permission') if permission_adapter: permission_adapters = {'sql_auth': permission_adapter} # Setting the repoze.who authenticators: if 'authenticators' not in who_args: who_args['authenticators'] = [] if use_default_authenticator: sqlauth = SQLAlchemyAuthenticatorPlugin(user_class, dbsession) sqlauth.translations.update(plugin_translations['authenticator']) who_args['authenticators'].append(('sqlauth', sqlauth)) cookie = AuthTktCookiePlugin(cookie_secret, cookie_name, timeout=cookie_timeout, reissue_time=cookie_reissue_time) # Setting the repoze.who identifiers if 'identifiers' not in who_args: who_args['identifiers'] = [] who_args['identifiers'].append(('cookie', cookie)) if form_plugin is None: form = FriendlyFormPlugin( login_url, login_handler, post_login_url, logout_handler, post_logout_url, login_counter_name=login_counter_name, rememberer_name='cookie', charset=charset, ) else: form = form_plugin if form_identifies: who_args['identifiers'].insert(0, ('main_identifier', form)) # Setting the repoze.who challengers: if 'challengers' not in who_args: who_args['challengers'] = [] who_args['challengers'].append(('form', form)) # Setting up the repoze.who mdproviders: sql_user_md = SQLAlchemyUserMDPlugin(user_class, dbsession) sql_user_md.translations.update(plugin_translations['mdprovider']) if 'mdproviders' not in who_args: who_args['mdproviders'] = [] who_args['mdproviders'].append(('sql_user_md', sql_user_md)) # Including logging log_file = who_args.pop('log_file', None) if log_file is not None: if log_file.lower() == 'stdout': log_stream = sys.stdout elif log_file.lower() == 'stderr': log_stream = sys.stderr else: log_stream = open(log_file, 'wb') who_args['log_stream'] = log_stream log_level = who_args.get('log_level', None) if log_level is None: log_level = logging.INFO else: log_level = _LEVELS[log_level.lower()] who_args['log_level'] = log_level middleware = setup_auth(app, group_adapters, permission_adapters, **who_args) return middleware
def add_auth(app, config): """ Wrap authentication and authorization middleware around the ``app``. We're going to define post-login and post-logout pages to do some cool things. TODO Create a new validation authenticator and challenger that support username, password, company For documentation on repoze.who and repoze.what, see http://docs.repoze.org/who/1.0/ """ log.debug("add_auth()") log.debug("Configuring repoze.who") form_plugin = form.make_plugin( config.get('repoze.who.login_form_qs'), rememberer_name='auth_tkt', formcallable='example_app.lib.auth.auth:display_login_form' ) form.classifications = { IIdentifier: ['browser'], IChallenger: ['browser'] } auth_tkt_plugin = auth_tkt.make_plugin( secret=config.get('repoze.who.cookie.secret'), secretfile=config.get('repoze.who.cookie.secretfile'), cookie_name=config.get('repoze.who.cookie.cookie_name'), secure=config.get('repoze.who.cookie.secure'), include_ip=config.get('repoze.who.cookie.include_ip'), timeout=config.get('repoze.who.cookie.timeout'), reissue_time=config.get('repoze.who.cookie.reissue_time'), userid_checker='example_app.lib.auth.auth:userid_checker' ) sa_user_company_auth_plugin = sa_user_company.make_plugin(User, Company, Session) sa_userid_auth_plugin = sa_userid.make_authenticator_plugin(User, Session) sa_user_mdprovider_plugin = sa_userid.make_metadata_plugin(User, Session) identifiers = [('form', form_plugin), ('auth_tkt', auth_tkt_plugin)] authenticators = [('sa_user_compan_auth', sa_user_company_auth_plugin), ('sa_userid_auth', sa_userid_auth_plugin)] challengers = [('form', form_plugin)] mdproviders = [('sa_user', sa_user_mdprovider_plugin)] from repoze.who.classifiers import default_request_classifier from repoze.who.classifiers import default_challenge_decider log.debug("Configuring repoze.what") acl_plugin = adapters.configure_sql_adapters( User, AclGroup, AclPermission, Session, group_translations={'section_name': 'id', 'items': 'users', 'item_name': 'id', 'sections': 'groups'}, permission_translations={'section_name': 'id', 'items': 'groups', 'item_name': 'id', 'sections': 'permissions'} ) log.debug("Initializing middleware: repoze.what and repoze.who") return setup_auth( app, {'all_groups': acl_plugin['group']}, {'all_permissions': acl_plugin['permission']}, identifiers=identifiers, challengers=challengers, authenticators=authenticators, mdproviders=mdproviders, classifier=default_request_classifier, challenge_decider=default_challenge_decider, log_stream=log, log_level=logging.DEBUG )
def add_auth(app, site_name, cookie_name, cookie_secret, login_url, login_handler_url, authenticators, mdproviders, groups, permissions): """ Add authentication and authorization middleware to the ``app``. :param app: The WSGI application. :param site_name: the site name used in basic auth box. :param cookie_name: basic auth name and cookie name. :param cookie_secret: unique secret string used to protect sessions. :param login_url: the url for the login page :param login_handler_url: the url for the login handler :param authenticators: list of authenticator plugins :param mdproviders: list of mdprovider plugins :param groups: list of groups plugins :param permissions: list of permissions plugins :return: The same WSGI application, with authentication and authorization middleware. """ get_log().info("add_auth: intialising Repoze") if not authenticators: raise ValueError("No authenticators provided") if not mdproviders: raise ValueError("No mdproviders provided") if not groups: raise ValueError("No groups provided") if not permissions: raise ValueError("No permissions provided") # If we ever change default behavior for challengers and identifiers, # move these to the above function logout_handler = None form = RedirectingFormPlugin( login_url, login_handler_url, logout_handler, rememberer_name='cookie', ) cookie = AuthTktCookiePlugin(cookie_secret, cookie_name) #identifiers = [('main_identifier', form), ('basicauth', basicauth),\ # ('cookie', cookie)] #identifiers = [('basicauth', basicauth), ('cookie', cookie)] identifiers = [('form', form), ('cookie', cookie)] #challengers = [('form', form), ('basicauth', basicauth)] #challengers = [('basicauth', basicauth)] challengers = [('form', form)] #get_log().info(dict(groups)) #get_log().info( dict(permissions)) #get_log().info( identifiers) #get_log().info( authenticators) #get_log().info( challengers ) #get_log().info( mdproviders) app_with_auth = setup_auth( app=app, # # why these are dicts where all the other are lists... group_adapters=dict(groups), permission_adapters=dict(permissions), identifiers=identifiers, authenticators=authenticators, challengers=challengers, mdproviders=mdproviders, log_level=logging.DEBUG ) get_log().info("add_auth: user/group/permission setup OK.") return app_with_auth
def make_app(global_conf, full_stack=True, **app_conf): """ Set munkireport up with the settings found in the PasteDeploy configuration file used. :param global_conf: The global settings for munkireport (those defined under the ``[DEFAULT]`` section). :type global_conf: dict :param full_stack: Should the whole TG2 stack be set up? :type full_stack: str or bool :return: The munkireport application with all the relevant middleware loaded. This is the PasteDeploy factory for the munkireport application. ``app_conf`` contains all the application-specific settings (those defined under ``[app:main]``. """ app = make_base_app(global_conf, full_stack=True, **app_conf) # Wrap your base TurboGears 2 application with custom middleware here # Initialize repoze.what plugins. groups_path = os.path.join(global_conf.get("appsupport_dir"), "groups.ini") groups = { "ini_groups": INIGroupAdapter(app_conf.get("what.groups_file", groups_path)), "dscl_groups": MacOSXGroupAdapter() } permissions_path = os.path.join(global_conf.get("appsupport_dir"), "permissions.ini") permissions = { "ini_permissions": INIPermissionsAdapter(app_conf.get("what.permissions_file", permissions_path)) } # Initialize repoze.who plugins. friendlyform = FriendlyFormPlugin( "/login", "/login_handler", None, "/logout_handler", None, "auth_tkt", login_counter_name=None ) friendlyform.classifications = { IIdentifier: ['browser'], IChallenger: ['browser'] } auth_tkt = AuthTktPlugin(secret=app_conf["beaker.session.secret"]) macosx_authenticator = MacOSXAuthenticator() macosx_metadataprovider = MacOSXMetadataProvider() file_authenticator = FileAuthenticator() file_metadataprovider = FileMetadataProvider() # Configuration for repoze.who. identifiers = [ ('friendlyform', friendlyform), ('auth_tkt', auth_tkt) ] authenticators = [ ('macosx_authenticator', macosx_authenticator), ('file_authenticator', file_authenticator) ] challengers = [ ('friendlyform', friendlyform) ] mdproviders = [ ('macosx_metadataprovider', macosx_metadataprovider), ('file_metadataprovider', file_metadataprovider) ] # Setup authentication and authorization through repoze.what. app = setup_auth( app, groups, permissions, identifiers=identifiers, authenticators=authenticators, challengers=challengers, mdproviders=mdproviders, #log_stream=sys.stdout, #log_level=logging.DEBUG ) return app