def test_only_unauthenticated_userid_with_groupfinder(self): policies = [TestAuthnPolicyUnauthOnly()] policy = MultiAuthenticationPolicy(policies, testgroupfinder) request = DummyRequest() self.assertEquals(policy.unauthenticated_userid(request), "test3") self.assertEquals(policy.authenticated_userid(request), None) self.assertEquals(policy.effective_principals(request), [Everyone])
def test_stacking_of_authenticated_userid_with_groupdfinder(self): policies = [TestAuthnPolicy2(), TestAuthnPolicy3()] policy = MultiAuthenticationPolicy(policies, testgroupfinder) request = DummyRequest() self.assertEquals(policy.authenticated_userid(request), "test3") policies.reverse() self.assertEquals(policy.unauthenticated_userid(request), "test3")
def test_authenticated_userid_unauthenticated_with_groupfinder(self): policies = [TestAuthnPolicy2()] policy = MultiAuthenticationPolicy(policies, testgroupfinder) request = DummyRequest() self.assertEquals(policy.authenticated_userid(request), None) self.assertEquals(sorted(policy.effective_principals(request)), [Everyone, 'test2'])
def test_stacking_of_authenticated_userid(self): policies = [TestAuthnPolicy2(), TestAuthnPolicy3()] policy = MultiAuthenticationPolicy(policies) request = DummyRequest() self.assertEquals(policy.authenticated_userid(request), "test2") policies.reverse() self.assertEquals(policy.authenticated_userid(request), "test3")
def test_basic_stacking(self): policies = [TestAuthnPolicy1(), TestAuthnPolicy2()] policy = MultiAuthenticationPolicy(policies) request = DummyRequest() self.assertEquals(policy.authenticated_userid(request), "test2") self.assertEquals(sorted(policy.effective_principals(request)), [Authenticated, Everyone, "test1", "test2"])
def test_policy_selected_event(self): from pyramid.testing import testConfig from pyramid_multiauth import MultiAuthPolicySelected policies = [TestAuthnPolicy2(), TestAuthnPolicy3()] policy = MultiAuthenticationPolicy(policies) # Simulate loading from config: policies[0]._pyramid_multiauth_name = "name" with testConfig() as config: request = DummyRequest() selected_policy = [] def track_policy(event): selected_policy.append(event) config.add_subscriber(track_policy, MultiAuthPolicySelected) self.assertEquals(policy.authenticated_userid(request), "test2") self.assertEquals(selected_policy[0].policy, policies[0]) self.assertEquals(selected_policy[0].policy_name, "name") self.assertEquals(selected_policy[0].userid, "test2") self.assertEquals(selected_policy[0].request, request) self.assertEquals(len(selected_policy), 1) # Effective principals also triggers an event when groupfinder # is provided. policy_with_group = MultiAuthenticationPolicy(policies, lambda u, r: ['foo']) policy_with_group.effective_principals(request) self.assertEquals(len(selected_policy), 2)
def test_stacking_of_effective_principals(self): policies = [TestAuthnPolicy2(), TestAuthnPolicy3()] policy = MultiAuthenticationPolicy(policies) request = DummyRequest() self.assertEquals(sorted(policy.effective_principals(request)), [Authenticated, Everyone, "test2", "test3", "test4"]) policies.reverse() self.assertEquals(sorted(policy.effective_principals(request)), [Authenticated, Everyone, "test2", "test3", "test4"]) policies.append(TestAuthnPolicy1()) self.assertEquals( sorted(policy.effective_principals(request)), [Authenticated, Everyone, "test1", "test2", "test3", "test4"])
def test_stacking_of_effective_principals(self): policies = [TestAuthnPolicy2(), TestAuthnPolicy3()] policy = MultiAuthenticationPolicy(policies) request = DummyRequest() self.assertEquals(sorted(policy.effective_principals(request)), [Authenticated, Everyone, "test2", "test3", "test4"]) policies.reverse() self.assertEquals(sorted(policy.effective_principals(request)), [Authenticated, Everyone, "test2", "test3", "test4"]) policies.append(TestAuthnPolicy1()) self.assertEquals(sorted(policy.effective_principals(request)), [Authenticated, Everyone, "test1", "test2", "test3", "test4"])
def test_stacking_of_remember_and_forget(self): policies = [TestAuthnPolicy1(), TestAuthnPolicy2(), TestAuthnPolicy3()] policy = MultiAuthenticationPolicy(policies) request = DummyRequest() self.assertEquals(policy.remember(request, "ha"), [("X-Remember", "ha"), ("X-Remember-2", "ha")]) self.assertEquals(policy.forget(request), [("X-Forget", "foo"), ("X-Forget", "bar")]) policies.reverse() self.assertEquals(policy.remember(request, "ha"), [("X-Remember-2", "ha"), ("X-Remember", "ha")]) self.assertEquals(policy.forget(request), [("X-Forget", "bar"), ("X-Forget", "foo")])
def includeme(config): # Register our login service config.register_service_factory(database_login_factory, IUserService) # Register our token services config.register_service_factory(TokenServiceFactory(name="password"), ITokenService, name="password") config.register_service_factory(TokenServiceFactory(name="email"), ITokenService, name="email") # Register our password breach detection service. config.register_service_factory(hibp_password_breach_factory, IPasswordBreachedService) # Register our authentication and authorization policies config.set_authentication_policy( MultiAuthenticationPolicy([ SessionAuthenticationPolicy(callback=_authenticate), BasicAuthAuthenticationPolicy(check=_login_via_basic_auth), ])) config.set_authorization_policy(ACLAuthorizationPolicy()) # Add a request method which will allow people to access the user object. config.add_request_method(_user, name="user", reify=True) # Register the rate limits that we're going to be using for our login # attempts config.register_service_factory(RateLimit("10 per 5 minutes"), IRateLimiter, name="user.login") config.register_service_factory(RateLimit("1000 per 5 minutes"), IRateLimiter, name="global.login")
def create_authentication(settings): timeout = settings.get("authtkt_timeout") timeout = None if timeout is None else int(timeout) reissue_time = settings.get("reissue_time") reissue_time = None if reissue_time is None else int(reissue_time) http_only = settings.get("authtkt_http_only", "True") http_only = http_only.lower() in ("true", "yes", "1") secure = settings.get("authtkt_secure", "True") secure = secure.lower() in ("true", "yes", "1") samesite = settings.get("authtkt_samesite", "Lax") secret = settings["authtkt_secret"] if len(secret) < 64: raise Exception( '"authtkt_secret should be at least 64 characters.' 'See https://docs.pylonsproject.org/projects/pyramid/en/latest/api/session.html' ) cookie_authentication_policy = AuthTktAuthenticationPolicy( secret, callback=defaultgroupsfinder, cookie_name=settings["authtkt_cookie_name"], samesite=None if samesite == '' else samesite, timeout=timeout, max_age=timeout, reissue_time=reissue_time, hashalg="sha512", http_only=http_only, secure=secure, ) basic_authentication_policy = BasicAuthAuthenticationPolicy( c2cgeoportal_check) policies = [cookie_authentication_policy, basic_authentication_policy] return MultiAuthenticationPolicy(policies)
def test_access_token(self, time): time.return_value = 1355000000.000000 request = testing.DummyRequest() request.user = User('bob', 'Bob Example', '*****@*****.**') # mock auth from pyramid.authorization import ACLAuthorizationPolicy from pyramid_macauth import MACAuthenticationPolicy from pyramid_multiauth import MultiAuthenticationPolicy self.config.set_authorization_policy(ACLAuthorizationPolicy()) policy = Mock(MACAuthenticationPolicy) policy.encode_mac_id.return_value = 'id', 'key' mpolicy = MultiAuthenticationPolicy([policy]) self.config.set_authentication_policy(mpolicy) views = Views(request) response = views.access_token() expected_response = { "acesss_token": 'id', "mac_key": 'key', "expires_in": 360, "token_type": "mac", "mac_algorithm": "hmac-sha-1" } self.assertDictEqual(response, expected_response) self.assertEqual(request.response.headers['Cache-Control'], "no-store") policy.encode_mac_id.assert_called_with(request, 'bob', expires=1355000360)
def create_app(global_config, **settings): config = configure(settings=settings) config.add_request_method(features.Client, name='feature', reify=True) config.set_authorization_policy(ACLAuthorizationPolicy()) policy = MultiAuthenticationPolicy([ TokenAuthenticationPolicy(callback=groupfinder), SessionAuthenticationPolicy(callback=groupfinder), ]) config.set_authentication_policy(policy) config.include('h.auth') config.include('h.sentry') config.include('h.stats') # We have to include models and db to set up sqlalchemy metadata. config.include('h.models') config.include('h.db') config.include('h.api.db') # We have to include search to set up the `request.es` property. config.include('h.api.search') config.include('h.streamer') return config.make_wsgi_app()
def includeme(config): # Register our login service config.register_service_factory(database_login_factory, IUserService) config.register_service_factory(user_token_factory, IUserTokenService) # Register our authentication and authorization policies config.set_authentication_policy( MultiAuthenticationPolicy([ SessionAuthenticationPolicy(callback=_authenticate), BasicAuthAuthenticationPolicy(check=_login), ]), ) config.set_authorization_policy(ACLAuthorizationPolicy()) # Add a request method which will allow people to access the user object. config.add_request_method(_user, name="user", reify=True) # Register the rate limits that we're going to be using for our login # attempts config.register_service_factory( RateLimit("10 per 5 minutes"), IRateLimiter, name="user.login", ) config.register_service_factory( RateLimit("1000 per 5 minutes"), IRateLimiter, name="global.login", )
def includeme(config): global DEFAULT_POLICY global WEBSOCKET_POLICY # Set up authsanity settings = config.registry.settings settings['authsanity.source'] = 'cookie' settings['authsanity.cookie.max_age'] = 2592000 settings['authsanity.cookie.httponly'] = True settings['authsanity.secret'] = derive_key(settings['secret_key'], b'h.auth.cookie_secret') config.include('pyramid_authsanity') if config.registry.settings.get('h.proxy_auth'): log.warn('Enabling proxy authentication mode: you MUST ensure that ' 'the X-Forwarded-User request header can ONLY be set by ' 'trusted downstream reverse proxies! Failure to heed this ' 'warning will result in ALL DATA stored by this service ' 'being available to ANYONE!') DEFAULT_POLICY = AuthenticationPolicy(api_policy=TOKEN_POLICY, fallback_policy=PROXY_POLICY) WEBSOCKET_POLICY = MultiAuthenticationPolicy([TOKEN_POLICY, PROXY_POLICY]) # Set the default authentication policy. This can be overridden by modules # that include this one. config.set_authentication_policy(DEFAULT_POLICY) # Allow retrieval of the auth_domain from the request object. config.add_request_method(auth_domain, name='auth_domain', reify=True) # Allow retrieval of the auth token (if present) from the request object. config.add_request_method('.tokens.auth_token', reify=True)
def includeme(config): global DEFAULT_POLICY global WEBSOCKET_POLICY if config.registry.settings.get('h.proxy_auth'): log.warn('Enabling proxy authentication mode: you MUST ensure that ' 'the X-Forwarded-User request header can ONLY be set by ' 'trusted downstream reverse proxies! Failure to heed this ' 'warning will result in ALL DATA stored by this service ' 'being available to ANYONE!') DEFAULT_POLICY = AuthenticationPolicy(api_policy=TOKEN_POLICY, fallback_policy=PROXY_POLICY) WEBSOCKET_POLICY = MultiAuthenticationPolicy( [TOKEN_POLICY, PROXY_POLICY]) # Set the default authentication policy. This can be overridden by modules # that include this one. config.set_authentication_policy(DEFAULT_POLICY) # Allow retrieval of the auth_domain from the request object. config.add_request_method(auth_domain, name='auth_domain', reify=True) # Allow retrieval of the auth token (if present) from the request object. config.add_request_method(auth_token, reify=True)
def main(global_config, **settings): """Application factory""" config = Configurator(settings=settings, root_factory=RootFactory) declare_routes(config) session_factory = SignedCookieSessionFactory( settings.get('session_key', 'itsaseekreet')) config.set_session_factory(session_factory) global cache cache = CacheManager(**parse_cache_config_options(settings)) from .authnz import APIKeyAuthenticationPolicy api_key_authn_policy = APIKeyAuthenticationPolicy() config.include('openstax_accounts') openstax_authn_policy = config.registry.getUtility( IOpenstaxAccountsAuthenticationPolicy) policies = [api_key_authn_policy, openstax_authn_policy] authn_policy = MultiAuthenticationPolicy(policies) config.set_authentication_policy(authn_policy) authz_policy = ACLAuthorizationPolicy() config.set_authorization_policy(authz_policy) config.scan(ignore='cnxpublishing.tests') return config.make_wsgi_app()
def test_policy_selected_event(self): from pyramid.testing import testConfig from pyramid_multiauth import MultiAuthPolicySelected policies = [TestAuthnPolicy2(), TestAuthnPolicy3()] policy = MultiAuthenticationPolicy(policies) # Simulate loading from config: policies[0]._pyramid_multiauth_name = "name" with testConfig() as config: request = DummyRequest() selected_policy = [] def track_policy(event): selected_policy.append(event) config.add_subscriber(track_policy, MultiAuthPolicySelected) self.assertEquals(policy.authenticated_userid(request), "test2") self.assertEquals(selected_policy[0].policy, policies[0]) self.assertEquals(selected_policy[0].policy_name, "name") self.assertEquals(selected_policy[0].userid, "test2") self.assertEquals(selected_policy[0].request, request) self.assertEquals(len(selected_policy), 1) # Effective principals also triggers an event when groupfinder # is provided. policy_with_group = MultiAuthenticationPolicy( policies, lambda u, r: ['foo']) policy_with_group.effective_principals(request) self.assertEquals(len(selected_policy), 2)
def configure_authentication(self): """Set up authentication and authorization policies. """ import pyramid.tweens from pyramid.authorization import ACLAuthorizationPolicy from pyramid.authentication import SessionAuthenticationPolicy from pyramid_jwt import create_jwt_authentication_policy from pyramid_multiauth import MultiAuthenticationPolicy from elixr2.web.auth.principals import ( resolve_principals as get_principals, get_request_user ) from .api.security import jwt_principals_finder authz_policy = ACLAuthorizationPolicy() ses_authn_policy = SessionAuthenticationPolicy(callback=get_principals) jwt_authn_policy = create_jwt_authentication_policy(self.config, callback=jwt_principals_finder) multi_auth_args = [jwt_authn_policy, ses_authn_policy] authn_policy = MultiAuthenticationPolicy(multi_auth_args) self.config.set_authentication_policy(authn_policy) self.config.set_authorization_policy(authz_policy) # We need to carefully be above TM view, but below exc view so that # internal server error page doesn't trigger session authentication # that accesses the database self.config.add_tween( "elixr2.web.auth.tweens.SessionInvalidationTweenFactory", under="pyramid_tm.tm_tween_factory") # # TODO: Grab incoming auth details changed events # from websauna.system.auth import subscribers # self.config.scan(subscribers) # Experimental support for transaction aware properties try: from pyramid_tm.reify import transaction_aware_reify self.config.add_request_method( callable=transaction_aware_reify(self.config, get_request_user), name="user", property=True, reify=False) except ImportError: self.config.add_request_method(get_request_user, 'user', reify=True) ## request method for jwt def create_jwt_token(request, principal, expiration=None, **claims): return jwt_authn_policy.create_token(principal, expiration, **claims) def jwt_claims(request): return jwt_authn_policy.get_claims(request) self.config.add_request_method(create_jwt_token, 'create_jwt_token') self.config.add_request_method(jwt_claims, 'jwt_claims', reify=True)
def main(global_config, **settings): """ This function returns a Pyramid WSGI application. """ config = Configurator(settings=settings, root_factory=root_factory) config.include('substanced') config.include('.catalog') config.include('.evolution') config.add_workflow(workflow, ('Document',)) config.scan() # paster serve entry point settings['debug_templates'] = 'true' config.add_route('deformdemo', '/deformdemo*traverse') config.add_route('ubikdbsocket', 'socket.io/*remaining') config.add_static_view('static_demo', 'deformdemo:static') config.add_static_view('static_ubikdb', 'ubikdb:static') config.add_static_view('static_sdi_ubikdb_demo', 'sdi_ubikdb_demo:static') config.add_translation_dirs( 'colander:locale', 'deform:locale', 'deformdemo:locale' ) def onerror(*arg): pass config.scan('deformdemo', onerror=onerror) # override login page to show login info config.add_mgmt_view( login, name='login', renderer='sdi_ubikdb_demo:templates/login.pt', tab_condition=False, permission=NO_PERMISSION_REQUIRED) config.add_mgmt_view( login, context=HTTPForbidden, renderer='sdi_ubikdb_demo:templates/login.pt', tab_condition=False, permission=NO_PERMISSION_REQUIRED ) try: from sddav.authentication import SDIBasicAuthPolicy # set up the basic auth policy if we have sddav secret = settings['substanced.secret'] authn_policy = MultiAuthenticationPolicy([ AuthTktAuthenticationPolicy(secret, callback=groupfinder), SDIBasicAuthPolicy(), ]) config.set_authentication_policy(authn_policy) except ImportError: pass else: config.include('sddav') return config.make_wsgi_app()
def create_authentication( settings: Dict[str, Any]) -> MultiAuthenticationPolicy: timeout = settings.get("authtkt_timeout") timeout = None if timeout is None or timeout.lower() == "none" else int( timeout) reissue_time = settings.get("authtkt_reissue_time") reissue_time = None if reissue_time is None or reissue_time.lower( ) == "none" else int(reissue_time) max_age = settings.get("authtkt_max_age") max_age = None if max_age is None or max_age.lower() == "none" else int( max_age) http_only = settings.get("authtkt_http_only", "True") http_only = http_only.lower() in ("true", "yes", "1") secure = settings.get("authtkt_secure", "True") secure = secure.lower() in ("true", "yes", "1") samesite = settings.get("authtkt_samesite", "Lax") secret = settings["authtkt_secret"] basicauth = settings.get("basicauth", "False").lower() in ("true", "yes", "1") if len(secret) < 64: raise Exception( '"authtkt_secret should be at least 64 characters.' "See https://docs.pylonsproject.org/projects/pyramid/en/latest/api/session.html" ) policies = [] url_authentication_policy = UrlAuthenticationPolicy( settings.get("urllogin", {}).get("aes_key"), defaultgroupsfinder, ) policies.append(url_authentication_policy) cookie_authentication_policy = AuthTktAuthenticationPolicy( secret, callback=defaultgroupsfinder, cookie_name=settings["authtkt_cookie_name"], samesite=None if samesite == "" else samesite, timeout=timeout, max_age=max_age, reissue_time=reissue_time, hashalg="sha512", http_only=http_only, secure=secure, ) policies.append(cookie_authentication_policy) if basicauth: basic_authentication_policy = BasicAuthAuthenticationPolicy( c2cgeoportal_check) policies.append(basic_authentication_policy) return MultiAuthenticationPolicy(policies)
def create_authentication(settings): timeout = settings.get("authtkt_timeout", None) timeout = None if timeout is None else int(timeout) cookie_authentication_policy = AuthTktAuthenticationPolicy( settings["authtkt_secret"], callback=defaultgroupsfinder, cookie_name=settings["authtkt_cookie_name"], timeout=timeout, max_age=timeout, hashalg="sha512", http_only=True, ) basic_authentication_policy = BasicAuthAuthenticationPolicy(c2cgeoportal_check) policies = [cookie_authentication_policy, basic_authentication_policy] return MultiAuthenticationPolicy(policies)
def test_policy_selected_event(self): from pyramid.testing import testConfig from pyramid_multiauth import MultiAuthPolicySelected policies = [TestAuthnPolicy2(), TestAuthnPolicy3()] policy = MultiAuthenticationPolicy(policies) with testConfig() as config: request = DummyRequest() selected_policy = [] def track_policy(event): selected_policy.append((event.policy, event.request)) config.add_subscriber(track_policy, MultiAuthPolicySelected) self.assertEquals(policy.authenticated_userid(request), "test2") self.assertEquals(selected_policy[0][0], policies[0]) self.assertEquals(selected_policy[0][1], request) self.assertEquals(len(selected_policy), 1)
def includeme(config): # Register our login service config.register_service_factory(database_login_factory, IUserService) # Register our token services config.register_service_factory( TokenServiceFactory(name="password"), ITokenService, name="password" ) config.register_service_factory( TokenServiceFactory(name="email"), ITokenService, name="email" ) config.register_service_factory( TokenServiceFactory(name="two_factor"), ITokenService, name="two_factor" ) # Register our password breach detection service. breached_pw_class = config.maybe_dotted( config.registry.settings.get( "breached_passwords.backend", HaveIBeenPwnedPasswordBreachedService ) ) config.register_service_factory( breached_pw_class.create_service, IPasswordBreachedService ) # Register our authentication and authorization policies config.set_authentication_policy( MultiAuthenticationPolicy( [ SessionAuthenticationPolicy(callback=_authenticate), BasicAuthAuthenticationPolicy(check=_basic_auth_login), MacaroonAuthenticationPolicy(callback=_authenticate), ] ) ) config.set_authorization_policy( MacaroonAuthorizationPolicy(policy=ACLAuthorizationPolicy()) ) # Add a request method which will allow people to access the user object. config.add_request_method(_user, name="user", reify=True) # Register the rate limits that we're going to be using for our login # attempts config.register_service_factory( RateLimit("10 per 5 minutes"), IRateLimiter, name="user.login" ) config.register_service_factory( RateLimit("1000 per 5 minutes"), IRateLimiter, name="global.login" )
def includeme(config): # Register our login service config.register_service_factory(database_login_factory, IUserService) # Register our authentication and authorization policies config.set_authentication_policy( MultiAuthenticationPolicy([ SessionAuthenticationPolicy(callback=_authenticate), BasicAuthAuthenticationPolicy(check=_login), ]), ) config.set_authorization_policy(ACLAuthorizationPolicy()) # Add a request method which will allow people to access the user object. config.add_request_method(_user, name="user", reify=True)
def includeme(config): """Configuration include fuction for this module""" api_key_authn_policy = APIKeyAuthenticationPolicy() config.include('openstax_accounts') openstax_authn_policy = config.registry.getUtility( IOpenstaxAccountsAuthenticationPolicy) # Set up api & user authentication policies. policies = [api_key_authn_policy, openstax_authn_policy] authn_policy = MultiAuthenticationPolicy(policies) config.set_authentication_policy(authn_policy) # Set up the authorization policy. authz_policy = ACLAuthorizationPolicy() config.set_authorization_policy(authz_policy)
def set_multi_authentication_policy(config, settings): policy_tkt = AuthTktAuthenticationPolicy(settings['auth.secret_key'], callback=role_finder) policy_jwt = create_jwt_authentication_policy(config, callback=api_role_finder) policy = MultiAuthenticationPolicy([policy_jwt, policy_tkt]) ## extraced from pyramid_jwt def request_create_token(request, principal, expiration=None, **claims): return policy_jwt.create_token(principal, expiration, **claims) def request_claims(request): return policy_jwt.get_claims(request) config.set_authentication_policy(policy) config.add_request_method(request_create_token, 'create_jwt_token') config.add_request_method(request_claims, 'jwt_claims', reify=True)
def create_authentication(settings): timeout = settings.get("authtkt_timeout") timeout = None if timeout is None else int(timeout) reissue_time = settings.get("reissue_time") reissue_time = None if reissue_time is None else int(reissue_time) http_only = settings.get("authtk_http_only") http_only = True if http_only is None else http_only != "False" secure = settings.get("authtk_secure") secure = True if secure is None else secure != "False" cookie_authentication_policy = AuthTktAuthenticationPolicy( settings["authtkt_secret"], callback=defaultgroupsfinder, cookie_name=settings["authtkt_cookie_name"], timeout=timeout, max_age=timeout, reissue_time=reissue_time, hashalg="sha512", http_only=http_only, secure=secure, ) basic_authentication_policy = BasicAuthAuthenticationPolicy( c2cgeoportal_check) policies = [cookie_authentication_policy, basic_authentication_policy] return MultiAuthenticationPolicy(policies)
def create_authentication(settings): timeout = settings.get("authtkt_timeout") timeout = None if timeout is None else int(timeout) reissue_time = settings.get("reissue_time") reissue_time = None if reissue_time is None else int(reissue_time) http_only = settings.get("authtkt_http_only", "True") http_only = http_only.lower() in ("true", "yes", "1") secure = settings.get("authtkt_secure", "True") secure = secure.lower() in ("true", "yes", "1") cookie_authentication_policy = AppAwareAuthTktAuthenticationPolicy( settings["authtkt_secret"], callback=defaultgroupsfinder, cookie_name=settings["authtkt_cookie_name"], timeout=timeout, max_age=timeout, reissue_time=reissue_time, hashalg="sha512", http_only=http_only, secure=secure, parent_domain=True) basic_authentication_policy = BasicAuthAuthenticationPolicy( c2cgeoportal_check) policies = [cookie_authentication_policy, basic_authentication_policy] return MultiAuthenticationPolicy(policies)
def configure_karl(config, load_zcml=True): # Authorization/Authentication policies settings = config.registry.settings authentication_policy = MultiAuthenticationPolicy([ AuthTktAuthenticationPolicy(settings['who_secret'], callback=group_finder, cookie_name=settings['who_cookie']), # for b/w compat with bootstrapper RepozeWho1AuthenticationPolicy(callback=group_finder), BasicAuthenticationPolicy() ]) config.set_authorization_policy(ACLAuthorizationPolicy()) config.set_authentication_policy(authentication_policy) # Static tree revisions routing static_rev = settings.get('static_rev') if not static_rev: static_rev = _guess_static_rev() settings['static_rev'] = static_rev config.add_static_view('/static/%s' % static_rev, 'karl.views:static', cache_max_age=60 * 60 * 24 * 365) # Add a redirecting static view to all _other_ revisions. def _expired_static_predicate(info, request): # We add a redirecting route to all static/*, # _except_ if it starts with the active revision segment. path = info['match']['path'] return path and path[0] != static_rev config.add_route('expired-static', '/static/*path', custom_predicates=(_expired_static_predicate, )) # Need a session if using Velruse config.set_session_factory(Session(settings['who_secret'])) # Configure bottlecap layouts config.include('bottlecap') config.add_renderer('.pt', ux2_metarenderer_factory) config.registry.registerUtility(FormishZPTMetaRenderer(), IFormishRenderer) config.include('karl.security.sso') if load_zcml: config.hook_zca() config.include('pyramid_zcml') config.load_zcml('standalone.zcml') # chatter uses this to display user chatter pages, because # there is no container for chatter to hang a view from. config.add_view('karl.views.chatter.finder', context=NotFound, renderer="karl.views:templates/errorpage.pt") debug = asbool(settings.get('debug', 'false')) if not debug: config.add_view('karl.errorpage.errorpage', context=Exception, renderer="karl.views:templates/errorpage.pt") debugtoolbar = asbool(settings.get('debugtoolbar', 'false')) if debugtoolbar and pyramid_debugtoolbar: config.include(pyramid_debugtoolbar) config.add_subscriber(block_webdav, NewRequest) if slowlog is not None: config.include(slowlog) if perfmetrics is not None: config.include(perfmetrics)
def configure(config): """Configures the MAGMa web app. `config` is a instance of :class:Configurator. """ settings = config.get_settings() config.include('pyramid_mako') config.include('pyramid_tm') # for human users authn_policy1 = AuthTktAuthenticationPolicy( secret=settings['cookie.secret'], path=settings['cookie.path'], hashalg='sha512', callback=groupfinder, cookie_name=settings.get('cookie.name', 'auth_tkt'), wild_domain=False, http_only=True, ) # for service consumers # See http://www.rfk.id.au/blog/entry/securing-pyramid-persona-macauth/ authn_policy2 = MACAuthenticationPolicy.from_settings(settings) authn_policy2.find_groups = groupfinder auth_policies = [ authn_policy1, authn_policy2, ] authn_policy = MultiAuthenticationPolicy(auth_policies) config.set_authentication_policy(authn_policy) config.set_authorization_policy(ACLAuthorizationPolicy()) config.set_root_factory(RootFactory) config.add_renderer('jsonhtml', jsonhtml_renderer_factory) config.add_static_view('static', 'magmaweb:static', cache_max_age=3600) # for everyone config.add_route('home', '/') config.add_route('help', '/help') config.add_route('login', '/login') # for authenticated users config.add_route('defaults.json', '/defaults.json') config.add_route('startjob', '/start') config.add_route('jobfromscratch', '/results/') config.add_route('uploaddb', '/uploaddb') config.add_route('workspace', '/workspace') config.add_route('access_token', '/access_token.json') config.add_route('logout', '/logout') # JobFactory + traverse def add_job_route(name, pattern): """"Add route with :class:Job as context""" config.add_route(name, pattern, traverse='/{jobid}', factory=JobIdFactory) # for job owner add_job_route('status.json', '/status/{jobid}.json') add_job_route('status', '/status/{jobid}') # for authenticated users add_job_route('results', '/results/{jobid}') add_job_route('molecules.json', '/results/{jobid}/molecules.json') add_job_route('molecules.csv', '/results/{jobid}/molecules.csv') add_job_route('molecules.sdf', '/results/{jobid}/molecules.sdf') add_job_route('fragments.json', '/results/{jobid}/fragments/{scanid}/{molid}.json') add_job_route('chromatogram.json', '/results/{jobid}/chromatogram.json') add_job_route('mspectra.json', '/results/{jobid}/mspectra/{scanid}.json') add_job_route('extractedionchromatogram.json', '/results/{jobid}/extractedionchromatogram/{molid}.json') add_job_route('stderr.txt', '/results/{jobid}/stderr.txt') add_job_route('stdout.txt', '/results/{jobid}/stdout.txt') add_job_route('runinfo.json', '/results/{jobid}/runinfo.json') # for job owner add_job_route('rpc.add_structures', '/rpc/{jobid}/add_structures') add_job_route('rpc.add_ms_data', '/rpc/{jobid}/add_ms_data') add_job_route('rpc.metabolize', '/rpc/{jobid}/metabolize') add_job_route('rpc.metabolize_one', '/rpc/{jobid}/metabolize_one') add_job_route('rpc.annotate', '/rpc/{jobid}/annotate') add_job_route('rpc.assign', '/rpc/{jobid}/assign') add_job_route('rpc.unassign', '/rpc/{jobid}/unassign') # find view_config decorations config.scan('magmaweb', ignore='magmaweb.tests') # add config defaults and # cast config parameter to boolean auto_register = asbool(settings.get('auto_register', False)) config.add_settings(auto_register=auto_register) restricted = asbool(settings.get('restricted', False)) config.add_settings(restricted=restricted) ncpus = settings.get('ncpus', 1) config.add_settings(ncpus=ncpus) # Setup connection to user database engine = engine_from_config(settings) init_user_db(engine)
__all__ = ( 'DEFAULT_POLICY', 'WEBSOCKET_POLICY', ) log = logging.getLogger(__name__) PROXY_POLICY = RemoteUserAuthenticationPolicy( environ_key='HTTP_X_FORWARDED_USER', callback=groupfinder) TICKET_POLICY = pyramid_authsanity.AuthServicePolicy() TOKEN_POLICY = TokenAuthenticationPolicy(callback=groupfinder) DEFAULT_POLICY = AuthenticationPolicy(api_policy=TOKEN_POLICY, fallback_policy=TICKET_POLICY) WEBSOCKET_POLICY = MultiAuthenticationPolicy([TOKEN_POLICY, TICKET_POLICY]) def includeme(config): global DEFAULT_POLICY global WEBSOCKET_POLICY # Set up authsanity config.register_service_factory( '.services.auth_ticket_service_factory', iface='pyramid_authsanity.interfaces.IAuthService') settings = config.registry.settings settings['authsanity.source'] = 'cookie' settings['authsanity.cookie.max_age'] = 2592000 settings['authsanity.cookie.httponly'] = True settings['authsanity.secret'] = derive_key(settings['secret_key'],
def includeme(config): """ Activate the CubicWeb AuthTkt authentication policy. Usually called via ``config.include('cubicweb.pyramid.auth')``. See also :ref:`defaults_module` """ settings = config.registry.settings policies = [] if asbool(settings.get('cubicweb.auth.update_login_time', True)): policies.append(UpdateLoginTimeAuthenticationPolicy()) if asbool(settings.get('cubicweb.auth.authtkt', True)): session_prefix = 'cubicweb.auth.authtkt.session.' persistent_prefix = 'cubicweb.auth.authtkt.persistent.' session_secret = settings.get(session_prefix + 'secret', 'notsosecret') persistent_secret = settings.get(persistent_prefix + 'secret', 'notsosecret') if ('notsosecret' in (session_secret, persistent_secret) and config.registry['cubicweb.config'].mode != 'test'): warnings.warn(''' !! SECURITY WARNING !! The authentication cookies are signed with a static secret key. Configure the following options in your pyramid.ini file: - cubicweb.auth.authtkt.session.secret - cubicweb.auth.authtkt.persistent.secret YOU SHOULD STOP THIS INSTANCE unless your really know what you are doing !! Please refer to to cubicweb-pyramid documentation on how to write this pyramid.ini file: https://cubicweb.readthedocs.io/en/latest/book/pyramid/settings/#pyramid-settings-file Without it authentication WON'T work. ''') policies.append( CWAuthTktAuthenticationPolicy(session_secret, False, defaults={ 'hashalg': 'sha512', 'cookie_name': 'auth_tkt', 'timeout': 1200, 'reissue_time': 120, 'http_only': True, 'secure': True }, prefix=session_prefix, **settings)) policies.append( CWAuthTktAuthenticationPolicy(persistent_secret, True, defaults={ 'hashalg': 'sha512', 'cookie_name': 'pauth_tkt', 'max_age': 3600 * 24 * 30, 'reissue_time': 3600 * 24, 'http_only': True, 'secure': True }, prefix=persistent_prefix, **settings)) kw = {} if asbool(settings.get('cubicweb.auth.groups_principals', True)): kw['callback'] = get_principals authpolicy = MultiAuthenticationPolicy(policies, **kw) config.registry['cubicweb.authpolicy'] = authpolicy config.set_authentication_policy(authpolicy) config.set_authorization_policy(ACLAuthorizationPolicy())