def main(): '''Start the infirmary server''' args = _parseArgs() logging.basicConfig(level=args.loglevel) _logger.info('🏥 Infirmary version %s', VERSION) config = Configurator(registry=getGlobalSiteManager(), root_factory=Root) config.setup_registry() config.set_authentication_policy(BasicAuthAuthenticationPolicy(_checkCredentials)) config.set_authorization_policy(ACLAuthorizationPolicy()) config.add_route('home', '/') config.add_route('ping', '/ping') config.add_route('hello', '/hello/{name}', factory=Root) config.add_route('clinicalCores', '/clinicalCores', factory=Root) config.add_route('clinicalCore', '/clinicalCores/{participant_ID}', factory=Root) config.add_route('organs', '/organs', factory=Root) config.add_route('organ', '/organs/{identifier}', factory=Root) config.add_route('specimens', '/specimens', factory=Root) config.add_route('specimen', '/specimens/{specimen_ID}', factory=Root) config.add_route('genomics', '/genomics', factory=Root) config.add_route('genomic', '/genomics/{specimen_ID}', factory=Root) config.add_route('images', '/images', factory=Root) config.add_route('image', '/images/{identifier}', factory=Root) config.add_subscriber(cors_callback, NewRequest) config.scan() provideUtility(AppStats(sys.argv[0])) provideUtility(Directory(args.ldap_server)) provideUtility(Database(args.database)) app = config.make_wsgi_app() _logger.debug('🏃♀️ Starting server on port %d', args.port) server = make_server('0.0.0.0', args.port, app) server.serve_forever()
def main(*args, **settings): from pyramid.config import Configurator from pyramid.events import NewRequest, ContextFound from pyramid.authentication import BasicAuthAuthenticationPolicy from pyramid.authorization import ACLAuthorizationPolicy from pyramid.renderers import JSON, JSONP logger.info('Start registry api...') read_users(settings['auth.file']) config = Configurator(autocommit=True, settings=settings, authentication_policy=BasicAuthAuthenticationPolicy( auth_check, __name__), authorization_policy=ACLAuthorizationPolicy(), root_factory=Root, route_prefix=ROUTE_PREFIX) config.include('pyramid_exclog') config.add_forbidden_view(forbidden) config.add_request_method(request_params, 'params', reify=True) config.add_request_method(authenticated_role, reify=True) config.add_renderer('prettyjson', JSON(indent=4)) config.add_renderer('jsonp', JSONP(param_name='opt_jsonp')) config.add_renderer('prettyjsonp', JSONP(indent=4, param_name='opt_jsonp')) config.add_subscriber(add_logging_context, NewRequest) config.add_subscriber(set_logging_context, ContextFound) config.add_subscriber(set_renderer, NewRequest) config.add_route('health', '/health') config.add_route('registry', '/registry/{param}.json') config.scan('openprocurement.medicines.registry.api.views') return config.make_wsgi_app()
def main(global_config, **settings): settings["global_config"] = global_config config = Configurator(settings=settings) # Jinja 2 templates as .html files config.include('pyramid_jinja2') config.add_jinja2_renderer('.html') config.add_jinja2_search_path('pyramid_notebook:demo/templates', name='.html') config.add_route('home', '/') config.add_route('login', '/login') config.add_route('shell1', '/shell1') config.add_route('shell2', '/shell2') config.add_route('shutdown_notebook', '/notebook/shutdown') config.add_route('notebook_proxy', '/notebook/*remainder') config.scan(views) authn_policy = auth.AuthTktAuthenticationPolicy('seekrITT', callback=auth.groupfinder) config.set_authentication_policy(BasicAuthAuthenticationPolicy(mycheck)) config.set_authorization_policy(authn_policy) # Make sure we can target Pyramid router debug messages in logging configuration pyramid_debug_logger = logging.getLogger("pyramid_debug") config.registry.registerUtility(pyramid_debug_logger, IDebugLogger) return config.make_wsgi_app()
def includeme(config): authentication_policy = BasicAuthAuthenticationPolicy(check) authorization_policy = ACLAuthorizationPolicy() config.set_authentication_policy(authentication_policy) config.set_authorization_policy(authorization_policy) config.set_root_factory(lambda request: RootFactory())
def main(): # Stupid workaround to wait for mysql actually starting inside of a container time.sleep(15) # Just init the database at the start for simplicity db.create.init() p = BackgroundEventPersister(Events) p.start() DBSession.configure(bind=Engine) Base.metadata.bind = Engine with Configurator() as config: config.include('pyramid_tm') config.add_request_method(get_user, 'user', reify=True) config.add_route('place_order', '/orders', request_method='POST') config.add_route('list_orders', '/orders', request_method='GET') config.add_route('cancel_order', '/order/{orderId}', request_method='DELETE') config.scan('views') auth_policy = BasicAuthAuthenticationPolicy(check_credentials) config.set_authentication_policy(auth_policy) config.set_authorization_policy(ACLAuthorizationPolicy()) config.set_root_factory(lambda request: Root()) app = config.make_wsgi_app() serve(app, host='0.0.0.0', port=8888)
def create_authentication(settings): timeout = settings.get("authtkt_timeout") timeout = None if timeout is None else int(timeout) reissue_time = settings.get("reissue_time") reissue_time = None if reissue_time is None else int(reissue_time) http_only = settings.get("authtkt_http_only", "True") http_only = http_only.lower() in ("true", "yes", "1") secure = settings.get("authtkt_secure", "True") secure = secure.lower() in ("true", "yes", "1") samesite = settings.get("authtkt_samesite", "Lax") secret = settings["authtkt_secret"] if len(secret) < 64: raise Exception( '"authtkt_secret should be at least 64 characters.' 'See https://docs.pylonsproject.org/projects/pyramid/en/latest/api/session.html' ) cookie_authentication_policy = AuthTktAuthenticationPolicy( secret, callback=defaultgroupsfinder, cookie_name=settings["authtkt_cookie_name"], samesite=None if samesite == '' else samesite, timeout=timeout, max_age=timeout, reissue_time=reissue_time, hashalg="sha512", http_only=http_only, secure=secure, ) basic_authentication_policy = BasicAuthAuthenticationPolicy( c2cgeoportal_check) policies = [cookie_authentication_policy, basic_authentication_policy] return MultiAuthenticationPolicy(policies)
def setup_basic_http_auth(config): """ Initialize HTTP Basic Auth support. """ realm = "Sandglass API" basic_auth = BasicAuthAuthenticationPolicy(auth_callback, realm=realm) config.set_authentication_policy(basic_auth) config.add_forbidden_view(handle_basic_auth_challenge)
def main(global_config, **settings): from openprocurement.integrations.edr.auth import (authenticated_role) from openprocurement.integrations.edr.utils import ( forbidden, add_logging_context, set_logging_context, request_params, set_renderer, Root, read_users) from openprocurement.integrations.edr.utils import auth_check from pyramid.authentication import BasicAuthAuthenticationPolicy from pyramid.authorization import ACLAuthorizationPolicy from pyramid.config import Configurator from pyramid.events import NewRequest, ContextFound from pyramid.renderers import JSON, JSONP LOGGER.info('Start edr api') read_users(settings['auth.file']) config = Configurator( autocommit=True, settings=settings, authentication_policy=BasicAuthAuthenticationPolicy( auth_check, __name__), authorization_policy=ACLAuthorizationPolicy(), root_factory=Root, route_prefix=ROUTE_PREFIX, ) config.include('pyramid_exclog') config.add_forbidden_view(forbidden) config.add_request_method(request_params, 'params', reify=True) config.add_request_method(authenticated_role, reify=True) config.add_renderer('prettyjson', JSON(indent=4)) config.add_renderer('jsonp', JSONP(param_name='opt_jsonp')) config.add_renderer('prettyjsonp', JSONP(indent=4, param_name='opt_jsonp')) config.add_renderer( 'yaml', 'openprocurement.integrations.edr.renderers.YAMLRenderer') config.add_subscriber(add_logging_context, NewRequest) config.add_subscriber(set_logging_context, ContextFound) config.add_subscriber(set_renderer, NewRequest) # Init edr connection config.registry.edr_client = EdrClient( settings.get('edr_api_server'), settings.get('edr_api_token'), int(settings.get('edr_api_port')), float(settings.get('edr_timeout_min', 1)), float(settings.get('edr_timeout_max', 60)), float(settings.get('edr_timeout_step', 2)), settings.get('edr_timeout_mode', 'mult')) config.registry.cache_db = Db(settings) config.registry.time_to_live = settings.get("time_to_live", 300) config.registry.time_to_live_negative = settings.get( "time_to_live_negative", 30) LOGGER.info("SANDBOX_MODE = {}".format(SANDBOX_MODE)) # Include views config.add_route('verify', '/verify') config.add_route('details', '/details/{id}') config.add_route('health', '/health') config.scan("openprocurement.integrations.edr.views") return config.make_wsgi_app()
def main(global_config, **settings): """ This function returns a Pyramid WSGI application. """ with Configurator(settings=settings) as config: config.route_prefix = 'api' config.include('cornice') config.include('cornice_swagger') swagger_data = SWAGGER if settings.get('api.swagger'): swagger_data.update(read_datafile(settings.get('api.swagger'))) config.registry.settings['api_specs'] = swagger_data config.add_route('cornice_swagger.open_api_path', '/swagger.json') config.add_route('health', '/health') config.add_route('self.schema', '/release-schema.json') config.cornice_enable_openapi_explorer(api_explorer_path='/swagger.ui') config.include('.models') config.add_renderer('simplejson', JSON(serializer=simplejson.dumps)) config.add_request_method(release_package, name='release_package') config.add_request_method(record_package, name='record_package') config.registry.page_size = int(settings.get('api.page_size', 100)) config.registry.publisher = read_datafile( settings.get('api.publisher')) config.registry.schema = read_datafile(settings.get('api.schema')) config.registry.merge_rules = get_merge_rules( settings.get('api.schema')) BASE['extensions'] = settings.get('api.extensions', '').split() config.registry.models = { 'Release': config.registry.schema, 'Record': RECORD } config.set_authorization_policy(ACLAuthorizationPolicy()) tokens = [t.strip() for t in settings.get('api.tokens', '').split(',')] if tokens: config.registry.tokens = frozenset(tokens) config.set_authentication_policy( BasicAuthAuthenticationPolicy(check_credentials)) config.registry.validator = None if settings.get('api.force_validation', False): config.registry.validator = fastjsonschema.compile( config.registry.schema) apps = settings.get('apps', '').split(',') for pname in apps: if not pname: continue try: app = getattr(config.maybe_dotted(pname), 'includeme', '') if app: app(config) logger.info(f"Installed app {pname}") except KeyError as e: logger.error( f"Unable to load {pname} plugin. Error: {repr(e)}") config.scan() return config.make_wsgi_app()
def setUp(self): settings = { 'pyramlson.apidef_path': os.path.join(DATA_DIR, 'test-api.raml'), } auth_policy = BasicAuthAuthenticationPolicy(dummy_check, 'TEST REALM') self.config = testing.setUp(settings=settings) self.config.set_authorization_policy(ACLAuthorizationPolicy()) self.config.set_authentication_policy(auth_policy) self.config.include('pyramlson') self.config.scan('.resource') from webtest import TestApp self.testapp = TestApp(self.config.make_wsgi_app())
def includeme(config): if auth_activated(config.registry): logger.debug("basic authentication is activated.") # Security policies for basic auth authn_policy = BasicAuthAuthenticationPolicy(check=groupfinder, realm="Birdhouse") authz_policy = ACLAuthorizationPolicy() config.set_authentication_policy(authn_policy) config.set_authorization_policy(authz_policy) config.set_root_factory(root_factory) config.add_request_method(_get_username, 'username', reify=True) config.add_request_method(_get_password, 'password', reify=True)
def create_authentication( settings: Dict[str, Any]) -> MultiAuthenticationPolicy: timeout = settings.get("authtkt_timeout") timeout = None if timeout is None or timeout.lower() == "none" else int( timeout) reissue_time = settings.get("authtkt_reissue_time") reissue_time = None if reissue_time is None or reissue_time.lower( ) == "none" else int(reissue_time) max_age = settings.get("authtkt_max_age") max_age = None if max_age is None or max_age.lower() == "none" else int( max_age) http_only = settings.get("authtkt_http_only", "True") http_only = http_only.lower() in ("true", "yes", "1") secure = settings.get("authtkt_secure", "True") secure = secure.lower() in ("true", "yes", "1") samesite = settings.get("authtkt_samesite", "Lax") secret = settings["authtkt_secret"] basicauth = settings.get("basicauth", "False").lower() in ("true", "yes", "1") if len(secret) < 64: raise Exception( '"authtkt_secret should be at least 64 characters.' "See https://docs.pylonsproject.org/projects/pyramid/en/latest/api/session.html" ) policies = [] url_authentication_policy = UrlAuthenticationPolicy( settings.get("urllogin", {}).get("aes_key"), defaultgroupsfinder, ) policies.append(url_authentication_policy) cookie_authentication_policy = AuthTktAuthenticationPolicy( secret, callback=defaultgroupsfinder, cookie_name=settings["authtkt_cookie_name"], samesite=None if samesite == "" else samesite, timeout=timeout, max_age=max_age, reissue_time=reissue_time, hashalg="sha512", http_only=http_only, secure=secure, ) policies.append(cookie_authentication_policy) if basicauth: basic_authentication_policy = BasicAuthAuthenticationPolicy( c2cgeoportal_check) policies.append(basic_authentication_policy) return MultiAuthenticationPolicy(policies)
def create_authentication(settings): timeout = settings.get("authtkt_timeout", None) timeout = None if timeout is None else int(timeout) cookie_authentication_policy = AuthTktAuthenticationPolicy( settings["authtkt_secret"], callback=defaultgroupsfinder, cookie_name=settings["authtkt_cookie_name"], timeout=timeout, max_age=timeout, hashalg="sha512", http_only=True, ) basic_authentication_policy = BasicAuthAuthenticationPolicy(c2cgeoportal_check) policies = [cookie_authentication_policy, basic_authentication_policy] return MultiAuthenticationPolicy(policies)
def main(global_config, **settings): """ This function returns a Pyramid WSGI application. """ read_users(settings['auth.file']) config = Configurator( settings=settings, authentication_policy=BasicAuthAuthenticationPolicy( auth_check, __name__), authorization_policy=ACLAuthorizationPolicy(), root_factory=Root, ) config.add_request_method(request_params, 'params', reify=True) config.add_subscriber(new_request_subscriber, NewRequest) config.add_subscriber(add_logging_context, ContextFound) config.include('pyramid_exclog') config.add_route('status', '/') config.add_route('register', '/register') config.add_route('upload', '/upload') config.add_route('upload_file', '/upload/{doc_id}') config.add_route('get', '/get/{doc_id}') config.scan(ignore='openprocurement.documentservice.tests') config.registry.signer = signer = Signer( settings.get('dockey', '').decode('hex')) config.registry.dockey = dockey = signer.hex_vk()[:8] verifier = Verifier(signer.hex_vk()) config.registry.dockeyring = dockeyring = {dockey: verifier} dockeys = settings.get( 'dockeys') if 'dockeys' in settings else Signer().hex_vk() for key in dockeys.split('\0'): dockeyring[key[:8]] = Verifier(key) config.registry.keyring = keyring = {dockey: verifier} apikeys = settings.get( 'apikeys') if 'apikeys' in settings else Signer().hex_vk() for key in apikeys.split('\0'): keyring[key[:8]] = Verifier(key) config.registry.apikey = key[:8] config.registry.upload_host = settings.get('upload_host') config.registry.get_host = settings.get('get_host') # search for storage storage = settings.get('storage') for entry_point in iter_entry_points( 'openprocurement.documentservice.plugins', storage): plugin = entry_point.load() config.registry.storage = plugin(config) return config.make_wsgi_app()
def setUp(self): def check_cred(username, *args, **kwargs): return [username] @implementer(IAuthorizationPolicy) class AuthorizationPolicy(object): def permits(self, context, principals, permission): return permission in principals self.config = testing.setUp() self.config.include('cornice') self.config.add_route('noservice', '/noservice') self.config.set_authorization_policy(AuthorizationPolicy()) self.config.set_authentication_policy( BasicAuthAuthenticationPolicy(check_cred)) self.config.set_default_permission('readwrite') self.config.scan('cornice.tests.test_cors') self.app = TestApp(CatchErrors(self.config.make_wsgi_app()))
def includeme(config): config.include('pyramid_contextauth') tkt_policy = AuthTktAuthenticationPolicy('secret') config.register_authentication_policy( tkt_policy, Context1, ) config.register_authentication_policy( BasicAuthAuthenticationPolicy('realm'), Context2, ) config.register_authentication_policy(Context345Policy(), (Context3, Context4)) config.register_authentication_policy(LocationAwarePolicy(), Root) config.commit()
def make_app(server_config): config = Configurator(settings=server_config, root_factory=APIFactory, default_permission="access") config.include("pyramid_jinja2") def check_function(username, password, request): if (password == server_config["admin_secret"] and username == server_config["admin_user"]): return "admin", username return None authn_policy = BasicAuthAuthenticationPolicy(check_function, realm="ChannelStream") authz_policy = ACLAuthorizationPolicy() config.set_authentication_policy(authn_policy) config.set_authorization_policy(authz_policy) json_renderer = JSON(serializer=json.dumps, indent=4) json_renderer.add_adapter(datetime.datetime, datetime_adapter) json_renderer.add_adapter(uuid.UUID, uuid_adapter) config.add_renderer("json", json_renderer) config.add_subscriber("channelstream.subscribers.handle_new_request", "pyramid.events.NewRequest") config.add_request_method("channelstream.utils.handle_cors", "handle_cors") config.include("channelstream.wsgi_views") config.scan("channelstream.wsgi_views.server") config.scan("channelstream.wsgi_views.error_handlers") config.scan("channelstream.events") config.include("pyramid_apispec.views") config.pyramid_apispec_add_explorer( spec_route_name="openapi_spec", script_generator="channelstream.utils:swagger_ui_script_template", permission=NO_PERMISSION_REQUIRED, ) app = config.make_wsgi_app() return app
def includeme(config): """ For inclusion by Pyramid. """ config.add_request_method(get_user, str('user'), reify=True) config.add_request_method(get_acls, str('acls'), reify=True) config.add_request_method(get_settings, str('settings'), reify=True) settings = config.registry.settings authn_policy = PluginAuthenticationPolicy( SessionAuthenticationPolicy(callback=find_princs), { '/dav': DigestAuthenticationPolicy( settings.get('netprofile.auth.secret'), find_princs_digest, realm=settings.get('netprofile.auth.digest.realm', 'NetProfile UI'), check_timestamp=asbool( settings.get('netprofile.auth.digest.check_timestamp', 'true')), timestamp_max_ahead=int( settings.get('netprofile.auth.digest.timestamp_max_ahead', 5)), timestamp_max_behind=int( settings.get('netprofile.auth.digest.timestamp_max_behind', 120))), '/api': BasicAuthAuthenticationPolicy( find_princs_basic, settings.get('netprofile.auth.rpc_realm', 'NetProfile RPC'), settings.get('netprofile.debug')) }) authz_policy = ACLAuthorizationPolicy() config.set_authorization_policy(authz_policy) config.set_authentication_policy(authn_policy) config.add_subscriber(_auth_to_db, ContextFound) config.add_subscriber(_check_session, PluginPolicySelected)
def create_authentication(settings): timeout = settings.get("authtkt_timeout") timeout = None if timeout is None else int(timeout) reissue_time = settings.get("reissue_time") reissue_time = None if reissue_time is None else int(reissue_time) http_only = settings.get("authtkt_http_only", "True") http_only = http_only.lower() in ("true", "yes", "1") secure = settings.get("authtkt_secure", "True") secure = secure.lower() in ("true", "yes", "1") cookie_authentication_policy = AppAwareAuthTktAuthenticationPolicy( settings["authtkt_secret"], callback=defaultgroupsfinder, cookie_name=settings["authtkt_cookie_name"], timeout=timeout, max_age=timeout, reissue_time=reissue_time, hashalg="sha512", http_only=http_only, secure=secure, parent_domain=True) basic_authentication_policy = BasicAuthAuthenticationPolicy( c2cgeoportal_check) policies = [cookie_authentication_policy, basic_authentication_policy] return MultiAuthenticationPolicy(policies)
def __init__(self, secret, realm='Realm', hardcoded=()): """ We need to initialise variables here for both forms of auth which we're planning on using. :param secret: A hashing secret for AuthTkt, which should be generated outside the Pyhton process. :param realm: The Basic Auth realm which is probably set to eos_db. :param hardcoded: Triplets of user:password:group that should not be looked up in the database. """ self.hardcoded = {x[0]: (x[1], x[2]) for x in hardcoded} #DELETE ME #self.check = check # Password check routine passed to the constructor. #self.realm = realm # Basic Auth realm. # Now initialise both Auth Policies. AuthTkt has sha256 specified in # place of the default MD5 in order to suppress warnings about # security. self.bap = BasicAuthAuthenticationPolicy(check=self.passwordcheck, realm=realm) self.tap = AuthTktAuthenticationPolicy(secret=secret, callback=self.groupfinder, cookie_name='auth_tkt', hashalg='sha256')
def create_authentication(settings): timeout = settings.get("authtkt_timeout") timeout = None if timeout is None else int(timeout) reissue_time = settings.get("reissue_time") reissue_time = None if reissue_time is None else int(reissue_time) http_only = settings.get("authtk_http_only") http_only = True if http_only is None else http_only != "False" secure = settings.get("authtk_secure") secure = True if secure is None else secure != "False" cookie_authentication_policy = AuthTktAuthenticationPolicy( settings["authtkt_secret"], callback=defaultgroupsfinder, cookie_name=settings["authtkt_cookie_name"], timeout=timeout, max_age=timeout, reissue_time=reissue_time, hashalg="sha512", http_only=http_only, secure=secure, ) basic_authentication_policy = BasicAuthAuthenticationPolicy( c2cgeoportal_check) policies = [cookie_authentication_policy, basic_authentication_policy] return MultiAuthenticationPolicy(policies)
def main(settings): """Create and return a WSGI application.""" config = Configurator() config.registry.engine = init_db(settings) def db(request): connection = request.registry.engine.connect() transaction = connection.begin() def cleanup(request): if request.exception is not None: transaction.rollback() else: transaction.commit() connection.close() request.add_finished_callback(cleanup) return connection config.add_request_method(db, reify=True) # Configure authentication / authorization authn_policy = BasicAuthAuthenticationPolicy(check_credentials) config.set_authentication_policy(authn_policy) config.set_authorization_policy(ACLAuthorizationPolicy()) config.set_root_factory(lambda request: Root()) config.add_forbidden_view(forbidden_view) config.add_view(view=error_view, context=Exception, renderer="json") config.add_static_view(name="static", path="../../queryduck-web/static") config.add_route("post_query", "/{target}/query", request_method="POST") config.add_route("get_query", "/{target}/query", request_method="GET") config.add_route("get_statements", "/statements", request_method="GET") config.add_route("submit_transaction", "/statements/transaction", request_method="POST") config.add_route("get_statement", "/statements/{reference}", request_method="GET") config.add_route("create_statements", "/statements", request_method="POST") config.add_route("create_volume", "/volumes/{reference}", request_method="PUT") config.add_route("delete_volume", "/volumes/{reference}", request_method="DELETE") config.add_route("get_volume", "/volumes/{reference}") config.add_route("list_volumes", "/volumes") config.add_route("create_blob", "/blobs/new", request_method="POST") config.add_route("get_blob", "/blobs/{reference}") config.add_route("list_blobs", "/blobs") config.add_route("list_volume_files", "/volumes/{volume_reference}/files", request_method="GET") config.add_route( "mutate_volume_files", "/volumes/{volume_reference}/files", request_method="POST", ) config.add_route( "get_volume_file", "/volumes/{volume_reference}/files/{file_path}", request_method="GET", ) config.scan(".controllers") config.scan(".transaction.controllers") config.scan(".storage.controllers") app = config.make_wsgi_app() return app
def __init__(self, check=None): if check is None: check = AuthClientPolicy.check self._basic_auth_policy = BasicAuthAuthenticationPolicy(check=check)
def getBasicAuthAuthenticationPolicy(): """Define basic auth authentication policy""" return BasicAuthAuthenticationPolicy( # pragma: no cover Configuration.get('pyramid_basicauth_check'), debug=Configuration.get('pyramid_authentication_debug'))
def create_authentication( settings: Dict[str, Any]) -> MultiAuthenticationPolicy: """Create all the authentication policies.""" timeout = settings.get("authtkt_timeout") timeout = None if timeout is None or timeout.lower() == "none" else int( timeout) reissue_time = settings.get("authtkt_reissue_time") reissue_time = None if reissue_time is None or reissue_time.lower( ) == "none" else int(reissue_time) max_age = settings.get("authtkt_max_age") max_age = None if max_age is None or max_age.lower() == "none" else int( max_age) http_only = settings.get("authtkt_http_only", "True") http_only = http_only.lower() in ("true", "yes", "1") secure = settings.get("authtkt_secure", "True") secure = secure.lower() in ("true", "yes", "1") samesite = settings.get("authtkt_samesite", "Lax") secret = settings["authtkt_secret"] basicauth = settings.get("basicauth", "False").lower() in ("true", "yes", "1") if len(secret) < 64: raise Exception( '"authtkt_secret should be at least 64 characters.' "See https://docs.pylonsproject.org/projects/pyramid/en/latest/api/session.html" ) policies = [] policies.append( UrlAuthenticationPolicy( settings.get("urllogin", {}).get("aes_key"), defaultgroupsfinder, )) policies.append( AuthTktAuthenticationPolicy( secret, callback=defaultgroupsfinder, cookie_name=settings["authtkt_cookie_name"], samesite=None if samesite == "" else samesite, timeout=timeout, max_age=max_age, reissue_time=reissue_time, hashalg="sha512", http_only=http_only, secure=secure, )) policies.append(OAuth2AuthenticationPolicy()) if basicauth: if settings["authentication"].get("two_factor", False): LOG.warning( "Basic auth and tow factor auth should not be enable toogether, " "you should use OAuth2 instead of Basic auth") basic_authentication_policy = BasicAuthAuthenticationPolicy( c2cgeoportal_check) policies.append(basic_authentication_policy) # Consider empty string as not configured if "DEV_LOGINNAME" in os.environ and os.environ["DEV_LOGINNAME"]: policies.append(DevAuthenticationPolicy()) return MultiAuthenticationPolicy(policies)
def main(global_config, **settings): """ This function returns a Pyramid WSGI application. """ load_processing_settings(settings) load_local_settings(settings, settings["appname"]) settings.update({"version": version}) config = Configurator(root_factory=Root, settings=settings) config.set_authorization_policy(ACLAuthorizationPolicy()) config.set_authentication_policy( BasicAuthAuthenticationPolicy(check=groupfinder, )) # set forbidden view to basic auth def forbidden_view(request): resp = HTTPUnauthorized() resp.www_authenticate = 'Basic realm="Thinkhazard"' return resp config.add_forbidden_view(forbidden_view) config.include("pyramid_jinja2") config.include("papyrus") config.include("thinkhazard.session") config.add_tween("thinkhazard.tweens.notmodified_tween_factory", over=MAIN) config.add_static_view("static", "static", cache_max_age=3600) config.add_static_view("lib", settings.get("node_modules"), cache_max_age=86000) config.add_translation_dirs("thinkhazard:locale") config.set_locale_negotiator("thinkhazard.i18n.custom_locale_negotiator") config.add_route("healthcheck", "/healthcheck") if settings["appname"] == "public": config.include(add_public_routes) config.add_route("sitemap", "/sitemap.xml") if settings["appname"] == "admin": # Celery from thinkhazard.celery import app as celery_app config.add_request_method(lambda x: celery_app, "celery_app", reify=True) config.set_default_permission("admin") config.include(add_public_routes, route_prefix="preview") config.add_route("admin_index", "/") config.add_route("admin_add_task", "/addtask") config.add_route("admin_technical_rec", "/technical_rec") config.add_route("admin_technical_rec_new", "/technical_rec/new") config.add_route("admin_technical_rec_edit", "/technical_rec/{id:\d+}") config.add_route("admin_technical_rec_delete", "/technical_rec/{id:\d+}/delete") config.add_route("admin_admindiv_hazardsets", "/admindiv_hazardsets") config.add_route("admin_admindiv_hazardsets_export", "/admindiv_hazardsets_export") config.add_route( "admin_admindiv_hazardsets_hazardtype", "/admindiv_hazardsets/{hazardtype:([A-Z]{2})}", ) config.add_route("admin_climate_rec", "/climate_rec") config.add_route("admin_climate_rec_hazardtype", "/climate_rec/{hazard_type:([A-Z]{2})}") config.add_route("admin_climate_rec_new", "/climate_rec/{hazard_type:([A-Z]{2})}/new") config.add_route("admin_climate_rec_edit", "/climate_rec/{id:\d+}") config.add_route("admin_climate_rec_delete", "/climate_rec/{id:\d+}/delete") config.add_route("admin_hazardcategories", "/hazardcategories") config.add_route( "admin_hazardcategory", "/hazardcategory/{hazard_type:([A-Z]{2})}" "/{hazard_level:([A-Z]{3})}", ) config.add_route("admin_hazardsets", "/hazardsets") config.add_route("admin_hazardset", "/hazardset/{hazardset}") config.add_route("admin_contacts", "/contacts") config.add_route("admin_contact_new", "/contact/new") config.add_route("admin_contact_edit", "/contact/{id:\d+}") config.add_route("admin_contact_delete", "/contact/{id:\d+}/delete") config.add_route("admin_contact_admindiv_hazardtype_association", "/contact/CAdHt_form") config.add_renderer("geojson", GeoJSON()) config.add_renderer("csv", "thinkhazard.renderers.CSVRenderer") config.add_request_method( lambda r: S3Helper(r.registry.settings), "s3_helper", property=True, reify=True, ) scan_ignore = [] if settings["appname"] != "public": scan_ignore.append("thinkhazard.views.sitemap") if settings["appname"] != "admin": scan_ignore.append("thinkhazard.views.admin") config.scan(ignore=scan_ignore) return config.make_wsgi_app()
def main(global_config, **settings): Service.cors_origins = ('*', ) settings = settings_expandvars(settings) config = Configurator(settings=settings, root_factory=RootFactory) config.include("cornice") # Redirect to the current version of the API if the prefix isn't used. config.add_route(name='redirect_to_version', pattern='/{path:(?!%s).*}' % API_VERSION) config.add_view(view=redirect_to_version, route_name='redirect_to_version') config.route_prefix = '/%s' % API_VERSION # Permission management policies = [ BasicAuthAuthenticationPolicy(check_credentials), HawkAuthenticationPolicy(decode_hawk_id=get_credentials), ] authn_policy = MultiAuthenticationPolicy(policies) # Unauthorized view config.add_forbidden_view(forbidden_view) # Global permissions model_creators = settings.get("daybed.can_create_model", "Everyone") token_creators = settings.get("daybed.can_create_token", "Everyone") token_managers = settings.get("daybed.can_manage_token", None) authz_policy = DaybedAuthorizationPolicy( model_creators=build_list(model_creators), token_creators=build_list(token_creators), token_managers=build_list(token_managers), ) config.set_authentication_policy(authn_policy) config.set_authorization_policy(authz_policy) # We need to scan AFTER setting the authn / authz policies config.scan("daybed.views") # Attach the token to the request, coming from Pyramid as userid def get_credentials_id(request): try: credentials_id, _ = get_credentials(request, request.authenticated_userid) return credentials_id except ValueError: return None config.add_request_method(get_credentials_id, 'credentials_id', reify=True) # Events # Helper for notifying events def notify(request, event, *args): klass = config.maybe_dotted('daybed.events.' + event) event = klass(*(args + (request, ))) request.registry.notify(event) config.add_request_method(notify, 'notify') # Backend config.registry.tokenHmacKey = settings['daybed.tokenHmacKey'] # backend initialisation backend_class = config.maybe_dotted(settings['daybed.backend']) config.registry.backend = backend_class.load_from_config(config) # Indexing # Connect client to hosts in conf index_hosts = build_list( settings.get('elasticsearch.hosts', "localhost:9200")) indices_prefix = settings.get('elasticsearch.indices_prefix', 'daybed_') config.registry.index = index = indexer.ElasticSearchIndexer( index_hosts, indices_prefix) # Suscribe index methods to API events config.add_subscriber(index.on_model_created, events.ModelCreated) config.add_subscriber(index.on_model_updated, events.ModelUpdated) config.add_subscriber(index.on_model_deleted, events.ModelDeleted) config.add_subscriber(index.on_record_created, events.RecordCreated) config.add_subscriber(index.on_record_updated, events.RecordUpdated) config.add_subscriber(index.on_record_deleted, events.RecordDeleted) # Renderers # Force default accept header to JSON def add_default_accept(event): json_mime = 'application/json' accept = event.request.headers.get('Accept', json_mime) if json_mime in accept: accept = json_mime event.request.headers["Accept"] = accept config.add_subscriber(add_default_accept, NewRequest) # JSONP config.add_renderer('jsonp', JSONP(param_name='callback')) # Geographic data renderer config.add_renderer('geojson', GeoJSON()) # Requests attachments def attach_objects_to_request(event): event.request.db = config.registry.backend event.request.index = config.registry.index http_scheme = event.request.registry.settings.get('daybed.http_scheme') if http_scheme: event.request.scheme = http_scheme config.add_subscriber(attach_objects_to_request, NewRequest) # Plugins try: config.include("daybed_browserid") except ImportError: pass return config.make_wsgi_app()
def web(global_config, **local_settings): """ This function returns a Pyramid WSGI application. """ settings = global_config settings.update(local_settings) # set CFG object app_config = CFG(settings) app_config.configure_filedepot() settings['CFG'] = app_config configurator = Configurator(settings=settings, autocommit=True) # Add BasicAuthPolicy authn_policy = BasicAuthAuthenticationPolicy( basic_auth_check_credentials, realm=BASIC_AUTH_WEBUI_REALM, ) configurator.include(add_cors_support) # make sure to add this before other routes to intercept OPTIONS configurator.add_cors_preflight_handler() # Default authorization : Accept anything. configurator.set_authorization_policy(AcceptAllAuthorizationPolicy()) configurator.set_authentication_policy(authn_policy) # INFO - GM - 11-04-2018 - set default perm # setting default perm is needed to force authentification # mecanism in all views. configurator.set_default_permission(TRACIM_DEFAULT_PERM) # Override default request configurator.set_request_factory(TracimRequest) # Pyramids "plugin" include. configurator.include('pyramid_jinja2') # Add SqlAlchemy DB configurator.include('.models') # set Hapic context = PyramidContext( configurator=configurator, default_error_builder=ErrorSchema(), debug=app_config.DEBUG, ) hapic.set_context(context) # INFO - G.M - 2018-07-04 - global-context exceptions # Not found context.handle_exception(NotFound, HTTPStatus.NOT_FOUND) # Bad request context.handle_exception(WorkspaceNotFoundInTracimRequest, HTTPStatus.BAD_REQUEST) # nopep8 context.handle_exception(UserNotFoundInTracimRequest, HTTPStatus.BAD_REQUEST) # nopep8 context.handle_exception(ContentNotFoundInTracimRequest, HTTPStatus.BAD_REQUEST) # nopep8 context.handle_exception(WorkspaceNotFound, HTTPStatus.BAD_REQUEST) context.handle_exception(UserDoesNotExist, HTTPStatus.BAD_REQUEST) context.handle_exception(ContentNotFound, HTTPStatus.BAD_REQUEST) context.handle_exception(ContentTypeNotAllowed, HTTPStatus.BAD_REQUEST) context.handle_exception(InvalidId, HTTPStatus.BAD_REQUEST) # Auth exception context.handle_exception(NotAuthenticated, HTTPStatus.UNAUTHORIZED) context.handle_exception(UserNotActive, HTTPStatus.FORBIDDEN) context.handle_exception(AuthenticationFailed, HTTPStatus.FORBIDDEN) context.handle_exception(InsufficientUserRoleInWorkspace, HTTPStatus.FORBIDDEN) # nopep8 context.handle_exception(InsufficientUserProfile, HTTPStatus.FORBIDDEN) # Internal server error context.handle_exception(OperationalError, HTTPStatus.INTERNAL_SERVER_ERROR) context.handle_exception(Exception, HTTPStatus.INTERNAL_SERVER_ERROR) # Add controllers session_controller = SessionController() system_controller = SystemController() user_controller = UserController() workspace_controller = WorkspaceController() comment_controller = CommentController() html_document_controller = HTMLDocumentController() thread_controller = ThreadController() file_controller = FileController() configurator.include(session_controller.bind, route_prefix=BASE_API_V2) configurator.include(system_controller.bind, route_prefix=BASE_API_V2) configurator.include(user_controller.bind, route_prefix=BASE_API_V2) configurator.include(workspace_controller.bind, route_prefix=BASE_API_V2) configurator.include(comment_controller.bind, route_prefix=BASE_API_V2) configurator.include(html_document_controller.bind, route_prefix=BASE_API_V2) # nopep8 configurator.include(thread_controller.bind, route_prefix=BASE_API_V2) configurator.include(file_controller.bind, route_prefix=BASE_API_V2) hapic.add_documentation_view( '/api/v2/doc', 'Tracim v2 API', 'API of Tracim v2', ) return configurator.make_wsgi_app()
def getBasicAuthAuthenticationPolicy(): """Define the authentication policy for a basic auth""" return BasicAuthAuthenticationPolicy( Configuration.get('pyramid_basicauth_check'), debug=Configuration.get('pyramid_authentication_debug'))
def main(global_config, **settings): """ This function returns a Pyramid WSGI application. """ authn_policy = BasicAuthAuthenticationPolicy( groupfinder, realm=settings['reliquary.realm'], debug=settings['pyramid.debug']) authz_policy = ACLAuthorizationPolicy() engine = engine_from_config(settings, 'sqlalchemy.') DBSession.configure(bind=engine) Base.metadata.bind = engine config = Configurator( settings=settings, authentication_policy=authn_policy, authorization_policy=authz_policy, root_factory=Root, ) config.include('pyramid_chameleon') #config.add_static_view('static', 'static', cache_max_age=3600) # ui config.add_route('home', '/api/v1/', request_method='GET') # basic api config.add_route('put_relic', '/api/v1/raw/{channel}/{index}/{relic_name}', request_method='PUT') config.add_route('get_relic', '/api/v1/raw/{channel}/{index}/{relic_name}', request_method='GET') # autoindex (nginx autogenerate index page compatible) config.add_route('autoindex', '/api/v1/autoindex/{channel}/{index}/', request_method='GET') # python package index (PEP-503 compliant) # PROXY config.add_route('pypi_proxy_simple_package', '/api/v1/python/proxy/{channel}/{index}/simple/{package}/', request_method='GET') config.add_route('pypi_proxy_simple', '/api/v1/python/proxy/{channel}/{index}/simple/', request_method='GET') # just to keep compat with pypi.python.org package locations -- calls out # to upstream or to get_relic route config.add_route('pypi_proxy_package', '/api/v1/python/proxy/{channel}/{index}/packages/{parta}/{partb}/{hash}/{package}', request_method='GET') # SELF-HOSTED config.add_route('pypi_simple_package', '/api/v1/python/{channel}/{index}/simple/{package}/', request_method='GET') config.add_route('pypi_simple', '/api/v1/python/{channel}/{index}/simple/', request_method='GET') # commonjs registry (http://wiki.commonjs.org/wiki/Packages/Registry) # npmjs.org is historically based on this, and npm should be compatible # PROXY # these mostly try to replicate the npmjs registry public api in function # npmjs registry api: https://github.com/npm/registry/blob/master/docs/REGISTRY-API.md # set the registry used with npm-config (.npmrc files): https://docs.npmjs.com/files/npmrc # http://registry.npmjs.org/<name>/<version> config.add_route('commonjs_proxy_registry_package_version', '/api/v1/commonjs/proxy/{channel}/{index}/{package}/{version}/', request_method='GET') # http://registry.npmjs.org/<name>/ config.add_route('commonjs_proxy_registry_package_root', '/api/v1/commonjs/proxy/{channel}/{index}/{package}/', request_method='GET') # http://registry.npmjs.org/-/all config.add_route('commonjs_proxy_registry_root', '/api/v1/commonjs/proxy/{channel}/{index}/', request_method='GET') # http://registry.npmjs.org/-/<package>-<version>.tgz config.add_route('commonjs_proxy_package', '/api/v1/commonjs/proxy/package/{channel}/{index}/{package}/{version}', request_method='GET') # SELF HOSTED config.add_route('commonjs_registry_root', '/api/v1/commonjs/{channel}/{index}/', request_method='GET') config.add_route('commonjs_registry_package_root', '/api/v1/commonjs/{channel}/{index}/{package}/', request_method='GET') config.add_route('commonjs_registry_package_version', '/api/v1/commonjs/{channel}/{index}/{package}/{version}/', request_method='GET') # debian repository (https://wiki.debian.org/RepositoryFormat) # additional info: http://www.ibiblio.org/gferg/ldp/giles/repository/repository-2.html # these are the minimum required paths # example sources.list entry: deb http://127.0.0.1/api/v1/debian/wildcard trusty main config.add_route('debian_distrelease', '/api/v1/debian/{channel}/dist/{index}/Release', request_method='GET') config.add_route('debian_archrelease', '/api/v1/debian/{channel}/dist/{index}/main/binary-{arch}/Release', request_method='GET') config.add_route('debian_archpackages', '/api/v1/debian/{channel}/dist/{index}/main/binary-{arch}/Packages', request_method='GET') config.add_route('debian_archpackagesgz', '/api/v1/debian/{channel}/dist/{index}/main/binary-{arch}/Packages.gz', request_method='GET') config.add_route('debian_archpackagesbz2', '/api/v1/debian/{channel}/dist/{index}/main/binary-{arch}/Packages.bz2', request_method='GET') config.add_route('debian_poolpackage', '/api/v1/debian/{channel}/pool/{index}/{relic_name}', request_method='GET') # additional paths that could be just a directory listing of some sort (like autoindex) config.add_route('debian_archindex', '/api/v1/debian/{channel}/dist/{index}/main/binary-{arch}/', request_method='GET') config.add_route('debian_compindex', '/api/v1/debian/{channel}/dist/{index}/main/', request_method='GET') config.add_route('debian_distindex', '/api/v1/debian/{channel}/dist/{index}/', request_method='GET') config.add_route('debian_distrootindex', '/api/v1/debian/{channel}/dist/', request_method='GET') config.add_route('debian_channelindex', '/api/v1/debian/{channel}/', request_method='GET') config.add_route('debian_pooldistindex', '/api/v1/debian/{channel}/pool/{index}/', request_method='GET') config.add_route('debian_poolrootindex', '/api/v1/debian/{channel}/pool/', request_method='GET') config.add_notfound_view(notfound, append_slash=True) config.scan('.views') return config.make_wsgi_app()