def remember(self, environ, identity):
cookies = get_cookies(environ)
if identity is not None and not self.cookie_name in cookies:
aes = environ['aes_cipher']
val = base64.b64encode(bauth(aes, '%s:%s' % (
identity['login'], identity['password'])))
identity['tokens'] = environ['remote.domains']
identity['repoze.who.userid'] = val
return Basetkt.remember(self, environ, identity)
def setup_sql_auth(app, user_class, group_class, permission_class,
dbsession, form_plugin=None, form_identifies=True,
cookie_secret='secret', cookie_name='authtkt',
login_url='/login', login_handler='/login_handler',
post_login_url=None, logout_handler='/logout_handler',
post_logout_url=None, login_counter_name=None,
translations={}, cookie_timeout=None,
cookie_reissue_time=None, charset="iso-8859-1",
use_default_authenticator=True,
**who_args):
"""
Configure :mod:`repoze.who` and :mod:`repoze.what` with SQL-only
authentication and authorization, respectively.
:param app: Your WSGI application.
:param user_class: The SQLAlchemy/Elixir class for the users.
:param group_class: The SQLAlchemy/Elixir class for the groups.
:param permission_class: The SQLAlchemy/Elixir class for the permissions.
:param dbsession: The SQLAlchemy/Elixir session.
:param form_plugin: The main :mod:`repoze.who` challenger plugin; this is
usually a login form.
:param form_identifies: Whether the ``form_plugin`` may and should act as
an :mod:`repoze.who` identifier.
:type form_identifies: bool
:param cookie_secret: The "secret" for the AuthTktCookiePlugin (**set a
custom one!**).
:type cookie_secret: str
:param cookie_name: The name for the AuthTktCookiePlugin.
:type cookie_name: str
:param login_url: The URL where the login form is displayed.
:type login_url: str
:param login_handler: The URL where the login form is submitted.
:type login_handler: str
:param post_login_url: The URL/path where users should be redirected to
after login.
:type post_login_url: str
:param logout_handler: The URL where the logout is handled.
:type login_handler: str
:param post_logout_url: The URL/path where users should be redirected to
after logout.
:type post_logout_url: str
:param login_counter_name: The name of the variable in the query string
that represents the login counter; defaults to ``__logins``.
:type login_counter_name: str
:param translations: The model translations.
:type translations: dict
:param cookie_timeout: The time (in seconds) during which the session cookie
would be valid.
:type cookie_timeout: :class:`int`
:param cookie_reissue_time: How often should the session cookie be reissued
(in seconds); must be less than ``timeout``.
:type cookie_reissue_time: :class:`int`
:param use_default_authenticator: Whether the default SQL authenticator
should be used.
:type use_default_authenticator: :class:`bool`
:return: The WSGI application with authentication and authorization
middleware.
It configures :mod:`repoze.who` with the following plugins:
* Identifiers:
* :class:`repoze.who.plugins.friendlyform.FriendlyFormPlugin` as the
first identifier and challenger -- using ``login`` as the URL/path
where the login form will be displayed, ``login_handler`` as the
URL/path where the form will be sent and ``logout_handler`` as the
URL/path where the user will be logged out. The so-called *rememberer*
of such an identifier will be the identifier below.
If ``post_login_url`` is defined, the user will be redirected to that
page after login. Likewise, if ``post_logout_url`` is defined, the
user will be redirected to that page after logout.
You can override the
:class:`repoze.who.plugins.friendlyform.FriendlyFormPlugin`'s login
counter variable name (which defaults to ``__logins``) by defining
``login_counter_name``.
.. tip::
This plugin may be overridden with the ``form_plugin`` argument.
See also the ``form_identifies`` argument.
* :class:`repoze.who.plugins.auth_tkt.AuthTktCookiePlugin`. You can
customize the cookie name and secret using the ``cookie_name`` and
``cookie_secret`` arguments, respectively.
Then it will append the identifiers you pass through the ``identifiers``
keyword argument, if any.
* Authenticators:
* :class:`repoze.who.plugins.sa.SQLAlchemyAuthenticatorPlugin` (unless
``use_default_authenticator`` is ``False``), using the ``user_class``
and ``dbsession`` arguments as its user class and DB session,
respectively.
Then it will be appended to the authenticators you pass through the
``authenticators`` keyword argument, if any. The default authenticator
would have the lowest precedence.
* Challengers:
* The same Form-based plugin used in the identifiers.
Then it will append the challengers you pass through the
``challengers`` keyword argument, if any.
* Metadata providers:
* :class:`repoze.who.plugins.sa.SQLAlchemyUserMDPlugin`, using
the ``user_class`` and ``dbsession`` arguments as its user class and
DB session, respectively.
Then it will append the metadata providers you pass through the
``mdproviders`` keyword argument, if any.
The ``charset`` is passed to any component which needs to decode/encode
data to/from the user. At present, only
:class:`~repoze.who.plugins.friendlyform.FriendlyFormPlugin` does.
Additional keyword arguments will be passed to
:class:`repoze.who.middleware.PluggableAuthenticationMiddleware`.
.. warning::
It's very important to set a custom ``cookie_secret``! It's the key to
encrypt *and* decrypt the cookies, so you shouldn't leave the default
one.
.. note::
If you don't want to use the groups/permissions-based authorization
pattern, then set ``group_class`` and ``permission_class`` to ``None``.
.. versionchanged:: 1.0.5
Introduced the ``cookie_timeout`` and ``cookie_reissue_time`` arguments.
.. versionchanged:: 1.0.6
Introduced the ``charset`` argument.
.. versionchanged:: 1.0.8
Introduced the ``use_default_authenticator`` argument.
"""
plugin_translations = find_plugin_translations(translations)
source_adapters = configure_sql_adapters(
user_class,
group_class,
permission_class,
dbsession,
plugin_translations['group_adapter'],
plugin_translations['permission_adapter'])
group_adapters= {}
group_adapter = source_adapters.get('group')
if group_adapter:
group_adapters = {'sql_auth': group_adapter}
permission_adapters = {}
permission_adapter = source_adapters.get('permission')
if permission_adapter:
permission_adapters = {'sql_auth': permission_adapter}
# Setting the repoze.who authenticators:
if 'authenticators' not in who_args:
who_args['authenticators'] = []
if use_default_authenticator:
sqlauth = SQLAlchemyAuthenticatorPlugin(user_class, dbsession)
sqlauth.translations.update(plugin_translations['authenticator'])
who_args['authenticators'].append(('sqlauth', sqlauth))
cookie = AuthTktCookiePlugin(cookie_secret, cookie_name,
timeout=cookie_timeout,
reissue_time=cookie_reissue_time)
# Setting the repoze.who identifiers
if 'identifiers' not in who_args:
who_args['identifiers'] = []
who_args['identifiers'].append(('cookie', cookie))
if form_plugin is None:
form = FriendlyFormPlugin(
login_url,
login_handler,
post_login_url,
logout_handler,
post_logout_url,
login_counter_name=login_counter_name,
rememberer_name='cookie',
charset=charset,
)
else:
form = form_plugin
if form_identifies:
who_args['identifiers'].insert(0, ('main_identifier', form))
# Setting the repoze.who challengers:
if 'challengers' not in who_args:
who_args['challengers'] = []
who_args['challengers'].append(('form', form))
# Setting up the repoze.who mdproviders:
sql_user_md = SQLAlchemyUserMDPlugin(user_class, dbsession)
sql_user_md.translations.update(plugin_translations['mdprovider'])
if 'mdproviders' not in who_args:
who_args['mdproviders'] = []
who_args['mdproviders'].append(('sql_user_md', sql_user_md))
# Including logging
log_file = who_args.pop('log_file', None)
if log_file is not None:
if log_file.lower() == 'stdout':
log_stream = sys.stdout
elif log_file.lower() == 'stderr':
log_stream = sys.stderr
else:
log_stream = open(log_file, 'wb')
who_args['log_stream'] = log_stream
log_level = who_args.get('log_level', None)
if log_level is None:
log_level = logging.INFO
else:
log_level = _LEVELS[log_level.lower()]
who_args['log_level'] = log_level
middleware = setup_auth(app, group_adapters, permission_adapters,
**who_args)
return middleware
def setup_sql_auth(app,
user_class,
group_class,
permission_class,
dbsession,
form_plugin=None,
form_identifies=True,
cookie_secret='secret',
cookie_name='authtkt',
login_url='/login',
login_handler='/login_handler',
post_login_url=None,
logout_handler='/logout_handler',
post_logout_url=None,
login_counter_name=None,
translations={},
**who_args):
"""
Configure :mod:`repoze.who` and :mod:`repoze.what` with SQL-only
authentication and authorization, respectively.
:param app: Your WSGI application.
:param user_class: The SQLAlchemy/Elixir class for the users.
:param group_class: The SQLAlchemy/Elixir class for the groups.
:param permission_class: The SQLAlchemy/Elixir class for the permissions.
:param dbsession: The SQLAlchemy/Elixir session.
:param form_plugin: The main :mod:`repoze.who` challenger plugin; this is
usually a login form.
:param form_identifies: Whether the ``form_plugin`` may and should act as
an :mod:`repoze.who` identifier.
:type form_identifies: bool
:param cookie_secret: The "secret" for the AuthTktCookiePlugin.
:type cookie_secret: str
:param cookie_name: The name for the AuthTktCookiePlugin.
:type cookie_name: str
:param login_url: The URL where the login form is displayed.
:type login_url: str
:param login_handler: The URL where the login form is submitted.
:type login_handler: str
:param post_login_url: The URL/path where users should be redirected to
after login.
:type post_login_url: str
:param logout_handler: The URL where the logout is handled.
:type login_handler: str
:param post_logout_url: The URL/path where users should be redirected to
after logout.
:type post_logout_url: str
:param login_counter_name: The name of the variable in the query string
that represents the login counter; defaults to ``__logins``.
:type login_counter_name: str
:param translations: The model translations.
:type translations: dict
:return: The WSGI application with authentication and authorization
middleware.
It configures :mod:`repoze.who` with the following plugins:
* Identifiers:
* :class:`repoze.who.plugins.friendlyform.FriendlyFormPlugin` as the
first identifier and challenger -- using ``login`` as the URL/path
where the login form will be displayed, ``login_handler`` as the
URL/path where the form will be sent and ``logout_handler`` as the
URL/path where the user will be logged out. The so-called *rememberer*
of such an identifier will be the identifier below.
If ``post_login_url`` is defined, the user will be redirected to that
page after login. Likewise, if ``post_logout_url`` is defined, the
user will be redirected to that page after logout.
You can override the
:class:`repoze.who.plugins.friendlyform.FriendlyFormPlugin`'s login
counter variable name (which defaults to ``__logins``) by defining
``login_counter_name``.
.. tip::
This plugin may be overridden with the ``form_plugin`` argument.
See also the ``form_identifies`` argument.
* :class:`repoze.who.plugins.auth_tkt.AuthTktCookiePlugin`. You can
customize the cookie name and secret using the ``cookie_name`` and
``cookie_secret`` arguments, respectively.
Then it will append the identifiers you pass through the ``identifiers``
keyword argument, if any.
* Authenticators:
* :class:`repoze.who.plugins.sa.SQLAlchemyAuthenticatorPlugin`, using
the ``user_class`` and ``dbsession`` arguments as its user class and
DB session, respectively.
Then it will append the authenticators you pass through the
``authenticators`` keyword argument, if any.
* Challengers:
* The same Form-based plugin used in the identifiers.
Then it will append the challengers you pass through the
``challengers`` keyword argument, if any.
* Metadata providers:
* :class:`repoze.who.plugins.sa.SQLAlchemyUserMDPlugin`, using
the ``user_class`` and ``dbsession`` arguments as its user class and
DB session, respectively.
Then it will append the metadata providers you pass through the
``mdproviders`` keyword argument, if any.
Additional keyword arguments will be passed to
:class:`repoze.who.middleware.PluggableAuthenticationMiddleware`.
.. note::
If you don't want to use the groups/permissions-based authorization
pattern, then set ``group_class`` and ``permission_class`` to ``None``.
"""
plugin_translations = find_plugin_translations(translations)
if group_class is None or permission_class is None:
group_adapters = permission_adapters = None
else:
source_adapters = configure_sql_adapters(
user_class, group_class, permission_class, dbsession,
plugin_translations['group_adapter'],
plugin_translations['permission_adapter'])
group_adapters = {'sql_auth': source_adapters['group']}
permission_adapters = {'sql_auth': source_adapters['permission']}
# Setting the repoze.who authenticators:
sqlauth = SQLAlchemyAuthenticatorPlugin(user_class, dbsession)
sqlauth.translations.update(plugin_translations['authenticator'])
if 'authenticators' not in who_args:
who_args['authenticators'] = []
who_args['authenticators'].append(('sqlauth', sqlauth))
cookie = AuthTktCookiePlugin(cookie_secret, cookie_name)
# Setting the repoze.who identifiers
if 'identifiers' not in who_args:
who_args['identifiers'] = []
who_args['identifiers'].append(('cookie', cookie))
if form_plugin is None:
form = FriendlyFormPlugin(login_url,
login_handler,
post_login_url,
logout_handler,
post_logout_url,
login_counter_name=login_counter_name,
rememberer_name='cookie')
else:
form = form_plugin
if form_identifies:
who_args['identifiers'].insert(0, ('main_identifier', form))
# Setting the repoze.who challengers:
if 'challengers' not in who_args:
who_args['challengers'] = []
who_args['challengers'].append(('form', form))
# Setting up the repoze.who mdproviders:
sql_user_md = SQLAlchemyUserMDPlugin(user_class, dbsession)
sql_user_md.translations.update(plugin_translations['mdprovider'])
if 'mdproviders' not in who_args:
who_args['mdproviders'] = []
who_args['mdproviders'].append(('sql_user_md', sql_user_md))
middleware = setup_auth(app, group_adapters, permission_adapters,
**who_args)
return middleware
def make_test_middleware(app, global_conf):
""" Functionally equivalent to
[plugin:redirector]
use = repoze.who.plugins.redirector.RedirectorPlugin
login_url = /login.html
[plugin:auth_tkt]
use = repoze.who.plugins.auth_tkt:AuthTktCookiePlugin
secret = SEEKRIT
cookie_name = oatmeal
[plugin:basicauth]
use = repoze.who.plugins.basicauth.BasicAuthPlugin
realm = repoze.who
[plugin:htpasswd]
use = repoze.who.plugins.htpasswd.HTPasswdPlugin
filename = <...>
check_fn = repoze.who.plugins.htpasswd:crypt_check
[general]
request_classifier = repoze.who.classifiers:default_request_classifier
challenge_decider = repoze.who.classifiers:default_challenge_decider
[identifiers]
plugins = authtkt basicauth
[authenticators]
plugins = authtkt htpasswd
[challengers]
plugins = redirector:browser basicauth
"""
# be able to test without a config file
from repoze.who.plugins.basicauth import BasicAuthPlugin
from repoze.who.plugins.auth_tkt import AuthTktCookiePlugin
from repoze.who.plugins.redirector import RedirectorPlugin
from repoze.who.plugins.htpasswd import HTPasswdPlugin
io = StringIO()
for name, password in [('admin', 'admin'), ('chris', 'chris')]:
io.write('%s:%s\n' % (name, password))
io.seek(0)
def cleartext_check(password, hashed):
return password == hashed #pragma NO COVERAGE
htpasswd = HTPasswdPlugin(io, cleartext_check)
basicauth = BasicAuthPlugin('repoze.who')
auth_tkt = AuthTktCookiePlugin('secret', 'auth_tkt')
redirector = RedirectorPlugin('/login.html')
redirector.classifications = {IChallenger: ['browser']} # only for browser
identifiers = [
('auth_tkt', auth_tkt),
('basicauth', basicauth),
]
authenticators = [('htpasswd', htpasswd)]
challengers = [('redirector', redirector), ('basicauth', basicauth)]
mdproviders = []
from repoze.who.classifiers import default_request_classifier
from repoze.who.classifiers import default_challenge_decider
log_stream = None
import os
if os.environ.get('WHO_LOG'):
log_stream = sys.stdout
middleware = PluggableAuthenticationMiddleware(app,
identifiers,
authenticators,
challengers,
mdproviders,
default_request_classifier,
default_challenge_decider,
log_stream=log_stream,
log_level=logging.DEBUG)
return middleware
def setup_auth(app,
form_plugin=None,
form_identifies=True,
cookie_secret='secret',
cookie_name='authtkt',
login_url='/login',
login_handler='/login_handler',
post_login_url=None,
logout_handler='/logout_handler',
post_logout_url=None,
login_counter_name=None,
cookie_timeout=None,
cookie_reissue_time=None,
**who_args):
"""
Sets :mod:`repoze.who` up with the provided authenticators and
options to create FriendlyFormPlugin/FastFormPlugin.
It returns a middleware that provides identification,
authentication and authorization in a way that is compatible
with repoze.who and repoze.what.
"""
if 'charset' in who_args: #pragma: no cover
log.warn('charset argument in authentication setup is ignored')
who_args.pop('charset')
# If no identifiers are provided in repoze setup arguments
# then create a default one using AuthTktCookiePlugin.
if 'identifiers' not in who_args:
from repoze.who.plugins.auth_tkt import AuthTktCookiePlugin
cookie = AuthTktCookiePlugin(cookie_secret,
cookie_name,
timeout=cookie_timeout,
reissue_time=cookie_reissue_time)
who_args['identifiers'] = [('cookie', cookie)]
who_args['authenticators'].insert(0, ('cookie', cookie))
# If no form plugin is provided then create a default
# one using the provided options.
if form_plugin is None:
from tg.configuration.auth.fastform import FastFormPlugin
form = FastFormPlugin(login_url,
login_handler,
post_login_url,
logout_handler,
post_logout_url,
rememberer_name='cookie',
login_counter_name=login_counter_name)
else:
form = form_plugin
if form_identifies:
who_args['identifiers'].insert(0, ('main_identifier', form))
# Setting the repoze.who challengers:
if 'challengers' not in who_args:
who_args['challengers'] = []
who_args['challengers'].append(('form', form))
# Including logging
log_file = who_args.pop('log_file', None)
if log_file is not None:
if log_file.lower() == 'stdout':
log_stream = sys.stdout
elif log_file.lower() == 'stderr':
log_stream = sys.stderr
else:
log_stream = open(log_file, 'wb')
who_args['log_stream'] = log_stream
log_level = who_args.get('log_level', None)
if log_level is None:
log_level = logging.INFO
else:
log_level = _LEVELS[log_level.lower()]
who_args['log_level'] = log_level
# Setting up the metadata provider for the user information
if 'mdproviders' not in who_args:
who_args['mdproviders'] = []
# Set up default classifier
if 'classifier' not in who_args:
who_args['classifier'] = default_request_classifier
# Set up default challenger decider
if 'challenge_decider' not in who_args:
who_args['challenge_decider'] = turbogears_challenge_decider
skip_authn = who_args.pop('skip_authentication', False)
if asbool(skip_authn):
return _AuthenticationForgerMiddleware(app, **who_args)
else:
return PluggableAuthenticationMiddleware(app, **who_args)
def make_app(global_conf, full_stack=True, static_files=True, **app_conf):
"""Create a Pylons WSGI application and return it
``global_conf``
The inherited configuration for this application. Normally from
the [DEFAULT] section of the Paste ini file.
``full_stack``
Whether this application provides a full WSGI stack (by default,
meaning it handles its own exceptions and errors). Disable
full_stack when this application is "managed" by another WSGI
middleware.
``static_files``
Whether this application serves its own static files; disable
when another web server is responsible for serving them.
``app_conf``
The application's local configuration. Normally specified in
the [app:<name>] section of the Paste ini file (where <name>
defaults to main).
"""
# Configure the Pylons environment
load_environment(global_conf, app_conf)
# The Pylons WSGI app
app = PylonsApp()
# Routing/Session/Cache Middleware
app = RoutesMiddleware(app, config['routes.map'])
app = SessionMiddleware(app, config)
app = CacheMiddleware(app, config)
# CUSTOM MIDDLEWARE HERE (filtered by error handling middlewares)
basicauth = BasicAuthPlugin('OpenSpending')
auth_tkt = AuthTktCookiePlugin(
'RANDOM_KEY_THAT_ONLY_LOOKS_LIKE_A_PLACEHOLDER',
cookie_name='openspending_login',
timeout=86400 * 90,
reissue_time=3600)
form = FriendlyFormPlugin('/login',
'/perform_login',
'/after_login',
'/logout',
'/after_logout',
rememberer_name='auth_tkt')
identifiers = [('auth_tkt', auth_tkt), ('basicauth', basicauth),
('form', form)]
authenticators = [('auth_tkt', auth_tkt),
('username', UsernamePasswordAuthenticator()),
('apikey', ApiKeyAuthenticator())]
challengers = [('form', form), ('basicauth', basicauth)]
log_stream = sys.stdout
app = PluggableAuthenticationMiddleware(app,
identifiers,
authenticators,
challengers, [],
default_request_classifier,
default_challenge_decider,
log_stream=log_stream,
log_level=logging.WARN)
if asbool(full_stack):
# Handle Python exceptions
app = ErrorHandler(app, global_conf, **config['pylons.errorware'])
# Display error documents for 401, 403, 404 status codes (and
# 500 when debug is disabled)
if asbool(config['debug']):
app = StatusCodeRedirect(app)
else:
app = StatusCodeRedirect(app, [400, 401, 403, 404, 500])
# Establish the Registry for this application
app = RegistryManager(app)
if asbool(static_files):
max_age = None if asbool(config['debug']) else 3600
# Serve static files
static_app = StaticURLParser(config['pylons.paths']['static_files'],
cache_max_age=max_age)
static_parsers = [static_app, app]
app = Cascade(static_parsers)
return app
def add_auth(app, site_name, cookie_name, cookie_secret, login_url,
login_handler_url, authenticators, mdproviders, groups,
permissions):
"""
Add authentication and authorization middleware to the ``app``.
:param app: The WSGI application.
:param site_name: the site name used in basic auth box.
:param cookie_name: basic auth name and cookie name.
:param cookie_secret: unique secret string used to protect sessions.
:param login_url: the url for the login page
:param login_handler_url: the url for the login handler
:param authenticators: list of authenticator plugins
:param mdproviders: list of mdprovider plugins
:param groups: list of groups plugins
:param permissions: list of permissions plugins
:return: The same WSGI application, with authentication and
authorization middleware.
"""
get_log().info("add_auth: intialising Repoze")
if not authenticators:
raise ValueError("No authenticators provided")
if not mdproviders:
raise ValueError("No mdproviders provided")
if not groups:
raise ValueError("No groups provided")
if not permissions:
raise ValueError("No permissions provided")
# If we ever change default behavior for challengers and identifiers,
# move these to the above function
logout_handler = None
form = RedirectingFormPlugin(
login_url,
login_handler_url,
logout_handler,
rememberer_name='cookie',
)
cookie = AuthTktCookiePlugin(cookie_secret, cookie_name)
#identifiers = [('main_identifier', form), ('basicauth', basicauth),\
# ('cookie', cookie)]
#identifiers = [('basicauth', basicauth), ('cookie', cookie)]
identifiers = [('form', form), ('cookie', cookie)]
#challengers = [('form', form), ('basicauth', basicauth)]
#challengers = [('basicauth', basicauth)]
challengers = [('form', form)]
#get_log().info(dict(groups))
#get_log().info( dict(permissions))
#get_log().info( identifiers)
#get_log().info( authenticators)
#get_log().info( challengers )
#get_log().info( mdproviders)
app_with_auth = setup_auth(
app=app,
# # why these are dicts where all the other are lists...
group_adapters=dict(groups),
permission_adapters=dict(permissions),
identifiers=identifiers,
authenticators=authenticators,
challengers=challengers,
mdproviders=mdproviders,
log_level=logging.DEBUG
)
get_log().info("add_auth: user/group/permission setup OK.")
return app_with_auth
def __init__(self, secret, cookie_name='auth_tkt',
secure=False, include_ip=False, timeout=None,
reissue_time=None, userid_checker=None, pkey=None):
Basetkt.__init__(self, secret, cookie_name, secure, include_ip,
timeout, reissue_time, userid_checker)
self.pkey = pkey
def remember(self, environ, identity):
if environ.get('repoze.who.identity'):
return AuthTktCookiePlugin.remember(self, environ, identity)
else:
return self.forget(environ, identity)
# Configure the repoze.who middleware:
## fake .htpasswd authentication source
io = StringIO()
for name, password in [('admin', 'admin'), ('user', 'user')]:
io.write('%s:%s\n' % (name, password))
io.seek(0)
def cleartext_check(password, hashed):
return password == hashed
htpasswd = HTPasswdPlugin(io, cleartext_check)
## other plugins
basicauth = BasicAuthPlugin('repoze.who')
auth_tkt = AuthTktCookiePlugin('secret', 'auth_tkt')
redirector = RedirectorPlugin(login_url='/login.html')
redirector.classifications = {IChallenger: ['browser']} # only for browser
## group / order plugins by function
identifiers = [('auth_tkt', auth_tkt), ('basicauth', basicauth)]
authenticators = [('auth_tkt', auth_tkt), ('htpasswd', htpasswd)]
challengers = [('redirector', redirector), ('basicauth', basicauth)]
mdproviders = []
## set up who logging, if desired
log_stream = None
if os.environ.get('WHO_LOG'):
log_stream = sys.stdout
# Wrap the middleware around the application.
# Configure the repoze.who middleware:
## fake .htpasswd authentication source
io = StringIO()
for name, password in [('admin', 'admin'), ('user', 'user')]:
io.write('%s:%s\n' % (name, password))
io.seek(0)
def cleartext_check(password, hashed):
return password == hashed
htpasswd = HTPasswdPlugin(io, cleartext_check)
## other plugins
basicauth = BasicAuthPlugin('repoze.who')
auth_tkt = AuthTktCookiePlugin('secret', 'auth_tkt', digest_algo="sha512")
redirector = RedirectorPlugin(login_url='/login.html')
redirector.classifications = {IChallenger: ['browser']} # only for browser
## group / order plugins by function
identifiers = [('auth_tkt', auth_tkt), ('basicauth', basicauth)]
authenticators = [('auth_tkt', auth_tkt), ('htpasswd', htpasswd)]
challengers = [('redirector', redirector), ('basicauth', basicauth)]
mdproviders = []
## set up who logging, if desired
log_stream = None
if os.environ.get('WHO_LOG'):
log_stream = sys.stdout
# Wrap the middleware around the application.
from tg.configuration import AppConfig
from repoze.who.plugins.auth_tkt import AuthTktCookiePlugin
from repoze.who.plugins.basicauth import BasicAuthPlugin
import os
authtkt = AuthTktCookiePlugin('authtkt', 'authtkt')
basicauth = BasicAuthPlugin("something")
import pythondispatchms
from pythondispatchms import model, lib
base_config = AppConfig()
base_config.renderers = []
# True to prevent dispatcher from striping extensions
# For example /socket.io would be served by "socket_io"
# method instead of "socket".
base_config.disable_request_extensions = False
# Set None to disable escaping punctuation characters to "_"
# when dispatching methods.
# Set to a function to provide custom escaping.
base_config.dispatch_path_translator = True
base_config.prefer_toscawidgets2 = True
base_config.package = pythondispatchms
# Enable json in expose
base_config.renderers.append('json')
def make_test_middleware(app, global_conf):
""" Functionally equivalent to
[plugin:form]
use = repoze.who.plugins.form.FormPlugin
rememberer_name = cookie
login_form_qs=__do_login
[plugin:cookie]
use = repoze.who.plugins.cookie:InsecureCookiePlugin
cookie_name = oatmeal
[plugin:basicauth]
use = repoze.who.plugins.basicauth.BasicAuthPlugin
realm = repoze.who
[plugin:htpasswd]
use = repoze.who.plugins.htpasswd.HTPasswdPlugin
filename = <...>
check_fn = repoze.who.plugins.htpasswd:crypt_check
[general]
request_classifier = repoze.who.classifiers:default_request_classifier
challenge_decider = repoze.who.classifiers:default_challenge_decider
[identifiers]
plugins = form:browser cookie basicauth
[authenticators]
plugins = htpasswd
[challengers]
plugins = form:browser basicauth
"""
# be able to test without a config file
from repoze.who.plugins.basicauth import BasicAuthPlugin
from repoze.who.plugins.auth_tkt import AuthTktCookiePlugin
from repoze.who.plugins.cookie import InsecureCookiePlugin
from repoze.who.plugins.form import FormPlugin
from repoze.who.plugins.htpasswd import HTPasswdPlugin
io = StringIO()
salt = 'aa'
for name, password in [ ('admin', 'admin'), ('chris', 'chris') ]:
io.write('%s:%s\n' % (name, password))
io.seek(0)
def cleartext_check(password, hashed):
return password == hashed #pragma NO COVERAGE
htpasswd = HTPasswdPlugin(io, cleartext_check)
basicauth = BasicAuthPlugin('repoze.who')
auth_tkt = AuthTktCookiePlugin('secret', 'auth_tkt')
cookie = InsecureCookiePlugin('oatmeal')
form = FormPlugin('__do_login', rememberer_name='auth_tkt')
form.classifications = { IIdentifier:['browser'],
IChallenger:['browser'] } # only for browser
identifiers = [('form', form),('auth_tkt',auth_tkt),('basicauth',basicauth)]
authenticators = [('htpasswd', htpasswd)]
challengers = [('form',form), ('basicauth',basicauth)]
mdproviders = []
from repoze.who.classifiers import default_request_classifier
from repoze.who.classifiers import default_challenge_decider
log_stream = None
import os
if os.environ.get('WHO_LOG'):
log_stream = sys.stdout
middleware = PluggableAuthenticationMiddleware(
app,
identifiers,
authenticators,
challengers,
mdproviders,
default_request_classifier,
default_challenge_decider,
log_stream = log_stream,
log_level = logging.DEBUG
)
return middleware
