Commit 920931e5 authored by David Douard's avatar David Douard

add support for pyramid_cubiweb integration (closes #5530811)

parent 787b94020b97
# copyright 2010-2013 LOGILAB S.A. (Paris, FRANCE), all rights reserved.
# copyright 2010-2015 LOGILAB S.A. (Paris, FRANCE), all rights reserved.
# contact http://www.logilab.fr -- mailto:contact@logilab.fr
#
# This program is free software: you can redistribute it and/or modify it under
......@@ -19,3 +19,36 @@
authentication plugin for cubicweb instances behind a trusted
reverse proxy managing authentication (eg. apache + kerberos)
"""
def includeme(config):
"""Activate the trusted authentication policy in a
pyramid_cubiweb instance.
Usually called from the main pyramid_cubicweb.core configurator
(see ``pyramid_cubicweb.core``).
See also :ref:`defaults_module`
"""
from cubes.trustedauth.pconfig import TrustedAuthenticationPolicy
policy = TrustedAuthenticationPolicy()
# # add some bw compat methods
# # these ease code factorization between pyramid related code and legacy one
# config.add_request_method(
# lambda req, header, default=None: req.headers.get(header, default),
# name='get_header', property=False, reify=False)
# config.add_request_method(lambda req: req.method,
# name='http_method', property=False, reify=False)
if config.registry.get('cubicweb.authpolicy') is None:
err = "trustedauth: the default cubicweb auth policy should be "\
"available via the 'cubicweb.authpolicy' registry config "\
"entry"
raise ValueError(err)
# if we use (the default) a multiauth policy in CW, append
# signedrequest to it
mainpolicy = config.registry['cubicweb.authpolicy']
mainpolicy._policies.append(policy)
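Review bot: `mainpolicy._policies.append(policy)` at the end of `includeme` assumes the registered policy is a multi-auth policy exposing a private `_policies` list, but the only check made is that the registry entry is not None. Any other policy type would fail with an AttributeError instead of the explicit ValueError raised just above; a guard such as `if not hasattr(mainpolicy, '_policies'): raise ValueError(...)` would make that failure clear. The comment above the append still says "append signedrequest to it", which looks carried over from another cube; `# append the trusted-header policy to it` would match this code. The docstring should also state that including this module makes the instance accept the user name set by the reverse proxy, so it must only be enabled on instances that are not reachable directly. The commented-out `add_request_method` block could be dropped.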
# copyright 2015 LOGILAB S.A. (Paris, FRANCE), all rights reserved.
# contact http://www.logilab.fr -- mailto:contact@logilab.fr
#
# This program is free software: you can redistribute it and/or modify it under
# the terms of the GNU Lesser General Public License as published by the Free
# Software Foundation, either version 2.1 of the License, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
# FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
# details.
#
# You should have received a copy of the GNU Lesser General Public License along
# with this program. If not, see <http://www.gnu.org/licenses/>.
"""cubicweb-trustedauth pyramid_cubiweb integration module
"""
import logging
from zope.interface import implementer
from pyramid.authentication import IAuthenticationPolicy
logger = logging.getLogger(__name__)
# we cannot really use the RemoteUserAuthenticationPolicy here since
# it does **not** return the result of the callback -- where we could
# have done the login => eid translation -- call as
# authenticated_userid (pyramid_cubicweb expects this method to return
# a CWUser eid).
@implementer(IAuthenticationPolicy)
class TrustedAuthenticationPolicy(object):
def __init__(self, environ_key='HTTP_X_REMOTE_USER'):
self.environ_key = environ_key
def unauthenticated_userid(self, request):
return None
def authenticated_userid(self, request):
login = request.environ.get(self.environ_key)
if login is None:
return
repo = request.registry['cubicweb.repository']
with repo.internal_cnx() as cnx:
try:
rset = cnx.execute('Any U WHERE U is CWUser, U login %(login)s',
{'login': login})
if rset:
assert len(rset) == 1
logger.debug('%s: authenticated %s (%s)', self.__class__.__name__, login, rset[0][0])
return rset[0][0]
except Exception as exc:
logger.debug('%s: authentication failure (%s)', self.__class__.__name__, exc)
return None
def remember(self, request, principal, **kw):
""" A no-op. The ``REMOTE_USER`` does not provide a protocol for
remembering the user. This will be application-specific and can
be done somewhere else or in a subclass."""
return ()
def forget(self, request):
""" A no-op. The ``REMOTE_USER`` does not provide a protocol for
forgetting the user. This will be application-specific and can
be done somewhere else or in a subclass."""
return ()
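Review bot: The default `environ_key='HTTP_X_REMOTE_USER'` in `TrustedAuthenticationPolicy.__init__` is a WSGI key derived from a client-supplied request header, and `authenticated_userid` uses its value as the login with no further check. The policy is therefore only safe when the instance is reachable solely through a proxy that always overwrites or strips that header. Nothing in the module says so; I would add a class docstring stating that deployment requirement, and that the proxy must drop any client-sent `X-Remote-User` header (including underscore spellings, which some servers presumably map to the same key). In the same method, `assert len(rset) == 1` disappears under `python -O`, and the surrounding `except Exception` turns every failure, including a repository error, into an anonymous request logged only at debug level; `logger.warning('%s: authentication failure (%s)', self.__class__.__name__, exc)` would make those visible to operators. The class also defines no `effective_principals`, which `IAuthenticationPolicy` declares; whether the enclosing multi-auth policy calls it is not visible here.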