Commit 3ea87d27 authored by Christophe de Vienne's avatar Christophe de Vienne

[auth] Use pyramid_multiauth

It makes it easier to finely tune what parts of the default authentication stack
we want to use or not.

It also makes it possible for any cube to add its own policy in addition to the
others.

Related to #4985962
parent 1a816189ceee
......@@ -2,29 +2,37 @@ import datetime
import logging
import warnings
from zope.interface import implementer
from pyramid.settings import asbool
from pyramid.authorization import ACLAuthorizationPolicy
from pyramid_cubicweb.core import get_principals
from pyramid_multiauth import MultiAuthenticationPolicy
from pyramid.authentication import AuthTktAuthenticationPolicy
from pyramid.interfaces import IAuthenticationPolicy
log = logging.getLogger(__name__)
class CubicWebAuthTktAuthenticationPolicy(AuthTktAuthenticationPolicy):
@implementer(IAuthenticationPolicy)
class UpdateLoginTimeAuthenticationPolicy(object):
"""An authentication policy that update the user last_login_time.
The update is done in the 'remember' method, which is called on login,
and each time the authentication ticket is reissued.
Meaning, the last_login_time is updated reissue_time seconds (maximum)
before the last request by the user.
The update is done in the 'remember' method, which is called by the login
views login,
Usually used via :func:`includeme`.
"""
def authenticated_userid(self, request):
pass
def effective_principals(self, request):
return ()
def remember(self, request, principal, **kw):
headers = super(CubicWebAuthTktAuthenticationPolicy, self).remember(
request, principal, **kw)
try:
repo = request.registry['cubicweb.repository']
with repo.internal_cnx() as cnx:
......@@ -35,7 +43,10 @@ class CubicWebAuthTktAuthenticationPolicy(AuthTktAuthenticationPolicy):
cnx.commit()
except:
log.exception("Failed to update last_login_time")
return headers
return ()
def forget(self, request):
return ()
def includeme(config):
......@@ -45,25 +56,41 @@ def includeme(config):
See also :ref:`defaults_module`
"""
secret = config.registry['cubicweb.config']['pyramid-auth-secret']
settings = config.registry.settings
policies = []
if asbool(settings.get('cubicweb.auth.update_login_time', True)):
policies.append(UpdateLoginTimeAuthenticationPolicy())
if asbool(settings.get('cubicweb.auth.authtkt', True)):
secret = config.registry['cubicweb.config']['pyramid-auth-secret']
if not secret:
secret = 'notsosecret'
warnings.warn('''
!! WARNING !! !! WARNING !!
The authentication cookies are signed with a static secret key.
To put your own secret key, edit your all-in-one.conf file
and set the 'pyramid-auth-secret' key.
if not secret:
secret = 'notsosecret'
warnings.warn('''
YOU SHOULD STOP THIS INSTANCE unless your really know what you
are doing !!
!! WARNING !! !! WARNING !!
''')
The authentication cookies are signed with a static secret key.
To put your own secret key, edit your all-in-one.conf file
and set the 'pyramid-auth-secret' key.
policies.append(
AuthTktAuthenticationPolicy(
secret, hashalg='sha512', reissue_time=3600))
YOU SHOULD STOP THIS INSTANCE unless your really know what you
are doing !!
kw = {}
if asbool(settings.get('cubicweb.auth.groups_principals', True)):
kw['callback'] = get_principals
''')
authpolicy = MultiAuthenticationPolicy(policies, **kw)
config.registry['cubicweb.authpolicy'] = authpolicy
config.set_authentication_policy(
CubicWebAuthTktAuthenticationPolicy(
secret, callback=get_principals, hashalg='sha512',
reissue_time=3600))
config.set_authentication_policy(authpolicy)
config.set_authorization_policy(ACLAuthorizationPolicy())
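Review bot: The static fallback `secret = 'notsosecret'` kept inside the new `cubicweb.auth.authtkt` branch means an instance started without `pyramid-auth-secret` still signs auth_tkt cookies with a publicly known key, so anyone can mint a ticket for any user; the `warnings.warn` that accompanies it does not stop the process and is easily silenced by a warnings filter. Failing closed would be safer: `if not secret: raise ValueError("pyramid-auth-secret must be set in all-in-one.conf when cubicweb.auth.authtkt is enabled")`, or at least derive a per-process random secret with `os.urandom` so tickets cannot be forged even if they stop surviving restarts. The `AuthTktAuthenticationPolicy(...)` call is also built without `http_only=True`, leaving the ticket cookie readable from script under pyramid's defaults; that is pre-existing, but worth setting now that the construction is being rewritten. Separately, `UpdateLoginTimeAuthenticationPolicy` in the first hunk declares `IAuthenticationPolicy` but, as far as the hunks show, defines no `unauthenticated_userid`; pyramid_multiauth looks like it calls that method on every wrapped policy, so `request.unauthenticated_userid` would raise `AttributeError` — `def unauthenticated_userid(self, request): return None` would close the gap.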
......@@ -30,6 +30,7 @@ setup(
'pyramid >= 1.5.0',
'waitress >= 0.8.9',
'cubicweb >= 3.19.3',
'wsgicors >= 0.3'
'wsgicors >= 0.3',
'pyramid_multiauth',
]
)
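Review bot: `'pyramid_multiauth'` is the only entry in this `install_requires` list without a version bound, while every neighbour carries a `>=` floor. Since the new auth code relies on the policy-chaining and callback behaviour of that package, a lower bound matching the version it was developed against (`'pyramid_multiauth >= X.Y'`, with X.Y taken from the tested environment) would keep an older, incompatible release from being resolved at install time.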