|
|
|
|
''' User Authentication and Authorization '''
|
|
|
|
|
|
|
|
|
|
from passlib.context import CryptContext
|
|
|
|
|
from pyramid.authentication import AuthTktAuthenticationPolicy
|
|
|
|
|
from pyramid.authorization import ACLAuthorizationPolicy
|
|
|
|
|
from pyramid.security import Authenticated, Everyone
|
|
|
|
|
from pyramid.settings import aslist
|
|
|
|
|
|
|
|
|
|
from ordr.models.account import User
|
|
|
|
|
|
|
|
|
|
#: passlib context for hashing passwords
|
|
|
|
|
# at least one scheme must be set in advance, will be overridden by the
|
|
|
|
|
# settings in the .ini file.
|
|
|
|
|
password_context = CryptContext(schemes=['argon2'])
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
class AuthenticationPolicy(AuthTktAuthenticationPolicy):
|
|
|
|
|
''' How to authenticate users '''
|
|
|
|
|
|
|
|
|
|
def authenticated_userid(self, request):
|
|
|
|
|
''' returns the id of an authenticated user
|
|
|
|
|
|
|
|
|
|
heavy lifting done in get_user() attached to request
|
|
|
|
|
'''
|
|
|
|
|
user = request.user
|
|
|
|
|
if user is not None:
|
|
|
|
|
return user.id
|
|
|
|
|
|
|
|
|
|
def effective_principals(self, request):
|
|
|
|
|
''' returns a list of principals for the user '''
|
|
|
|
|
principals = [Everyone]
|
|
|
|
|
user = request.user
|
|
|
|
|
if user is not None:
|
|
|
|
|
principals.append(Authenticated)
|
|
|
|
|
principals.extend(user.principals)
|
|
|
|
|
return principals
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def get_user(request):
|
|
|
|
|
''' retrieves the user object by the unauthenticated user id
|
|
|
|
|
|
|
|
|
|
:param pyramid.request.Request request:
|
|
|
|
|
the current request object
|
|
|
|
|
:rtype: :class:`ordr.models.account.User` or None
|
|
|
|
|
'''
|
|
|
|
|
user_id = request.unauthenticated_userid
|
|
|
|
|
if user_id is not None:
|
|
|
|
|
user = request.dbsession.query(User).filter_by(id=user_id).first()
|
|
|
|
|
if user and user.is_active:
|
|
|
|
|
return user
|
|
|
|
|
return None
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def crypt_context_settings_to_string(settings, prefix='passlib.'):
|
|
|
|
|
''' returns a passlib context setting as a INI-formatted content
|
|
|
|
|
|
|
|
|
|
:param dict settings: settings for the crypt context
|
|
|
|
|
:param str prefix: prefix of the settings keys
|
|
|
|
|
:rtype: (str) config string in INI format for CryptContext.load()
|
|
|
|
|
|
|
|
|
|
This looks at first like a dump hack, but the parsing of all possible
|
|
|
|
|
context settings is quite a task. Since passlib has a context parser
|
|
|
|
|
included, this seems the most reliable way to do it.
|
|
|
|
|
'''
|
|
|
|
|
config_lines = ['[passlib]']
|
|
|
|
|
for ini_key, value in settings.items():
|
|
|
|
|
if ini_key.startswith(prefix):
|
|
|
|
|
context_key = ini_key.replace(prefix, '')
|
|
|
|
|
# the pyramid .ini format is different on lists
|
|
|
|
|
# than the .ini format used by passlib.
|
|
|
|
|
if context_key in {'schemes', 'deprecated'} and ',' not in value:
|
|
|
|
|
value = ','.join(aslist(value))
|
|
|
|
|
config_lines.append(f'{context_key} = {value}')
|
|
|
|
|
return '\n'.join(config_lines)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def includeme(config): # pragma: no cover
|
|
|
|
|
''' initializing authentication, authorization and password hash settings
|
|
|
|
|
|
|
|
|
|
Activate this setup using ``config.include('ordr.security')``.
|
|
|
|
|
'''
|
|
|
|
|
settings = config.get_settings()
|
|
|
|
|
|
|
|
|
|
# configure the passlib context manager for hashing user passwords
|
|
|
|
|
config_str = crypt_context_settings_to_string(settings, prefix='passlib.')
|
|
|
|
|
password_context.load(config_str)
|
|
|
|
|
|
|
|
|
|
# config for authentication and authorization
|
|
|
|
|
authn_policy = AuthenticationPolicy(
|
|
|
|
|
settings.get('auth.secret', ''),
|
|
|
|
|
hashalg='sha512',
|
|
|
|
|
)
|
|
|
|
|
config.set_authentication_policy(authn_policy)
|
|
|
|
|
config.set_authorization_policy(ACLAuthorizationPolicy())
|
|
|
|
|
|
|
|
|
|
# attach the get_user function returned by get_user_closure()
|
|
|
|
|
config.add_request_method(get_user, 'user', reify=True)
|
