Changeset 67

Timestamp:

04/18/07 15:46:07

Author:

thejimmyg

Message:

Added a database example, changed permissions to work with the new user API and fixed some intercept problems with form, digest and basic

Files:

• AuthKit/branches/0.4/README.txt (modified) (1 diff)
• AuthKit/branches/0.4/authkit/authenticate/__init__.py (modified) (4 diffs)
• AuthKit/branches/0.4/authkit/authenticate/auth_tkt.py (modified) (1 diff)
• AuthKit/branches/0.4/authkit/authenticate/basic.py (modified) (4 diffs)
• AuthKit/branches/0.4/authkit/authenticate/digest.py (modified) (4 diffs)
• AuthKit/branches/0.4/authkit/authenticate/form.py (modified) (2 diffs)
• AuthKit/branches/0.4/authkit/authenticate/multi.py (modified) (5 diffs)
• AuthKit/branches/0.4/authkit/authenticate/passurl.py (modified) (2 diffs)
• AuthKit/branches/0.4/authkit/permissions.py (modified) (6 diffs)
• AuthKit/branches/0.4/authkit/users (added)
• AuthKit/branches/0.4/authkit/users.py (deleted)
• AuthKit/branches/0.4/authkit/users/__init__.py (added)
• AuthKit/branches/0.4/examples/user (added)
• AuthKit/branches/0.4/examples/user/database (added)
• AuthKit/branches/0.4/examples/user/database/README.txt (added)
• AuthKit/branches/0.4/examples/user/database/app.py (added)
• AuthKit/branches/0.4/examples/user/database/create.py (added)
• AuthKit/branches/0.4/examples/user/database/model.py (added)
• AuthKit/branches/0.4/test/test.py (modified) (2 diffs)

AuthKit/branches/0.4/README.txt

@@ -3 +3 @@
-
-WARNING: THIS CODE IS NOT PRODUCTION READY
+
+Need Testing
+============
+
+* Intercept code with redirect, passurl and forward
-
-Changes

AuthKit/branches/0.4/authkit/authenticate/__init__.py

@@ -229 +229 @@
-    how to create your own ``Users`` objects.
-    """
-    
-    if not environ.has_key('authkit.users'):
-        raise no_authkit_users_in_environ
-    users = environ['authkit.users']
-
+
+
+
-        return True
-    return False
@@ -255 +256 @@
-    Only required if you intend to use HTTP digest authentication.
-    """
-    #import authkit.authenticate.digest
-    if not environ.has_key('authkit.users'):
-        raise no_authkit_users_in_environ
-    users = environ['authkit.users']
-passwords.has_key(username.lower()
-passwords[username.lower()
+user_exists(username
+user(username)['password'
-        return digest.digest_password(realm, username, password)
-    # After speaking to Clark Evans who wrote the origianl code, this is the correct thing:
-    return None
-
-#def load_cookie_middleware(app, final, prefix):
-#    """
-#    Various AuthKit authenticate mathods such as ``form`` and ``passurl`` use a
-#    cookie. Their cookie support is based on the
-#    ``authkit.authenticate.auth_tkt`` middleware.  This utility function reads
-#    the cookie config options and returns the correctly configured cookie
-#    middleware automatically, reducing duplication in the code.
-#    """
-#    from paste.deploy.converters import asbool
-#    from authkit.authenticate.auth_tkt import AuthKitCookieMiddleware
-#    params = {
-#        'secret':_get_value(final, 'cookie_secret', prefix), 
-#    }
-#    for param in [
-#        ['cookie_name','cookie_name'], 
-#        ['cookie_includeip', 'include_ip'],
-#        ['cookie_signout', 'logout_path'],
-#        ['cookie_enforce', 'cookie_enforce'],
-#    ]:
-#        if param[0] in final:
-#            params[param[1]] = final[param[0]]
-#    cookie_params = {}
-#    if final.has_key('cookie_params'):
-#        data = _get_value(final, 'cookie_params', prefix)
-#        if isinstance(data, str):
-#            lines = data.replace('\r\n','\n').replace('\r','\n').split('\n')
-#            for line in lines:
-#                if line.strip():
-#                    parts = line.strip().split(':')
-#                    name = parts[0].strip().lower()
-#                    if name in [
-#                        'expires',  
-#                        'path', 
-#                        'comment', 
-#                        'domain',
-#                        'max-age',
-#                        'secure',
-#                        'version',
-#                    ]:
-#                        cookie_params[name] = ':'.join(parts[1:]).strip()
-#                    else:
-#                        raise AuthKitConfigError('Invalid cookie parameter %r'%name)
-#        elif isinstance(data, dict):
-#            cookie_params = data.copy()
-#        else:
-#            raise AuthKitConfigError("Expected a string or dictionary for authkit.cookie_params")
-#   # raise Exception(params)
-#    if params.has_key('include_ip'):
-#        params['include_ip'] = asbool(params['include_ip'])
-#    app = AuthKitCookieMiddleware(app, cookie_params=cookie_params, **params)
-#    return app
-
-def get_authenticate_function(app, authenticate_conf, format, prefix):
-    """
@@ -324 +272 @@
-    """
-    function = None
+    users = None
-    if len(authenticate_conf) < 1:
-        raise AuthKitConfigError('Expected at least one authenticate key, not %r'%authenticate_conf)
@@ -349 +298 @@
-            else:
-                raise Exception('Invalid format for authenticate function %r'%format)
-
+, users
-
-def get_template(template_conf, prefix):

AuthKit/branches/0.4/authkit/authenticate/auth_tkt.py

@@ -322 +322 @@
-                return [msg]
-            try:
-
-
+
-                timestamp, userid, tokens, user_data = parse_ticket(
-                    self.secret, cookie_value, remote_addr)

AuthKit/branches/0.4/authkit/authenticate/basic.py

@@ -4 +4 @@
-This implementation is identical to the `paste.auth.basic
-<http://pythonpaste.org/module-paste.auth.basic.html>`_ implemenation.
+
+
+Note:: If users are prompted to sign in this also seems to have the effect of
+    signing them out.
+
-"""
-#from paste.auth.basic import middleware
@@ -93 +98 @@
-
-    def __call__(self, environ, start_response):
-
-
+
+
+
+
+
+
+
-
-middleware = AuthBasicHandler
-
-class TryToAddUsername:
-
+, users
-        self.application = application
+        self.users = users
-        self.authenticate = AuthBasicAuthenticator(realm, authfunc)
-
-    def __call__(self, environ, start_response):
+        environ['authkit.users'] = self.users
-        result = self.authenticate(environ)
-        if isinstance(result, str):
@@ -121 +133 @@
-):
-    authenticate_conf = strip_base(auth_conf, 'authenticate.')
-
+, users
-        app, 
-        authenticate_conf, 
@@ -132 +144 @@
-    app.add_method('basic', middleware, auth_conf['realm'], authfunc)
-    app.add_checker('basic', status_checker)
-
+, users
-    return app
-

AuthKit/branches/0.4/authkit/authenticate/digest.py

@@ -4 +4 @@
-This implementation is identical to the `paste.auth.digest
-<http://pythonpaste.org/module-paste.auth.digest.html>`_ implemenation.
+
+Note:: If users are prompted to sign in this also seems to have the effect of
+    signing them out.
-"""
-
@@ -178 +181 @@
-        
-    def __call__(self, environ, start_response):
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
-        
-class TryToAddUsername:
-
+, users
-        self.application = application
+        self.users = users
-        self.authenticate = AuthDigestAuthenticator(realm, authfunc)
-
-    def __call__(self, environ, start_response):
+        environ['authkit.users'] = self.users
-        method = REQUEST_METHOD(environ)
-        fullpath = SCRIPT_NAME(environ) + PATH_INFO(environ)
@@ -213 +223 @@
-):
-    authenticate_conf = strip_base(auth_conf, 'authenticate.')
-
+, users
-        app, 
-        authenticate_conf, 
@@ -224 +234 @@
-    app.add_method('digest', middleware, auth_conf['realm'], authfunc)
-    app.add_checker('digest', status_checker)
-
+, users
-    return app
-

AuthKit/branches/0.4/authkit/authenticate/form.py

@@ -43 +43 @@
-        
-    def __call__(self, environ, start_response):
+        # Shouldn't ever allow a response if this is called via the multi handler
-        username = environ.get('REMOTE_USER','')
-        if username:
-            return self.application(environ, start_response)
-
-        if 'POST' == environ['REQUEST_METHOD']:
-            formvars = parse_formvars(environ, include_get_vars=False)
@@ -85 +83 @@
-        template_ = template
-    authenticate_conf = strip_base(auth_conf, 'authenticate.')
-
+, users
-        app, 
-        authenticate_conf, 

AuthKit/branches/0.4/authkit/authenticate/multi.py

@@ -5 +5 @@
-
-from paste.auth import multi
+import logging
+
+log = logging.getLogger('authkit.authenticate.multi')
-
-class NoBindingFoundError(Exception):
@@ -30 +33 @@
-                status_.append(status)
-                headers_.append(headers)
-
+
+
-            return self.default(environ, find)
-
+        def logging_start_response(status, headers, exc_info=None):
+            log.debug("Matched binding returns status: %r, headers: %r, exc_info: %r", status, headers, exc_info)
+            return start_response(status, headers, exc_info)
+            
-        def check():
-            for (checker,binding) in self.predicate:
-                if checker(environ):
-
+
+
+
-            for (checker,binding) in self.checker:
-                if not len(status_):
@@ -43 +53 @@
-                    raise Exception('No headers were returned by the application')
-                if checker(environ, status_[0], headers_ and headers_[0] or []):
-
+
+
+
-            raise NoBindingFoundError('Check failed')
-
+    
-        checked = False
-        f = []
@@ -58 +70 @@
-                        result = check()
-                    except NoBindingFoundError, e:
+                        log.debug("MutliMiddleware: No binding was found for the check")
-                        start_response(status_[0], headers_ and headers_[0] or [], exc_info_[0])
-                    else:
+                        # Commented out because it could create huge logs very quickly!
+                        log.debug("Binding matched, returning result %r", result)
-                        return result
-                f.append(data)
@@ -65 +80 @@
-            app_iter.close()
-        return f                    
-#
-#class ChangeTo401:
-#    def __init__(self, app, catch=[], exclude=[]):
-#        self.app = app
-#        ex = []
-#        for e in exclude:
-#            e_ = str(e).strip()
-#            if str(e_) in ['401','*']:
-#                raise AuthKitConfigError('You cannot exclude %s since this would disable the authkit middleware'%e_)
-#            ex.append(e_)
-#        self.catch = []
-#        for c in catch:
-#            ch = str(c).strip()
-#            if ch not in ex:
-#                self.catch.append(ch)
-#        
-#    def __call__(self, environ, start_response):
-#        def authkit_start_response(status, headers, exc_info=None):
-#            if '*' in self.catch:
-#                status = '401 Please sign in'
-#            else:
-#                for code in self.catch:
-#                    if str(code) == status[:3]:
-#                        status = '401 Please sign in'
-#            return start_response(status, headers, exc_info)
-#        return self.app(environ, authkit_start_response)
-
-def status_checker(environ, status, headers):
-
+
+
+
-        return True
+    log.debug("Status checker returns False")
-    return False

AuthKit/branches/0.4/authkit/authenticate/passurl.py

@@ -121 +121 @@
-        raise Exception("Invalid store type %r"%store)
-    return conn, cstore
-    
-    
-class AuthOpenIDHandler:
@@ -176 +175 @@
-
-    def verify(self, environ, start_response):
-   
+    
-        baseurl = self.baseurl or construct_url(environ, with_query_string=False, with_path_info=False)
-        params = dict(paste.request.parse_formvars(environ))

AuthKit/branches/0.4/authkit/permissions.py

@@ -52 +52 @@
-   """
-
-
+self, 
-        return app(environ, start_response)
-
@@ -189 +189 @@
-        In this implementation role names are case insensitive.
-        """
+        if not environ.has_key('authkit.users'):
+            raise no_authkit_users_in_environ
-        if not environ.has_key('REMOTE_USER'):
-            if self.error: 
-                raise self.error
-            raise NotAuthenticatedError('Not authenticated')
-            
-        if not environ.has_key('authkit.users'):
-            raise no_authkit_users_in_environ
-        users = environ['authkit.users']
-
-
+
-            raise NotAuthorizedError('No such user')
-
-
-
-
-
-
-
-
+
+
+
+
+
-            for role in self.roles:
-
+
+
+
+
+
+
+
+
+
-                    return app(environ, start_response)
-            if self.error:
@@ -215 +218 @@
-            else:
-                raise NotAuthorizedError("User doesn't have any of the specified roles")
-        else:
-            for role in self.roles:
-                if role.lower() not in users.roles[environ['REMOTE_USER']]:
-                    if self.error:
-                        raise self.error
-                    else:
-                        raise NotAuthorizedError("User doesn't have the role %s"%role.lower())
-            return app(environ, start_response)
-
-    
-class HasAuthKitGroup(RequestPermission):
@@ -246 +240 @@
-        In this implementation group names are case insensitive.
-        """
+        if not environ.has_key('authkit.users'):
+            raise no_authkit_users_in_environ
-        if not environ.has_key('REMOTE_USER'):
-            if self.error: 
-                raise self.error
-            raise NotAuthenticatedError('Not authenticated')
-            
-        if not environ.has_key('authkit.users'):
-            raise no_authkit_users_in_environ
-        users = environ['authkit.users']
-
+
+
+
+
+
+
+
-            raise NotAuthorizedError('No such user')
-        if not users.groups.has_key(environ['REMOTE_USER']) and self.groups == None:
-            return app(environ, start_response)
-        elif self.groups == None:
-            if self.error:
-                raise self.error
-            else:
-                raise NotAuthorizedError("User is not a member of any group")
-        for group in self.groups:
-groups[environ['REMOTE_USER']] == group.lower(
+user_has_group(environ['REMOTE_USER'], group
-                return app(environ, start_response)
-        if self.error:
@@ -270 +262 @@
-        else:
-            raise NotAuthorizedError("User is not a member of the specified group(s) %r"%self.groups)
-
+
-class ValidAuthKitUser(UserIn):
-    """
@@ -279 +271 @@
-        pass
-    
-
+self, app, 
-        if not environ.has_key('authkit.users'):
-            raise no_authkit_users_in_environ
-
-
-
+
+
+
+
+

AuthKit/branches/0.4/test/test.py

@@ -52 +52 @@
-        assert 'You Have Access To This Page.' in res
-
+def test_intercept():
+    # XXX Note, these tests don't test when the inclusion of a username and only test form
+    # should also test all the other methods too for correct behaviour
+    def sample_app(environ, start_response):
+        if environ.get('PATH_INFO') == '/403':
+            start_response('403 Forbidden', [('Content-type', 'text/plain')])
+            return ['Access denied']
+        elif environ.get('PATH_INFO') == '/401':
+            start_response('401 Unauth', [('Content-type', 'text/plain')])
+            return ['Not Authed']
+        elif environ.get('PATH_INFO') == '/702':
+            start_response('702 Doesnt exist', [('Content-type', 'text/plain')])
+            return ['Access denied']
+        elif environ.get('PATH_INFO') == '/500':
+            start_response('500 Error', [('Content-type', 'text/plain')])
+            return ['Error']
+
+    app = middleware(
+        sample_app,
+        setup_method='form,cookie',
+        cookie_secret='secret encryption string',
+        form_authenticate_user_data = """
+            Username1:password1
+            username2:password2
+        """,
+        cookie_signoutpath = '/signout',
+        setup_intercept = "403, 702",
+    )
+    res = TestApp(app).get('/403', status=401)
+    assertEqual(res.header('content-type'), 'text/html')
+    # XXX Should this keep the original status code or not?
+    assertEqual(res.full_status, '401 Unauthorized')
+    assert 'Please Sign In' in res
+
+    res = TestApp(app).get('/702', status=401)
+    assertEqual(res.header('content-type'), 'text/html')
+    # XXX Should this keep the original status code or not?
+    assertEqual(res.full_status, '401 Unauthorized')
+    assert 'Please Sign In' in res
+
+    res = TestApp(app).get('/500', status=500)
+    assertEqual(res.header('content-type'), 'text/plain')
+    assertEqual(res.full_status, '500 Error')
+    assert 'Error' in res
+    
+    res = TestApp(app).get('/401', status=401)
+    assertEqual(res.header('content-type'), 'text/plain')
+    assertEqual(res.full_status, '401 Unauth')
+    assert 'Not Authed' in res
+    
-def test_fail():
-    for app in [basic_app, digest_app]:
@@ -90 +140 @@
-        os.remove("test/mydb.db")
-    import test_model
-
+.database
-    
-