RedHatTraining/pyramid.git

Merge pull request #3387 from mmerickel/src-folder-refactor

Michael Merickel

2018-10-15 81576ee51564c49d5ff3c1c07f214f22a8438231

commit \| author \| age
201596	1	import binascii
423b85	2	from codecs import utf_8_decode
CM	3	from codecs import utf_8_encode
693cb0	4	from collections import namedtuple
801adf	5	import hashlib
8e606d	6	import base64
69869e	7	import re
bd0c7a	8	import time as time_mod
cf428a	9	import warnings
fcc272	10
3b7334	11	from zope.interface import implementer
e6c2d2	12
767e44	13	from webob.cookies import CookieProfile
CM	14
0c1c39	15	from pyramid.compat import (
CM	16	long,
	17	text_type,
	18	binary_type,
	19	url_unquote,
	20	url_quote,
	21	bytes_,
	22	ascii_native_,
767e44	23	native_,
0c1c39	24	)
fcc272	25
0c1c39	26	from pyramid.interfaces import (
CM	27	IAuthenticationPolicy,
	28	IDebugLogger,
	29	)
423b85	30
0c1c39	31	from pyramid.security import (
CM	32	Authenticated,
	33	Everyone,
	34	)
69869e	35
13906d	36	from pyramid.util import strings_differ
52fde9	37	from pyramid.util import SimpleSerializer
13906d	38
69869e	39	VALID_TOKEN = re.compile(r"^[A-Za-z][A-Za-z0-9+_-]*$")
a1a9fb	40
25c64c	41
fcc272	42	class CallbackAuthenticationPolicy(object):
CM	43	""" Abstract class """
449287	44
CM	45	debug = False
	46	callback = None
	47
	48	def _log(self, msg, methodname, request):
	49	logger = request.registry.queryUtility(IDebugLogger)
	50	if logger:
	51	cls = self.__class__
	52	classname = cls.__module__ + '.' + cls.__name__
	53	methodname = classname + '.' + methodname
	54	logger.debug(methodname + ': ' + msg)
	55
07c9ee	56	def _clean_principal(self, princid):
CM	57	if princid in (Authenticated, Everyone):
	58	princid = None
	59	return princid
	60
7ec9e7	61	def authenticated_userid(self, request):
41b7db	62	""" Return the authenticated userid or ``None``.
MM	63
	64	If no callback is registered, this will be the same as
	65	``unauthenticated_userid``.
	66
	67	If a ``callback`` is registered, this will return the userid if
	68	and only if the callback returns a value that is not ``None``.
	69
	70	"""
449287	71	debug = self.debug
2526d8	72	userid = self.unauthenticated_userid(request)
fcc272	73	if userid is None:
449287	74	debug and self._log(
CM	75	'call to unauthenticated_userid returned None; returning None',
	76	'authenticated_userid',
	77	request)
fcc272	78	return None
07c9ee	79	if self._clean_principal(userid) is None:
CM	80	debug and self._log(
	81	('use of userid %r is disallowed by any built-in Pyramid '
	82	'security policy, returning None' % userid),
25c64c	83	'authenticated_userid',
07c9ee	84	request)
CM	85	return None
25c64c	86
fcc272	87	if self.callback is None:
449287	88	debug and self._log(
CM	89	'there was no groupfinder callback; returning %r' % (userid,),
	90	'authenticated_userid',
	91	request)
fcc272	92	return userid
449287	93	callback_ok = self.callback(userid, request)
CM	94	if callback_ok is not None: # is not None!
	95	debug and self._log(
	96	'groupfinder callback returned %r; returning %r' % (
	97	callback_ok, userid),
	98	'authenticated_userid',
	99	request
	100	)
fcc272	101	return userid
449287	102	debug and self._log(
CM	103	'groupfinder callback returned None; returning None',
	104	'authenticated_userid',
	105	request
	106	)
fcc272	107
7ec9e7	108	def effective_principals(self, request):
41b7db	109	""" A list of effective principals derived from request.
MM	110
	111	This will return a list of principals including, at least,
	112	:data:`pyramid.security.Everyone`. If there is no authenticated
	113	userid, or the ``callback`` returns ``None``, this will be the
	114	only principal:
	115
	116	.. code-block:: python
	117
	118	return [Everyone]
	119
	120	If the ``callback`` does not return ``None`` and an authenticated
	121	userid is found, then the principals will include
	122	:data:`pyramid.security.Authenticated`, the ``authenticated_userid``
	123	and the list of principals returned by the ``callback``:
	124
	125	.. code-block:: python
	126
	127	extra_principals = callback(userid, request)
	128	return [Everyone, Authenticated, userid] + extra_principals
	129
	130	"""
449287	131	debug = self.debug
fcc272	132	effective_principals = [Everyone]
2526d8	133	userid = self.unauthenticated_userid(request)
07c9ee	134
fcc272	135	if userid is None:
449287	136	debug and self._log(
2220a3	137	'unauthenticated_userid returned %r; returning %r' % (
449287	138	userid, effective_principals),
CM	139	'effective_principals',
	140	request
	141	)
fcc272	142	return effective_principals
07c9ee	143
CM	144	if self._clean_principal(userid) is None:
	145	debug and self._log(
	146	('unauthenticated_userid returned disallowed %r; returning %r '
	147	'as if it was None' % (userid, effective_principals)),
	148	'effective_principals',
	149	request
	150	)
	151	return effective_principals
25c64c	152
fcc272	153	if self.callback is None:
449287	154	debug and self._log(
CM	155	'groupfinder callback is None, so groups is []',
	156	'effective_principals',
	157	request)
fcc272	158	groups = []
CM	159	else:
dba59c	160	groups = self.callback(userid, request)
449287	161	debug and self._log(
CM	162	'groupfinder callback returned %r as groups' % (groups,),
	163	'effective_principals',
	164	request)
07c9ee	165
fcc272	166	if groups is None: # is None!
449287	167	debug and self._log(
CM	168	'returning effective principals: %r' % (
	169	effective_principals,),
	170	'effective_principals',
	171	request
	172	)
fcc272	173	return effective_principals
449287	174
fcc272	175	effective_principals.append(Authenticated)
CM	176	effective_principals.append(userid)
	177	effective_principals.extend(groups)
	178
449287	179	debug and self._log(
CM	180	'returning effective principals: %r' % (
	181	effective_principals,),
	182	'effective_principals',
	183	request
25c64c	184	)
fcc272	185	return effective_principals
25c64c	186
fcc272	187
3b7334	188	@implementer(IAuthenticationPolicy)
fcc272	189	class RepozeWho1AuthenticationPolicy(CallbackAuthenticationPolicy):
fd5ae9	190	""" A :app:`Pyramid` :term:`authentication policy` which
0a5df6	191	obtains data from the :mod:`repoze.who` 1.X WSGI 'API' (the
CM	192	``repoze.who.identity`` key in the WSGI environment).
fcc272	193
CM	194	Constructor Arguments
	195
	196	``identifier_name``
	197
0a5df6	198	Default: ``auth_tkt``. The :mod:`repoze.who` plugin name that
CM	199	performs remember/forget. Optional.
fcc272	200
CM	201	``callback``
	202
83c8ef	203	Default: ``None``. A callback passed the :mod:`repoze.who` identity
CM	204	and the :term:`request`, expected to return ``None`` if the user
	205	represented by the identity doesn't exist or a sequence of principal
	206	identifiers (possibly empty) representing groups if the user does
	207	exist. If ``callback`` is None, the userid will be assumed to exist
	208	with no group principals.
d2973d	209
CM	210	Objects of this class implement the interface described by
	211	:class:`pyramid.interfaces.IAuthenticationPolicy`.
fcc272	212	"""
CM	213
	214	def __init__(self, identifier_name='auth_tkt', callback=None):
	215	self.identifier_name = identifier_name
	216	self.callback = callback
a1a9fb	217
CM	218	def _get_identity(self, request):
	219	return request.environ.get('repoze.who.identity')
	220
	221	def _get_identifier(self, request):
	222	plugins = request.environ.get('repoze.who.plugins')
	223	if plugins is None:
	224	return None
	225	identifier = plugins[self.identifier_name]
	226	return identifier
	227
7ec9e7	228	def authenticated_userid(self, request):
41b7db	229	""" Return the authenticated userid or ``None``.
MM	230
	231	If no callback is registered, this will be the same as
	232	``unauthenticated_userid``.
	233
	234	If a ``callback`` is registered, this will return the userid if
	235	and only if the callback returns a value that is not ``None``.
	236
	237	"""
a1a9fb	238	identity = self._get_identity(request)
07c9ee	239
a1a9fb	240	if identity is None:
07c9ee	241	self.debug and self._log(
CM	242	'repoze.who identity is None, returning None',
	243	'authenticated_userid',
	244	request)
a1a9fb	245	return None
07c9ee	246
CM	247	userid = identity['repoze.who.userid']
	248
	249	if userid is None:
	250	self.debug and self._log(
	251	'repoze.who.userid is None, returning None' % userid,
	252	'authenticated_userid',
	253	request)
	254	return None
25c64c	255
07c9ee	256	if self._clean_principal(userid) is None:
CM	257	self.debug and self._log(
	258	('use of userid %r is disallowed by any built-in Pyramid '
	259	'security policy, returning None' % userid),
	260	'authenticated_userid',
	261	request)
	262	return None
	263
fcc272	264	if self.callback is None:
07c9ee	265	return userid
CM	266
dba59c	267	if self.callback(identity, request) is not None: # is not None!
07c9ee	268	return userid
a1a9fb	269
2526d8	270	def unauthenticated_userid(self, request):
41b7db	271	""" Return the ``repoze.who.userid`` key from the detected identity."""
2526d8	272	identity = self._get_identity(request)
CM	273	if identity is None:
	274	return None
	275	return identity['repoze.who.userid']
	276
7ec9e7	277	def effective_principals(self, request):
41b7db	278	""" A list of effective principals derived from the identity.
MM	279
	280	This will return a list of principals including, at least,
	281	:data:`pyramid.security.Everyone`. If there is no identity, or
	282	the ``callback`` returns ``None``, this will be the only principal.
	283
	284	If the ``callback`` does not return ``None`` and an identity is
	285	found, then the principals will include
	286	:data:`pyramid.security.Authenticated`, the ``authenticated_userid``
	287	and the list of principals returned by the ``callback``.
	288
	289	"""
a1a9fb	290	effective_principals = [Everyone]
CM	291	identity = self._get_identity(request)
07c9ee	292
a1a9fb	293	if identity is None:
07c9ee	294	self.debug and self._log(
CM	295	('repoze.who identity was None; returning %r' %
	296	effective_principals),
	297	'effective_principals',
	298	request
	299	)
a1a9fb	300	return effective_principals
07c9ee	301
fcc272	302	if self.callback is None:
CM	303	groups = []
	304	else:
dba59c	305	groups = self.callback(identity, request)
07c9ee	306
fcc272	307	if groups is None: # is None!
07c9ee	308	self.debug and self._log(
CM	309	('security policy groups callback returned None; returning %r' %
	310	effective_principals),
	311	'effective_principals',
	312	request
	313	)
fcc272	314	return effective_principals
07c9ee	315
a1a9fb	316	userid = identity['repoze.who.userid']
07c9ee	317
CM	318	if userid is None:
	319	self.debug and self._log(
	320	('repoze.who.userid was None; returning %r' %
	321	effective_principals),
	322	'effective_principals',
	323	request
	324	)
	325	return effective_principals
	326
	327	if self._clean_principal(userid) is None:
	328	self.debug and self._log(
	329	('unauthenticated_userid returned disallowed %r; returning %r '
	330	'as if it was None' % (userid, effective_principals)),
	331	'effective_principals',
	332	request
	333	)
	334	return effective_principals
	335
fcc272	336	effective_principals.append(Authenticated)
a1a9fb	337	effective_principals.append(userid)
CM	338	effective_principals.extend(groups)
	339	return effective_principals
	340
c7afe4	341	def remember(self, request, userid, **kw):
KOP	342	""" Store the ``userid`` as ``repoze.who.userid``.
25c64c	343
76144d	344	The identity to authenticated to :mod:`repoze.who`
c7afe4	345	will contain the given userid as ``userid``, and
76144d	346	provide all keyword arguments as additional identity
RB	347	keys. Useful keys could be ``max_age`` or ``userdata``.
	348	"""
a1a9fb	349	identifier = self._get_identifier(request)
CM	350	if identifier is None:
	351	return []
	352	environ = request.environ
76144d	353	identity = kw
c7afe4	354	identity['repoze.who.userid'] = userid
a1a9fb	355	return identifier.remember(environ, identity)
CM	356
7ec9e7	357	def forget(self, request):
41b7db	358	""" Forget the current authenticated user.
MM	359
	360	Return headers that, if included in a response, will delete the
	361	cookie responsible for tracking the current user.
	362
	363	"""
a1a9fb	364	identifier = self._get_identifier(request)
CM	365	if identifier is None:
	366	return []
	367	identity = self._get_identity(request)
	368	return identifier.forget(request.environ, identity)
fcc272	369
3b7334	370	@implementer(IAuthenticationPolicy)
fcc272	371	class RemoteUserAuthenticationPolicy(CallbackAuthenticationPolicy):
fd5ae9	372	""" A :app:`Pyramid` :term:`authentication policy` which
0a5df6	373	obtains data from the ``REMOTE_USER`` WSGI environment variable.
fcc272	374
CM	375	Constructor Arguments
	376
	377	``environ_key``
	378
	379	Default: ``REMOTE_USER``. The key in the WSGI environ which
	380	provides the userid.
	381
	382	``callback``
	383
dba59c	384	Default: ``None``. A callback passed the userid and the request,
83c8ef	385	expected to return None if the userid doesn't exist or a sequence of
CM	386	principal identifiers (possibly empty) representing groups if the
	387	user does exist. If ``callback`` is None, the userid will be assumed
	388	to exist with no group principals.
d2973d	389
449287	390	``debug``
CM	391
	392	Default: ``False``. If ``debug`` is ``True``, log messages to the
	393	Pyramid debug logger about the results of various authentication
	394	steps. The output from debugging is useful for reporting to maillist
	395	or IRC channels when asking for support.
	396
d2973d	397	Objects of this class implement the interface described by
CM	398	:class:`pyramid.interfaces.IAuthenticationPolicy`.
fcc272	399	"""
a1a9fb	400
449287	401	def __init__(self, environ_key='REMOTE_USER', callback=None, debug=False):
fcc272	402	self.environ_key = environ_key
CM	403	self.callback = callback
449287	404	self.debug = debug
a1a9fb	405
2526d8	406	def unauthenticated_userid(self, request):
41b7db	407	""" The ``REMOTE_USER`` value found within the ``environ``."""
fcc272	408	return request.environ.get(self.environ_key)
a1a9fb	409
c7afe4	410	def remember(self, request, userid, **kw):
41b7db	411	""" A no-op. The ``REMOTE_USER`` does not provide a protocol for
MM	412	remembering the user. This will be application-specific and can
	413	be done somewhere else or in a subclass."""
a1a9fb	414	return []
CM	415
7ec9e7	416	def forget(self, request):
41b7db	417	""" A no-op. The ``REMOTE_USER`` does not provide a protocol for
MM	418	forgetting the user. This will be application-specific and can
	419	be done somewhere else or in a subclass."""
a1a9fb	420	return []
fcc272	421
19b820	422	@implementer(IAuthenticationPolicy)
MM	423	class AuthTktAuthenticationPolicy(CallbackAuthenticationPolicy):
048754	424	"""A :app:`Pyramid` :term:`authentication policy` which
049d0d	425	obtains data from a Pyramid "auth ticket" cookie.
19b820	426
fcc272	427	Constructor Arguments
CM	428
	429	``secret``
	430
e521f1	431	The secret (a string) used for auth_tkt cookie signing. This value
CM	432	should be unique across all values provided to Pyramid for various
	433	subsystem secrets (see :ref:`admonishment_against_secret_sharing`).
fcc272	434	Required.
CM	435
	436	``callback``
	437
8b1f6e	438	Default: ``None``. A callback passed the userid and the
CM	439	request, expected to return ``None`` if the userid doesn't
0ec72c	440	exist or a sequence of principal identifiers (possibly empty) if
8b1f6e	441	the user does exist. If ``callback`` is ``None``, the userid
0ec72c	442	will be assumed to exist with no principals. Optional.
fcc272	443
CM	444	``cookie_name``
	445
968f46	446	Default: ``auth_tkt``. The cookie name used
fcc272	447	(string). Optional.
CM	448
	449	``secure``
	450
	451	Default: ``False``. Only send the cookie back over a secure
	452	conn. Optional.
	453
	454	``include_ip``
	455
	456	Default: ``False``. Make the requesting IP address part of
	457	the authentication data in the cookie. Optional.
	458
50e1a3	459	For IPv6 this option is not recommended. The ``mod_auth_tkt``
MM	460	specification does not specify how to handle IPv6 addresses, so using
	461	this option in combination with IPv6 addresses may cause an
	462	incompatible cookie. It ties the authentication ticket to that
	463	individual's IPv6 address.
918c9d	464
3ea1ed	465	``timeout``
CM	466
b955cc	467	Default: ``None``. Maximum number of seconds which a newly
CM	468	issued ticket will be considered valid. After this amount of
	469	time, the ticket will expire (effectively logging the user
	470	out). If this value is ``None``, the ticket never expires.
839ea0	471	Optional.
3ea1ed	472
CM	473	``reissue_time``
	474
474df5	475	Default: ``None``. If this parameter is set, it represents the number
CM	476	of seconds that must pass before an authentication token cookie is
	477	automatically reissued as the result of a request which requires
	478	authentication. The duration is measured as the number of seconds
	479	since the last auth_tkt cookie was issued and 'now'. If this value is
	480	``0``, a new ticket cookie will be reissued on every request which
	481	requires authentication.
	482
	483	A good rule of thumb: if you want auto-expired cookies based on
	484	inactivity: set the ``timeout`` value to 1200 (20 mins) and set the
	485	``reissue_time`` value to perhaps a tenth of the ``timeout`` value
	486	(120 or 2 mins). It's nonsensical to set the ``timeout`` value lower
	487	than the ``reissue_time`` value, as the ticket will never be reissued
	488	if so. However, such a configuration is not explicitly prevented.
	489
	490	Optional.
839ea0	491
CM	492	``max_age``
	493
0a5df6	494	Default: ``None``. The max age of the auth_tkt cookie, in
CM	495	seconds. This differs from ``timeout`` inasmuch as ``timeout``
	496	represents the lifetime of the ticket contained in the cookie,
	497	while this value represents the lifetime of the cookie itself.
	498	When this value is set, the cookie's ``Max-Age`` and
	499	``Expires`` settings will be set, allowing the auth_tkt cookie
b74cd4	500	to last between browser sessions. It is typically nonsensical
0a5df6	501	to set this to a value that is lower than ``timeout`` or
CM	502	``reissue_time``, although it is not explicitly prevented.
	503	Optional.
5ba063	504
CM	505	``path``
201596	506
5ba063	507	Default: ``/``. The path for which the auth_tkt cookie is valid.
CM	508	May be desirable if the application only serves part of a domain.
	509	Optional.
201596	510
5ba063	511	``http_only``
201596	512
5ba063	513	Default: ``False``. Hide cookie from JavaScript by setting the
CM	514	HttpOnly flag. Not honored by all browsers.
	515	Optional.
3dc86f	516
MM	517	``wild_domain``
	518
	519	Default: ``True``. An auth_tkt cookie will be generated for the
188aa7	520	wildcard domain. If your site is hosted as ``example.com`` this
WA	521	will make the cookie available for sites underneath ``example.com``
	522	such as ``www.example.com``.
3dc86f	523	Optional.
188aa7	524
WA	525	``parent_domain``
	526
	527	Default: ``False``. An auth_tkt cookie will be generated for the
	528	parent domain of the current site. For example if your site is
	529	hosted under ``www.example.com`` a cookie will be generated for
	530	``.example.com``. This can be useful if you have multiple sites
	531	sharing the same domain. This option supercedes the ``wild_domain``
	532	option.
	533	Optional.
	534
a1f768	535	``domain``
WA	536
	537	Default: ``None``. If provided the auth_tkt cookie will only be
	538	set for this domain. This option is not compatible with ``wild_domain``
	539	and ``parent_domain``.
	540	Optional.
	541
19b820	542	``hashalg``
MM	543
2e05d1	544	Default: ``sha512`` (the literal string).
19b820	545
MM	546	Any hash algorithm supported by Python's ``hashlib.new()`` function
	547	can be used as the ``hashalg``.
	548
bba64b	549	Cookies generated by different instances of AuthTktAuthenticationPolicy
CM	550	using different ``hashalg`` options are not compatible. Switching the
	551	``hashalg`` will imply that all existing users with a valid cookie will
	552	be required to re-login.
19b820	553
MM	554	Optional.
	555
449287	556	``debug``
CM	557
	558	Default: ``False``. If ``debug`` is ``True``, log messages to the
	559	Pyramid debug logger about the results of various authentication
	560	steps. The output from debugging is useful for reporting to maillist
	561	or IRC channels when asking for support.
	562
87771a	563	``samesite``
CM	564
	565	Default: ``'Lax'``. The 'samesite' option of the session cookie. Set
	566	the value to ``None`` to turn off the samesite option.
	567
	568	This option is available as of :app:`Pyramid` 1.10.
	569
0ad05a	570	.. versionchanged:: 1.4
CM	571
	572	Added the ``hashalg`` option, defaulting to ``sha512``.
	573
	574	.. versionchanged:: 1.5
	575
	576	Added the ``domain`` option.
	577
	578	Added the ``parent_domain`` option.
	579
	580	.. versionchanged:: 1.10
	581
	582	Added the ``samesite`` option and made the default ``'Lax'``.
	583
d2973d	584	Objects of this class implement the interface described by
CM	585	:class:`pyramid.interfaces.IAuthenticationPolicy`.
87771a	586
fcc272	587	"""
801adf	588
fcc272	589	def __init__(self,
CM	590	secret,
	591	callback=None,
968f46	592	cookie_name='auth_tkt',
fcc272	593	secure=False,
3ea1ed	594	include_ip=False,
CM	595	timeout=None,
839ea0	596	reissue_time=None,
5ba063	597	max_age=None,
CM	598	path="/",
	599	http_only=False,
77ded4	600	wild_domain=True,
449287	601	debug=False,
42764f	602	hashalg='sha512',
188aa7	603	parent_domain=False,
a1f768	604	domain=None,
87771a	605	samesite='Lax',
5ba063	606	):
fcc272	607	self.cookie = AuthTktCookieHelper(
CM	608	secret,
	609	cookie_name=cookie_name,
	610	secure=secure,
	611	include_ip=include_ip,
3ea1ed	612	timeout=timeout,
CM	613	reissue_time=reissue_time,
839ea0	614	max_age=max_age,
5ba063	615	http_only=http_only,
CM	616	path=path,
77ded4	617	wild_domain=wild_domain,
19b820	618	hashalg=hashalg,
188aa7	619	parent_domain=parent_domain,
a1f768	620	domain=domain,
87771a	621	samesite=samesite,
fcc272	622	)
CM	623	self.callback = callback
449287	624	self.debug = debug
fcc272	625
2526d8	626	def unauthenticated_userid(self, request):
41b7db	627	""" The userid key within the auth_tkt cookie."""
fcc272	628	result = self.cookie.identify(request)
CM	629	if result:
	630	return result['userid']
	631
c7afe4	632	def remember(self, request, userid, **kw):
99d77b	633	""" Accepts the following kw args: ``max_age=<int-seconds>,
41b7db	634	``tokens=<sequence-of-ascii-strings>``.
MM	635
	636	Return a list of headers which will set appropriate cookies on
	637	the response.
	638
	639	"""
c7afe4	640	return self.cookie.remember(request, userid, **kw)
fcc272	641
7ec9e7	642	def forget(self, request):
41b7db	643	""" A list of headers which will delete appropriate cookies."""
fcc272	644	return self.cookie.forget(request)
839ea0	645
CM	646	def b64encode(v):
45009c	647	return base64.b64encode(bytes_(v)).strip().replace(b'\n', b'')
839ea0	648
CM	649	def b64decode(v):
45009c	650	return base64.b64decode(bytes_(v))
839ea0	651
bd0c7a	652	# this class licensed under the MIT license (stolen from Paste)
CM	653	class AuthTicket(object):
	654	"""
	655	This class represents an authentication token. You must pass in
	656	the shared secret, the userid, and the IP address. Optionally you
	657	can include tokens (a list of strings, representing role names),
	658	'user_data', which is arbitrary data available for your own use in
	659	later scripts. Lastly, you can override the cookie name and
	660	timestamp.
	661
	662	Once you provide all the arguments, use .cookie_value() to
	663	generate the appropriate authentication ticket.
	664
455eed	665	Usage::
bd0c7a	666
455eed	667	token = AuthTicket('sharedsecret', 'username',
bd0c7a	668	os.environ['REMOTE_ADDR'], tokens=['admin'])
455eed	669	val = token.cookie_value()
bd0c7a	670
CM	671	"""
	672
	673	def __init__(self, secret, userid, ip, tokens=(), user_data='',
801adf	674	time=None, cookie_name='auth_tkt', secure=False,
DK	675	hashalg='md5'):
bd0c7a	676	self.secret = secret
CM	677	self.userid = userid
	678	self.ip = ip
	679	self.tokens = ','.join(tokens)
	680	self.user_data = user_data
	681	if time is None:
	682	self.time = time_mod.time()
	683	else:
	684	self.time = time
	685	self.cookie_name = cookie_name
	686	self.secure = secure
801adf	687	self.hashalg = hashalg
bd0c7a	688
CM	689	def digest(self):
	690	return calculate_digest(
	691	self.ip, self.time, self.secret, self.userid, self.tokens,
801adf	692	self.user_data, self.hashalg)
bd0c7a	693
CM	694	def cookie_value(self):
	695	v = '%s%08x%s!' % (self.digest(), int(self.time),
8e606d	696	url_quote(self.userid))
bd0c7a	697	if self.tokens:
CM	698	v += self.tokens + '!'
	699	v += self.user_data
	700	return v
	701
	702	# this class licensed under the MIT license (stolen from Paste)
	703	class BadTicket(Exception):
	704	"""
	705	Exception raised when a ticket can't be parsed. If we get far enough to
	706	determine what the expected digest should have been, expected is set.
	707	This should not be shown by default, but can be useful for debugging.
	708	"""
	709	def __init__(self, msg, expected=None):
	710	self.expected = expected
	711	Exception.__init__(self, msg)
	712
	713	# this function licensed under the MIT license (stolen from Paste)
048754	714	def parse_ticket(secret, ticket, ip, hashalg='md5'):
bd0c7a	715	"""
CM	716	Parse the ticket, returning (timestamp, userid, tokens, user_data).
	717
	718	If the ticket cannot be parsed, a ``BadTicket`` exception will be raised
	719	with an explanation.
	720	"""
ec5226	721	ticket = native_(ticket).strip('"')
801adf	722	digest_size = hashlib.new(hashalg).digest_size * 2
DK	723	digest = ticket[:digest_size]
bd0c7a	724	try:
801adf	725	timestamp = int(ticket[digest_size:digest_size + 8], 16)
e91639	726	except ValueError as e:
bd0c7a	727	raise BadTicket('Timestamp is not a hex integer: %s' % e)
CM	728	try:
801adf	729	userid, data = ticket[digest_size + 8:].split('!', 1)
bd0c7a	730	except ValueError:
CM	731	raise BadTicket('userid is not followed by !')
8e606d	732	userid = url_unquote(userid)
bd0c7a	733	if '!' in data:
CM	734	tokens, user_data = data.split('!', 1)
	735	else: # pragma: no cover (never generated)
	736	# @@: Is this the right order?
	737	tokens = ''
	738	user_data = data
	739
	740	expected = calculate_digest(ip, timestamp, secret,
801adf	741	userid, tokens, user_data, hashalg)
bd0c7a	742
13906d	743	# Avoid timing attacks (see
RK	744	# http://seb.dbzteam.org/crypto/python-oauth-timing-hmac.pdf)
	745	if strings_differ(expected, digest):
bd0c7a	746	raise BadTicket('Digest signature is not correct',
CM	747	expected=(expected, digest))
	748
	749	tokens = tokens.split(',')
	750
	751	return (timestamp, userid, tokens, user_data)
	752
	753	# this function licensed under the MIT license (stolen from Paste)
048754	754	def calculate_digest(ip, timestamp, secret, userid, tokens, user_data,
CM	755	hashalg='md5'):
8e606d	756	secret = bytes_(secret, 'utf-8')
CM	757	userid = bytes_(userid, 'utf-8')
	758	tokens = bytes_(tokens, 'utf-8')
	759	user_data = bytes_(user_data, 'utf-8')
801adf	760	hash_obj = hashlib.new(hashalg)
c0151a	761
BJR	762	# Check to see if this is an IPv6 address
	763	if ':' in ip:
	764	ip_timestamp = ip + str(int(timestamp))
	765	ip_timestamp = bytes_(ip_timestamp)
	766	else:
	767	# encode_ip_timestamp not required, left in for backwards compatibility
	768	ip_timestamp = encode_ip_timestamp(ip, timestamp)
	769
	770	hash_obj.update(ip_timestamp + secret + userid + b'\0' +
	771	tokens + b'\0' + user_data)
801adf	772	digest = hash_obj.hexdigest()
DK	773	hash_obj2 = hashlib.new(hashalg)
	774	hash_obj2.update(bytes_(digest) + secret)
	775	return hash_obj2.hexdigest()
bd0c7a	776
CM	777	# this function licensed under the MIT license (stolen from Paste)
	778	def encode_ip_timestamp(ip, timestamp):
	779	ip_chars = ''.join(map(chr, map(int, ip.split('.'))))
	780	t = int(timestamp)
	781	ts = ((t & 0xff000000) >> 24,
	782	(t & 0xff0000) >> 16,
	783	(t & 0xff00) >> 8,
	784	t & 0xff)
	785	ts_chars = ''.join(map(chr, ts))
45009c	786	return bytes_(ip_chars + ts_chars)
bd0c7a	787
fcc272	788	class AuthTktCookieHelper(object):
441666	789	"""
CM	790	A helper class for use in third-party authentication policy
	791	implementations. See
e1490d	792	:class:`pyramid.authentication.AuthTktAuthenticationPolicy` for the
441666	793	meanings of the constructor arguments.
CM	794	"""
bd0c7a	795	parse_ticket = staticmethod(parse_ticket) # for tests
CM	796	AuthTicket = AuthTicket # for tests
	797	BadTicket = BadTicket # for tests
e57f5c	798	now = None # for tests
839ea0	799
fcc272	800	userid_type_decoders = {
CM	801	'int':int,
839ea0	802	'unicode':lambda x: utf_8_decode(x)[0], # bw compat for old cookies
CM	803	'b64unicode': lambda x: utf_8_decode(b64decode(x))[0],
	804	'b64str': lambda x: b64decode(x),
fcc272	805	}
CM	806
	807	userid_type_encoders = {
	808	int: ('int', str),
	809	long: ('int', str),
07ee18	810	text_type: ('b64unicode', lambda x: b64encode(utf_8_encode(x)[0])),
45009c	811	binary_type: ('b64str', lambda x: b64encode(x)),
fcc272	812	}
201596	813
87771a	814	def __init__(self,
CM	815	secret,
	816	cookie_name='auth_tkt',
	817	secure=False,
	818	include_ip=False,
	819	timeout=None,
	820	reissue_time=None,
	821	max_age=None,
	822	http_only=False,
	823	path="/",
	824	wild_domain=True,
	825	hashalg='md5',
	826	parent_domain=False,
	827	domain=None,
	828	samesite='Lax',
	829	):
767e44	830
52fde9	831	serializer = SimpleSerializer()
25c64c	832
767e44	833	self.cookie_profile = CookieProfile(
25c64c	834	cookie_name=cookie_name,
JA	835	secure=secure,
	836	max_age=max_age,
	837	httponly=http_only,
	838	path=path,
87771a	839	serializer=serializer,
CM	840	samesite=samesite,
25c64c	841	)
767e44	842
fcc272	843	self.secret = secret
CM	844	self.cookie_name = cookie_name
	845	self.secure = secure
767e44	846	self.include_ip = include_ip
e2519d	847	self.timeout = timeout if timeout is None else int(timeout)
R	848	self.reissue_time = reissue_time if reissue_time is None else int(reissue_time)
	849	self.max_age = max_age if max_age is None else int(max_age)
77ded4	850	self.wild_domain = wild_domain
188aa7	851	self.parent_domain = parent_domain
a1f768	852	self.domain = domain
801adf	853	self.hashalg = hashalg
5ba063	854
767e44	855	def _get_cookies(self, request, value, max_age=None):
CM	856	cur_domain = request.domain
5ba063	857
188aa7	858	domains = []
a1f768	859	if self.domain:
WA	860	domains.append(self.domain)
188aa7	861	else:
a1f768	862	if self.parent_domain and cur_domain.count('.') > 1:
WA	863	domains.append('.' + cur_domain.split('.', 1)[1])
	864	else:
	865	domains.append(None)
	866	domains.append(cur_domain)
	867	if self.wild_domain:
	868	domains.append('.' + cur_domain)
c65b85	869
767e44	870	profile = self.cookie_profile(request)
77ded4	871
767e44	872	kw = {}
CM	873	kw['domains'] = domains
	874	if max_age is not None:
	875	kw['max_age'] = max_age
25c64c	876
767e44	877	headers = profile.get_headers(value, **kw)
CM	878	return headers
fcc272	879
839ea0	880	def identify(self, request):
441666	881	""" Return a dictionary with authentication information, or ``None``
CM	882	if no valid auth_tkt is attached to ``request``"""
839ea0	883	environ = request.environ
bd0c7a	884	cookie = request.cookies.get(self.cookie_name)
839ea0	885
bd0c7a	886	if cookie is None:
839ea0	887	return None
CM	888
	889	if self.include_ip:
	890	remote_addr = environ['REMOTE_ADDR']
	891	else:
	892	remote_addr = '0.0.0.0'
201596	893
839ea0	894	try:
bd0c7a	895	timestamp, userid, tokens, user_data = self.parse_ticket(
801adf	896	self.secret, cookie, remote_addr, self.hashalg)
bd0c7a	897	except self.BadTicket:
839ea0	898	return None
CM	899
e57f5c	900	now = self.now # service tests
CM	901
201596	902	if now is None:
bd0c7a	903	now = time_mod.time()
839ea0	904
CM	905	if self.timeout and ( (timestamp + self.timeout) < now ):
474df5	906	# the auth_tkt data has expired
839ea0	907	return None
CM	908
	909	userid_typename = 'userid_type:'
	910	user_data_info = user_data.split('\|')
	911	for datum in filter(None, user_data_info):
	912	if datum.startswith(userid_typename):
	913	userid_type = datum[len(userid_typename):]
	914	decoder = self.userid_type_decoders.get(userid_type)
	915	if decoder:
	916	userid = decoder(userid)
	917
	918	reissue = self.reissue_time is not None
6a47a0	919
CM	920	if reissue and not hasattr(request, '_authtkt_reissued'):
	921	if ( (now - timestamp) > self.reissue_time ):
ea58f2	922	# See https://github.com/Pylons/pyramid/issues#issue/108
45009c	923	tokens = list(filter(None, tokens))
cf3177	924	headers = self.remember(request, userid, max_age=self.max_age,
CM	925	tokens=tokens)
916b56	926	def reissue_authtkt(request, response):
MM	927	if not hasattr(request, '_authtkt_reissue_revoked'):
	928	for k, v in headers:
	929	response.headerlist.append((k, v))
	930	request.add_response_callback(reissue_authtkt)
839ea0	931	request._authtkt_reissued = True
CM	932
	933	environ['REMOTE_USER_TOKENS'] = tokens
	934	environ['REMOTE_USER_DATA'] = user_data
	935	environ['AUTH_TYPE'] = 'cookie'
	936
	937	identity = {}
	938	identity['timestamp'] = timestamp
	939	identity['userid'] = userid
	940	identity['tokens'] = tokens
	941	identity['userdata'] = user_data
	942	return identity
	943
fcc272	944	def forget(self, request):
441666	945	""" Return a set of expires Set-Cookie headers, which will destroy
CM	946	any existing auth_tkt cookie when attached to a response"""
916b56	947	request._authtkt_reissue_revoked = True
767e44	948	return self._get_cookies(request, None)
201596	949
17c4de	950	def remember(self, request, userid, max_age=None, tokens=()):
441666	951	""" Return a set of Set-Cookie headers; when set into a response,
e4e97b	952	these headers will represent a valid authentication ticket.
CM	953
	954	``max_age``
	955	The max age of the auth_tkt cookie, in seconds. When this value is
	956	set, the cookie's ``Max-Age`` and ``Expires`` settings will be set,
6a47a0	957	allowing the auth_tkt cookie to last between browser sessions. If
CM	958	this value is ``None``, the ``max_age`` value provided to the
	959	helper itself will be used as the ``max_age`` value. Default:
	960	``None``.
e4e97b	961
CM	962	``tokens``
	963	A sequence of strings that will be placed into the auth_tkt tokens
	964	field. Each string in the sequence must be of the Python ``str``
	965	type and must match the regex ``^[A-Za-z][A-Za-z0-9+_-]*$``.
	966	Tokens are available in the returned identity when an auth_tkt is
	967	found in the request and unpacked. Default: ``()``.
	968	"""
e2519d	969	max_age = self.max_age if max_age is None else int(max_age)
6a47a0	970
fcc272	971	environ = request.environ
839ea0	972
fcc272	973	if self.include_ip:
CM	974	remote_addr = environ['REMOTE_ADDR']
	975	else:
	976	remote_addr = '0.0.0.0'
	977
839ea0	978	user_data = ''
fcc272	979
CM	980	encoding_data = self.userid_type_encoders.get(type(userid))
6a47a0	981
fcc272	982	if encoding_data:
CM	983	encoding, encoder = encoding_data
cf428a	984	else:
BJR	985	warnings.warn(
	986	"userid is of type {}, and is not supported by the "
	987	"AuthTktAuthenticationPolicy. Explicitly converting to string "
	988	"and storing as base64. Subsequent requests will receive a "
	989	"string as the userid, it will not be decoded back to the type "
	990	"provided.".format(type(userid)), RuntimeWarning
	991	)
	992	encoding, encoder = self.userid_type_encoders.get(text_type)
	993	userid = str(userid)
	994
	995	userid = encoder(userid)
	996	user_data = 'userid_type:%s' % encoding
c3c0be	997
BS	998	new_tokens = []
69869e	999	for token in tokens:
45009c	1000	if isinstance(token, text_type):
CM	1001	try:
9f2d38	1002	token = ascii_native_(token)
45009c	1003	except UnicodeEncodeError:
CM	1004	raise ValueError("Invalid token %r" % (token,))
69869e	1005	if not (isinstance(token, str) and VALID_TOKEN.match(token)):
b05272	1006	raise ValueError("Invalid token %r" % (token,))
c3c0be	1007	new_tokens.append(token)
BS	1008	tokens = tuple(new_tokens)
69869e	1009
916b56	1010	if hasattr(request, '_authtkt_reissued'):
MM	1011	request._authtkt_reissue_revoked = True
	1012
bd0c7a	1013	ticket = self.AuthTicket(
839ea0	1014	self.secret,
CM	1015	userid,
	1016	remote_addr,
17c4de	1017	tokens=tokens,
839ea0	1018	user_data=user_data,
CM	1019	cookie_name=self.cookie_name,
801adf	1020	secure=self.secure,
048754	1021	hashalg=self.hashalg
CM	1022	)
fcc272	1023
839ea0	1024	cookie_value = ticket.cookie_value()
767e44	1025	return self._get_cookies(request, cookie_value, max_age)
ef992f	1026
3b7334	1027	@implementer(IAuthenticationPolicy)
ef992f	1028	class SessionAuthenticationPolicy(CallbackAuthenticationPolicy):
2c6582	1029	""" A :app:`Pyramid` authentication policy which gets its data from the
CM	1030	configured :term:`session`. For this authentication policy to work, you
	1031	will have to follow the instructions in the :ref:`sessions_chapter` to
	1032	configure a :term:`session factory`.
ef992f	1033
MM	1034	Constructor Arguments
	1035
	1036	``prefix``
	1037
	1038	A prefix used when storing the authentication parameters in the
	1039	session. Defaults to 'auth.'. Optional.
	1040
	1041	``callback``
	1042
	1043	Default: ``None``. A callback passed the userid and the
	1044	request, expected to return ``None`` if the userid doesn't
	1045	exist or a sequence of principal identifiers (possibly empty) if
	1046	the user does exist. If ``callback`` is ``None``, the userid
	1047	will be assumed to exist with no principals. Optional.
449287	1048
CM	1049	``debug``
	1050
	1051	Default: ``False``. If ``debug`` is ``True``, log messages to the
	1052	Pyramid debug logger about the results of various authentication
	1053	steps. The output from debugging is useful for reporting to maillist
	1054	or IRC channels when asking for support.
201596	1055
ef992f	1056	"""
MM	1057
449287	1058	def __init__(self, prefix='auth.', callback=None, debug=False):
ef992f	1059	self.callback = callback
MM	1060	self.prefix = prefix or ''
	1061	self.userid_key = prefix + 'userid'
449287	1062	self.debug = debug
ef992f	1063
c7afe4	1064	def remember(self, request, userid, **kw):
KOP	1065	""" Store a userid in the session."""
	1066	request.session[self.userid_key] = userid
ef992f	1067	return []
MM	1068
	1069	def forget(self, request):
c7afe4	1070	""" Remove the stored userid from the session."""
ef992f	1071	if self.userid_key in request.session:
MM	1072	del request.session[self.userid_key]
	1073	return []
	1074
	1075	def unauthenticated_userid(self, request):
	1076	return request.session.get(self.userid_key)
	1077
201596	1078
CR	1079	@implementer(IAuthenticationPolicy)
	1080	class BasicAuthAuthenticationPolicy(CallbackAuthenticationPolicy):
	1081	""" A :app:`Pyramid` authentication policy which uses HTTP standard basic
	1082	authentication protocol to authenticate users. To use this policy you will
	1083	need to provide a callback which checks the supplied user credentials
	1084	against your source of login data.
	1085
	1086	Constructor Arguments
	1087
	1088	``check``
	1089
	1090	A callback function passed a username, password and request, in that
	1091	order as positional arguments. Expected to return ``None`` if the
	1092	userid doesn't exist or a sequence of principal identifiers (possibly
	1093	empty) if the user does exist.
	1094
	1095	``realm``
	1096
0678de	1097	Default: ``"Realm"``. The Basic Auth Realm string. Usually displayed to
201596	1098	the user by the browser in the login dialog.
CR	1099
	1100	``debug``
	1101
	1102	Default: ``False``. If ``debug`` is ``True``, log messages to the
	1103	Pyramid debug logger about the results of various authentication
	1104	steps. The output from debugging is useful for reporting to maillist
	1105	or IRC channels when asking for support.
	1106
0678de	1107	Issuing a challenge
CR	1108
	1109	Regular browsers will not send username/password credentials unless they
	1110	first receive a challenge from the server. The following recipe will
	1111	register a view that will send a Basic Auth challenge to the user whenever
	1112	there is an attempt to call a view which results in a Forbidden response::
	1113
	1114	from pyramid.httpexceptions import HTTPUnauthorized
	1115	from pyramid.security import forget
ff9edd	1116	from pyramid.view import forbidden_view_config
0678de	1117
ff9edd	1118	@forbidden_view_config()
5067ff	1119	def forbidden_view(request):
VD	1120	if request.authenticated_userid is None:
	1121	response = HTTPUnauthorized()
	1122	response.headers.update(forget(request))
	1123	return response
	1124	return HTTPForbidden()
201596	1125	"""
CR	1126	def __init__(self, check, realm='Realm', debug=False):
	1127	self.check = check
	1128	self.realm = realm
	1129	self.debug = debug
	1130
	1131	def unauthenticated_userid(self, request):
41b7db	1132	""" The userid parsed from the ``Authorization`` request header."""
c895f8	1133	credentials = extract_http_basic_credentials(request)
201596	1134	if credentials:
cf40ff	1135	return credentials.username
201596	1136
c7afe4	1137	def remember(self, request, userid, **kw):
41b7db	1138	""" A no-op. Basic authentication does not provide a protocol for
MM	1139	remembering the user. Credentials are sent on every request.
	1140
	1141	"""
201596	1142	return []
CR	1143
	1144	def forget(self, request):
41b7db	1145	""" Returns challenge headers. This should be attached to a response
MM	1146	to indicate that credentials are required."""
201596	1147	return [('WWW-Authenticate', 'Basic realm="%s"' % self.realm)]
CR	1148
	1149	def callback(self, username, request):
744bf0	1150	# Username arg is ignored. Unfortunately
DG	1151	# extract_http_basic_credentials winds up getting called twice when
	1152	# authenticated_userid is called. Avoiding that, however,
	1153	# winds up duplicating logic from the superclass.
c895f8	1154	credentials = extract_http_basic_credentials(request)
201596	1155	if credentials:
CR	1156	username, password = credentials
	1157	return self.check(username, password, request)
c895f8	1158
DG	1159
0295ae	1160	HTTPBasicCredentials = namedtuple(
MM	1161	'HTTPBasicCredentials', ['username', 'password'])
693cb0	1162
DG	1163
c895f8	1164	def extract_http_basic_credentials(request):
DG	1165	""" A helper function for extraction of HTTP Basic credentials
0295ae	1166	from a given :term:`request`.
693cb0	1167
0295ae	1168	Returns a :class:`.HTTPBasicCredentials` 2-tuple with ``username`` and
MM	1169	``password`` attributes or ``None`` if no credentials could be found.
c895f8	1170
DG	1171	"""
362a58	1172	authorization = request.headers.get('Authorization')
DG	1173	if not authorization:
	1174	return None
c895f8	1175
362a58	1176	try:
DG	1177	authmeth, auth = authorization.split(' ', 1)
	1178	except ValueError: # not enough values to unpack
c895f8	1179	return None
DG	1180
	1181	if authmeth.lower() != 'basic':
	1182	return None
	1183
	1184	try:
	1185	authbytes = b64decode(auth.strip())
	1186	except (TypeError, binascii.Error): # can't decode
	1187	return None
	1188
	1189	# try utf-8 first, then latin-1; see discussion in
	1190	# https://github.com/Pylons/pyramid/issues/898
	1191	try:
	1192	auth = authbytes.decode('utf-8')
	1193	except UnicodeDecodeError:
	1194	auth = authbytes.decode('latin-1')
	1195
	1196	try:
	1197	username, password = auth.split(':', 1)
	1198	except ValueError: # not enough values to unpack
	1199	return None
693cb0	1200
0295ae	1201	return HTTPBasicCredentials(username, password)