nagare.security package¶
Submodules¶
nagare.security.basic_auth module¶
Authentication manager for the basic HTTP authentication scheme

class nagare.security.basic_auth.Authentication(realm)¶
Bases: nagare.security.common.Authentication
Authentication manager for the basic HTTP authentication scheme

check_password(username, real_password, password)¶
Authentication
- In:
  - username – user id
  - real_password – real password of the user
  - password – password received
- Return:
  - a boolean

denies(detail)¶
Method called when a permission is denied
- In:
  - detail – a security.common.denial object

get_ids(request, response)¶
Return the data associated with the connected user
- In:
  - request – the web request object
  - response – the web response object
- Return:
  - A tuple with the id of the user and its password as a dictionary

nagare.security.common module¶

class nagare.security.common.Authentication¶
Bases: object
An Authentication object identifies, authenticates and creates the user objects

Note
By definition, the user object None is the anonymous user

check_password(username, password, **kw)¶
Authentication
- In:
  - username – the user id
  - password – the real password of the user
  - kw – other data for the user
- Return:
  - a boolean

create_user(request, response)¶
Check the user is valid and create it

denies(detail)¶
Method called when a permission is denied
- In:
  - detail – a security.common.denial object

end_rendering(request, response, session)¶
End of the request processing
- In:
  - request – the request object
  - response – the response object
  - session – the session

get_ids(request, response)¶
Return the data associated with the connected user
- In:
  - request – the web request object
  - response – the web response object
- Return:
  - A tuple with the id of the user and a dictionary of its data

get_password(username)¶
Return the real password of the user
- In:
  - username – the user id
- Return:
  - the password

logout()¶
Disconnection of the current user

set_user_id(user, id, **kw)¶
Set the credentials of the user
- In:
  - user – the user
  - id – the user id
  - **kw – the user credentials

exception nagare.security.common.Denial(message='Access forbidden')¶
Bases: exceptions.BaseException
Type of the objects returned when an access is denied
In a boolean context, it is evaluated to False

class nagare.security.common.Permission¶
Bases: object
Base class of all the permissions

class nagare.security.common.Private¶
Bases: nagare.security.common.Permission
To define the private permission singleton
Nobody has access to objects protected with this permission

class nagare.security.common.Public¶
Bases: nagare.security.common.Permission
To define the public permission singleton
Everybody has access to objects protected with this permission

class nagare.security.common.Rules¶
Bases: object
Pre-defined security rules
A rule is an implementation of the security.common.Rules.has_permission() generic method.

check_access_list(user, perms, subject)¶
If several permissions are to be checked, the access must be granted for at least one permission

check_access_set(user, perms, subject)¶
If several permissions are to be checked, the access must be granted for at least one permission

check_access_tuple(user, perms, subject)¶
If several permissions are to be checked, the access must be granted for at least one permission

full_access(user, perm, subject)¶
Everybody has access to an object protected with the public permission

has_permission(user, perm, subject)¶
The has_permission() generic method and default implementation: by default all accesses are denied
- In:
  - user – user to check the permission for
  - perm – permission(s) to check
  - subject – object to check the permission on
- Return:
  - True if the access is granted
  - Else a security.common.denial object

no_access(user, perm, subject)¶
Nobody has access to an object protected with the private permission

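A stand-alone model of the rules documented above, added here as an illustration and not nagare's own code. It shows that a refused check returns a falsy Denial object rather than None, and that one granted permission in a list, set or tuple is enough, so adding public to such a collection opens the access to everybody. Assumptions: Python 3, isinstance tests in place of generic-method dispatch, and a hypothetical DocumentRules class, check() hook and dict subject.

```python
class Denial(Exception):
    """Result of a refused check: falsy, and carries the reason."""
    def __init__(self, message='Access forbidden'):
        super().__init__(message)

    def __bool__(self):
        return False


class Permission(object):
    pass


class Public(Permission):
    pass


class Private(Permission):
    pass


public, private = Public(), Private()  # the two permission singletons


class Rules(object):
    def has_permission(self, user, perm, subject):
        if isinstance(perm, (list, tuple, set)):
            # Several permissions: one granted permission is enough
            return any(self.has_permission(user, p, subject) for p in perm) or Denial()
        if isinstance(perm, Public):
            return True       # everybody, including the anonymous user None
        if isinstance(perm, Private):
            return Denial()   # nobody
        return self.check(user, perm, subject)

    def check(self, user, perm, subject):  # hypothetical hook for this model
        return Denial()       # default rule: every access is denied


class DocumentRules(Rules):
    """Hypothetical application rule: only the owner may 'edit'."""
    def check(self, user, perm, subject):
        if perm == 'edit' and user is not None and user == subject.get('owner'):
            return True
        return Denial('%r may not %s this document' % (user, perm))


DOC = {'owner': 'alice'}  # constructed sample subject
```

Test the result for truth (`if result:`); a comparison against None passes even when the access was denied.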
nagare.security.digest_auth module¶
Authentication manager for the digest HTTP authentication scheme

class nagare.security.digest_auth.Authentication(realm, private_key)¶
Bases: nagare.security.common.Authentication
Authentication manager for the digest HTTP authentication scheme

check_password(username, password, response, encoding, realm='', uri='', nonce='', nc='', cnonce='', qop='', http_method='', **kw)¶
Authentication
- In:
  - username – user id
  - password – real password of the user
  - encoding – encoding of username and password on the client
  - response, realm, uri, nonce, nc, cnonce, qop – elements of the challenge response
- Return:
  - a boolean

denies(detail)¶
Method called when a permission is denied
- In:
  - detail – a security.common.denial object

get_ids(request, response)¶
Return the data associated with the connected user
- In:
  - request – the web request object
  - response – the web response object
- Return:
  - A tuple with the id of the user and all the challenge response parameters

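How the challenge response elements listed for check_password() combine under RFC 2617, as an added stand-alone example that is not nagare's own code. The function reuses the documented parameter names; the helper expected_response() is hypothetical, only qop=auth and the legacy no-qop form are handled, and the sample values are the exchange published in RFC 2617.

```python
import hashlib
import hmac


def _md5_hex(text, encoding='utf-8'):
    return hashlib.md5(text.encode(encoding)).hexdigest()


def expected_response(username, password, encoding, realm, uri, nonce,
                      nc='', cnonce='', qop='', http_method='GET'):
    """Recompute the 'response' value from the server-side password."""
    ha1 = _md5_hex('%s:%s:%s' % (username, realm, password), encoding)
    ha2 = _md5_hex('%s:%s' % (http_method, uri), encoding)
    if not qop:
        # Legacy form: no client nonce, no request counter
        return _md5_hex(':'.join((ha1, nonce, ha2)))
    if qop != 'auth':
        raise ValueError('only qop=auth is handled in this example')
    return _md5_hex(':'.join((ha1, nonce, nc, cnonce, qop, ha2)))


def check_password(username, password, response, encoding, realm='', uri='',
                   nonce='', nc='', cnonce='', qop='', http_method='', **kw):
    """Return True only if the client's response matches the real password."""
    if password is None or not nonce or not response:
        return False  # unknown user or incomplete challenge response
    try:
        expected = expected_response(username, password, encoding, realm, uri,
                                     nonce, nc, cnonce, qop, http_method)
        # Constant-time comparison: no early exit on the first differing digit
        return hmac.compare_digest(expected.encode('ascii'),
                                   response.lower().encode('utf-8'))
    except (ValueError, UnicodeError, LookupError):
        return False  # unsupported qop, bad encoding name or undecodable data


# Sample values: the example exchange published in RFC 2617
RFC2617_SAMPLE = dict(
    username='Mufasa', password='Circle Of Life', encoding='utf-8',
    realm='testrealm@host.com', uri='/dir/index.html',
    nonce='dcd98b7102dd2f0e8b11d0f600bfb0c093', nc='00000001',
    cnonce='0a4f113b', qop='auth', http_method='GET',
    response='6629fae49393a05397450978507c4ef1')

if __name__ == '__main__':
    print(check_password(**RFC2617_SAMPLE))
    print(check_password(**dict(RFC2617_SAMPLE, password='wrong')))
```

A matching response proves knowledge of the password for this nonce only; the server must still reject stale nonces and repeated nonce/nc pairs, which this function does not do.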
nagare.security.dummy_manager module¶
Empty security manager

class nagare.security.dummy_manager.Manager¶
Bases: nagare.security.common.Authentication, nagare.security.common.Rules
A security manager is typically a mix-in of an authentication manager and security rules

nagare.security.form_auth module¶
Simple form based authentication manager
The id and password of the user are first searched for in the parameters of the request. So, first, set a form with the field names __ac_name and __ac_password (the prefix __ac is configurable).
Then the user id and the password are automatically kept in a cookie, sent back on each request by the browser.

Warning
This simple authentication manager keeps the user id and password in clear text in the cookie. So this authentication manager is only as secure as HTTP basic authentication.

class nagare.security.form_auth.Authentication(prefix='__ac', key=None, max_age=None, path='/', domain=None, secure=None, httponly=False, comment=None, expires=None, overwrite=False, realm=None)¶
Bases: nagare.security.basic_auth.Authentication
Simple form based authentication

Decode the data of the user cookie
- In:
  - cookie – the data of the user cookie
- Return:
  - A list with the id of the user and its password

Encode the data of the user cookie
- In:
  - ids – a tuple of data to put into the cookie
- Return:
  - the data to put into the user cookie

denies(detail)¶
Method called when a permission is denied
- In:
  - detail – a security.common.denial object

end_rendering(request, response, session)¶
End of the request processing
- In:
  - request – the request object
  - response – the response object
  - session – the session

Search the data associated with the connected user in the cookies
- In:
  - cookies – cookies dictionary
- Return:
  - A list with the id of the user and its password

get_ids_from_params(params)¶
Search the data associated with the connected user in the request parameters
- In:
  - params – the request parameters
- Return:
  - A tuple with the id of the user and its password

logout(location='', delete_session=True)¶
Disconnection of the current user
Mark the user object as expired
- In:
  - location – location to redirect to
  - delete_session – is the session expired too?

set_user_id(user, id, password)¶
Set the credentials of the user
- In:
  - user – the user
  - id – the user id
  - password – the user password

Module contents¶
Security API for the applications

nagare.security.call_with_permissions(self, __action, __perm, __subject, *args, **kw)¶
Call a function or method only if permitted
- In:
  - self – if None then __action is a function else a method
  - __action – function or method to call
  - __perm – permission(s) to check
  - __subject – object to check the permissions on
  - args, kw – __action parameters
- Return:
  - the value returned by __action

nagare.security.check_permissions(perm, subject=None)¶
Control that the current user has the permissions perm on the object subject
Forward the call to the generic method has_permission() of the current security manager. Then let the security manager act if the permission is denied.

Note
The default generic method can check a single permission or a list of permissions
- In:
  - perm – permission(s)
  - subject – object to check the permissions on
- Return:
  - True if the access is granted
  - Else a security.common.denial object

nagare.security.get_manager()¶
Return the security manager
Each application has a dedicated security manager
- Return:
  - the security manager

nagare.security.get_user()¶
Return the current user
- Return:
  - the user object (created by the security manager) if not expired

nagare.security.has_permissions(perm, subject=None)¶
Check that the current user has the permissions perm on the object subject
Forward the call to the generic method has_permission() of the current security manager

Note
The default generic method can check a single permission or a list of permissions
- In:
  - perm – permission(s)
  - subject – object to check the permissions on
- Return:
  - True if the access is granted
  - Else a security.common.denial object

nagare.security.permissions(perm, subject=None)¶
Decorator to check the permissions of the current user
The subject will be the first argument of the decorated method
- In:
  - perm – permission(s)
  - subject – object to check the permissions on, or the first argument of the decorated method if None

nagare.security.permissions_with_subject(perm, subject=None)¶
Decorator to check the permissions of the current user
The subject will be the first argument of the decorated method
- In:
  - perm – permission(s)
  - subject – object to check the permissions on, or the first argument of the decorated method if None

nagare.security.set_manager(manager)¶
Change the security manager
- In:
  - manager – the new security manager

nagare.security.set_user(user)¶
Change the user
- In:
  - user – the current user

nagare.security.wrapper(action, perm, subject)¶
Wrap a function or method into a wrapper that will check the user permissions
- In:
  - action – function or method to wrap
  - perm – permission(s) to check
  - subject – object to check the permissions on
- Return:
  - new action