Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/mozilla-services/pyramid_multiauth

stacked authentication policies for pyramid
https://github.com/mozilla-services/pyramid_multiauth

Last synced: about 2 months ago
JSON representation

stacked authentication policies for pyramid

Host: GitHub
URL: https://github.com/mozilla-services/pyramid_multiauth
Owner: mozilla-services
License: mpl-2.0
Created: 2011-10-21T04:06:46.000Z (almost 13 years ago)
Default Branch: main
Last Pushed: 2024-03-28T14:59:32.000Z (6 months ago)
Last Synced: 2024-07-18T23:27:10.513Z (2 months ago)
Language: Python
Homepage:
Size: 104 KB
Stars: 41
Watchers: 10
Forks: 12
Open Issues: 2
Metadata Files:
- Readme: README.rst
- Changelog: CHANGES.txt
- Contributing: .github/CONTRIBUTING.md
- License: LICENSE
- Code of conduct: .github/CODE_OF_CONDUCT.md

Awesome Lists containing this project

awesome-pyramid - pyramid_multiauth - (Authorization)

README

        =================

pyramid_multiauth

=================

|pypi| |ci| |coverage|

.. |pypi| image:: https://img.shields.io/pypi/v/pyramid_multiauth.svg

    :target: https://pypi.python.org/pypi/pyramid_multiauth

.. |ci| image:: https://github.com/mozilla-services/pyramid_multiauth/actions/workflows/test.yml/badge.svg

    :target: https://github.com/mozilla-services/pyramid_multiauth/actions

.. |coverage| image:: https://coveralls.io/repos/github/mozilla-services/pyramid_multiauth/badge.svg?branch=main

    :target: https://coveralls.io/github/mozilla-services/pyramid_multiauth?branch=main

An authentication policy for Pyramid that proxies to a stack of other

authentication policies.

Overview

========

MultiAuthenticationPolicy is a Pyramid authentication policy that proxies to

a stack of *other* IAuthenticationPolicy objects, to provide a combined auth

solution from individual pieces.  Simply pass it a list of policies that

should be tried in order::

    policies = [

        IPAuthenticationPolicy("127.0.*.*", principals=["local"])

        IPAuthenticationPolicy("192.168.*.*", principals=["trusted"])

    ]

    authn_policy = MultiAuthenticationPolicy(policies)

    config.set_authentication_policy(authn_policy)

This example uses the pyramid_ipauth module to assign effective principals

based on originating IP address of the request.  It combines two such

policies so that requests originating from "127.0.*.*" will have principal

"local" while requests originating from "192.168.*.*" will have principal

"trusted".

In general, the results from the stacked authentication policies are combined

as follows:

    * authenticated_userid:    return userid from first successful policy

    * unauthenticated_userid:  return userid from first successful policy

    * effective_principals:    return union of principals from all policies

    * remember:                return headers from all policies

    * forget:                  return headers from all policies

Deployment Settings

===================

It is also possible to specify the authentication policies as part of your

paste deployment settings.  Consider the following example::

    [app:pyramidapp]

    use = egg:mypyramidapp

    multiauth.policies = ipauth1 ipauth2 pyramid_browserid

    multiauth.policy.ipauth1.use = pyramid_ipauth.IPAuthentictionPolicy

    multiauth.policy.ipauth1.ipaddrs = 127.0.*.*

    multiauth.policy.ipauth1.principals = local

    multiauth.policy.ipauth2.use = pyramid_ipauth.IPAuthentictionPolicy

    multiauth.policy.ipauth2.ipaddrs = 192.168.*.*

    multiauth.policy.ipauth2.principals = trusted

To configure authentication from these settings, simply include the multiauth

module into your configurator::

    config.include("pyramid_multiauth")

In this example you would get a MultiAuthenticationPolicy with three stacked

auth policies.  The first two, ipauth1 and ipauth2, are defined as the name of

of a callable along with a set of keyword arguments.  The third is defined as

the name of a module, pyramid_browserid, which will be processed via the

standard config.include() mechanism.

The end result would be a system that authenticates users via BrowserID, and

assigns additional principal identifiers based on the originating IP address

of the request.

If necessary, the *group finder function* and the *authorization policy* can

also be specified from configuration::

    [app:pyramidapp]

    use = egg:mypyramidapp

    multiauth.authorization_policy = mypyramidapp.acl.Custom

    multiauth.groupfinder  = mypyramidapp.acl.groupfinder

    ...

MultiAuthPolicySelected Event

=============================

An event is triggered when one of the multiple policies configured is selected.

::

    from pyramid_multiauth import MultiAuthPolicySelected

    # Track policy used, for prefixing user_id and for logging.

    def on_policy_selected(event):

        print("%s (%s) authenticated %s for request %s" % (event.policy_name,

                                                           event.policy,

                                                           event.userid,

                                                           event.request))

    config.add_subscriber(on_policy_selected, MultiAuthPolicySelected)