nagare.security package

Submodules

nagare.security.basic_auth module

Authentication manager for the basic HTTP authentication scheme

class nagare.security.basic_auth.Authentication(realm)

Bases: nagare.security.common.Authentication

Authentication manager for the basic HTTP authentication scheme

check_password(username, real_password, password)

Authentication

In:
  • username – user id
  • real_password – real password of the user
  • password – password received
Return:
  • a boolean
denies(detail)

Method called when a permission is denied

In:
  • detail – a security.common.Denial object
get_ids(request, response)

Return the data associated with the connected user

In:
  • request – the web request object
  • response – the web response object
Return:
  • A tuple with the id of the user and its password as a dictionary

nagare.security.common module

class nagare.security.common.Authentication

Bases: object

An Authentication object identifies and authenticates the user, and creates the user objects

Note

By definition, the user object None is the anonymous user

check_password(username, password, **kw)

Authentication

In:
  • username – the user id
  • password – the real password of the user
  • kw – other data for the user
Return:
  • a boolean
create_user(request, response)

Check that the user is valid and create it

denies(detail)

Method called when a permission is denied

In:
  • detail – a security.common.Denial object
end_rendering(request, response, session)

End of the request processing

In:
  • request – the request object
  • response – the response object
  • session – the session
get_ids(request, response)

Return the data associated with the connected user

In:
  • request – the web request object
  • response – the web response object
Return:
  • A tuple with the id of the user and a dictionary of its data
get_password(username)

Return the real password of the user

In:
  • username – the user id
Return:
  • the password
logout()

Disconnect the current user

set_user_id(user, id, **kw)

Set the credentials of the user

In:
  • user – the user
  • id – the user id
  • **kw – the user credentials
exception nagare.security.common.Denial(message='Access forbidden')

Bases: exceptions.BaseException

Type of the objects returned when an access is denied

In a boolean context, it is evaluated to False

class nagare.security.common.Permission

Bases: object

Base class of all the permissions

class nagare.security.common.Private

Bases: nagare.security.common.Permission

To define the private permission singleton

Nobody has access to objects protected with this permission

class nagare.security.common.Public

Bases: nagare.security.common.Permission

To define the public permission singleton

Everybody has access to objects protected with this permission

class nagare.security.common.Rules

Bases: object

Pre-defined security rules

A rule is an implementation of the security.common.Rules.has_permission() generic method.

check_access_list(user, perms, subject)

If several permissions are to be checked, the access must be granted for at least one permission

check_access_set(user, perms, subject)

If several permissions are to be checked, the access must be granted for at least one permission

check_access_tuple(user, perms, subject)

If several permissions are to be checked, the access must be granted for at least one permission

full_access(user, perm, subject)

Everybody has access to an object protected with the public permission

has_permission(user, perm, subject)

The has_permission() generic method and default implementation: by default all accesses are denied

In:
  • user – user to check the permission for
  • perm – permission(s) to check
  • subject – object to check the permission on
Return:
  • True if the access is granted
  • Else a security.common.Denial object
no_access(user, perm, subject)

Nobody has access to an object protected with the private permission
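The rule semantics described above (default deny, a falsy Denial, any-of for lists, sets and tuples), as an added stand-alone Python 3 model. It is not Nagare's code: the `rules` argument stands in for Nagare's generic-method dispatch, and `EditPerm` and `owner_can_edit` are hypothetical application names.

```python
class Denial(Exception):
    """Model of security.common.Denial: a result object that is falsy."""

    def __init__(self, message="Access forbidden"):
        super().__init__(message)
        self.message = message

    def __bool__(self):
        return False


class Permission: ...
class Public(Permission): ...
class Private(Permission): ...

public, private = Public(), Private()  # the two permission singletons


class EditPerm(Permission):
    """Hypothetical application permission."""


def owner_can_edit(user, perm, subject):
    # Hypothetical application rule: only the owner of the subject may edit it.
    # The anonymous user (None) never matches.
    return (isinstance(perm, EditPerm) and user is not None
            and subject.get("owner") == user)


def has_permission(user, perm, subject, rules=(owner_can_edit,)):
    """Return True when access is granted, else a (falsy) Denial object."""
    if isinstance(perm, (list, tuple, set, frozenset)):
        # Several permissions: one grant is enough. An empty collection
        # grants nothing, so it falls through to a Denial.
        return any(has_permission(user, p, subject, rules) for p in perm) or Denial()
    if isinstance(perm, Private):
        return Denial()            # nobody
    if isinstance(perm, Public):
        return True                # everybody, including the anonymous user
    if any(rule(user, perm, subject) for rule in rules):
        return True
    return Denial()                # default: all accesses are denied
```

Two consequences for callers: test the result by truthiness, since a Denial is an object and `result is not None` is always true, and remember that adding a permission to a list can only widen access, so `[EditPerm(), public]` grants everyone.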

class nagare.security.common.User(id=None, *args)

Bases: object

Base class for the user objects

get_id()
set_id(id, *args)

nagare.security.digest_auth module

Authentication manager for the digest HTTP authentication scheme

class nagare.security.digest_auth.Authentication(realm, private_key)

Bases: nagare.security.common.Authentication

Authentication manager for the digest HTTP authentication scheme

check_password(username, password, response, encoding, realm='', uri='', nonce='', nc='', cnonce='', qop='', http_method='', **kw)

Authentication

In:
  • username – user id
  • password – real password of the user
  • encoding – encoding of username and password on the client
  • response, realm, uri, nonce, nc, cnonce, qop – elements of the challenge response
Return:
  • a boolean
denies(detail)

Method called when a permission is denied

In:
  • detail – a security.common.Denial object
get_ids(request, response)

Return the data associated with the connected user

In:
  • request – the web request object
  • response – the web response object
Return:
  • A tuple with the id of the user and all the challenge response parameters
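How the challenge-response parameters listed for check_password() combine into the value a server compares against `response`, as an added Python 3 example following RFC 2617 with the MD5 algorithm and `qop=auth`. It is not Nagare's implementation; `check_digest` and `expected_response` are names chosen here, and nonce freshness checking is left out.

```python
import hashlib
import hmac


def _md5_hex(text, encoding):
    return hashlib.md5(text.encode(encoding)).hexdigest()


def expected_response(username, password, encoding, realm, uri, nonce,
                      nc, cnonce, qop, http_method):
    """Recompute the RFC 2617 request digest from the real password."""
    ha1 = _md5_hex("%s:%s:%s" % (username, realm, password), encoding)
    ha2 = _md5_hex("%s:%s" % (http_method, uri), encoding)
    if not qop:
        # Legacy RFC 2069 form: no nonce count, no client nonce.
        return _md5_hex("%s:%s:%s" % (ha1, nonce, ha2), encoding)
    if qop != "auth" or not (nc and cnonce):
        raise ValueError("unsupported or incomplete qop parameters")
    return _md5_hex(":".join((ha1, nonce, nc, cnonce, qop, ha2)), encoding)


def check_digest(username, password, response, encoding, realm="", uri="",
                 nonce="", nc="", cnonce="", qop="", http_method="", **kw):
    """Return True only if `response` matches the recomputed digest."""
    try:
        expected = expected_response(username, password, encoding, realm,
                                     uri, nonce, nc, cnonce, qop, http_method)
    except (ValueError, LookupError, UnicodeError):
        return False  # malformed client input is a failed login, not a crash
    # Constant-time comparison: do not leak how many characters matched.
    return hmac.compare_digest(expected.encode("ascii"),
                               response.lower().encode("utf-8"))


# Sample values: the worked example from RFC 2617, section 3.5
# (the password in that example is "Circle Of Life").
RFC_SAMPLE = dict(
    username="Mufasa", encoding="utf-8", realm="testrealm@host.com",
    uri="/dir/index.html", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
    nc="00000001", cnonce="0a4f113b", qop="auth", http_method="GET",
    response="6629fae49393a05397450978507c4ef1",
)

if __name__ == "__main__":
    print(check_digest(password="Circle Of Life", **RFC_SAMPLE))
```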

nagare.security.dummy_manager module

Empty security manager

class nagare.security.dummy_manager.Manager

Bases: nagare.security.common.Authentication, nagare.security.common.Rules

A security manager is typically a mix-in of an authentication manager and security rules

nagare.security.form_auth module

Simple form based authentication manager

The id and password of the user are first looked up in the parameters of the request. So, first, create a form with fields named __ac_name and __ac_password (the prefix __ac is configurable).

The user id and the password are then automatically kept in a cookie, which the browser sends back on each request.

Warning

This simple authentication manager keeps the user id and password in clear text in the cookie, so it is only as secure as HTTP basic authentication.

class nagare.security.form_auth.Authentication(prefix='__ac', key=None, max_age=None, path='/', domain=None, secure=None, httponly=False, comment=None, expires=None, overwrite=False, realm=None)

Bases: nagare.security.basic_auth.Authentication

Simple form based authentication

cookie_decode(cookie)

Decode the data of the user cookie

In:
  • cookie – the data of the user cookie
Return:
  • A list with the id of the user and its password
cookie_encode(*ids)

Encode the data of the user cookie

In:
  • ids – a tuple of data to put into the cookie
Return:
  • the data to put into the user cookie
denies(detail)

Method called when a permission is denied

In:
  • detail – a security.common.Denial object
end_rendering(request, response, session)

End of the request processing

In:
  • request – the request object
  • response – the response object
  • session – the session

Search for the data associated with the connected user in the cookies

In:
  • cookies – cookies dictionary
Return:
  • A list with the id of the user and its password
get_ids_from_params(params)

Search for the data associated with the connected user in the request parameters

In:
  • params – the request parameters
Return:
  • A tuple with the id of the user and its password
logout(location='', delete_session=True)

Disconnect the current user

Mark the user object as expired

In:
  • location – location to redirect to
  • delete_session – whether the session is expired too
set_user_id(user, id, password)

Set the credentials of the user

In:
  • user – the user
  • id – the user id
  • password – the user password

Module contents

Security API for the applications

nagare.security.call_with_permissions(self, __action, __perm, __subject, *args, **kw)

Call a function or method only if permitted

In:
  • self – if None then __action is a function else a method
  • __action – function or method to call
  • __perm – permission(s) to check
  • __subject – object to check the permissions on
  • args, kw – __action parameters
Return:
  • the return value of __action
nagare.security.check_permissions(perm, subject=None)

Check that the current user has the permissions perm on the object subject

Forward the call to the generic method has_permission() of the current security manager.

Then let the security manager act if the permission is denied.

Note

The default generic method can check a single permission or a list of permissions

In:
  • perm – permission(s)
  • subject – object to check the permissions on
Return:
  • True if the access is granted
  • Else a security.common.Denial object
nagare.security.get_manager()

Return the security manager

Each application has a dedicated security manager

Return:
  • the security manager
nagare.security.get_user()

Return the current user

Return:
  • the user object (created by the security manager) if not expired
nagare.security.has_permissions(perm, subject=None)

Check that the current user has the permissions perm on the object subject

Forward the call to the generic method has_permission() of the current security manager

Note

The default generic method can check a single permission or a list of permissions

In:
  • perm – permission(s)
  • subject – object to check the permissions on
Return:
  • True if the access is granted
  • Else a security.common.Denial object
nagare.security.permissions(perm, subject=None)

Decorator to check the permissions of the current user

The subject will be the first argument of the decorated method

In:
  • perm – permission(s)
  • subject – object to check the permissions on or the first argument
    of the decorated method if None
nagare.security.permissions_with_subject(perm, subject=None)

Decorator to check the permissions of the current user

The subject will be the first argument of the decorated method

In:
  • perm – permission(s)
  • subject – object to check the permissions on or the first argument
    of the decorated method if None
nagare.security.set_manager(manager)

Change the security manager

In:
  • manager – the new security manager
nagare.security.set_user(user)

Change the user

In:
  • user – the current user
nagare.security.wrapper(action, perm, subject)

Wrap a function or method into a wrapper that will check the user permissions

In:
  • action – function or method to wrap
  • perm – permission(s) to check
  • subject – object to check the permissions on
Return:
  • new action