[Repoze-checkins] r720 - in repoze.decsec/trunk/repoze/decsec: . etc
Chris McDonough
chrism at agendaless.com
Fri Feb 22 03:07:54 UTC 2008
Author: Chris McDonough <chrism at agendaless.com>
Date: Thu Feb 21 22:07:53 2008
New Revision: 720
Log:
Rejigger names, fewer hook methods.
Added:
repoze.decsec/trunk/repoze/decsec/zope2.py (contents, props changed)
Modified:
repoze.decsec/trunk/repoze/decsec/etc/sample-config.ini
repoze.decsec/trunk/repoze/decsec/middleware.py
repoze.decsec/trunk/repoze/decsec/sample.py
Modified: repoze.decsec/trunk/repoze/decsec/etc/sample-config.ini
==============================================================================
--- repoze.decsec/trunk/repoze/decsec/etc/sample-config.ini (original)
+++ repoze.decsec/trunk/repoze/decsec/etc/sample-config.ini Thu Feb 21 22:07:53 2008
@@ -1,11 +1,14 @@
[decsec]
+# knobs
remote_user_key=REMOTE_USER
deny_exception=Paste.httpexceptions:Unauthorized
log_filename=%(here)s/decsec.log
log_level=info
allow_on_nomatch=false
+# hooks
initialize_hook=decsec.sample:initialize
-get_user_hook=decsec.sample:get_user
-principals_for_user_hook=decsec.sample:principals_for_user
-acl_for_request_hook=decsec.sample:acl_for_request
-protected_by_hook=decsec.sample:protected_by
+before_check_hook=decsec.sample:before_check
+request_principals_hook=decsec.sample:request_principals
+request_acl_hook=decsec.sample:request_acl
+request_permission_hook=decsec.sample:request_permission
+after_check_hook=decsec.sample:after_check
Modified: repoze.decsec/trunk/repoze/decsec/middleware.py
==============================================================================
--- repoze.decsec/trunk/repoze/decsec/middleware.py (original)
+++ repoze.decsec/trunk/repoze/decsec/middleware.py Thu Feb 21 22:07:53 2008
@@ -7,15 +7,18 @@
class DecsecMiddleware(object):
def __init__(self,
app,
- get_user,
- principals_for_user,
- acl_for_request,
+ global_conf,
+ request_principals,
+ request_acl,
+ request_permission,
initialize = None,
- log_filename='decsec.log',
+ before_check = None,
+ after_check = None,
+ log_filename = 'decsec.log',
log_level=logging.INFO,
allow_on_nomatch = False,
- remote_user_key='REMOTE_USER',
- deny_exception=httpexceptions.HTTPUnauthorized,
+ remote_user_key = 'REMOTE_USER',
+ deny_exception = httpexceptions.HTTPUnauthorized,
):
self.app = app
self.remote_user_key = remote_user_key
@@ -23,11 +26,13 @@
self.log_filename = log_filename
self.log_level = log_level
self.allow_on_nomatch = allow_on_nomatch
- self.get_user = get_user
- self.principals_for_user = principals_for_user
- self.acl_for_request = acl_for_request
+ self.request_prinicpals = request_principals
+ self.request_acl = request_acl
+ self.request_permission = request_permission
+ self.before_check = before_check
+ self.after_check = after_check
if initialize:
- initialize(self)
+ initialize(global_conf, self)
def __call__(self, environ, start_response):
allowed, reason = self.allowed(environ)
@@ -36,29 +41,27 @@
self.app(environ, start_response)
def allowed(self, environ):
+ if self.before_check:
+ self.before_check(environ)
principals = [Everyone]
- remote_user = environ.get(self.remote_user_key)
- if remote_user:
+ request_principals = self.request_principals(environ)
+ if request_principals:
principals.append(Authenticated)
- userid = self.get_user(remote_user)
- user_principals = self.principals_for_user(userid)
- principals.extend(user_principals)
- protected_by = self.protected_by(environ)
- acl = self.acl_for_request(environ)
+ principals.extend(request_principals)
+ protected_by = self.request_permission(environ)
+ acl = self.request_acl(environ)
if not self.acl_allows(acl, protected_by, principals):
- reason = u'%s %s' % (acl, principals)
+ reason = u'acl: %s principals: %s' % (acl, principals)
return False, reason
return True, None
+ if self.after_check:
+ self.after_check(environ)
def acl_allows(self, acl, protected_by, principals):
for ace in acl:
- for principal in principals:
+ for principal in flatten(principals):
if ace['principal'] == principal:
- permission = ace['permission']
- if isinstance(permission, basestring):
- permissions = [permission]
- else:
- permissions = flatten(permission)
+ permissions = flatten(ace['permission'])
if protected_by in permissions:
action = ace['action']
if action == 'allow':
@@ -85,7 +88,8 @@
[1, 2, [3, 4], (5, 6)]
>>> flatten([[[1,2,3], (42,None)], [4,5], [6], 7, MyVector(8,9,10)])
[1, 2, 3, 42, None, 4, 5, 6, 7, 8, 9, 10]"""
-
+ if isinstance(x, basestring):
+ return [x]
result = []
for el in x:
if hasattr(el, "__iter__") and not isinstance(el, basestring):
@@ -96,10 +100,11 @@
def make_middleware(app,
global_conf,
- get_user_hook=None,
- principals_for_user_hook=None,
- acl_for_request_hook=None,
- protected_by_hook=None,
+ request_principals_hook=None,
+ request_acl_hook=None,
+ request_permission_hook=None,
+ before_check_hook=None,
+ after_check_hook=None,
initialize_hook=None,
log_filename='decsec.log',
log_level='info',
@@ -107,33 +112,38 @@
remote_user_key='REMOTE_USER',
deny_exception='paste.httpexceptions:HTTPUnauthorized',
):
- if get_user_hook is None:
- raise ValueError('get_user_hook must be specified')
- if principals_for_user_hook is None:
- raise ValueError('principals_for_user_hook must be specified')
- if acl_for_request_hook is None:
- raise ValueError('acl_for_request_hook must be specified')
- if protected_by_hook is None:
- raise ValueError('protected_by_hook must be specified')
+ if request_principals_hook is None:
+ raise ValueError('request_principals_hook must be specified')
+ if request_acl_hook is None:
+ raise ValueError('request_acl_hook must be specified')
+ if request_permission_hook is None:
+ raise ValueError('request_permission_hook must be specified')
if allow_on_nomatch.lower().startswith('true'):
allow_on_nomatch = True
else:
allow_on_nomatch = False
deny_exception = _resolve(deny_exception)
- get_user = _resolve(get_user_hook)
- principals_for_user = _resolve(principals_for_user_hook)
- acl_for_request = _resolve(acl_for_request_hook)
- protected_by = _resolve(protected_by_hook)
+ request_principals = _resolve(request_principals_hook)
+ request_acl = _resolve(request_acl_hook)
+ request_permission = _resolve(request_permission_hook)
initialize = None
+ before_check = None
+ after_check = None
if initialize_hook is not None:
initialize = _resolve(initialize_hook)
+ if before_check_hook is not None:
+ before_check = _resolve(before_check_hook)
+ if after_check_hook is not None:
+ after_check = _resolve(after_check_hook)
log_level = getattr(logging, log_level.upper())
return DecsecMiddleware(app,
- get_user=get_user,
- principals_for_user=principals_for_user,
- acl_for_request = acl_for_request,
- protected_by = protected_by,
+ global_conf,
+ request_principals = request_principals,
+ request_acl = request_acl,
+ request_permission = request_permission,
initialize = initialize,
+ before_check = before_check,
+ after_check = after_check,
log_filename='decsec.log',
log_level=logging.INFO,
allow_on_nomatch = False,
Modified: repoze.decsec/trunk/repoze/decsec/sample.py
==============================================================================
--- repoze.decsec/trunk/repoze/decsec/sample.py (original)
+++ repoze.decsec/trunk/repoze/decsec/sample.py Thu Feb 21 22:07:53 2008
@@ -1,7 +1,7 @@
from repoze.decsec.interfaces import Everyone
from repoze.decsec.interfaces import Authenticated
-def initialize(global_conf, *kw):
+def initialize(global_conf, middleware):
""" Hook point: hook.initialize """
pass
@@ -39,27 +39,31 @@
Place('/', 'read', [allow_agendaless_to_any, allow_everyone_to_read]),
]
-def get_user(self, remote_user_value):
- return users.get(remote_user_value)
+def before_check(environ):
+ pass
-def principals_for_user(userid):
+def request_principals(environ):
+ userid = users.get(environ.get('REMOTE_USER'))
+ if userid is None:
+ return []
result = [userid]
for groupname, members in groups.items():
if userid in members:
result.append(groupname)
return result
-def acl_for_request(environ):
+def request_acl(environ):
path = environ['PATH_INFO']
for place in places:
if path.startswith(place.path):
return place.acl
return [{'action':'deny', 'principal':Everyone, 'permission':any}]
-def protected_by(environ):
+def request_permission(environ):
path = environ['PATH_INFO']
for place in places:
if path.startswith(place.path):
return place.protected_by
-
+def after_check(environ):
+ pass
Added: repoze.decsec/trunk/repoze/decsec/zope2.py
==============================================================================
--- (empty file)
+++ repoze.decsec/trunk/repoze/decsec/zope2.py Thu Feb 21 22:07:53 2008
@@ -0,0 +1,30 @@
+# stub zope2-aware decsec
+
+def initialize(global_conf,middleware):
+ # set up DB
+ pass
+
+def before_check(environ):
+ # traverse
+ pass
+
+def request_principals(environ):
+ # we use zope roles as decsec principals. we need some way of
+ # quickly determining which roles a user has in a particular
+ # context.
+ pass
+
+def request_acl(environ):
+ # role-permission maps are ACEs where the action is always allow.
+ pass
+
+def request_permission(environ):
+ # we need some way of quickly determining what permission protects
+ # the result of a traversal. __ac_permissions__ is the likely
+ # suspect.
+ pass
+
+def after_check(environ):
+ # do nothing.
+ pass
+
More information about the Repoze-checkins
mailing list