From: Ant Zucaro Date: Mon, 16 Jun 2014 01:11:36 +0000 (-0400) Subject: Set up some basic security things, including the root_factory (ACLFactory). X-Git-Url: https://git.rm.cloudns.org/?a=commitdiff_plain;h=9a5c857007908db818dc2f7114f61ec541aad47d;p=xonotic%2Fxonstat.git Set up some basic security things, including the root_factory (ACLFactory). --- diff --git a/xonstat/__init__.py b/xonstat/__init__.py index 6186a67..2955504 100644 --- a/xonstat/__init__.py +++ b/xonstat/__init__.py @@ -1,11 +1,13 @@ import sqlahelper from pyramid_beaker import set_cache_regions_from_settings +from pyramid.authentication import AuthTktAuthenticationPolicy from pyramid.config import Configurator from pyramid.httpexceptions import HTTPNotFound from pyramid.renderers import JSONP from sqlalchemy import engine_from_config from xonstat.models import initialize_db from xonstat.views import * +from xonstat.security import * def main(global_config, **settings): """ This function returns a Pyramid WSGI application. @@ -20,7 +22,7 @@ def main(global_config, **settings): # set up beaker cache set_cache_regions_from_settings(settings) - config = Configurator(settings=settings) + config = Configurator(settings=settings, root_factory=ACLFactory) # mako for templating config.include('pyramid_mako') @@ -29,6 +31,11 @@ def main(global_config, **settings): # authentication and authorization policies. config.include('pyramid_persona') + # override the authn policy to provide a callback + secret = settings.get('persona.secret', None) + authn_policy = AuthTktAuthenticationPolicy(secret, callback=groupfinder, hashalg='sha512') + config.set_authentication_policy(authn_policy) + # for json-encoded responses config.add_renderer('jsonp', JSONP(param_name='callback')) diff --git a/xonstat/security.py b/xonstat/security.py new file mode 100644 index 0000000..b942de1 --- /dev/null +++ b/xonstat/security.py @@ -0,0 +1,27 @@ +from pyramid.security import Allow, Everyone + +USERS = { + 'admin':'admin', + 'viewer':'viewer', +} + +GROUPS = { + 'admin':['group:admins'], +} + +# default ACL +class ACLFactory(object): + __acl__ = [ + (Allow, Everyone, 'view'), + (Allow, 'group:admins', 'merge') + ] + def __init__(self, request): + pass + + +def groupfinder(userid, request): + print('userid is %s' % userid) + if userid in USERS: + return GROUPS.get(userid, []) + else: + return []