File: README.rst

package info (click to toggle)
python-pyramid-multiauth 1.0.2-1
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid, trixie
  • size: 200 kB
  • sloc: python: 499; makefile: 33
file content (115 lines) | stat: -rw-r--r-- 4,255 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
 
=================
pyramid_multiauth
=================

|pypi| |ci| |coverage|

.. |pypi| image:: https://img.shields.io/pypi/v/pyramid_multiauth.svg
    :target: https://pypi.python.org/pypi/pyramid_multiauth

.. |ci| image:: https://github.com/mozilla-services/pyramid_multiauth/actions/workflows/test.yml/badge.svg
    :target: https://github.com/mozilla-services/pyramid_multiauth/actions

.. |coverage| image:: https://coveralls.io/repos/github/mozilla-services/pyramid_multiauth/badge.svg?branch=main
    :target: https://coveralls.io/github/mozilla-services/pyramid_multiauth?branch=main

An authentication policy for Pyramid that proxies to a stack of other
authentication policies.


Overview
========

MultiAuthenticationPolicy is a Pyramid authentication policy that proxies to
a stack of *other* IAuthenticationPolicy objects, to provide a combined auth
solution from individual pieces.  Simply pass it a list of policies that
should be tried in order::


    policies = [
        IPAuthenticationPolicy("127.0.*.*", principals=["local"])
        IPAuthenticationPolicy("192.168.*.*", principals=["trusted"])
    ]
    authn_policy = MultiAuthenticationPolicy(policies)
    config.set_authentication_policy(authn_policy)

This example uses the pyramid_ipauth module to assign effective principals
based on originating IP address of the request.  It combines two such
policies so that requests originating from "127.0.*.*" will have principal
"local" while requests originating from "192.168.*.*" will have principal
"trusted".

In general, the results from the stacked authentication policies are combined
as follows:

    * authenticated_userid:    return userid from first successful policy
    * unauthenticated_userid:  return userid from first successful policy
    * effective_principals:    return union of principals from all policies
    * remember:                return headers from all policies
    * forget:                  return headers from all policies


Deployment Settings
===================

It is also possible to specify the authentication policies as part of your
paste deployment settings.  Consider the following example::

    [app:pyramidapp]
    use = egg:mypyramidapp

    multiauth.policies = ipauth1 ipauth2 pyramid_browserid

    multiauth.policy.ipauth1.use = pyramid_ipauth.IPAuthentictionPolicy
    multiauth.policy.ipauth1.ipaddrs = 127.0.*.*
    multiauth.policy.ipauth1.principals = local

    multiauth.policy.ipauth2.use = pyramid_ipauth.IPAuthentictionPolicy
    multiauth.policy.ipauth2.ipaddrs = 192.168.*.*
    multiauth.policy.ipauth2.principals = trusted

To configure authentication from these settings, simply include the multiauth
module into your configurator::

    config.include("pyramid_multiauth")

In this example you would get a MultiAuthenticationPolicy with three stacked
auth policies.  The first two, ipauth1 and ipauth2, are defined as the name of
of a callable along with a set of keyword arguments.  The third is defined as
the name of a module, pyramid_browserid, which will be processed via the
standard config.include() mechanism.

The end result would be a system that authenticates users via BrowserID, and
assigns additional principal identifiers based on the originating IP address
of the request.

If necessary, the *group finder function* and the *authorization policy* can
also be specified from configuration::

    [app:pyramidapp]
    use = egg:mypyramidapp

    multiauth.authorization_policy = mypyramidapp.acl.Custom
    multiauth.groupfinder  = mypyramidapp.acl.groupfinder

    ...


MultiAuthPolicySelected Event
=============================

An event is triggered when one of the multiple policies configured is selected.

::

    from pyramid_multiauth import MultiAuthPolicySelected


    # Track policy used, for prefixing user_id and for logging.
    def on_policy_selected(event):
        print("%s (%s) authenticated %s for request %s" % (event.policy_name,
                                                           event.policy,
                                                           event.userid,
                                                           event.request))

    config.add_subscriber(on_policy_selected, MultiAuthPolicySelected)