金字塔安全认证请求

pyramid security authenticating request

我正在使用金字塔身份验证,下面是我的代码,用于记住请求并查看是否同一用户已通过身份验证。

from pyramid.view import forbidden_view_config
from pyramid.response import Response
from pyramid.httpexceptions import HTTPFound, HTTPSeeOther
from pyramid.security import NO_PERMISSION_REQUIRED, Everyone, remember, authenticated_userid, unauthenticated_userid

from .oauth import OAuth
from .utils import redirect_path
from pyramid.view import (
    view_config,

    )
import requests
import logging
import json

log = logging.getLogger(__name__)

@view_config(route_name='login')
def login(request):

    print('login **** start')

    sm_user = request.headers.get('sm_user')
    userid = request.cookies.get('userid')

    print('sm_user - {0}'.format(sm_user))
    print('userid - {0}'.format(userid))

    if not sm_user and not userid:
        return HTTPFound(request.route_url('callback'))

    login_url = request.route_url('login')

    redirect_to = redirect_path(request)

    response = Response(json.dumps({'note': 'testing'}))
    return response


@view_config(route_name='callback')
def callback(request):

    log.debug('********* callback **********')
    print_requests(request)

    code = request.params.get('code')

    # userid, name = OAuth(code).get_user_info()
    userid ='lak'
    name = 'test'
    headers = remember(request, userid)
    login_url = request.route_url('login')
    print('login_url - ', login_url)

    response = HTTPSeeOther(location=login_url, headers=headers)
    response.set_cookie('name', name)
    response.set_cookie('userid', userid)

    return response


# @view_config(route_name='resource_1', permission='edit')
@view_config(route_name='resource_1')
def resource_1(request):
    print('u - ',unauthenticated_userid(request))
    print('a -', authenticated_userid(request))
    r = {'test': 'resource_1'}
    return Response(json.dumps(r))


@forbidden_view_config()
def resource_2(request):
    return Response('You are not allowed', status='403 Forbidden')

@view_config(route_name='mashup')
def mashup(request):
    print('mashup')

    r = {'Note': 'Undergoing test'}

    return Response(json.dumps(r))


def print_requests(request):
    pass

main.py

from pyramid.authentication import AuthTktAuthenticationPolicy
from pyramid.authorization import ACLAuthorizationPolicy
from pyramid.config import Configurator
from .security import groupfinder


def main(global_config, **settings):
    config = Configurator(settings=settings,
                          root_factory='.resources.Root')
    config.include('pyramid_chameleon')

    # Security policies
    authn_policy = AuthTktAuthenticationPolicy(
        settings['tutorial.secret'], callback=groupfinder,
        hashalg='sha512')
    authz_policy = ACLAuthorizationPolicy()
    config.set_authentication_policy(authn_policy)
    config.set_authorization_policy(authz_policy)

    config.add_route('login', '/')
    config.add_route('callback', '/login/oauth2/code')
    config.add_route('resource_1', '/resource_1')
    config.add_route('resource_2', '/resource_2')
    config.add_route('mashup', '/mashup.html')

    config.scan('.views')
    return config.make_wsgi_app()

security.py

import bcrypt


def hash_password(pw):
    pwhash = bcrypt.hashpw(pw.encode('utf8'), bcrypt.gensalt())
    return pwhash.decode('utf8')

def check_password(pw, hashed_pw):
    expected_hash = hashed_pw.encode('utf8')
    return bcrypt.checkpw(pw.encode('utf8'), expected_hash)


USERS = {'editor': hash_password('editor'),
         'viewer': hash_password('viewer')}
GROUPS = {'editor': ['group:editors'],
          'lak': ['group:editors']}


def groupfinder(userid, request):
    print('******** groupfinder ****', userid)
    print('group - ', GROUPS.get(userid, []))
    if userid in USERS:
        return GROUPS.get(userid, [])
            

resources.py

from pyramid.security import Allow, Everyone


class Root(object):
    __acl__ = [(Allow, Everyone, 'view'),
               (Allow, 'group:editors', 'edit')]

    def __init__(self, request):
        pass

Github URL:-

https://github.com/PREM1980/spa_authentication

默认情况下,authenticated_userid 不会在您调用 remember 的同一请求中更改。它只是在响应对象上设置一个 cookie,客户端将在下一个指示身份验证状态的请求中 return。在当前请求中,如果您希望 authenticated_userid 更改其值,那么您将必须实现自己的 remember 或其他管理机制 - Pyramid 在其任何身份验证中都不会默认执行此操作政策。身份验证策略 API 很简单,如果您觉得需要更改它的工作方式,您可以 subclass/override 它。