Set up some basic security things, including the root_factory (ACLFactory).
authorAnt Zucaro <azucaro@gmail.com>
Mon, 16 Jun 2014 01:11:36 +0000 (21:11 -0400)
committerAnt Zucaro <azucaro@gmail.com>
Mon, 16 Jun 2014 01:11:36 +0000 (21:11 -0400)
xonstat/__init__.py
xonstat/security.py [new file with mode: 0644]

index 6186a67e60e03ce5188bce292f57ce0161835940..29555048da6a01e98fcb0330159385fa59ca71d8 100644 (file)
@@ -1,11 +1,13 @@
 import sqlahelper
 from pyramid_beaker import set_cache_regions_from_settings
+from pyramid.authentication import AuthTktAuthenticationPolicy
 from pyramid.config import Configurator
 from pyramid.httpexceptions import HTTPNotFound
 from pyramid.renderers import JSONP
 from sqlalchemy import engine_from_config
 from xonstat.models import initialize_db
 from xonstat.views import *
+from xonstat.security import *
 
 def main(global_config, **settings):
     """ This function returns a Pyramid WSGI application.
@@ -20,7 +22,7 @@ def main(global_config, **settings):
     # set up beaker cache
     set_cache_regions_from_settings(settings)
 
-    config = Configurator(settings=settings)
+    config = Configurator(settings=settings, root_factory=ACLFactory)
 
     # mako for templating
     config.include('pyramid_mako')
@@ -29,6 +31,11 @@ def main(global_config, **settings):
     # authentication and authorization policies.
     config.include('pyramid_persona')
 
+    # override the authn policy to provide a callback
+    secret = settings.get('persona.secret', None)
+    authn_policy = AuthTktAuthenticationPolicy(secret, callback=groupfinder, hashalg='sha512')
+    config.set_authentication_policy(authn_policy)
+
     # for json-encoded responses
     config.add_renderer('jsonp', JSONP(param_name='callback'))
 
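Review bot: `settings.get('persona.secret', None)` lets a missing setting fall through to `AuthTktAuthenticationPolicy(None, ...)`, which is not rejected at construction time and appears to surface only when a ticket is signed or checked on a request; fail fast instead with `if not secret: raise ValueError('persona.secret is required for the auth tkt policy')` directly after the `settings.get` line. The policy is also built with the default cookie flags, so `http_only=True` (and `secure=True` once the site is served over TLS) are worth passing next to `hashalg='sha512'`. `from xonstat.security import *` also pulls `USERS` and `GROUPS` into this module's namespace; importing `ACLFactory` and `groupfinder` by name keeps what main() depends on explicit. main() continues outside the hunk.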
diff --git a/xonstat/security.py b/xonstat/security.py
new file mode 100644 (file)
index 0000000..b942de1
--- /dev/null
@@ -0,0 +1,27 @@
+from pyramid.security import Allow, Everyone
+
+USERS = {
+    'admin':'admin',
+    'viewer':'viewer',
+}
+
+GROUPS = {
+    'admin':['group:admins'],
+}
+
+# default ACL
+class ACLFactory(object):
+    __acl__ = [
+        (Allow, Everyone, 'view'),
+        (Allow, 'group:admins', 'merge')
+    ]
+    def __init__(self, request):
+        pass
+
+
+def groupfinder(userid, request):
+    print('userid is %s' % userid)
+    if userid in USERS:
+        return GROUPS.get(userid, [])
+    else:
+        return []
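Review bot: `groupfinder` returns `[]` for a userid that is not in `USERS`, but Pyramid's authentication callback contract uses `None` to mean "this userid does not exist"; an empty list tells the policy the user is valid, so a ticket carrying an unknown userid still yields the `Authenticated` principal. Change the `else` branch to `return None`. The `print('userid is %s' % userid)` above it writes every userid seen in a ticket to stdout on each request; drop it or replace it with `log.debug('userid is %s', userid)` on a module-level `log = logging.getLogger(__name__)`. `USERS` maps names to values that read like placeholder credentials but are never consulted (only key membership is tested), so either document the dict as a stand-in for a real user store or keep only the usernames, and a one-line docstring on `ACLFactory` stating that `view` is open to `Everyone` while `merge` requires `group:admins` would make the default ACL self-describing.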