From 9a5c857007908db818dc2f7114f61ec541aad47d Mon Sep 17 00:00:00 2001
From: Ant Zucaro
Date: Sun, 15 Jun 2014 21:11:36 -0400
Subject: [PATCH] Set up some basic security things, including the root_factory (ACLFactory).
---
xonstat/__init__.py | 9 ++++++++-
xonstat/security.py | 27 +++++++++++++++++++++++++++
2 files changed, 35 insertions(+), 1 deletion(-)
create mode 100644 xonstat/security.py
diff --git a/xonstat/__init__.py b/xonstat/__init__.py
index 6186a67..2955504 100644
--- a/xonstat/__init__.py
+++ b/xonstat/__init__.py
@@ -1,11 +1,13 @@ import sqlahelper from pyramid_beaker import set_cache_regions_from_settings +from pyramid.authentication import AuthTktAuthenticationPolicy from pyramid.config import Configurator from pyramid.httpexceptions import HTTPNotFound from pyramid.renderers import JSONP from sqlalchemy import engine_from_config from xonstat.models import initialize_db from xonstat.views import * +from xonstat.security import * def main(global_config, **settings): """ This function returns a Pyramid WSGI application.
@@ -20,7 +22,7 @@ def main(global_config, **settings): # set up beaker cache set_cache_regions_from_settings(settings) - config = Configurator(settings=settings) + config = Configurator(settings=settings, root_factory=ACLFactory) # mako for templating config.include('pyramid_mako')
@@ -29,6 +31,11 @@ def main(global_config, **settings): # authentication and authorization policies. config.include('pyramid_persona') + # override the authn policy to provide a callback + secret = settings.get('persona.secret', None) + authn_policy = AuthTktAuthenticationPolicy(secret, callback=groupfinder, hashalg='sha512') + config.set_authentication_policy(authn_policy) + # for json-encoded responses config.add_renderer('jsonp', JSONP(param_name='callback'))
diff --git a/xonstat/security.py b/xonstat/security.py
new file mode 100644
index 0000000..b942de1
--- /dev/null
+++ b/xonstat/security.py
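Review bot: `secret = settings.get('persona.secret', None)` in the third hunk passes `None` as the auth_tkt signing secret when the setting is absent, so a misconfigured deployment is likely to fail only when the first ticket is signed rather than at startup; reading it as `secret = settings['persona.secret']` makes a missing secret raise inside `main()`. The policy is also constructed with the defaults for `http_only`, `secure` and `timeout`, which leaves the ticket cookie readable from script and valid indefinitely; `AuthTktAuthenticationPolicy(secret, callback=groupfinder, hashalg='sha512', http_only=True)` together with a `timeout`/`reissue_time` value, and `secure=True` once the site is served over TLS, is the usual hardening. The `from xonstat.security import *` added in the first hunk also pulls `USERS` and `GROUPS` into this module's namespace; importing `ACLFactory` and `groupfinder` by name keeps the dependency explicit. `main()` continues outside the hunk.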
@@ -0,0 +1,27 @@
+from pyramid.security import Allow, Everyone
+
+USERS = {
+ 'admin':'admin',
+ 'viewer':'viewer',
+}
+
+GROUPS = {
+ 'admin':['group:admins'],
+}
+
+# default ACL
+class ACLFactory(object):
+ __acl__ = [
+ (Allow, Everyone, 'view'),
+ (Allow, 'group:admins', 'merge')
+ ]
+ def __init__(self, request):
+ pass
+
+
+def groupfinder(userid, request):
+ print('userid is %s' % userid)
+ if userid in USERS:
+ return GROUPS.get(userid, [])
+ else:
+ return []
--
2.39.2
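Review bot: `groupfinder` returns `[]` for a userid that is not in `USERS`, but Pyramid treats any non-`None` return from the authentication callback as an existing user, so a ticket carrying an unknown userid still receives the `Authenticated` principal and the userid principal; the unknown branch should `return None` so such tickets are limited to `Everyone`. `print('userid is %s' % userid)` writes every authenticated identity to stdout on each request; a module-level `logging.getLogger(__name__)` logger at debug level, or removing the line, is preferable. `USERS` maps each name to an identical string and reads like a hard-coded credential table even though only its keys are consulted here; if it is a placeholder, a comment saying so and noting that real accounts belong in configuration or the database would stop it being copied forward.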