authorChris McDonough <chrism@agendaless.com>2009-07-01 06:46:05 +0000
committerChris McDonough <chrism@agendaless.com>2009-07-01 06:46:05 +0000
commitdd7614a8e486735b7106331ca6b86229115de249 (patch)
tree98b2f9087fb5b13367dca3abd0b5683559695535
parent4e87068fe858c116e6d648fa8b21d4c70ddd87eb (diff)
- Add three new ZCML directives which configure authentication
policies: - ``repozewho1authenticationpolicy`` - ``remoteuserauthenticationpolicy`` - ``authtktauthenticationpolicy`` - Add a new ZCML directive which configures an ACL authorization policy named ``aclauthorizationpolicy``.
-rw-r--r--CHANGES.txt12
-rw-r--r--repoze/bfg/includes/meta.zcml46
-rw-r--r--repoze/bfg/tests/test_zcml.py129
-rw-r--r--repoze/bfg/zcml.py86
4 files changed, 261 insertions, 12 deletions
diff --git a/CHANGES.txt b/CHANGES.txt
index 3a3c39495..d590f63eb 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -1,6 +1,18 @@
Next release
============
+- Add three new ZCML directives which configure authentication
+ policies:
+
+ - ``repozewho1authenticationpolicy``
+
+ - ``remoteuserauthenticationpolicy``
+
+ - ``authtktauthenticationpolicy``
+
+- Add a new ZCML directive which configures an ACL authorization
+ policy named ``aclauthorizationpolicy``.
+
- Bug fix: when a ``repoze.bfg.resource.PackageOverrides`` class was
instantiated, and the package it was overriding already had a
``__loader__`` attribute, it would fail at startup time, even if the
diff --git a/repoze/bfg/includes/meta.zcml b/repoze/bfg/includes/meta.zcml
index ba0fc50cc..89a540098 100644
--- a/repoze/bfg/includes/meta.zcml
+++ b/repoze/bfg/includes/meta.zcml
@@ -28,17 +28,41 @@
handler="repoze.bfg.zcml.forbidden"
/>
- <meta:directive
- name="route"
- schema="repoze.bfg.zcml.IRouteDirective"
- handler="repoze.bfg.zcml.route"
- />
-
- <meta:directive
- name="resource"
- schema="repoze.bfg.zcml.IResourceDirective"
- handler="repoze.bfg.zcml.resource"
- />
+ <meta:directive
+ name="route"
+ schema="repoze.bfg.zcml.IRouteDirective"
+ handler="repoze.bfg.zcml.route"
+ />
+
+ <meta:directive
+ name="resource"
+ schema="repoze.bfg.zcml.IResourceDirective"
+ handler="repoze.bfg.zcml.resource"
+ />
+
+ <meta:directive
+ name="repozewho1authenticationpolicy"
+ schema="repoze.bfg.zcml.IRepozeWho1AuthenticationPolicyDirective"
+ handler="repoze.bfg.zcml.repozewho1authenticationpolicy"
+ />
+
+ <meta:directive
+ name="remoteuserauthenticationpolicy"
+ schema="repoze.bfg.zcml.IRemoteUserAuthenticationPolicyDirective"
+ handler="repoze.bfg.zcml.remoteuserauthenticationpolicy"
+ />
+
+ <meta:directive
+ name="authtktauthenticationpolicy"
+ schema="repoze.bfg.zcml.IAuthTktAuthenticationPolicyDirective"
+ handler="repoze.bfg.zcml.authtktauthenticationpolicy"
+ />
+
+ <meta:directive
+ name="aclauthorizationpolicy"
+ schema="repoze.bfg.zcml.IACLAuthorizationPolicyDirective"
+ handler="repoze.bfg.zcml.aclauthorizationpolicy"
+ />
</meta:directives>
diff --git a/repoze/bfg/tests/test_zcml.py b/repoze/bfg/tests/test_zcml.py
index cb841013d..37cdaeb61 100644
--- a/repoze/bfg/tests/test_zcml.py
+++ b/repoze/bfg/tests/test_zcml.py
@@ -579,7 +579,134 @@ class TestForbiddenDirective(unittest.TestCase):
self.assertEqual(regadapt['args'][2], IForbiddenView)
self.assertEqual(regadapt['args'][3], '')
self.assertEqual(regadapt['args'][4], None)
-
+
+class TestRepozeWho1AuthenticationPolicyDirective(unittest.TestCase):
+ def _callFUT(self, context, **kw):
+ from repoze.bfg.zcml import repozewho1authenticationpolicy
+ return repozewho1authenticationpolicy(context, **kw)
+
+ def test_it(self):
+ context = DummyContext()
+ def callback(identity, request):
+ """ """
+ self._callFUT(context, identifier_name='auth_tkt', callback=callback)
+ actions = context.actions
+ from repoze.bfg.interfaces import IAuthenticationPolicy
+ from repoze.bfg.zcml import handler
+
+ self.assertEqual(len(actions), 1)
+
+ regadapt = actions[0]
+ regadapt_discriminator = 'authentication_policy'
+ self.assertEqual(regadapt['discriminator'], regadapt_discriminator)
+ self.assertEqual(regadapt['callable'], handler)
+ self.assertEqual(regadapt['args'][0], 'registerUtility')
+ policy = regadapt['args'][1]
+ self.assertEqual(policy.callback, callback)
+ self.assertEqual(policy.identifier_name, 'auth_tkt')
+ self.assertEqual(regadapt['args'][2], IAuthenticationPolicy)
+ self.assertEqual(regadapt['args'][3], '')
+ self.assertEqual(regadapt['args'][4], None)
+
+class TestRemoteUserAuthenticationPolicyDirective(unittest.TestCase):
+ def _callFUT(self, context, **kw):
+ from repoze.bfg.zcml import remoteuserauthenticationpolicy
+ return remoteuserauthenticationpolicy(context, **kw)
+
+ def test_it(self):
+ context = DummyContext()
+ def callback(identity, request):
+ """ """
+ self._callFUT(context, environ_key='BLAH', callback=callback)
+ actions = context.actions
+ from repoze.bfg.interfaces import IAuthenticationPolicy
+ from repoze.bfg.zcml import handler
+
+ self.assertEqual(len(actions), 1)
+
+ regadapt = actions[0]
+ regadapt_discriminator = 'authentication_policy'
+ self.assertEqual(regadapt['discriminator'], regadapt_discriminator)
+ self.assertEqual(regadapt['callable'], handler)
+ self.assertEqual(regadapt['args'][0], 'registerUtility')
+ policy = regadapt['args'][1]
+ self.assertEqual(policy.environ_key, 'BLAH')
+ self.assertEqual(policy.callback, callback)
+ self.assertEqual(regadapt['args'][2], IAuthenticationPolicy)
+ self.assertEqual(regadapt['args'][3], '')
+ self.assertEqual(regadapt['args'][4], None)
+
+class TestAuthTktAuthenticationPolicyDirective(unittest.TestCase):
+ def _callFUT(self, context, secret, **kw):
+ from repoze.bfg.zcml import authtktauthenticationpolicy
+ return authtktauthenticationpolicy(context, secret, **kw)
+
+ def test_it_noconfigerror(self):
+ context = DummyContext()
+ def callback(identity, request):
+ """ """
+ self._callFUT(context, 'sosecret', callback=callback,
+ cookie_name='repoze.bfg.auth_tkt',
+ secure=True, include_ip=True, timeout=100,
+ reissue_time=60)
+ actions = context.actions
+ from repoze.bfg.interfaces import IAuthenticationPolicy
+ from repoze.bfg.zcml import handler
+
+ self.assertEqual(len(actions), 1)
+
+ regadapt = actions[0]
+ regadapt_discriminator = 'authentication_policy'
+ self.assertEqual(regadapt['discriminator'], regadapt_discriminator)
+ self.assertEqual(regadapt['callable'], handler)
+ self.assertEqual(regadapt['args'][0], 'registerUtility')
+ policy = regadapt['args'][1]
+ self.assertEqual(policy.cookie.secret, 'sosecret')
+ self.assertEqual(policy.callback, callback)
+ self.assertEqual(regadapt['args'][2], IAuthenticationPolicy)
+ self.assertEqual(regadapt['args'][3], '')
+ self.assertEqual(regadapt['args'][4], None)
+
+ def test_it_configerror(self):
+ from zope.configuration.exceptions import ConfigurationError
+ context = DummyContext()
+ def callback(identity, request):
+ """ """
+ self.assertRaises(ConfigurationError,
+ self._callFUT,
+ context, 'sosecret', callback=callback,
+ cookie_name='repoze.bfg.auth_tkt',
+ secure=True, include_ip=True, timeout=100,
+ reissue_time=500)
+
+class TestACLAuthorizationPolicyDirective(unittest.TestCase):
+ def _callFUT(self, context, **kw):
+ from repoze.bfg.zcml import aclauthorizationpolicy
+ return aclauthorizationpolicy(context, **kw)
+
+ def test_it(self):
+ from repoze.bfg.authorization import ACLAuthorizationPolicy
+ from repoze.bfg.interfaces import IAuthorizationPolicy
+ from repoze.bfg.zcml import handler
+ context = DummyContext()
+ def callback(identity, request):
+ """ """
+ self._callFUT(context)
+ actions = context.actions
+
+ self.assertEqual(len(actions), 1)
+
+ regadapt = actions[0]
+ regadapt_discriminator = 'authorization_policy'
+ self.assertEqual(regadapt['discriminator'], regadapt_discriminator)
+ self.assertEqual(regadapt['callable'], handler)
+ self.assertEqual(regadapt['args'][0], 'registerUtility')
+ policy = regadapt['args'][1]
+ self.assertEqual(policy.__class__, ACLAuthorizationPolicy)
+ self.assertEqual(regadapt['args'][2], IAuthorizationPolicy)
+ self.assertEqual(regadapt['args'][3], '')
+ self.assertEqual(regadapt['args'][4], None)
+
class TestDeriveView(unittest.TestCase):
def _callFUT(self, view):
from repoze.bfg.zcml import derive_view
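Review bot: `test_it_noconfigerror` in TestAuthTktAuthenticationPolicyDirective passes `secure=True`, `include_ip=True`, `timeout=100` and `reissue_time=60`, but asserts only `policy.cookie.secret` and `policy.callback`, so a handler that silently dropped one of the security-relevant cookie flags would still pass. Assuming the cookie helper exposes them the same way it exposes `secret`, add assertions such as `self.assertEqual(policy.cookie.secure, True)` and `self.assertEqual(policy.cookie.include_ip, True)`. TestRemoteUserAuthenticationPolicyDirective always supplies `environ_key='BLAH'`, so the case where the attribute is omitted is never exercised; a second test calling `self._callFUT(context)` and asserting `policy.environ_key == 'REMOTE_USER'` would cover it. The `callback` defined in TestACLAuthorizationPolicyDirective.test_it is unused and can be dropped.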
diff --git a/repoze/bfg/zcml.py b/repoze/bfg/zcml.py
index 701ca341b..4384924a7 100644
--- a/repoze/bfg/zcml.py
+++ b/repoze/bfg/zcml.py
@@ -15,6 +15,13 @@ from zope.configuration.fields import GlobalObject
from zope.interface import Interface
from zope.schema import TextLine
+from zope.schema import Bool
+from zope.schema import Int
+
+from repoze.bfg.authentication import RepozeWho1AuthenticationPolicy
+from repoze.bfg.authentication import RemoteUserAuthenticationPolicy
+from repoze.bfg.authentication import AuthTktAuthenticationPolicy
+from repoze.bfg.authorization import ACLAuthorizationPolicy
from repoze.bfg.interfaces import IRoutesMapper
from repoze.bfg.interfaces import IViewPermission
@@ -22,6 +29,7 @@ from repoze.bfg.interfaces import INotFoundAppFactory
from repoze.bfg.interfaces import INotFoundView
from repoze.bfg.interfaces import IForbiddenView
from repoze.bfg.interfaces import IAuthenticationPolicy
+from repoze.bfg.interfaces import IAuthorizationPolicy
from repoze.bfg.interfaces import ISecurityPolicy
from repoze.bfg.interfaces import IView
from repoze.bfg.interfaces import IUnauthorizedAppFactory
@@ -219,6 +227,84 @@ def resource(context, to_override, override_with):
args = (package, path, override_package, override_prefix),
)
+class IRepozeWho1AuthenticationPolicyDirective(Interface):
+ identifier_name = TextLine(title=u'identitfier_name', required=False,
+ default=u'auth_tkt')
+ callback = GlobalObject(title=u'callback', required=False)
+
+def repozewho1authenticationpolicy(_context, identifier_name='auth_tkt',
+ callback=None):
+ policy = RepozeWho1AuthenticationPolicy(identifier_name=identifier_name,
+ callback=callback)
+ _context.action(
+ discriminator = 'authentication_policy',
+ callable = handler,
+ args = ('registerUtility', policy, IAuthenticationPolicy, '',
+ _context.info),
+ )
+
+class IRemoteUserAuthenticationPolicyDirective(Interface):
+ environ_key = TextLine(title=u'environ_key', required=False,
+ default=u'REMOTE_USER')
+ callback = GlobalObject(title=u'callback', required=False)
+
+def remoteuserauthenticationpolicy(_context, environ_key, callback=None):
+ policy = RemoteUserAuthenticationPolicy(environ_key=environ_key,
+ callback=callback)
+ _context.action(
+ discriminator = 'authentication_policy',
+ callable = handler,
+ args = ('registerUtility', policy, IAuthenticationPolicy, '',
+ _context.info),
+ )
+
+class IAuthTktAuthenticationPolicyDirective(Interface):
+ secret = TextLine(title=u'secret', required=True)
+ callback = GlobalObject(title=u'callback', required=False)
+ cookie_name = TextLine(title=u'cookie_name', required=False,
+ default=u'repoze.bfg.auth_tkt')
+ secure = Bool(title=u"secure", required=False, default=False)
+ include_ip = Bool(title=u"include_ip", required=False, default=False)
+ timeout = Int(title=u"timeout", required=False, default=None)
+ reissue_time = Int(title=u"reissue_time", required=False, default=None)
+
+def authtktauthenticationpolicy(_context,
+ secret,
+ callback=None,
+ cookie_name='repoze.bfg.auth_tkt',
+ secure=False,
+ include_ip=False,
+ timeout=None,
+ reissue_time=None):
+ try:
+ policy = AuthTktAuthenticationPolicy(secret,
+ callback=callback,
+ cookie_name=cookie_name,
+ secure=secure,
+ include_ip = include_ip,
+ timeout = timeout,
+ reissue_time = reissue_time)
+ except ValueError, why:
+ raise ConfigurationError(str(why))
+ _context.action(
+ discriminator = 'authentication_policy',
+ callable = handler,
+ args = ('registerUtility', policy, IAuthenticationPolicy, '',
+ _context.info),
+ )
+
+class IACLAuthorizationPolicyDirective(Interface):
+ pass
+
+def aclauthorizationpolicy(_context):
+ policy = ACLAuthorizationPolicy()
+ _context.action(
+ discriminator = 'authorization_policy',
+ callable = handler,
+ args = ('registerUtility', policy, IAuthorizationPolicy, '',
+ _context.info),
+ )
+
class IRouteDirective(Interface):
""" The interface for the ``route`` ZCML directive
"""
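Review bot: `remoteuserauthenticationpolicy(_context, environ_key, callback=None)` has no default for `environ_key`, although its schema declares the field `required=False` with default `u'REMOTE_USER'`; as far as I know zope.configuration does not pass optional attributes that are omitted, so a bare `<remoteuserauthenticationpolicy/>` would likely fail with a TypeError rather than fall back to REMOTE_USER. Give the handler the default its schema advertises, as the repozewho1 handler above it already does: `def remoteuserauthenticationpolicy(_context, environ_key='REMOTE_USER', callback=None):`. On `IAuthTktAuthenticationPolicyDirective`, `secret` only has to be present, so an empty or very short value appears to be accepted, and `secure` defaults to False. A `min_length` on the `secret` TextLine would help, as would a docstring saying that the secret is what protects the auth cookie, that it sits in plain text in the ZCML file, and that `secure` should be true on HTTPS deployments. The field title `u'identitfier_name'` is misspelled and should read `u'identifier_name'`.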