authorMichael Merickel <michael@merickel.org>2019-09-30 22:23:02 -0500
committerGitHub <noreply@github.com>2019-09-30 22:23:02 -0500
commit849463d3c2f5ad2c89b3d10a2abce63e4892082d (patch)
tree5bc507d427d8d2000c59ad7837cc03099decf1b5 /tests/pkgs
parentada0a977d9190520c21ffaf9500860db2f3a1b3e (diff)
parentcdb26610782176955cd8cfb0b3c3e242ca819f74 (diff)
Merge pull request #3465 from luhn/security-policy
Security policy implementation
Diffstat (limited to 'tests/pkgs')
-rw-r--r--tests/pkgs/defpermbugapp/__init__.py4
-rw-r--r--tests/pkgs/forbiddenapp/__init__.py4
-rw-r--r--tests/pkgs/legacysecurityapp/__init__.py37
-rw-r--r--tests/pkgs/securityapp/__init__.py41
-rw-r--r--tests/pkgs/staticpermapp/__init__.py4
5 files changed, 84 insertions, 6 deletions
diff --git a/tests/pkgs/defpermbugapp/__init__.py b/tests/pkgs/defpermbugapp/__init__.py
index 81897e86a..af78404ae 100644
--- a/tests/pkgs/defpermbugapp/__init__.py
+++ b/tests/pkgs/defpermbugapp/__init__.py
@@ -25,6 +25,6 @@ def includeme(config):
authn_policy = AuthTktAuthenticationPolicy('seekt1t', hashalg='sha512')
authz_policy = ACLAuthorizationPolicy()
config.scan('tests.pkgs.defpermbugapp')
- config._set_authentication_policy(authn_policy)
- config._set_authorization_policy(authz_policy)
+ config.set_authentication_policy(authn_policy)
+ config.set_authorization_policy(authz_policy)
config.set_default_permission('private')
diff --git a/tests/pkgs/forbiddenapp/__init__.py b/tests/pkgs/forbiddenapp/__init__.py
index 31ea4dd52..79670dd32 100644
--- a/tests/pkgs/forbiddenapp/__init__.py
+++ b/tests/pkgs/forbiddenapp/__init__.py
@@ -22,7 +22,7 @@ def includeme(config):
authn_policy = AuthTktAuthenticationPolicy('seekr1t', hashalg='sha512')
authz_policy = ACLAuthorizationPolicy()
- config._set_authentication_policy(authn_policy)
- config._set_authorization_policy(authz_policy)
+ config.set_authentication_policy(authn_policy)
+ config.set_authorization_policy(authz_policy)
config.add_view(x_view, name='x', permission='private')
config.add_view(forbidden_view, context=HTTPForbidden)
diff --git a/tests/pkgs/legacysecurityapp/__init__.py b/tests/pkgs/legacysecurityapp/__init__.py
new file mode 100644
index 000000000..12fb6104e
--- /dev/null
+++ b/tests/pkgs/legacysecurityapp/__init__.py
@@ -0,0 +1,37 @@
+from pyramid.response import Response
+from pyramid.authentication import RemoteUserAuthenticationPolicy
+from pyramid.security import Allowed, Denied
+
+
+class AuthorizationPolicy:
+ def permits(self, context, principals, permission):
+ if 'bob' in principals and permission == 'foo':
+ return Allowed('')
+ else:
+ return Denied('')
+
+ def principals_allowed_by_permission(self, context, permission):
+ raise NotImplementedError() # pragma: no cover
+
+
+def public(context, request):
+ return Response('Hello')
+
+
+def private(context, request):
+ return Response('Secret')
+
+
+def inaccessible(context, request):
+ raise AssertionError() # pragma: no cover
+
+
+def includeme(config):
+ config.set_authentication_policy(RemoteUserAuthenticationPolicy())
+ config.set_authorization_policy(AuthorizationPolicy())
+ config.add_route('public', '/public')
+ config.add_view(public, route_name='public')
+ config.add_route('private', '/private')
+ config.add_view(private, route_name='private', permission='foo')
+ config.add_route('inaccessible', '/inaccessible')
+ config.add_view(inaccessible, route_name='inaccessible', permission='bar')
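Review bot: The new fixture has no module docstring or comments, so what each route is meant to prove can only be worked out by reading `AuthorizationPolicy.permits`. I would add a module docstring along the lines of `"""Fixture app wiring a legacy authentication/authorization policy pair: 'foo' is granted only when 'bob' is among the principals, and 'bar' is never granted."""` and a comment on `inaccessible` such as `# must never run: permits() denies 'bar' for every principal`. Since `RemoteUserAuthenticationPolicy` takes the userid from the WSGI `REMOTE_USER` value, a one-line comment that the tests set that value themselves would keep the fixture from being read as a deployable pattern.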
diff --git a/tests/pkgs/securityapp/__init__.py b/tests/pkgs/securityapp/__init__.py
new file mode 100644
index 000000000..6ddba585b
--- /dev/null
+++ b/tests/pkgs/securityapp/__init__.py
@@ -0,0 +1,41 @@
+from pyramid.response import Response
+from pyramid.security import Allowed, Denied
+
+
+class SecurityPolicy:
+ def identify(self, request):
+ return request.environ.get('REMOTE_USER')
+
+ def permits(self, request, context, identity, permission):
+ if identity and permission == 'foo':
+ return Allowed('')
+ else:
+ return Denied('')
+
+ def remember(self, request, userid, **kw):
+ raise NotImplementedError() # pragma: no cover
+
+ def forget(self, request):
+ raise NotImplementedError() # pragma: no cover
+
+
+def public(context, request):
+ return Response('Hello')
+
+
+def private(context, request):
+ return Response('Secret')
+
+
+def inaccessible(context, request):
+ raise AssertionError() # pragma: no cover
+
+
+def includeme(config):
+ config.set_security_policy(SecurityPolicy())
+ config.add_route('public', '/public')
+ config.add_view(public, route_name='public')
+ config.add_route('private', '/private')
+ config.add_view(private, route_name='private', permission='foo')
+ config.add_route('inaccessible', '/inaccessible')
+ config.add_view(inaccessible, route_name='inaccessible', permission='bar')
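Review bot: `SecurityPolicy.permits` grants 'foo' to any truthy `identity`, while the parallel fixture in tests/pkgs/legacysecurityapp grants it only when 'bob' is among the principals. The two apps therefore disagree for any `REMOTE_USER` other than 'bob'. If they are meant to be equivalent (the tests that drive them are not visible here), the condition could be `if identity == 'bob' and permission == 'foo':`. Otherwise a comment such as `# any non-empty identity is granted 'foo'; 'bar' is never granted` would mark the difference as deliberate. `identify` returns `request.environ.get('REMOTE_USER')` unchecked, which suits a harness that sets the value itself but deserves a short comment that the identity is only as trustworthy as whatever populates the WSGI environ.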
diff --git a/tests/pkgs/staticpermapp/__init__.py b/tests/pkgs/staticpermapp/__init__.py
index ffc87d39a..a12eac2d3 100644
--- a/tests/pkgs/staticpermapp/__init__.py
+++ b/tests/pkgs/staticpermapp/__init__.py
@@ -18,8 +18,8 @@ def includeme(config):
authn_policy = RemoteUserAuthenticationPolicy()
authz_policy = ACLAuthorizationPolicy()
- config._set_authentication_policy(authn_policy)
- config._set_authorization_policy(authz_policy)
+ config.set_authentication_policy(authn_policy)
+ config.set_authorization_policy(authz_policy)
config.add_static_view('allowed', 'tests:fixtures/static/')
config.add_static_view(
'protected', 'tests:fixtures/static/', permission='view'