1 files changed, 86 insertions, 0 deletions

diff --git a/repoze/bfg/authentication.py b/repoze/bfg/authentication.py
new file mode 100644
index 000000000..487a5e6a8
--- /dev/null
+++ b/repoze/bfg/authentication.py
@@ -0,0 +1,86 @@
+from zope.interface import implements
+from repoze.bfg.interfaces import IAuthenticationPolicy
+from repoze.bfg.security import Everyone
+from repoze.bfg.security import Authenticated
+
+class RepozeWho1AuthenticationPolicy(object):
+    """ A BFG authentication policy which obtains data from the
+    repoze.who 1.X WSGI API """
+    implements(IAuthenticationPolicy)
+    identifier_name = 'auth_tkt'
+
+    def _get_identity(self, request):
+        return request.environ.get('repoze.who.identity')
+
+    def _get_identifier(self, request):
+        plugins = request.environ.get('repoze.who.plugins')
+        if plugins is None:
+            return None
+        identifier = plugins[self.identifier_name]
+        return identifier
+
+    def authenticated_userid(self, context, request):
+        identity = self._get_identity(request)
+        if identity is None:
+            return None
+        return identity['repoze.who.userid']
+
+    def effective_principals(self, context, request):
+        effective_principals = [Everyone]
+        identity = self._get_identity(request)
+        if identity is None:
+            return effective_principals
+
+        effective_principals.append(Authenticated)
+        userid = identity['repoze.who.userid']
+        groups = identity.get('groups', [])
+        effective_principals.append(userid)
+        effective_principals.extend(groups)
+
+        return effective_principals
+
+    def remember(self, context, request, principal, **kw):
+        identifier = self._get_identifier(request)
+        if identifier is None:
+            return []
+        environ = request.environ
+        identity = {'repoze.who.userid':principal}
+        return identifier.remember(environ, identity)
+
+    def forget(self, context, request):
+        identifier = self._get_identifier(request)
+        if identifier is None:
+            return []
+        identity = self._get_identity(request)
+        return identifier.forget(request.environ, identity)
+    
+class RemoteUserAuthenticationPolicy(object):
+    """ A BFG authentication policy which obtains data from the
+    REMOTE_USER WSGI envvar """
+    implements(IAuthenticationPolicy)
+
+    def _get_identity(self, request):
+        return request.environ.get('REMOTE_USER')
+
+    def authenticated_userid(self, context, request):
+        identity = self._get_identity(request)
+        if identity is None:
+            return None
+        return identity
+
+    def effective_principals(self, context, request):
+        effective_principals = [Everyone]
+        identity = self._get_identity(request)
+        if identity is None:
+            return effective_principals
+
+        effective_principals.append(Authenticated)
+        effective_principals.append(identity)
+
+        return effective_principals
+
+    def remember(self, context, request, principal, **kw):
+        return []
+
+    def forget(self, context, request):
+        return []