From 0168300b0da3c79e05ec87aa777e04674a86cebb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=89ric=20Araujo?= Date: Sat, 14 Dec 2019 13:32:07 -0500 Subject: start reworking security policy --- src/pyramid/authentication.py | 6 ++--- src/pyramid/config/testing.py | 8 +++++-- src/pyramid/interfaces.py | 17 ++++++------- src/pyramid/security.py | 56 +++++++++++++++++++++++-------------------- src/pyramid/testing.py | 9 +++++-- src/pyramid/viewderivers.py | 9 +++---- 6 files changed, 58 insertions(+), 47 deletions(-) (limited to 'src') diff --git a/src/pyramid/authentication.py b/src/pyramid/authentication.py index de06fe955..500a84646 100644 --- a/src/pyramid/authentication.py +++ b/src/pyramid/authentication.py @@ -1110,7 +1110,7 @@ class SessionAuthenticationPolicy(CallbackAuthenticationPolicy): return self.helper.forget(request) def unauthenticated_userid(self, request): - return self.helper.identify(request) + return self.helper.authenticated_userid(request) class SessionAuthenticationHelper: @@ -1134,13 +1134,13 @@ class SessionAuthenticationHelper: request.session[self.userid_key] = userid return [] - def forget(self, request): + def forget(self, request, **kw): """ Remove the stored userid from the session.""" if self.userid_key in request.session: del request.session[self.userid_key] return [] - def identify(self, request): + def authenticated_userid(self, request): """ Return the stored userid.""" return request.session.get(self.userid_key) diff --git a/src/pyramid/config/testing.py b/src/pyramid/config/testing.py index 21c622656..83a8db552 100644 --- a/src/pyramid/config/testing.py +++ b/src/pyramid/config/testing.py @@ -13,6 +13,7 @@ class TestingConfiguratorMixin(object): # testing API def testing_securitypolicy( self, + userid=None, identity=None, permissive=True, remember_result=None, @@ -39,6 +40,7 @@ class TestingConfiguratorMixin(object): not provided (or it is provided, and is ``None``), the default value ``[]`` (the empty list) will be returned by ``forget``. + XXX rewrite The behavior of the registered :term:`authentication policy` depends on the values provided for the ``userid`` and ``groupids`` argument. The authentication policy will return @@ -51,7 +53,6 @@ class TestingConfiguratorMixin(object): This function is most useful when testing code that uses the APIs named :meth:`pyramid.request.Request.has_permission`, :attr:`pyramid.request.Request.authenticated_userid`, - :attr:`pyramid.request.Request.effective_principals`, and :func:`pyramid.security.principals_allowed_by_permission`. .. versionadded:: 1.4 @@ -59,11 +60,14 @@ class TestingConfiguratorMixin(object): .. versionadded:: 1.4 The ``forget_result`` argument. + + .. versionchanged:: 2.0 + Removed ``groupids`` argument and doc about effective principals. """ from pyramid.testing import DummySecurityPolicy policy = DummySecurityPolicy( - identity, permissive, remember_result, forget_result + userid, identity, permissive, remember_result, forget_result ) self.registry.registerUtility(policy, ISecurityPolicy) return policy diff --git a/src/pyramid/interfaces.py b/src/pyramid/interfaces.py index 688293509..11b794e2b 100644 --- a/src/pyramid/interfaces.py +++ b/src/pyramid/interfaces.py @@ -484,18 +484,21 @@ class IViewMapperFactory(Interface): class ISecurityPolicy(Interface): def identify(request): - """ Return an object identifying a trusted and verified user. This - object may be anything, but should implement a ``__str__`` method that - outputs a corresponding :term:`userid`. + """ Return an object identifying a trusted and verified user. + The object may be anything. """ - def permits(request, context, identity, permission): + def authenticated_userid(request, identity): + """ Return a :term:`userid` string identifying the trusted and + verified user, or ``None`` if unauthenticated. + """ + + def permits(request, context, permission): """ Return an instance of :class:`pyramid.security.Allowed` if a user of the given identity is allowed the ``permission`` in the current ``context``, else return an instance of :class:`pyramid.security.Denied`. - """ def remember(request, userid, **kw): @@ -503,13 +506,11 @@ class ISecurityPolicy(Interface): :term:`userid` named ``userid`` when set in a response. An individual authentication policy and its consumers can decide on the composition and meaning of ``**kw``. - """ - def forget(request): + def forget(request, **kw): """ Return a set of headers suitable for 'forgetting' the current user on subsequent requests. - """ diff --git a/src/pyramid/security.py b/src/pyramid/security.py index 08c36b457..053ff5818 100644 --- a/src/pyramid/security.py +++ b/src/pyramid/security.py @@ -82,7 +82,7 @@ def remember(request, userid, **kw): return policy.remember(request, userid, **kw) -def forget(request): +def forget(request, **kw): """ Return a sequence of header tuples (e.g. ``[('Set-Cookie', 'foo=abc')]``) suitable for 'forgetting' the set of credentials @@ -104,7 +104,7 @@ def forget(request): policy = _get_security_policy(request) if policy is None: return [] - return policy.forget(request) + return policy.forget(request, **kw) def principals_allowed_by_permission(context, permission): @@ -293,7 +293,9 @@ class ACLAllowed(ACLPermitsResult, Allowed): """ -class SecurityAPIMixin(object): +class SecurityAPIMixin: + """ Mixin for Request class providing auth-related properties. """ + @property def authenticated_identity(self): """ @@ -315,18 +317,14 @@ class SecurityAPIMixin(object): .. versionchanged:: 2.0 - When using the new security system, this property outputs the - string representation of the :term:`identity`. + This property delegates to the effective :term:`security policy`, + ignoring old-style :term:`authentication policy`. """ - authn = _get_authentication_policy(self) - security = _get_security_policy(self) - if authn is not None: - return authn.authenticated_userid(self) - elif security is not None: - return str(security.identify(self)) - else: + policy = _get_security_policy(self) + if policy is None: return None + return policy.authenticated_userid(self) def has_permission(self, permission, context=None): """ Given a permission and an optional context, returns an instance of @@ -353,11 +351,12 @@ class SecurityAPIMixin(object): policy = _get_security_policy(self) if policy is None: return Allowed('No security policy in use.') - identity = policy.identify(self) - return policy.permits(self, context, identity, permission) + return policy.permits(self, context, permission) class AuthenticationAPIMixin(object): + """ Mixin for Request class providing compatibility properties. """ + @property def unauthenticated_userid(self): """ @@ -365,8 +364,8 @@ class AuthenticationAPIMixin(object): ``unauthenticated_userid`` does not have an equivalent in the new security system. Use :attr:`.authenticated_userid` or - :attr:`.identity` instead. See :ref:`upgrading_auth` for more - information. + :attr:`.authenticated_identity` instead. + See :ref:`upgrading_auth` for more information. Return an object which represents the *claimed* (not verified) user id of the credentials present in the request. ``None`` if there is no @@ -377,14 +376,18 @@ class AuthenticationAPIMixin(object): associated with the userid exists in persistent storage. """ - authn = _get_authentication_policy(self) - security = _get_security_policy(self) - if authn is not None: - return authn.unauthenticated_userid(self) - elif security is not None: - return str(security.identify(self)) - else: + policy = _get_security_policy(self) + if policy is None: return None + return policy.authenticated_userid(self) + + unauthenticated_userid = deprecated( + unauthenticated_userid, + 'The new security policy has removed the concept of unauthenticated ' + 'userid. See https://docs.pylonsproject.org/projects/pyramid/en/latest' + '/whatsnew-2.0.html#upgrading-authentication-authorization ' + 'for more information.', + ) @property def effective_principals(self): @@ -428,7 +431,7 @@ class LegacySecurityPolicy: def _get_authz_policy(self, request): return request.registry.getUtility(IAuthorizationPolicy) - def identify(self, request): + def authenticated_userid(self, request): authn = self._get_authn_policy(request) return authn.authenticated_userid(request) @@ -436,11 +439,12 @@ class LegacySecurityPolicy: authn = self._get_authn_policy(request) return authn.remember(request, userid, **kw) - def forget(self, request): + def forget(self, request, **kw): authn = self._get_authn_policy(request) + # XXX log warning if varkwargs were passed? return authn.forget(request) - def permits(self, request, context, identity, permission): + def permits(self, request, context, permission): authn = self._get_authn_policy(request) authz = self._get_authz_policy(request) principals = authn.effective_principals(request) diff --git a/src/pyramid/testing.py b/src/pyramid/testing.py index 3bf3f1898..316e0bd15 100644 --- a/src/pyramid/testing.py +++ b/src/pyramid/testing.py @@ -42,11 +42,13 @@ class DummySecurityPolicy(object): def __init__( self, + userid=None, identity=None, permissive=True, remember_result=None, forget_result=None, ): + self.userid = None self.identity = identity self.permissive = permissive if remember_result is None: @@ -59,14 +61,17 @@ class DummySecurityPolicy(object): def identify(self, request): return self.identity - def permits(self, request, context, identity, permission): + def authenticated_userid(self, request): + return self.userid + + def permits(self, request, context, permission): return self.permissive def remember(self, request, userid, **kw): self.remembered = userid return self.remember_result - def forget(self, request): + def forget(self, request, **kw): self.forgotten = True return self.forget_result diff --git a/src/pyramid/viewderivers.py b/src/pyramid/viewderivers.py index 35f9a08d2..7c28cbf85 100644 --- a/src/pyramid/viewderivers.py +++ b/src/pyramid/viewderivers.py @@ -316,8 +316,7 @@ def _secured_view(view, info): if policy and (permission is not None): def permitted(context, request): - identity = policy.identify(request) - return policy.permits(request, context, identity, permission) + return policy.permits(request, context, permission) def secured_view(context, request): result = permitted(context, request) @@ -363,10 +362,8 @@ def _authdebug_view(view, info): elif permission is None: msg = 'Allowed (no permission registered)' else: - identity = policy.identify(request) - msg = str( - policy.permits(request, context, identity, permission) - ) + result = policy.permits(request, context, permission) + msg = str(result) else: msg = 'Allowed (no security policy in use)' -- cgit v1.2.3 From 279fbb2524586d8a0ed1d5fa28ca1aced79eb126 Mon Sep 17 00:00:00 2001 From: Theron Luhn Date: Sat, 14 Dec 2019 17:49:44 -0600 Subject: Update docs from Configurator.testing_securitypolicy. --- src/pyramid/config/testing.py | 69 +++++++++++++++++++++---------------------- src/pyramid/testing.py | 2 +- 2 files changed, 34 insertions(+), 37 deletions(-) (limited to 'src') diff --git a/src/pyramid/config/testing.py b/src/pyramid/config/testing.py index 83a8db552..2cde8fc59 100644 --- a/src/pyramid/config/testing.py +++ b/src/pyramid/config/testing.py @@ -19,41 +19,38 @@ class TestingConfiguratorMixin(object): remember_result=None, forget_result=None, ): - """Unit/integration testing helper: Registers a pair of faux - :app:`Pyramid` security policies: a :term:`authentication - policy` and a :term:`authorization policy`. - - The behavior of the registered :term:`authorization policy` - depends on the ``permissive`` argument. If ``permissive`` is - true, a permissive :term:`authorization policy` is registered; - this policy allows all access. If ``permissive`` is false, a - nonpermissive :term:`authorization policy` is registered; this - policy denies all access. - - ``remember_result``, if provided, should be the result returned by - the ``remember`` method of the faux authentication policy. If it is - not provided (or it is provided, and is ``None``), the default value - ``[]`` (the empty list) will be returned by ``remember``. - - ``forget_result``, if provided, should be the result returned by - the ``forget`` method of the faux authentication policy. If it is - not provided (or it is provided, and is ``None``), the default value - ``[]`` (the empty list) will be returned by ``forget``. - - XXX rewrite - The behavior of the registered :term:`authentication policy` - depends on the values provided for the ``userid`` and - ``groupids`` argument. The authentication policy will return - the userid identifier implied by the ``userid`` argument and - the group ids implied by the ``groupids`` argument when the - :attr:`pyramid.request.Request.authenticated_userid` or - :attr:`pyramid.request.Request.effective_principals` APIs are - used. - - This function is most useful when testing code that uses - the APIs named :meth:`pyramid.request.Request.has_permission`, - :attr:`pyramid.request.Request.authenticated_userid`, - :func:`pyramid.security.principals_allowed_by_permission`. + """Unit/integration testing helper. Registers a faux :term:`security + policy`. + + This function is most useful when testing code that uses the security + APIs, such as :meth:`pyramid.request.Request.identity`, + :attr:`pyramid.request.Request.authenticated_userid`, or + :meth:`pyramid.request.Request.has_permission`, + + The behavior of the registered :term:`security policy` depends on the + arguments passed to this method. + + :param userid: If provided, the policy's ``authenticated_userid`` + method will return this value. As a result, + :attr:`pyramid.request.Request.authenticated_userid` will have this + value as well. + :type userid: str + :param identity: If provided, the policy's ``identify`` method will + return this value. As a result, + :attr:`pyramid.request.Request.authenticated_identity`` will have + this value. + :type identity: object + :param permissive: If true, the policy will allow access to any user + for any permission. If false, the policy will deny all access. + :type permissive: bool + :param remember_result: If provided, the policy's ``remember`` method + will return this value. Otherwise, ``remember`` will return an + empty list. + :type remember_result: list + :param forget_result: If provided, the policy's ``forget`` method will + return this value. Otherwise, ``forget`` will return an empty + list. + :type forget_result: list .. versionadded:: 1.4 The ``remember_result`` argument. @@ -62,7 +59,7 @@ class TestingConfiguratorMixin(object): The ``forget_result`` argument. .. versionchanged:: 2.0 - Removed ``groupids`` argument and doc about effective principals. + Removed ``groupids`` argument and add `identity` argument. """ from pyramid.testing import DummySecurityPolicy diff --git a/src/pyramid/testing.py b/src/pyramid/testing.py index 316e0bd15..a1870874e 100644 --- a/src/pyramid/testing.py +++ b/src/pyramid/testing.py @@ -38,7 +38,7 @@ class DummyRootFactory(object): class DummySecurityPolicy(object): - """ A standin for a security policy""" + """ A standin for a :term:`security policy`.""" def __init__( self, -- cgit v1.2.3 From 495da107e3da765649957a0c03561648ea75e26b Mon Sep 17 00:00:00 2001 From: Theron Luhn Date: Sat, 14 Dec 2019 18:57:03 -0600 Subject: Correct implementation of Request.unauthenticated_userid. New implementation was not backwards compatible. This brings back the old implementation, except changing to pull from ISecurityPolicy.authenticated_userid when applicable. Also undeprecated the method again. --- src/pyramid/security.py | 18 +++++++----------- 1 file changed, 7 insertions(+), 11 deletions(-) (limited to 'src') diff --git a/src/pyramid/security.py b/src/pyramid/security.py index 053ff5818..838bcebbd 100644 --- a/src/pyramid/security.py +++ b/src/pyramid/security.py @@ -376,18 +376,14 @@ class AuthenticationAPIMixin(object): associated with the userid exists in persistent storage. """ - policy = _get_security_policy(self) - if policy is None: + authn = _get_authentication_policy(self) + security = _get_security_policy(self) + if authn is not None: + return authn.unauthenticated_userid(self) + elif security is not None: + return security.authenticated_userid(self) + else: return None - return policy.authenticated_userid(self) - - unauthenticated_userid = deprecated( - unauthenticated_userid, - 'The new security policy has removed the concept of unauthenticated ' - 'userid. See https://docs.pylonsproject.org/projects/pyramid/en/latest' - '/whatsnew-2.0.html#upgrading-authentication-authorization ' - 'for more information.', - ) @property def effective_principals(self): -- cgit v1.2.3 From fe637b6953eb95137844a4c1153ccc33ab8136e3 Mon Sep 17 00:00:00 2001 From: Theron Luhn Date: Sat, 14 Dec 2019 19:05:36 -0600 Subject: Bring back `identify` to `LegacySecurityPolicy`. --- src/pyramid/security.py | 3 +++ 1 file changed, 3 insertions(+) (limited to 'src') diff --git a/src/pyramid/security.py b/src/pyramid/security.py index 838bcebbd..f07bc0bfe 100644 --- a/src/pyramid/security.py +++ b/src/pyramid/security.py @@ -427,6 +427,9 @@ class LegacySecurityPolicy: def _get_authz_policy(self, request): return request.registry.getUtility(IAuthorizationPolicy) + def identify(self, request): + return self.authenticated_userid(request) + def authenticated_userid(self, request): authn = self._get_authn_policy(request) return authn.authenticated_userid(request) -- cgit v1.2.3 From d699c9ace8028bf74e1c6c3ea085fdf9beeb2586 Mon Sep 17 00:00:00 2001 From: Theron Luhn Date: Sat, 14 Dec 2019 19:12:01 -0600 Subject: Raise error on kwargs in `LegacySecurityPolicy.forget`. --- src/pyramid/security.py | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'src') diff --git a/src/pyramid/security.py b/src/pyramid/security.py index f07bc0bfe..e3a978c52 100644 --- a/src/pyramid/security.py +++ b/src/pyramid/security.py @@ -439,8 +439,12 @@ class LegacySecurityPolicy: return authn.remember(request, userid, **kw) def forget(self, request, **kw): + if kw: + raise ValueError( + 'Legacy authentication policies do not support keyword ' + 'arguments for `forget`' + ) authn = self._get_authn_policy(request) - # XXX log warning if varkwargs were passed? return authn.forget(request) def permits(self, request, context, permission): -- cgit v1.2.3 From 638125171a311b9a6ba7c02da844ca601a2b0e0e Mon Sep 17 00:00:00 2001 From: Theron Luhn Date: Sat, 14 Dec 2019 19:16:58 -0600 Subject: Fix tests for `DummySecurityPolicy`. --- src/pyramid/testing.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src') diff --git a/src/pyramid/testing.py b/src/pyramid/testing.py index a1870874e..a92bb5d03 100644 --- a/src/pyramid/testing.py +++ b/src/pyramid/testing.py @@ -48,7 +48,7 @@ class DummySecurityPolicy(object): remember_result=None, forget_result=None, ): - self.userid = None + self.userid = userid self.identity = identity self.permissive = permissive if remember_result is None: -- cgit v1.2.3 From cd0b92d10bfbb38068c216ce44dde9732fa127a8 Mon Sep 17 00:00:00 2001 From: Theron Luhn Date: Sat, 14 Dec 2019 20:27:30 -0600 Subject: Update docs. --- src/pyramid/interfaces.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'src') diff --git a/src/pyramid/interfaces.py b/src/pyramid/interfaces.py index 11b794e2b..891b851ee 100644 --- a/src/pyramid/interfaces.py +++ b/src/pyramid/interfaces.py @@ -484,9 +484,9 @@ class IViewMapperFactory(Interface): class ISecurityPolicy(Interface): def identify(request): - """ Return an object identifying a trusted and verified user. - - The object may be anything. + """ Return an object identifying a trusted and verified user for the + current request. The object can be of any shape, such as a simple ID + string or an ORM object. """ def authenticated_userid(request, identity): -- cgit v1.2.3 From 2e06fa414412688dc3b7e0b422b0fc0b96ec882f Mon Sep 17 00:00:00 2001 From: Theron Luhn Date: Sat, 14 Dec 2019 20:17:36 -0800 Subject: Bring back identity into permits. --- src/pyramid/interfaces.py | 2 +- src/pyramid/security.py | 6 ++++-- src/pyramid/testing.py | 2 +- src/pyramid/viewderivers.py | 9 ++++++--- 4 files changed, 12 insertions(+), 7 deletions(-) (limited to 'src') diff --git a/src/pyramid/interfaces.py b/src/pyramid/interfaces.py index 891b851ee..d20401028 100644 --- a/src/pyramid/interfaces.py +++ b/src/pyramid/interfaces.py @@ -494,7 +494,7 @@ class ISecurityPolicy(Interface): verified user, or ``None`` if unauthenticated. """ - def permits(request, context, permission): + def permits(request, context, identity, permission): """ Return an instance of :class:`pyramid.security.Allowed` if a user of the given identity is allowed the ``permission`` in the current ``context``, else return an instance of diff --git a/src/pyramid/security.py b/src/pyramid/security.py index e3a978c52..d6af69e51 100644 --- a/src/pyramid/security.py +++ b/src/pyramid/security.py @@ -351,7 +351,9 @@ class SecurityAPIMixin: policy = _get_security_policy(self) if policy is None: return Allowed('No security policy in use.') - return policy.permits(self, context, permission) + return policy.permits( + self, context, self.authenticated_identity, permission + ) class AuthenticationAPIMixin(object): @@ -447,7 +449,7 @@ class LegacySecurityPolicy: authn = self._get_authn_policy(request) return authn.forget(request) - def permits(self, request, context, permission): + def permits(self, request, context, identity, permission): authn = self._get_authn_policy(request) authz = self._get_authz_policy(request) principals = authn.effective_principals(request) diff --git a/src/pyramid/testing.py b/src/pyramid/testing.py index a92bb5d03..f550156dd 100644 --- a/src/pyramid/testing.py +++ b/src/pyramid/testing.py @@ -64,7 +64,7 @@ class DummySecurityPolicy(object): def authenticated_userid(self, request): return self.userid - def permits(self, request, context, permission): + def permits(self, request, context, identity, permission): return self.permissive def remember(self, request, userid, **kw): diff --git a/src/pyramid/viewderivers.py b/src/pyramid/viewderivers.py index 7c28cbf85..35f9a08d2 100644 --- a/src/pyramid/viewderivers.py +++ b/src/pyramid/viewderivers.py @@ -316,7 +316,8 @@ def _secured_view(view, info): if policy and (permission is not None): def permitted(context, request): - return policy.permits(request, context, permission) + identity = policy.identify(request) + return policy.permits(request, context, identity, permission) def secured_view(context, request): result = permitted(context, request) @@ -362,8 +363,10 @@ def _authdebug_view(view, info): elif permission is None: msg = 'Allowed (no permission registered)' else: - result = policy.permits(request, context, permission) - msg = str(result) + identity = policy.identify(request) + msg = str( + policy.permits(request, context, identity, permission) + ) else: msg = 'Allowed (no security policy in use)' -- cgit v1.2.3 From 7b74e97fd156bef6b8f347d7d38615d5bea6c967 Mon Sep 17 00:00:00 2001 From: Theron Luhn Date: Sun, 15 Dec 2019 09:15:12 -0800 Subject: Four spaces of indentation. --- src/pyramid/config/testing.py | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'src') diff --git a/src/pyramid/config/testing.py b/src/pyramid/config/testing.py index 2cde8fc59..58b239232 100644 --- a/src/pyramid/config/testing.py +++ b/src/pyramid/config/testing.py @@ -53,13 +53,14 @@ class TestingConfiguratorMixin(object): :type forget_result: list .. versionadded:: 1.4 - The ``remember_result`` argument. + The ``remember_result`` argument. .. versionadded:: 1.4 - The ``forget_result`` argument. + The ``forget_result`` argument. .. versionchanged:: 2.0 - Removed ``groupids`` argument and add `identity` argument. + Removed ``groupids`` argument and add `identity` argument. + """ from pyramid.testing import DummySecurityPolicy -- cgit v1.2.3 From 32bf9b3669f2ba0c4a0aaf35f4e2cdad8f9314f0 Mon Sep 17 00:00:00 2001 From: Theron Luhn Date: Sun, 15 Dec 2019 19:55:10 -0800 Subject: Revert "Bring back identity into permits." This reverts commit 2e06fa414412688dc3b7e0b422b0fc0b96ec882f. --- src/pyramid/interfaces.py | 2 +- src/pyramid/security.py | 6 ++---- src/pyramid/testing.py | 2 +- src/pyramid/viewderivers.py | 9 +++------ 4 files changed, 7 insertions(+), 12 deletions(-) (limited to 'src') diff --git a/src/pyramid/interfaces.py b/src/pyramid/interfaces.py index d20401028..891b851ee 100644 --- a/src/pyramid/interfaces.py +++ b/src/pyramid/interfaces.py @@ -494,7 +494,7 @@ class ISecurityPolicy(Interface): verified user, or ``None`` if unauthenticated. """ - def permits(request, context, identity, permission): + def permits(request, context, permission): """ Return an instance of :class:`pyramid.security.Allowed` if a user of the given identity is allowed the ``permission`` in the current ``context``, else return an instance of diff --git a/src/pyramid/security.py b/src/pyramid/security.py index d6af69e51..e3a978c52 100644 --- a/src/pyramid/security.py +++ b/src/pyramid/security.py @@ -351,9 +351,7 @@ class SecurityAPIMixin: policy = _get_security_policy(self) if policy is None: return Allowed('No security policy in use.') - return policy.permits( - self, context, self.authenticated_identity, permission - ) + return policy.permits(self, context, permission) class AuthenticationAPIMixin(object): @@ -449,7 +447,7 @@ class LegacySecurityPolicy: authn = self._get_authn_policy(request) return authn.forget(request) - def permits(self, request, context, identity, permission): + def permits(self, request, context, permission): authn = self._get_authn_policy(request) authz = self._get_authz_policy(request) principals = authn.effective_principals(request) diff --git a/src/pyramid/testing.py b/src/pyramid/testing.py index f550156dd..a92bb5d03 100644 --- a/src/pyramid/testing.py +++ b/src/pyramid/testing.py @@ -64,7 +64,7 @@ class DummySecurityPolicy(object): def authenticated_userid(self, request): return self.userid - def permits(self, request, context, identity, permission): + def permits(self, request, context, permission): return self.permissive def remember(self, request, userid, **kw): diff --git a/src/pyramid/viewderivers.py b/src/pyramid/viewderivers.py index 35f9a08d2..7c28cbf85 100644 --- a/src/pyramid/viewderivers.py +++ b/src/pyramid/viewderivers.py @@ -316,8 +316,7 @@ def _secured_view(view, info): if policy and (permission is not None): def permitted(context, request): - identity = policy.identify(request) - return policy.permits(request, context, identity, permission) + return policy.permits(request, context, permission) def secured_view(context, request): result = permitted(context, request) @@ -363,10 +362,8 @@ def _authdebug_view(view, info): elif permission is None: msg = 'Allowed (no permission registered)' else: - identity = policy.identify(request) - msg = str( - policy.permits(request, context, identity, permission) - ) + result = policy.permits(request, context, permission) + msg = str(result) else: msg = 'Allowed (no security policy in use)' -- cgit v1.2.3 From 5f6f7184a997cb2dfa341eef53259d4254a242e8 Mon Sep 17 00:00:00 2001 From: Theron Luhn Date: Sun, 15 Dec 2019 20:27:10 -0800 Subject: Remove requirement that identity is validated. --- src/pyramid/interfaces.py | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) (limited to 'src') diff --git a/src/pyramid/interfaces.py b/src/pyramid/interfaces.py index 891b851ee..c0ff317a4 100644 --- a/src/pyramid/interfaces.py +++ b/src/pyramid/interfaces.py @@ -483,17 +483,16 @@ class IViewMapperFactory(Interface): class ISecurityPolicy(Interface): - def identify(request): - """ Return an object identifying a trusted and verified user for the - current request. The object can be of any shape, such as a simple ID - string or an ORM object. - """ - def authenticated_userid(request, identity): """ Return a :term:`userid` string identifying the trusted and verified user, or ``None`` if unauthenticated. """ + def identify(request): + """ Return the :term:`identity` of the current user. The object can be + of any shape, such as a simple ID string or an ORM object. + """ + def permits(request, context, permission): """ Return an instance of :class:`pyramid.security.Allowed` if a user of the given identity is allowed the ``permission`` in the current -- cgit v1.2.3 From 03069ff0845c1b85c21119985e8157d54e7ce71c Mon Sep 17 00:00:00 2001 From: Theron Luhn Date: Mon, 16 Dec 2019 11:37:45 -0800 Subject: Fix EffectivePrincipalsPredicate deprecation warning. Fired upon registering, not upon use. --- src/pyramid/predicates.py | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) (limited to 'src') diff --git a/src/pyramid/predicates.py b/src/pyramid/predicates.py index a09933253..83f7f3295 100644 --- a/src/pyramid/predicates.py +++ b/src/pyramid/predicates.py @@ -285,6 +285,14 @@ class EffectivePrincipalsPredicate(object): else: self.val = set((val,)) + __init__ = deprecated( + __init__, + 'The new security policy has removed the concept of principals. See ' + 'https://docs.pylonsproject.org/projects/pyramid/en/latest' + '/whatsnew-2.0.html#upgrading-authentication-authorization ' + 'for more information.', + ) + def text(self): return 'effective_principals = %s' % sorted(list(self.val)) @@ -299,15 +307,6 @@ class EffectivePrincipalsPredicate(object): return False -deprecated( - 'EffectivePrincipalsPredicate', - 'The new security policy has removed the concept of principals. See ' - 'https://docs.pylonsproject.org/projects/pyramid/en/latest' - '/whatsnew-2.0.html#upgrading-authentication-authorization ' - 'for more information.', -) - - class Notted(object): def __init__(self, predicate): self.predicate = predicate -- cgit v1.2.3 From 965dd8295fc9fade649ca61b899811492a0dd2f6 Mon Sep 17 00:00:00 2001 From: Theron Luhn Date: Tue, 17 Dec 2019 11:28:51 -0800 Subject: Remove `identity` from authenticated_userid interface. --- src/pyramid/interfaces.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src') diff --git a/src/pyramid/interfaces.py b/src/pyramid/interfaces.py index c0ff317a4..af3c61503 100644 --- a/src/pyramid/interfaces.py +++ b/src/pyramid/interfaces.py @@ -483,7 +483,7 @@ class IViewMapperFactory(Interface): class ISecurityPolicy(Interface): - def authenticated_userid(request, identity): + def authenticated_userid(request): """ Return a :term:`userid` string identifying the trusted and verified user, or ``None`` if unauthenticated. """ -- cgit v1.2.3 From 3b34a67aa3916a766369220a0185b648b9513489 Mon Sep 17 00:00:00 2001 From: Theron Luhn Date: Tue, 17 Dec 2019 11:32:16 -0800 Subject: Improve docs for remember/forget. --- src/pyramid/interfaces.py | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) (limited to 'src') diff --git a/src/pyramid/interfaces.py b/src/pyramid/interfaces.py index af3c61503..c4160cc2b 100644 --- a/src/pyramid/interfaces.py +++ b/src/pyramid/interfaces.py @@ -502,14 +502,15 @@ class ISecurityPolicy(Interface): def remember(request, userid, **kw): """ Return a set of headers suitable for 'remembering' the - :term:`userid` named ``userid`` when set in a response. An - individual authentication policy and its consumers can - decide on the composition and meaning of ``**kw``. + :term:`userid` named ``userid`` when set in a response. An individual + security policy and its consumers can decide on the composition and + meaning of ``**kw``. """ def forget(request, **kw): """ Return a set of headers suitable for 'forgetting' the - current user on subsequent requests. + current user on subsequent requests. An individual security policy and + its consumers can decide on the composition and meaning of ``**kw``. """ -- cgit v1.2.3 From c52cfec057a9e22b794da655eac1708dfba8bef7 Mon Sep 17 00:00:00 2001 From: Michael Merickel Date: Mon, 23 Dec 2019 13:31:54 -0600 Subject: modify deprecation warning --- src/pyramid/config/routes.py | 11 +++++++++++ src/pyramid/config/views.py | 11 +++++++++++ src/pyramid/predicates.py | 18 ------------------ 3 files changed, 22 insertions(+), 18 deletions(-) (limited to 'src') diff --git a/src/pyramid/config/routes.py b/src/pyramid/config/routes.py index 4b26b7481..daef8e9f2 100644 --- a/src/pyramid/config/routes.py +++ b/src/pyramid/config/routes.py @@ -332,6 +332,17 @@ class RoutesConfiguratorMixin(object): stacklevel=3, ) + if 'effective_principals' in predicates: + warnings.warn( + ( + 'The new security policy has removed the concept of ' + 'principals. See "Upgrading Authentication/Authorization" ' + 'in "What\'s New in Pyramid 2.0" for more information.' + ), + DeprecationWarning, + stacklevel=3, + ) + if accept is not None: if not is_nonstr_iter(accept): accept = [accept] diff --git a/src/pyramid/config/views.py b/src/pyramid/config/views.py index bc0b05a08..1c17d2343 100644 --- a/src/pyramid/config/views.py +++ b/src/pyramid/config/views.py @@ -791,6 +791,17 @@ class ViewsConfiguratorMixin(object): stacklevel=4, ) + if 'effective_principals' in view_options: + warnings.warn( + ( + 'The new security policy has removed the concept of ' + 'principals. See "Upgrading Authentication/Authorization" ' + 'in "What\'s New in Pyramid 2.0" for more information.' + ), + DeprecationWarning, + stacklevel=4, + ) + if accept is not None: if is_nonstr_iter(accept): raise ConfigurationError( diff --git a/src/pyramid/predicates.py b/src/pyramid/predicates.py index 83f7f3295..32c6a4089 100644 --- a/src/pyramid/predicates.py +++ b/src/pyramid/predicates.py @@ -1,7 +1,5 @@ import re -from zope.deprecation import deprecated - from pyramid.exceptions import ConfigurationError from pyramid.traversal import ( @@ -271,28 +269,12 @@ class PhysicalPathPredicate(object): class EffectivePrincipalsPredicate(object): - """ - .. deprecated:: 2.0 - - The new security system has removed the concept of principals. See - :ref:`upgrading_auth` for more information. - - """ - def __init__(self, val, config): if is_nonstr_iter(val): self.val = set(val) else: self.val = set((val,)) - __init__ = deprecated( - __init__, - 'The new security policy has removed the concept of principals. See ' - 'https://docs.pylonsproject.org/projects/pyramid/en/latest' - '/whatsnew-2.0.html#upgrading-authentication-authorization ' - 'for more information.', - ) - def text(self): return 'effective_principals = %s' % sorted(list(self.val)) -- cgit v1.2.3