Migrate authn/authz to security policies of Pyramid 2 #2897

Open
leplatrem opened this issue Oct 26, 2021 · 2 comments

Comments

@leplatrem
Contributor

In Pyramid 2, the concepts of authentication and authorization were replaced by a single one: security policies. The concept of principals was replaced with the concept of identity.

Kinto continues to work thanks to this backward compatibility layer LegacySecurityPolicy.

In Kinto, the authorization is implemented in core, and the authentication via plugins.

In order to support the new system, Kinto would have to set up a single security policy, whose authorization part would be similar to what we currently have, and the authentication part from pyramid-multiauth could be rewritten as a helper (composition pattern).

from pyramid.authorization import Authenticated, Everyone
# Proposed helper (composition of the configured authentication methods); it does not exist in pyramid_multiauth yet.
from pyramid_multiauth import MultipleAuthenticationHelper

class KintoSecurityPolicy:
    def __init__(self, settings):
        self.helper = MultipleAuthenticationHelper(settings)

    def identity(self, request):
        # Will iterate through all configured authentication methods
        userid = self.helper.authenticated_userid(request)
        if userid is None:
            return None
        return userid  # tuple with chosen policy and userid

    def authenticated_userid(self, request):
        identity = self.identity(request)
        if identity is None:
            return None
        chosenauthn, userid = identity
        return userid  # the policy name is kept in the identity, the bare userid is returned here

    def principals(self, request, identity):
        # Derived from the identity passed in (request.identity would call self.identity() again)
        principals = [Everyone]
        if identity is not None:
            principals.append(Authenticated)
            chosenauthn, userid = identity
            principals.append(f"{chosenauthn}:{userid}")
            # Look up groups too...
        return principals

    def permits(self, request, context, permission):
        # Use current authorization code here.
        raise NotImplementedError

    def remember(self, request, userid, **kw):
        return self.helper.remember(request, userid, **kw)

    def forget(self, request, **kw):
        return self.helper.forget(request, **kw)

/cc @slav0nic
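The composition pattern the sketch above describes, carried through as a runnable standalone example (added here, not Kinto's or pyramid_multiauth's code): several authentication helpers are tried in order, the identity records which one matched, and that policy name namespaces every principal so that the same raw userid from two different helpers never maps to the same permission. Pyramid is not imported; `Everyone` and `Authenticated` carry Pyramid's real string values, while `HeaderTokenHelper`, `MultipleAuthenticationHelper`, `KintoLikeSecurityPolicy` and the token and group tables are hypothetical, constructed stand-ins.

```python
# Added example (not Kinto or pyramid_multiauth code); Pyramid is not imported.
# Everyone/Authenticated carry Pyramid's real string values; all class names
# here are hypothetical and the user/group tables are constructed.
Everyone = "system.Everyone"
Authenticated = "system.Authenticated"

class HeaderTokenHelper:
    # Hypothetical helper: maps "Authorization: <scheme> <token>" to a userid
    def __init__(self, name, scheme, users):
        self.name = name      # policy name, used to namespace principals
        self.scheme = scheme
        self.users = users    # constructed token -> userid table

    def authenticated_userid(self, request):
        scheme, _, token = request.headers.get("Authorization", "").partition(" ")
        if scheme.lower() != self.scheme.lower():
            return None
        return self.users.get(token)

class MultipleAuthenticationHelper:
    # First helper that recognises the request wins; identity records which one
    def __init__(self, helpers):
        self.helpers = helpers

    def identity(self, request):
        for helper in self.helpers:
            userid = helper.authenticated_userid(request)
            if userid is not None:
                return (helper.name, userid)
        return None

class KintoLikeSecurityPolicy:
    def __init__(self, helper, groups):
        self.helper = helper
        self.groups = groups  # constructed "policy:userid" -> group principals

    def identity(self, request):
        return self.helper.identity(request)

    def authenticated_userid(self, request):
        identity = self.identity(request)
        return None if identity is None else "%s:%s" % identity  # policy-prefixed

    def principals(self, request, identity):
        principals = [Everyone]
        if identity is not None:
            userid = "%s:%s" % identity
            principals += [Authenticated, userid, *self.groups.get(userid, [])]
        return principals

    def permits(self, request, acl, permission):
        # acl: constructed {permission: {principal, ...}} standing in for stored permissions
        allowed = acl.get(permission, set())
        return any(p in allowed for p in self.principals(request, self.identity(request)))
```

Because principals are prefixed with the policy name, an ACL entry for `basicauth:alice` does not grant anything to an `alice` authenticated through a different helper.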

@leplatrem leplatrem added the want label Oct 26, 2021
@slav0nic
Contributor

slav0nic commented Dec 5, 2021

Yes, the Pyramid official docs recommend doing it this way. But in my projects I am still stuck with the old API :)
Here are also some examples from the core: AuthTktCookieHelper, SessionAuthenticationHelper.

Also, Request.unauthenticated_userid is deprecated and should be replaced by authenticated_userid or Request.identity.
Same for Request.effective_principals.

Maybe it makes sense to replace request.bound_data by request.RequestLocalCache (example), see also #1821.

@leplatrem
Contributor Author

@slav0nic was suggesting to look at hypothesis/h#6595
