Bloks

Blok Auth

class anyblok_pyramid.bloks.auth.Auth(registry)

Bases: anyblok.blok.Blok

author = 'Jean-Sébastien Suzanne'
conditional_by = []
conflicting_by = []
classmethod import_declaration_module()

Do the python import for the Declaration of the model or other

name = 'auth'
optional_by = []
classmethod pyramid_load_config(config)
classmethod reload_declaration_module(reload)
required = ['anyblok-core']
required_by = ['auth-password', 'authorization']
version = '0.1.0'

How to use it

This blok defined User and the base of the Authentication / Authorization.

Alone this Blok is useless because no credential and autorization are defined

You can:

  • Create an user:

    user = registry.User.insert(
        login='jssuzanne',
        first_name='Jean-Sébastien',
        last_name='Suzanne'
    )
    
    user.name  # Jean-Sébastien SUZANNE
    
  • Add a role at this user:

    role = registry.User.Role.insert(
        name='admin',
        label='Administrator'
    )
    user.roles.append(role)
    
  • check a permission for a user to use a resource:

    from anyblok_pyramid.security import AnyBlokResourceFactory
    
    @view_config(
        route_name='my_view',
        factory=AnyBlokResourceFactory('my_resource')
        permission='my_permission'
    )
    def my_view(request):
        return Response('Ok I have the permission')
    

Warning

The have to define credential behaviours, to login and logout

User

class anyblok_pyramid.bloks.auth.user.User

Bases: object

User declaration need for Auth

AnyBlok registration:

  • Type: Model
  • Registry name: Model.User
  • Tablename: user
Fields  
login
  • default - anyblok.column.NoDefaultValue
  • size - 64
  • nullable - False
  • Type - anyblok.column.String
  • primary_key - True
first_name
  • default - anyblok.column.NoDefaultValue
  • size - 64
  • nullable - False
  • Type - anyblok.column.String
last_name
  • default - anyblok.column.NoDefaultValue
  • size - 64
  • nullable - False
  • Type - anyblok.column.String
name
  • Type - anyblok.field.Function
  • fget - 'get_name'
classmethod check_login(login=None, password=None, **kwargs)

Check login / password

This method raise an exception, because any credential is stored in this bloks

Warning

This method must be overwriting by anycredential blok

Parameters:
  • login – str, the login attribute of the user
  • password – str
  • kwargs – any options need to validate credential
first_name = <anyblok.column.String object>
classmethod format_login_params(request)

Return the login and password from query

By default the query come from json_body and are named login and password

If the entries come from another place, this method must be overwrite :param request: the request from the controllers

classmethod get_acl(login, resource, params=None)

Retun the ACL for a ressource and a user

Auth, does not implement any rule to compute ACL, This method allow all user to use the resource ask by controllers.

For other configuration, this method must be overwrite

Parameters:
  • login – str, login attribute of the user
  • resource – str, name of a resource
  • params – all options need to compute ACL
classmethod get_login_location_to(login, request)

Return the default path after the login

classmethod get_logout_location_to(request)

Return the default path after the logout

get_name()

Return the name of the user

classmethod get_roles(login)

Return the roles of an user

Parameters:login – str, login attribute of the user
Return type:list of str (name of the roles)
last_name = <anyblok.column.String object>
login = <anyblok.column.String object>
name = <anyblok.field.Function object>

Role

class anyblok_pyramid.bloks.auth.role.Role

Bases: object

Role, allow to group some authorization for an user

AnyBlok registration:

  • Type: Model
  • Registry name: Model.User.Role
  • Tablename: user_role
Fields  
label
  • default - anyblok.column.NoDefaultValue
  • size - 64
  • nullable - False
  • Type - anyblok.column.String
roles_name
  • Type - anyblok.field.Function
  • fget - 'get_all_roles_name'
users
  • backref - 'roles'
  • model - Model.User
  • remote_columns - None
  • local_columns - None
  • Type - anyblok.relationship.Many2Many
  • m2m_local_columns - None
  • compute_join - False
  • m2m_remote_columns - None
children
  • backref - 'parents'
  • model - Model.User.Role
  • remote_columns - None
  • local_columns - None
  • Type - anyblok.relationship.Many2Many
  • m2m_local_columns - None
  • compute_join - False
  • m2m_remote_columns - None
name
  • default - anyblok.column.NoDefaultValue
  • size - 64
  • nullable - False
  • Type - anyblok.column.String
  • primary_key - True
classmethod before_update_orm_event(mapper, connection, target)

Check if the role has not any cyclical dependencies

children = <anyblok.relationship.Many2Many object>
get_all_roles_name()

Return all the name of the roles self and dependencies

label = <anyblok.column.String object>
name = <anyblok.column.String object>
roles_name = <anyblok.field.Function object>
users = <anyblok.relationship.Many2Many object>

Views

Give the views forlogin and logout, this views, is not applied by default You must declare the route to use them

anyblok_pyramid.bloks.auth.views.login(request)

Default view to login one user

anyblok_pyramid.bloks.auth.views.logout(request)

Default view to logout one user

Configuration

Define the authentification / authorization policies, This depend of the options passed on the global configuration

anyblok_pyramid.bloks.auth.pyramid.getAuthenticationPolicy()

Return the authentication policy in function method in configuration

anyblok_pyramid.bloks.auth.pyramid.getAuthTktAuthenticationPolicy()

Define the authentication policy for Tkt

anyblok_pyramid.bloks.auth.pyramid.getRemoteUserAuthenticationPolicy()

Define the authentication policy for remote user server

anyblok_pyramid.bloks.auth.pyramid.getSessionAuthenticationPolicy()

Define the authentication policy for a session

anyblok_pyramid.bloks.auth.pyramid.getBasicAuthAuthenticationPolicy()

Define the authentication policy for a basic auth

Exceptions

exception anyblok_pyramid.bloks.auth.exceptions.RecursionRoleError

Simple exception to check if the roles is cyclic

Blok Password

class anyblok_pyramid.bloks.password.Password(registry)

Bases: anyblok.blok.Blok

author = 'Jean-Sébastien Suzanne'
conditional_by = []
conflicting_by = []
classmethod import_declaration_module()

Do the python import for the Declaration of the model or other

name = 'auth-password'
optional_by = []
classmethod reload_declaration_module(reload)
required = ['auth']
required_by = []
version = '0.1.0'

How to use it

This Blok define credential from an existing user. You can not add credential for an unexisting user because one foreign key constraint is defined between both.

  • You must have an user:

    user = registry.User.insert(
        login='jssuzanne',
        first_name='Jean-Sébastien',
        last_name='Suzanne'
    )
    
  • Define the credential:

    registry.User.CredentialStore.insert(
        login=user.login,
        password='secret password',
    )
    

Note

The password use the Password column, the value is crypted is table and can not be get during the execution of the application, You only compare it

User

class anyblok_pyramid.bloks.password.user.CredentialStore

Bases: object

Save in table login / password

AnyBlok registration:

  • Type: Model
  • Registry name: Model.User.CredentialStore
  • Tablename: user_credentialstore
Fields  
password
  • default - anyblok.column.NoDefaultValue
  • nullable - False
  • Type - anyblok.column.Password
login
  • default - anyblok.column.NoDefaultValue
  • size - 64
  • foreign_key - Model.User => login
  • nullable - False
  • Type - anyblok.column.String
  • primary_key - True
login = <anyblok.column.String object>
password = <anyblok.column.Password object>
class anyblok_pyramid.bloks.password.user.User

Bases: object

AnyBlok registration:

  • Type: Model
  • Registry name: Model.User
  • Tablename: user
classmethod check_login(login=None, password=None, **kwargs)

Overwrite the method to check if the user exist and the password gave is the same sa the password stored

Parameters:
  • login – str
  • password – str
Exception:

HTTPUnauthorized

Blok Authorization

class anyblok_pyramid.bloks.authorization.Authorization(registry)

Bases: anyblok.blok.Blok

author = 'Jean-Sébastien Suzanne'
conditional_by = []
conflicting_by = []
classmethod import_declaration_module()

Do the python import for the Declaration of the model or other

name = 'authorization'
optional_by = []
classmethod reload_declaration_module(reload)
required = ['auth']
required_by = []
version = '0.1.0'

How to use it

This blok defined authorization for User or Role on a resource or model.

  • Create an user:

    user = registry.User.insert(
        login='jssuzanne',
        first_name='Jean-Sébastien',
        last_name='Suzanne'
    )
    
    user.name  # Jean-Sébastien SUZANNE
    
  • Add an autorization:

    user.roles.append(role)
    registry.User.Authorization.insert(
        resource='something',
        user=user,
        perm_create=dict(matched=True),
        perm_read=dict(matched=True),
        perm_update=dict(matched=True),
        perm_delete=dict(matched=True)
    )
    
    registry.User.Authorization.get_acl('jssuzanne', 'something')
    #  [
    #      (Allow, 'jssuzanne', ['create', 'delete', 'read', 'update']),
    #      (Deny, 'jssuzanne', ALL_PERMISSIONS),
    #  ]
    

The permissiosn is stored in the Json column, the permission can be the CRUD and also any another permission.

Each permission can defined three keys:

  • condition: Query.filter_condition, if the empty then the condition is marked as True
  • matched: If condition is True, the entry indicate the value (default None)
  • unmatched: If condition is False, the entry indicate the value (default None)

matched and unmatched can have three values:

  • True: Add the permission in Allow list,
  • False: Add the permission in the Deny list,
  • None: Do nothing, because this rule can not Allow or Deny

User

class anyblok_pyramid.bloks.authorization.user.User

Bases: object

AnyBlok registration:

  • Type: Model
  • Registry name: Model.User
  • Tablename: user
classmethod get_acl(login, resource, params)

Overwrite the method to return the ACL for the resource and user

Parameters:
  • login – str, login of the user
  • resource – str, name of the resource

Authorization

class anyblok_pyramid.bloks.authorization.authorization.Authorization

Bases: object

Store the autorization rules

AnyBlok registration:

  • Type: Model
  • Registry name: Model.User.Authorization
  • Tablename: user_authorization
Fields  
user
  • model - Model.User
  • index - False
  • Type - anyblok.relationship.Many2One
role
  • model - Model.User.Role
  • index - False
  • Type - anyblok.relationship.Many2One
perms
  • Type - anyblok.column.Json
login
  • default - anyblok.column.NoDefaultValue
  • size - 64
  • foreign_key - Model.User => login
  • Type - anyblok.column.String
id
  • autoincrement - True
  • default - anyblok.column.NoDefaultValue
  • Type - anyblok.column.Integer
  • primary_key - True
perm_read
  • json_column - 'perms'
  • Type - anyblok.field.JsonRelated
  • keys - 'read'
filter
  • Type - anyblok.column.Json
resource
  • default - anyblok.column.NoDefaultValue
  • size - 64
  • Type - anyblok.column.String
model
  • default - anyblok.column.NoDefaultValue
  • size - 64
  • foreign_key - Model.System.Model => name
  • Type - anyblok.column.String
order
  • default - 100
  • nullable - False
  • Type - anyblok.column.Integer
perm_update
  • json_column - 'perms'
  • Type - anyblok.field.JsonRelated
  • keys - 'update'
perm_create
  • json_column - 'perms'
  • Type - anyblok.field.JsonRelated
  • keys - 'create'
perm_delete
  • json_column - 'perms'
  • Type - anyblok.field.JsonRelated
  • keys - 'delete'
primary_keys
  • Type - anyblok.column.Json
classmethod before_insert_orm_event(mapper, connection, target)
classmethod before_update_orm_event(mapper, connection, target)
check_validity()

Check at the insert or update that all rule match

Exception:AuthorizationValidationException
filter = <anyblok.column.Json object>
classmethod get_acl(login, resource, params)

Return the Pyramid ACL in function of the resource and user

Parameters:
  • login – str, login of the user
  • resource – str, name of the resource
classmethod get_acl_filter_model()

Return the Model to use to check the permission

id = <anyblok.column.Integer object>
login = <anyblok.column.String object>
model = <anyblok.column.String object>
order = <anyblok.column.Integer object>
perm_create = <anyblok.field.JsonRelated object>
perm_delete = <anyblok.field.JsonRelated object>
perm_read = <anyblok.field.JsonRelated object>
perm_update = <anyblok.field.JsonRelated object>
perms = <anyblok.column.Json object>
primary_keys = <anyblok.column.Json object>
resource = <anyblok.column.String object>
role = <anyblok.relationship.Many2One object>
user = <anyblok.relationship.Many2One object>

Exceptions

class anyblok_pyramid.bloks.authorization.exceptions.AuthorizationValidationException

Bases: Exception

Simple exception when Authorization entry is wrong