add basic_auth + simple pyramid auth acl example

tracim/__init__.py

@@ -3,10 +3,14 @@ import json
 import time
 
 from pyramid.config import Configurator
+from pyramid.authentication import BasicAuthAuthenticationPolicy
+from pyramid.authorization import ACLAuthorizationPolicy
 from hapic.ext.pyramid import PyramidContext
 
 from tracim.extensions import hapic
 from tracim.config import CFG
+from tracim.lib.utils.auth import check_credentials
+from tracim.lib.utils.auth import Root
 from tracim.views.example_api.example_api_controller import ExampleApiController
 from tracim.views.default.default_controller import DefaultController
 
@@ -19,6 +23,11 @@ def main(global_config, **settings):
     app_config.configure_filedepot()
     settings['CFG'] = app_config
     configurator = Configurator(settings=settings, autocommit=True)
+    # Add BasicAuthPolicy + ACL AuthorizationPolicy
+    authn_policy = BasicAuthAuthenticationPolicy(check_credentials)
+    configurator.set_authorization_policy(ACLAuthorizationPolicy())
+    configurator.set_authentication_policy(authn_policy)
+    configurator.set_root_factory(lambda request: Root())
     # Pyramids "plugin" include.
     configurator.include('pyramid_jinja2')
     # Add SqlAlchemy DB

tracim/lib/utils/auth.py

@@ -0,0 +1,22 @@
+from pyramid.security import ALL_PERMISSIONS
+from pyramid.security import Allow
+from pyramid.security import Authenticated
+
+
+def check_credentials(username, password, request):
+    if username == 'admin' and password == 'admin':
+        # an empty list is enough to indicate logged-in... watch how this
+        # affects the principals returned in the home view if you want to
+        # expand ACLs later
+        return ['g:admin']
+    if username == 'user' and password == 'user':
+        return []
+
+
+class Root:
+    # dead simple, give everyone who is logged in any permission
+    # (see the home_view for an example permission)
+    __acl__ = (
+        (Allow, 'g:admin', ALL_PERMISSIONS),
+        (Allow, Authenticated, 'user'),
+    )

tracim/views/default/default_controller.py

@@ -3,6 +3,9 @@ from tracim.views.controllers import Controller
 from pyramid.config import Configurator
 from pyramid.response import Response
 from pyramid.exceptions import NotFound
+from pyramid.httpexceptions import HTTPUnauthorized
+from pyramid.httpexceptions import HTTPForbidden
+from pyramid.security import forget
 
 
 class DefaultController(Controller):
@@ -13,6 +16,17 @@ class DefaultController(Controller):
         return {}
 
     @classmethod
+    def forbidden_view(cls, request):
+        if request.authenticated_userid is None:
+            response = HTTPUnauthorized()
+            response.headers.update(forget(request))
+
+        # user is logged in but doesn't have permissions, reject wholesale
+        else:
+            response = HTTPForbidden()
+        return response
+
+    @classmethod
     def test_config(cls, request):
         try:
             app_config = request.registry.settings['CFG']
@@ -21,6 +35,25 @@ class DefaultController(Controller):
             return Response(e, content_type='text/plain', status=500)
         return {'project': project}
 
+    @classmethod
+    def test_admin_page(cls, request):
+        try:
+            app_config = request.registry.settings['CFG']
+            project = 'admin'
+        except Exception as e:
+            return Response(e, content_type='text/plain', status=500)
+        return {'project': project}
+
+    @classmethod
+    def test_user_page(cls, request):
+        try:
+            app_config = request.registry.settings['CFG']
+            project = 'user'
+        except Exception as e:
+            return Response(e, content_type='text/plain', status=500)
+        return {'project': project}
+
+
     def bind(self, configurator: Configurator):
         configurator.add_static_view('static', 'static', cache_max_age=3600)
         configurator.add_view(
@@ -35,3 +68,20 @@ class DefaultController(Controller):
             route_name='test_config',
             renderer='tracim:templates/mytemplate.jinja2',
         )
+
+        configurator.add_route('test_admin', '/test_admin')
+        configurator.add_view(
+            self.test_admin_page,
+            route_name='test_admin',
+            renderer='tracim:templates/mytemplate.jinja2',
+            permission='admin',
+        )
+
+        configurator.add_route('test_user', '/test_user')
+        configurator.add_view(
+            self.test_user_page,
+            route_name='test_user',
+            renderer='tracim:templates/mytemplate.jinja2',
+            permission='user',
+        )
+        configurator.add_forbidden_view(self.forbidden_view)