tracim_backend.lib.utils.authentification.CookieSessionAuthentificationPolicy.authenticated_userid() - Code Metrics - Inspection of "Merge pull request #35 from tracim/feature/cookie_..." - tracim/tracim_v2 - Measure and Improve Code Quality continuously with Scrutinizer

Completed

Push — develop ( ca1745...b1b5c2 )

by Bastien

created 2018-08-31 13:46 UTC

CookieSessionAuthentificationPolicy.authenticated_userid() B

↳ Parent: tracim_backend.lib.utils.authentification

Complexity

Conditions

Size

Total Lines	15
Code Lines	12

Duplication

Lines	0
Ratio	0 %

Importance

Changes

Metric	Value
eloc	12
dl	0
loc	15
rs	8.6666
c	0
b	0
f	0
cc	6
nop	2

import datetime
import typing

from pyramid.authentication import CallbackAuthenticationPolicy
from pyramid.authentication import SessionAuthenticationPolicy
from pyramid.interfaces import IAuthenticationPolicy
from pyramid.request import Request
from zope.interface import implementer

from tracim_backend.exceptions import UserDoesNotExist
from tracim_backend.lib.core.user import UserApi
from tracim_backend.lib.utils.request import TracimRequest
from tracim_backend.models import User

BASIC_AUTH_WEBUI_REALM = "tracim"
TRACIM_API_KEY_HEADER = "Tracim-Api-Key"
TRACIM_API_USER_EMAIL_LOGIN_HEADER = "Tracim-Api-Login"

###
# Pyramid HTTP Basic Auth
###


def basic_auth_check_credentials(
        login: str,
        cleartext_password: str,
        request: TracimRequest
) -> typing.Optional[list]:
    """
    Check credential for pyramid basic_auth
    :param login: login of user
    :param cleartext_password: user password in cleartext
    :param request: Pyramid request
    :return: None if auth failed, list of permissions if auth succeed
    """

    # Do not accept invalid user
    user = _get_auth_unsafe_user(request)
    if not user \
            or user.email != login \
            or not user.is_active \
            or user.is_deleted \
            or not user.validate_password(cleartext_password):
        return None
    return []


def _get_auth_unsafe_user(
    request: Request,
) -> typing.Optional[User]:
    """
    :param request: pyramid request
    :return: User or None
    """
    app_config = request.registry.settings['CFG']
    uapi = UserApi(None, session=request.dbsession, config=app_config)
    try:
        login = request.unauthenticated_userid
        if not login:
            return None
        user = uapi.get_one_by_email(login)
    except UserDoesNotExist:
        return None
    return user

###
# Pyramid cookie auth policy
###


@implementer(IAuthenticationPolicy)
class CookieSessionAuthentificationPolicy(SessionAuthenticationPolicy):

    def __init__(self, reissue_time: int, debug: bool = False):
        SessionAuthenticationPolicy.__init__(self, debug=debug, callback=None)
        self._reissue_time = reissue_time

    def authenticated_userid(self, request):
        # check if user is correct
        user = _get_auth_unsafe_user(request)
        # do not allow invalid_user + ask for cleanup of session cookie
        if not user or not user.is_active or user.is_deleted:
            request.session.delete()
            return None
        # recreate session if need renew
        if not request.session.new:
            now = datetime.datetime.now()
            last_access_datetime = datetime.datetime.utcfromtimestamp(request.session.last_accessed)
            reissue_limit = last_access_datetime + datetime.timedelta(seconds=self._reissue_time)  # nopep8
            if now > reissue_limit:  # nopep8
                request.session.regenerate_id()
        return request.unauthenticated_userid

    def forget(self, request):
        """ Remove the stored userid from the session."""
        if self.userid_key in request.session:
            request.session.delete()
        return []


###
# Pyramid API key auth
###


@implementer(IAuthenticationPolicy)
class ApiTokenAuthentificationPolicy(CallbackAuthenticationPolicy):

    def __init__(self, api_key_header: str, api_user_email_login_header: str):
        self.api_key_header = api_key_header
        self.api_user_email_login_header = api_user_email_login_header

    def authenticated_userid(self, request):
        app_config = request.registry.settings['CFG']  # type:'CFG'
        valid_api_key = app_config.API_KEY
        api_key = request.headers.get(self.api_key_header)
        if not api_key or not valid_api_key:
            return None
        if valid_api_key != api_key:
            return None
        # check if user is correct
        user = _get_auth_unsafe_user(request)
        if not user or not user.is_active or user.is_deleted:
            return None
        return request.unauthenticated_userid

    def unauthenticated_userid(self, request):
        return request.headers.get(self.api_user_email_login_header)

    def remember(self, request, userid, **kw):
        return []

    def forget(self, request):
        return []


1			import datetime
2			import typing
3
4			from pyramid.authentication import CallbackAuthenticationPolicy
5			from pyramid.authentication import SessionAuthenticationPolicy
6			from pyramid.interfaces import IAuthenticationPolicy
7			from pyramid.request import Request
8			from zope.interface import implementer
9
10			from tracim_backend.exceptions import UserDoesNotExist
11			from tracim_backend.lib.core.user import UserApi
12			from tracim_backend.lib.utils.request import TracimRequest
13			from tracim_backend.models import User
14
15			BASIC_AUTH_WEBUI_REALM = "tracim"
16			TRACIM_API_KEY_HEADER = "Tracim-Api-Key"
17			TRACIM_API_USER_EMAIL_LOGIN_HEADER = "Tracim-Api-Login"
18
19			###
20			# Pyramid HTTP Basic Auth
21			###
22
23
24			def basic_auth_check_credentials(
25			login: str,
26			cleartext_password: str,
27			request: TracimRequest
28			) -> typing.Optional[list]:
29			"""
30			Check credential for pyramid basic_auth
31			:param login: login of user
32			:param cleartext_password: user password in cleartext
33			:param request: Pyramid request
34			:return: None if auth failed, list of permissions if auth succeed
35			"""
36
37			# Do not accept invalid user
38			user = _get_auth_unsafe_user(request)
39			if not user \
40			or user.email != login \
41			or not user.is_active \
42			or user.is_deleted \
43			or not user.validate_password(cleartext_password):
44			return None
45			return []
46
47
48			def _get_auth_unsafe_user(
49			request: Request,
50			) -> typing.Optional[User]:
51			"""
52			:param request: pyramid request
53			:return: User or None
54			"""
55			app_config = request.registry.settings['CFG']
56			uapi = UserApi(None, session=request.dbsession, config=app_config)
57			try:
58			login = request.unauthenticated_userid
59			if not login:
60			return None
61			user = uapi.get_one_by_email(login)
62			except UserDoesNotExist:
63			return None
64			return user
65
66			###
67			# Pyramid cookie auth policy
68			###
69
70
71			@implementer(IAuthenticationPolicy)
72			class CookieSessionAuthentificationPolicy(SessionAuthenticationPolicy):
73
74			def __init__(self, reissue_time: int, debug: bool = False):
75			SessionAuthenticationPolicy.__init__(self, debug=debug, callback=None)
76			self._reissue_time = reissue_time
77
78			def authenticated_userid(self, request):
79			# check if user is correct
80			user = _get_auth_unsafe_user(request)
81			# do not allow invalid_user + ask for cleanup of session cookie
82			if not user or not user.is_active or user.is_deleted:
83			request.session.delete()
84			return None
85			# recreate session if need renew
86			if not request.session.new:
87			now = datetime.datetime.now()
88			last_access_datetime = datetime.datetime.utcfromtimestamp(request.session.last_accessed)
89			reissue_limit = last_access_datetime + datetime.timedelta(seconds=self._reissue_time) # nopep8
90			if now > reissue_limit: # nopep8
91			request.session.regenerate_id()
92			return request.unauthenticated_userid
93
94			def forget(self, request):
95			""" Remove the stored userid from the session."""
96			if self.userid_key in request.session:
97			request.session.delete()
98			return []
99
100
101			###
102			# Pyramid API key auth
103			###
104
105
106			@implementer(IAuthenticationPolicy)
107			class ApiTokenAuthentificationPolicy(CallbackAuthenticationPolicy):
108
109			def __init__(self, api_key_header: str, api_user_email_login_header: str):
110			self.api_key_header = api_key_header
111			self.api_user_email_login_header = api_user_email_login_header
112
113			def authenticated_userid(self, request):
114			app_config = request.registry.settings['CFG'] # type:'CFG'
115			valid_api_key = app_config.API_KEY
116			api_key = request.headers.get(self.api_key_header)
117			if not api_key or not valid_api_key:
118			return None
119			if valid_api_key != api_key:
120			return None
121			# check if user is correct
122			user = _get_auth_unsafe_user(request)
123			if not user or not user.is_active or user.is_deleted:
124			return None
125			return request.unauthenticated_userid
126
127			def unauthenticated_userid(self, request):
128			return request.headers.get(self.api_user_email_login_header)
129
130			def remember(self, request, userid, **kw):
131			return []
132
133			def forget(self, request):
134			return []
135

tracim / tracim_v2

Push — develop ( ca1745...b1b5c2 )

CookieSessionAuthentificationPolicy.authenticated_userid() B

Complexity

Size

Duplication

Importance

Duplication Side-by-Side

Filter issues like