Navigation

SchoolTool security infrastructure

The security system of SchoolTool consists of:

  • SchoolToolAuthenticationUtility
  • views for login/logout
  • a custom security policy

The login/logout views store/reset the authentication data in the session. The authentication utility authenticates the request according to the data stored in the session.

The security policy is documented in SchoolTool Security Policy.

SchoolTool authentication utility

(Handwaving...)

>>> from zope.app.testing import setup
>>> root = setup.placefulSetUp(True)
>>> from schooltool.relationship.tests import setUpRelationships
>>> setUpRelationships()

Global auth utility:

>>> from zope.principalregistry.principalregistry import principalRegistry
>>> from zope.authentication.interfaces import IAuthentication
>>> from zope.component import provideUtility
>>> provideUtility(principalRegistry, IAuthentication)

Session setup:

>>> from zope.component import provideAdapter
>>> from zope.publisher.interfaces import IRequest
>>> from zope.session.session import ClientId, Session
>>> from zope.session.session import PersistentSessionDataContainer
>>> from zope.session.http import CookieClientIdManager
>>> from zope.session.interfaces import ISessionDataContainer
>>> from zope.session.interfaces import IClientId
>>> from zope.session.interfaces import IClientIdManager, ISession
>>> provideAdapter(ClientId)
>>> provideAdapter(Session, (IRequest,), ISession)

>>> provideUtility(CookieClientIdManager(), IClientIdManager)
>>> sdc = PersistentSessionDataContainer()
>>> provideUtility(sdc, ISessionDataContainer, 'schooltool.auth')

SchoolTool is a possible site:

>>> from zope.interface.verify import verifyObject
>>> from zope.component.interfaces import ISite, IPossibleSite

>>> from schooltool.app.app import SchoolToolApplication
>>> app = SchoolToolApplication()
>>> verifyObject(IPossibleSite, app)
True
>>> verifyObject(ISite, app)
Traceback (most recent call last):
...
DoesNotImplement: An object does not implement interface
                  <InterfaceClass zope.component.interfaces.ISite>

>>> from zope.component import provideAdapter
>>> from schooltool.app.app import getSchoolToolApplication
>>> provideAdapter(getSchoolToolApplication)

The SchoolToolAuthenticationUtility is an IAuthentication utility that lives in that site:

>>> from schooltool.app.security import SchoolToolAuthenticationUtility
>>> from schooltool.app.interfaces import ISchoolToolAuthentication
>>> auth = SchoolToolAuthenticationUtility()
>>> verifyObject(IAuthentication, auth)
True
>>> verifyObject(ISchoolToolAuthentication, auth)
True

Let’s provide the location of auth:

>>> root['frogpond'] = app
>>> from schooltool.app.security import setUpLocalAuth
>>> setUpLocalAuth(app, auth)

>>> from schooltool.app.security import PersonContainerAuthenticationPlugin
>>> from schooltool.app.interfaces import ISchoolToolAuthenticationPlugin
>>> plugin = PersonContainerAuthenticationPlugin()
>>> provideUtility(plugin, ISchoolToolAuthenticationPlugin)

>>> from zope.component.hooks import setSite
>>> setSite(app)

Now, we get our local authentication service:

>>> from zope.component import getUtility
>>> getUtility(IAuthentication, context=app) is auth
True
>>> verifyObject(ISite, app)
True

getPrincipal

The utility knows about the users of the application:

>>> from schooltool.person.person import Person, PersonContainer
>>> from zope.security.interfaces import IPrincipal
>>> app['persons'] = PersonContainer()
>>> person = Person(username=u"frog", title="Frog")
>>> app['persons']['frog'] = person

>>> principal = auth.getPrincipal('sb.person.frog')
>>> verifyObject(IPrincipal, principal)
True
>>> principal.title
'Frog'

The utility delegates to the next service if the principal is not found:

>>> p = principalRegistry.definePrincipal('zope.manager', 'Mgmt', '',
...                                       'gandalf', '123')

>>> p1 = auth.getPrincipal('zope.manager')
>>> p == p1
True
>>> p.title
'Mgmt'

If the principal we are looking up does not exist, an exception is raised:

>>> auth.getPrincipal('sb.person.nonexistent')
Traceback (most recent call last):
...
PrincipalLookupError: sb.person.nonexistent

Let’s add a group:

>>> from schooltool.group.group import Group
>>> group = Group()
>>> group.title = "The Management"
>>> group.__name__ = "management"
>>> group.members.add(person)

And the user principal has a list ids of group principals he belongs to. This list is used by the security policy:

>>> from zope.security.interfaces import IGroupAwarePrincipal
>>> p = auth.getPrincipal('sb.person.frog')
>>> verifyObject(IGroupAwarePrincipal, p)
True
>>> p.groups
['sb.group.management']

If the global principals like IEveryoneGroup, IAuthenticatedGroup are defined, they are added to the list of groups of a principal, too:

>>> from zope.authentication.interfaces import IAuthenticatedGroup
>>> from zope.authentication.interfaces import IEveryoneGroup
>>> from zope.principalregistry.principalregistry import AuthenticatedGroup
>>> from zope.principalregistry.principalregistry import EverybodyGroup

>>> authenticated = AuthenticatedGroup('zope.authenticated', '', '')
>>> provideUtility(authenticated, IAuthenticatedGroup)
>>> everyone = EverybodyGroup('zope.everybody', 'All users', '')
>>> provideUtility(everyone, IEveryoneGroup)

>>> p = auth.getPrincipal('sb.person.frog')
>>> p.groups
['sb.group.management', 'zope.authenticated', 'zope.everybody']

authenticate

When no credentials are provided in the session, authenticate returns None:

>>> from zope.publisher.browser import TestRequest
>>> request = TestRequest()
>>> auth.authenticate(request)

Suppose, the user ‘frog’ has a password:

>>> app['persons']['frog'].setPassword('pond')

The frog has authenticated itself in the login form and the credentials are stored in the session:

>>> auth.setCredentials(request, 'frog', 'shmond')
Traceback (most recent call last):
...
ValueError: bad credentials
>>> auth.setCredentials(request, 'snake', 'badgermushroom')
Traceback (most recent call last):
...
ValueError: bad credentials
>>> auth.setCredentials(request, 'frog', 'pond')

Now, it is authenticated by our utility:

>>> principal = auth.authenticate(request)
>>> verifyObject(IGroupAwarePrincipal, principal)
True
>>> principal.id
'sb.person.frog'

Our principal is adaptable to IPerson:

>>> from schooltool.person.interfaces import IPerson
>>> from zope.security.proxy import removeSecurityProxy
>>> removeSecurityProxy(IPerson(principal)) is  app['persons']['frog']
True

The credentials can be cleared from the session:

>>> auth.clearCredentials(request)
>>> auth.authenticate(request)

If there are no credentials set, clearing does not fail:

>>> auth.clearCredentials(request)

Also, if cookie based authentication fails, we support HTTP basic authentication (by trying to adapt the request to ILoginPassword):

>>> from zope.interface import Interface, directlyProvides, implements
>>> from zope.authentication.interfaces import ILoginPassword

>>> class Adapter:
...     implements(ILoginPassword)
...     def __init__(self, context):
...         self.context = context
...     def getLogin(self):
...         return "frog"
...     def getPassword(self):
...         return "pond"
...     def needLogin(self, realm):
...         self.context.unauthorized("basic realm=%s" % realm)
...
>>> class IFrogMarker(Interface): pass
>>> provideAdapter(Adapter, (IFrogMarker,), ILoginPassword)
>>> request = TestRequest()
>>> directlyProvides(request, IFrogMarker)

>>> auth.authenticate(request).id
'sb.person.frog'

unauthorized

Our view issues the authorization challenge by redirecting to the login page:

>>> request = TestRequest()
>>> auth.unauthorized(None, request)
>>> request.response.getStatus()
302
>>> request.response.getHeader('Location')
'http://127.0.0.1/frogpond/auth/@@login.html?forbidden=yes&nexturl=http%3A//127.0.0.1'

The URL is properly escaped

>>> request = TestRequest()
>>> request.getURL = lambda *a: '/++etc++site'
>>> auth.unauthorized(None, request)
>>> request.response.getStatus()
302
>>> request.response.getHeader('Location')
'http://127.0.0.1/frogpond/auth/@@login.html?forbidden=yes&nexturl=/%2B%2Betc%2B%2Bsite'

GET parameters are passed along:

>>> request = TestRequest()
>>> request.getURL = lambda *a: '/++etc++site'
>>> request.getHeader = lambda *a: 'foo=10&bar=20'
>>> auth.unauthorized(None, request)
>>> request.response.getStatus()
302
>>> request.response.getHeader('Location')
'http://127.0.0.1/frogpond/auth/@@login.html?forbidden=yes&nexturl=/%2B%2Betc%2B%2Bsite%3Ffoo%3D10%26bar%3D20'

However it does that only for regular browser requests. Other kinds of requests issue the default challenge by setting the response code to 401 (Unauthorized).

>>> from zope.publisher.tests import httprequest
>>> request = httprequest.TestRequest()
>>> directlyProvides(request, IFrogMarker)
>>> auth.unauthorized(None, request)
>>> request.response.getStatus()
401

HTTP PUT, does so likewise, even though it uses a real BrowserRequest.

>>> request = TestRequest()
>>> request.method = 'PUT'
>>> directlyProvides(request, IFrogMarker)
>>> auth.unauthorized(None, request)
>>> request.response.getStatus()
401

And, since this is not a perfect world, we need a workaround for Mozilla Calendar – HTTP GET requests for .ics files also issue the HTTP Basic authentication challenge.

>>> request = TestRequest()
>>> request.getURL = lambda *a: '/dir/calendar.ics'
>>> str(request.URL)
'...calendar.ics'
>>> directlyProvides(request, IFrogMarker)
>>> auth.unauthorized(None, request)
>>> request.response.getStatus()
401

Table Of Contents

Previous topic

Resource booking in SchoolTool

Next topic

SchoolTool Security Policy

This Page

Navigation

© Copyright SchoolTool Developers. Last updated on Nov 06, 2011. Created using Sphinx 1.0.7.