Thread: Re: basic auth tool, password expiration, and HTTPRedirect.

Re: basic auth tool, password expiration, and HTTPRedirect. | United States | 2007-06-22 01:38:24
Sylvain,

The current version of auth allows you to pass in a dictionary to the auth function. This is inefficient, meaning that you have to make a dictionary of all users each time one needs to auth. Now you can pass in a function, which receives the username as a parameter, and returns that user's password, which the auth module uses for comparing to what was submitted by the user.

It is backwards compatible with the existing auth library.

Scott
Sylvain Hellegouarch wrote:
> I might be missing something but how is this different from what is
> already done in CherryPy 3?
>
> http://www.cherrypy.org/browser/tags/cherrypy-3.0.1/cherrypy/lib/auth.py
>
> - Sylvain
>
> Scott Chapman wrote:
>
>>>> Everything is in life
>>>>
>>>> - Sylvain
>>>>
>>> Could you point me to an example of how to use it, or a write-up on
>>> how it works?
>>>
>> Here's a new version of the auth handler that I've submitted to Robert
>> to include in the next CP release. It's a place to start in your quest:
>>
>> Rather than passing in a dictionary of users, pass in a callable
>> function that does what you want. It will take care of calling the
>> function to auth a user, and it will pass in the username. Your auth
>> function should return a plaintext password which the auth mechanism
>> will use for comparing to the one supplied by the client. If you pass
>> back something that will never be matched (i.e. if the password has
>> expired), you should be running.
>>
>> I haven't tested this to see what the behavior is if you passed back
>> None for a password and the user types in "None" as their password yet,
>> for instance. It has not been tested for security issues yet. YMMV.
>>
>> Scott
>>
>> import cherrypy
>> from cherrypy.lib import httpauth
>> import sha
>>
>> def check_auth(users, encrypt=None):
>>     """If an authorization header contains credentials, return True,
>>     else False."""
>>     if 'authorization' in cherrypy.request.headers:
>>         # make sure the provided credentials are correctly set
>>         ah = httpauth.parseAuthorization(cherrypy.request.headers['authorization'])
>>         if ah is None:
>>             raise cherrypy.HTTPError(400, 'Bad Request')
>>
>>         if not encrypt:
>>             encrypt = httpauth.DIGEST_AUTH_ENCODERS[httpauth.MD5]
>>
>>         if callable(users):
>>             try:
>>                 users = users() # expect it to return a dictionary
>>             except TypeError:
>>                 # one-argument callable: ask it for this user's password
>>                 password = users(ah["username"])
>>                 password = sha.new(password).hexdigest()
>>         # re-check: a zero-argument callable has just been replaced by the
>>         # dictionary it returned, so the dictionary path must run for it too
>>         if not callable(users):
>>             if not isinstance(users, dict):
>>                 raise ValueError, "Authentication users must be a dictionary"
>>
>>             # fetch the user password
>>             password = users.get(ah["username"], None)
>>
>>         # validate the authorization by re-computing it here
>>         # and compare it with what the user-agent provided
>>         if httpauth.checkResponse(ah, password,
>>                                   method=cherrypy.request.method,
>>                                   encrypt=encrypt):
>>             cherrypy.request.login = ah["username"]
>>             return True
>>
>>     cherrypy.request.login = False
>>     return False
>>
>
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "cherrypy-users" group.
To post to this group, send email to cherrypy-users googlegroups.com
To unsubscribe from this group, send email to cherrypy-users-unsubscribe googlegroups.com
For more options, visit this group at http://groups.google.com/group/cherrypy-users?hl=en
-~----------~----~----~----~------~----~------~--~---
Re: basic auth tool, password expiration, and HTTPRedirect. | United Kingdom | 2007-06-22 02:49:58
Scott,

I get it indeed. Nicely done.

- Sylvain

Scott Chapman wrote:
> Sylvain,
>
> The current version of auth allows you to pass in a dictionary to the auth function. This is inefficient, meaning that you have to make a dictionary of all users each time one needs to auth. Now you can pass in a function, which receives the username as a parameter, and returns that user's password, which the auth module uses for comparing to what was submitted by the user.
>
> It is backwards compatible with the existing auth library.
>
> Scott
>
Re: basic auth tool, password expiration, and HTTPRedirect. | United States | 2007-06-22 08:57:55

Scott: Wouldn't it be better to have the user(username) function return an encrypted password? An application with a username/password database would typically not want to keep the plaintext passwords.

Chris Marshall
Scott Chapman <scott_list mischko.com> wrote:
> Sylvain,
>
> The current version of auth allows you to pass in a dictionary to the auth function. This is inefficient, meaning that you have to make a dictionary of all users each time one needs to auth. Now you can pass in a function, which receives the username as a parameter, and returns that user's password, which the auth module uses for comparing to what was submitted by the user.
>
> It is backwards compatible with the existing auth library.
>
> Scott
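The thread raises three points that are easier to see in working code: Scott's per-user callable (the checker asks `users(username)` instead of receiving a dictionary of every account), his two untested cases (an expired password must never match, and returning `None` must not collide with a client who literally types "None"), and Chris's objection that the callable should hand back a hashed password rather than plaintext. The following is an added Python 3 example written for this page; it is not code from the thread and not CherryPy's `httpauth` or `auth` module. It assumes a constructed credential store (`USER_DB`), a fixed clock (`NOW`) so expiry is deterministic, PBKDF2-SHA256 as the stored "encrypted" form, and a plain dict with lowercase keys in place of the request headers. It goes a little beyond the thread in that the comparison is constant-time and an unknown user costs the same hashing work as a known one:

```python
import base64
import hashlib
import hmac
import os

# Constructed example (not CherryPy code). PBKDF2-SHA256 stands in for the
# "encrypted password" Chris asks for; rounds kept modest so the demo runs quickly.
PBKDF2_ROUNDS = 50_000
SALT_LEN = 16
NOW = 1_182_500_000  # constructed fixed clock (June 2007) so expiry checks are deterministic


def hash_password(password, salt):
    """Derive the stored verifier from a plaintext password and a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_record(password, expires_at):
    """Build a credential record; the plaintext is discarded once hashed."""
    salt = os.urandom(SALT_LEN)
    return {"salt": salt, "hash": hash_password(password, salt), "expires_at": expires_at}


# Constructed sample store: one current account and one whose password has expired.
USER_DB = {
    "alice": make_record("correct horse", NOW + 86_400),
    "bob": make_record("stale-secret", NOW - 60),
}


def lookup_user(username, now=NOW):
    """The per-user callable from the thread. Returns the stored record, or None
    when the account is unknown or its password has expired. None is a signal to
    the checker and is never string-compared, so a client typing the password
    "None" gains nothing from it."""
    rec = USER_DB.get(username)
    if rec is None or rec["expires_at"] <= now:
        return None
    return rec


def verify(record, supplied):
    """Compare the supplied plaintext against a stored record in constant time."""
    if record is None:
        # Spend the same hashing work for unknown/expired users so response
        # time does not reveal which usernames exist.
        hash_password(supplied, b"\x00" * SALT_LEN)
        return False
    candidate = hash_password(supplied, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


def parse_basic(header_value):
    """Parse 'Basic <base64(user:pass)>'. Return (user, password) or None if malformed."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep or not user:
        return None
    return user, password


def check_auth(users, headers):
    """Return the authenticated username, or None.

    `users` is either a dict (the old interface: a snapshot that carries no
    expiry information) or a callable username -> record (the new one). The
    dispatch is explicit instead of relying on a TypeError from calling it with
    no arguments. `headers` is a lowercase-keyed dict standing in for the request."""
    header = headers.get("authorization")
    if header is None:
        return None
    creds = parse_basic(header)
    if creds is None:
        return None  # a real handler would answer 400 Bad Request here
    username, supplied = creds
    if callable(users):
        record = users(username)
    elif isinstance(users, dict):
        record = users.get(username)
    else:
        raise TypeError("users must be a dict or a callable")
    return username if verify(record, supplied) else None


def basic_header(user, password):
    """Build the header value a client would send (used for the demo below)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    print(check_auth(lookup_user, {"authorization": basic_header("alice", "correct horse")}))  # alice
    print(check_auth(lookup_user, {"authorization": basic_header("bob", "stale-secret")}))     # None (expired)
    print(check_auth(lookup_user, {"authorization": basic_header("carol", "None")}))           # None (unknown)
```

Note the asymmetry the dict path keeps: passing `USER_DB` directly still authenticates bob with his expired password, because a dictionary is only a snapshot of verifiers. Expiry, lockout and revocation are exactly the decisions that belong in the callable, which is the practical argument for Scott's interface; with the hash stored instead of the plaintext, the callable never has to hand a reusable secret to the checker.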