paste/auth/form.py


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149

# (c) 2005 Clark C. Evans
# This module is part of the Python Paste Project and is released under
# the MIT License: http://www.opensource.org/licenses/mit-license.php
# This code was written with funding by http://prometheusresearch.com
"""
Authentication via HTML Form

This is a very simple HTML form login screen that asks for the username
and password.  This middleware component requires that an authorization
function taking the name and passsword and that it be placed in your
application stack. This class does not include any session management
code or way to save the user's authorization; however, it is easy enough
to put ``paste.auth.cookie`` in your application stack.

>>> from paste.wsgilib import dump_environ
>>> from paste.httpserver import serve
>>> from paste.auth.cookie import AuthCookieHandler
>>> from paste.auth.form import AuthFormHandler
>>> def authfunc(environ, username, password):
...    return username == password
>>> serve(AuthCookieHandler(
...           AuthFormHandler(dump_environ, authfunc)))
serving on...

"""
from paste.request import construct_url, parse_formvars

TEMPLATE = """\
<html>
  <head><title>Please Login!</title></head>
  <body>
    <h1>Please Login</h1>
    <form action="%s" method="post">
      <dl>
        <dt>Username:</dt>
        <dd><input type="text" name="username"></dd>
        <dt>Password:</dt>
        <dd><input type="password" name="password"></dd>
      </dl>
      <input type="submit" name="authform" />
      <hr />
    </form>
  </body>
</html>
"""

class AuthFormHandler(object):
    """
    HTML-based login middleware

    This causes a HTML form to be returned if ``REMOTE_USER`` is
    not found in the ``environ``.  If the form is returned, the
    ``username`` and ``password`` combination are given to a
    user-supplied authentication function, ``authfunc``.  If this
    is successful, then application processing continues.

    Parameters:

        ``application``

            The application object is called only upon successful
            authentication, and can assume ``environ['REMOTE_USER']``
            is set.  If the ``REMOTE_USER`` is already set, this
            middleware is simply pass-through.

        ``authfunc``

            This is a mandatory user-defined function which takes a
            ``environ``, ``username`` and ``password`` for its first
            three arguments.  It should return ``True`` if the user is
            authenticated.

        ``template``

            This is an optional (a default is provided) HTML
            fragment that takes exactly one ``%s`` substution
            argument; which *must* be used for the form's ``action``
            to ensure that this middleware component does not alter
            the current path.  The HTML form must use ``POST`` and
            have two input names:  ``username`` and ``password``.

    Since the authentication form is submitted (via ``POST``)
    neither the ``PATH_INFO`` nor the ``QUERY_STRING`` are accessed,
    and hence the current path remains _unaltered_ through the
    entire authentication process. If authentication succeeds, the
    ``REQUEST_METHOD`` is converted from a ``POST`` to a ``GET``,
    so that a redirect is unnecessary (unlike most form auth
    implementations)
    """

    def __init__(self, application, authfunc, template=None):
        self.application = application
        self.authfunc = authfunc
        self.template = template or TEMPLATE

    def __call__(self, environ, start_response):
        username = environ.get('REMOTE_USER','')
        if username:
            return self.application(environ, start_response)

        if 'POST' == environ['REQUEST_METHOD']:
            formvars = parse_formvars(environ, include_get_vars=False)
            username = formvars.get('username')
            password = formvars.get('password')
            if username and password:
                if self.authfunc(environ, username, password):
                    environ['AUTH_TYPE'] = 'form'
                    environ['REMOTE_USER'] = username
                    environ['REQUEST_METHOD'] = 'GET'
                    environ['CONTENT_LENGTH'] = ''
                    environ['CONTENT_TYPE'] = ''
                    del environ['paste.parsed_formvars']
                    return self.application(environ, start_response)

        content = self.template % construct_url(environ)
        start_response("200 OK", [('Content-Type', 'text/html'),
                                  ('Content-Length', str(len(content)))])
        return [content]

middleware = AuthFormHandler

__all__ = ['AuthFormHandler']

def make_form(app, global_conf, realm, authfunc, **kw):
    """
    Grant access via form authentication

    Config looks like this::

      [filter:grant]
      use = egg:Paste#auth_form
      realm=myrealm
      authfunc=somepackage.somemodule:somefunction

    """
    from paste.util.import_string import eval_import
    import types
    authfunc = eval_import(authfunc)
    assert isinstance(authfunc, types.FunctionType), "authfunc must resolve to a function"
    template = kw.get('template')
    if template is not None:
        template = eval_import(template)
        assert isinstance(template, str), "template must resolve to a string"

    return AuthFormHandler(app, authfunc, template)

if "__main__" == __name__:
    import doctest
    doctest.testmod(optionflags=doctest.ELLIPSIS)