Bloks¶

How to use it¶

This blok defined User and the base of the Authentication / Authorization.

Alone this Blok is useless because no credential and autorization are defined

You can:

• Create an user:

  user = registry.User.insert(
      login='jssuzanne',
      first_name='Jean-Sébastien',
      last_name='Suzanne'
  )
  
  user.name  # Jean-Sébastien SUZANNE
  

• Add a role at this user:

  role = registry.User.Role.insert(
      name='admin',
      label='Administrator'
  )
  user.roles.append(role)
  

• check a permission for a user to use a resource:

  from anyblok_pyramid.security import AnyBlokResourceFactory
  
  @view_config(
      route_name='my_view',
      factory=AnyBlokResourceFactory('my_resource')
      permission='my_permission'
  )
  def my_view(request):
      return Response('Ok I have the permission')
  

User¶

class anyblok_pyramid.bloks.auth.user.User

Bases: object

User declaration need for Auth

AnyBlok registration:

• Type: Model
• Registry name: Model.User
• Tablename: user

Fields
name	Type - anyblok.field.Function fget - 'get_name'
first_name	default - anyblok.column.NoDefaultValue Type - anyblok.column.String size - 64 nullable - False
login	default - anyblok.column.NoDefaultValue Type - anyblok.column.String size - 64 primary_key - True nullable - False
last_name	default - anyblok.column.NoDefaultValue Type - anyblok.column.String size - 64 nullable - False

classmethod check_login(login=None, password=None, **kwargs)

Check login / password

This method raise an exception, because any credential is stored in this bloks

Warning

This method must be overwriting by anycredential blok

Parameters:	login – str, the login attribute of the user password – str kwargs – any options need to validate credential

first_name = <anyblok.column.String object>

classmethod format_login_params(request)

Return the login and password from query

By default the query come from json_body and are named login and password

If the entries come from another place, this method must be overwrite :param request: the request from the controllers

classmethod get_acl(login, resource, params=None)

Retun the ACL for a ressource and a user

Auth, does not implement any rule to compute ACL, This method allow all user to use the resource ask by controllers.

For other configuration, this method must be overwrite

Parameters:	login – str, login attribute of the user resource – str, name of a resource params – all options need to compute ACL

classmethod get_login_location_to(login, request)

Return the default path after the login

classmethod get_logout_location_to(request)

Return the default path after the logout

get_name()

Return the name of the user

classmethod get_roles(login)

Return the roles of an user

Parameters:	login – str, login attribute of the user
Return type:	list of str (name of the roles)

last_name = <anyblok.column.String object>

login = <anyblok.column.String object>

name = <anyblok.field.Function object>

Role¶

class anyblok_pyramid.bloks.auth.role.Role

Bases: object

Role, allow to group some authorization for an user

AnyBlok registration:

• Type: Model
• Registry name: Model.User.Role
• Tablename: user_role

Fields
label	default - anyblok.column.NoDefaultValue Type - anyblok.column.String size - 64 nullable - False
children	compute_join - False backref - 'parents' remote_columns - None m2m_local_columns - None Type - anyblok.relationship.Many2Many local_columns - None model - Model.User.Role m2m_remote_columns - None
name	default - anyblok.column.NoDefaultValue Type - anyblok.column.String size - 64 primary_key - True nullable - False
roles_name	Type - anyblok.field.Function fget - 'get_all_roles_name'
users	compute_join - False backref - 'roles' remote_columns - None m2m_local_columns - None Type - anyblok.relationship.Many2Many local_columns - None model - Model.User m2m_remote_columns - None

classmethod before_update_orm_event(mapper, connection, target)

Check if the role has not any cyclical dependencies

children = <anyblok.relationship.Many2Many object>

get_all_roles_name()

Return all the name of the roles self and dependencies

label = <anyblok.column.String object>

name = <anyblok.column.String object>

roles_name = <anyblok.field.Function object>

users = <anyblok.relationship.Many2Many object>

Views¶

Give the views forlogin and logout, this views, is not applied by default You must declare the route to use them

anyblok_pyramid.bloks.auth.views.login(request)¶

Default view to login one user

anyblok_pyramid.bloks.auth.views.logout(request)¶

Default view to logout one user

Configuration¶

Define the authentification / authorization policies, This depend of the options passed on the global configuration

anyblok_pyramid.bloks.auth.pyramid.getAuthenticationPolicy()¶

Return the authentication policy in function method in configuration

anyblok_pyramid.bloks.auth.pyramid.getAuthTktAuthenticationPolicy()¶

Define the authentication policy for Tkt

anyblok_pyramid.bloks.auth.pyramid.getRemoteUserAuthenticationPolicy()¶

Define the authentication policy for remote user server

anyblok_pyramid.bloks.auth.pyramid.getSessionAuthenticationPolicy()¶

Define the authentication policy for a session

anyblok_pyramid.bloks.auth.pyramid.getBasicAuthAuthenticationPolicy()¶

Define the authentication policy for a basic auth

Exceptions¶

exception anyblok_pyramid.bloks.auth.exceptions.RecursionRoleError¶

Simple exception to check if the roles is cyclic

How to use it¶

This Blok define credential from an existing user. You can not add credential for an unexisting user because one foreign key constraint is defined between both.

• You must have an user:

  user = registry.User.insert(
      login='jssuzanne',
      first_name='Jean-Sébastien',
      last_name='Suzanne'
  )
  

• Define the credential:

  registry.User.CredentialStore.insert(
      login=user.login,
      password='secret password',
  )
  

User¶

class anyblok_pyramid.bloks.password.user.CredentialStore

Bases: object

Save in table login / password

AnyBlok registration:

• Type: Model
• Registry name: Model.User.CredentialStore
• Tablename: user_credentialstore

Fields
password	default - anyblok.column.NoDefaultValue Type - anyblok.column.Password nullable - False
login	default - anyblok.column.NoDefaultValue Type - anyblok.column.String size - 64 primary_key - True nullable - False foreign_key - Model.User => login

login = <anyblok.column.String object>

password = <anyblok.column.Password object>

class anyblok_pyramid.bloks.password.user.User

Bases: object

AnyBlok registration:

• Type: Model
• Registry name: Model.User
• Tablename: user

classmethod check_login(login=None, password=None, **kwargs)

Overwrite the method to check if the user exist and the password gave is the same sa the password stored

Parameters:	login – str password – str
Exception:	HTTPUnauthorized

How to use it¶

This blok defined authorization for User or Role on a resource or model.

• Create an user:

  user = registry.User.insert(
      login='jssuzanne',
      first_name='Jean-Sébastien',
      last_name='Suzanne'
  )
  
  user.name  # Jean-Sébastien SUZANNE
  

• Add an autorization:

  user.roles.append(role)
  registry.User.Authorization.insert(
      resource='something',
      user=user,
      perm_create=dict(matched=True),
      perm_read=dict(matched=True),
      perm_update=dict(matched=True),
      perm_delete=dict(matched=True)
  )
  
  registry.User.Authorization.get_acl('jssuzanne', 'something')
  #  [
  #      (Allow, 'jssuzanne', ['create', 'delete', 'read', 'update']),
  #      (Deny, 'jssuzanne', ALL_PERMISSIONS),
  #  ]
  

The permissiosn is stored in the Json column, the permission can be the CRUD and also any another permission.

Each permission can defined three keys:

• condition: Query.filter_condition, if the empty then the condition is marked as True
• matched: If condition is True, the entry indicate the value (default None)
• unmatched: If condition is False, the entry indicate the value (default None)

matched and unmatched can have three values:

• True: Add the permission in Allow list,
• False: Add the permission in the Deny list,
• None: Do nothing, because this rule can not Allow or Deny

User¶

class anyblok_pyramid.bloks.authorization.user.User

Bases: object

AnyBlok registration:

• Type: Model
• Registry name: Model.User
• Tablename: user

classmethod get_acl(login, resource, params=None)

Overwrite the method to return the ACL for the resource and user

Parameters:	login – str, login of the user resource – str, name of the resource

Authorization¶

class anyblok_pyramid.bloks.authorization.authorization.Authorization

Bases: object

Store the autorization rules

AnyBlok registration:

• Type: Model
• Registry name: Model.User.Authorization
• Tablename: user_authorization

Fields
filter	Type - anyblok.column.Json
perm_delete	keys - 'delete' Type - anyblok.field.JsonRelated json_column - 'perms'
perm_create	keys - 'create' Type - anyblok.field.JsonRelated json_column - 'perms'
login	default - anyblok.column.NoDefaultValue size - 64 foreign_key - Model.User => login Type - anyblok.column.String
primary_keys	Type - anyblok.column.Json
model	default - anyblok.column.NoDefaultValue size - 64 foreign_key - Model.System.Model => name Type - anyblok.column.String
resource	default - anyblok.column.NoDefaultValue size - 64 Type - anyblok.column.String
perms	Type - anyblok.column.Json
user	index - False Type - anyblok.relationship.Many2One model - Model.User
role	index - False Type - anyblok.relationship.Many2One model - Model.User.Role
perm_update	keys - 'update' Type - anyblok.field.JsonRelated json_column - 'perms'
id	default - anyblok.column.NoDefaultValue autoincrement - True primary_key - True Type - anyblok.column.Integer
perm_read	keys - 'read' Type - anyblok.field.JsonRelated json_column - 'perms'
order	default - 100 Type - anyblok.column.Integer nullable - False

classmethod before_insert_orm_event(mapper, connection, target)

classmethod before_update_orm_event(mapper, connection, target)

check_validity()

Check at the insert or update that all rule match

Exception:	AuthorizationValidationException

filter = <anyblok.column.Json object>

classmethod get_acl(login, resource, params=None)

Return the Pyramid ACL in function of the resource and user

Parameters:	login – str, login of the user resource – str, name of the resource

classmethod get_acl_filter_model()

Return the Model to use to check the permission

id = <anyblok.column.Integer object>

login = <anyblok.column.String object>

model = <anyblok.column.String object>

order = <anyblok.column.Integer object>

perm_create = <anyblok.field.JsonRelated object>

perm_delete = <anyblok.field.JsonRelated object>

perm_read = <anyblok.field.JsonRelated object>

perm_update = <anyblok.field.JsonRelated object>

perms = <anyblok.column.Json object>

primary_keys = <anyblok.column.Json object>

resource = <anyblok.column.String object>

role = <anyblok.relationship.Many2One object>

user = <anyblok.relationship.Many2One object>

Exceptions¶

class anyblok_pyramid.bloks.authorization.exceptions.AuthorizationValidationException

Bases: Exception

Simple exception when Authorization entry is wrong