/usr/share/pyshared/schooltool/app/security.txt is in python-schooltool 1:2.1.0-0ubuntu1.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 | ==================================
SchoolTool security infrastructure
==================================
The security system of SchoolTool consists of:
* ``SchoolToolAuthenticationUtility``
* views for login/logout
* a custom security policy
The login/logout views store/reset the authentication data in the
session. The authentication utility authenticates the request
according to the data stored in the session.
The security policy is documented in :doc:`../securitypolicy/README`.
SchoolTool authentication utility
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
(Handwaving...)
>>> from zope.app.testing import setup
>>> root = setup.placefulSetUp(True)
>>> from schooltool.relationship.tests import setUpRelationships
>>> setUpRelationships()
Global auth utility::
>>> from zope.principalregistry.principalregistry import principalRegistry
>>> from zope.authentication.interfaces import IAuthentication
>>> from zope.component import provideUtility
>>> provideUtility(principalRegistry, IAuthentication)
Session setup::
>>> from zope.component import provideAdapter
>>> from zope.publisher.interfaces import IRequest
>>> from zope.session.session import ClientId, Session
>>> from zope.session.session import PersistentSessionDataContainer
>>> from zope.session.http import CookieClientIdManager
>>> from zope.session.interfaces import ISessionDataContainer
>>> from zope.session.interfaces import IClientId
>>> from zope.session.interfaces import IClientIdManager, ISession
>>> provideAdapter(ClientId)
>>> provideAdapter(Session, (IRequest,), ISession)
>>> provideUtility(CookieClientIdManager(), IClientIdManager)
>>> sdc = PersistentSessionDataContainer()
>>> provideUtility(sdc, ISessionDataContainer, 'schooltool.auth')
SchoolTool is a possible site::
>>> from zope.interface.verify import verifyObject
>>> from zope.component.interfaces import ISite, IPossibleSite
>>> from schooltool.app.app import SchoolToolApplication
>>> app = SchoolToolApplication()
>>> verifyObject(IPossibleSite, app)
True
>>> verifyObject(ISite, app)
Traceback (most recent call last):
...
DoesNotImplement: An object does not implement interface
<InterfaceClass zope.component.interfaces.ISite>
>>> from zope.component import provideAdapter
>>> from schooltool.app.app import getSchoolToolApplication
>>> provideAdapter(getSchoolToolApplication)
The ``SchoolToolAuthenticationUtility`` is an ``IAuthentication`` utility that
lives in that site::
>>> from schooltool.app.security import SchoolToolAuthenticationUtility
>>> from schooltool.app.interfaces import ISchoolToolAuthentication
>>> auth = SchoolToolAuthenticationUtility()
>>> verifyObject(IAuthentication, auth)
True
>>> verifyObject(ISchoolToolAuthentication, auth)
True
Let's provide the location of auth::
>>> root['frogpond'] = app
>>> from schooltool.app.security import setUpLocalAuth
>>> setUpLocalAuth(app, auth)
>>> from schooltool.app.security import PersonContainerAuthenticationPlugin
>>> from schooltool.app.interfaces import ISchoolToolAuthenticationPlugin
>>> plugin = PersonContainerAuthenticationPlugin()
>>> provideUtility(plugin, ISchoolToolAuthenticationPlugin)
>>> from zope.component.hooks import setSite
>>> setSite(app)
Now, we get our local authentication service::
>>> from zope.component import getUtility
>>> getUtility(IAuthentication, context=app) is auth
True
>>> verifyObject(ISite, app)
True
getPrincipal
------------
The utility knows about the users of the application::
>>> from schooltool.person.person import Person, PersonContainer
>>> from zope.security.interfaces import IPrincipal
>>> app['persons'] = PersonContainer()
>>> person = Person(username=u"frog", title="Frog")
>>> app['persons']['frog'] = person
>>> principal = auth.getPrincipal('sb.person.frog')
>>> verifyObject(IPrincipal, principal)
True
>>> principal.title
'Frog'
The utility delegates to the next service if the principal is not
found::
>>> p = principalRegistry.definePrincipal('zope.manager', 'Mgmt', '',
... 'gandalf', '123')
>>> p1 = auth.getPrincipal('zope.manager')
>>> p == p1
True
>>> p.title
'Mgmt'
If the principal we are looking up does not exist, an exception is
raised::
>>> auth.getPrincipal('sb.person.nonexistent')
Traceback (most recent call last):
...
PrincipalLookupError: sb.person.nonexistent
Let's add a group:
>>> from schooltool.group.group import Group
>>> group = Group()
>>> group.title = "The Management"
>>> group.__name__ = "management"
>>> group.members.add(person)
And the user principal has a list ids of group principals he belongs
to. This list is used by the security policy::
>>> from zope.security.interfaces import IGroupAwarePrincipal
>>> p = auth.getPrincipal('sb.person.frog')
>>> verifyObject(IGroupAwarePrincipal, p)
True
>>> p.groups
['sb.group.management']
If the global principals like ``IEveryoneGroup``, ``IAuthenticatedGroup`` are
defined, they are added to the list of groups of a principal, too::
>>> from zope.authentication.interfaces import IAuthenticatedGroup
>>> from zope.authentication.interfaces import IEveryoneGroup
>>> from zope.principalregistry.principalregistry import AuthenticatedGroup
>>> from zope.principalregistry.principalregistry import EverybodyGroup
>>> authenticated = AuthenticatedGroup('zope.authenticated', '', '')
>>> provideUtility(authenticated, IAuthenticatedGroup)
>>> everyone = EverybodyGroup('zope.everybody', 'All users', '')
>>> provideUtility(everyone, IEveryoneGroup)
>>> p = auth.getPrincipal('sb.person.frog')
>>> p.groups
['sb.group.management', 'zope.authenticated', 'zope.everybody']
authenticate
------------
When no credentials are provided in the session, authenticate returns None:
>>> from zope.publisher.browser import TestRequest
>>> request = TestRequest()
>>> auth.authenticate(request)
Suppose, the user 'frog' has a password:
>>> app['persons']['frog'].setPassword('pond')
The frog has authenticated itself in the login form and the
credentials are stored in the session::
>>> auth.setCredentials(request, 'frog', 'shmond')
Traceback (most recent call last):
...
ValueError: bad credentials
>>> auth.setCredentials(request, 'snake', 'badgermushroom')
Traceback (most recent call last):
...
ValueError: bad credentials
>>> auth.setCredentials(request, 'frog', 'pond')
Now, it is authenticated by our utility:
>>> principal = auth.authenticate(request)
>>> verifyObject(IGroupAwarePrincipal, principal)
True
>>> principal.id
'sb.person.frog'
Our principal is adaptable to ``IPerson``:
>>> from schooltool.person.interfaces import IPerson
>>> from zope.security.proxy import removeSecurityProxy
>>> removeSecurityProxy(IPerson(principal)) is app['persons']['frog']
True
The credentials can be cleared from the session:
>>> auth.clearCredentials(request)
>>> auth.authenticate(request)
If there are no credentials set, clearing does not fail:
>>> auth.clearCredentials(request)
Also, if cookie based authentication fails, we support HTTP basic
authentication (by trying to adapt the request to ``ILoginPassword``)::
>>> from zope.interface import Interface, directlyProvides, implements
>>> from zope.authentication.interfaces import ILoginPassword
>>> class Adapter:
... implements(ILoginPassword)
... def __init__(self, context):
... self.context = context
... def getLogin(self):
... return "frog"
... def getPassword(self):
... return "pond"
... def needLogin(self, realm):
... self.context.unauthorized("basic realm=%s" % realm)
...
>>> class IFrogMarker(Interface): pass
>>> provideAdapter(Adapter, (IFrogMarker,), ILoginPassword)
>>> request = TestRequest()
>>> directlyProvides(request, IFrogMarker)
>>> auth.authenticate(request).id
'sb.person.frog'
unauthorized
------------
Our view issues the authorization challenge by redirecting to the
login page:
>>> request = TestRequest()
>>> auth.unauthorized(None, request)
>>> request.response.getStatus()
302
>>> request.response.getHeader('Location')
'http://127.0.0.1/frogpond/auth/@@login.html?forbidden=yes&nexturl=http%3A//127.0.0.1'
The URL is properly escaped
>>> request = TestRequest()
>>> request.getURL = lambda *a: '/++etc++site'
>>> auth.unauthorized(None, request)
>>> request.response.getStatus()
302
>>> request.response.getHeader('Location')
'http://127.0.0.1/frogpond/auth/@@login.html?forbidden=yes&nexturl=/%2B%2Betc%2B%2Bsite'
GET parameters are passed along:
>>> request = TestRequest()
>>> request.getURL = lambda *a: '/++etc++site'
>>> request.getHeader = lambda *a: 'foo=10&bar=20'
>>> auth.unauthorized(None, request)
>>> request.response.getStatus()
302
>>> request.response.getHeader('Location')
'http://127.0.0.1/frogpond/auth/@@login.html?forbidden=yes&nexturl=/%2B%2Betc%2B%2Bsite%3Ffoo%3D10%26bar%3D20'
However it does that only for regular browser requests. Other kinds of
requests issue the default challenge by setting the response code to 401
(Unauthorized).
>>> from zope.publisher.tests import httprequest
>>> request = httprequest.TestRequest()
>>> directlyProvides(request, IFrogMarker)
>>> auth.unauthorized(None, request)
>>> request.response.getStatus()
401
HTTP PUT, does so likewise, even though it uses a real BrowserRequest.
>>> request = TestRequest()
>>> request.method = 'PUT'
>>> directlyProvides(request, IFrogMarker)
>>> auth.unauthorized(None, request)
>>> request.response.getStatus()
401
And, since this is not a perfect world, we need a workaround for Mozilla
Calendar -- HTTP GET requests for .ics files also issue the HTTP Basic
authentication challenge.
>>> request = TestRequest()
>>> request.getURL = lambda *a: '/dir/calendar.ics'
>>> str(request.URL)
'...calendar.ics'
>>> directlyProvides(request, IFrogMarker)
>>> auth.unauthorized(None, request)
>>> request.response.getStatus()
401
.. Tear down::
>>> setup.placefulTearDown()
|