lazr.restful

Merge lp:~leonardr/lazr.restful/remove-authentication into lp:lazr.restful

remove-authentication
Merge into trunk

Proposed by Leonard Richardson on 2009-10-07

Status:	Merged
Merged at revision:	not available
Proposed branch:	lp:~leonardr/lazr.restful/remove-authentication
Merge into:	lp:lazr.restful
Diff against target:	490 lines 6 files modified setup.py (+0/-1) src/lazr/restful/NEWS.txt (+6/-0) src/lazr/restful/docs/wsgi.txt (+0/-225) src/lazr/restful/testing/webservice.py (+0/-33) src/lazr/restful/version.txt (+1/-1) src/lazr/restful/wsgi.py (+0/-144)
To merge this branch:	bzr merge lp:~leonardr/lazr.restful/remove-authentication
Related bugs:	Link a bug report

Reviewer	Review Type	Date Requested	Status
Gavin Panella		2009-10-07	Approve on 2009-10-07
Review via email: mp+12991@code.launchpad.net

Revision history for this message

Leonard Richardson (leonardr) wrote on 2009-10-07:

This branch removes WSGI middleware from lazr.restful that was moved into lazr.authentication. The code is not used within lazr.restful itself (which is why it was moved), so there's no effect on the main body of code.

Revision history for this message

Gavin Panella (allenap) on 2009-10-07:

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Gary Poster

Launchpad code reviewers from Canonical

Leonard Richardson

lazr.restful

Merge lp:~leonardr/lazr.restful/remove-authentication into lp:lazr.restful

Commit message

Description of the change

Preview Diff

Subscribers

 === modified file 'setup.py'
 --- setup.py	2009-10-01 15:24:08 +0000
 +++ setup.py	2009-10-07 13:05:19 +0000
@@ -63,7 +63,6 @@
          'lazr.lifecycle',
          'lazr.uri',
          'martian==0.11',
--        'oauth',
          'setuptools',
          'simplejson',
          'van.testing',
 === modified file 'src/lazr/restful/NEWS.txt'
 --- src/lazr/restful/NEWS.txt	2009-10-06 16:09:51 +0000
 +++ src/lazr/restful/NEWS.txt	2009-10-07 13:05:19 +0000
@@ -2,6 +2,12 @@
  NEWS for lazr.restful
  =====================
++0.9.9 (2009-10-07)
++==================
++
++The authentication-related WSGI middleware classes have been split
++into a separate project, lazr.authentication.
++
 .9.8 (2009-10-06)
  ==================
 === removed file 'src/lazr/restful/docs/wsgi.txt'
 --- src/lazr/restful/docs/wsgi.txt	2009-10-06 15:59:10 +0000
 +++ src/lazr/restful/docs/wsgi.txt	1970-01-01 00:00:00 +0000
@@ -1,225 +0,0 @@
--WSGI Middleware
--===============
--
--lazr.restful defines some simple WSGI middleware for doing
--authentication. This is mainly for setting up testing scenarios for
--lazr.restfulclient, but you can use the middleware in real
--applications.
--
--BasicAuthMiddleware
---------------------
--
--The BasicAuthMiddleware implements HTTP Basic Auth. Its constructor
--takes a number of arguments, including a callback function that
--performs the actual authentication. This function returns an object
--identifying the user who's trying to authenticate. If the
--authentication credentials are invalid, it's supposed to return None.
--
--First, let's create a really simple WSGI application that responds to
--any request with a 200 response code.
--
--    >>> from lazr.restful.testing.webservice import WebServiceApplication
--    >>> from lazr.restful.example.base.tests.test_integration import (
--    ...     CookbookWebServiceTestPublication)
--
--    >>> def dummy_application(environ, start_response):
--    ...         start_response('200', [('Content-type','text/plain')])
--    ...         return ['Success']
--
--Now let's protect that application. Here's an authentication callback
--function.
--
--    >>> def authenticate(username, password):
--    ...     """Accepts "user/password", rejects everything else.
--    ...
--    ...     :return: The username, if the credentials are valid.
--    ...              None, otherwise.
--    ...     """
--    ...     if username == "user" and password == "password":
--    ...         return username
--    ...     return None
--
--    >>> print authenticate("user", "password")
--    user
--
--    >>> print authenticate("notuser", "password")
--    None
--
--Here's a WSGI application that protects the application using
--BasicAuthMiddleware.
--
--    >>> from lazr.restful.wsgi import BasicAuthMiddleware
--    >>> def protected_application():
--    ...     return BasicAuthMiddleware(
--    ...         dummy_application, realm="WSGI middleware test",
--    ...         protect_path_pattern=".*protected.*",
--    ...         authenticate_with=authenticate)
--
--    >>> import wsgi_intercept
--    >>> from wsgi_intercept.httplib2_intercept import install
--    >>> install()
--    >>> wsgi_intercept.add_wsgi_intercept(
--    ...     'basictest', 80, protected_application)
--
--Most of the application's URLs are not protected by the
--middleware. You can access them without providing credentials.
--
--    >>> import httplib2
--    >>> client = httplib2.Http()
--    >>> response, body = client.request('http://basictest/')
--    >>> print response['status']
--    200
--    >>> print body
--    Success
--
--Any URL that includes the string "protected" is protected by the
--middleware, and cannot be accessed without credentials.
--
--    >>> response, body = client.request('http://basictest/protected/')
--    >>> print response['status']
--    401
--    >>> print response['www-authenticate']
--    Basic realm="WSGI middleware test"
--
--    >>> response, body = client.request(
--    ...     'http://basictest/this-is-protected-as-well/')
--    >>> print response['status']
--    401
--
--The check_credentials() implementation given at the beginning of the
--test will only accept the user/password combination "user"/"password".
--Provide a bad username or password and you'll get a 401.
--
--    >>> client.add_credentials("baduser", "baspassword")
--    >>> response, body = client.request('http://basictest/protected/')
--    >>> print response['status']
--    401
--
--Provide the correct credentials and you'll get a 200, even for the
--protected URIs.
--
--    >>> client.add_credentials("user", "password")
--    >>> response, body = client.request('http://basictest/protected/')
--    >>> print response['status']
--    200
--
--OAuthMiddleware
-----------------
--
--The OAuthMiddleware implements section 7 ("Accessing Protected
--Resources") of the OAuth specification. That is, it makes sure that
--incoming consumer keys and access tokens pass some application-defined
--test. It does not help you serve request tokens or exchange a request
--token for an access token.
--
--We'll use OAuthMiddleware to protect the same simple application we
--protected earlier with BasicAuthMiddleware. But since we're using
--OAuth, we'll be checking a consumer key and access token, instead of a
--username and password.
--
--    >>> from oauth.oauth import OAuthConsumer, OAuthToken
--
--    >>> valid_consumer = OAuthConsumer("consumer", '')
--    >>> valid_token = OAuthToken("token", "secret")
--
--    >>> def authenticate(consumer, token, parameters):
--    ...     """Accepts the valid consumer and token, rejects everything else.
--    ...
--    ...     :return: The consumer, if the credentials are valid.
--    ...              None, otherwise.
--    ...     """
--    ...     if consumer == valid_consumer and token == valid_token:
--    ...         return consumer
--    ...     return None
--
--    >>> print authenticate(valid_consumer, valid_token, None).key
--    consumer
--
--    >>> invalid_consumer = OAuthConsumer("other consumer", '')
--    >>> print authenticate(invalid_consumer, valid_token, None)
--    None
--
--To test the OAuthMiddleware's security features, we'll also need to
--create a data store. In a real application the data store would
--probably be a database containing the registered consumer keys and
--tokens. We're using a simple data store designed for testing, and
--telling it about the one valid consumer and token.
--
--    >>> from lazr.restful.testing.webservice import SimpleOAuthDataStore
--    >>> data_store = SimpleOAuthDataStore(
--    ...     {valid_consumer.key : valid_consumer},
--    ...     {valid_token.key : valid_token})
--
--    >>> print data_store.lookup_consumer("consumer").key
--    consumer
--    >>> print data_store.lookup_consumer("badconsumer")
--    None
--
--The data store tracks the use of OAuth nonces. If you call the data
--store's lookup_nonce() twice with the same values, the first call will
--return False and the second call will return True.
--
--    >>> print data_store.lookup_nonce("consumer", "token", "nonce")
--    False
--    >>> print data_store.lookup_nonce("consumer", "token", "nonce")
--    True
--
--    >>> print data_store.lookup_nonce("newconsumer", "token", "nonce")
--    False
--
--Now let's protect an application with lazr.restful's OAuthMiddleware,
--using our authentication technique and our simple data store.
--
--    >>> from lazr.restful.wsgi import OAuthMiddleware
--    >>> def protected_application():
--    ...     return OAuthMiddleware(
--    ...         dummy_application, realm="OAuth test",
--    ...         authenticate_with=authenticate, data_store=data_store)
--
--    >>> wsgi_intercept.add_wsgi_intercept(
--    ...     'oauthtest', 80, protected_application)
--    >>> client = httplib2.Http()
--
--A properly signed request will go through to the underlying WSGI
--application.
--
--    >>> from oauth.oauth import (
--    ...     OAuthRequest, OAuthSignatureMethod_PLAINTEXT)
--    >>> def sign_request(url, consumer=valid_consumer, token=valid_token):
--    ...     request = OAuthRequest().from_consumer_and_token(
--    ...         consumer, token, http_url=url)
--    ...     request.sign_request(
--    ...         OAuthSignatureMethod_PLAINTEXT(), consumer, token)
--    ...     headers = request.to_header('OAuth test')
--    ...     return headers
--
--    >>> url = 'http://oauthtest/'
--    >>> headers = sign_request(url)
--    >>> response, body = client.request(url, headers=headers)
--    >>> print response['status']
--    200
--    >>> print body
--    Success
--
--If you replay a signed HTTP request that worked the first time, it
--will fail the second time, because you'll be sending a nonce that was
--already used.
--
--    >>> response, body = client.request(url, headers=headers)
--    >>> print response['status']
--    401
--
--An unsigned request will fail.
--
--    >>> response, body = client.request('http://oauthtest/')
--    >>> print response['status']
--    401
--
--A request signed with invalid credentials will fail.
--
--    >>> bad_token = OAuthToken("token", "badsecret")
--    >>> headers = sign_request(url, token=bad_token)
--    >>> response, body = client.request(url, headers=headers)
--    >>> print response['status']
--    401
--
 === modified file 'src/lazr/restful/testing/webservice.py'
 --- src/lazr/restful/testing/webservice.py	2009-10-06 15:59:10 +0000
 +++ src/lazr/restful/testing/webservice.py	2009-10-07 13:05:19 +0000
@@ -11,7 +11,6 @@
      'pprint_entry',
      'WebServiceTestPublication',
      'WebServiceTestRequest',
--    'SimpleOAuthDataStore',
      'TestPublication',
+     ]
@@ -22,8 +21,6 @@
  from urlparse import urljoin
  import wsgi_intercept
--from oauth.oauth import OAuthDataStore
--
  from zope.component import adapts, getUtility, queryMultiAdapter
  from zope.interface import implements
  from zope.publisher.browser import BrowserRequest
@@ -363,33 +360,3 @@
      def __str__(self):
          return "http://dummy"
      __call__ = __str__
--
--
--class SimpleOAuthDataStore(OAuthDataStore):
--    """A very simple implementation of the oauth library's OAuthDataStore."""
--
--    def __init__(self, consumers={}, tokens={}):
--        """Initialize with no nonces."""
--        self.consumers = consumers
--        self.tokens = tokens
--        self.nonces = set()
--
--    def lookup_token(self, token_type, token_field):
--        """Turn a token key into an OAuthToken object."""
--        return self.tokens.get(token_field)
--
--    def lookup_consumer(self, consumer):
--        """Turn a consumer key into an OAuthConsumer object."""
--        return self.consumers.get(consumer)
--
--    def lookup_nonce(self, consumer, token, nonce):
--        """Make sure a nonce has not already been used.
--
--        If the nonce has not been used, add it to the set
--        so that a future call to this method will return False.
--        """
--        key = (consumer, token, nonce)
--        if key in self.nonces:
--            return True
--        self.nonces.add(key)
--        return False
 === modified file 'src/lazr/restful/version.txt'
 --- src/lazr/restful/version.txt	2009-10-06 16:09:51 +0000
 +++ src/lazr/restful/version.txt	2009-10-07 13:05:19 +0000
@@ -1,1 +1,1 @@
--0.9.8
++0.9.9
 === modified file 'src/lazr/restful/wsgi.py'
 --- src/lazr/restful/wsgi.py	2009-10-06 15:59:10 +0000
 +++ src/lazr/restful/wsgi.py	2009-10-07 13:05:19 +0000
@@ -2,13 +2,10 @@
  __metaclass__ = type
  __all__ = [
--    'BasicAuthMiddleware',
      'WSGIApplication',
+     ]
  from pkg_resources import resource_string
--import re
--import urlparse
  from wsgiref.simple_server import make_server as wsgi_make_server
  from zope.component import getUtility
@@ -16,9 +13,6 @@
  from zope.interface import implements
  from zope.publisher.publish import publish
--from oauth.oauth import (
--    OAuthError, OAuthRequest, OAuthServer, OAuthSignatureMethod_PLAINTEXT)
--
  from lazr.restful.interfaces import (
      IWebServiceConfiguration, IServiceRootResource)
  from lazr.restful.simple import Publication, Request
@@ -66,141 +60,3 @@
          """Create a WSGI server object for a particular web service."""
          cls.configure_server(host, port, config_package, config_file)
          return wsgi_make_server(host, int(port), cls)
--
--
--class AuthenticationMiddleware(object):
--    """A base class for middleware that authenticates HTTP requests.
--
--    This class implements a generic HTTP authentication workflow:
--    check whether the requested resource is protected, get credentials
--    from the WSGI environment, validate them (using a callback
--    function) and either allow or deny acces.
--    """
--
--    def __init__(self, application, authenticate_with,
--                 realm="Restricted area", protect_path_pattern='.*'):
--        """Constructor.
--
--        :param application: A WSGI application.
--
--        :param authenticate_with: A callback function that takes some
--            number of credential arguemnts (the number and type
--            depends on the implementation of
--            getCredentialsFromEnvironment()) and returns an object
--            representing the authenticated user. If the credentials
--            are invalid or don't identify any existing user, the
--            function should return None.
--
--        :param realm: The string to give out as the authentication realm.
--        :param protect_path_pattern: A regular expression string. URL
--            paths matching this string will be protected with the
--            authentication method. URL paths not matching this string
--            can be accessed without authenticating.
--        """
--        self.application = application
--        self.authenticate_with = authenticate_with
--        self.realm = realm
--        self.protect_path_pattern = re.compile(protect_path_pattern)
--
--    def _unauthorized(self, start_response):
--        """Short-circuit the request with a 401 error code."""
--        start_response("401 Unauthorized",
--                       [('WWW-Authenticate',
--                         'Basic realm="%s"' % self.realm)])
--        return ['401 Unauthorized']
--
--    def __call__(self, environ, start_response):
--        """Protect certain resources by checking auth credentials."""
--        path_info = environ.get('PATH_INFO', '/')
--        if not self.protect_path_pattern.match(path_info):
--            environ['authenticated_user'] = None
--            return self.application(environ, start_response)
--
--        try:
--            credentials = self.getCredentialsFromEnvironment(environ)
--        except ValueError:
--            credentials = None
--        if credentials is None:
--            return self._unauthorized(start_response)
--
--        authenticated_user = self.authenticate_with(*credentials)
--        if authenticated_user is None:
--            return self._unauthorized(start_response)
--
--        environ['authenticated_user'] = authenticated_user
--
--        return self.application(environ, start_response)
--
--    def getCredentialsFromEnvironment(self, environment):
--        """Retrieve a set of credentials from the environment.
--
--        This superclass implementation ignores the environment
--        entirely, and so never authenticates anybody.
--
--        :param environment: The WSGI environment.
--        :return: A list of objects to be passed into the authenticate_with
--                 callback function, or None if the credentials could not
--                 be determined.
--        """
--        return None
--
--
--class BasicAuthMiddleware(AuthenticationMiddleware):
--    """WSGI middleware that implements HTTP Basic Auth."""
--
--    def getCredentialsFromEnvironment(self, environ):
--        authorization = environ.get('HTTP_AUTHORIZATION')
--        if authorization is None:
--            return None
--
--        method, auth = authorization.split(' ', 1)
--        if method.lower() != 'basic':
--            return None
--
--        auth = auth.strip().decode('base64')
--        username, password = auth.split(':', 1)
--        return username, password
--
--
--class OAuthMiddleware(AuthenticationMiddleware):
--    """WSGI middleware that implements (part of) OAuth.
--
--    This middleware only protects resources by making sure requests
--    are signed with a valid consumer and access token. It does not
--    help clients get request tokens or exchange request tokens for
--    access tokens.
--    """
--
--    def __init__(self, application, authenticate_with, data_store=None,
--                 realm="Restricted area", protect_path_pattern='.*'):
--        """See `AuthenticationMiddleware.`
--
--        :param data_store: An OAuthDataStore.
--        """
--        super(OAuthMiddleware, self).__init__(
--            application, authenticate_with, realm, protect_path_pattern)
--        self.data_store = data_store
--
--    def getCredentialsFromEnvironment(self, environ):
--        http_method = environ['REQUEST_METHOD']
--
--        # Recreate the URL.
--        url_scheme = environ['wsgi.url_scheme']
--        hostname = environ['HTTP_HOST']
--        path = environ['PATH_INFO']
--        query_string = environ['QUERY_STRING']
--        original_url = urlparse.urlunparse(
--            (url_scheme, hostname, path, '', query_string, ''))
--        headers = {'Authorization' : environ.get('HTTP_AUTHORIZATION', '')}
--        request = OAuthRequest().from_request(
--            http_method, original_url, headers=headers,
--            query_string=query_string)
--        if request is None:
--            return None
--        server = OAuthServer(self.data_store)
--        server.add_signature_method(OAuthSignatureMethod_PLAINTEXT())
--        try:
--            consumer, token, parameters = server.verify_request(request)
--        except OAuthError, e:
--            return None
--        return consumer, token, parameters