B
    `7                 @   s   d dl Z d dlmZ d dlmZ d dlmZ d dlmZ d dl	m
Z
mZmZmZmZmZmZmZ d dlmZ d dlmZ G d	d
 d
ZeeG dd dZdS )    N)implementer)action_method)LegacySessionCSRFStoragePolicy)ConfigurationError)PHASE1_CONFIGPHASE2_CONFIGIAuthenticationPolicyIAuthorizationPolicyICSRFStoragePolicyIDefaultCSRFOptionsIDefaultPermissionISecurityPolicy)LegacySecurityPolicy)as_sorted_tuplec               @   sf   e Zd Zdd Zedd Zedd Zedd Zed	d
 Zdd Z	edddZ
edd ZdS )SecurityConfiguratorMixinc             C   s   |  t  d S )N)set_csrf_storage_policyr   )self r   _/home/kop/projects/devel/pgwui/test_venv/lib/python3.7/site-packages/pyramid/config/security.pyadd_default_security   s    z.SecurityConfiguratorMixin.add_default_securityc                sN    fdd}   dd d} |d< jt|t|fd dS )a  Override the :app:`Pyramid` :term:`security policy` in the current
        configuration.  The ``policy`` argument must be an instance
        of a security policy or a :term:`dotted Python name`
        that points at an instance of a security policy.

        .. note::

           Using the ``security_policy`` argument to the
           :class:`pyramid.config.Configurator` constructor can be used to
           achieve the same purpose.

        c                  s   j  t d S )N)registryregisterUtilityr   r   )policyr   r   r   register(   s    z?SecurityConfiguratorMixin.set_security_policy.<locals>.registerzsecurity policyNr   )orderintrospectables)maybe_dottedintrospectableobject_descriptionactionr   r   )r   r   r   intrr   )r   r   r   set_security_policy   s    
z-SecurityConfiguratorMixin.set_security_policyc                s^   t jdtdd  fdd}  dd d} |d< jt|t|fd	 dS )
a  
        .. deprecated:: 2.0

            Authentication policies have been replaced by security policies.
            See :ref:`upgrading_auth_20` for more information.

        Override the :app:`Pyramid` :term:`authentication policy` in the
        current configuration.  The ``policy`` argument must be an instance
        of an authentication policy or a :term:`dotted Python name`
        that points at an instance of an authentication policy.

        .. note::

           Using the ``authentication_policy`` argument to the
           :class:`pyramid.config.Configurator` constructor can be used to
           achieve the same purpose.

        zAuthentication and authorization policies have been deprecated in favor of security policies.  See "Upgrading Authentication/Authorization" in "What's New in Pyramid 2.0" of the documentation for more information.   )
stacklevelc                 sV   j  t j td kr&tdj td k	r>tdt } j | t d S )NzCannot configure an authentication policy without also configuring an authorization policy (use the set_authorization_policy method)z]Cannot configure an authentication and authorizationpolicy with a configured security policy.)r   r   r   queryUtilityr	   r   r   r   )Zsecurity_policy)r   r   r   r   r   W   s    zESecurityConfiguratorMixin.set_authentication_policy.<locals>.registerzauthentication policyNr   )r   r   )	warningswarnDeprecationWarningr   r   r   r   r   r   )r   r   r   r    r   )r   r   r   set_authentication_policy:   s"    
z3SecurityConfiguratorMixin.set_authentication_policyc                sv   t jdtdd  fdd}fdd}  dd	 d} |d
< jt|t|fd d	| d	S )a  
        .. deprecated:: 2.0

            Authentication policies have been replaced by security policies.
            See :ref:`upgrading_auth_20` for more information.

        Override the :app:`Pyramid` :term:`authorization policy` in the
        current configuration.  The ``policy`` argument must be an instance
        of an authorization policy or a :term:`dotted Python name` that points
        at an instance of an authorization policy.

        .. note::

           Using the ``authorization_policy`` argument to the
           :class:`pyramid.config.Configurator` constructor can be used to
           achieve the same purpose.

        zAuthentication and authorization policies have been deprecated in favor of security policies.  See "Upgrading Authentication/Authorization" in "What's New in Pyramid 2.0" of the documentation for more information.r"   )r#   c                  s   j  t d S )N)r   r   r	   r   )r   r   r   r   r      s    zDSecurityConfiguratorMixin.set_authorization_policy.<locals>.registerc                  s&    j r
d S  jtd kr"tdd S )NzCannot configure an authorization policy without also configuring an authentication policy (use the set_authorization_policy method))Z
autocommitr   r$   r   r   r   )r   r   r   ensure   s
    zBSecurityConfiguratorMixin.set_authorization_policy.<locals>.ensurezauthorization policyNr   )r   r   )	r%   r&   r'   r   r   r   r   r	   r   )r   r   r   r)   r    r   )r   r   r   set_authorization_policyw   s&    


z2SecurityConfiguratorMixin.set_authorization_policyc                sX    fdd} dd d} |d<  d  d} |d< jt|t||fd dS )	a  
        Set the default permission to be used by all subsequent
        :term:`view configuration` registrations.  ``permission``
        should be a :term:`permission` string to be used as the
        default permission.  An example of a permission
        string: ``'view'``.  Adding a default permission makes it
        unnecessary to protect each view configuration with an
        explicit permission, unless your application policy requires
        some exception for a particular view.

        If a default permission is *not* set, views represented by
        view configuration registrations which do not explicitly
        declare a permission will be executable by entirely anonymous
        users (any authorization policy is ignored).

        Later calls to this method will conflict with earlier calls;
        there can be only one default permission active at a time within an
        application.

        .. warning::

          If a default permission is in effect, view configurations meant to
          create a truly anonymously accessible view (even :term:`exception
          view` views) *must* use the value of the permission importable as
          :data:`pyramid.security.NO_PERMISSION_REQUIRED`.  When this string
          is used as the ``permission`` for a view configuration, the default
          permission is ignored, and the view is registered, making it
          available to all callers regardless of their credentials.

        .. seealso::

            See also :ref:`setting_a_default_permission`.

        .. note::

           Using the ``default_permission`` argument to the
           :class:`pyramid.config.Configurator` constructor can be used to
           achieve the same purpose.
        c                  s   j  t d S )N)r   r   r   r   )
permissionr   r   r   r      s    zBSecurityConfiguratorMixin.set_default_permission.<locals>.registerzdefault permissionNvaluepermissionsr+   )r   r   )r   r   r   r   )r   r+   r   r    Z	perm_intrr   )r+   r   r   set_default_permission   s    *z0SecurityConfiguratorMixin.set_default_permissionc             C   s,   |  d||d}||d< | jd|fd dS )a  
        A configurator directive which registers a free-standing
        permission without associating it with a view callable.  This can be
        used so that the permission shows up in the introspectable data under
        the ``permissions`` category (permissions mentioned via ``add_view``
        already end up in there).  For example::

          config = Configurator()
          config.add_permission('view')
        r-   r+   r,   N)r   )r   r   )r   Zpermission_namer    r   r   r   add_permission   s    z(SecurityConfiguratorMixin.add_permissionT
csrf_tokenX-CSRF-TokenGETHEADOPTIONSTRACEFNc       
   	      s   t |||||||d  fdd}dd d}	||	d< ||	d< ||	d< t||	d	< ||	d
< ||	d< ||	d< jt|t|	fd dS )a  
        Set the default CSRF options used by subsequent view registrations.

        ``require_csrf`` controls whether CSRF checks will be automatically
        enabled on each view in the application. This value is used as the
        fallback when ``require_csrf`` is left at the default of ``None`` on
        :meth:`pyramid.config.Configurator.add_view`.

        ``token`` is the name of the CSRF token used in the body of the
        request, accessed via ``request.POST[token]``. Default: ``csrf_token``.

        ``header`` is the name of the header containing the CSRF token,
        accessed via ``request.headers[header]``. Default: ``X-CSRF-Token``.

        If ``token`` or ``header`` are set to ``None`` they will not be used
        for checking CSRF tokens.

        ``safe_methods`` is an iterable of HTTP methods which are expected to
        not contain side-effects as defined by RFC2616. Safe methods will
        never be automatically checked for CSRF tokens.
        Default: ``('GET', 'HEAD', 'OPTIONS', 'TRACE')``.

        ``check_origin`` is a boolean. If ``False``, the ``Origin`` and
        ``Referer`` headers will not be validated as part of automated
        CSRF checks.

        ``allow_no_origin`` is a boolean.  If ``True``, a request lacking both
        an ``Origin`` and ``Referer`` header will pass the CSRF check. This
        option has no effect if ``check_origin`` is ``False``.

        If ``callback`` is set, it must be a callable accepting ``(request)``
        and returning ``True`` if the request should be checked for a valid
        CSRF token. This callback allows an application to support
        alternate authentication methods that do not rely on cookies and
        are therefore not subject to CSRF attacks. For example, if a request is
        authenticated using the ``Authorization`` header instead of a cookie,
        this may return ``False`` for that request so that clients do not
        need to send the ``X-CSRF-Token`` header. The callback is only tested
        for non-safe methods as defined by ``safe_methods``.

        .. versionadded:: 1.7

        .. versionchanged:: 1.8
           Added the ``callback`` option.

        .. versionchanged:: 2.0
           Added the ``allow_no_origin`` and ``check_origin`` options.

        )require_csrftokenheadersafe_methodscheck_originallow_no_origincallbackc                  s   j  t d S )N)r   r   r   r   )optionsr   r   r   r   G  s    zDSecurityConfiguratorMixin.set_default_csrf_options.<locals>.registerzdefault csrf view optionsNr7   r8   r9   r:   r;   r<   r=   )r   r   )DefaultCSRFOptionsr   r   r   r   r   )
r   r7   r8   r9   r:   r;   r<   r=   r   r    r   )r>   r   r   set_default_csrf_options  s4    <z2SecurityConfiguratorMixin.set_default_csrf_optionsc                s<    fdd} dd d} |d< jt||fd dS )a  
        Set the :term:`CSRF storage policy` used by subsequent view
        registrations.

        ``policy`` is a class that implements the
        :class:`pyramid.interfaces.ICSRFStoragePolicy` interface and defines
        how to generate and persist CSRF tokens.

        c                  s   j  t d S )N)r   r   r
   r   )r   r   r   r   r   k  s    zCSecurityConfiguratorMixin.set_csrf_storage_policy.<locals>.registerzcsrf storage policyNr   )r   )r   r   r
   )r   r   r   r    r   )r   r   r   r   _  s
    z1SecurityConfiguratorMixin.set_csrf_storage_policy)Tr0   r1   r2   TFN)__name__
__module____qualname__r   r   r!   r(   r*   r.   r/   r@   r   r   r   r   r   r      s   !=<=      Ur   c               @   s   e Zd Zdd ZdS )r?   c             C   s2   || _ || _|| _t|| _|| _|| _|| _d S )N)r7   r8   r9   	frozensetr:   r;   r<   r=   )r   r7   r8   r9   r:   r;   r<   r=   r   r   r   __init__w  s    

zDefaultCSRFOptions.__init__N)rA   rB   rC   rE   r   r   r   r   r?   u  s   r?   )r%   Zzope.interfacer   Zpyramid.config.actionsr   Zpyramid.csrfr   Zpyramid.exceptionsr   Zpyramid.interfacesr   r   r   r	   r
   r   r   r   Zpyramid.securityr   Zpyramid.utilr   r   r?   r   r   r   r   <module>   s   (
  b