Implementation of cookie signing as done in mod_auth_tkt.

mod_auth_tkt is an Apache module that looks for these signed cookies
and sets ``REMOTE_USER``, ``REMOTE_USER_TOKENS`` (a comma-separated
list of groups) and ``REMOTE_USER_DATA`` (arbitrary string data).

This module is an alternative to the ``paste.auth.cookie`` module;
its primary benefit is compatibility with mod_auth_tkt, which in turn
makes it possible to use the same authentication process with
non-Python code run under Apache.

This class represents an authentication token. You must pass in
the shared secret, the userid, and the IP address. Optionally you
can include tokens (a list of strings, representing role names),
'user_data', which is arbitrary data available for your own use in
later scripts. Lastly, you can override the timestamp, cookie name,
whether to secure the cookie and the digest algorithm (for details
look at ``AuthTKTMiddleware``).

Once you provide all the arguments, use .cookie_value() to
generate the appropriate authentication ticket. .cookie()
generates a Cookie object, the str() of which is the complete
cookie header to be sent.

CGI usage::

    import os
    from paste.auth import auth_tkt

    token = auth_tkt.AuthTicket('sharedsecret', 'username',
        os.environ['REMOTE_ADDR'], tokens=['admin'])
    print 'Status: 200 OK'
    print 'Content-type: text/html'
    print token.cookie()
    print
    # ... redirect HTML ...

Webware usage::

    token = auth_tkt.AuthTicket('sharedsecret', 'username',
        self.request().environ()['REMOTE_ADDR'], tokens=['admin'])
    self.response().setCookie('auth_tkt', token.cookie_value())

Be careful not to do an HTTP redirect after login; use meta
refresh or JavaScript -- some browsers have bugs where cookies
aren't saved when set on a redirect.
looks for (if you have mod_auth_tkt installed, you don't need this
middleware, since Apache will set the environmental variables for
you).

Arguments:

``secret``:
    A secret that should be shared by any instances of this application.
    If this app is served from more than one machine, they should all
    have the same secret.

``cookie_name``:
    The name of the cookie to read and write from. Default ``auth_tkt``.

``secure``:
    If the cookie should be set as 'secure' (only sent over SSL) and if
    the login must be over SSL. (Defaults to False)

``httponly``:
    If the cookie should be marked as HttpOnly, which means that it's
    not accessible to JavaScript. (Defaults to False)

``include_ip``:
    If the cookie should include the user's IP address. If so, then
    if they change IPs their cookie will be invalid.

``logout_path``:
    The path under this middleware that should signify a logout. The
    page will be shown as usual, but the user will also be logged out
    when they visit this page.

``digest_algo``:
    Digest algorithm specified as a name of the algorithm provided by
    ``hashlib`` or as a compatible digest object constructor.
    Defaults to ``md5``, as in mod_auth_tkt. The others currently
    compatible with mod_auth_tkt are ``sha256`` and ``sha512``.

If used with mod_auth_tkt, then these settings (except logout_path) should
match the analogous Apache configuration settings.
This also adds two functions to the request:

``environ['paste.auth_tkt.set_user'](userid, tokens='', user_data='')``
    This sets a cookie that logs the user in. ``tokens`` is a
    string (comma-separated groups) or a list of strings.
    ``user_data`` is a string for your own use.

``environ['paste.auth_tkt.logout_user']()``
    Logs out the user.

``secret`` is required, but can be set globally or locally.