vigiboard / dashboard / model / auth.py @ 805cc54a
History | View | Annotate | Download (6.63 KB)
1 |
# -*- coding: utf-8 -*-
|
---|---|
2 |
"""
|
3 |
Auth* related model.
|
4 |
|
5 |
This is where the models used by :mod:`repoze.who` and :mod:`repoze.what` are
|
6 |
defined.
|
7 |
|
8 |
It's perfectly fine to re-use this definition in the dashboard application,
|
9 |
though.
|
10 |
|
11 |
"""
|
12 |
import os |
13 |
from datetime import datetime |
14 |
import sys |
15 |
try:
|
16 |
from hashlib import sha1 |
17 |
except ImportError: |
18 |
sys.exit('ImportError: No module named hashlib\n'
|
19 |
'If you are on python2.4 this library is not part of python. '
|
20 |
'Please install it. Example: easy_install hashlib')
|
21 |
|
22 |
from sqlalchemy import Table, ForeignKey, Column |
23 |
from sqlalchemy.types import Unicode, Integer, DateTime |
24 |
from sqlalchemy.orm import relation, synonym |
25 |
|
26 |
from dashboard.model import DeclarativeBase, metadata, DBSession |
27 |
|
28 |
__all__ = ['User', 'Group', 'Permission'] |
29 |
|
30 |
|
31 |
#{ Association tables
|
32 |
|
33 |
|
34 |
# This is the association table for the many-to-many relationship between
|
35 |
# groups and permissions. This is required by repoze.what.
|
36 |
group_permission_table = Table('tg_group_permission', metadata,
|
37 |
Column('group_id', Integer, ForeignKey('tg_group.group_id', |
38 |
onupdate="CASCADE", ondelete="CASCADE")), |
39 |
Column('permission_id', Integer, ForeignKey('tg_permission.permission_id', |
40 |
onupdate="CASCADE", ondelete="CASCADE")) |
41 |
) |
42 |
|
43 |
# This is the association table for the many-to-many relationship between
|
44 |
# groups and members - this is, the memberships. It's required by repoze.what.
|
45 |
user_group_table = Table('tg_user_group', metadata,
|
46 |
Column('user_id', Integer, ForeignKey('tg_user.user_id', |
47 |
onupdate="CASCADE", ondelete="CASCADE")), |
48 |
Column('group_id', Integer, ForeignKey('tg_group.group_id', |
49 |
onupdate="CASCADE", ondelete="CASCADE")) |
50 |
) |
51 |
|
52 |
|
53 |
#{ The auth* model itself
|
54 |
|
55 |
|
56 |
class Group(DeclarativeBase): |
57 |
"""
|
58 |
Group definition for :mod:`repoze.what`.
|
59 |
|
60 |
Only the ``group_name`` column is required by :mod:`repoze.what`.
|
61 |
|
62 |
"""
|
63 |
|
64 |
__tablename__ = 'tg_group'
|
65 |
|
66 |
#{ Columns
|
67 |
|
68 |
group_id = Column(Integer, autoincrement=True, primary_key=True) |
69 |
|
70 |
group_name = Column(Unicode(16), unique=True, nullable=False) |
71 |
|
72 |
display_name = Column(Unicode(255))
|
73 |
|
74 |
created = Column(DateTime, default=datetime.now) |
75 |
|
76 |
#{ Relations
|
77 |
|
78 |
users = relation('User', secondary=user_group_table, backref='groups') |
79 |
|
80 |
#{ Special methods
|
81 |
|
82 |
def __repr__(self): |
83 |
return '<Group: name=%s>' % self.group_name |
84 |
|
85 |
def __unicode__(self): |
86 |
return self.group_name |
87 |
|
88 |
#}
|
89 |
|
90 |
|
91 |
# The 'info' argument we're passing to the email_address and password columns
|
92 |
# contain metadata that Rum (http://python-rum.org/) can use generate an
|
93 |
# admin interface for your models.
|
94 |
class User(DeclarativeBase): |
95 |
"""
|
96 |
User definition.
|
97 |
|
98 |
This is the user definition used by :mod:`repoze.who`, which requires at
|
99 |
least the ``user_name`` column.
|
100 |
|
101 |
"""
|
102 |
__tablename__ = 'tg_user'
|
103 |
|
104 |
#{ Columns
|
105 |
|
106 |
user_id = Column(Integer, autoincrement=True, primary_key=True) |
107 |
|
108 |
user_name = Column(Unicode(16), unique=True, nullable=False) |
109 |
|
110 |
email_address = Column(Unicode(255), unique=True, nullable=False, |
111 |
info={'rum': {'field':'Email'}}) |
112 |
|
113 |
display_name = Column(Unicode(255))
|
114 |
|
115 |
_password = Column('password', Unicode(80), |
116 |
info={'rum': {'field':'Password'}}) |
117 |
|
118 |
created = Column(DateTime, default=datetime.now) |
119 |
|
120 |
#{ Special methods
|
121 |
|
122 |
def __repr__(self): |
123 |
return '<User: email="%s", display name="%s">' % ( |
124 |
self.email_address, self.display_name) |
125 |
|
126 |
def __unicode__(self): |
127 |
return self.display_name or self.user_name |
128 |
|
129 |
#{ Getters and setters
|
130 |
|
131 |
@property
|
132 |
def permissions(self): |
133 |
"""Return a set of strings for the permissions granted."""
|
134 |
perms = set()
|
135 |
for g in self.groups: |
136 |
perms = perms | set(g.permissions)
|
137 |
return perms
|
138 |
|
139 |
@classmethod
|
140 |
def by_email_address(cls, email): |
141 |
"""Return the user object whose email address is ``email``."""
|
142 |
return DBSession.query(cls).filter(cls.email_address==email).first()
|
143 |
|
144 |
@classmethod
|
145 |
def by_user_name(cls, username): |
146 |
"""Return the user object whose user name is ``username``."""
|
147 |
return DBSession.query(cls).filter(cls.user_name==username).first()
|
148 |
|
149 |
def _set_password(self, password): |
150 |
"""Hash ``password`` on the fly and store its hashed version."""
|
151 |
hashed_password = password |
152 |
|
153 |
if isinstance(password, unicode): |
154 |
password_8bit = password.encode('UTF-8')
|
155 |
else:
|
156 |
password_8bit = password |
157 |
|
158 |
salt = sha1() |
159 |
salt.update(os.urandom(60))
|
160 |
hash = sha1() |
161 |
hash.update(password_8bit + salt.hexdigest())
|
162 |
hashed_password = salt.hexdigest() + hash.hexdigest()
|
163 |
|
164 |
# Make sure the hashed password is an UTF-8 object at the end of the
|
165 |
# process because SQLAlchemy _wants_ a unicode object for Unicode
|
166 |
# columns
|
167 |
if not isinstance(hashed_password, unicode): |
168 |
hashed_password = hashed_password.decode('UTF-8')
|
169 |
|
170 |
self._password = hashed_password
|
171 |
|
172 |
def _get_password(self): |
173 |
"""Return the hashed version of the password."""
|
174 |
return self._password |
175 |
|
176 |
password = synonym('_password', descriptor=property(_get_password, |
177 |
_set_password)) |
178 |
|
179 |
#}
|
180 |
|
181 |
def validate_password(self, password): |
182 |
"""
|
183 |
Check the password against existing credentials.
|
184 |
|
185 |
:param password: the password that was provided by the user to
|
186 |
try and authenticate. This is the clear text version that we will
|
187 |
need to match against the hashed one in the database.
|
188 |
:type password: unicode object.
|
189 |
:return: Whether the password is valid.
|
190 |
:rtype: bool
|
191 |
|
192 |
"""
|
193 |
hashed_pass = sha1() |
194 |
hashed_pass.update(password + self.password[:40]) |
195 |
return self.password[40:] == hashed_pass.hexdigest() |
196 |
|
197 |
|
198 |
class Permission(DeclarativeBase): |
199 |
"""
|
200 |
Permission definition for :mod:`repoze.what`.
|
201 |
|
202 |
Only the ``permission_name`` column is required by :mod:`repoze.what`.
|
203 |
|
204 |
"""
|
205 |
|
206 |
__tablename__ = 'tg_permission'
|
207 |
|
208 |
#{ Columns
|
209 |
|
210 |
permission_id = Column(Integer, autoincrement=True, primary_key=True) |
211 |
|
212 |
permission_name = Column(Unicode(16), unique=True, nullable=False) |
213 |
|
214 |
description = Column(Unicode(255))
|
215 |
|
216 |
#{ Relations
|
217 |
|
218 |
groups = relation(Group, secondary=group_permission_table, |
219 |
backref='permissions')
|
220 |
|
221 |
#{ Special methods
|
222 |
|
223 |
def __repr__(self): |
224 |
return '<Permission: name=%s>' % self.permission_name |
225 |
|
226 |
def __unicode__(self): |
227 |
return self.permission_name |
228 |
|
229 |
#}
|
230 |
|
231 |
|
232 |
#}
|