security Package

security Package

Security

authentication Module

class opennode.oms.security.authentication.AuthenticationUtility

Bases: grokcore.component.components.GlobalUtility

getPrincipal(id)

registerPrincipal(principal)

class opennode.oms.security.authentication.PamAuthChecker

Bases: object

Check user credentials using PAM infrastructure

credentialInterfaces = <InterfaceClass twisted.cred.credentials.IUsernamePassword>

requestAvatarId(credentials)

opennode.oms.security.authentication.checkers()

opennode.oms.security.authentication.create_special_principals()

opennode.oms.security.authentication.get_linux_groups_for_user(user)

opennode.oms.security.authentication.reload_groups(stream)

opennode.oms.security.authentication.reload_roles(stream)

opennode.oms.security.authentication.reload_users(stream)

opennode.oms.security.authentication.setup_conf_reload_watch(path, handler)

Registers a inotify watch which will invoke handler for passing the open file

opennode.oms.security.authentication.setup_groups(event)

opennode.oms.security.authentication.setup_permissions(event)

opennode.oms.security.authentication.setup_roles(event)

opennode.oms.security.authentication.ssha_hash(user, password, encoded_password)

checker Module

class opennode.oms.security.checker.AuditingPermissionDictionary

Bases: dict

get(key, default=None)

marker = <object object at 0x38cc670>

seen = {}

class opennode.oms.security.checker.Checker(get_permissions, set_permissions=None, interaction=None)

Bases: object

check(object, name)

See IChecker

check_getattr(object, name)

See IChecker

check_setattr(object, name)

See IChecker

permission_id(name)

See INameBasedChecker

proxy(value)

See IChecker

setattr_permission_id(name)

See INameBasedChecker

opennode.oms.security.checker.get_interaction(obj)

Extract interaction from a proxied object

opennode.oms.security.checker.proxy_factory(value, interaction)

class opennode.oms.security.checker.strong_defaultdict

Bases: collections.defaultdict

Python’s defaultdict type doesn’t invoke default factory when called with get, we need this subclass to implement a permissive checker.

get(name)

directives Module

class opennode.oms.security.directives.permissions(*args, **kw)

Bases: martian.directive.Directive

Use this directive in a class in order to set it’s attribute’s permissions.

default = None

scope = <martian.directive.ClassScope object at 0x2821cd0>

store = <martian.directive.StoreOnce object at 0x2821910>

grokkers Module

class opennode.oms.security.grokkers.SecurityGrokker

Bases: martian.components.ClassGrokker

execute(factory, config, permissions, **kw)

interaction Module

class opennode.oms.security.interaction.OmsSecurityPolicy(*args, **kw)

Bases: zope.securitypolicy.zopepolicy.ZopeSecurityPolicy

A Security Policy represents an interaction with a principal and performs the actual checks.

The default zope security system depends on keeping the current interaction in a thread local variable. OMS is based on the twisted async model and thus we avoid setting the current interaction within the current thread, as it could be used by different callbacks in the reactor.

We rely on a custom checker (see opennode.oms.security.checker) for embedding the interaction inside the security proxy itself; however in some cases we need to use security proxies which are created by other libraries (like secured adapters created for IPrincipalRoleManager) and in that cases we need to temporarily setup an interaction for the current thread, but we have to avoid that it leaks out to other coroutines.

For that end, we extend ZopeSecurityPolicy in such a way that it can be used as:

>>> with interaction:
...    primrole = IPrincipalRoleManager(obj)
...    primrole.getRolesForPrincipal(id)
...    # ...

The with context guard will ensure that the function containing this construct is not a generator, because using it in a defer.inlineCallbacks method will result in leaking the interaction to other goroutines.

class opennode.oms.security.interaction.SessionStub(principal=None)

Bases: object

opennode.oms.security.interaction.new_interaction(principal)

passwd Module

opennode.oms.security.passwd.ask_password()

opennode.oms.security.passwd.hash_pw(password)

opennode.oms.security.passwd.run()

permissions Module

class opennode.oms.security.permissions.Add(id, title='', description='')

Bases: grokcore.security.components.Permission

class opennode.oms.security.permissions.Create(id, title='', description='')

Bases: grokcore.security.components.Permission

class opennode.oms.security.permissions.Delete(id, title='', description='')

Bases: grokcore.security.components.Permission

class opennode.oms.security.permissions.Modify(id, title='', description='')

Bases: grokcore.security.components.Permission

class opennode.oms.security.permissions.Nothing(id, title='', description='')

Bases: grokcore.security.components.Permission

class opennode.oms.security.permissions.Read(id, title='', description='')

Bases: grokcore.security.components.Permission

class opennode.oms.security.permissions.Remove(id, title='', description='')

Bases: grokcore.security.components.Permission

class opennode.oms.security.permissions.Rest(id, title='', description='')

Bases: grokcore.security.components.Permission

class opennode.oms.security.permissions.Role(name, nick)

Bases: zope.securitypolicy.role.Role

Oms roles act as permissions

nick_to_role = {}

role_to_nick = {}

class opennode.oms.security.permissions.Traverse(id, title='', description='')

Bases: grokcore.security.components.Permission

class opennode.oms.security.permissions.View(id, title='', description='')

Bases: grokcore.security.components.Permission

principals Module

class opennode.oms.security.principals.Group(id)

Bases: opennode.oms.security.principals.User

class opennode.oms.security.principals.User(id)

Bases: object

opennode.oms.security.principals.effective_principals(principal_or_interaction, acc=None)

Returns all the principals including recursive groups