
pyramid_ipauth

Project description

An authentication policy for Pyramid that sets identity and effective principals based on the remote IP address of the request.

Overview

To perform IP-address-based authentication, create an IPAuthenticationPolicy and specify the target IP range, userid and effective principals. Then set it as the authentication policy in your configurator:

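from pyramid_ipauth import IPAuthenticationPolicy

# Requests from 127.0.*.* are authenticated as "myuser" with principal "locals"
authn_policy = IPAuthenticationPolicy("127.0.*.*", "myuser", ["locals"])
config.set_authentication_policy(authn_policy)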

This will cause all requests from IP addresses in the 127.0.*.* range to be authenticated as user “myuser” and have the effective principal “locals”.

It is also possible to specify the configuration options in your deployment file:

[app:pyramidapp]
use = egg:mypyramidapp

ipauth.ipaddrs = 127.0.0.* 127.0.1.*
ipauth.principals = locals

You can then simply include the pyramid_ipauth package into your configurator:

config.include("pyramid_ipauth")

It will detect the ipauth settings and construct an appropriate policy.

Note that this package only supports matching against a single set of IP addresses. If you need to assign different credentials to different sets of IP addresses, you can use the pyramid_multiauth package in conjunction with pyramid_ipauth:

http://github.com/mozilla-services/pyramid_multiauth

If you don’t want to hard-code the userid or principals at configuration time, you may specify a “get_userid” and/or “get_principals” callback instead.

Specifying IP Addresses

IP addresses can be specified in a variety of forms, including:

  • “all”: all possible IPv4 and IPv6 addresses

  • “local”: all local addresses of the machine

  • “A.B.C.D”: a single IP address

  • “A.B.C.D/N”: a network address specification

  • “A.B.C.*”: a glob matching against all possible numbers

  • “A.B.C.D-E”: a glob matching against a range of numbers

  • a whitespace- or comma-separated string of any of the above

  • a netaddr IPAddress, IPRange, IPGlob, IPNetwork or IPSet object

  • a list, tuple or iterable of any of the above

Proxies

This module does not respect the X-Forwarded-For header by default, since it can be spoofed easily by malicious clients. If your server is behind a trusted proxy that sets the X-Forwarded-For header, you should explicitly declare the set of trusted proxies like so:

IPAuthenticationPolicy("127.0.*.*",
                       principals=["local"],
                       proxies="127.0.0.1")

The set of trusted proxy addresses can be specified using the same syntax as the set of IP addresses to authenticate.
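
Why the trusted-proxy set matters, shown as an added example that is not pyramid_ipauth's own code: it resolves the address to authenticate from REMOTE_ADDR and X-Forwarded-For, accepting a header entry only when the hop that reported it is trusted. The function names are hypothetical, the sample requests are constructed, and it uses the standard-library ipaddress module (addresses and CIDR only, no globs) rather than netaddr.

```python
import ipaddress

def parse_trusted(spec):
    """Parse a whitespace- or comma-separated string of addresses or CIDR
    networks. Glob forms such as "127.0.*.*" are not handled here."""
    return [ipaddress.ip_network(item, strict=False)
            for item in spec.replace(",", " ").split()]

def resolve_client_ip(remote_addr, xff_header, trusted):
    """Return the address an IP-based policy should match, or None.

    The chain is the X-Forwarded-For entries (oldest first) followed by the
    TCP peer address. Walk it from the peer backwards: each trusted proxy
    vouches only for the entry immediately to its left. The first address
    outside the trusted set is the client; everything further left is
    client-supplied and ignored.
    """
    chain = [p.strip() for p in (xff_header or "").split(",") if p.strip()]
    chain.append(remote_addr)
    addr = None
    for raw in reversed(chain):
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            return None  # malformed entry: fail closed, match nothing
        if not any(addr in net for net in trusted):
            return addr
    return addr  # every hop was trusted: the leftmost entry is the origin

if __name__ == "__main__":
    # Constructed sample requests: (REMOTE_ADDR, X-Forwarded-For, proxies)
    samples = [
        # No proxies declared: the header is ignored, the peer is used.
        ("203.0.113.7", "127.0.0.1", ""),
        # Trusted proxy at 127.0.0.1 reports the real client.
        ("127.0.0.1", "203.0.113.7", "127.0.0.1"),
        # Client-supplied entry to the left of the proxy's entry is ignored.
        ("127.0.0.1", "127.0.0.5, 203.0.113.7", "127.0.0.1"),
    ]
    for peer, xff, proxies in samples:
        client = resolve_client_ip(peer, xff, parse_trusted(proxies))
        print(peer, repr(xff), "->", client)
```

With an empty trusted set the header never influences the result, which is the behaviour the default configuration described above is meant to give.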

0.3.3 - 2017-02-02

  • Fix splitting ipset strings on whitespace; thanks @kaleposhobios

0.3.2 - 2017-01-22

  • Resolve some warnings and clean up some tests; thanks Scott Searcy

0.3.1 - 2016-03-18

  • Fixes for python3 compatibility

0.3.0 - 2016-03-18

  • Add support for python3

0.2.0 - 2013-10-14

  • Add get_userid and get_principals callback functions; thanks mrijken

  • Convert principals into a list if necessary; thanks janakj

0.1.1 - 2012-01-30

  • Update license to MPL 2.0

0.1.0 - 2011-11-11

  • Initial release
