1.
Pyramid Security

2.
Who are you?
村岡友介
MURAOKA Yusuke
@jbking
Self Contractor
pylons-ja
pypy-ja
django-ja

3.
Agenda
Security
Basics
Authentication
Authorization
Advanced

4.
Before dive into...
http://bit.ly/PyramidSecurity-

5.
What about Security
applicatio csrf,
n injections,
Tons of topics we xss
could discuss identifier,
framework authn,
Can be categorized authz
into some layers poisoning,
infra-
structure sniffing,
We focus today
“framework”layer
ddos
shoulder
social
hack

6.
No Security Pyramid
development.ini
production.ini
proj/templates/mytemplate.pt
proj/models.py
proj/views.py
proj/scripts
proj/scripts/initializedb.py
proj/scripts/__init__.py
proj/__init__.py
proj/tests.py
small starting...

7.
No Security Pyramid
development.ini
Configuration
production.ini
proj/templates/mytemplate.pt
proj/models.py
MV of MVC
proj/views.py
proj/scripts
proj/scripts/initializedb.py
proj/scripts/__init__.py
proj/__init__.py Make WSGI app
proj/tests.py
small starting...

8.
Security

9.
Basics
Authentication
/etc/passwd
Authorization
ls -l .
-rw-r--r-- 1 yusuke staff

10.
Basics

11.
Basics

12.
Easy enough?

13.
How to Enable Security
# in bootstrap
authentication_policy = AnAuthenticationPolicy()
authorization_policy = AnAuthorizationPolicy()
config = Configurator(settings=settings)
config.set_authentication_policy(authentication_policy)
config.set_authorization_policy(authorization_policy)
# in views
@view_config(permission=’...’, ...)
def logout(request):
headers = forget(request)
...

14.
Authentication in
Usage
authenticated_userid(request)
unauthenticated_userid(request)
effective_principals(request)
forget(request)
remember(request, principal, **kw)

15.
Authentication in
Usage
authenticated_userid(request)
unauthenticated_userid(request)
effective_principals(request)
forget(request) Response
remember(request, principal, **kw) Headers

16.
Authentication Policy
interface IAuthenticationPolicy
authenticated_userid(request)
unauthenticated_userid(request)
effective_principals(request)
remember(request, principal, **kw)
forget(request)

17.
Authentication Policy
interface IAuthenticationPolicy
authenticated_userid(request)
unauthenticated_userid(request) Principals
effective_principals(request)
remember(request, principal, **kw) Response
forget(request) Headers

18.
Bundled
Authentication Policy
AuthTktAuthenticationPolicy
RemoteUserAuthenticationPolicy
RepozeWho1AuthenticationPolic
y

19.
Authorization in Usage
has_permission(permission, context, request)
principals_allowed_by_permission(context, permission)
view_execution_permitted(context, permission, name=’’)

20.
Authorization in Usage
Check
has_permission(permission, context, request) Permissio
n
principals_allowed_by_permission(context, permission)
view_execution_permitted(context, permission, name=’’)

21.
Authorization Policy
interface IAuthorizationPolicy
principals_allowed_by_permission(context, permission)
permits(context, principals, permission)

22.
Authorization Policy
interface IAuthorizationPolicy
principals_allowed_by_permission(context, permission)
Check
permits(context, principals, permission) Permissio
n

23.
Bundled Authorization
Policy
ACLAuthorizationPolic

24.
Any Question?

25.
Advanced

26.
Security Pyramid
development.ini
production.ini
proj/templates/mytemplate.pt
proj/models.py
proj/views.py
proj/resources.py
proj/authentication.py
proj/authorization.py
...

27.
Security Pyramid
development.ini
production.ini
proj/templates/mytemplate.pt
proj/models.py
proj/views.py
proj/resources.py Find Resource
proj/authentication.py
Custom Security
proj/authorization.py
...

28.
Typical Stack
# in bootstrap
authentication_policy =
CustomAuthTktAuthenticationPolicy('seekrit')
authorization_policy = ACLAuthorizationPolicy()
config.add_route(..., ..., factory=resources.find_object)
# in resources
def find_object(request):
obj = ...
assert getattr(obj, ‘__acl__’, None) is not None
return obj
# in models
class Model:
__acl__ = [(Allow, Authenticated, ‘view’)]

29.
Always Tom
Authentication
class AlwaysTomPolicy(CallbackAuthenticationPolicy):
def unauthenticated_userid(self, request):
return ‘tom’
def remember(self, request, principal, **kw):
return []
def forget(self, request):
return []

30.
LDAP? Other Authn?
pip search repoze.who

31.
Any Question again?

32.
Thanks :)