Skip to content
/ pyramid_ipauth Public
forked from mozilla-services/pyramid_ipauth

a pyramid authentication policy based on remote ip address

0 stars 7 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

smsearcy/pyramid_ipauth

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

49 Commits

pyramid_ipauth

pyramid_ipauth

 
 

.coveragerc

.coveragerc

 
 

.gitignore

.gitignore

 
 

CHANGES.txt

CHANGES.txt

 
 

CONTRIBUTORS.txt

CONTRIBUTORS.txt

 
 

MANIFEST.in

MANIFEST.in

 
 

README.rst

README.rst

 
 

setup.cfg

setup.cfg

 
 

setup.py

setup.py

 
 

tox.ini

tox.ini

 
 

Repository files navigation

pyramid_ipauth

An authentication policy for Pyramid that sets identity and effective principals based on the remote IP address of the request.

Overview

To perform IP-address-based authentication, create an IPAuthenticationPolicy and specify the target IP range, userid and effective principals. Then set it as the authentication policy in your configurator:

authn_policy = IPAuthenticationPolicy("127.0.*.*", "myuser", ["locals"])
config.set_authentication_policy(authn_policy)

This will cause all requests from IP addresses in the 127.0.*.* range to be authenticated as user "myuser" and have the effective principal "locals".

It is also possible to specify the configuration options in your deployment file:

[app:pyramidapp]
use = egg:mypyramidapp

ipauth.ipaddrs = 127.0.0.* 127.0.1.*
ipauth.principals = locals

You can then simply include the pyramid_ipauth package into your configurator:

config.include("pyramid_ipauth")

It will detect the ipauth settings and construct an appropriate policy.

Note that this package only supports matching against a single set of IP addresss. If you need to assign different credentials to different sets of IP addresses, you can use the pyramid_multiauth package in conjunction with pyramid_ipauth:

http://github.com/mozilla-services/pyramid_multiauth

If you don't want to hard-code the userid or principals at configuration time, you may specify a "get_userid" and/or "get_principals" callback instead.

Specifying IP Addresses

IP addresses can be specified in a variety of forms, including:

  • "all": all possible IPv4 and IPv6 addresses
  • "local": all local addresses of the machine
  • "A.B.C.D" a single IP address
  • "A.B.C.D/N" a network address specification
  • "A.B.C.*" a glob matching against all possible numbers
  • "A.B.C.D-E" a glob matching against a range of numbers
  • a whitespace- or comma-separated string of any of the above
  • a netaddr IPAddress, IPRange, IPGlob, IPNetork of IPSet object
  • a list, tuple or iterable of any of the above

Proxies

This module does not respect the X-Forwarded-For header by default, since it can be spoofed easily by malicious clients. If your server is behind a trusted proxy that sets the X-Forwarded-For header, you should explicitly declare the set of trusted proxies like so:

IPAuthenticationPolicy("127.0.*.*",
                       principals=["local"],
                       proxies = "127.0.0.1")

The set of trusted proxy addresses can be specified using the same syntax as the set of IP addresses to authenticate.

About

a pyramid authentication policy based on remote ip address

Resources

Readme
Activity

Stars

0 stars

Watchers

2 watching

Forks

0 forks
Report repository

Releases

7 tags

Packages

No packages published

Languages

  • Python 100.0%