"""WSGI Policy Enforcement Point basic result handler - returns an HTML
access-denied message to the client if the client is not authorized.
3
Functionality in this module was moved here from its original location in the authz package.
5
6NERC DataGrid Project
7"""
# Module metadata.
__author__ = "P J Kershaw"
__date__ = "05/01/10"
__copyright__ = "(C) 2010 Science and Technology Facilities Council"
__contact__ = "Philip.Kershaw@stfc.ac.uk"
__revision__ = "$Id: $"
__license__ = "BSD - see LICENSE file in top-level directory"
import logging
# Module-level logger, named after this module's dotted path.
log = logging.getLogger(__name__)
16
17from httplib import UNAUTHORIZED, FORBIDDEN
18
19from ndg.security.server.wsgi import NDGSecurityMiddlewareBase
20from ndg.security.server.wsgi.authz.result_handler import (
21                                                PEPResultHandlerMiddlewareBase)
22
23
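class PEPResultHandlerMiddleware(PEPResultHandlerMiddlewareBase):
    """Default PEP result handler: invoked when access to a resource has been
    denied, it returns an HTTP error response to the client.

    The MultiHandler configured by AuthorizationMiddlewareBase is passed a
    checker (implemented in AuthorizationHandler) which decides whether to
    allow access or to dispatch the request to this handler.

    Override this class to customise the access-denied response, e.g. to
    offer the user a way to register for the dataset they were refused.  See
    the AuthorizationMiddlewareBase pepResultHandler keyword.

    PEPResultHandlerMiddlewareBase (SessionMiddlewareBase) provides the
    sessionKey attribute and the isAuthenticated property used below.
    """

    def __init__(self, app, global_conf, prefix='', **app_conf):
        '''Delegate construction to PEPResultHandlerMiddlewareBase.

        @type app: callable following WSGI interface
        @param app: next middleware application in the chain
        @type global_conf: dict
        @param global_conf: PasteDeploy global configuration dictionary
        @type prefix: basestring
        @param prefix: prefix for configuration items
        @type app_conf: dict
        @param app_conf: PasteDeploy application specific configuration
        dictionary
        '''
        super(PEPResultHandlerMiddleware, self).__init__(app,
                                                         global_conf,
                                                         prefix=prefix,
                                                         **app_conf)

    @PEPResultHandlerMiddlewareBase.initCall
    def __call__(self, environ, start_response):
        '''Return a 401 response if the caller is not authenticated, otherwise
        a 403 response carrying any message the PDP recorded in the session.

        @type environ: dict
        @param environ: WSGI environment (the initCall decorator is assumed to
        expose it as self.environ, which is what is read below)
        @type start_response: callable
        @param start_response: WSGI start_response callable
        @return: whatever _setErrorResponse returns for the chosen status
        '''
        log.debug("PEPResultHandlerMiddleware.__call__ ...")

        if not self.isAuthenticated:
            # Precaution only: an unauthenticated client should already have
            # been handled by AuthNRedirectHandlerMiddleware or PEPFilter.
            # Fail closed with a bare 401 rather than expose the PDP message.
            log.warning("PEPResultHandlerMiddleware: user is not "
                        "authenticated - setting HTTP 401 response")
            return self._setErrorResponse(code=UNAUTHORIZED)

        # The PEP records the PDP decision context in the session.  Tolerate a
        # missing session or context so a deny still yields a 403 instead of
        # an AttributeError (which the server would surface as a 500).
        session = self.environ.get(self.sessionKey) or {}
        pepCtx = session.get(
                    PEPResultHandlerMiddleware.PEPCTX_SESSION_KEYNAME) or {}
        pdpResponse = pepCtx.get(
                    PEPResultHandlerMiddleware.PEPCTX_RESPONSE_SESSION_KEYNAME)
        msg = getattr(pdpResponse, 'message', '') or ''

        # NOTE(review): msg originates from the PDP and is embedded verbatim in
        # the response body.  If _setErrorResponse renders the body as HTML,
        # confirm it escapes this text - a policy message may echo
        # request-derived values (resource URI, subject id).
        response = ("Access is forbidden for this resource:\n\n%s\n\n"
                    "Please check with your site administrator that you "
                    "have the required access privileges." % msg)

        return self._setErrorResponse(code=FORBIDDEN, msg=response)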