pypicloud.access.base module¶

The access backend object base class

class pypicloud.access.base.IAccessBackend(request=None, default_read=None, default_write=None, disallow_fallback=(), cache_update=None, pwd_context=None, token_expiration=604800, signing_key=None)[source]¶

Bases: object

Base class for retrieving user and package permission data

ROOT_ACL = [('Allow', 'system.Authenticated', 'login'), ('Allow', 'admin', <pyramid.security.AllPermissionsList object>), ('Deny', 'system.Everyone', <pyramid.security.AllPermissionsList object>)][source]¶

allow_register() → bool[source]¶

Check if the backend allows registration

This should only be overridden by mutable backends

Returns:	allow : bool

allow_register_token() → bool[source]¶

Check if the backend allows registration via tokens

This should only be overridden by mutable backends

Returns:	allow : bool

allowed_permissions(package: str) → Dict[str, Tuple[str, ...]][source]¶

Get all allowed permissions for all principals on a package

Returns:	perms : dict Mapping of principal to tuple of permissions

can_update_cache() → bool[source]¶: Return True if the user has permissions to update the pypi cache

check_health() → Tuple[bool, str][source]¶

Check the health of the access backend

Returns:	(healthy, status) : (bool, str) Tuple that describes the health status and provides an optional status message

classmethod configure(settings: pypicloud.util.EnvironSettings) → Dict[str, Any][source]¶: Configure the access backend with app settings

dump() → Dict[str, Any][source]¶

Dump all of the access control data to a universal format

Returns:	data : dict

get_acl(package: str) → List[Tuple[str, str, str]][source]¶: Construct an ACL for a package

group_members(group: str) → List[str][source]¶

Get a list of users that belong to a group

Parameters:	group : str
Returns:	users : list List of user names

group_package_permissions(group: str) → List[Dict[str, List[str]]][source]¶

Get a list of all packages that a group has permissions on

Parameters:	group : str
Returns:	packages : list List of dicts. Each dict contains ‘package’ (str) and ‘permissions’ (list)

group_permissions(package: str) → Dict[str, List[str]][source]¶

Get a mapping of all groups to their permissions on a package

Parameters:	package : str The name of a python package
Returns:	permissions : dict mapping of group name to a list of permissions (which can contain ‘read’ and/or ‘write’)

groups(username: Optional[str] = None) → List[str][source]¶

Get a list of all groups

If a username is specified, get all groups that the user belongs to

Parameters:	username : str, optional
Returns:	groups : list List of group names

has_permission(package: str, perm: str) → bool[source]¶: Check if this user has a permission for a package

in_any_group(username: str, groups: List[str]) → bool[source]¶

Find out if a user is in any of a set of groups

Parameters:	username : str Name of user. May be None for the anonymous user. groups : list list of group names. Supports ‘everyone’, ‘authenticated’, and ‘admin’.
Returns:	member : bool

in_group(username: Optional[str], group: str) → bool[source]¶

Find out if a user is in a group

Parameters:	username : str, None Name of user. May be None for the anonymous user. group : str Name of the group. Supports ‘everyone’, ‘authenticated’, and ‘admin’.
Returns:	member : bool

is_admin(username: str) → bool[source]¶

Check if the user is an admin

Parameters:	username : str
Returns:	is_admin : bool

load(data)[source]¶

Idempotently load universal access control data.

By default, this does nothing on immutable backends. Backends may override this method to provide an implementation.

This method works by default on mutable backends with no override necessary.

mutable = False[source]¶

need_admin() → bool[source]¶

Find out if there are any admin users

This should only be overridden by mutable backends

Returns:	need_admin : bool True if no admin user exists and the backend is mutable, False otherwise

classmethod postfork(**kwargs)[source]¶: This method will be called after uWSGI forks

user_data(username=None)[source]¶

Get a list of all users or data for a single user

For Mutable backends, this MUST exclude all pending users

Returns:	users : list Each user is a dict with a ‘username’ str, and ‘admin’ bool user : dict If a username is passed in, instead return one user with the fields above plus a ‘groups’ list.

user_package_permissions(username: str) → List[Dict[str, List[str]]][source]¶

Get a list of all packages that a user has permissions on

Parameters:	username : str
Returns:	packages : list List of dicts. Each dict contains ‘package’ (str) and ‘permissions’ (list)

user_permissions(package: str) → Dict[str, List[str]][source]¶

Get a mapping of all users to their permissions for a package

Parameters:	package : str The name of a python package
Returns:	permissions : dict Mapping of username to a list of permissions (which can contain ‘read’ and/or ‘write’)

user_principals(username: Optional[str]) → List[str][source]¶

Get a list of principals for a user

Parameters:	username : str
Returns:	principals : list

verify_user(username: str, password: str) → bool[source]¶

Check the login credentials of a user

For Mutable backends, pending users should fail to verify

Parameters:	username : str password : str
Returns:	valid : bool True if user credentials are valid, false otherwise

class pypicloud.access.base.IMutableAccessBackend(request=None, default_read=None, default_write=None, disallow_fallback=(), cache_update=None, pwd_context=None, token_expiration=604800, signing_key=None)[source]¶

Bases: pypicloud.access.base.IAccessBackend

Base class for access backends that can change user/group permissions

allow_register()[source]¶

Check if the backend allows registration

This should only be overridden by mutable backends

Returns:	allow : bool

allow_register_token()[source]¶

Check if the backend allows registration via tokens

This should only be overridden by mutable backends

Returns:	allow : bool

approve_user(username: str) → None[source]¶

Mark a user as approved by the admin

Parameters:	username : str

create_group(group: str) → None[source]¶

Create a new group

Parameters:	group : str

delete_group(group: str) → None[source]¶

Delete a group

Parameters:	group : str

delete_user(username: str) → None[source]¶

Delete a user

Parameters:	username : str

dump()[source]¶

Dump all of the access control data to a universal format

Returns:	data : dict

edit_group_permission(package: str, group: str, perm: Set[str], add: bool) → None[source]¶

Grant or revoke a permission for a group on a package

Parameters:	package : str group : str perm : {‘read’, ‘write’} add : bool If True, grant permissions. If False, revoke.

edit_user_group(username: str, group: str, add: bool) → None[source]¶

Add or remove a user to/from a group

Parameters:	username : str group : str add : bool If True, add to group. If False, remove.

edit_user_password(username: str, password: str) → None[source]¶

Change a user’s password

Parameters:	username : str password : str

edit_user_permission(package: str, username: str, perm: Set[str], add: bool) → None[source]¶

Grant or revoke a permission for a user on a package

Parameters:	package : str username : str perm : {‘read’, ‘write’} add : bool If True, grant permissions. If False, revoke.

get_signup_token(username: str) → str[source]¶

Create a signup token

Parameters:	username : str The username to be created when this token is consumed
Returns:	token : str

load(data)[source]¶

Idempotently load universal access control data.

By default, this does nothing on immutable backends. Backends may override this method to provide an implementation.

This method works by default on mutable backends with no override necessary.

mutable = True[source]¶

need_admin() → bool[source]¶

Find out if there are any admin users

This should only be overridden by mutable backends

Returns:	need_admin : bool True if no admin user exists and the backend is mutable, False otherwise

pending_users() → List[str][source]¶

Retrieve a list of all users pending admin approval

Returns:	users : list List of usernames

register(username: str, password: str) → None[source]¶

Register a new user

The new user should be marked as pending admin approval

Parameters:	username : str password : str This should be the plaintext password

set_allow_register(allow: bool) → None[source]¶

Allow or disallow user registration

Parameters:	allow : bool

set_user_admin(username: str, admin: bool) → None[source]¶

Grant or revoke admin permissions for a user

Parameters:	username : str admin : bool If True, grant permissions. If False, revoke.

validate_signup_token(token: str) → Optional[str][source]¶

Validate a signup token

Parameters:	token : str
Returns:	username : str or None This will be None if the validation fails

pypicloud.access.base.get_pwd_context(preferred_hash: Optional[str] = None, rounds: Optional[int] = None) → passlib.context.LazyCryptContext[source]¶: Create a passlib context for hashing passwords

pypicloud.access.base.group_to_principal(group: str) → str[source]¶: Convert a group to its corresponding principal

pypicloud.access.base.groups_to_principals(groups: List[str]) → List[str][source]¶: Convert a list of groups to a list of principals