magpie.adapter.magpieowssecurity

Module Contents

Classes

MagpieOWSSecurity

Attributes

LOGGER

magpie.adapter.magpieowssecurity.LOGGER

class magpie.adapter.magpieowssecurity.MagpieOWSSecurity(container: magpie.typedefs.AnySettingsContainer)

Bases: twitcher.interface.OWSSecurityInterface

_cached_request: Dict[uuid.UUID, pyramid.request.Request]

_get_service_cached(service_name: magpie.typedefs.Str, request_uuid: uuid.UUID) → Tuple[magpie.services.ServiceInterface, Dict[str, magpie.typedefs.AnyValue]]

Cache this method with beaker based on the provided caching key parameters.

If the cache is not hit (expired timeout or new key entry), calls service_factory() to retrieve the actual ServiceInterface implementation. Otherwise, returns the cached service to avoid SQL queries.

Note

Function arguments are required to generate caching keys by which cached elements will be retrieved. Those arguments must be serializable to generate the cache key (i.e.: cannot pass a Request object that contains session and other unserializable/circular references).

See also

• magpie.adapter.magpieowssecurity.MagpieOWSSecurity.get_service()

• magpie.adapter.magpieservice.MagpieServiceStore.fetch_by_name()

get_service(request: pyramid.request.Request) → magpie.services.ServiceInterface

Obtains the service referenced by the request.

Caching is automatically handled according to configured application settings and whether the specific service name being requested was already processed recently and not expired.

verify_request(request: pyramid.request.Request) → bool

Verify that the service request is allowed.

Added in version 3.18: Available only in Twitcher >= 0.6.x.

check_request(request: pyramid.request.Request) → None

Verifies if the request user has access to the targeted resource according to parent service and permissions.

If the request path corresponds to configured Twitcher proxy, evaluate the ACL. Otherwise, ignore request access validation.

In the case Twitcher proxy path is matched, the Logged User MUST be allowed access following Effective Permissions resolution via ACL. Otherwise, :exception:`OWSAccessForbidden` is raised.

Failing to parse the request or any underlying component that raises an exception will be left up to the parent caller to handle the exception. In most typical use case, this means Twitcher will raise a generic :exception:`OWSException` with NoApplicableCode, unless the exception was more specifically handled.

Raises:

• OWSAccessForbidden – If the user does not have access to the targeted resource under the service.

• HTTPBadRequest – If a request parsing error was detected when trying to resolve the permission based on the service/resource.

• Exception – Any derived exception that was not explicitly handled is re-raised directly after logging the event.

Returns:

Nothing if user has access.

update_request_cookies(request: pyramid.request.Request) → None

Ensure login of the user and update the request cookies if Twitcher is in a special configuration.

Only update if MAGPIE_COOKIE_NAME is missing and is retrievable from access_token field within the Authorization header. Counter-validate the login procedure by calling Magpie’s /session which should indicate if there is a logged user.