Aspek security yang lebih rapi

CHANGES.txt

+0.4.1 2020-11-26
+----------------
+- Aspek security yang lebih rapi.
+
 0.4 2020-11-15
 --------------
 - Daemon bin/iso8583 tidak lagi memuat web service. Sebagai gantinya pembuatan

iso8583_web/__init__.py

@@ -7,13 +7,7 @@ from pyramid.i18n import get_localizer
 from pyramid.threadlocal import get_current_request
 from pyramid.config import Configurator
 from pyramid_beaker import session_factory_from_settings
-from pyramid.authentication import AuthTktAuthenticationPolicy
-from pyramid.authorization import ACLAuthorizationPolicy
 from pyramid_mailer import mailer_factory_from_settings
-from .security import (
-    group_finder,
-    get_user,
-    )
 from .tools.this_framework import get_locale_name
 from .views import RemoveSlashNotFoundViewFactory
 from .iso8583 import (
@@ -53,17 +47,10 @@ def main(global_config, **settings):
         session_factory=session_factory,
         locale_negotiator=get_locale_name)
     config.include('.models')
-    config.include('pyramid_tm')
     config.include('pyramid_beaker')
     config.include('pyramid_chameleon')
-    config.include('.renderers')
     config.include('.routes')
-    authn_policy = AuthTktAuthenticationPolicy(
-            'sosecret', callback=group_finder, hashalg='sha512')
-    config.set_authentication_policy(authn_policy)
-    authz_policy = ACLAuthorizationPolicy()
-    config.set_authorization_policy(authz_policy)
-    config.add_request_method(get_user, 'user', reify=True)
+    config.include('.security')
     config.add_notfound_view(RemoveSlashNotFoundViewFactory())
     config.add_translation_dirs('locale')
     config.registry['mailer'] = mailer_factory_from_settings(settings)

iso8583_web/common.py

@@ -83,6 +83,11 @@ class BaseView:
         msg = f'{prefix} {msg}'
         log.debug(msg)
 
+    def log_error(self, msg):
+        prefix = self.log_prefix()
+        msg = f'{prefix} {msg}'
+        log.debug(msg)
+
 
 # Abstract class. Inherit, please.
 class BaseIsoView(BaseView):

iso8583_web/models/__init__.py

@@ -50,7 +50,7 @@ def includeme(config):
     """
     Initialize the model for a Pyramid app.
 
-    Activate this setup using ``config.include('linkaja_sambat.models')``.
+    Activate this setup using ``config.include('.models')``.
 
     """
     settings = config.get_settings()
@@ -63,7 +63,7 @@ def includeme(config):
     config.include('pyramid_retry')
 
     session_factory = get_session_factory(get_engine(settings))
-    config.registry['dbsession_factory'] = session_factory
+    # config.registry['dbsession_factory'] = session_factory
 
     # make request.dbsession available for use in Pyramid
     config.add_request_method(

iso8583_web/renderers.py

-from pyramid_linkaja.structure import RENDERER
-
-
-def includeme(config):
-    config.add_renderer(RENDERER, 'pyramid_linkaja.renderer.Renderer')

iso8583_web/security.py

+from pyramid.authentication import AuthTktAuthenticationPolicy
+from pyramid.authorization import ACLAuthorizationPolicy
 from .models.ziggurat import (
     User,
     UserGroup,
@@ -22,3 +24,12 @@ def get_user(request):
     if uid:
         q = request.dbsession.query(User).filter_by(id=uid)
         return q.first()
+
+
+def includeme(config):
+    authn_policy = AuthTktAuthenticationPolicy(
+            'sosecret', callback=group_finder, hashalg='sha512')
+    config.set_authentication_policy(authn_policy)
+    authz_policy = ACLAuthorizationPolicy()
+    config.set_authorization_policy(authz_policy)
+    config.add_request_method(get_user, 'user', reify=True)

iso8583_web/views/group.py

@@ -103,7 +103,8 @@ PERMISSIONS = [
 
 def get_form(request, class_form, group=None):
     schema = class_form()
-    schema = schema.bind(permission_list=PERMISSIONS, group=group)
+    schema = schema.bind(
+            request=request, permission_list=PERMISSIONS, group=group)
     btn_save = Button('save', _('Save'))
     btn_cancel = Button('cancel', _('Cance'))
     buttons = (btn_save, btn_cancel)
@@ -193,7 +194,7 @@ def view_edit(request):
     resp = dict(title=_('Edit group'))
     if not request.POST:
         d = group.to_dict_without_none()
-        d['permissions'] = group_permission_set(group)
+        d['permissions'] = group_permission_set(request.dbsession, group)
         resp['form'] = form.render(appstruct=d)
         return resp
     if 'save' not in request.POST:

iso8583_web/views/user.py

@@ -128,6 +128,7 @@ REGEX_BEGIN_END_ALPHANUMERIC = re.compile('^[a-z0-9]+(?:[-][a-z0-9]+)*$')
 class UsernameValidator(Validator):
     def __init__(self, kw):
         self.db_session = kw['request'].dbsession
+        self.user = kw['user']
 
     def __call__(self, node, value):
         username = value.lower()
@@ -203,7 +204,8 @@ def get_form(request, class_form, user=None):
         group_list.append(group)
     schema = class_form()
     schema = schema.bind(
-            status_list=status_list, group_list=group_list, user=user)
+            request=request, status_list=status_list, group_list=group_list,
+            user=user)
     btn_save = Button('save', _('Save'))
     btn_cancel = Button('cancel', _('Cancel'))
     return Form(schema, buttons=(btn_save, btn_cancel))
@@ -228,7 +230,7 @@ def insert(request, values):
     user.email = values['email'].lower()
     user.user_name = values['user_name'].lower()
     user.security_code_date = create_now()
-    remain = regenerate_security_code(user)
+    remain = regenerate_security_code(request.dbsession, user)
     request.dbsession.add(user)
     request.dbsession.flush()
     for gid in values['groups']:
@@ -256,6 +258,7 @@ def view_add(request):
         resp['form'] = form.render()
         return resp
     user, remain = insert(request, dict(c.items()))
+    request.log(f'tambah user {user.user_name}')
     send_email_security_code(
         request, user, remain, 'Welcome new user', 'email-new-user',
         'email-new-user.tpl')