Ticket #210: security_server_patch_2.diff

server/python/testapp/development.ini

@@ +1 @@
+#
+# testapp - Pylons development environment configuration
+#
+# The %(here)s variable will be replaced with the parent directory of this file
+#
+[DEFAULT]
+debug = true
+# Uncomment and replace with the address which should receive any error reports
+#email_to = you@yourdomain.com
+smtp_server = localhost
+error_email_from = paste@localhost
+
+[server:main]
+use = egg:Paste#http
+host = 0.0.0.0
+port = 5000
+
+[app:main]
+use = egg:testapp
+full_stack = true
+cache_dir = %(here)s/data
+beaker.session.key = testapp
+beaker.session.secret = somesecret
+
+# If you'd like to fine-tune the individual locations of the cache data dirs
+# for the Cache data, or the Session saves, un-comment the desired settings
+# here:
+#beaker.cache.data_dir = %(here)s/data/cache
+#beaker.session.data_dir = %(here)s/data/sessions
+
+# WARNING: *THE LINE BELOW MUST BE UNCOMMENTED ON A PRODUCTION ENVIRONMENT*
+# Debug mode will enable the interactive debugging tool, allowing ANYONE to
+# execute malicious code after an exception is raised.
+#set debug = false
+
+
+# Logging configuration
+[loggers]
+keys = root, testapp
+
+[handlers]
+keys = console
+
+[formatters]
+keys = generic
+
+[logger_root]
+level = INFO
+handlers = console
+
+[logger_testapp]
+level = DEBUG
+handlers =
+qualname = testapp
+
+[handler_console]
+class = StreamHandler
+args = (sys.stderr,)
+level = NOTSET
+formatter = generic
+
+[formatter_generic]
+format = %(asctime)s,%(msecs)03d %(levelname)-5.5s [%(name)s] %(message)s
+datefmt = %H:%M:%S

server/python/testapp/testapp/tests/functional/test_security.py

@@ +1 @@
+from testapp.tests import *
+
+import simplejson
+
+class TestSecurityController(TestController):
+    def _get_permissions(self, user):
+        extra_environ = {}
+        if user:
+            extra_environ['REMOTE_USER'] = user
+        response = self.app.get(url_for(controller='security',
+                                        action='permissions'),
+                                extra_environ=extra_environ)
+        return simplejson.loads(response.body)['permissions']
+
+    def test_permissions(self):
+        permissions = self._get_permissions(None)
+
+        assert permissions["application"] == False
+        assert permissions["application.widgets.edit"] == False
+        assert permissions.has_key("layer")
+        # TODO test inside the layer properties
+
+        permissions = self._get_permissions("alice")
+
+        assert permissions["application"] == True
+        assert permissions["application.widgets.edit"] == True
+        assert permissions.has_key("layer")
+        # TODO test inside the layer properties
+
+        permissions = self._get_permissions("carol")
+
+        assert permissions["application"] == True
+        assert permissions["application.widgets.edit"] == False
+        assert permissions.has_key("layer")
+        # TODO test inside the layer properties

server/python/testapp/testapp/tests/functional/test_wms_auth_proxy.py

@@ +1 @@
+from testapp.tests import *
+
+import paste.fixture
+import BaseHTTPServer
+import threading
+import urllib2
+import time
+
+# When running the tests, no HTTP server is started. To simulate a WMS server,
+# a small HTTP server is run on port 9999.
+
+
+class WMSHTTPRequestHandler(BaseHTTPServer.BaseHTTPRequestHandler):
+    def do_GET(self):
+        self.send_response(200)
+        self.send_header("Content-type", "text/plain")
+        self.end_headers()
+        self.wfile.write("Dummy response\n")
+
+def run_httpd(server_class=BaseHTTPServer.HTTPServer,
+              handler_class=WMSHTTPRequestHandler):
+    server_address = ('', 9999)
+    httpd = server_class(server_address, handler_class)
+    server_running = True
+    threading.Thread(target=httpd.serve_forever).start()
+    # Wait some times to allow the server to startup
+    import time
+    time.sleep(0.5)
+
+# Having the setup/teardown method inside TestWmsAuthProxyController is not working
+# so let's have them at the module level.
+def setup():
+    run_httpd()
+
+class TestWmsAuthProxyController(TestController):
+    def check_access(self, alias, user, layers, expected_allowed):
+        # url_for() is not working for "<url>/*more syntax. So hardcoding is
+        # needed
+        url = "/wms_auth_proxy/%s/wms?layers=%s" % (alias, ",".join(layers))
+        allowed = True
+        content = ""
+        try:
+            extra_environ = {}
+            if user:
+                extra_environ['REMOTE_USER'] = user
+            content = self.app.get(url, extra_environ=extra_environ)
+        except paste.fixture.AppError, e:
+            print "Exception: %s %s" % (e.__class__, e)
+            allowed = False
+        assert expected_allowed == allowed, "Unexpected access to resource " + \
+               "alias: %s user: %s layers: %s allowed: %s" % \
+               (alias, user, layers, expected_allowed)
+        # FIXME: can't make a distinction between invalid alias and denied response
+        if expected_allowed:
+            assert content, "Content shouldn't be empty (%s)" % repr(content)
+
+    def test_basic(self):
+        # Check that we fail for invalid alias
+        try:
+            self.check_access("non_existant", None, [], True)
+        except AssertionError:
+            pass
+        else: 
+            raise AssertionError("Should have raised an assertion about wrong alias")
+
+    def test_no_restriction(self):
+        self.check_access("no_restrictions", None, [], True)
+        self.check_access("no_restrictions", "alice", ["parkings"], True)
+
+    def test_default_deny(self):
+        # Should we still allow access if no layers are given?
+        self.check_access("default_deny", None, [], True)
+        self.check_access("default_deny", "bob", [], True)
+        self.check_access("default_deny", None, ["parkings"], False)
+        self.check_access("default_deny", None, ["summits"], False)
+        self.check_access("default_deny", None, ["parkings", "summits"], False)
+
+        self.check_access("default_deny", "alice", ["parkings"], True)
+        self.check_access("default_deny", "alice", ["parkings", "summits"], False)
+
+    def test_default_allow(self):
+        self.check_access("default_allow", None, [], True)
+        self.check_access("default_allow", "bob", [], True)
+        self.check_access("default_allow", None, ["parkings"], False)
+        self.check_access("default_allow", None, ["summits"], True)
+        self.check_access("default_allow", None, ["parkings", "summits"], False)
+
+        self.check_access("default_allow", "alice", ["parkings"], True)
+        self.check_access("default_allow", "alice", ["parkings", "summits"], True)
+
+    def test_wms0(self):
+        self.check_access("wms0", None, [], True)
+        self.check_access("wms0", None, ["background"], True)
+        self.check_access("wms0", None, ["parkings"], False)
+        self.check_access("wms0", None, ["summits"], False)
+        self.check_access("wms0", None, ["background", "parkings"], False)
+        self.check_access("wms0", None, ["parkings", "summits"], False)
+        self.check_access("wms0", None, ["background", "parkings", "summits"], False)
+
+        self.check_access("wms0", "alice", [], True)
+        self.check_access("wms0", "alice", ["background"], True)
+        self.check_access("wms0", "alice", ["parkings"], True)
+        self.check_access("wms0", "alice", ["summits"], False)
+        self.check_access("wms0", "alice", ["background", "parkings"], True)
+        self.check_access("wms0", "alice", ["parkings", "summits"], False)
+        self.check_access("wms0", "alice", ["background", "parkings", "summits"], False)
+
+        self.check_access("wms0", "bob", [], True)
+        self.check_access("wms0", "bob", ["background"], True)
+        self.check_access("wms0", "bob", ["parkings"], True)
+        self.check_access("wms0", "bob", ["summits"], True)
+        self.check_access("wms0", "bob", ["background", "parkings"], True)
+        self.check_access("wms0", "bob", ["parkings", "summits"], True)
+        self.check_access("wms0", "bob", ["background", "parkings", "summits"], True)

server/python/testapp/testapp/tests/__init__.py

@@ +1 @@
+"""Pylons application test package
+
+When the test runner finds and executes tests within this directory,
+this file will be loaded to setup the test environment.
+
+It registers the root directory of the project in sys.path and
+pkg_resources, in case the project hasn't been installed with
+setuptools. It also initializes the application via websetup (paster
+setup-app) with the project's test.ini configuration file.
+"""
+import os
+import sys
+from unittest import TestCase
+
+import pkg_resources
+import paste.fixture
+import paste.script.appinstall
+from paste.deploy import loadapp
+from routes import url_for
+
+__all__ = ['url_for', 'TestController']
+
+here_dir = os.path.dirname(os.path.abspath(__file__))
+conf_dir = os.path.dirname(os.path.dirname(here_dir))
+
+sys.path.insert(0, conf_dir)
+pkg_resources.working_set.add_entry(conf_dir)
+pkg_resources.require('Paste')
+pkg_resources.require('PasteScript')
+
+test_file = os.path.join(conf_dir, 'test.ini')
+cmd = paste.script.appinstall.SetupCommand('setup-app')
+cmd.run([test_file])
+
+class TestController(TestCase):
+
+    def __init__(self, *args, **kwargs):
+        wsgiapp = loadapp('config:test.ini', relative_to=conf_dir)
+        self.app = paste.fixture.TestApp(wsgiapp)
+        TestCase.__init__(self, *args, **kwargs)

server/python/testapp/testapp/config/permissions.py

@@ +1 @@
+from authkit.permissions import HasAuthKitRole, ValidAuthKitUser
+from mapfish.controllers.security import Deny
+
+permissions = {
+    "application": ValidAuthKitUser(),
+    "application.widgets.edit": HasAuthKitRole("editor"),
+    "widgets.print.dpi.100": Deny()
+}

server/python/testapp/testapp/config/middleware.py

@@ +1 @@
+"""Pylons middleware initialization"""
+from paste.cascade import Cascade
+from paste.registry import RegistryManager
+from paste.urlparser import StaticURLParser
+from paste.deploy.converters import asbool
+
+from pylons import config
+from pylons.error import error_template
+from pylons.middleware import error_mapper, ErrorDocuments, ErrorHandler, \
+    StaticJavascripts
+from pylons.wsgiapp import PylonsApp
+
+from testapp.config.environment import load_environment
+
+def make_app(global_conf, full_stack=True, **app_conf):
+    """Create a Pylons WSGI application and return it
+
+    ``global_conf``
+        The inherited configuration for this application. Normally from
+        the [DEFAULT] section of the Paste ini file.
+
+    ``full_stack``
+        Whether or not this application provides a full WSGI stack (by
+        default, meaning it handles its own exceptions and errors).
+        Disable full_stack when this application is "managed" by
+        another WSGI middleware.
+
+    ``app_conf``
+        The application's local configuration. Normally specified in the
+        [app:<name>] section of the Paste ini file (where <name>
+        defaults to main).
+    """
+    # Configure the Pylons environment
+    load_environment(global_conf, app_conf)
+
+    # The Pylons WSGI app
+    app = PylonsApp()
+
+    # CUSTOM MIDDLEWARE HERE (filtered by error handling middlewares)
+
+    if asbool(full_stack):
+        # Handle Python exceptions
+        app = ErrorHandler(app, global_conf, error_template=error_template,
+                           **config['pylons.errorware'])
+
+        # AuthKit authentication
+        import authkit.authenticate
+        app = authkit.authenticate.middleware(app, app_conf)
+
+        # Display error documents for 401, 403, 404 status codes (and
+        # 500 when debug is disabled)
+        app = ErrorDocuments(app, global_conf, mapper=error_mapper, **app_conf)
+
+    # Establish the Registry for this application
+    app = RegistryManager(app)
+
+    # Static files
+    javascripts_app = StaticJavascripts()
+    static_app = StaticURLParser(config['pylons.paths']['static_files'])
+    app = Cascade([static_app, javascripts_app, app])
+    return app

server/python/testapp/testapp/config/environment.py

@@ +1 @@
+"""Pylons environment configuration"""
+import os
+
+from pylons import config
+
+import testapp.lib.app_globals as app_globals
+import testapp.lib.helpers
+from testapp.config.routing import make_map
+
+def load_environment(global_conf, app_conf):
+    """Configure the Pylons environment via the ``pylons.config``
+    object
+    """
+    # Pylons paths
+    root = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
+    paths = dict(root=root,
+                 controllers=os.path.join(root, 'controllers'),
+                 static_files=os.path.join(root, 'public'),
+                 templates=[os.path.join(root, 'templates')])
+
+    # Initialize config with the basic options
+    config.init_app(global_conf, app_conf, package='testapp',
+                    template_engine='mako', paths=paths)
+
+    config['routes.map'] = make_map()
+    config['pylons.g'] = app_globals.Globals()
+    config['pylons.h'] = testapp.lib.helpers
+
+    # Customize templating options via this variable
+    tmpl_options = config['buffet.template_options']
+
+    # CONFIGURATION OPTIONS HERE (note: all config options will override
+    # any Pylons config options)

server/python/testapp/testapp/config/routing.py

@@ +1 @@
+"""Routes configuration
+
+The more specific and detailed routes should be defined first so they
+may take precedent over the more generic routes. For more information
+refer to the routes manual at http://routes.groovie.org/docs/
+"""
+from pylons import config
+from routes import Mapper
+
+def make_map():
+    """Create, configure and return the routes Mapper"""
+    map = Mapper(directory=config['pylons.paths']['controllers'],
+                 always_scan=config['debug'])
+
+    # The ErrorController route (handles 404/500 error pages); it should
+    # likely stay at the top, ensuring it can always be resolved
+    map.connect('error/:action/:id', controller='error')
+
+    # CUSTOM ROUTES HERE
+    map.connect('wms_auth_proxy/*more', controller='wms_auth_proxy', action='get',
+                conditions={"method": ['GET']})
+
+
+    map.connect(':controller/:action/:id')
+    map.connect('*url', controller='template', action='view')
+
+    return map

server/python/testapp/testapp/websetup.py

@@ +1 @@
+"""Setup the testapp application"""
+import logging
+
+from paste.deploy import appconfig
+from pylons import config
+
+from testapp.config.environment import load_environment
+
+log = logging.getLogger(__name__)
+
+def setup_config(command, filename, section, vars):
+    """Place any commands to setup testapp here"""
+    conf = appconfig('config:' + filename)
+    load_environment(conf.global_conf, conf.local_conf)

server/python/testapp/testapp/controllers/wms_auth_proxy.py

@@ +1 @@
+from mapfish.controllers.auth_proxy import AuthProxyController
+from mapfish.controllers.auth_proxy import WMSLayer, TileCacheLayer
+from mapfish.controllers.security import Deny
+
+from authkit.permissions import HasAuthKitRole, ValidAuthKitUser
+from authkit.authorize.pylons_adaptors import authorized
+
+from testapp.lib.base import *
+
+import logging
+log = logging.getLogger(__name__)
+
+def get_permissions():
+    return WmsAuthProxyController()._get_permissions()
+
+class WmsAuthProxyController(AuthProxyController):
+    # FIXME: tests want to access the index method and fail if missing.
+    # Don't know where this is coming from.
+    def index(self):
+        return ""
+
+    def __init__(self):
+        layers = []
+
+        # Configuration:
+        #
+        # Users
+        #  alice: rolealice, editor
+        #  bob: rolebob, admin
+        #  carol: -
+        
+        # WMS sublayers:
+        #  parkings
+        #  summits
+        #  background
+
+        WMS_SERVER = "http://localhost:9999"
+
+        layers.append(WMSLayer(alias="no_restrictions",
+                               url=WMS_SERVER,
+                               layers={}))
+
+        layers.append(WMSLayer(alias="default_deny",
+                               url=WMS_SERVER,
+                               layers={
+                                   "parkings": HasAuthKitRole('rolealice'),
+                                   "DEFAULT": Deny()
+                               }))
+
+        layers.append(WMSLayer(alias="default_allow",
+                               url=WMS_SERVER,
+                               layers={
+                                   "parkings": HasAuthKitRole('rolealice')
+                               }))
+
+        layers.append(WMSLayer(alias="wms0",
+                               url=WMS_SERVER,
+                               layers={
+                                   # background is public
+                                   "parkings": HasAuthKitRole('editor'),
+                                   "summits": HasAuthKitRole(['editor', 'admin'], all=True)
+                               }))
+
+        # TODO: test tilecache layer
+
+        self.set_layers(layers)

server/python/testapp/testapp/controllers/error.py

@@ +1 @@
+import cgi
+import os.path
+
+from paste.urlparser import StaticURLParser
+from pylons.middleware import error_document_template, media_path
+
+from testapp.lib.base import *
+
+class ErrorController(BaseController):
+    """Generates error documents as and when they are required.
+
+    The ErrorDocuments middleware forwards to ErrorController when error
+    related status codes are returned from the application.
+
+    This behaviour can be altered by changing the parameters to the
+    ErrorDocuments middleware in your config/middleware.py file.
+    
+    """
+    def document(self):
+        """Render the error document"""
+        page = error_document_template % \
+            dict(prefix=request.environ.get('SCRIPT_NAME', ''),
+                 code=cgi.escape(request.params.get('code', '')),
+                 message=cgi.escape(request.params.get('message', '')))
+        return page
+
+    def img(self, id):
+        """Serve Pylons' stock images"""
+        return self._serve_file(os.path.join(media_path, 'img'), id)
+
+    def style(self, id):
+        """Serve Pylons' stock stylesheets"""
+        return self._serve_file(os.path.join(media_path, 'style'), id)
+
+    def _serve_file(self, root, path):
+        """Call Paste's FileApp (a WSGI application) to serve the file
+        at the specified path
+        """
+        static = StaticURLParser(root)
+        request.environ['PATH_INFO'] = '/%s' % path
+        return static(request.environ, self.start_response)

server/python/testapp/testapp/controllers/template.py

@@ +1 @@
+from testapp.lib.base import *
+
+class TemplateController(BaseController):
+
+    def view(self, url):
+        """By default, the final controller tried to fulfill the request
+        when no other routes match. It may be used to display a template
+        when all else fails, e.g.::
+
+            def view(self, url):
+                return render('/%s' % url)
+
+        Or if you're using Mako and want to explicitly send a 404 (Not
+        Found) response code when the requested template doesn't exist::
+
+            import mako.exceptions
+
+            def view(self, url):
+                try:
+                    return render('/%s' % url)
+                except mako.exceptions.TopLevelLookupException:
+                    abort(404)
+
+        By default this controller aborts the request with a 404 (Not
+        Found)
+        """
+        abort(404)

server/python/testapp/testapp/controllers/security.py

@@ +1 @@
+import logging
+
+from testapp.lib.base import *
+import mapfish.controllers.security
+
+log = logging.getLogger(__name__)
+
+class SecurityController(mapfish.controllers.security.SecurityController):
+    pass

server/python/testapp/testapp/lib/base.py

@@ +1 @@
+"""The base Controller API
+
+Provides the BaseController class for subclassing, and other objects
+utilized by Controllers.
+"""
+from pylons import c, cache, config, g, request, response, session
+from pylons.controllers import WSGIController
+from pylons.controllers.util import abort, etag_cache, redirect_to
+from pylons.decorators import jsonify, validate
+from pylons.i18n import _, ungettext, N_
+from pylons.templating import render
+
+import testapp.lib.helpers as h
+import testapp.model as model
+
+class BaseController(WSGIController):
+
+    def __call__(self, environ, start_response):
+        """Invoke the Controller"""
+        # WSGIController.__call__ dispatches to the Controller method
+        # the request is routed to. This routing information is
+        # available in environ['pylons.routes_dict']
+        return WSGIController.__call__(self, environ, start_response)
+
+# Include the '_' function in the public names
+__all__ = [__name for __name in locals().keys() if not __name.startswith('_') \
+           or __name == '_']

server/python/testapp/testapp/lib/helpers.py

@@ +1 @@
+"""Helper functions
+
+Consists of functions to typically be used within templates, but also
+available to Controllers. This module is available to both as 'h'.
+"""
+from webhelpers import *

server/python/testapp/testapp/lib/app_globals.py

@@ +1 @@
+"""The application's Globals object"""
+from pylons import config
+
+class Globals(object):
+    """Globals acts as a container for objects available throughout the
+    life of the application
+    """
+
+    def __init__(self):
+        """One instance of Globals is created during application
+        initialization and is available during requests via the 'g'
+        variable
+        """
+        pass

server/python/testapp/testapp/public/index.html

@@ +1 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
+   "http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+  <title>Pylons Default Page</title>
+  <style>
+    body { background-color: #fff; color: #333; }
+
+    body, p {
+      font-family: verdana, arial, helvetica, sans-serif;
+      font-size:   12px;
+      line-height: 18px;
+    }
+    pre {
+      background-color: #eee;
+      padding: 10px;
+      font-size: 11px;
+      line-height: 13px;
+    }
+
+    a { color: #000; }
+    a:visited { color: #666; }
+    a:hover { color: #fff; background-color:#000; }
+  </style>
+</head>
+<body>
+
+Test Pylons Web Application for MapFish
+
+</body>
+</html>

server/python/testapp/setup.py

@@ +1 @@
+try:
+    from setuptools import setup, find_packages
+except ImportError:
+    from ez_setup import use_setuptools
+    use_setuptools()
+    from setuptools import setup, find_packages
+
+setup(
+    name='testapp',
+    version="",
+    #description='',
+    #author='',
+    #author_email='',
+    #url='',
+    install_requires=["Pylons>=0.9.6.2"],
+    packages=find_packages(exclude=['ez_setup']),
+    include_package_data=True,
+    test_suite='nose.collector',
+    package_data={'testapp': ['i18n/*/LC_MESSAGES/*.mo']},
+    #message_extractors = {'testapp': [
+    #        ('**.py', 'python', None),
+    #        ('templates/**.mako', 'mako', None),
+    #        ('public/**', 'ignore', None)]},
+    entry_points="""
+    [paste.app_factory]
+    main = testapp.config.middleware:make_app
+
+    [paste.app_install]
+    main = pylons.util:PylonsInstaller
+    """,
+)

server/python/testapp/docs/index.txt

@@ +1 @@
+testapp
++++++++
+
+This is the main index page of your documentation. It should be written in
+`reStructuredText format <http://docutils.sourceforge.net/rst.html>`_.
+
+You can generate your documentation in HTML format by running this command::
+
+    setup.py pudge
+
+For this to work you will need to download and install ``buildutils`` and
+``pudge``.

server/python/testapp/testapp.egg-info/SOURCES.txt

@@ +1 @@
+MANIFEST.in
+README.txt
+setup.cfg
+setup.py
+testapp/__init__.py
+testapp/websetup.py
+testapp.egg-info/PKG-INFO
+testapp.egg-info/SOURCES.txt
+testapp.egg-info/dependency_links.txt
+testapp.egg-info/entry_points.txt
+testapp.egg-info/paste_deploy_config.ini_tmpl
+testapp.egg-info/paster_plugins.txt
+testapp.egg-info/requires.txt
+testapp.egg-info/top_level.txt
+testapp/config/__init__.py
+testapp/config/environment.py
+testapp/config/middleware.py
+testapp/config/routing.py
+testapp/controllers/__init__.py
+testapp/controllers/error.py
+testapp/controllers/hello.py
+testapp/controllers/template.py
+testapp/lib/__init__.py
+testapp/lib/app_globals.py
+testapp/lib/base.py
+testapp/lib/helpers.py
+testapp/model/__init__.py
+testapp/public/index.html
+testapp/tests/__init__.py
+testapp/tests/test_models.py
+testapp/tests/functional/__init__.py
+testapp/tests/functional/test_hello.py

server/python/testapp/testapp.egg-info/paste_deploy_config.ini_tmpl

@@ +1 @@
+#
+# testapp - Pylons configuration
+#
+# The %(here)s variable will be replaced with the parent directory of this file
+#
+[DEFAULT]
+debug = true
+email_to = you@yourdomain.com
+smtp_server = localhost
+error_email_from = paste@localhost
+
+[server:main]
+use = egg:Paste#http
+host = 0.0.0.0
+port = 5000
+
+[app:main]
+use = egg:testapp
+full_stack = true
+cache_dir = %(here)s/data
+beaker.session.key = testapp
+beaker.session.secret = ${app_instance_secret}
+app_instance_uuid = ${app_instance_uuid}
+
+# If you'd like to fine-tune the individual locations of the cache data dirs
+# for the Cache data, or the Session saves, un-comment the desired settings
+# here:
+#beaker.cache.data_dir = %(here)s/data/cache
+#beaker.session.data_dir = %(here)s/data/sessions
+
+# WARNING: *THE LINE BELOW MUST BE UNCOMMENTED ON A PRODUCTION ENVIRONMENT*
+# Debug mode will enable the interactive debugging tool, allowing ANYONE to
+# execute malicious code after an exception is raised.
+set debug = false
+
+
+# Logging configuration
+[loggers]
+keys = root
+
+[handlers]
+keys = console
+
+[formatters]
+keys = generic
+
+[logger_root]
+level = INFO
+handlers = console
+
+[handler_console]
+class = StreamHandler
+args = (sys.stderr,)
+level = NOTSET
+formatter = generic
+
+[formatter_generic]
+format = %(asctime)s %(levelname)-5.5s [%(name)s] %(message)s

server/python/testapp/testapp.egg-info/PKG-INFO

@@ +1 @@
+Metadata-Version: 1.0
+Name: testapp
+Version: 0.0.0dev
+Summary: UNKNOWN
+Home-page: UNKNOWN
+Author: UNKNOWN
+Author-email: UNKNOWN
+License: UNKNOWN
+Description: UNKNOWN
+Platform: UNKNOWN

server/python/testapp/testapp.egg-info/entry_points.txt

@@ +1 @@
+
+    [paste.app_factory]
+    main = testapp.config.middleware:make_app
+
+    [paste.app_install]
+    main = pylons.util:PylonsInstaller
+    

server/python/testapp/testapp.egg-info/paster_plugins.txt

@@ +1 @@
+Pylons
+WebHelpers
+PasteScript

server/python/testapp/MANIFEST.in

@@ +1 @@
+recursive-include testapp/public *
+recursive-include testapp/templates *

server/python/testapp/README.txt

@@ +1 @@
+This file is for you to describe the testapp application. Typically
+you would include information such as the information below:
+
+Installation and Setup
+======================
+
+Install ``testapp`` using easy_install::
+
+    easy_install testapp
+
+Make a config file as follows::
+
+    paster make-config testapp config.ini
+
+Tweak the config file as appropriate and then setup the application::
+
+    paster setup-app config.ini
+
+Then you are ready to go.

server/python/testapp/test.ini

@@ +1 @@
+#
+# testapp - Pylons testing environment configuration
+#
+# The %(here)s variable will be replaced with the parent directory of this file
+#
+[DEFAULT]
+debug = true
+# Uncomment and replace with the address which should receive any error reports
+#email_to = you@yourdomain.com
+smtp_server = localhost
+error_email_from = paste@localhost
+
+[server:main]
+use = egg:Paste#http
+host = 0.0.0.0
+port = 5000
+
+[app:main]
+use = config:development.ini
+
+# Add additional test specific configuration options as necessary.
+
+# If you'd like to fine-tune the individual locations of the cache data dirs
+# for the Cache data, or the Session saves, un-comment the desired settings
+# here:
+#beaker.cache.data_dir = %(here)s/data/cache
+#beaker.session.data_dir = %(here)s/data/sessions
+
+authkit.setup.method = form, cookie
+authkit.form.authenticate.user.data = alice:alice rolealice editor
+                                      bob:bob rolebob admin editor
+                                      carol:carol
+# XXX should be generated
+authkit.cookie.secret = 3db76b5f-cb74-448f-b291-63f3afc8e1bc
+authkit.cookie.signoutpath = /logout

server/python/testapp/setup.cfg

@@ +1 @@
+[egg_info]
+tag_build = dev
+tag_svn_revision = true
+
+[easy_install]
+find_links = http://www.pylonshq.com/download/
+
+[pudge]
+theme = pythonpaste.org
+
+# Add extra doc files here with spaces between them
+docs = docs/index.txt
+
+# Doc Settings
+doc_base = docs/
+dest = docs/html
+
+# Add extra modules here separated with commas
+modules = testapp
+title = Testapp
+organization = Pylons
+
+# Highlight code-block sections with Pygments
+highlighter = pygments
+
+# Optionally add extra links
+#organization_url = http://pylonshq.com/
+#trac_url = http://pylonshq.com/project
+settings = no_about=true
+
+# Optionally add extra settings
+#           link1=/community/ Community
+#           link2=/download/ Download
+
+[publish]
+doc-dir=docs/html
+make-dirs=1
+
+# Babel configuration
+[compile_catalog]
+domain = testapp
+directory = testapp/i18n
+statistics = true
+
+[extract_messages]
+add_comments = TRANSLATORS:
+output_file = testapp/i18n/testapp.pot
+width = 80
+
+[init_catalog]
+domain = testapp
+input_file = testapp/i18n/testapp.pot
+output_dir = testapp/i18n
+
+[update_catalog]
+domain = testapp
+input_file = testapp/i18n/testapp.pot
+output_dir = testapp/i18n
+previous = true

server/python/mapfish/controllers/auth_proxy.py

@@ +1 @@
+from pylons import request, response
+from pylons.controllers import WSGIController
+
+from authkit.authorize.pylons_adaptors import authorized
+from authkit.authorize import NotAuthorizedError
+import re
+import cgi
+import urlparse
+import urllib2
+from urllib import urlencode
+
+def add_routes(map, url, controller):
+    """Add the pylons routes for a proxy
+    """
+    map.connect(url + "*more", controller=controller, action='get',
+                conditions=dict(method=['GET']))
+
+class Layer(object):
+    def __init__(self, alias, url, layers, **kwargs):
+        self.alias = alias
+        self.url = url
+        self.layers = layers
+        self.options = kwargs
+
+    def get_permissions(self):
+        return {
+            "url": self.url,
+            "layers": dict(((name, authorized(perm)) for (name, perm) in
+                            self.layers.iteritems()))
+        }
+
+    def check_permissions(self):
+        # Check layers
+        layers = self.get_requested_layers()
+        for layer in layers:
+            if self.layers.has_key(layer):
+                perm = self.layers[layer]
+            elif self.layers.has_key("DEFAULT"):
+                perm = self.layers["DEFAULT"]
+            else:
+                continue
+            if not authorized(perm):
+                return False, "Not allowed to access layer: %s" % cgi.escape(layer)
+
+        # TODO add other checks here (bbox, ...)
+
+        return True, "Access allowed"
+
+    def get_requested_layers(self):
+        raise NotImplementedError()
+
+    def get_requested_bbox(self):
+        raise NotImplementedError()
+
+class WMSLayer(Layer):
+    def get_param(self, name):
+        """Returns the request parameter given in argument, ignoring case.
+           If not found, None is returned.
+        """
+        for k in request.params.keys():
+            if k.lower() == name:
+                return request.params[k]
+        return None
+
+    def get_requested_layers(self):
+        layers = self.get_param("layers")
+        if not layers:
+            return []
+        return layers.split(",")
+
+class TileCacheLayer(Layer):
+    def get_requested_layers(self):
+        raise NotImplementedError("TODO TileCacheLayer::get_requested_layers")
+
+
+class AuthProxyController(WSGIController):
+    def __init__(self):
+        self.layers = []
+        self.alias_to_layer = {}
+
+    def set_layers(self, layers):
+        self.alias_to_layers = dict(((layer.alias, layer) for layer in layers))
+        self.layers = layers
+
+    def _get_permissions(self):
+        return {
+            "layer": [l.get_permissions() for l in self.layers]
+        }
+
+    def get(self, more):
+        """Proxy action
+        """
+        # extract the first segment of the url
+        m = re.match("/?([^/]+)(/?.*)$", more)
+        if not m:
+            response.status_code = 500
+            return "Invalid URL, missing alias in the path"
+        alias, more = m.groups()
+        
+        if not self.alias_to_layers.has_key(alias):
+            response.status_code = 500
+            return "Wrong alias %s" % cgi.escape(alias)
+        layer = self.alias_to_layers[alias]
+
+        allowed, msg = layer.check_permissions()
+        if not allowed:
+            # We don't use 403 to avoid triggering AuthKit login dialog
+            response.status_code = 406
+            return msg
+
+        url = layer.url + more
+        return self._proxy(url)
+
+    def _proxy(self, url):
+        """Do the actual action of proxying the call.
+        """
+        query = urlencode(request.params)
+        full_url = url
+        if query:
+            if not full_url.endswith("?"):
+    &nb