API Documentation

An implementation of the authentication features required to work with mod_auth_tkt from Python.

This is basically a port of all the Perl functionality and examples contained in mod_auth_tkt.

Note

This code all looks a bit of a mess from a Python progammers point of view but I’ve tried hard to keep the implemenation here as close as possible to the original Perl version so that any changes to that version can be easily ported back to this version. As a result the code isn’t written in the way I would normally write this sort of module but on this occassion I judged maintainability to be more important than style.

class authtkt.AuthTicket(secret, userid, ip, tokens=(), user_data='', time=None, cookie_name='auth_tkt', secure=False)

This class represents an authentication token. You must pass in the shared secret, the userid, and the IP address. Optionally you can include tokens (a list of strings, representing role names), ‘user_data’, which is arbitrary data available for your own use in later scripts. Lastly, you can override the cookie name and timestamp.

Once you provide all the arguments, use .cookie_value() to generate the appropriate authentication ticket. .cookie() generates a Cookie object, the str() of which is the complete cookie header to be sent.

CGI usage:

token = auth_ticket.AuthTicket('sharedsecret', 'username',
    os.environ['REMOTE_ADDR'], tokens=['admin'])
print 'Status: 200 OK'
print 'Content-type: text/html'
print token.cookie()
print
... redirect HTML ...

Webware usage:

token = auth_ticket.AuthTicket('sharedsecret', 'username',
    self.request().environ()['REMOTE_ADDR'], tokens=['admin'])
self.response().setCookie('auth_tkt', token.cookie_value())

Be careful not to do an HTTP redirect after login; use meta refresh or Javascript – some browsers have bugs where cookies aren’t saved when set on a redirect.

cookie()

cookie_value()

digest()

digest0()

ipts()

class authtkt.AuthTkt(conf=None, secret=None)

Parse an Apache config file conating the mod_auth_tkt options and provide a dictionary-like interface to read them.

Also provide a ticket() method to generate a ticket based on the options.

Note

This class is designed to be a close approximation to the functionality contained in the Perl AuthTkt.pm module at http://search.cpan.org/~gavinc/Apache-AuthTkt-0.08/AuthTkt.pm and is the main interface which should be used in an implementation to access the AuthTkt* options and generate tickets.

Used it like this:

# Constructor - either (preferred):
at = AuthTkt(conf='/etc/httpd/conf.d/auth_tkt.conf')
# OR:
at = AuthTkt(secret='818f9c9d-91ed-4b74-9f48-ff99cfe00a0e')

# Generate ticket
ticket = at.ticket(userid=username, ip=ip_addr)

# Get the ticket cookie value:
value = ticket.cookie_value()

# Or generate cookie containing ticket
cookie = ticket.cookie()

# Access the shared secret
secret = at['secret']
# If using the 'conf' constructor above, all other TKTAuth attributes 
#   are also available e.g.:
at['cookie_name'], at['ignore_ip'], at['request_ssl']

cookie()

get(name, default=None)

has_key(name)

ticket(userid, ip, tokens=(), user_data='', time=None)

authtkt.convert_time_seconds(time)

authtkt.get_default_handler_configuration()

authtkt.guest_sub()

authtkt.handle(at, conf, base, mode, flow)

authtkt.parse_conf(filename, DEFAULTS={'TKTAuthTimeoutMin': 120, 'TKTAuthCookieSecure': 0, 'TKTAuthRequireSSL': 0, 'TKTAuthGuestLogin': 0, 'TKTAuthTimeoutRefresh': 0.5, 'TKTAuthIgnoreIP': 0, 'TKTAuthGuestUser': 'guest', 'TKTAuthBackArgName': 'back', 'TKTAuthCookieName': 'auth_tkt', 'TKTAuthTimeout': 7200}, PREFIX='TKTAuth', ignore_secret=False)

authtkt.render_html(q)

authtkt.run_with_cgi(application)

authtkt.validate_sub(username, password, flow=None)