ahriman.core.auth package

Submodules

ahriman.core.auth.auth module

class Auth(configuration: Configuration, provider: AuthSettings = AuthSettings.Disabled)

Bases: LazyLogging

helper to deal with user authorization

enabled

indicates if authorization is enabled

Type:

bool

max_age

session age in seconds. It will be used for both client side and server side checks

Type:

int

allow_read_only

allow read only access to APIs

Type:

bool

Parameters:

  • configuration (Configuration) – configuration instance

  • provider (AuthSettings, optional) – authorization type definition (Default value = AuthSettings.Disabled)

static load(configuration: Configuration, database: SQLite) Auth

load authorization module from settings

Parameters:

  • configuration (Configuration) – configuration instance

  • database (SQLite) – database instance

Returns:

authorization module according to current settings

Return type:

Auth

async check_credentials(username: str, password: str | None) bool

validate user password

Parameters:

  • username (str) – username

  • password (str | None) – entered password

Returns:

True in case if password matches, False otherwise

Return type:

bool

async known_username(username: str) bool

check if user is known

Parameters:

username (str) – username

Returns:

True in case if user is known and can be authorized and False otherwise

Return type:

bool

async verify_access(username: str, required: UserAccess, context: str | None) bool

validate if user has access to requested resource

Parameters:

  • username (str) – username

  • required (UserAccess) – required access level

  • context (str | None) – URI request path

Returns:

True in case if user is allowed to do this request and False otherwise

Return type:

bool

property auth_control: str

This workaround is required to make different behaviour for login interface. In case of internal authentication it must provide an interface (modal form) to log in with button sends POST request. But for an external providers behaviour can be different: e.g. OAuth provider requires sending GET request to external resource

Returns:

login control as html code to insert

Return type:

str

property is_external: bool

check if the provider is external (e.g. OAuth)

Returns:

True in case if external provider is used and False otherwise

Return type:

bool

ahriman.core.auth.helpers module

async authorized_userid(*args: Any, **kwargs: Any) Any

handle aiohttp security methods

Parameters:

  • *args (Any) – argument list as provided by authorized_userid function

  • **kwargs (Any) – named argument list as provided by authorized_userid function

Returns:

None in case if no aiohttp_security module found and function call otherwise

Return type:

Any

async check_authorized(*args: Any, **kwargs: Any) Any

handle aiohttp security methods

Parameters:

  • *args (Any) – argument list as provided by check_authorized function

  • **kwargs (Any) – named argument list as provided by check_authorized function

Returns:

None in case if no aiohttp_security module found and function call otherwise

Return type:

Any

async forget(*args: Any, **kwargs: Any) Any

handle aiohttp security methods

Parameters:

  • *args (Any) – argument list as provided by forget function

  • **kwargs (Any) – named argument list as provided by forget function

Returns:

None in case if no aiohttp_security module found and function call otherwise

Return type:

Any

async remember(*args: Any, **kwargs: Any) Any

handle disabled auth

Parameters:

  • *args (Any) – argument list as provided by remember function

  • **kwargs (Any) – named argument list as provided by remember function

Returns:

None in case if no aiohttp_security module found and function call otherwise

Return type:

Any

ahriman.core.auth.mapping module

class Mapping(configuration: Configuration, database: SQLite, provider: AuthSettings = AuthSettings.Configuration)

Bases: Auth

user authorization based on mapping from configuration file

salt

random generated string to salted password

Type:

str

database

database instance

Type:

SQLite

Parameters:

  • configuration (Configuration) – configuration instance

  • database (SQLite) – database instance

  • provider (AuthSettings, optional) – authorization type definition (Default value = AuthSettings.Configuration)

async check_credentials(username: str, password: str | None) bool

validate user password

Parameters:

  • username (str) – username

  • password (str | None) – entered password

Returns:

True in case if password matches, False otherwise

Return type:

bool

async get_user(username: str) User | None

retrieve user from in-memory mapping

Parameters:

username (str) – username

Returns:

user descriptor if username is known and None otherwise

Return type:

User | None

async known_username(username: str) bool

check if user is known

Parameters:

username (str) – username

Returns:

True in case if user is known and can be authorized and False otherwise

Return type:

bool

async verify_access(username: str, required: UserAccess, context: str | None) bool

validate if user has access to requested resource

Parameters:

  • username (str) – username

  • required (UserAccess) – required access level

  • context (str | None) – URI request path

Returns:

True in case if user is allowed to do this request and False otherwise

Return type:

bool

ahriman.core.auth.oauth module

class OAuth(configuration: Configuration, database: SQLite, provider: AuthSettings = AuthSettings.OAuth)

Bases: Mapping

User authorization implementation via OAuth. It is required to create application first and put application credentials.

client_id

application client id

Type:

str

client_secret

application client secret key

Type:

str

provider

provider class, should be one of aiohttp-client provided classes

Type:

aioauth_client.OAuth2Client

redirect_uri

redirect URI registered in provider

Type:

str

scopes

list of scopes required by the application

Type:

str

Parameters:

  • configuration (Configuration) – configuration instance

  • database (SQLite) – database instance

  • provider (AuthSettings, optional) – authorization type definition (Default value = AuthSettings.OAuth)

static get_provider(name: str) type[aioauth_client.OAuth2Client]

load OAuth2 provider by name

Parameters:

name (str) – name of the provider. Must be valid class defined in aioauth-client library

Returns:

loaded provider type

Return type:

type[aioauth_client.OAuth2Client]

Raises:

OptionError – in case if invalid OAuth provider name supplied

get_client() aioauth_client.OAuth2Client

load client from parameters

Returns:

generated client according to current settings

Return type:

aioauth_client.OAuth2Client

get_oauth_url(state: str) str

get authorization URI for the specified settings

Parameters:

state (str) – CSRF token to pass to OAuth2 provider

Returns:

authorization URI as a string

Return type:

str

async get_oauth_username(code: str, state: str | None, session: dict[str, Any]) str | None

extract OAuth username from remote

Parameters:

  • code (str) – authorization code provided by external service

  • state (str | None) – CSRF token returned by external service

  • session (dict[str, Any]) – current session instance

Returns:

username as is in OAuth provider

Return type:

str | None

property auth_control: str

get authorization html control

Returns:

login control as html code to insert

Return type:

str

property is_external: bool

check if the provider is external (e.g. OAuth)

Returns:

True in case if external provider is used and False otherwise

Return type:

bool

ahriman.core.auth.pam module

class PAM(configuration: Configuration, database: SQLite, provider: AuthSettings = AuthSettings.PAM)

Bases: Mapping

User authorization implementation by using default PAM

full_access_group

group name users of which have full access

Type:

str

permit_root_login

permit login as root

Type:

bool

Parameters:

  • configuration (Configuration) – configuration instance

  • database (SQLite) – database instance

  • provider (AuthSettings, optional) – authorization type definition (Default value = AuthSettings.PAM)

static group_members(group_name: str) list[str]

extract current group members

Parameters:

group_name (str) – group name

Returns:

list of users which belong to the specified group. In case if group wasn’t found, the empty list will be returned

Return type:

list[str]

async check_credentials(username: str, password: str | None) bool

validate user password

Parameters:

  • username (str) – username

  • password (str | None) – entered password

Returns:

True in case if password matches, False otherwise

Return type:

bool

async known_username(username: str) bool

check if user is known

Parameters:

username (str) – username

Returns:

True in case if user is known and can be authorized and False otherwise

Return type:

bool

async verify_access(username: str, required: UserAccess, context: str | None) bool

validate if user has access to requested resource

Parameters:

  • username (str) – username

  • required (UserAccess) – required access level

  • context (str | None) – URI request path

Returns:

True in case if user is allowed to do this request and False otherwise

Return type:

bool

Module contents