An authentication policy for Pyramid that sets identity and effective principals based on the remote IP address of the request.
To perform IP-address-based authentication, create an IPAuthenticationPolicy and specify the target IP range, userid and effective principals. Then set it as the authentication policy in your configurator:
authn_policy = IPAuthenticationPolicy("127.0.*.*", "myuser", ["locals"]) config.set_authentication_policy(authn_policy)
This will cause all requests from IP addresses in the 127.0.*.* range to be authenticated as user “myuser” and have the effective principal “locals”.
It is also possible to specify the configuration options in your deployment file:
[app:pyramidapp] use = egg:mypyramidapp ipauth.ipaddrs = 127.0.0.* 127.0.1.* ipauth.principals = locals
You can then simply include the pyramid_ipauth package into your configurator:
It will detect the ipauth settings and construct an appropriate policy.
Note that this package only supports matching against a single set of IP addresss. If you need to assign different credentials to different sets of IP addresses, you can use the pyramid_multiauth package in conjunction with pyramid_ipauth:
If you don’t want to hard-code the userid or principals at configuration time, you may specify a “get_userid” and/or “get_principals” callback instead.
Specifying IP Addresses
IP addresses can be specified in a variety of forms, including:
- “all”: all possible IPv4 and IPv6 addresses
- “local”: all local addresses of the machine
- “A.B.C.D” a single IP address
- “A.B.C.D/N” a network address specification
- “A.B.C.*” a glob matching against all possible numbers
- “A.B.C.D-E” a glob matching against a range of numbers
- a whitespace- or comma-separated string of any of the above
- a netaddr IPAddress, IPRange, IPGlob, IPNetork of IPSet object
- a list, tuple or iterable of any of the above
This module does not respect the X-Forwarded-For header by default, since it can be spoofed easily by malicious clients. If your server is behind a trusted proxy that sets the X-Forwarded-For header, you should explicitly declare the set of trusted proxies like so:
IPAuthenticationPolicy("127.0.*.*", principals=["local"], proxies = "127.0.0.1")
The set of trusted proxy addresses can be specified using the same syntax as the set of IP addresses to authenticate.
0.3.3 - 2017-02-02
- Fix splitting ipset strings on whitespace; thanks @kaleposhobios
0.3.2 - 2017-01-22
- Resolve some warnings and clean up some tests; thanks Scott Searcy
0.3.1 - 2016-03-18
- Fixes for python3 compatibility
0.3.0 - 2016-03-18
- Add support for python3
0.2.0 - 2013-10-14
- Add get_userid and get_principals callback functions; thanks mrijken
- Convert principals into a list if necessary; thanks janakj
0.1.1 - 2012-01-30
- Update license to MPL 2.0
0.1.0 - 2011-11-11
- Initial release