Acquire.Identity._authorisation module¶

class Authorisation(resource=None, user=None, testing_key=None, testing_user_guid=None)[source]¶

Bases: object

This class holds the information needed to show that a user has authorised an action. This contains a signed token that records the time that the authorisation that was signed, together with an extra key (or secret) that can be used by the user and provider to verify that the authorisation is for the correct resource

assert_once(stale_time=7200, scope=None, permissions=None)[source]¶

Assert that this is in the one and only time that this service has seen this authorisation. This records the UID of the authorisation to the object store and then verifies that the signature of the UID is correct.

There is a small race condition if the service asserts the authorisation at the exact same time, but this is a highly unlikely occurance. The aim is to prevent replay attacks.

static from_data(data)[source]¶: Return an authorisation created from the json-decoded dictionary

from_user(user_uid, service_uid)[source]¶: Return whether or not this authorisation comes from the user with passed user_uid registered on the passed service_uid

identifiers()[source]¶: Return a dictionary of the full set of identifiers attached to this authorisation (e.g. user_guid, group_guid(s) etc.)

identity_uid()[source]¶: Return the UID of the identity service that authenticated the user

identity_url()[source]¶: Return the URL of the identity service that authenticated the user

is_null()[source]¶: Return whether or not this authorisation is null

is_stale(stale_time=7200)[source]¶: Return whether or not this authorisation is stale. ‘stale_time’ is the number of seconds after which the authorisation is considered stale (and thus no longer valid)

is_verified(refresh_time=3600, stale_time=7200)[source]¶

Return whether or not this authorisation has been verified. Note that this will cache any verification for ‘refresh_time’ (in seconds)

‘stale_time’ gives the time (in seconds) beyond which the authorisation will be considered stale (and thus not valid). By default this is 7200 seconds (2 hours), meaning that the authorisation must be used within 2 hours to be valid.

last_verification_time()[source]¶: Return the last time this authorisation was verified. Note that you should re-verify authorisations periodically, to ensure that they identity service is still happy that the login session was not suspicious

last_verified_resource()[source]¶: Return the resource that was used for the last successful verification of this authorisation. This returns None if this has not been verified before

session_uid()[source]¶: Return the login session that authenticated the user

signature()[source]¶: Return the actual signature

signature_time()[source]¶: Return the time when the authentication was signed

to_data()[source]¶: Return this object serialised to a json-encoded dictionary

uid()[source]¶: Return the UID of this authorisation. This will be signed by the user and can be used a use-once record by a service to validate that they have not seen this authorisation before

user_guid()[source]¶: Return the global UID for this user

user_uid()[source]¶: Return the UID of the user who created this authorisation

verify(resource=None, refresh_time=3600, stale_time=7200, force=False, accept_partial_match=False, scope=None, permissions=None, return_identifiers=True)[source]¶

Verify that this is a valid authorisation provided by the user for the passed ‘resource’. This will cache the verification for ‘refresh_time’ (in seconds), but re-verification can be forced if ‘force’ is True.

‘stale_time’ gives the time (in seconds) beyond which the authorisation will be considered stale (and thus not valid). By default this is 7200 seconds (2 hours), meaning that the authorisation must be used within 2 hours to be valid.

If ‘accept_partial_match’ is True, then if this Authorisation has been previously validated, then this previous authorisation is valid if the previously-verified resource contains ‘resource’, e.g. if you have previously verified that “create ABC123” is the verified resource, then this will still verify if “ABC123” if the partially-accepted match

If ‘scope’ is passed, then verify that the user logged in and signed the authorisation with the required ‘scope’.

If ‘permissions’ is passed, then verify that the user logged in and signed the authorisation with at least the specified ‘permissions’

If ‘testing_key’ is passed, then this object is being tested as part of the unit tests

If the authorisation was verified, then if ‘return_identifiers’ is True then this will return the full set of identifiers associated with the user who provided the authorisation