cherrypy-foundation 1.0.0__py3-none-any.whl

cherrypy_foundation/tests/test_logging.py

@@ -0,0 +1,78 @@
+# CherryPy
+# Copyright (C) 2026 IKUS Software
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+import tempfile
+from pathlib import Path
+
+import cherrypy
+from cherrypy.test import helper
+
+from ..logging import setup_logging
+
+
+class Root:
+
+    @cherrypy.expose
+    def index(self):
+        return "OK"
+
+    @cherrypy.expose
+    def error(self):
+        cherrypy.log('error messages to be logged')
+
+
+class LoggingTest(helper.CPWebCase):
+    interactive = False
+
+    @classmethod
+    def setup_server(cls):
+        cls.tempdir = tempfile.TemporaryDirectory(prefix='cherrypy-foundation-', suffix='-logging')
+        cls.log_access_file = f'{cls.tempdir.name}/access.log'
+        cls.log_file = f'{cls.tempdir.name}/error.log'
+        setup_logging(log_file=cls.log_file, log_access_file=cls.log_access_file, level='DEBUG')
+        cherrypy.tree.mount(Root(), '/')
+
+    @classmethod
+    def teardown_class(cls):
+        # Delete temp folder
+        cls.tempdir.cleanup()
+        # Stop server
+        super().teardown_class()
+        # Reset logging to default.
+        # Re-enable screen logging
+        cherrypy.config.update({'log.screen': True, 'log.error_file': '', 'log.access_file': ''})
+        # Reset internal logger references
+        cherrypy.log.error_file = None
+        cherrypy.log.access_file = None
+
+    def test_logging_access(self):
+        mtime = Path(self.log_access_file).stat().st_mtime
+        # When page get queried
+        self.getPage('/')
+        # Then access files get updated
+        mtime2 = Path(self.log_access_file).stat().st_mtime
+        self.assertNotEqual(mtime, mtime2)
+
+    def test_logging_error(self):
+        data = Path(self.log_file).read_text()
+        self.assertNotIn('error messages to be logged', data)
+        # When page get queried
+        self.getPage('/error')
+        self.assertStatus(200)
+        # Then access files get updated
+        data2 = Path(self.log_file).read_text()
+        self.assertNotEqual(data, data2)
+        self.assertIn('error messages to be logged', data2)

cherrypy_foundation/tests/test_passwd.py

@@ -0,0 +1,51 @@
+# Cherrypy-foundation
+# Copyright (C) 2026 IKUS Software
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
+'''
+Created on Apr. 10, 2020
+
+@author: Patrik Dufresne
+'''
+
+import importlib
+import unittest
+
+from ..passwd import check_password, hash_password
+
+HAS_ARGON2 = importlib.util.find_spec("argon2") is not None
+
+
+class Test(unittest.TestCase):
+
+    @unittest.skipUnless(HAS_ARGON2, "argon2 not installed")
+    def test_check_password_argon(self):
+        self.assertTrue(hash_password('admin12').startswith('$argon2'))
+        self.assertTrue(
+            check_password('admin123', '$argon2id$v=19$m=102400,t=2,p=8$/mDhOg8wyZeMTUjcbIC7mg$3pxRSfYgUXmKEKNtasP1Og')
+        )
+
+    @unittest.skipIf(HAS_ARGON2, "argon2 is installed")
+    def test_check_password_hashlib(self):
+        # Given argon is not installed
+        # When generating hash password
+        hash = hash_password('admin12')
+        # Then SSHA hash is generated
+        self.assertTrue(hash.startswith('{SSHA}'))
+
+    def test_check_password(self):
+        self.assertTrue(check_password('admin123', '{SSHA}/LAr7zGT/Rv/CEsbrEndyh27h+4fLb9h'))
+        self.assertFalse(check_password('admin12', '{SSHA}/LAr7zGT/Rv/CEsbrEndyh27h+4fLb9h'))
+        self.assertTrue(check_password('admin12', hash_password('admin12')))
+        self.assertTrue(check_password('admin123', hash_password('admin123')))

cherrypy_foundation/tests/test_sessions.py

@@ -0,0 +1,89 @@
+# Cherrypy-foundation
+# Copyright (C) 2026 IKUS Software
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+import os
+import tempfile
+
+import cherrypy
+from cherrypy.test import helper
+
+from cherrypy_foundation.sessions import FileSession, session_lock
+
+
+@cherrypy.tools.sessions(on=True, locking='explicit', storage_class=FileSession)
+class Root:
+
+    @cherrypy.expose
+    def index(self, value='OK'):
+        if value:
+            with session_lock() as s:
+                s['value'] = value
+        return s['value']
+
+
+class FileSessionTest(helper.CPWebCase):
+    interactive = False
+
+    @classmethod
+    def setup_class(cls):
+        cls.tempdir = tempfile.TemporaryDirectory(prefix='cherrypy-foundation-', suffix='-file-session-test')
+        cls.storage_path = cls.tempdir.name
+        super().setup_class()
+
+    @classmethod
+    def teardown_class(cls):
+        cls.tempdir.cleanup()
+        super().teardown_class()
+
+    @classmethod
+    def setup_server(cls):
+        cherrypy.config.update(
+            {
+                'tools.sessions.storage_path': cls.storage_path,
+            }
+        )
+        cherrypy.tree.mount(Root(), '/')
+
+    @property
+    def _session_id(self):
+        """Return session id from cookie."""
+        if hasattr(self, 'cookies') and self.cookies:
+            for unused, value in self.cookies:
+                for part in value.split(';'):
+                    key, unused, value = part.partition('=')
+                    if key == 'session_id':
+                        return value
+
+    def test_get_page(self):
+        # Given a page with session enabled
+        # When the page get queried
+        self.getPage("/")
+        # Then a session is created with a id
+        self.assertStatus(200)
+        self.assertTrue(self._session_id)
+        # Then this session is created on disk.
+        s = FileSession(id=self._session_id, storage_path=self.storage_path)
+        self.assertTrue(s._exists())
+        # When session timeout and get clean-up
+        s.acquire_lock()
+        s.load()
+        s.timeout = 0
+        s.save()
+        s.clean_up()
+        # Then session get deleted
+        self.assertFalse(s._exists())
+        # Lock file also get deleted.
+        self.assertFalse(os.path.exists(s._get_file_path() + FileSession.LOCK_SUFFIX))

cherrypy_foundation/tests/test_url.py

@@ -0,0 +1,161 @@
+# Cherrypy-foundation
+# Copyright (C) 2026 IKUS Software
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+import cherrypy
+from cherrypy.test import helper
+
+import cherrypy_foundation.tools.jinja2  # noqa
+
+from ..url import url_for
+
+env = cherrypy.tools.jinja2.create_env(
+    package_name=__package__,
+    globals={
+        'url_for': url_for,
+    },
+)
+
+
+class SubPage:
+
+    @cherrypy.expose
+    @cherrypy.tools.jinja2(template='test_url.html')
+    def index(self, **kwargs):
+        _relative = cherrypy.request.headers.get('-Relative')
+        return {'kwargs': {'_relative': _relative or None}}
+
+
+@cherrypy.tools.proxy(base='https://www.example.com')
+class ProxiedPage:
+
+    @cherrypy.expose
+    @cherrypy.tools.jinja2(template='test_url.html')
+    def index(self, **kwargs):
+        _relative = cherrypy.request.headers.get('-Relative')
+        return {'kwargs': {'_relative': _relative or None}}
+
+
+@cherrypy.tools.jinja2(env=env)
+class Root:
+    sub_page = SubPage()
+    proxied = ProxiedPage()
+
+    @cherrypy.expose
+    @cherrypy.tools.jinja2(template='test_url.html')
+    def index(self, **kwargs):
+        _relative = cherrypy.request.headers.get('-Relative')
+        return {'kwargs': {'_relative': _relative or None}}
+
+
+class UrlTest(helper.CPWebCase):
+    default_lang = None
+    interactive = False
+
+    @classmethod
+    def setup_server(cls):
+        cherrypy.tree.mount(Root(), '/')
+
+    def test_url_for(self):
+        self.assertEqual(url_for("foo", "bar"), 'http://127.0.0.1:54583/foo/bar')
+        self.assertEqual(url_for("foo", "bar", _relative='server'), '/foo/bar')
+        # Outside a request, relative url doesn't make alot of sens.
+        self.assertEqual(url_for("foo", "bar", _relative=1), '127.0.0.1:54583/foo/bar')
+        self.assertEqual(url_for("foo", "bar", _base='http://test.com'), 'http://test.com/foo/bar')
+
+    def test_get_page(self):
+        # Given a form
+        # When querying the page that include this form
+        self.getPage("/")
+        self.assertStatus(200)
+        # Then each field is render properly.
+        # 1. Check title
+        self.assertInBody('test-url')
+        # 2. Check user field
+        self.assertInBody(f'Empty: http://{self.HOST}:{self.PORT}/')
+        self.assertInBody(f'Dot: http://{self.HOST}:{self.PORT}/')
+        self.assertInBody(f'Dot page: http://{self.HOST}:{self.PORT}/my-page')
+        self.assertInBody(f'Slash: http://{self.HOST}:{self.PORT}/')
+        self.assertInBody(f'Page: http://{self.HOST}:{self.PORT}/my-page')
+        self.assertInBody(f'Slash page: http://{self.HOST}:{self.PORT}/my-page')
+        self.assertInBody(f'Query: http://{self.HOST}:{self.PORT}/my-page?bar=test+with+space&amp;foo=1')
+
+    def test_get_page_relative_true(self):
+        # Given a form
+        # When querying the page that include this form
+        self.getPage("/", headers=[('_relative', '1')])
+        self.assertStatus(200)
+        # Then each field is render properly.
+        # 1. Check title
+        self.assertInBody('test-url')
+        # 2. Check user field
+        self.assertInBody('Empty: <br/>')
+        self.assertInBody('Dot: <br/>')
+        self.assertInBody('Dot page: my-page<br/>')
+        self.assertInBody('Slash: <br/>')
+        self.assertInBody('Page: my-page<br/>')
+        self.assertInBody('Slash page: my-page<br/>')
+        self.assertInBody('Query: my-page?bar=test+with+space&amp;foo=1<br/>')
+
+    def test_get_page_relative_server(self):
+        # Given a form
+        # When querying the page that include this form
+        self.getPage("/", headers=[('_relative', 'server')])
+        self.assertStatus(200)
+        # Then each field is render properly.
+        # 1. Check title
+        self.assertInBody('test-url')
+        # 2. Check user field
+        self.assertInBody('Empty: /<br/>')
+        self.assertInBody('Dot: /<br/>')
+        self.assertInBody('Dot page: /my-page<br/>')
+        self.assertInBody('Slash: /<br/>')
+        self.assertInBody('Page: /my-page<br/>')
+        self.assertInBody('Slash page: /my-page<br/>')
+        self.assertInBody('Query: /my-page?bar=test+with+space&amp;foo=1<br/>')
+
+    def test_get_page_proxied(self):
+        # Given a form
+        # When querying the page that include this form
+        self.getPage("/proxied/")
+        self.assertStatus(200)
+        # Then each field is render properly.
+        # 1. Check title
+        self.assertInBody('test-url')
+        # 2. Check user field
+        self.assertInBody('Empty: https://www.example.com/')
+        self.assertInBody('Dot: https://www.example.com/proxied/')
+        self.assertInBody('Dot page: https://www.example.com/proxied/my-page<br/>')
+        self.assertInBody('Slash: https://www.example.com/')
+        self.assertInBody('Page: https://www.example.com/my-page')
+        self.assertInBody('Slash page: https://www.example.com/my-page')
+        self.assertInBody('Query: https://www.example.com/my-page?bar=test+with+space&amp;foo=1')
+
+    def test_get_sub_page(self):
+        # Given a form
+        # When querying the page that include this form
+        self.getPage("/sub-page/")
+        self.assertStatus(200)
+        # Then each field is render properly.
+        # 1. Check title
+        self.assertInBody('test-url')
+        # 2. Check user field
+        self.assertInBody(f'Empty: http://{self.HOST}:{self.PORT}/sub-page/')
+        self.assertInBody(f'Dot: http://{self.HOST}:{self.PORT}/sub-page/')
+        self.assertInBody(f'Dot page: http://{self.HOST}:{self.PORT}/sub-page/my-page')
+        self.assertInBody(f'Slash: http://{self.HOST}:{self.PORT}/')
+        self.assertInBody(f'Page: http://{self.HOST}:{self.PORT}/my-page')
+        self.assertInBody(f'Slash page: http://{self.HOST}:{self.PORT}/my-page')
+        self.assertInBody(f'Query: http://{self.HOST}:{self.PORT}/my-page?bar=test+with+space&amp;foo=1')

cherrypy_foundation/tools/auth.py

@@ -0,0 +1,263 @@
+# Authentication tools for cherrypy
+# Copyright (C) 2026 IKUS Software
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+import datetime
+import logging
+import urllib.parse
+
+import cherrypy
+
+from cherrypy_foundation.sessions import session_lock
+
+AUTH_LAST_PASSWORD_AT = '_auth_last_password_at'
+AUTH_METHOD = '_auth_method'
+AUTH_ORIGINAL_URL = '_auth_original_url'
+
+AUTH_DEFAULT_REDIRECT = "/login/"
+AUTH_DEFAULT_SESSION_KEY = "_auth_session_key"
+AUTH_DEFAULT_REAUTH_TIMEOUT = 60  # minutes
+
+
+class AuthManager(cherrypy.Tool):
+    """
+    CherryPy tool handling authentication.
+
+    Required config:
+      - tools.auth.user_lookup_func(login, user_info) -> (user_key, userobj)
+      - tools.auth.user_from_key_func(user_key) -> userobj | None
+      - tools.auth.checkpassword: callable or list of callables (login, password) ->
+          False | (login, user_info) | str(login)
+    """
+
+    def __init__(self):
+        super().__init__(point='before_handler', callable=self._restore_from_session, priority=70)
+
+    def _setup(self):
+        cherrypy.Tool._setup(self)
+        # Attach additional hooks as different priority to update preferred lang with more accurate preferences.
+        conf = self._merged_args()
+        conf.pop('priority', None)
+        cherrypy.serving.request.hooks.attach('before_handler', self._forbidden_or_redirect, priority=74, **conf)
+
+    # ---- Config helpers ----
+
+    @staticmethod
+    def _reauth_timeout_minutes() -> int:
+        # How long until we force a full username/password re-login regardless of session timeout.
+        return int(cherrypy.request.config.get('tools.auth.reauth_timeout', AUTH_DEFAULT_REAUTH_TIMEOUT))
+
+    @staticmethod
+    def _session_user_key() -> int:
+        return cherrypy.request.config.get('tools.auth.session_user_key', AUTH_DEFAULT_SESSION_KEY)
+
+    # ---- Tool entrypoints ----
+
+    def _restore_from_session(self, **kwargs):
+        """
+        Early hook: attempt to restore 'authenticated' state from session.
+        """
+        # Verify if session is enabled, if not the user is not authenticated.
+        if not hasattr(cherrypy.serving, 'session'):
+            return
+        # Check if a user_key is stored in session.
+        with session_lock() as session:
+            user_key = session.get(self._session_user_key())
+            if not user_key:
+                return
+
+            last = session.get(AUTH_LAST_PASSWORD_AT)
+            if last is None:
+                return  # never had a password login in this session
+            timeout = self._reauth_timeout_minutes()
+            if (last + datetime.timedelta(minutes=timeout)) < session.now():
+                return
+
+        # Mark request as authenticated by key; user object will be resolved later.
+        cherrypy.serving.request.login = user_key
+
+    def _forbidden_or_redirect(self, user_from_key_func, redirect=AUTH_DEFAULT_REDIRECT, **kwargs):
+        """
+        If authenticated via session, resolve user object; else redirect/403.
+        """
+        # Allow access to the login page itself
+        if cherrypy.serving.request.path_info == redirect:
+            return
+
+        user_key = getattr(cherrypy.serving.request, 'login', False)
+        if user_key:
+            try:
+                currentuser = user_from_key_func(user_key)
+            except Exception:
+                cherrypy.log(
+                    f'unexpected error searching for user_key={user_key}',
+                    context='AUTH',
+                    severity=logging.ERROR,
+                    traceback=True,
+                )
+                currentuser = None
+
+            if currentuser:
+                cherrypy.serving.request.currentuser = currentuser
+                return
+
+        # Not authenticated or user not found.
+        if redirect:
+            self.save_original_url()
+            raise cherrypy.HTTPRedirect(redirect)
+        raise cherrypy.HTTPError(403)
+
+    # ---- Login flows ----
+
+    def login_with_credentials(self, login, password):
+        """
+        Validate credentials with configured checkers; on success, call login_with_result.
+        """
+        if not login or not password:
+            cherrypy.log('authentication failed reason=empty_credentials', context='AUTH', severity=logging.WARNING)
+            return None
+        # Validate credentials using checkpassword function(s).
+        conf = self._merged_args()
+        checkpassword = conf.get('checkpassword')
+        if not isinstance(checkpassword, (list, tuple)):
+            checkpassword = [checkpassword]
+        for func in checkpassword:
+            try:
+                valid = func(login, password)
+                if not valid:
+                    continue
+                # Support various return value: tuple, string with username, boolean value
+                if isinstance(valid, (list, tuple)) and len(valid) >= 2:
+                    login, user_info = valid
+                elif isinstance(valid, str):
+                    login, user_info = valid, None
+                else:
+                    login, user_info = login, None
+                # If authentication is successful, initiate login process.
+                return self.login_with_result(login=login, user_info=user_info)
+            except Exception:
+                cherrypy.log(
+                    f'unexpected error checking password login={login} checkpassword={func.__qualname__} - continue with next function',
+                    context='AUTH',
+                    severity=logging.ERROR,
+                    traceback=True,
+                )
+        # If we reach here, authentication failed
+        if hasattr(cherrypy.serving, 'session'):
+            with session_lock() as session:
+                session.regenerate()  # Prevent session analysis
+
+        remote_ip = cherrypy.serving.request.remote.ip
+        cherrypy.log(
+            f'authentication failed login={login} ip={remote_ip} reason=wrong_credentials',
+            context='AUTH',
+            severity=logging.WARNING,
+        )
+
+        return None
+
+    def login_with_result(self, login=None, user_info=None, auth_method='password'):
+        """
+        Called after credentials were validated or via SSO.
+        Resolves user via user_lookup_func and establishes the session.
+        """
+        conf = self._merged_args()
+        user_lookup_func = conf.get('user_lookup_func')
+
+        try:
+            user_key, userobj = user_lookup_func(login=login, user_info=user_info or {})
+        except Exception:
+            cherrypy.log(
+                f"unexpected error searching user login={login} user_info={user_info}",
+                context='AUTH',
+                severity=logging.ERROR,
+                traceback=True,
+            )
+            return None
+
+        if not userobj:
+            cherrypy.log(
+                f"authentication failed login={login} reason=not_found", context='AUTH', severity=logging.WARNING
+            )
+            return None
+
+        # Notify plugins about user login
+        cherrypy.engine.publish('user_login', userobj)
+
+        # Store in session
+        if hasattr(cherrypy.serving, 'session'):
+            with session_lock() as session:
+                session_user_key = self._session_user_key()
+                session[session_user_key] = user_key
+                session[AUTH_METHOD] = auth_method
+                session[AUTH_LAST_PASSWORD_AT] = session.now()
+                # Generate a new session id
+                session.regenerate()
+
+        # When authenticated, store user_key in request.
+        cherrypy.serving.request.login = user_key
+        return userobj
+
+    # ---- Session helpers ----
+
+    def clear_session(self):
+        """
+        Clear session data and generate a new session id.
+        """
+        with session_lock() as session:
+            session.clear()
+            session.regenerate()
+
+    def get_original_url(self):
+        """
+        Return the original URL browsed by the user before authentication.
+        """
+        if not hasattr(cherrypy.serving, 'session'):
+            return None
+        with session_lock() as session:
+            return session.get(AUTH_ORIGINAL_URL)
+
+    def get_user_key(self):
+        """Return the last username."""
+        if not hasattr(cherrypy.serving, 'session'):
+            return False
+        session_user_key = self._session_user_key()
+        with session_lock() as session:
+            return session.get(session_user_key)
+
+    def redirect_to_original_url(self):
+        # Redirect user to original URL
+        redirect_url = self.get_original_url() or '/'
+        return cherrypy.HTTPRedirect(redirect_url)
+
+    def save_original_url(self):
+        """
+        Save the current URL to user's session.
+        """
+        # Skip this step if session is not enabled
+        if not hasattr(cherrypy.serving, 'session'):
+            return
+        # Extract URL including query-string.
+        request = cherrypy.serving.request
+        uri_encoding = getattr(request, 'uri_encoding', 'utf-8')
+        original_url = urllib.parse.quote(request.path_info, encoding=uri_encoding)
+        query_string = request.query_string
+
+        # Store value in session
+        with session_lock() as session:
+            session[AUTH_ORIGINAL_URL] = cherrypy.url(original_url, qs=query_string, base='')
+
+
+cherrypy.tools.auth = AuthManager()