
Andriy Kornatskyy committed 6686a42

Working on documentation


Files changed (8)

+# -*- coding: utf-8 -*-
+#
+# wheezy.security documentation build configuration file, created by
+# sphinx-quickstart on Fri Sep  9 20:36:50 2011.
+#
+# This file is execfile()d with the current directory set to its containing dir.
+#
+# Note that not all possible configuration values are present in this
+# autogenerated file.
+#
+# All configuration values have a default; values that are commented out
+# serve to show the default.
+
+import sys, os
+
+# If extensions (or modules to document with autodoc) are in another directory,
+# add these directories to sys.path here. If the directory is relative to the
+# documentation root, use os.path.abspath to make it absolute, like shown here.
+#sys.path.insert(0, os.path.abspath('.'))
+sys.path.extend([
+	os.path.abspath(os.path.join('..', 'src'))
+])
+
+# -- General configuration -----------------------------------------------------
+
+# If your documentation needs a minimal Sphinx version, state it here.
+#needs_sphinx = '1.0'
+
+# Add any Sphinx extension module names here, as strings. They can be extensions
+# coming with Sphinx (named 'sphinx.ext.*') or your custom ones.
+extensions = [
+    'sphinx.ext.autodoc', 'sphinx.ext.doctest',
+    'sphinx.ext.coverage', 'sphinx.ext.viewcode'
+]
+
+# Add any paths that contain templates here, relative to this directory.
+templates_path = ['_templates']
+
+# The suffix of source filenames.
+source_suffix = '.rst'
+
+# The encoding of source files.
+#source_encoding = 'utf-8-sig'
+
+# The master toctree document.
+master_doc = 'index'
+
+# General information about the project.
+project = u'wheezy.security'
+copyright = u'2011, Andriy Kornatskyy'
+
+# The version info for the project you're documenting, acts as replacement for
+# |version| and |release|, also used in various other places throughout the
+# built documents.
+#
+# The short X.Y version.
+version = '0.1'
+# The full version, including alpha/beta/rc tags.
+release = '0.1'
+
+# The language for content autogenerated by Sphinx. Refer to documentation
+# for a list of supported languages.
+#language = None
+
+# There are two options for replacing |today|: either, you set today to some
+# non-false value, then it is used:
+#today = ''
+# Else, today_fmt is used as the format for a strftime call.
+#today_fmt = '%B %d, %Y'
+
+# List of patterns, relative to source directory, that match files and
+# directories to ignore when looking for source files.
+exclude_patterns = ['_build']
+
+# The reST default role (used for this markup: `text`) to use for all documents.
+#default_role = None
+
+# If true, '()' will be appended to :func: etc. cross-reference text.
+#add_function_parentheses = True
+
+# If true, the current module name will be prepended to all description
+# unit titles (such as .. function::).
+#add_module_names = True
+
+# If true, sectionauthor and moduleauthor directives will be shown in the
+# output. They are ignored by default.
+#show_authors = False
+
+# The name of the Pygments (syntax highlighting) style to use.
+pygments_style = 'colorful'
+
+# A list of ignored prefixes for module index sorting.
+#modindex_common_prefix = []
+
+
+# -- Options for HTML output ---------------------------------------------------
+
+# The theme to use for HTML and HTML Help pages.  See the documentation for
+# a list of builtin themes.
+html_theme = 'default'
+
+# The style sheet to use for HTML pages.
+html_style = 'style.css'
+
+# Theme options are theme-specific and customize the look and feel of a theme
+# further.  For a list of options available for each theme, see the
+# documentation.
+html_theme_options = {
+    'footerbgcolor': '#FFF',
+    'footertextcolor': '#000',
+    'sidebarbgcolor': '#FFF',
+    'sidebartextcolor': '#4d8cbf',
+    'sidebarlinkcolor': '#216093',
+    'relbarbgcolor': '#FFF',
+    'relbartextcolor': '#000',
+    'relbarlinkcolor': '#216093',
+    'bgcolor': '#FFF',
+    'textcolor': '#000',
+    'linkcolor': '#216093',
+    'visitedlinkcolor': '#216093',
+    'headbgcolor': '#FFF',
+    'headtextcolor': '#4d8cbf',
+    'codebgcolor': '#FFF',
+    'codetextcolor': '#060',
+    'bodyfont': 'Georgia, serif',
+    'headfont': 'Calibri, sans-serif',
+	'stickysidebar': True,
+	'externalrefs': True
+}
+
+# Add any paths that contain custom themes here, relative to this directory.
+#html_theme_path = []
+
+# The name for this set of Sphinx documents.  If None, it defaults to
+# '<project> v<release> documentation'.
+#html_title = None
+
+# A shorter title for the navigation bar.  Default is the same as html_title.
+#html_short_title = None
+
+# The name of an image file (relative to this directory) to place at the top
+# of the sidebar.
+#html_logo = None
+
+# The name of an image file (within the static path) to use as favicon of the
+# docs.  This file should be a Windows icon file (.ico) being 16x16 or 32x32
+# pixels large.
+#html_favicon = None
+
+# Add any paths that contain custom static files (such as style sheets) here,
+# relative to this directory. They are copied after the builtin static files,
+# so a file named 'default.css' will overwrite the builtin 'default.css'.
+html_static_path = ['static']
+
+# If not '', a 'Last updated on:' timestamp is inserted at every page bottom,
+# using the given strftime format.
+#html_last_updated_fmt = '%b %d, %Y'
+
+# If true, SmartyPants will be used to convert quotes and dashes to
+# typographically correct entities.
+#html_use_smartypants = True
+
+# Custom sidebar templates, maps document names to template names.
+#html_sidebars = {}
+
+# Additional templates that should be rendered to pages, maps page names to
+# template names.
+#html_additional_pages = {}
+
+# If false, no module index is generated.
+#html_domain_indices = True
+
+# If false, no index is generated.
+#html_use_index = True
+
+# If true, the index is split into individual pages for each letter.
+#html_split_index = False
+
+# If true, links to the reST sources are added to the pages.
+#html_show_sourcelink = True
+
+# If true, 'Created using Sphinx' is shown in the HTML footer. Default is True.
+html_show_sphinx = False
+
+# If true, '(C) Copyright ...' is shown in the HTML footer. Default is True.
+html_show_copyright = False
+
+# If true, an OpenSearch description file will be output, and all pages will
+# contain a <link> tag referring to it.  The value of this option must be the
+# base URL from which the finished HTML is served.
+#html_use_opensearch = ''
+
+# This is the file name suffix for HTML files (e.g. '.xhtml').
+#html_file_suffix = None
+
+# Output file base name for HTML help builder.
+htmlhelp_basename = 'wheezy.securitydoc'
+
+
+# -- Options for LaTeX output --------------------------------------------------
+
+# The paper size ('letter' or 'a4').
+#latex_paper_size = 'letter'
+
+# The font size ('10pt', '11pt' or '12pt').
+#latex_font_size = '10pt'
+
+# Grouping the document tree into LaTeX files. List of tuples
+# (source start file, target name, title, author, documentclass [howto/manual]).
+latex_documents = [
+  ('index', 'wheezy.security.tex', u'wheezy.security Documentation',
+   u'Andriy Kornatskyy', 'manual'),
+]
+
+# The name of an image file (relative to this directory) to place at the top of
+# the title page.
+#latex_logo = None
+
+# For 'manual' documents, if this is true, then toplevel headings are parts,
+# not chapters.
+#latex_use_parts = False
+
+# If true, show page references after internal links.
+#latex_show_pagerefs = False
+
+# If true, show URL addresses after external links.
+#latex_show_urls = False
+
+# Additional stuff for the LaTeX preamble.
+#latex_preamble = ''
+
+# Documents to append as an appendix to all manuals.
+#latex_appendices = []
+
+# If false, no module index is generated.
+#latex_domain_indices = True
+
+
+# -- Options for manual page output --------------------------------------------
+
+# One entry per manual page. List of tuples
+# (source start file, name, description, authors, manual section).
+man_pages = [
+    ('index', 'wheezy.security', u'wheezy.security Documentation',
+     [u'Andriy Kornatskyy'], 1)
+]
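Review bot: The `sys.path.extend([...])` call near the top of conf.py appends `../src` to the end of the import path, so when a `wheezy.security` distribution is also installed in site-packages, autodoc and viewcode will import and document that installed copy rather than the checkout this documentation belongs to; the commented template line just above it uses `insert(0, ...)` for exactly this reason. Replace the three-line call with `sys.path.insert(0, os.path.abspath(os.path.join('..', 'src')))`. The path is resolved against the current working directory, which the header comment says is the conf.py directory when Sphinx executes the file, so a `__file__`-based path would be the only way to drop that assumption if it ever changes. Separately, the continuation line of that call and the last two `html_theme_options` entries (`stickysidebar`, `externalrefs`) are tab-indented while the rest of the file uses four spaces; inside brackets this does not affect the interpreter, but it will trip linters, so normalize to spaces.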
+
+Examples
+========
+
+We start with a simple example. Before we proceed 
+let setup `virtualenv`_ environment::
+
+    $ virtualenv env
+    $ env/bin/easy_install wheezy.security[pycrypto]
+
+
+Protecting Information
+----------------------
+
+Let assume we would like protect some sensitive information, e.g. user id. We
+can encrypt it, add hash to proove validity and finally say that this
+value is valid for 20 minutes only::
+
+    from wheezy.security.crypto import Ticket
+    
+    ticket = Ticket(max_age=1200, salt='p5sArbHFZvxgeEJFrM9h')
+
+Once you have ticket you can encode any string::
+
+    protected_value = ticket.encode('hello')
+    
+Decode ``protected_value`` this way::
+
+    value = ticket.decode(protected_value)
+    
+User Principal
+--------------
+
+Ticket can be used to protect user principal over network (e.g. in http 
+cookie)::
+    
+    from wheezy.security import Principal
+
+    principal = Principal(
+            id='125134788', 
+            roles=['user'], 
+            alias='John Smith')
+    secure_value = ticket.encode(principal.dump())
+    
+Server side now restores this information::
+
+    from wheezy.security import ANONYMOUS
+    from wheezy.security import Principal
+
+    principal_dump = ticket.decode(secure_value)
+    if principal_dump:
+        principal = Principal.load(principal_dump)
+    else:
+        principal = ANONYMOUS
+
+.. _`virtualenv`: http://pypi.python.org/pypi/virtualenv

doc/gettingstarted.rst

+
+Getting Started
+===============
+
+Install
+-------
+
+:ref:`wheezy.security` requires `python`_ version 2.4 to 2.7 or 3.2.
+It is independent of operating system. You can install it from `pypi`_
+site using `setuptools`_::
+
+    $ easy_install wheezy.security
+
+If you are using `virtualenv`_::
+
+    $ virtualenv env
+    $ env/bin/easy_install wheezy.security
+
+If you would like take benefit of one of cryptography library that has
+built-in support specify extra requirements::
+
+    $ easy_install wheezy.security[pycrypto]
+
+Develop
+-------
+
+You can get the `source code`_ using `mercurial`_::
+
+    $ hg clone http://bitbucket.org/akorn/wheezy.security
+    $ cd wheezy.security
+
+Prepare `virtualenv`_ environment in *env* directory ::
+
+    $ make env
+
+... and run all tests::
+
+    $ make test
+
+You can read how to compile from source code different versions of
+`python`_ in the `article`_ published on `mind reference`_ blog.
+
+You can run certain make targets with specific python version. Here
+we are going to run `doctest`_ with python3.2::
+
+    $ make env doctest-cover VERSION=3.2
+
+Generate documentation with `sphinx`_::
+
+	$ make doc
+
+If you run into any issue or have comments, go ahead and add on
+`bitbucket`_.
+
+.. _`pypi`: http://pypi.python.org/pypi/wheezy.security
+.. _`python`: http://www.python.org
+.. _`setuptools`: http://pypi.python.org/pypi/setuptools
+.. _`bitbucket`: http://bitbucket.org/akorn/wheezy.security/issues
+.. _`source code`: http://bitbucket.org/akorn/wheezy.security/src
+.. _`mercurial`: http://mercurial.selenic.com/
+.. _`virtualenv`: http://pypi.python.org/pypi/virtualenv
+.. _`article`: http://mindref.blogspot.com/2011/09/compile-python-from-source.html
+.. _`mind reference`: http://mindref.blogspot.com/
+.. _`doctest`: http://docs.python.org/library/doctest.html
+.. _`sphinx`: http://sphinx.pocoo.org/
+.. _`wheezy.security`:
+
+Wheezy Security
+=================
+
+Introduction
+------------
+
+:ref:`wheezy.security` is a `python`_ package written in pure Python code. 
+It is a lightweight security library that provides integration with:
+
+* `pycrypto`_ - The Python Cryptography Toolkit
+
+It is optimized for performance, well tested and documented.
+
+Resources:
+
+* `source code`_, `examples`_ and `issues`_ tracker are available
+  on `bitbucket`_
+* `documentation`_
+* `eggs`_ on `pypi`_
+
+Contents
+--------
+
+.. toctree::
+   :maxdepth: 2
+
+   gettingstarted
+   examples
+   userguide
+   modules
+
+.. _`python`: http://www.python.org
+.. _`source code`: http://bitbucket.org/akorn/wheezy.security/src
+.. _`bitbucket`: http://bitbucket.org/akorn/wheezy.security
+.. _`issues`: http://bitbucket.org/akorn/wheezy.security/issues
+.. _`documentation`: http://packages.python.org/wheezy.security
+.. _`examples`: http://bitbucket.org/akorn/wheezy.security/src/tip/demos
+.. _`pypi`: http://pypi.python.org
+.. _`eggs`: http://pypi.python.org/pypi/wheezy.security
+.. _`pycrypto`: https://www.dlitz.net/software/pycrypto/
+Modules
+=======
+
+wheezy.security
+---------------
+
+.. automodule:: wheezy.security
+   :members:
+
+wheezy.security.principal
+-------------------------
+
+.. automodule:: wheezy.security.principal
+   :members:
+   
+wheezy.security.crypto
+----------------------
+
+.. automodule:: wheezy.security.crypto
+   :members:
+   
+wheezy.security.crypto.ticket
+-----------------------------
+
+.. automodule:: wheezy.security.crypto.ticket
+   :members:
+   
+wheezy.security.crypto.padding
+------------------------------
+
+.. automodule:: wheezy.security.crypto.padding
+   :members:

doc/static/style.css

+@import url("default.css");
+
+div.body h1,
+div.body h2,
+div.body h3,
+div.body h4,
+div.body h5,
+div.body h6,
+div.sphinxsidebar h3,
+div.sphinxsidebar h4 {
+    font-weight: bold;
+    border-bottom: none;
+}
+
+pre {
+    line-height: 14pt;
+    margin: 17pt;
+    padding-left: 1em;
+    border: none;
+    border-left: 3px solid #EE9816;
+    font-family: 'Consolas','Deja Vu Sans Mono','Bitstream Vera Sans Mono',monospace;
+    font-size: 0.9em;
+}
+
+div.body p, div.body dd, div.body li {
+    text-align: left;
+}
+
+.highlight {
+    background: #FFF !important;
+}
+
+th.field-name {
+    background: #FFF;
+}
+
+div.related {
+    position: fixed;
+}
+
+div.body {
+    top: 30px;
+    bottom: 0;
+    right: 0;
+    left: 230px;
+    margin: 0;
+    position: fixed;
+    overflow: auto;
+    height: auto;
+}
+
+div.related, div.sphinxsidebar {
+    font-family: Calibri, sans-serif;
+}

doc/userguide.rst

+
+User Guide
+==========
+
+The objective of security is protection of information from theft or
+corruption, while allowing the information to remain accessible to its
+intended users.
+
+Ticket
+------
+Ticket is a short packet of bytes generated by a network server for a client,
+which can be delivered to itself as a means of authentication or proof of
+authorization, and cannot easily be forged.
+
+:py:class:`~wheezy.security.crypto.ticket.Ticket` has the following
+characteristics:
+
+* It is valid for certain period of time, namely has explicitly set expiration
+  time.
+* It value is signed to prove it authenticity.
+* It is encrypted to protect sensitive information.
+* It has noise to harden forgery.
+
+:py:class:`~wheezy.security.crypto.ticket.Ticket` can be instantiated
+by passing the following arguments:
+
+* ``max_age`` - period of time (in seconds) this Ticket is considered valid.
+* ``salt`` - a random sequence that harden ticket forgery. That is prepended
+  to validation key and encryption key.
+* ``digestmod`` - hash algorithm used with HMAC (Hash-based Message
+  Authentication Code) to sign ticket. Defaults to SHA1.
+* ``cypher`` - cryptography algorithm. Defaults to AES128.
+* ``options`` - a dictionary that hold the following configuration values:
+  ``CRYPTO_VALIDATION_KEY`` (used by signature) and
+  ``CRYPTO_ENCRYPTION_KEY`` (used by encryption).
+
+Validation and Encryption Keys
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Keys used for validation and encryption are ensured to be of length 320 bits at
+least. :py:meth:`~wheezy.security.crypto.ticket.ensure_strong_key` function
+appends HMAC signature to the key.
+
+If cryptography library is not available you will see a warning message::
+
+    Ticket: cypher not available
+
+While Ticket continue to function even cryptography library is not installed
+it strongly recommended to be used in production environment.
+
+Thread Safety
+~~~~~~~~~~~~~
+
+Ticket does not alter it state once initialized. It is guaranteed to be
+thread safe.
+
+Typical Use Case
+~~~~~~~~~~~~~~~~
+
+Here is typical use case when all possible configuration attributes are used::
+
+    from wheezy.security.crypto.comp import aes192
+    from wheezy.security.crypto.comp import sha1
+    from wheezy.security.crypto import Ticket
+
+    options = {
+        'CRYPTO_VALIDATION_KEY': 'LkLlYR5WbTk54kaIgJOp',
+        'CRYPTO_ENCRYPTION_KEY': 'rH64daeXBZdgrR7WNawf'
+    }
+
+    ticket = Ticket(
+            max_age=1200,
+            salt='CzQnV0KazDKElBYiIC2w',
+            digestmod=sha1,
+            cypher=aes192,
+            options=options)
+
+The ``ticket`` instance can be shared application wide. ``encode`` /
+``decode`` methods are used this way::
+
+    protected_value = ticket.encode('hello')
+
+    assert 'hello' == ticket.decode(protected_value)
+
+In case validity of ticket can not be confirmed ``decode`` method returns
+``None``.
+
+Extensibility
+~~~~~~~~~~~~~
+
+Ticket ``cypher`` can be any callable that satisfy the following contract:
+
+* Initialization is called with encryption key. Returned object must be a
+  factory for actual algorithm instance.
+* Algorithm factory must return new algorithm via simple callable with no
+  arguments.
+* Algorithm implementation must support two methods: ``encrypt(value)``
+  and ``decrypt(value)``.
+
+Principal
+---------
+:py:class:`~wheezy.security.principal.Principal` is a container of user
+specific security information. It includes the following attributes:
+
+* ``id`` - user identity, e.g. number `755345`, UUID
+  `f102a87b-ee36-4a2e-97de-8f803f470867` or whatever else is valid to
+  look up a user quickly in your application.
+* ``roles`` - a list of authorized user roles, e.g. `user`, `manager`, etc.
+* ``alias`` - a user friendly name, display name, etc. This can be something
+  like `John Smith`, etc.
+* ``extra`` - any string you would like to hold in security context.
+
+Here is a sample how to instantiate new Principal::
+
+    principal = Principal(
+            id='125134788', 
+            roles=['user'], 
+            alias='John Smith')
+
+:py:class:`~wheezy.security.principal.Principal` supports the following
+methods:
+
+* ``dump`` - converts instance to a string.
+* ``load`` - reverse operation to ``dump``.
+
+You can use ``Ticket`` to secure ``Principal`` pass across network boundary.
+Combining them both you can introduce authentication/authorization cookie
+to your application.
+
+

src/wheezy/security/principal.py

 
 
 class Principal(object):
+    """ Container of user specific security information
+    """
 
     def __init__(self, id='', roles=None, alias='', extra=''):
         self.id = id