+cherrypy.tools.jsonify = cherrypy.Tool('before_finalize',
+ jsonify_tool_callback, priority=30)
+
+
+def require_login():
+ """If the user isn't logged in, raise 403 with an error."""
+ if cherrypy.request.login is False:
+ raise cherrypy.HTTPError(403,
+ "You are not authorized to access that resource")
+
+cherrypy.tools.require_login = cherrypy.Tool('on_start_resource',
+ require_login, priority=150)
+
+
+def require_POST():
+ """If the request isn't a POST request, raise 405 Method Not Allowed"""
+ if cherrypy.request.method != "POST":
+ raise cherrypy.HTTPError(405,
+ "You must submit this request with POST")
+
+cherrypy.tools.require_POST = cherrypy.Tool('on_start_resource',
+ require_POST, priority=150)
+
+
+def remote_user_login():
+ """Get remote user from SSL or GSSAPI, and store in request object.
+
+Get the current user based on environment variables set by SSL or
+GSSAPI, and store it in the attribute cherrpy.request.login.
+
+Per the CherryPy API (http://www.cherrypy.org/wiki/RequestObject#login),
+the attribute is set to the username on successful login, to False on
+failed login, and is left at None if the user attempted no authentication.
+"""
+ environ = cherrypy.request.wsgi_environ
+ user = environ.get('REMOTE_USER')
+ if user is None:
+ return
+ if environ.get('AUTH_TYPE') == 'Negotiate':
+ # Convert the krb5 principal into a krb4 username
+ if not user.endswith('@%s' % config.kerberos.realm):
+ cherrypy.request.login = False # failed to log in
+ else:
+ cherrypy.request.login = user.split('@')[0].replace('/', '.')
+ else:
+ cherrypy.request.login = user
+
+cherrypy.tools.remote_user_login = cherrypy.Tool('on_start_resource',
+ remote_user_login, priority=50)
+
+
+def invirtwebstate_init():
+ """Initialize the cherrypy.request.state object from Invirt"""
+ if not hasattr(cherrypy.request, "state"):
+ cherrypy.request.state = State(cherrypy.request.login)
+
+cherrypy.tools.invirtwebstate = cherrypy.Tool('on_start_resource',
+ invirtwebstate_init, priority=100)
+