What does this code from AuthKit do? (where are these functions and methods defined?)

Question

I am trying to implement my own authentication method for AuthKit and am trying to figure out how some of the built-in methods work. In particular, I'm trying to figure out how to update the REMOTE_USER for environ correctly.

This is how it is handled inside of authkit.authenticate.basic but it is pretty confusing. I cannot find anyplace where REMOTE_USER and AUTH_TYPE are defined. Is there something strange going on here and if so, what is it?

def __call__(self, environ, start_response):
    environ['authkit.users'] = self.users
    result = self.authenticate(environ)
    if isinstance(result, str):
        AUTH_TYPE.update(environ, 'basic')
        REMOTE_USER.update(environ, result)
    return self.application(environ, start_response)

There are actually a number of all uppercase things like this that I cannot find a definition for. For example, where does AUTHORIZATION come from below:

def authenticate(self, environ):
    authorization = AUTHORIZATION(environ)
    if not authorization:
        return self.build_authentication()
    (authmeth, auth) = authorization.split(' ',1)
    if 'basic' != authmeth.lower():
        return self.build_authentication()
    auth = auth.strip().decode('base64')
    username, password = auth.split(':',1)
    if self.authfunc(environ, username, password):
        return username
    return self.build_authentication()

I feel like maybe I am missing some special syntax handling for the environ dict, but it is possible that there is something else really weird going on here that isn't immediately obvious to someone as new to Python as myself.

Answer 1

Looking at that source I see it has an (evil)

from paste.httpheaders import *

that is one way otherwise-mysterious barenames could suddenly appear in the code (which is exactly why this idiom is a very, very bad practice). I can't be sure that's how those identifiers suddenly and inexplicably materialize, but it's a possibility.