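 def web_auth(self):
     """Handle a login / logout request for one authentication type.

     Reads ``typeauth`` (required) and ``value`` (optional) from the request
     arguments. Three cases:

     * ``Logout``, or a type that is neither ``Certificate`` nor a section of
       ``TypeAuths`` in the CS: the ``TypeAuth`` cookie is reset to ``Visitor``.
     * a type whose CS ``method`` is ``oAuth2``: ``value`` is an access token.
       It is presented to ``<authority>/userinfo``; when the returned ``sub``
       claim maps to a registered user, the ``TypeAuth`` and ``AccessToken``
       cookies are set and ``{"value": "Done"}`` is written. An unknown
       subject yields ``{"value": "NotRegistred", "profile": <userinfo>}``;
       a missing token or an unusable provider reply yields
       ``{"value": "Error", "message": ...}``.
     * any other known type: only the ``TypeAuth`` cookie is set.

     ``value`` and ``typeauth`` are client-controlled; nothing here trusts
     them beyond forwarding the token to the configured authority.
     """
     typeAuth = str(self.request.arguments["typeauth"][0])
     loadValue = self.request.arguments.get("value", [None])[0]
     method = Conf.getCSValue("TypeAuths/%s/method" % typeAuth)

     # Known authentication types: 'Certificate' is always accepted, the rest
     # are the sub-sections of TypeAuths (looked up once, not twice).
     auths = ['Certificate']
     sections = Conf.getCSSections("TypeAuths")
     if sections['OK']:
         auths.extend(sections.get("Value") or [])

     if typeAuth == 'Logout' or typeAuth not in auths:
         # Logout or an unrecognised type: downgrade the session to Visitor.
         self.set_secure_cookie("TypeAuth", 'Visitor')
     elif method == 'oAuth2':
         accessToken = loadValue
         if not accessToken:
             self.write({"value": 'Error', "message": 'No access token supplied'})
             return
         url = Conf.getCSValue('TypeAuths/%s/authority' % typeAuth) + '/userinfo'
         heads = {
             'Authorization': 'Bearer ' + accessToken,
             'Content-Type': 'application/json'
         }
         # The bearer token travels in this request, so certificate
         # verification must stay on: without it a network attacker could
         # capture the token. A private CA goes into REQUESTS_CA_BUNDLE.
         resp = requests.get(url, headers=heads, verify=True)
         try:
             oJson = resp.json()
         except ValueError:
             oJson = {}
         if not resp.ok or 'sub' not in oJson:
             # No subject claim: nothing to look up in the registry.
             self.log.error("userinfo request to %s failed (HTTP %s)" % (url, resp.status_code))
             self.write({"value": 'Error', "message": 'Could not obtain user info for %s' % typeAuth})
             return
         res = getUsernameForID(oJson['sub'])
         if res['OK']:
             self.set_secure_cookie("TypeAuth", typeAuth)
             self.set_secure_cookie("AccessToken", accessToken)
             self.write({"value": 'Done'})
         else:
             self.write({"value": 'NotRegistred', "profile": oJson})
     else:
         self.set_secure_cookie("TypeAuth", typeAuth)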
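 def oAuth2():
     """Resolve the ``AccessToken`` cookie into registry credentials.

     Closure over ``self`` (the handler) and ``typeAuth`` (the TypeAuths
     section name) from the enclosing method. Does nothing when the cookie
     is absent. Fetches ``<authority>/userinfo`` once, maps the ``sub``
     claim to a username and fills ``username``, ``validDN``/``DN`` and
     ``issuer`` in ``self.__credDict``. On a provider error, a missing
     ``sub`` or an unknown subject the dict is left untouched.

     NOTE(review): ``'Bearer ' + access_token`` assumes the cookie value is a
     str; Tornado returns bytes on Python 3 -- confirm the runtime.
     """
     access_token = self.get_secure_cookie("AccessToken")
     if not access_token:
         return
     url = Conf.getCSValue("TypeAuths/%s/authority" % typeAuth) + '/userinfo'
     heads = {
         'Authorization': 'Bearer ' + access_token,
         'Content-Type': 'application/json'
     }
     # One round trip, reused below. The bearer token is in this request, so
     # certificate verification stays on (a private CA goes into
     # REQUESTS_CA_BUNDLE); turning it off would expose the token to a MITM.
     resp = requests.get(url, headers=heads, verify=True)
     try:
         info = resp.json()
     except ValueError:
         self.log.error('OIDC request error: non-JSON reply from %s (HTTP %s)' % (url, resp.status_code))
         return
     if 'error' in info:
         self.log.error('OIDC request error: %s' % info['error'])
         return
     if 'sub' not in info:
         self.log.error('OIDC request error: no "sub" claim in the userinfo reply')
         return
     result = getUsernameForID(info['sub'])
     if not result['OK']:
         # Unknown subject: without a username the DN/CA lookups cannot run.
         return
     username = result['Value']
     self.__credDict['username'] = username
     result = getDNForUsername(username)
     if result['OK']:
         self.__credDict['validDN'] = True
         self.__credDict['DN'] = result['Value'][0]
     result = getCAForUsername(username)
     if result['OK']:
         self.__credDict['issuer'] = result['Value'][0]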
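 def web_sendRequest(self):
     """Email the configured admins a registration request from the client.

     ``typeauth`` names the authentication type; ``value`` is a list of
     free-text details supplied by the client (the first two entries go into
     the subject, the whole list into the body). Recipients come from the
     ``AdminsEmails`` CS option. All request arguments are untrusted.
     """
     typeAuth = str(self.request.arguments["typeauth"][0])
     loadValue = self.request.arguments.get("value", [])
     addresses = Conf.getCSValue('AdminsEmails')
     # Pad to two entries so a short (or missing) list cannot raise IndexError.
     first, second = (list(loadValue) + ['', ''])[:2]
     # The subject becomes a mail header: collapse whitespace and newlines so
     # client input cannot add header lines.
     subject = ' '.join(("Request from %s %s" % (first, second)).split())
     NotificationClient().sendMail(
         addresses,
         subject=subject,
         body='Type auth: %s, details: %s' % (typeAuth, loadValue))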
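 def web_getAuthCFG(self):
     """Return authentication-type configuration from the CS to the client.

     ``typeauth`` selects a ``TypeAuths/<typeauth>`` section and ``value``
     selects what is returned: empty -> the option names of that section,
     ``all`` -> every option with its value, anything else -> the value of
     that single option. Without ``typeauth`` the list of sections is
     returned. An empty dict is written when the CS has no TypeAuths
     section, when the lookup yields nothing, or when a name is rejected.

     NOTE(review): any client can read every option under
     ``TypeAuths/<type>`` through this endpoint, so that section must not
     hold secrets -- whether it does depends on the deployment's CS.
     """
     typeAuth = str(self.request.arguments["typeauth"][0])
     loadValue = self.request.arguments.get("value", [''])[0]
     if '/' in typeAuth or '/' in loadValue:
         # Section and option names are single CS path segments; a '/' would
         # form a path that points somewhere other than the intended section.
         self.write({})
         return
     sections = Conf.getCSSections("TypeAuths")
     res = {}
     if sections['OK']:
         if not typeAuth:
             res = sections
         elif not loadValue:
             res = Conf.getCSOptions("TypeAuths/%s" % typeAuth)
         elif loadValue == 'all':
             res = Conf.getCSOptionsDict("TypeAuths/%s" % typeAuth).get('Value')
         else:
             res = Conf.getCSValue("TypeAuths/%s/%s" % (typeAuth, loadValue), None)
     # Tornado's write() rejects None; report "nothing found" as an empty dict.
     self.write(res if res is not None else {})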
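 def oAuth2():
   """Resolve the ``AccessToken`` cookie into registry credentials.

   Closure over ``self`` (the handler) and ``typeAuth`` (the TypeAuths
   section name) from the enclosing method. Does nothing when the cookie
   is absent. Fetches ``<authority>/userinfo`` once, maps the ``sub`` claim
   to a username and fills ``username``, ``validDN``/``DN`` and ``issuer``
   in ``self.__credDict``. On a provider error, a missing ``sub`` or an
   unknown subject the dict is left untouched.

   NOTE(review): ``'Bearer ' + access_token`` assumes the cookie value is a
   str; Tornado returns bytes on Python 3 -- confirm the runtime.
   """
   access_token = self.get_secure_cookie("AccessToken")
   if not access_token:
     return
   url = Conf.getCSValue("TypeAuths/%s/authority" % typeAuth) + '/userinfo'
   heads = {'Authorization': 'Bearer ' + access_token, 'Content-Type': 'application/json'}
   # One round trip, reused below. The bearer token is in this request, so
   # certificate verification stays on (a private CA goes into
   # REQUESTS_CA_BUNDLE); turning it off would expose the token to a MITM.
   resp = requests.get(url, headers=heads, verify=True)
   try:
     info = resp.json()
   except ValueError:
     self.log.error('OIDC request error: non-JSON reply from %s (HTTP %s)' % (url, resp.status_code))
     return
   if 'error' in info:
     self.log.error('OIDC request error: %s' % info['error'])
     return
   if 'sub' not in info:
     self.log.error('OIDC request error: no "sub" claim in the userinfo reply')
     return
   result = getUsernameForID(info['sub'])
   if not result['OK']:
     # Unknown subject: without a username the DN/CA lookups cannot run.
     return
   username = result['Value']
   self.__credDict['username'] = username
   result = getDNForUsername(username)
   if result['OK']:
     self.__credDict['validDN'] = True
     self.__credDict['DN'] = result['Value'][0]
   result = getCAForUsername(username)
   if result['OK']:
     self.__credDict['issuer'] = result['Value'][0]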
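    def __processCredentials(self):
        """Populate ``self.__credDict`` for an HTTPS request.

        Sources, tried in this order:

        1. the ``TypeAuth`` cookie (``Certificate`` when unset). ``Visitor``
           stops here with no credentials. When the cookie names a TypeAuths
           section whose ``method`` is ``oAuth2``, the ``AccessToken`` cookie
           is resolved through the provider's ``/userinfo`` endpoint.
        2. behind an nginx balancer, the ``X-Ssl_client_*`` headers nginx
           sets after verifying the client certificate; the method returns
           after this step regardless of outcome.
        3. otherwise the client certificate of the TLS connection itself.

        Plain HTTP requests return immediately with the dict untouched.
        """
        if not self.request.protocol == "https":
            return

        # OIDC auth method
        def oAuth2(typeAuth):
            """Resolve the ``AccessToken`` cookie into registry credentials.

            No-op without the cookie. The userinfo reply is fetched once;
            on a provider error, a missing ``sub`` or an unknown subject
            ``self.__credDict`` is left untouched.

            NOTE(review): ``'Bearer ' + access_token`` assumes a str cookie
            value; Tornado returns bytes on Python 3 -- confirm the runtime.
            """
            access_token = self.get_secure_cookie("AccessToken")
            if not access_token:
                return
            url = Conf.getCSValue("TypeAuths/%s/authority" % typeAuth) + '/userinfo'
            heads = {
                'Authorization': 'Bearer ' + access_token,
                'Content-Type': 'application/json'
            }
            # The bearer token is in this request, so certificate verification
            # stays on (a private CA goes into REQUESTS_CA_BUNDLE); turning it
            # off would expose the token to a MITM.
            resp = requests.get(url, headers=heads, verify=True)
            try:
                info = resp.json()
            except ValueError:
                self.log.error('OIDC request error: non-JSON reply from %s (HTTP %s)' % (url, resp.status_code))
                return
            if 'error' in info:
                self.log.error('OIDC request error: %s' % info['error'])
                return
            if 'sub' not in info:
                self.log.error('OIDC request error: no "sub" claim in the userinfo reply')
                return
            result = getUsernameForID(info['sub'])
            if not result['OK']:
                # Unknown subject: without a username the DN/CA lookups cannot run.
                return
            username = result['Value']
            self.__credDict['username'] = username
            result = getDNForUsername(username)
            if result['OK']:
                self.__credDict['validDN'] = True
                self.__credDict['DN'] = result['Value'][0]
            result = getCAForUsername(username)
            if result['OK']:
                self.__credDict['issuer'] = result['Value'][0]

        # Type of Auth
        if not self.get_secure_cookie("TypeAuth"):
            self.set_secure_cookie("TypeAuth", 'Certificate')
        # set_secure_cookie only touches the response, so re-reading the cookie
        # on the same request still yields None: fall back to the default.
        typeAuth = self.get_secure_cookie("TypeAuth") or 'Certificate'
        self.log.info("Type authentication: %s" % str(typeAuth))
        if typeAuth == "Visitor":
            return
        retVal = Conf.getCSSections("TypeAuths")
        if retVal['OK'] and typeAuth in retVal.get("Value"):
            method = Conf.getCSValue("TypeAuths/%s/method" % typeAuth, 'default')
            if method == "oAuth2":
                oAuth2(typeAuth)

        # NGINX
        if Conf.balancer() == "nginx":
            headers = self.request.headers
            # These headers carry nginx's own verdict on the client certificate.
            # They are only meaningful if nginx is the sole path to this
            # process -- a deployment property that is not checked here.
            if (headers.get('X-Scheme') == "https"
                    and headers.get('X-Ssl_client_verify') == 'SUCCESS'):
                DN = headers['X-Ssl_client_s_dn']
                # A comma-separated DN is converted to the slash-separated form
                # used elsewhere (segments reversed). Escaped commas inside an
                # attribute value are not handled.
                if not DN.startswith('/'):
                    DN = '/' + '/'.join(reversed(DN.split(',')))
                self.__credDict['DN'] = DN
                self.__credDict['issuer'] = headers['X-Ssl_client_i_dn']
                result = Registry.getUsernameForDN(DN)
                self.__credDict['validDN'] = result['OK']
                if result['OK']:
                    self.__credDict['username'] = result['Value']
            return

        # TORNADO
        derCert = self.request.get_ssl_certificate(binary_form=True)
        if not derCert:
            return
        pemCert = ssl.DER_cert_to_PEM_cert(derCert)
        chain = X509Chain()
        chain.loadChainFromString(pemCert)
        result = chain.getCredentials()
        if not result['OK']:
            self.log.error("Could not get client credentials %s" % result['Message'])
            return
        self.__credDict = result['Value']
        # Hack. Data coming from OSSL directly and DISET differ in DN/subject:
        # expose the subject under the 'DN' key the rest of the code reads.
        try:
            self.__credDict['DN'] = self.__credDict['subject']
        except KeyError:
            pass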
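  def __processCredentials(self):
    """Populate ``self.__credDict`` for an HTTPS request.

    Sources, tried in this order:

    1. the ``TypeAuth`` cookie (``Certificate`` when unset). ``Visitor``
       stops here with no credentials. When the cookie names a TypeAuths
       section whose ``method`` is ``oAuth2``, the ``AccessToken`` cookie
       is resolved through the provider's ``/userinfo`` endpoint.
    2. behind an nginx balancer, the ``X-Ssl_client_*`` headers nginx sets
       after verifying the client certificate; the method returns after
       this step regardless of outcome.
    3. otherwise the client certificate of the TLS connection itself.

    Plain HTTP requests return immediately with the dict untouched.
    """
    if not self.request.protocol == "https":
      return

    # OIDC auth method
    def oAuth2(typeAuth):
      """Resolve the ``AccessToken`` cookie into registry credentials.

      No-op without the cookie. The userinfo reply is fetched once; on a
      provider error, a missing ``sub`` or an unknown subject
      ``self.__credDict`` is left untouched.

      NOTE(review): ``'Bearer ' + access_token`` assumes a str cookie value;
      Tornado returns bytes on Python 3 -- confirm the runtime.
      """
      access_token = self.get_secure_cookie("AccessToken")
      if not access_token:
        return
      url = Conf.getCSValue("TypeAuths/%s/authority" % typeAuth) + '/userinfo'
      heads = {'Authorization': 'Bearer ' + access_token, 'Content-Type': 'application/json'}
      # The bearer token is in this request, so certificate verification stays
      # on (a private CA goes into REQUESTS_CA_BUNDLE); turning it off would
      # expose the token to a MITM.
      resp = requests.get(url, headers=heads, verify=True)
      try:
        info = resp.json()
      except ValueError:
        self.log.error('OIDC request error: non-JSON reply from %s (HTTP %s)' % (url, resp.status_code))
        return
      if 'error' in info:
        self.log.error('OIDC request error: %s' % info['error'])
        return
      if 'sub' not in info:
        self.log.error('OIDC request error: no "sub" claim in the userinfo reply')
        return
      result = getUsernameForID(info['sub'])
      if not result['OK']:
        # Unknown subject: without a username the DN/CA lookups cannot run.
        return
      username = result['Value']
      self.__credDict['username'] = username
      result = getDNForUsername(username)
      if result['OK']:
        self.__credDict['validDN'] = True
        self.__credDict['DN'] = result['Value'][0]
      result = getCAForUsername(username)
      if result['OK']:
        self.__credDict['issuer'] = result['Value'][0]

    # Type of Auth
    if not self.get_secure_cookie("TypeAuth"):
      self.set_secure_cookie("TypeAuth", 'Certificate')
    # set_secure_cookie only touches the response, so re-reading the cookie on
    # the same request still yields None: fall back to the default.
    typeAuth = self.get_secure_cookie("TypeAuth") or 'Certificate'
    self.log.info("Type authentication: %s" % str(typeAuth))
    if typeAuth == "Visitor":
      return
    retVal = Conf.getCSSections("TypeAuths")
    if retVal['OK'] and typeAuth in retVal.get("Value"):
      method = Conf.getCSValue("TypeAuths/%s/method" % typeAuth, 'default')
      if method == "oAuth2":
        oAuth2(typeAuth)

    # NGINX
    if Conf.balancer() == "nginx":
      headers = self.request.headers
      # These headers carry nginx's own verdict on the client certificate. They
      # are only meaningful if nginx is the sole path to this process -- a
      # deployment property that is not checked here.
      if headers.get('X-Scheme') == "https" and headers.get('X-Ssl_client_verify') == 'SUCCESS':
        DN = headers['X-Ssl_client_s_dn']
        # A comma-separated DN is converted to the slash-separated form used
        # elsewhere (segments reversed). Escaped commas inside an attribute
        # value are not handled.
        if not DN.startswith('/'):
          DN = '/' + '/'.join(reversed(DN.split(',')))
        self.__credDict['DN'] = DN
        self.__credDict['issuer'] = headers['X-Ssl_client_i_dn']
        result = Registry.getUsernameForDN(DN)
        self.__credDict['validDN'] = result['OK']
        if result['OK']:
          self.__credDict['username'] = result['Value']
      return

    # TORNADO
    derCert = self.request.get_ssl_certificate(binary_form=True)
    if not derCert:
      return
    pemCert = ssl.DER_cert_to_PEM_cert(derCert)
    chain = X509Chain()
    chain.loadChainFromString(pemCert)
    result = chain.getCredentials()
    if not result['OK']:
      self.log.error("Could not get client credentials %s" % result['Message'])
      return
    self.__credDict = result['Value']
    # Hack. Data coming from OSSL directly and DISET differ in DN/subject:
    # expose the subject under the 'DN' key the rest of the code reads.
    try:
      self.__credDict['DN'] = self.__credDict['subject']
    except KeyError:
      pass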