def web_auth(self):
typeAuth = str(self.request.arguments["typeauth"][0])
loadValue = self.request.arguments["value"][0]
method = Conf.getCSValue("TypeAuths/%s/method" % typeAuth)
auths = ['Certificate']
if Conf.getCSSections("TypeAuths")['OK']:
auths.extend(Conf.getCSSections("TypeAuths").get("Value"))
if (typeAuth == 'Logout') or (typeAuth not in auths):
typeAuth = self.get_secure_cookie("TypeAuth")
self.set_secure_cookie("TypeAuth", 'Visitor')
elif method == 'oAuth2':
accessToken = loadValue
url = Conf.getCSValue(
'TypeAuths/%s/authority' % typeAuth) + '/userinfo'
access = 'Bearer ' + accessToken
heads = {
'Authorization': access,
'Content-Type': 'application/json'
}
oJson = requests.get(url, headers=heads, verify=False).json()
res = getUsernameForID(oJson['sub'])
if res['OK']:
self.set_secure_cookie("TypeAuth", typeAuth)
self.set_secure_cookie("AccessToken", accessToken)
self.write({"value": 'Done'})
else:
self.write({"value": 'NotRegistred', "profile": oJson})
else:
self.set_secure_cookie("TypeAuth", typeAuth)
def oAuth2():
if self.get_secure_cookie("AccessToken"):
access_token = self.get_secure_cookie("AccessToken")
url = Conf.getCSValue(
"TypeAuths/%s/authority" % typeAuth) + '/userinfo'
heads = {
'Authorization': 'Bearer ' + access_token,
'Content-Type': 'application/json'
}
if 'error' in requests.get(url, headers=heads,
verify=False).json():
self.log.error('OIDC request error: %s' % requests.get(
url, headers=heads, verify=False).json()['error'])
return
ID = requests.get(url, headers=heads,
verify=False).json()['sub']
result = getUsernameForID(ID)
if result['OK']:
self.__credDict['username'] = result['Value']
result = getDNForUsername(self.__credDict['username'])
if result['OK']:
self.__credDict['validDN'] = True
self.__credDict['DN'] = result['Value'][0]
result = getCAForUsername(self.__credDict['username'])
if result['OK']:
self.__credDict['issuer'] = result['Value'][0]
return
def web_sendRequest(self):
typeAuth = str(self.request.arguments["typeauth"][0])
loadValue = self.request.arguments["value"]
addresses = Conf.getCSValue('AdminsEmails')
NotificationClient().sendMail(
addresses,
subject="Request from %s %s" % (loadValue[0], loadValue[1]),
body='Type auth: %s, details: %s' % (typeAuth, loadValue))
def web_getAuthCFG(self):
typeAuth = str(self.request.arguments["typeauth"][0])
loadValue = self.request.arguments["value"][0]
res = {}
if Conf.getCSSections("TypeAuths")['OK']:
if typeAuth:
if loadValue:
if loadValue == 'all':
res = Conf.getCSOptionsDict("TypeAuths/%s" %
typeAuth).get('Value')
else:
res = Conf.getCSValue(
"TypeAuths/%s/%s" % (typeAuth, loadValue), None)
else:
res = Conf.getCSOptions("TypeAuths/%s" % typeAuth)
else:
res = Conf.getCSSections("TypeAuths")
self.write(res)
def oAuth2():
if self.get_secure_cookie("AccessToken"):
access_token = self.get_secure_cookie("AccessToken")
url = Conf.getCSValue("TypeAuths/%s/authority" % typeAuth) + '/userinfo'
heads = {'Authorization': 'Bearer ' + access_token, 'Content-Type': 'application/json'}
if 'error' in requests.get(url, headers=heads, verify=False).json():
self.log.error('OIDC request error: %s' % requests.get(url, headers=heads, verify=False).json()['error'])
return
ID = requests.get(url, headers=heads, verify=False).json()['sub']
result = getUsernameForID(ID)
if result['OK']:
self.__credDict['username'] = result['Value']
result = getDNForUsername(self.__credDict['username'])
if result['OK']:
self.__credDict['validDN'] = True
self.__credDict['DN'] = result['Value'][0]
result = getCAForUsername(self.__credDict['username'])
if result['OK']:
self.__credDict['issuer'] = result['Value'][0]
return
def __processCredentials(self):
"""
Extract the user credentials based on the certificate or what comes from the balancer
"""
if not self.request.protocol == "https":
return
# OIDC auth method
def oAuth2():
if self.get_secure_cookie("AccessToken"):
access_token = self.get_secure_cookie("AccessToken")
url = Conf.getCSValue(
"TypeAuths/%s/authority" % typeAuth) + '/userinfo'
heads = {
'Authorization': 'Bearer ' + access_token,
'Content-Type': 'application/json'
}
if 'error' in requests.get(url, headers=heads,
verify=False).json():
self.log.error('OIDC request error: %s' % requests.get(
url, headers=heads, verify=False).json()['error'])
return
ID = requests.get(url, headers=heads,
verify=False).json()['sub']
result = getUsernameForID(ID)
if result['OK']:
self.__credDict['username'] = result['Value']
result = getDNForUsername(self.__credDict['username'])
if result['OK']:
self.__credDict['validDN'] = True
self.__credDict['DN'] = result['Value'][0]
result = getCAForUsername(self.__credDict['username'])
if result['OK']:
self.__credDict['issuer'] = result['Value'][0]
return
# Type of Auth
if not self.get_secure_cookie("TypeAuth"):
self.set_secure_cookie("TypeAuth", 'Certificate')
typeAuth = self.get_secure_cookie("TypeAuth")
self.log.info("Type authentication: %s" % str(typeAuth))
if typeAuth == "Visitor":
return
retVal = Conf.getCSSections("TypeAuths")
if retVal['OK']:
if typeAuth in retVal.get("Value"):
method = Conf.getCSValue("TypeAuths/%s/method" % typeAuth,
'default')
if method == "oAuth2":
oAuth2()
# NGINX
if Conf.balancer() == "nginx":
headers = self.request.headers
if headers['X-Scheme'] == "https" and headers[
'X-Ssl_client_verify'] == 'SUCCESS':
DN = headers['X-Ssl_client_s_dn']
if not DN.startswith('/'):
items = DN.split(',')
items.reverse()
DN = '/' + '/'.join(items)
self.__credDict['DN'] = DN
self.__credDict['issuer'] = headers['X-Ssl_client_i_dn']
result = Registry.getUsernameForDN(DN)
if not result['OK']:
self.__credDict['validDN'] = False
else:
self.__credDict['validDN'] = True
self.__credDict['username'] = result['Value']
return
# TORNADO
derCert = self.request.get_ssl_certificate(binary_form=True)
if not derCert:
return
pemCert = ssl.DER_cert_to_PEM_cert(derCert)
chain = X509Chain()
chain.loadChainFromString(pemCert)
result = chain.getCredentials()
if not result['OK']:
self.log.error("Could not get client credentials %s" %
result['Message'])
return
self.__credDict = result['Value']
# Hack. Data coming from OSSL directly and DISET difer in DN/subject
try:
self.__credDict['DN'] = self.__credDict['subject']
except KeyError:
pass
def __processCredentials(self):
"""
Extract the user credentials based on the certificate or what comes from the balancer
"""
if not self.request.protocol == "https":
return
# OIDC auth method
def oAuth2():
if self.get_secure_cookie("AccessToken"):
access_token = self.get_secure_cookie("AccessToken")
url = Conf.getCSValue("TypeAuths/%s/authority" % typeAuth) + '/userinfo'
heads = {'Authorization': 'Bearer ' + access_token, 'Content-Type': 'application/json'}
if 'error' in requests.get(url, headers=heads, verify=False).json():
self.log.error('OIDC request error: %s' % requests.get(url, headers=heads, verify=False).json()['error'])
return
ID = requests.get(url, headers=heads, verify=False).json()['sub']
result = getUsernameForID(ID)
if result['OK']:
self.__credDict['username'] = result['Value']
result = getDNForUsername(self.__credDict['username'])
if result['OK']:
self.__credDict['validDN'] = True
self.__credDict['DN'] = result['Value'][0]
result = getCAForUsername(self.__credDict['username'])
if result['OK']:
self.__credDict['issuer'] = result['Value'][0]
return
# Type of Auth
if not self.get_secure_cookie("TypeAuth"):
self.set_secure_cookie("TypeAuth", 'Certificate')
typeAuth = self.get_secure_cookie("TypeAuth")
self.log.info("Type authentication: %s" % str(typeAuth))
if typeAuth == "Visitor":
return
retVal = Conf.getCSSections("TypeAuths")
if retVal['OK']:
if typeAuth in retVal.get("Value"):
method = Conf.getCSValue("TypeAuths/%s/method" % typeAuth, 'default')
if method == "oAuth2":
oAuth2()
# NGINX
if Conf.balancer() == "nginx":
headers = self.request.headers
if headers['X-Scheme'] == "https" and headers['X-Ssl_client_verify'] == 'SUCCESS':
DN = headers['X-Ssl_client_s_dn']
if not DN.startswith('/'):
items = DN.split(',')
items.reverse()
DN = '/' + '/'.join(items)
self.__credDict['DN'] = DN
self.__credDict['issuer'] = headers['X-Ssl_client_i_dn']
result = Registry.getUsernameForDN(DN)
if not result['OK']:
self.__credDict['validDN'] = False
else:
self.__credDict['validDN'] = True
self.__credDict['username'] = result['Value']
return
# TORNADO
derCert = self.request.get_ssl_certificate(binary_form=True)
if not derCert:
return
pemCert = ssl.DER_cert_to_PEM_cert(derCert)
chain = X509Chain()
chain.loadChainFromString(pemCert)
result = chain.getCredentials()
if not result['OK']:
self.log.error("Could not get client credentials %s" % result['Message'])
return
self.__credDict = result['Value']
# Hack. Data coming from OSSL directly and DISET difer in DN/subject
try:
self.__credDict['DN'] = self.__credDict['subject']
except KeyError:
pass
