def GET(self):
"""
HTTP Success:
200 OK
HTTP Error:
401 Unauthorized
:param Rucio-VO: VO name as a string (Multi-VO only).
:param Rucio-Account: Account identifier as a string.
:param Rucio-AppID: Application identifier as a string.
:param SavedCredentials: Apache mod_auth_kerb SavedCredentials.
:returns: "Rucio-Auth-Token" as a variable-length string header.
"""
header('Access-Control-Allow-Origin', ctx.env.get('HTTP_ORIGIN'))
header('Access-Control-Allow-Headers',
ctx.env.get('HTTP_ACCESS_CONTROL_REQUEST_HEADERS'))
header('Access-Control-Allow-Methods', '*')
header('Access-Control-Allow-Credentials', 'true')
header('Access-Control-Expose-Headers', 'X-Rucio-Auth-Token')
header('Content-Type', 'application/octet-stream')
header('Cache-Control',
'no-cache, no-store, max-age=0, must-revalidate')
header('Cache-Control', 'post-check=0, pre-check=0', False)
header('Pragma', 'no-cache')
vo = ctx.env.get('HTTP_X_RUCIO_VO', '')
account = ctx.env.get('HTTP_X_RUCIO_ACCOUNT')
gsscred = ctx.env.get('REMOTE_USER')
appid = ctx.env.get('HTTP_X_RUCIO_APPID')
if appid is None:
appid = 'unknown'
ip = ctx.env.get('HTTP_X_FORWARDED_FOR')
if ip is None:
ip = ctx.ip
try:
result = get_auth_token_gss(account, gsscred, appid, ip, vo=vo)
except AccessDenied:
raise generate_http_error(
401, 'CannotAuthenticate',
'Cannot authenticate to account %(account)s with given credentials'
% locals())
if result is None:
raise generate_http_error(
401, 'CannotAuthenticate',
'Cannot authenticate to account %(account)s with given credentials'
% locals())
else:
header('X-Rucio-Auth-Token', result.token)
header('X-Rucio-Auth-Token-Expires',
date_to_str(result.expired_at))
return str()
raise BadRequest()
def get(self):
"""
Authenticate a Rucio account temporarily via a GSS token.
.. :quickref: GSS; Authenticate with GSS token
:reqheader Rucio-VO: VO name as a string (Multi-VO only).
:reqheader Rucio-Account: Account identifier as a string.
:reqheader Rucio-AppID: Application identifier as a string.
:reqheader SavedCredentials: Apache mod_auth_kerb SavedCredentials.
:resheader Access-Control-Allow-Origin:
:resheader Access-Control-Allow-Headers:
:resheader Access-Control-Allow-Methods:
:resheader Access-Control-Allow-Credentials:
:resheader Access-Control-Expose-Headers:
:resheader X-Rucio-Auth-Token: The authentication token
:status 200: Successfully authenticated
:status 404: Invalid credentials
"""
headers = self.get_headers()
headers['Content-Type'] = 'application/octet-stream'
headers[
'Cache-Control'] = 'no-cache, no-store, max-age=0, must-revalidate'
headers.add('Cache-Control', 'post-check=0, pre-check=0')
headers['Pragma'] = 'no-cache'
vo = extract_vo(request.headers)
account = request.headers.get('X-Rucio-Account', default=None)
gsscred = request.environ.get('REMOTE_USER')
appid = request.headers.get('X-Rucio-AppID', default='unknown')
ip = request.headers.get('X-Forwarded-For',
default=request.remote_addr)
try:
result = get_auth_token_gss(account, gsscred, appid, ip, vo=vo)
except AccessDenied:
return generate_http_error_flask(
status_code=401,
exc=CannotAuthenticate.__name__,
exc_msg=
f'Cannot authenticate to account {account} with given credentials',
headers=headers)
if result is None:
return generate_http_error_flask(
status_code=401,
exc=CannotAuthenticate.__name__,
exc_msg=
f'Cannot authenticate to account {account} with given credentials',
headers=headers)
headers['X-Rucio-Auth-Token'] = result['token']
headers['X-Rucio-Auth-Token-Expires'] = date_to_str(
result['expires_at'])
return '', 200, headers
def get(self):
"""
Authenticate a Rucio account temporarily via a GSS token.
.. :quickref: GSS; Authenticate with GSS token
:reqheader Rucio-VO: VO name as a string (Multi-VO only).
:reqheader Rucio-Account: Account identifier as a string.
:reqheader Rucio-AppID: Application identifier as a string.
:reqheader SavedCredentials: Apache mod_auth_kerb SavedCredentials.
:resheader Access-Control-Allow-Origin:
:resheader Access-Control-Allow-Headers:
:resheader Access-Control-Allow-Methods:
:resheader Access-Control-Allow-Credentials:
:resheader Access-Control-Expose-Headers:
:resheader X-Rucio-Auth-Token: The authentication token
:status 200: Successfully authenticated
:status 404: Invalid credentials
"""
response = Response()
response.headers['Access-Control-Allow-Origin'] = request.environ.get('HTTP_ORIGIN')
response.headers['Access-Control-Allow-Headers'] = request.environ.get('HTTP_ACCESS_CONTROL_REQUEST_HEADERS')
response.headers['Access-Control-Allow-Methods'] = '*'
response.headers['Access-Control-Allow-Credentials'] = 'true'
response.headers['Access-Control-Expose-Headers'] = 'X-Rucio-Auth-Token'
response.headers['Content-Type'] = 'application/octet-stream'
response.headers['Cache-Control'] = 'no-cache, no-store, max-age=0, must-revalidate'
response.headers['Cache-Control'] = 'post-check=0, pre-check=0'
response.headers['Pragma'] = 'no-cache'
vo = request.environ.get('HTTP_X_RUCIO_VO', 'def')
account = request.environ.get('HTTP_X_RUCIO_ACCOUNT')
gsscred = request.environ.get('REMOTE_USER')
appid = request.environ.get('HTTP_X_RUCIO_APPID')
if appid is None:
appid = 'unknown'
ip = request.environ.get('HTTP_X_FORWARDED_FOR')
if ip is None:
ip = request.remote_addr
try:
result = get_auth_token_gss(account, gsscred, appid, ip, vo=vo)
except AccessDenied:
return generate_http_error_flask(401, 'CannotAuthenticate', 'Cannot authenticate to account %(account)s with given credentials' % locals())
if result is None:
return generate_http_error_flask(401, 'CannotAuthenticate', 'Cannot authenticate to account %(account)s with given credentials' % locals())
else:
response.headers('X-Rucio-Auth-Token', result)
return str()
return 'BadRequest', 400
def test_auth_gss(self):
""" MULTI VO (REST): Test gss authentication to multiple VOs """
mw = []
# Can't rely on `requests_kerberos` module being present, so get tokens from API instead
token_tst = get_auth_token_gss('root', '*****@*****.**', 'unknown', None, **self.vo).token
token_new = get_auth_token_gss('root', '*****@*****.**', 'unknown', None, **self.new_vo).token
headers_tst = {'X-Rucio-Auth-Token': str(token_tst)}
res_tst = TestApp(account_app.wsgifunc(*mw)).get('/', headers=headers_tst, expect_errors=True)
assert_equal(res_tst.status, 200)
accounts_tst = [parse_response(a)['account'] for a in res_tst.body.decode().split('\n')[:-1]]
assert_not_equal(len(accounts_tst), 0)
assert_in(self.account_tst, accounts_tst)
assert_not_in(self.account_new, accounts_tst)
headers_new = {'X-Rucio-Auth-Token': str(token_new)}
res_new = TestApp(account_app.wsgifunc(*mw)).get('/', headers=headers_new, expect_errors=True)
assert_equal(res_new.status, 200)
accounts_new = [parse_response(a)['account'] for a in res_new.body.decode().split('\n')[:-1]]
assert_not_equal(len(accounts_new), 0)
assert_in(self.account_new, accounts_new)
assert_not_in(self.account_tst, accounts_new)
def get(self):
"""
Authenticate a Rucio account temporarily via a GSS token.
.. :quickref: GSS; Authenticate with GSS token
:reqheader Rucio-VO: VO name as a string (Multi-VO only).
:reqheader Rucio-Account: Account identifier as a string.
:reqheader Rucio-AppID: Application identifier as a string.
:reqheader SavedCredentials: Apache mod_auth_kerb SavedCredentials.
:resheader Access-Control-Allow-Origin:
:resheader Access-Control-Allow-Headers:
:resheader Access-Control-Allow-Methods:
:resheader Access-Control-Allow-Credentials:
:resheader Access-Control-Expose-Headers:
:resheader X-Rucio-Auth-Token: The authentication token
:status 200: Successfully authenticated
:status 404: Invalid credentials
"""
headers = Headers()
headers['Access-Control-Allow-Origin'] = request.environ.get('HTTP_ORIGIN')
headers['Access-Control-Allow-Headers'] = request.environ.get('HTTP_ACCESS_CONTROL_REQUEST_HEADERS')
headers['Access-Control-Allow-Methods'] = '*'
headers['Access-Control-Allow-Credentials'] = 'true'
headers['Access-Control-Expose-Headers'] = 'X-Rucio-Auth-Token'
headers['Content-Type'] = 'application/octet-stream'
headers['Cache-Control'] = 'no-cache, no-store, max-age=0, must-revalidate'
headers.add('Cache-Control', 'post-check=0, pre-check=0')
headers['Pragma'] = 'no-cache'
vo = request.headers.get('X-Rucio-VO', default='def')
account = request.headers.get('X-Rucio-Account', default=None)
gsscred = request.environ.get('REMOTE_USER')
appid = request.headers.get('X-Rucio-AppID', default='unknown')
ip = request.headers.get('X-Forwarded-For', default=request.remote_addr)
try:
result = get_auth_token_gss(account, gsscred, appid, ip, vo=vo)
except AccessDenied:
return generate_http_error_flask(401, 'CannotAuthenticate', 'Cannot authenticate to account %(account)s with given credentials' % locals(), headers=headers)
if result is None:
return generate_http_error_flask(401, 'CannotAuthenticate', 'Cannot authenticate to account %(account)s with given credentials' % locals(), headers=headers)
headers['X-Rucio-Auth-Token'] = result.token
headers['X-Rucio-Auth-Token-Expires'] = date_to_str(result.expired_at)
return '', 200, headers
def GET(self):
"""
HTTP Success:
200 OK
HTTP Error:
401 Unauthorized
:param Rucio-Account: Account identifier as a string.
:param Rucio-AppID: Application identifier as a string.
:param SavedCredentials: Apache mod_auth_kerb SavedCredentials.
:returns: "Rucio-Auth-Token" as a variable-length string header.
"""
header('Access-Control-Allow-Origin', ctx.env.get('HTTP_ORIGIN'))
header('Access-Control-Allow-Headers', ctx.env.get('HTTP_ACCESS_CONTROL_REQUEST_HEADERS'))
header('Access-Control-Allow-Methods', '*')
header('Access-Control-Allow-Credentials', 'true')
header('Access-Control-Expose-Headers', 'X-Rucio-Auth-Token')
header('Content-Type', 'application/octet-stream')
header('Cache-Control', 'no-cache, no-store, max-age=0, must-revalidate')
header('Cache-Control', 'post-check=0, pre-check=0', False)
header('Pragma', 'no-cache')
account = ctx.env.get('HTTP_X_RUCIO_ACCOUNT')
gsscred = ctx.env.get('REMOTE_USER')
appid = ctx.env.get('HTTP_X_RUCIO_APPID')
if appid is None:
appid = 'unknown'
ip = ctx.env.get('HTTP_X_FORWARDED_FOR')
if ip is None:
ip = ctx.ip
try:
result = get_auth_token_gss(account, gsscred, appid, ip)
except AccessDenied:
raise generate_http_error(401, 'CannotAuthenticate', 'Cannot authenticate to account %(account)s with given credentials' % locals())
if result is None:
raise generate_http_error(401, 'CannotAuthenticate', 'Cannot authenticate to account %(account)s with given credentials' % locals())
else:
header('X-Rucio-Auth-Token', result)
return str()
raise BadRequest()
