def GET(self):
"""
HTTP Success:
200 OK
HTTP Error:
401 Unauthorized
:param QUERY_STRING: the URL query string itself
:returns: "Rucio-Auth-Token" as a variable-length string header.
"""
header('Access-Control-Allow-Origin', ctx.env.get('HTTP_ORIGIN'))
header('Access-Control-Allow-Headers',
ctx.env.get('HTTP_ACCESS_CONTROL_REQUEST_HEADERS'))
header('Access-Control-Allow-Methods', '*')
header('Access-Control-Allow-Credentials', 'true')
header('Content-Type', 'text/html')
header('Cache-Control',
'no-cache, no-store, max-age=0, must-revalidate')
header('Cache-Control', 'post-check=0, pre-check=0', False)
header('Pragma', 'no-cache')
query_string = ctx.env.get('QUERY_STRING')
ip = ctx.env.get('HTTP_X_FORWARDED_FOR')
if ip is None:
ip = ctx.ip
try:
result = get_token_oidc(query_string, ip)
except AccessDenied:
render = template.render(
join(dirname(__file__), '../auth_templates/'))
return render.auth_crash('contact')
except RucioException:
render = template.render(
join(dirname(__file__), '../auth_templates/'))
return render.auth_crash('internal_error')
except Exception:
print(format_exc())
render = template.render(
join(dirname(__file__), '../auth_templates/'))
return render.auth_crash('internal_error')
render = template.render(join(dirname(__file__), '../auth_templates/'))
if not result:
return render.auth_crash('no_result')
if 'fetchcode' in result:
authcode = result['fetchcode']
return render.auth_granted(authcode)
elif 'polling' in result and result['polling'] is True:
authcode = "allok"
return render.auth_granted(authcode)
else:
return render.auth_crash('bad_request')
def GET(self):
"""
HTTP Success:
200 OK
HTTP Error:
401 Unauthorized
:param QUERY_STRING: the URL query string itself
:returns: "Rucio-Auth-Token" as a variable-length string header.
"""
header('Access-Control-Allow-Origin', ctx.env.get('HTTP_ORIGIN'))
header('Access-Control-Allow-Headers', ctx.env.get('HTTP_ACCESS_CONTROL_REQUEST_HEADERS'))
header('Access-Control-Allow-Methods', '*')
header('Access-Control-Allow-Credentials', 'true')
header('Content-Type', 'application/octet-stream')
header('Cache-Control', 'no-cache, no-store, max-age=0, must-revalidate')
header('Cache-Control', 'post-check=0, pre-check=0', False)
header('Pragma', 'no-cache')
query_string = ctx.env.get('QUERY_STRING')
ip = ctx.env.get('HTTP_X_FORWARDED_FOR')
if ip is None:
ip = ctx.ip
try:
result = get_token_oidc(query_string, ip)
except AccessDenied:
raise generate_http_error(401, 'CannotAuthorize', 'Cannot authorize token request.')
except RucioException as error:
raise generate_http_error(500, error.__class__.__name__, error.args[0])
except Exception as error:
print(format_exc())
raise InternalError(error)
if not result:
raise generate_http_error(401, 'CannotAuthorize', 'Cannot authorize token request.')
if 'token' in result and 'webhome' not in result:
header('X-Rucio-Auth-Token', result['token'].token) # pylint: disable=no-member
header('X-Rucio-Auth-Token-Expires', date_to_str(result['token'].expired_at)) # pylint: disable=no-member
return str()
elif 'webhome' in result:
webhome = result['webhome']
if webhome is None:
header('Content-Type', 'text/html')
render = template.render(join(dirname(__file__), '../auth_templates/'))
return render.auth_crash('unknown_identity')
# domain setting is necessary so that the token gets distributed also to the webui server
domain = '.'.join(urlparse.urlparse(webhome).netloc.split('.')[1:])
setcookie('x-rucio-auth-token', value=result['token'].token, domain=domain, path='/')
setcookie('rucio-auth-token-created-at', value=int(time.time()), domain=domain, path='/')
return seeother(webhome)
else:
raise BadRequest()
def get(self):
"""
.. :quickref: OIDC;
:status 200: OK
:status 401: Unauthorized
"""
headers = self.get_headers()
headers.set('Content-Type', 'text/html')
headers.set('Cache-Control',
'no-cache, no-store, max-age=0, must-revalidate')
headers.add('Cache-Control', 'post-check=0, pre-check=0')
headers.set('Pragma', 'no-cache')
query_string = request.query_string.decode(encoding='utf-8')
ip = request.headers.get('X-Forwarded-For',
default=request.remote_addr)
try:
result = get_token_oidc(query_string, ip)
except AccessDenied:
headers.extend(
error_headers(
CannotAuthenticate.__name__,
'Cannot authorize your access, please check your access credentials'
))
return render_template('auth_crash.html',
crashtype='contact'), 401, headers
except Exception as error:
logging.exception("Internal Error")
headers.extend(
error_headers(error.__class__.__name__, str(error.args[0])))
return render_template('auth_crash.html',
crashtype='internal_error'), 500, headers
if not result:
headers.extend(
error_headers(
CannotAuthenticate.__name__,
'Cannot finalize your token request, no authorization content returned from the auth server'
))
return render_template('auth_crash.html',
crashtype='no_result'), 401, headers
if 'fetchcode' in result:
return render_template('auth_granted.html',
authcode=result['fetchcode']), 200, headers
elif 'polling' in result and result['polling'] is True:
return render_template('auth_granted.html',
authcode='allok'), 200, headers
else:
headers.extend(
error_headers('InvalidRequest',
'Cannot recognize and process your request'))
return render_template('auth_crash.html',
crashtype='bad_request'), 400, headers
def get(self):
"""
.. :quickref: OIDC;
:status 200: OK
:status 401: Unauthorized
:resheader X-Rucio-Auth-Token: The authentication token
:resheader X-Rucio-Auth-Token-Expires: The time when the token expires
"""
headers = Headers()
headers.set('Access-Control-Allow-Origin', request.environ.get('HTTP_ORIGIN'))
headers.set('Access-Control-Allow-Headers', request.environ.get('HTTP_ACCESS_CONTROL_REQUEST_HEADERS'))
headers.set('Access-Control-Allow-Methods', '*')
headers.set('Access-Control-Allow-Credentials', 'true')
headers.set('Content-Type', 'application/octet-stream')
headers.set('Cache-Control', 'no-cache, no-store, max-age=0, must-revalidate')
headers.add('Cache-Control', 'post-check=0, pre-check=0')
headers.set('Pragma', 'no-cache')
query_string = request.query_string.decode(encoding='utf-8')
ip = request.headers.get('X-Forwarded-For', default=request.remote_addr)
try:
result = get_token_oidc(query_string, ip)
except AccessDenied:
return generate_http_error_flask(401, 'CannotAuthorize', 'Cannot authorize token request.', headers=headers)
except RucioException as error:
return generate_http_error_flask(500, error.__class__.__name__, error.args[0], headers=headers)
except Exception as error:
logging.exception("Internal Error")
return str(error), 500, headers
if not result:
return generate_http_error_flask(401, 'CannotAuthorize', 'Cannot authorize token request.', headers=headers)
if 'token' in result and 'webhome' not in result:
headers.set('X-Rucio-Auth-Token', result['token'].token)
headers.set('X-Rucio-Auth-Token-Expires', date_to_str(result['token'].expired_at))
return '', 200, headers
elif 'webhome' in result:
webhome = result['webhome']
if webhome is None:
headers.extend(error_headers('CannotAuthenticate', 'Cannot find your OIDC identity linked to any Rucio account'))
headers.set('Content-Type', 'text/html')
return render_template('auth_crash.html', crashtype='unknown_identity'), 401, headers
# domain setting is necessary so that the token gets distributed also to the webui server
domain = '.'.join(urlparse.urlparse(webhome).netloc.split('.')[1:])
response = redirect(webhome, code=303)
response.headers.extend(headers)
response.set_cookie('x-rucio-auth-token', value=result['token'].token, domain=domain, path='/')
response.set_cookie('rucio-auth-token-created-at', value=str(time.time()), domain=domain, path='/')
return response
else:
return '', 400, headers
def get(self):
"""
.. :quickref: OIDC;
:status 200: OK
:status 401: Unauthorized
:resheader X-Rucio-Auth-Token: The authentication token
:resheader X-Rucio-Auth-Token-Expires: The time when the token expires
"""
headers = self.get_headers()
headers.set('Content-Type', 'application/octet-stream')
headers.set('Cache-Control',
'no-cache, no-store, max-age=0, must-revalidate')
headers.add('Cache-Control', 'post-check=0, pre-check=0')
headers.set('Pragma', 'no-cache')
query_string = request.query_string.decode(encoding='utf-8')
ip = request.headers.get('X-Forwarded-For',
default=request.remote_addr)
try:
result = get_token_oidc(query_string, ip)
except AccessDenied:
return generate_http_error_flask(401,
CannotAuthorize.__name__,
'Cannot authorize token request.',
headers=headers)
if not result:
return generate_http_error_flask(401,
CannotAuthorize.__name__,
'Cannot authorize token request.',
headers=headers)
if 'token' in result and 'webhome' not in result:
headers.set('X-Rucio-Auth-Token', result['token']['token'])
headers.set('X-Rucio-Auth-Token-Expires',
date_to_str(result['token']['expires_at']))
return '', 200, headers
elif 'webhome' in result:
webhome = result['webhome']
if webhome is None:
headers.extend(
error_headers(
CannotAuthenticate.__name__,
'Cannot find your OIDC identity linked to any Rucio account'
))
headers.set('Content-Type', 'text/html')
return render_template(
'auth_crash.html',
crashtype='unknown_identity'), 401, headers
# domain setting is necessary so that the token gets distributed also to the webui server
domain = '.'.join(urlparse(webhome).netloc.split('.')[1:])
response = redirect(webhome, code=303)
response.headers.extend(headers)
response.set_cookie('x-rucio-auth-token',
value=result['token']['token'],
domain=domain,
path='/')
response.set_cookie('rucio-auth-token-created-at',
value=str(time.time()),
domain=domain,
path='/')
return response
else:
return '', 400, headers
