Beispiel #1
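    def post(self):
        """
        Consume the SAML response that the identity provider POSTs back.

        On a successfully validated and authenticated response, the SAML
        NameID is handed to the client in the ``saml-nameid`` cookie. Every
        path returns HTTP 200; a failed or unauthenticated response produces
        an empty body and no cookie.

        .. :quickref: SAML;

        :status 200: OK
        """
        if not EXTRA_MODULES['onelogin']:
            return "SAML not configured on the server side.", 200, [
                ('X-Rucio-Auth-Token', '')
            ]

        SAML_PATH = config_get('saml', 'config_path')
        req = prepare_saml_request(request.environ,
                                   dict(request.args.items(multi=False)))
        auth = OneLogin_Saml2_Auth(req, custom_base_path=SAML_PATH)

        # Parse and validate the posted SAML response; validation failures are
        # collected by the toolkit and surfaced through get_errors().
        auth.process_response()
        errors = auth.get_errors()

        # NOTE(review): validation errors are discarded here, so a rejected
        # assertion leaves no trace for operators. Consider logging `errors`
        # (and auth.get_last_error_reason()) once a logger is available.
        if not errors and auth.is_authenticated():
            response = Response()
            # NOTE(review): the cookie carries the bare NameID with no
            # signature or server-side session behind it, and the GET handler
            # reads it back as the identity to issue a token for. Nothing
            # visible here stops a client from presenting a NameID it was
            # never issued; binding the value to a signed or server-stored
            # session would close that gap.
            #
            # Secure keeps the identifier off plaintext connections; HttpOnly
            # keeps it away from page scripts. Neither flag affects
            # non-browser HTTP clients talking over TLS.
            response.set_cookie('saml-nameid',
                                value=auth.get_nameid(),
                                path='/',
                                secure=True,
                                httponly=True)
            return response
        return '', 200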
Beispiel #2
    def get(self):
        """
        Start a SAML login, or exchange an existing SAML NameID for a token.

        Without a ``saml-nameid`` cookie the response carries the IdP login
        URL in ``X-Rucio-SAML-Auth-URL``. With the cookie, the NameID is used
        to request a Rucio auth token for the given account.

        .. :quickref: SAML;

        :status 200: OK
        :status 400: SAML not configured on the server side.
        :status 401: Unauthorized
        :reqheader X-Rucio-VO: VO name as a string (Multi-VO only)
        :reqheader X-Rucio-Account: Account identifier as a string.
        :reqheader X-Rucio-AppID: Application identifier as a string.
        :resheader X-Rucio-SAML-Auth-URL: as a variable-length string header.
        :resheader X-Rucio-Auth-Token: the issued token (cookie path only).
        :resheader X-Rucio-Auth-Token-Expires: expiry of the issued token.
        """
        headers = self.get_headers()

        # Responses may carry a token, so forbid caching at every layer.
        headers.set('Content-Type', 'application/octet-stream')
        headers.set('Cache-Control', 'no-cache, no-store, max-age=0, must-revalidate')
        headers.add('Cache-Control', 'post-check=0, pre-check=0')
        headers.set('Pragma', 'no-cache')

        if not EXTRA_MODULES['onelogin']:
            return "SAML not configured on the server side.", 400, headers

        saml_nameid = request.cookies.get('saml-nameid', default=None)

        if not saml_nameid:
            # No NameID yet: hand the client the IdP login URL.
            saml_config_dir = config_get('saml', 'config_path')
            saml_req = prepare_saml_request(
                request.environ,
                dict(request.args.items(multi=False)),
            )
            saml_auth = OneLogin_Saml2_Auth(saml_req, custom_base_path=saml_config_dir)
            headers.set('X-Rucio-SAML-Auth-URL', saml_auth.login())
            return '', 200, headers

        vo = request.headers.get('X-Rucio-VO', default='def')
        account = request.headers.get('X-Rucio-Account', default=None)
        appid = request.headers.get('X-Rucio-AppID', default='unknown')
        # NOTE(review): X-Forwarded-For is client-supplied unless a trusted
        # proxy overwrites it, so the recorded IP is only as reliable as the
        # front-end configuration. Confirm the proxy strips inbound values.
        ip = request.headers.get('X-Forwarded-For', default=request.remote_addr)

        # NOTE(review): the NameID is taken from the cookie as sent by the
        # client; no integrity check on it is visible in this handler.
        # Whether get_auth_token_saml verifies anything beyond the
        # account/NameID mapping is not shown here. Verify before relying on
        # this cookie as proof of a completed SAML login.
        try:
            token_info = get_auth_token_saml(account, saml_nameid, appid, ip, vo=vo)
        except AccessDenied:
            token_info = None

        # An explicit denial and an empty result are reported identically.
        if not token_info:
            return generate_http_error_flask(
                status_code=401,
                exc=CannotAuthenticate.__name__,
                exc_msg=f'Cannot authenticate to account {account} with given credentials',
                headers=headers
            )

        headers.set('X-Rucio-Auth-Token', token_info.token)
        headers.set('X-Rucio-Auth-Token-Expires', date_to_str(token_info.expired_at))
        return '', 200, headers