def create_shared_endpoint(globus_dict, host_endpoint, host_path, display_name='Globus endpoint', description='description'): globus_transfer_token = globus_dict['transfer_token'] scopes = "urn:globus:auth:scopes:transfer.api.globus.org:all" authorizer = globus_sdk.AccessTokenAuthorizer(globus_transfer_token) tc = TransferClient(authorizer=authorizer) # high level interface; provides iterators for list responses shared_ep_data = { "DATA_TYPE": "shared_endpoint", "host_endpoint": host_endpoint, "host_path": host_path, "display_name": display_name, # optionally specify additional endpoint fields "description": description } #r = tc.operation_mkdir(host_id, path=share_path) #TODO create the directory directly from here instead of at local level? tc.endpoint_autoactivate(host_endpoint, if_expires_in=3600) #necessary for real use? create_result = tc.create_shared_endpoint( shared_ep_data) #not the app's end point, so should fail endpoint_id = create_result['id'] globus_dict['endpoint_id'] = endpoint_id globus_dict['transfer_client'] = tc return globus_dict
def identities(): # Call get_login_status() to fill out the login status variables (for login/logout display) loginstatus = get_login_status() # If not logged in, welcome and invite to login if not session.get('is_authenticated'): return render_template(app.config['APP_LOGIN_TEMPLATE'], pagetitle=app.config['APP_DISPLAY_NAME'], loginurl=url_for('login'), loginstat=loginstatus) # get the stored access token for the Auth API and use it to access the Auth API # on the user's behalf auth_token = str(session.get('auth_token')) ac = globus_sdk.AuthClient( authorizer=globus_sdk.AccessTokenAuthorizer(auth_token)) try: # use Auth API to get more info about the authenticated user myids = ac.get_identities(ids=str(session.get('userid')), include="identity_provider").data except GlobusAPIError: # if any of the above have issues, trash the session and start over session.clear() return redirect(url_for('index')) # display all this information on the web page return render_template('identities.html', pagetitle=app.config['APP_DISPLAY_NAME'], explanationurl=url_for('change_effective_id'), globusmyids=json.dumps(myids, indent=3), loginstat=loginstatus)
def __init__(self): """ Initializes the HuBMAP downloader with client ID and hubmap endpoint. Here the user is asked to authenticate himself. """ self.CLIENT_ID = '40628e5b-29ae-43c7-adc5-38c75ff907b9' self.hubmap_endpoint_id = "af603d86-eab9-4eec-bb1d-9d26556741bb" client = globus_sdk.NativeAppAuthClient(self.CLIENT_ID) client.oauth2_start_flow() authorize_url = client.oauth2_get_authorize_url() print('Please go to this URL and login: {0}'.format(authorize_url)) # this is to work on Python2 and Python3 -- you can just use raw_input() or # input() for your specific version get_input = getattr(__builtins__, 'raw_input', input) auth_code = get_input( 'Please enter the code you get after login here: ').strip() token_response = client.oauth2_exchange_code_for_tokens(auth_code) globus_auth_data = token_response.by_resource_server['auth.globus.org'] globus_transfer_data = token_response.by_resource_server[ 'transfer.api.globus.org'] # most specifically, you want these tokens as strings self.AUTH_TOKEN = globus_auth_data['access_token'] self.TRANSFER_TOKEN = globus_transfer_data['access_token'] self.authorizer = globus_sdk.AccessTokenAuthorizer(self.TRANSFER_TOKEN) self.tc = globus_sdk.TransferClient(authorizer=self.authorizer) self.transfers = []
def test_oauth2_client_credentials_tokens(self): """ Get client credentials tokens, validate results Confirm tokens allow use of userinfo for the client Returns access_token for testing """ with mock.patch.object(self.cac, 'oauth2_token', side_effect=self.cac.oauth2_token) as m: token_res = self.cac.oauth2_client_credentials_tokens( requested_scopes="openid profile") m.assert_called_once_with( {"grant_type": "client_credentials", "scope": "openid profile"}) # validate results self.assertIn("access_token", token_res) self.assertIn("expires_in", token_res) self.assertIn("scope", token_res) self.assertEqual(token_res["resource_server"], "auth.globus.org") self.assertEqual(token_res["token_type"], "Bearer") # confirm usage of userinfo for client access_token = token_res["access_token"] ac = globus_sdk.AuthClient( authorizer=globus_sdk.AccessTokenAuthorizer(access_token)) userinfo_res = ac.oauth2_userinfo() self.assertEqual( userinfo_res["sub"], get_client_data()["confidential_app_client1"]["id"])
def get_confidential_app_authorizer(client_id, client_secret): tokens = do_client_credentials_app_authentication( client_id=client_id, client_secret=client_secret) transfer_tokens = tokens['transfer.api.globus.org'] transfer_access_token = transfer_tokens['access_token'] return globus_sdk.AccessTokenAuthorizer(transfer_access_token)
def userinfo(): # Call get_login_status() to fill out the login status variables (for login/logout display) loginstatus = get_login_status() # If not logged in, welcome and invite to login if not session.get('is_authenticated'): loginstatus["loginlink"] = url_for('login', state='goto-userinfo') return render_template(app.config['APP_LOGIN_TEMPLATE'], pagetitle=app.config['APP_DISPLAY_NAME'], loginstat=loginstatus) # get the stored access token for the Auth API and use it # to authorize stuff AS THE AUTHENTICATED USER auth_token = str(session.get('auth_token')) ac = globus_sdk.AuthClient( authorizer=globus_sdk.AccessTokenAuthorizer(auth_token)) try: # use Auth API to get the standard OIDC userinfo fields (like any OIDC client) oidcinfo = ac.oauth2_userinfo() except GlobusAPIError: # if any of the above have issues, trash the session and start over session.clear() return redirect(url_for('index')) # display all this information on the web page return render_template('userinfo.html', pagetitle=app.config['APP_DISPLAY_NAME'], explanationurl=url_for('change_linked_ids'), oidcinfo=json.dumps(oidcinfo.data, indent=3), loginstat=loginstatus)
def get_transfer_client(ctoken_obj): """ Get a transfer client from a ConciergeToken (request.auth obj) """ transfer_token = ctoken_obj.get_token(settings.TRANSFER_SCOPE) transfer_authorizer = globus_sdk.AccessTokenAuthorizer(transfer_token) return globus_sdk.TransferClient(authorizer=transfer_authorizer)
def get_globus_data(auth_token, transfer_token, gconfig): admin_endpoint_map = {} endpoint_map_list_of_tasks = {} # GlobusAuthorizer authorizer = globus_sdk.AccessTokenAuthorizer(transfer_token) tc = globus_sdk.TransferClient(authorizer=authorizer) # High level interface; provides iterators for list responses. # Get endpoints administered by user with given tokens for ep in tc.endpoint_search(filter_scope="administered-by-me"): print("[{}] {}".format(ep["id"], ep["display_name"])) admin_endpoint_map[ep["id"]] = ep["display_name"] if ep["display_name"] is None: if ep["canonical_name"] is not None: admin_endpoint_map[ep["id"]] = ep["canonical_name"] else: admin_endpoint_map[ep["id"]] = str(ep["id"]) # Filter DTNs that are not in the list of interested DTNs if ep["id"] not in gconfig["interested_dtn_id_list"]: continue task_list = [] iter_paginated_res = (tc.endpoint_manager_task_list( num_results=None, filter_endpoint=ep["id"])) for p in iter_paginated_res: task_list.append(p.data) endpoint_map_list_of_tasks[ep["id"]] = task_list # Print total number of tasks per endpoint print "Number of tasks", len(task_list) return admin_endpoint_map, endpoint_map_list_of_tasks
def authenticate_credentials(self, key): auth_client = globus_sdk.AuthClient( authorizer=globus_sdk.AccessTokenAuthorizer(key)) try: info = auth_client.oauth2_userinfo() email = info.get('email') if not email: log.error('Unable to get email for user, was "email" ' 'included in scopes?') raise AuthenticationFailed('Unable to verify user email') user_info = auth_client.get_identities(usernames=[email]) try: user_uuid = user_info.data['identities'][0]['id'] except KeyError: raise AuthenticationFailed( 'Failed to verify email "{}"'.format(email)) user = GlobusUser.objects.filter(uuid=user_uuid).first() if not user: user_info = auth_client.get_identities(usernames=[email]) log.debug('ID Info: {}'.format(user_info)) user = GlobusUser(email=email, uuid=user_uuid) user.save() log.debug('Concierge service authenticated user: {}'.format(email)) return user, key except globus_sdk.exc.AuthAPIError: raise AuthenticationFailed( detail={ 'detail': 'Expired or invalid Globus Auth', 'code': 'InvalidOrExpired' })
def move_to_protected_location(url, action_id, dcc_id): """Move user submitted datasets to a read-only location, where only the Action Provider has write access""" transfer_token = get_app_token(CONFIG["DEPENDENT_SCOPES"]["transfer"]) auth = globus_sdk.AccessTokenAuthorizer(transfer_token) tc = globus_sdk.TransferClient(authorizer=auth) purl = urllib.parse.urlparse(url) # DCCs *should* always be of the pattern "cfde_registry_dcc:kidsfirst" _, dcc_name = dcc_id.rsplit(":", 1) # New dataset name should look like: # /CFDE/public/kidsfirst/1612387394-05167ed4-6666-11eb-9dcc-784f43874631.tgz dcc_dir = os.path.join(CONFIG["LONG_TERM_STORAGE"], dcc_name) _, old_ext = os.path.splitext(purl.path) new_filename = f"{datetime.datetime.now().isoformat()}-{action_id}{old_ext}" new_dataset_path = os.path.join(dcc_dir, new_filename) logger.debug(f'Renaming dataset "{purl.path}" to "{new_dataset_path}"') try: tc.operation_rename(CONFIG["GCS_ENDPOINT"], purl.path, new_dataset_path) except globus_sdk.exc.TransferAPIError as tapie: if tapie.code == "EndpointError": raise error.DeveloperError(f"Failed to rename '{purl.path}' to '{new_dataset_path}', " f"Check {dcc_dir} exists!") from tapie raise url = urllib.parse.urlunparse((purl.scheme, purl.netloc, new_dataset_path, "", "", "")) logger.debug(f"Successfully updated dataset URL to {url}") return url
def __init__(self, token_response): ''' Assume the user has logged in to globus and the jhuidies#dmztest collection, initialized their client, visited the authentication url, copied the authentication code, and converted it to tokens, as set up in the accompanying notebook. e.g.: CLIENT_ID = 'XXXXX' client = globus_sdk.NativeAppAuthClient(CLIENT_ID) client.oauth2_start_flow() authorize_url = client.oauth2_get_authorize_url() auth_code = 'XXXXX' token_response = client.oauth2_exchange_code_for_tokens(auth_code) Here, set up the transfer client and jhu endpoint. ''' globus_auth_data = token_response.by_resource_server['auth.globus.org'] globus_transfer_data = token_response.by_resource_server[ 'transfer.api.globus.org'] AUTH_TOKEN = globus_auth_data['access_token'] TRANSFER_TOKEN = globus_transfer_data['access_token'] authorizer = globus_sdk.AccessTokenAuthorizer(TRANSFER_TOKEN) self.tc = globus_sdk.TransferClient(authorizer=authorizer) self.jhu_endpoint = 'jhuidies#dmztest' self.jhu_tc = self.tc.get_endpoint(self.jhu_endpoint)
def getGlobusObj(): if not session.get('is_authenticated'): return redirect(url_for('globus_login')) authorizer = globus_sdk.AccessTokenAuthorizer( session['tokens']['transfer.api.globus.org']['access_token']) transfer_client = globus_sdk.TransferClient(authorizer=authorizer) return transfer_client
def globusDo(func, tc: globus_sdk.TransferClient, **kwargs): if tc is None: tc = getGlobusObj() try: sess: synapse_session.obj = get_session() if (sess.globus_id == '') or (len(sess.globus_id) < 5): auth2 = globus_sdk.AccessTokenAuthorizer( session['tokens']['auth.globus.org']['access_token']) client = globus_sdk.AuthClient(authorizer=auth2) info = client.oauth2_userinfo() session['globus_id'] = info['sub'] sess.set_globus_id(info['sub']) sess.settings.globus_usr = info['preferred_username'] sess.save_settings() # session[usr.settings.GLOBUS_ID] = info['sub'] # session[usr.settings.GLOBUS_USER] = info['preferred_username'] print(info.data) return func(tc, kwargs) # globus.available_endpoints(transfer_client) except (globus_sdk.exc.TransferAPIError, KeyError) as e: if 'Token is not active' in str(e): return redirect(url_for('globus_login')) return "There was an error getting available Globus end points: " + str( e) except globus_sdk.exc.AuthAPIError as authapie: if 'FORBIDDEN' in str(authapie): return redirect(url_for('logout'))
def transfer_catalog(transfer_manifest, dest_endpoint, dest_prefix, transfer_token, sync_level=settings.GLOBUS_DEFAULT_SYNC_LEVEL): task_ids = [] transfer_authorizer = globus_sdk.AccessTokenAuthorizer(transfer_token) tc = globus_sdk.TransferClient(authorizer=transfer_authorizer) tc.endpoint_autoactivate(dest_endpoint) if not transfer_manifest: raise ValidationError('No valid data to transfer', code='no_data') for globus_source_endpoint, data_list in transfer_manifest.items(): log.debug( 'Starting transfer from {} to {}:{} containing {} files'.format( globus_source_endpoint, dest_endpoint, dest_prefix, len(data_list))) tc.endpoint_autoactivate(globus_source_endpoint) tdata = globus_sdk.TransferData(tc, globus_source_endpoint, dest_endpoint, label=settings.SERVICE_NAME, sync_level=sync_level) for item in data_list: tdata.add_item(item, '/'.join((dest_prefix, item))) task = tc.submit_transfer(tdata) task_ids.append(task['task_id']) return task_ids
def connect(self): lg = self.config['login'] self.refresh_token_file = refresh_token_file = lg['refresh token file'] have_refresh = os.path.exists(refresh_token_file) if have_refresh: with open(refresh_token_file) as f: token = f.readline().strip() self.authorizer = globus_sdk.RefreshTokenAuthorizer( refresh_token=token, auth_client=self.client) return #have a refresh token, all we need else: aurl = self.client.oauth2_get_authorize_url() browser = lg.getboolean('browser') if browser: webbrowser.open(aurl) time.sleep(0.5) else: print("open url {}".format(aurl)) print("login and paste result") auth_code = input("Paste globus response: ") tokens = self.client.oauth2_exchange_code_for_tokens(auth_code) transfer_data = tokens.by_resource_server['transfer.api.globus.org'] TRANSFER_TOKEN = transfer_data['access_token'] if not have_refresh: refresh = transfer_data['refresh_token'] with open(refresh_token_file, 'w') as f: print("{}".format(refresh), file=f) self.authorizer = globus_sdk.AccessTokenAuthorizer(TRANSFER_TOKEN)
def test_init(self): """ Confirms value error when trying to init with an authorizer """ with self.assertRaises(ValueError): globus_sdk.NativeAppAuthClient( client_id=get_client_data()["native_app_client1"]["id"], authorizer=globus_sdk.AccessTokenAuthorizer(""))
def get_transfer_client(user): '''return a transfer client for the user''' client = user.get_credentials('globus') if client is not None: access_token = client.extra_data['transfer.api.globus.org']['access_token'] authorizer = globus_sdk.AccessTokenAuthorizer(access_token) client = globus_sdk.TransferClient(authorizer=authorizer) return client
def mkdirRemote(endpoint, path): try: authorizer = globus_sdk.AccessTokenAuthorizer( GlobusManager.TRANSFER_TOKEN) tc = globus_sdk.TransferClient(authorizer=authorizer) tc.operation_mkdir(endpoint, path=path) except Exception, e: print e
def transfer_client(self): if self.__transfer_client: return self.__transfer_client transfer_token = self.tokens[self.transfer_scope]['access_token'] self.__transfer_client = globus_sdk.TransferClient( authorizer=globus_sdk.AccessTokenAuthorizer(transfer_token)) return self.__transfer_client
def mint_new_transfer_client(self, response=None): response = response or self.token_response access_token = response.by_resource_server['transfer.api.globus.org'][ 'access_token'] authorizer = globus_sdk.AccessTokenAuthorizer(access_token) return globus_sdk.TransferClient(authorizer=authorizer)
def https_authorizer(self): """Get the https authorizer for downloading/uploading data from the GCS instance. This can differ between the dev/staging/prod machines""" try: return self.__native_client.get_authorizers_by_scope()[self.gcs_https_scope] except (fair_research_login.LoadError, KeyError): at = self.tokens[self.gcs_https_scope]["access_token"] return globus_sdk.AccessTokenAuthorizer(at)
def get_transfer_client(user): """return a transfer client for the user""" client = user.get_credentials("globus") if client is not None: access_token = client.extra_data["transfer.api.globus.org"]["access_token"] authorizer = globus_sdk.AccessTokenAuthorizer(access_token) client = globus_sdk.TransferClient(authorizer=authorizer) return client
def get_file(url, output_path, auth_config, token=None, dest_endpoint=None): try: src_endpoint = urlsplit(url).hostname src_path = urlsplit(url).path if platform.system() == "Windows": dest_path = ''.join(('/', output_path.replace('\\', '/').replace(':', ''))) else: dest_path = os.path.abspath(output_path) if not token: token, dest_endpoint = authenticate(url, auth_config) if token is None: logger.warn("A valid Globus access token is required to create transfers. " "Check keychain.json for valid parameters.") return False if dest_endpoint is None: logger.warn("A valid Globus destination endpoint must be specified. " "Check keychain.json for valid parameters.") return False # initialize transfer client authorizer = globus_sdk.AccessTokenAuthorizer(token) client = globus_sdk.TransferClient(authorizer=authorizer) # Activate source endpoint logger.debug("Activating source endpoint: %s" % src_endpoint) data = client.endpoint_autoactivate(src_endpoint, if_expires_in=600) # Activate destination endpoint logger.debug("Activating destination endpoint: %s" % dest_endpoint) data = client.endpoint_autoactivate(dest_endpoint, if_expires_in=600) filename = src_path.rsplit('/', 1)[-1] label = "".join(("BDBag Fetch -- ", filename.replace('.', '_'))) # get a unique ID for this transfer tdata = globus_sdk.TransferData(client, src_endpoint, dest_endpoint, label=label) tdata.add_item(src_path, dest_path, recursive=False) # start the transfer data = client.submit_transfer(tdata) task_id = data["task_id"] logger.info("Globus transfer started with ID %s" % task_id) logger.debug("Transferring file %s to %s" % (url, output_path)) return True except Exception as e: logger.error('Globus transfer request exception: %s' % get_typed_exception(e)) return False
def tasks(): client = NativeClient(client_id=CLIENT_ID, app_name=APP_NAME) client.login(requested_scopes=SCOPES) tokens = client.load_tokens(requested_scopes=SCOPES) auther = globus_sdk.AccessTokenAuthorizer( tokens['search.api.globus.org']['access_token']) sc = globus_sdk.SearchClient(authorizer=auther) print(sc.get_task_list(INDEX)) print('Finished')
def _get_transfer_client(self) -> None: """Sets self.tc to Globus transfer client using self.transfer_token as authorization. Returns ------- None """ authorizer = globus_sdk.AccessTokenAuthorizer(self.transfer_token) self.tc = globus_sdk.TransferClient(authorizer=authorizer)
def gen_groups_client(client_id, client_secret): auth_client = globus_sdk.ConfidentialAppAuthClient(client_id, client_secret) token_response = auth_client.oauth2_client_credentials_tokens( requested_scopes=GROUPS_SCOPE).by_resource_server['nexus.api.globus.org'] authorizer = globus_sdk.AccessTokenAuthorizer(token_response['access_token']) groups_client = globus_sdk.base.BaseClient( 'groups', base_url=GROUPS_API_URL, authorizer=authorizer) return groups_client
def copyData(self, ori, dest): #print "xxx", ori, dest authorizer = globus_sdk.AccessTokenAuthorizer( GlobusManager.TRANSFER_TOKEN) tc = globus_sdk.TransferClient(authorizer=authorizer) res = self.copyDirectory(ori, dest, tc) if res == "NOT_A_DIRECTORY": res = self.copyFile(ori, dest, tc) if res is not "OK": raise Exception(res)
def get_globus_client(): # authorizer = globus_sdk.RefreshTokenAuthorizer( # os.environ["REFRESH_TOKEN"], # client) authorizer = globus_sdk.AccessTokenAuthorizer(TRANSFER_TOKEN) # and try using `tc` to make TransferClient calls. Everything should just # work -- for days and days, months and months, even years tc = globus_sdk.TransferClient(authorizer=authorizer) return tc
def index(): """ This could be any page you like, rendered by Flask. For this simple example, it will either redirect you to login, or print a simple message. """ if not session.get('is_authenticated'): return redirect(url_for('login')) logout_uri = url_for('logout', _external=True) # get the stored access token for the Auth API and use it # to authorize stuff AS THE AUTHENTICATED USER auth_token = str(session.get('tokens')['auth.globus.org']['access_token']) ac = globus_sdk.AuthClient( authorizer=globus_sdk.AccessTokenAuthorizer(auth_token)) # use Auth API to get more info about the authenticated user myids = ac.get_identities(ids=str(session.get('username')), include="identity_provider").data # use Auth API to get the standard OIDC userinfo fields (like any OIDC client) oidcinfo = ac.oauth2_userinfo() # get the stored OIDC id_token myoidc = session.get('id_token') # authenticate to Auth API AS AN APPLICATION and find out still more information cc = load_app_client() ir = cc.oauth2_token_introspect(auth_token, include='identities_set').data # display all this information on the web page page = '<html>\n<head><title>Display Your Auth Data</title></head>\n\n' page = page + '<body>\n<p>' + str( session.get('realname')) + ', you are logged in.</p>\n\n' page = page + '<p>Your local username is: ' + str( session.get('username')) + '</p>\n\n' page = page + '<p><a href="' + logout_uri + '">Logout now.</a></p>\n\n' page = page + '<p>OIDC UserInfo says your effective ID is ' + oidcinfo[ "sub"] page = page + ', your name is ' + oidcinfo["name"] page = page + ', and your email is ' + oidcinfo["email"] + '.</p>\n\n' page = page + '<pre>' + json.dumps(oidcinfo.data, indent=3) + '</pre>\n\n' page = page + '<p>Your OIDC identity is:</p>\n<pre>' + json.dumps( myoidc, indent=3) + '</pre>\n\n' page = page + '<p>Your Globus Auth identity is:</p>\n<pre>' + json.dumps( myids, indent=3) + '</pre>\n\n' page = page + '<p>Introspecting your Auth API access token tells me:</p>\n<pre>' + json.dumps( ir, indent=3) + '</pre>\n\n' # We probably shouldn't display the token, but for debugging purposes, here's how you'd do it... # page = page + '<p>The tokens I received are:</p>\n<pre>' + json.dumps(session.get('tokens'),indent=3) + '</pre>\n\n' page = page + '</body></html>' return (page)
def change_linked_ids(): # Call get_login_status() to fill out the login status variables (for login/logout display) loginstatus = get_login_status() # If not logged in, welcome and invite to login if not session.get('is_authenticated'): loginstatus["loginlink"] = url_for('login', state='goto-change_linked_ids') return render_template(app.config['APP_LOGIN_TEMPLATE'], pagetitle=app.config['APP_DISPLAY_NAME'], loginstat=loginstatus) # get the id_token from session context myoidc = session.get('id_token') primaryidp = myoidc['identity_provider_display_name'] # get the stored access token for the Auth API and use it # to authorize stuff AS THE AUTHENTICATED USER auth_token = str(session.get('auth_token')) ac = globus_sdk.AuthClient( authorizer=globus_sdk.AccessTokenAuthorizer(auth_token)) # get the identity_set from oauth2_userinfo() try: # use Auth API to get more info about the authenticated user myids = ac.get_identities(ids=str(session.get('userid')), include="identity_provider").data # use Auth API to get the standard OIDC userinfo fields (like any OIDC client) oidcinfo = ac.oauth2_userinfo() except GlobusAPIError: # if any of the above have issues, trash the session and start over session.clear() return redirect(url_for('index')) # there will always be at least one entry in the identity_set idsetproviders = '' first = True for id in oidcinfo.data['identity_set']: if first: first = False else: idsetproviders += ', ' idsetproviders += id['identity_provider_display_name'] return render_template('change-linked-ids.html', pagetitle=app.config['APP_DISPLAY_NAME'], returnurl=url_for('index'), primaryidp=primaryidp, idsetproviders=idsetproviders, loginstat=loginstatus)