def get(self):
"""
Authenticate a Rucio account temporarily via username and password.
.. :quickref: UserPass; Authenticate with username/password
:reqheader X-Rucio-VO: VO name as a string (Multi-VO Only)
:reqheader X-Rucio-Account: Account identifier as a string.
:reqheader X-Rucio-Username: Username as a string.
:reqheader X-Rucio-Password: password as a text-plain string.
:reqheader X-Rucio-AppID: Application identifier as a string.
:resheader Access-Control-Allow-Origin:
:resheader Access-Control-Allow-Headers:
:resheader Access-Control-Allow-Methods:
:resheader Access-Control-Allow-Credentials:
:resheader Access-Control-Expose-Headers:
:resheader X-Rucio-Auth-Token: The authentication token
:status 200: Successfully authenticated
:status 404: Invalid credentials
"""
response = Response()
response.headers['Access-Control-Allow-Origin'] = request.environ.get('HTTP_ORIGIN')
response.headers['Access-Control-Allow-Headers'] = request.environ.get('HTTP_ACCESS_CONTROL_REQUEST_HEADERS')
response.headers['Access-Control-Allow-Methods'] = '*'
response.headers['Access-Control-Allow-Credentials'] = 'true'
response.headers['Access-Control-Expose-Headers'] = 'X-Rucio-Auth-Token'
response.headers['Content-Type'] = 'application/octet-stream'
response.headers['Cache-Control'] = 'no-cache, no-store, max-age=0, must-revalidate'
response.headers['Cache-Control'] = 'post-check=0, pre-check=0'
response.headers['Pragma'] = 'no-cache'
vo = request.environ.get('HTTP_X_RUCIO_VO', 'def')
account = request.environ.get('HTTP_X_RUCIO_ACCOUNT')
username = request.environ.get('HTTP_X_RUCIO_USERNAME')
password = request.environ.get('HTTP_X_RUCIO_PASSWORD')
appid = request.environ.get('HTTP_X_RUCIO_APPID')
if appid is None:
appid = 'unknown'
ip = request.environ.get('HTTP_X_FORWARDED_FOR')
if ip is None:
ip = request.remote_addr
print(account, username, password, appid)
try:
result = get_auth_token_user_pass(account, username, password, appid, ip, vo=vo)
except AccessDenied:
return generate_http_error_flask(401, 'CannotAuthenticate', 'Cannot authenticate to account %(account)s with given credentials' % locals())
except RucioException as error:
return generate_http_error_flask(500, error.__class__.__name__, error.args[0])
except Exception as error:
print(format_exc())
return error, 500
if not result:
return generate_http_error_flask(401, 'CannotAuthenticate', 'Cannot authenticate to account %(account)s with given credentials' % locals())
response.headers['X-Rucio-Auth-Token'] = result
return response
def get(self):
"""
Authenticate a Rucio account temporarily via username and password.
.. :quickref: UserPass; Authenticate with username/password
:reqheader X-Rucio-VO: VO name as a string (Multi-VO Only)
:reqheader X-Rucio-Account: Account identifier as a string.
:reqheader X-Rucio-Username: Username as a string.
:reqheader X-Rucio-Password: password as a text-plain string.
:reqheader X-Rucio-AppID: Application identifier as a string.
:resheader Access-Control-Allow-Origin:
:resheader Access-Control-Allow-Headers:
:resheader Access-Control-Allow-Methods:
:resheader Access-Control-Allow-Credentials:
:resheader Access-Control-Expose-Headers:
:resheader X-Rucio-Auth-Token: The authentication token
:status 200: Successfully authenticated
:status 404: Invalid credentials
"""
headers = Headers()
headers['Access-Control-Allow-Origin'] = request.environ.get('HTTP_ORIGIN')
headers['Access-Control-Allow-Headers'] = request.environ.get('HTTP_ACCESS_CONTROL_REQUEST_HEADERS')
headers['Access-Control-Allow-Methods'] = '*'
headers['Access-Control-Allow-Credentials'] = 'true'
headers['Access-Control-Expose-Headers'] = 'X-Rucio-Auth-Token'
headers['Content-Type'] = 'application/octet-stream'
headers['Cache-Control'] = 'no-cache, no-store, max-age=0, must-revalidate'
headers.add('Cache-Control', 'post-check=0, pre-check=0')
headers['Pragma'] = 'no-cache'
vo = request.headers.get('X-Rucio-VO', default='def')
account = request.headers.get('X-Rucio-Account', default=None)
username = request.headers.get('X-Rucio-Username', default=None)
password = request.headers.get('X-Rucio-Password', default=None)
appid = request.headers.get('X-Rucio-AppID', default='unknown')
ip = request.headers.get('X-Forwarded-For', default=request.remote_addr)
if not account or not username or not password:
return generate_http_error_flask(401, 'CannotAuthenticate', 'Cannot authenticate without passing all required arguments', headers=headers)
try:
result = get_auth_token_user_pass(account, username, password, appid, ip, vo=vo)
except AccessDenied:
return generate_http_error_flask(401, 'CannotAuthenticate', 'Cannot authenticate to account %(account)s with given credentials' % locals(), headers=headers)
except RucioException as error:
return generate_http_error_flask(500, error.__class__.__name__, error.args[0], headers=headers)
except Exception as error:
logging.exception("Internal Error")
return str(error), 500, headers
if not result:
return generate_http_error_flask(401, 'CannotAuthenticate', 'Cannot authenticate to account %(account)s with given credentials' % locals(), headers=headers)
headers['X-Rucio-Auth-Token'] = result.token
headers['X-Rucio-Auth-Token-Expires'] = date_to_str(result.expired_at)
return '', 200, headers
def test_get_auth_token_user_pass_fail(self):
"""AUTHENTICATION (CORE): Username and password (correct credentials)."""
result = get_auth_token_user_pass(account='root',
username='******',
password='******',
appid='test',
ip='127.0.0.1')
assert_is_none(result)
def test_get_auth_token_user_pass_success(self):
"""AUTHENTICATION (CORE): Username and password (correct credentials)."""
result = get_auth_token_user_pass(account='root',
username='******',
password='******',
appid='test',
ip='127.0.0.1',
**self.vo)
assert result is not None
def GET(self):
"""
HTTP Success:
200 OK
HTTP Error:
401 Unauthorized
:param Rucio-VO: VO name as a string (Multi-VO Only).
:param Rucio-Account: Account identifier as a string.
:param Rucio-Username: Username as a string.
:param Rucio-Password: SHA1 hash of the password as a string.
:param Rucio-AppID: Application identifier as a string.
:returns: "Rucio-Auth-Token" as a variable-length string header.
"""
header('Access-Control-Allow-Origin', ctx.env.get('HTTP_ORIGIN'))
header('Access-Control-Allow-Headers', ctx.env.get('HTTP_ACCESS_CONTROL_REQUEST_HEADERS'))
header('Access-Control-Allow-Methods', '*')
header('Access-Control-Allow-Credentials', 'true')
header('Access-Control-Expose-Headers', 'X-Rucio-Auth-Token')
header('Content-Type', 'application/octet-stream')
header('Cache-Control', 'no-cache, no-store, max-age=0, must-revalidate')
header('Cache-Control', 'post-check=0, pre-check=0', False)
header('Pragma', 'no-cache')
vo = ctx.env.get('HTTP_X_RUCIO_VO', 'def')
account = ctx.env.get('HTTP_X_RUCIO_ACCOUNT')
username = ctx.env.get('HTTP_X_RUCIO_USERNAME')
password = ctx.env.get('HTTP_X_RUCIO_PASSWORD')
appid = ctx.env.get('HTTP_X_RUCIO_APPID')
if appid is None:
appid = 'unknown'
ip = ctx.env.get('HTTP_X_FORWARDED_FOR')
if ip is None:
ip = ctx.ip
try:
result = get_auth_token_user_pass(account, username, password, appid, ip, vo=vo)
except AccessDenied:
raise generate_http_error(401, 'CannotAuthenticate', 'Cannot authenticate to account %(account)s with given credentials' % locals())
except RucioException as error:
raise generate_http_error(500, error.__class__.__name__, error.args[0])
except Exception as error:
print(format_exc())
raise InternalError(error)
if not result:
raise generate_http_error(401, 'CannotAuthenticate', 'Cannot authenticate to account %(account)s with given credentials' % locals())
header('X-Rucio-Auth-Token', result.token)
header('X-Rucio-Auth-Token-Expires', date_to_str(result.expired_at))
return str()
def test_many_tokens(vo, root_account, db_session):
"""AUTHENTIFICATION (REST): Error when deleting too many tokens."""
for i in range(2000):
models.Token(
account=root_account,
token="dummytoken" + str(i),
ip='127.0.0.1',
expired_at=datetime.datetime.utcnow()).save(session=db_session)
db_session.commit()
# Ensures that the tokens are expired
time.sleep(1)
print(
get_auth_token_user_pass(account='root',
username='******',
password='******',
appid='test',
ip='127.0.0.1',
vo=vo))
def GET(self):
"""
HTTP Success:
200 OK
HTTP Error:
401 Unauthorized
:param Rucio-Account: Account identifier as a string.
:param Rucio-Username: Username as a string.
:param Rucio-Password: SHA1 hash of the password as a string.
:param Rucio-AppID: Application identifier as a string.
:returns: "Rucio-Auth-Token" as a variable-length string header.
"""
header('Access-Control-Allow-Origin', ctx.env.get('HTTP_ORIGIN'))
header('Access-Control-Allow-Headers', ctx.env.get('HTTP_ACCESS_CONTROL_REQUEST_HEADERS'))
header('Access-Control-Allow-Methods', '*')
header('Access-Control-Allow-Credentials', 'true')
header('Access-Control-Expose-Headers', 'X-Rucio-Auth-Token')
header('Content-Type', 'application/octet-stream')
header('Cache-Control', 'no-cache, no-store, max-age=0, must-revalidate')
header('Cache-Control', 'post-check=0, pre-check=0', False)
header('Pragma', 'no-cache')
account = ctx.env.get('HTTP_X_RUCIO_ACCOUNT')
username = ctx.env.get('HTTP_X_RUCIO_USERNAME')
password = ctx.env.get('HTTP_X_RUCIO_PASSWORD')
appid = ctx.env.get('HTTP_X_RUCIO_APPID')
if appid is None:
appid = 'unknown'
ip = ctx.env.get('HTTP_X_FORWARDED_FOR')
if ip is None:
ip = ctx.ip
try:
result = get_auth_token_user_pass(account, username, password, appid, ip)
except AccessDenied:
raise generate_http_error(401, 'CannotAuthenticate', 'Cannot authenticate to account %(account)s with given credentials' % locals())
except RucioException, e:
raise generate_http_error(500, e.__class__.__name__, e.args[0])
def test_get_auth_token_user_pass(self):
"""AUTHENTICATION (CORE): Username and password (correct credentials)."""
result = get_auth_token_user_pass(account='root', username='******', password='******', appid='test', ip='127.0.0.1')
assert_is_not_none(result)
def log_in(data, rendered_tpl):
attribs = None
token = None
js_token = ""
js_account = ""
def_account = None
accounts = None
cookie_accounts = None
rucio_ui_version = version.version_string()
policy = config_get('policy', 'permission')
render = template.render(join(dirname(__file__), '../templates'))
# # try to get and check the rucio session token from cookie
session_token = cookies().get('x-rucio-auth-token')
validate_token = authentication.validate_auth_token(session_token)
# if token is valid, render the requested page.
if validate_token and not data:
token = session_token
js_token = __to_js('token', token)
js_account = __to_js('account', def_account)
return render.base(js_token, js_account, rucio_ui_version, policy,
rendered_tpl)
else:
# if there is no session token or if invalid: get a new one.
# if user tries to access a page through URL without logging in, then redirect to login page.
if rendered_tpl:
return render.login()
# get all accounts for an identity. Needed for account switcher in UI.
accounts = identity.list_accounts_for_identity(data.username,
'userpass')
if len(accounts) == 0:
return render.problem('No accounts for the given identity.')
cookie_accounts = accounts
# try to set the default account to the user account, if not available take the first account.
def_account = accounts[0]
for account in accounts:
account_info = get_account_info(account)
if account_info.account_type == AccountType.USER:
def_account = account
break
selected_account = cookies().get('rucio-selected-account')
if (selected_account):
def_account = selected_account
try:
token = authentication.get_auth_token_user_pass(
def_account, data.username, data.password.encode("ascii"),
'webui', ctx.env.get('REMOTE_ADDR')).token
except:
return render.problem('Cannot get auth token')
attribs = list_account_attributes(def_account)
# write the token and account to javascript variables, that will be used in the HTML templates.
js_token = __to_js('token', token)
js_account = __to_js('account', def_account)
set_cookies(token, cookie_accounts, attribs)
return seeother('/')
def get(self):
"""
Authenticate a Rucio account temporarily via username and password.
.. :quickref: UserPass; Authenticate with username/password
:reqheader X-Rucio-VO: VO name as a string (Multi-VO Only)
:reqheader X-Rucio-Account: Account identifier as a string.
:reqheader X-Rucio-Username: Username as a string.
:reqheader X-Rucio-Password: password as a text-plain string.
:reqheader X-Rucio-AppID: Application identifier as a string.
:resheader Access-Control-Allow-Origin:
:resheader Access-Control-Allow-Headers:
:resheader Access-Control-Allow-Methods:
:resheader Access-Control-Allow-Credentials:
:resheader Access-Control-Expose-Headers:
:resheader X-Rucio-Auth-Token: The authentication token
:status 200: Successfully authenticated
:status 404: Invalid credentials
"""
headers = self.get_headers()
headers['Content-Type'] = 'application/octet-stream'
headers[
'Cache-Control'] = 'no-cache, no-store, max-age=0, must-revalidate'
headers.add('Cache-Control', 'post-check=0, pre-check=0')
headers['Pragma'] = 'no-cache'
vo = extract_vo(request.headers)
account = request.headers.get('X-Rucio-Account', default=None)
username = request.headers.get('X-Rucio-Username', default=None)
password = request.headers.get('X-Rucio-Password', default=None)
appid = request.headers.get('X-Rucio-AppID', default='unknown')
ip = request.headers.get('X-Forwarded-For',
default=request.remote_addr)
if not account or not username or not password:
return generate_http_error_flask(
401,
CannotAuthenticate.__name__,
'Cannot authenticate without passing all required arguments',
headers=headers)
try:
result = get_auth_token_user_pass(account,
username,
password,
appid,
ip,
vo=vo)
except AccessDenied:
return generate_http_error_flask(
401,
CannotAuthenticate.__name__,
f'Cannot authenticate to account {account} with given credentials',
headers=headers)
if not result:
return generate_http_error_flask(
401,
CannotAuthenticate.__name__,
f'Cannot authenticate to account {account} with given credentials',
headers=headers)
headers['X-Rucio-Auth-Token'] = result['token']
headers['X-Rucio-Auth-Token-Expires'] = date_to_str(
result['expires_at'])
return '', 200, headers