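def get(self):
    """
    Authenticate a Rucio account temporarily via username and password.

    .. :quickref: UserPass; Authenticate with username/password

    :reqheader X-Rucio-VO: VO name as a string (Multi-VO Only)
    :reqheader X-Rucio-Account: Account identifier as a string.
    :reqheader X-Rucio-Username: Username as a string.
    :reqheader X-Rucio-Password: password as a text-plain string.
    :reqheader X-Rucio-AppID: Application identifier as a string.
    :resheader Access-Control-Allow-Origin:
    :resheader Access-Control-Allow-Headers:
    :resheader Access-Control-Allow-Methods:
    :resheader Access-Control-Allow-Credentials:
    :resheader Access-Control-Expose-Headers:
    :resheader X-Rucio-Auth-Token: The authentication token
    :status 200: Successfully authenticated
    :status 401: Invalid credentials
    :status 500: A RucioException or an unexpected error was raised
    """
    response = Response()

    # NOTE(review): the request's Origin is echoed back while
    # Access-Control-Allow-Credentials is 'true', so this method excludes no
    # origin. Confirm that an allow-list is enforced elsewhere.
    response.headers['Access-Control-Allow-Origin'] = request.environ.get('HTTP_ORIGIN')
    response.headers['Access-Control-Allow-Headers'] = request.environ.get('HTTP_ACCESS_CONTROL_REQUEST_HEADERS')
    response.headers['Access-Control-Allow-Methods'] = '*'
    response.headers['Access-Control-Allow-Credentials'] = 'true'
    response.headers['Access-Control-Expose-Headers'] = 'X-Rucio-Auth-Token'

    response.headers['Content-Type'] = 'application/octet-stream'
    response.headers['Cache-Control'] = 'no-cache, no-store, max-age=0, must-revalidate'
    # Append the second Cache-Control value. Assigning it would replace the
    # 'no-store' directives set on the line above.
    response.headers.add('Cache-Control', 'post-check=0, pre-check=0')
    response.headers['Pragma'] = 'no-cache'

    vo = request.environ.get('HTTP_X_RUCIO_VO', 'def')
    account = request.environ.get('HTTP_X_RUCIO_ACCOUNT')
    username = request.environ.get('HTTP_X_RUCIO_USERNAME')
    password = request.environ.get('HTTP_X_RUCIO_PASSWORD')
    appid = request.environ.get('HTTP_X_RUCIO_APPID')
    if appid is None:
        appid = 'unknown'

    # NOTE(review): X-Forwarded-For is taken from the request as-is. Unless a
    # trusted proxy overwrites it, the client chooses the value passed on as `ip`.
    ip = request.environ.get('HTTP_X_FORWARDED_FOR')
    if ip is None:
        ip = request.remote_addr

    # The username and password arrive in request headers and must never be
    # printed or logged, so no debug output of the credentials is produced here.

    # Only the account name is interpolated into the error text. Formatting
    # with locals() would hand every local, including the password, to the
    # format operation.
    denied_message = 'Cannot authenticate to account %(account)s with given credentials' % {'account': account}

    try:
        result = get_auth_token_user_pass(account, username, password, appid, ip, vo=vo)
    except AccessDenied:
        return generate_http_error_flask(401, 'CannotAuthenticate', denied_message)
    except RucioException as error:
        return generate_http_error_flask(500, error.__class__.__name__, error.args[0])
    except Exception:
        print(format_exc())
        # An exception object is not a valid Flask response body. Return a
        # fixed string so the traceback stays in the server output only.
        return 'Internal Error', 500

    if not result:
        return generate_http_error_flask(401, 'CannotAuthenticate', denied_message)

    response.headers['X-Rucio-Auth-Token'] = result
    return response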
def get(self):
    """
    Issue a temporary Rucio auth token for a username/password identity.

    .. :quickref: UserPass; Authenticate with username/password

    :reqheader X-Rucio-VO: VO name as a string (Multi-VO Only)
    :reqheader X-Rucio-Account: Account identifier as a string.
    :reqheader X-Rucio-Username: Username as a string.
    :reqheader X-Rucio-Password: password as a text-plain string.
    :reqheader X-Rucio-AppID: Application identifier as a string.
    :resheader Access-Control-Allow-Origin:
    :resheader Access-Control-Allow-Headers:
    :resheader Access-Control-Allow-Methods:
    :resheader Access-Control-Allow-Credentials:
    :resheader Access-Control-Expose-Headers:
    :resheader X-Rucio-Auth-Token: The authentication token
    :resheader X-Rucio-Auth-Token-Expires: Expiry of the token, formatted with date_to_str
    :status 200: Successfully authenticated
    :status 401: Missing or invalid credentials
    :status 500: A RucioException or an unexpected error was raised
    """
    headers = Headers()

    # NOTE(review): the request's Origin is echoed back while
    # Access-Control-Allow-Credentials is 'true', so this method excludes no
    # origin. Confirm that an allow-list is enforced elsewhere.
    initial_headers = (
        ('Access-Control-Allow-Origin', request.environ.get('HTTP_ORIGIN')),
        ('Access-Control-Allow-Headers', request.environ.get('HTTP_ACCESS_CONTROL_REQUEST_HEADERS')),
        ('Access-Control-Allow-Methods', '*'),
        ('Access-Control-Allow-Credentials', 'true'),
        ('Access-Control-Expose-Headers', 'X-Rucio-Auth-Token'),
        ('Content-Type', 'application/octet-stream'),
        ('Cache-Control', 'no-cache, no-store, max-age=0, must-revalidate'),
    )
    for header_name, header_value in initial_headers:
        headers[header_name] = header_value
    # add() appends a second Cache-Control value instead of replacing the first.
    headers.add('Cache-Control', 'post-check=0, pre-check=0')
    headers['Pragma'] = 'no-cache'

    incoming = request.headers
    vo = incoming.get('X-Rucio-VO', default='def')
    account = incoming.get('X-Rucio-Account', default=None)
    username = incoming.get('X-Rucio-Username', default=None)
    password = incoming.get('X-Rucio-Password', default=None)
    appid = incoming.get('X-Rucio-AppID', default='unknown')
    # NOTE(review): X-Forwarded-For is taken from the request as-is. Unless a
    # trusted proxy overwrites it, the client chooses the value passed on as `ip`.
    ip = incoming.get('X-Forwarded-For', default=request.remote_addr)

    def deny(message):
        # Every 401 from this view carries the same header set.
        return generate_http_error_flask(401, 'CannotAuthenticate', message, headers=headers)

    if not (account and username and password):
        return deny('Cannot authenticate without passing all required arguments')

    denied_message = 'Cannot authenticate to account %(account)s with given credentials' % {'account': account}

    try:
        result = get_auth_token_user_pass(account, username, password, appid, ip, vo=vo)
    except AccessDenied:
        return deny(denied_message)
    except RucioException as error:
        return generate_http_error_flask(500, error.__class__.__name__, error.args[0], headers=headers)
    except Exception as error:
        logging.exception("Internal Error")
        # NOTE(review): the text of an unexpected exception is sent to the
        # client. Consider a fixed message if that text can reveal internals.
        return str(error), 500, headers

    if not result:
        return deny(denied_message)

    headers['X-Rucio-Auth-Token'] = result.token
    headers['X-Rucio-Auth-Token-Expires'] = date_to_str(result.expired_at)
    return '', 200, headers
def test_get_auth_token_user_pass_fail(self):
    """AUTHENTICATION (CORE): Username and password (wrong credentials)."""
    # The username/password literals appear masked in this listing; the test
    # expects the core call to return None for them.
    credentials = {
        'account': 'root',
        'username': '******',
        'password': '******',
        'appid': 'test',
        'ip': '127.0.0.1',
    }
    token = get_auth_token_user_pass(**credentials)
    assert_is_none(token)
def test_get_auth_token_user_pass_success(self):
    """AUTHENTICATION (CORE): Username and password (correct credentials)."""
    # self.vo is unpacked as extra keyword arguments for the core call.
    credentials = {
        'account': 'root',
        'username': '******',
        'password': '******',
        'appid': 'test',
        'ip': '127.0.0.1',
    }
    token = get_auth_token_user_pass(**credentials, **self.vo)
    assert token is not None
def GET(self):
    """
    Authenticate with username and password and return a token header.

    HTTP Success:
        200 OK

    HTTP Error:
        401 Unauthorized
        500 for a RucioException; InternalError for anything unexpected

    :param Rucio-VO: VO name as a string (Multi-VO Only).
    :param Rucio-Account: Account identifier as a string.
    :param Rucio-Username: Username as a string.
    :param Rucio-Password: password header value, forwarded unchanged to get_auth_token_user_pass.
    :param Rucio-AppID: Application identifier as a string.
    :returns: "X-Rucio-Auth-Token" and "X-Rucio-Auth-Token-Expires" headers with an empty body.
    """
    env = ctx.env

    # NOTE(review): the request's Origin is echoed back while
    # Access-Control-Allow-Credentials is 'true', so this method excludes no
    # origin. Confirm that an allow-list is enforced elsewhere.
    response_headers = (
        ('Access-Control-Allow-Origin', env.get('HTTP_ORIGIN')),
        ('Access-Control-Allow-Headers', env.get('HTTP_ACCESS_CONTROL_REQUEST_HEADERS')),
        ('Access-Control-Allow-Methods', '*'),
        ('Access-Control-Allow-Credentials', 'true'),
        ('Access-Control-Expose-Headers', 'X-Rucio-Auth-Token'),
        ('Content-Type', 'application/octet-stream'),
        ('Cache-Control', 'no-cache, no-store, max-age=0, must-revalidate'),
        # The explicit third argument is kept exactly as the original call passes it.
        ('Cache-Control', 'post-check=0, pre-check=0', False),
        ('Pragma', 'no-cache'),
    )
    for header_args in response_headers:
        header(*header_args)

    vo = env.get('HTTP_X_RUCIO_VO', 'def')
    account = env.get('HTTP_X_RUCIO_ACCOUNT')
    username = env.get('HTTP_X_RUCIO_USERNAME')
    password = env.get('HTTP_X_RUCIO_PASSWORD')

    requested_appid = env.get('HTTP_X_RUCIO_APPID')
    appid = 'unknown' if requested_appid is None else requested_appid

    # NOTE(review): X-Forwarded-For is taken from the request as-is. Unless a
    # trusted proxy overwrites it, the client chooses the value passed on as `ip`.
    forwarded_for = env.get('HTTP_X_FORWARDED_FOR')
    ip = forwarded_for if forwarded_for is not None else ctx.ip

    denied_message = 'Cannot authenticate to account %(account)s with given credentials' % {'account': account}

    try:
        result = get_auth_token_user_pass(account, username, password, appid, ip, vo=vo)
    except AccessDenied:
        raise generate_http_error(401, 'CannotAuthenticate', denied_message)
    except RucioException as error:
        raise generate_http_error(500, error.__class__.__name__, error.args[0])
    except Exception as error:
        print(format_exc())
        raise InternalError(error)

    if not result:
        raise generate_http_error(401, 'CannotAuthenticate', denied_message)

    header('X-Rucio-Auth-Token', result.token)
    header('X-Rucio-Auth-Token-Expires', date_to_str(result.expired_at))
    return ''
def test_many_tokens(vo, root_account, db_session):
    """AUTHENTICATION (REST): Error when deleting too many tokens."""
    token_count = 2000
    for index in range(token_count):
        dummy = models.Token(
            account=root_account,
            token='dummytoken{}'.format(index),
            ip='127.0.0.1',
            expired_at=datetime.datetime.utcnow(),
        )
        dummy.save(session=db_session)
    db_session.commit()

    # Ensures that the tokens are expired
    time.sleep(1)

    # NOTE(review): there is no assertion. The test passes whenever the call
    # below does not raise, and its return value is only printed.
    issued = get_auth_token_user_pass(
        account='root',
        username='******',
        password='******',
        appid='test',
        ip='127.0.0.1',
        vo=vo,
    )
    print(issued)
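def GET(self):
    """
    Authenticate with username and password.

    HTTP Success:
        200 OK

    HTTP Error:
        401 Unauthorized

    :param Rucio-Account: Account identifier as a string.
    :param Rucio-Username: Username as a string.
    :param Rucio-Password: password header value, forwarded unchanged to get_auth_token_user_pass.
    :param Rucio-AppID: Application identifier as a string.
    :returns: "Rucio-Auth-Token" as a variable-length string header.
    """
    # NOTE(review): the request's Origin is echoed back while
    # Access-Control-Allow-Credentials is 'true', so this method excludes no
    # origin. Confirm that an allow-list is enforced elsewhere.
    header('Access-Control-Allow-Origin', ctx.env.get('HTTP_ORIGIN'))
    header('Access-Control-Allow-Headers', ctx.env.get('HTTP_ACCESS_CONTROL_REQUEST_HEADERS'))
    header('Access-Control-Allow-Methods', '*')
    header('Access-Control-Allow-Credentials', 'true')
    header('Access-Control-Expose-Headers', 'X-Rucio-Auth-Token')

    header('Content-Type', 'application/octet-stream')
    header('Cache-Control', 'no-cache, no-store, max-age=0, must-revalidate')
    header('Cache-Control', 'post-check=0, pre-check=0', False)
    header('Pragma', 'no-cache')

    account = ctx.env.get('HTTP_X_RUCIO_ACCOUNT')
    username = ctx.env.get('HTTP_X_RUCIO_USERNAME')
    password = ctx.env.get('HTTP_X_RUCIO_PASSWORD')
    appid = ctx.env.get('HTTP_X_RUCIO_APPID')
    if appid is None:
        appid = 'unknown'

    # NOTE(review): X-Forwarded-For is taken from the request as-is. Unless a
    # trusted proxy overwrites it, the client chooses the value passed on as `ip`.
    ip = ctx.env.get('HTTP_X_FORWARDED_FOR')
    if ip is None:
        ip = ctx.ip

    try:
        result = get_auth_token_user_pass(account, username, password, appid, ip)
    except AccessDenied:
        # Only the account name is interpolated. Formatting with locals()
        # would hand every local, including the password, to the format operation.
        raise generate_http_error(401, 'CannotAuthenticate', 'Cannot authenticate to account %(account)s with given credentials' % {'account': account})
    except RucioException as error:
        # 'except X as name' replaces the Python-2-only 'except X, name' form.
        raise generate_http_error(500, error.__class__.__name__, error.args[0])
    # NOTE(review): the listing ends here. The success path that would publish
    # `result` as the token header is not visible in this excerpt.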
def test_get_auth_token_user_pass(self):
    """AUTHENTICATION (CORE): Username and password (correct credentials)."""
    # The username/password literals appear masked in this listing; the test
    # expects the core call to return a non-None result for them.
    credentials = {
        'account': 'root',
        'username': '******',
        'password': '******',
        'appid': 'test',
        'ip': '127.0.0.1',
    }
    token = get_auth_token_user_pass(**credentials)
    assert_is_not_none(token)
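def log_in(data, rendered_tpl):
    """
    Render the requested page for a valid session, or log in with username/password.

    The session token is read from the ``x-rucio-auth-token`` cookie. If it
    validates and no form data was submitted, the requested template is
    rendered inside the base page. Otherwise a new token is requested with
    the submitted username and password, cookies are set and the browser is
    redirected to ``/``.

    :param data: submitted form data; ``username`` and ``password`` are read from it.
    :param rendered_tpl: the rendered template of the requested page; when
                         truthy and there is no valid session, the login page
                         is rendered instead.
    :returns: a rendered page (base, login or problem) or ``seeother('/')``.
    """
    rucio_ui_version = version.version_string()
    policy = config_get('policy', 'permission')
    render = template.render(join(dirname(__file__), '../templates'))

    # Try to get and check the rucio session token from the cookie.
    session_token = cookies().get('x-rucio-auth-token')
    validate_token = authentication.validate_auth_token(session_token)

    # If the token is valid, render the requested page.
    if validate_token and not data:
        js_token = __to_js('token', session_token)
        # No account is known on this path, so None is passed, as before.
        js_account = __to_js('account', None)
        return render.base(js_token, js_account, rucio_ui_version, policy, rendered_tpl)

    # No valid session. A page requested directly by URL goes to the login page.
    if rendered_tpl:
        return render.login()

    # Get all accounts for the identity. Needed for the account switcher in the UI.
    accounts = identity.list_accounts_for_identity(data.username, 'userpass')
    if not accounts:
        return render.problem('No accounts for the given identity.')

    # Default to the first USER-type account, else the first account listed.
    def_account = accounts[0]
    for account in accounts:
        if get_account_info(account).account_type == AccountType.USER:
            def_account = account
            break

    # NOTE(review): this cookie is client-controlled and replaces the default
    # account without being checked against `accounts`. Whether
    # get_auth_token_user_pass rejects an account that is not mapped to the
    # identity is not visible here and should be confirmed.
    selected_account = cookies().get('rucio-selected-account')
    if selected_account:
        def_account = selected_account

    try:
        token = authentication.get_auth_token_user_pass(
            def_account,
            data.username,
            data.password.encode("ascii"),
            'webui',
            ctx.env.get('REMOTE_ADDR')).token
    except Exception:
        # A bare 'except:' would also swallow SystemExit and KeyboardInterrupt.
        # Any ordinary failure still ends in the same generic problem page.
        return render.problem('Cannot get auth token')

    attribs = list_account_attributes(def_account)

    # NOTE(review): these two values are computed but not used before the
    # redirect. The calls are kept because __to_js is not visible here.
    js_token = __to_js('token', token)
    js_account = __to_js('account', def_account)

    # NOTE(review): the cookie attributes set_cookies applies to the token
    # (e.g. Secure/HttpOnly) are not visible here and should be verified there.
    set_cookies(token, accounts, attribs)
    return seeother('/')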
def get(self):
    """
    Issue a temporary Rucio auth token for a username/password identity.

    .. :quickref: UserPass; Authenticate with username/password

    :reqheader X-Rucio-VO: VO name as a string (Multi-VO Only)
    :reqheader X-Rucio-Account: Account identifier as a string.
    :reqheader X-Rucio-Username: Username as a string.
    :reqheader X-Rucio-Password: password as a text-plain string.
    :reqheader X-Rucio-AppID: Application identifier as a string.
    :resheader X-Rucio-Auth-Token: The authentication token
    :resheader X-Rucio-Auth-Token-Expires: Expiry of the token, formatted with date_to_str
    :status 200: Successfully authenticated
    :status 401: Missing or invalid credentials

    The base header set comes from ``self.get_headers()``; no
    Access-Control-* header is set in this method itself.
    """
    headers = self.get_headers()
    headers['Content-Type'] = 'application/octet-stream'
    headers['Cache-Control'] = 'no-cache, no-store, max-age=0, must-revalidate'
    # add() appends a second Cache-Control value instead of replacing the first.
    headers.add('Cache-Control', 'post-check=0, pre-check=0')
    headers['Pragma'] = 'no-cache'

    incoming = request.headers
    vo = extract_vo(incoming)
    account = incoming.get('X-Rucio-Account', default=None)
    username = incoming.get('X-Rucio-Username', default=None)
    password = incoming.get('X-Rucio-Password', default=None)
    appid = incoming.get('X-Rucio-AppID', default='unknown')
    # NOTE(review): X-Forwarded-For is taken from the request as-is. Unless a
    # trusted proxy overwrites it, the client chooses the value passed on as `ip`.
    ip = incoming.get('X-Forwarded-For', default=request.remote_addr)

    def deny(message):
        # Every 401 from this view uses the same error name and header set.
        return generate_http_error_flask(
            401, CannotAuthenticate.__name__, message, headers=headers)

    if not (account and username and password):
        return deny('Cannot authenticate without passing all required arguments')

    denied_message = f'Cannot authenticate to account {account} with given credentials'

    try:
        result = get_auth_token_user_pass(account, username, password, appid, ip, vo=vo)
    except AccessDenied:
        return deny(denied_message)

    if not result:
        return deny(denied_message)

    headers['X-Rucio-Auth-Token'] = result['token']
    headers['X-Rucio-Auth-Token-Expires'] = date_to_str(result['expires_at'])
    return '', 200, headers