def GET(self):
    """
    Render the HTML outcome page of an OIDC authorization-code request.

    HTTP Success:
        200 OK

    HTTP Error:
        401 Unauthorized

    NOTE(review): no branch below sets a status code explicitly, so the
    failure pages are presumably served with the framework default status;
    confirm that matches the statuses documented above.

    :param QUERY_STRING: the URL query string itself
    :returns: the rendered ``auth_granted`` page on success, otherwise the
              rendered ``auth_crash`` page for the failure kind.
    """
    # NOTE(review): the request's Origin is echoed back while credentials are
    # allowed, so any origin is granted credentialed cross-origin access to
    # this response. An allowlist of trusted origins would narrow that.
    header('Access-Control-Allow-Origin', ctx.env.get('HTTP_ORIGIN'))
    header('Access-Control-Allow-Headers', ctx.env.get('HTTP_ACCESS_CONTROL_REQUEST_HEADERS'))
    header('Access-Control-Allow-Methods', '*')
    header('Access-Control-Allow-Credentials', 'true')
    header('Content-Type', 'text/html')
    header('Cache-Control', 'no-cache, no-store, max-age=0, must-revalidate')
    header('Cache-Control', 'post-check=0, pre-check=0', False)
    header('Pragma', 'no-cache')

    templates_dir = join(dirname(__file__), '../auth_templates/')

    def crash_page(kind):
        # Build the renderer lazily so it is only created on the path taken.
        return template.render(templates_dir).auth_crash(kind)

    query_string = ctx.env.get('QUERY_STRING')
    # NOTE(review): X-Forwarded-For is client-controlled unless a trusted
    # proxy overwrites it, and may hold a comma-separated list. Whatever
    # get_token_oidc does with this value inherits that trust; confirm the
    # deployment always sits behind such a proxy.
    forwarded_for = ctx.env.get('HTTP_X_FORWARDED_FOR')
    client_ip = ctx.ip if forwarded_for is None else forwarded_for

    try:
        result = get_token_oidc(query_string, client_ip)
    except AccessDenied:
        return crash_page('contact')
    except RucioException:
        return crash_page('internal_error')
    except Exception:
        # Unexpected failure: keep the traceback server-side only.
        print(format_exc())
        return crash_page('internal_error')

    page = template.render(templates_dir)
    if not result:
        return page.auth_crash('no_result')
    if 'fetchcode' in result:
        return page.auth_granted(result['fetchcode'])
    if 'polling' in result and result['polling'] is True:
        return page.auth_granted("allok")
    return page.auth_crash('bad_request')
def GET(self):
    """
    Deliver the OIDC token, either as response headers or as cookies
    followed by a redirect to the web home.

    HTTP Success:
        200 OK

    HTTP Error:
        401 Unauthorized

    :param QUERY_STRING: the URL query string itself
    :returns: "Rucio-Auth-Token" as a variable-length string header.
    """
    # NOTE(review): the request's Origin is echoed back while credentials are
    # allowed, so any origin is granted credentialed cross-origin access to
    # a response that can carry the auth token in its headers. An allowlist
    # of trusted origins would narrow that.
    header('Access-Control-Allow-Origin', ctx.env.get('HTTP_ORIGIN'))
    header('Access-Control-Allow-Headers', ctx.env.get('HTTP_ACCESS_CONTROL_REQUEST_HEADERS'))
    header('Access-Control-Allow-Methods', '*')
    header('Access-Control-Allow-Credentials', 'true')
    header('Content-Type', 'application/octet-stream')
    header('Cache-Control', 'no-cache, no-store, max-age=0, must-revalidate')
    header('Cache-Control', 'post-check=0, pre-check=0', False)
    header('Pragma', 'no-cache')

    query_string = ctx.env.get('QUERY_STRING')
    # NOTE(review): X-Forwarded-For is client-controlled unless a trusted
    # proxy overwrites it; confirm the deployment before relying on it.
    forwarded_for = ctx.env.get('HTTP_X_FORWARDED_FOR')
    client_ip = ctx.ip if forwarded_for is None else forwarded_for

    try:
        result = get_token_oidc(query_string, client_ip)
    except AccessDenied:
        raise generate_http_error(401, 'CannotAuthorize', 'Cannot authorize token request.')
    except RucioException as error:
        # NOTE(review): error.args[0] raises IndexError when the exception
        # carries no arguments; presumably RucioException always has a
        # message, verify.
        raise generate_http_error(500, error.__class__.__name__, error.args[0])
    except Exception as error:
        print(format_exc())
        raise InternalError(error)

    if not result:
        raise generate_http_error(401, 'CannotAuthorize', 'Cannot authorize token request.')

    if 'webhome' not in result:
        if 'token' not in result:
            raise BadRequest()
        # Plain client flow: the token travels in the response headers.
        header('X-Rucio-Auth-Token', result['token'].token)  # pylint: disable=no-member
        header('X-Rucio-Auth-Token-Expires', date_to_str(result['token'].expired_at))  # pylint: disable=no-member
        return ''

    webhome = result['webhome']
    if webhome is None:
        header('Content-Type', 'text/html')
        render = template.render(join(dirname(__file__), '../auth_templates/'))
        return render.auth_crash('unknown_identity')

    # domain setting is necessary so that the token gets distributed also to the webui server
    # NOTE(review): dropping the first host label scopes the cookie to the
    # parent domain, so every sibling host under it receives the token, and
    # no secure/httponly flag is passed. netloc also keeps any port or
    # userinfo present in webhome. This branch assumes result holds 'token'
    # and that webhome was validated by get_token_oidc; confirm both.
    host_labels = urlparse.urlparse(webhome).netloc.split('.')
    domain = '.'.join(host_labels[1:])
    setcookie('x-rucio-auth-token', value=result['token'].token, domain=domain, path='/')
    setcookie('rucio-auth-token-created-at', value=int(time.time()), domain=domain, path='/')
    return seeother(webhome)
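def get(self):
    """
    Render the HTML outcome page of an OIDC authorization-code request.

    .. :quickref: OIDC;

    :status 200: OK
    :status 400: The result of the token request was not recognised
    :status 401: Unauthorized
    :status 500: Internal Error
    """
    headers = self.get_headers()
    headers.set('Content-Type', 'text/html')
    headers.set('Cache-Control', 'no-cache, no-store, max-age=0, must-revalidate')
    headers.add('Cache-Control', 'post-check=0, pre-check=0')
    headers.set('Pragma', 'no-cache')

    query_string = request.query_string.decode(encoding='utf-8')
    # NOTE(review): X-Forwarded-For is client-controlled unless a trusted
    # proxy overwrites it, and may hold a comma-separated list; confirm the
    # deployment before get_token_oidc relies on this value.
    ip = request.headers.get('X-Forwarded-For', default=request.remote_addr)

    try:
        result = get_token_oidc(query_string, ip)
    except AccessDenied:
        headers.extend(
            error_headers(
                CannotAuthenticate.__name__,
                'Cannot authorize your access, please check your access credentials'
            ))
        return render_template('auth_crash.html', crashtype='contact'), 401, headers
    except Exception as error:
        logging.exception("Internal Error")
        # An exception raised without arguments has an empty args tuple;
        # indexing it here would raise IndexError inside the handler and
        # replace the intended error page with an unhandled failure.
        detail = str(error.args[0]) if error.args else str(error)
        # NOTE(review): this echoes the message of any unexpected exception
        # to the client through the response headers; consider a generic
        # message, since the full detail is already logged above.
        headers.extend(error_headers(error.__class__.__name__, detail))
        return render_template('auth_crash.html', crashtype='internal_error'), 500, headers

    if not result:
        headers.extend(
            error_headers(
                CannotAuthenticate.__name__,
                'Cannot finalize your token request, no authorization content returned from the auth server'
            ))
        return render_template('auth_crash.html', crashtype='no_result'), 401, headers

    if 'fetchcode' in result:
        return render_template('auth_granted.html', authcode=result['fetchcode']), 200, headers
    if 'polling' in result and result['polling'] is True:
        return render_template('auth_granted.html', authcode='allok'), 200, headers

    headers.extend(
        error_headers('InvalidRequest', 'Cannot recognize and process your request'))
    return render_template('auth_crash.html', crashtype='bad_request'), 400, headers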
def get(self):
    """
    Deliver the OIDC token, either as response headers or as cookies
    attached to a redirect to the web home.

    .. :quickref: OIDC;

    :status 200: OK
    :status 303: Redirect to the web home with the token cookies set
    :status 400: The result of the token request was not recognised
    :status 401: Unauthorized
    :status 500: Internal Error
    :resheader X-Rucio-Auth-Token: The authentication token
    :resheader X-Rucio-Auth-Token-Expires: The time when the token expires
    """
    headers = Headers()
    # NOTE(review): the request's Origin is echoed back while credentials are
    # allowed, so any origin is granted credentialed cross-origin access to
    # a response that can carry the auth token in its headers. An allowlist
    # of trusted origins would narrow that.
    headers.set('Access-Control-Allow-Origin', request.environ.get('HTTP_ORIGIN'))
    headers.set('Access-Control-Allow-Headers', request.environ.get('HTTP_ACCESS_CONTROL_REQUEST_HEADERS'))
    headers.set('Access-Control-Allow-Methods', '*')
    headers.set('Access-Control-Allow-Credentials', 'true')
    headers.set('Content-Type', 'application/octet-stream')
    headers.set('Cache-Control', 'no-cache, no-store, max-age=0, must-revalidate')
    headers.add('Cache-Control', 'post-check=0, pre-check=0')
    headers.set('Pragma', 'no-cache')

    query_string = request.query_string.decode(encoding='utf-8')
    # NOTE(review): X-Forwarded-For is client-controlled unless a trusted
    # proxy overwrites it; confirm the deployment before relying on it.
    client_ip = request.headers.get('X-Forwarded-For', default=request.remote_addr)

    try:
        result = get_token_oidc(query_string, client_ip)
    except AccessDenied:
        return generate_http_error_flask(401, 'CannotAuthorize', 'Cannot authorize token request.', headers=headers)
    except RucioException as error:
        # NOTE(review): error.args[0] raises IndexError when the exception
        # carries no arguments; presumably RucioException always has a
        # message, verify.
        return generate_http_error_flask(500, error.__class__.__name__, error.args[0], headers=headers)
    except Exception as error:
        logging.exception("Internal Error")
        # NOTE(review): the text of any unexpected exception is returned to
        # the client as the body; the detail is already logged above, so a
        # generic message would avoid exposing internals.
        return str(error), 500, headers

    if not result:
        return generate_http_error_flask(401, 'CannotAuthorize', 'Cannot authorize token request.', headers=headers)

    if 'webhome' not in result:
        if 'token' not in result:
            return '', 400, headers
        # Plain client flow: the token travels in the response headers.
        token = result['token']
        headers.set('X-Rucio-Auth-Token', token.token)
        headers.set('X-Rucio-Auth-Token-Expires', date_to_str(token.expired_at))
        return '', 200, headers

    webhome = result['webhome']
    if webhome is None:
        headers.extend(error_headers('CannotAuthenticate', 'Cannot find your OIDC identity linked to any Rucio account'))
        headers.set('Content-Type', 'text/html')
        return render_template('auth_crash.html', crashtype='unknown_identity'), 401, headers

    # domain setting is necessary so that the token gets distributed also to the webui server
    # NOTE(review): dropping the first host label scopes the cookie to the
    # parent domain, so every sibling host under it receives the token, and
    # no secure/httponly/samesite argument is passed. This branch assumes
    # result holds 'token' and that webhome was validated by get_token_oidc;
    # confirm both.
    host_labels = urlparse.urlparse(webhome).netloc.split('.')
    domain = '.'.join(host_labels[1:])
    response = redirect(webhome, code=303)
    response.headers.extend(headers)
    response.set_cookie('x-rucio-auth-token', value=result['token'].token, domain=domain, path='/')
    response.set_cookie('rucio-auth-token-created-at', value=str(time.time()), domain=domain, path='/')
    return response
def get(self):
    """
    Deliver the OIDC token, either as response headers or as cookies
    attached to a redirect to the web home.

    .. :quickref: OIDC;

    :status 200: OK
    :status 303: Redirect to the web home with the token cookies set
    :status 400: The result of the token request was not recognised
    :status 401: Unauthorized
    :resheader X-Rucio-Auth-Token: The authentication token
    :resheader X-Rucio-Auth-Token-Expires: The time when the token expires
    """
    headers = self.get_headers()
    headers.set('Content-Type', 'application/octet-stream')
    headers.set('Cache-Control', 'no-cache, no-store, max-age=0, must-revalidate')
    headers.add('Cache-Control', 'post-check=0, pre-check=0')
    headers.set('Pragma', 'no-cache')

    query_string = request.query_string.decode(encoding='utf-8')
    # NOTE(review): X-Forwarded-For is client-controlled unless a trusted
    # proxy overwrites it, and may hold a comma-separated list; confirm the
    # deployment before get_token_oidc relies on this value.
    client_ip = request.headers.get('X-Forwarded-For', default=request.remote_addr)

    try:
        result = get_token_oidc(query_string, client_ip)
    except AccessDenied:
        return generate_http_error_flask(401, CannotAuthorize.__name__, 'Cannot authorize token request.', headers=headers)

    if not result:
        return generate_http_error_flask(401, CannotAuthorize.__name__, 'Cannot authorize token request.', headers=headers)

    if 'webhome' not in result:
        if 'token' not in result:
            return '', 400, headers
        # Plain client flow: the token travels in the response headers.
        token = result['token']
        headers.set('X-Rucio-Auth-Token', token['token'])
        headers.set('X-Rucio-Auth-Token-Expires', date_to_str(token['expires_at']))
        return '', 200, headers

    webhome = result['webhome']
    if webhome is None:
        headers.extend(
            error_headers(
                CannotAuthenticate.__name__,
                'Cannot find your OIDC identity linked to any Rucio account'
            ))
        headers.set('Content-Type', 'text/html')
        return render_template(
            'auth_crash.html', crashtype='unknown_identity'), 401, headers

    # domain setting is necessary so that the token gets distributed also to the webui server
    # NOTE(review): dropping the first host label scopes the cookie to the
    # parent domain, so every sibling host under it receives the token, and
    # no secure/httponly/samesite argument is passed. This branch assumes
    # result holds 'token' and that webhome was validated by get_token_oidc;
    # confirm both.
    host_labels = urlparse(webhome).netloc.split('.')
    domain = '.'.join(host_labels[1:])
    response = redirect(webhome, code=303)
    response.headers.extend(headers)
    response.set_cookie('x-rucio-auth-token', value=result['token']['token'], domain=domain, path='/')
    response.set_cookie('rucio-auth-token-created-at', value=str(time.time()), domain=domain, path='/')
    return response