コード例 #1
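    def get(self):
        """
        Sign a URL for a limited lifetime for a particular service.

        Query parameters: ``rse`` and ``url`` are required; ``lifetime``
        defaults to 600, ``svc`` to ``gcs`` and ``op`` to ``read``.

        :reqheader X-Rucio-VO: VO name as a string (Multi-VO only).
        :reqheader X-Rucio-Account: Account identifier as a string.
        :reqheader X-Rucio-AppID: Application identifier as a string.
        :status 200: Successfully signed URL
        :status 400: Bad Request
        :status 401: Unauthorized
        :status 406: Not Acceptable
        :status 500: Internal Server Error
        """

        # NOTE(review): no token check is visible in this method; presumably
        # authentication happens in a decorator or request hook outside this
        # view -- confirm, because `account` is taken from a client header.
        vo = request.headers.get('X-Rucio-VO', default='def')
        account = request.headers.get('X-Rucio-Account', default=None)
        appid = request.headers.get('X-Rucio-AppID', default='unknown')
        # X-Forwarded-For is client-supplied unless a trusted proxy overwrites
        # it, so `ip` is only reliable when the service sits behind one.
        ip = request.headers.get('X-Forwarded-For', default=request.remote_addr)

        try:
            query_string = request.query_string.decode(encoding='utf-8')
            params = parse_qs(query_string)
            rse = params.get('rse', [None])[0]
            lifetime = params.get('lifetime', [600])[0]
            service = params.get('svc', ['gcs'])[0]
            operation = params.get('op', ['read'])[0]
            url = params.get('url', [None])[0]
        except ValueError:
            return generate_http_error_flask(400, 'ValueError', 'Cannot decode json parameter list')

        # parse_qs yields strings, while the default above is the int 600;
        # normalise so get_signed_url always receives an int, and reject
        # anything that is not a number instead of passing it downstream.
        # NOTE(review): no upper bound on lifetime is enforced here; confirm
        # that get_signed_url or the storage backend caps it.
        try:
            lifetime = int(lifetime)
        except (TypeError, ValueError):
            return generate_http_error_flask(400, 'ValueError', 'Parameter "lifetime" must be an integer')

        if service not in ['gcs', 's3', 'swift']:
            return generate_http_error_flask(400, 'ValueError', 'Parameter "svc" must be either empty(=gcs), gcs, s3 or swift')

        if url is None:
            return generate_http_error_flask(400, 'ValueError', 'Parameter "url" not found')

        if rse is None:
            return generate_http_error_flask(400, 'ValueError', 'Parameter "rse" not found')

        if operation not in ['read', 'write', 'delete']:
            return generate_http_error_flask(400, 'ValueError', 'Parameter "op" must be either empty(=read), read, write, or delete.')

        try:
            result = get_signed_url(account, appid, ip, rse=rse, service=service, operation=operation, url=url, lifetime=lifetime, vo=vo)
        except RucioException as error:
            return generate_http_error_flask(500, error.__class__.__name__, error.args[0])
        except Exception as error:
            print(format_exc())
            # NOTE(review): the raw exception text is sent to the client;
            # consider a generic message and keep the detail in server logs.
            return str(error), 500

        if not result:
            return generate_http_error_flask(401, 'CannotAuthenticate', 'Cannot generate signed URL for account %(account)s' % {'account': account})

        return str(result), 200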
コード例 #2
ファイル: credentials.py プロジェクト: vokac/rucio
    def get(self):
        """
        Return a signed URL with a limited lifetime for a particular service.

        Query parameters ``rse`` and ``url`` are mandatory; ``lifetime``
        defaults to 600, ``svc`` to ``gcs`` and ``op`` to ``read``.

        :reqheader X-Rucio-VO: VO name as a string (Multi-VO only).
        :reqheader X-Rucio-Account: Account identifier as a string.
        :reqheader X-Rucio-AppID: Application identifier as a string.
        :status 200: Successfully signed URL
        :status 400: Bad Request
        :status 401: Unauthorized
        :status 406: Not Acceptable
        """
        headers = self.get_headers()

        def bad_request(message):
            # Every validation failure below is a 400 tagged as ValueError.
            return generate_http_error_flask(400,
                                             ValueError.__name__,
                                             message,
                                             headers=headers)

        # NOTE(review): no token check is visible in this method; presumably
        # it is enforced outside this view -- confirm, because the account
        # is read from a client-supplied header.
        incoming = request.headers
        vo = incoming.get('X-Rucio-VO', default='def')
        account = incoming.get('X-Rucio-Account', default=None)
        appid = incoming.get('X-Rucio-AppID', default='unknown')
        # X-Forwarded-For is client-supplied unless a trusted proxy rewrites
        # it, so this value is only reliable behind such a proxy.
        ip = incoming.get('X-Forwarded-For', default=request.remote_addr)

        args = request.args
        if 'rse' not in args:
            return bad_request('Parameter "rse" not found')
        if 'url' not in args:
            return bad_request('Parameter "url" not found')

        service = args.get('svc', default='gcs')
        if service not in ('gcs', 's3', 'swift'):
            return bad_request(
                'Parameter "svc" must be either empty(=gcs), gcs, s3 or swift')

        operation = args.get('op', default='read')
        if operation not in ('read', 'write', 'delete'):
            return bad_request(
                'Parameter "op" must be either empty(=read), read, write, or delete.')

        # A lifetime that does not parse as an int silently becomes 600.
        # NOTE(review): no bound on lifetime is enforced here; confirm that
        # get_signed_url or the storage backend caps it.
        signing_options = {
            'rse': args.get('rse'),
            'service': service,
            'operation': operation,
            'url': args.get('url'),
            'lifetime': args.get('lifetime', type=int, default=600),
            'vo': vo,
        }
        result = get_signed_url(account, appid, ip, **signing_options)

        if result:
            return str(result), 200, headers

        return generate_http_error_flask(
            401,
            CannotAuthenticate.__name__,
            f'Cannot generate signed URL for account {account}',
            headers=headers)
コード例 #3
ファイル: credential.py プロジェクト: sartiran/rucio
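    def get(self):
        """
        Sign a URL for a limited lifetime for a particular service.

        Query parameters: ``url`` is required; ``lifetime`` defaults to 600,
        ``svc`` to ``gcs`` (the only accepted value) and ``op`` to ``read``.

        :reqheader X-Rucio-Account: Account identifier as a string.
        :reqheader X-Rucio-AppID: Application identifier as a string.
        :resheader Access-Control-Allow-Origin:
        :resheader Access-Control-Allow-Headers:
        :resheader Access-Control-Allow-Methods:
        :resheader Access-Control-Allow-Credentials:
        :resheader Access-Control-Expose-Headers:
        :resheader X-Rucio-Auth-Token: The authentication token
        :status 200: Successfully signed URL
        :status 400: Bad Request
        :status 401: Unauthorized
        :status 500: Internal Server Error
        """

        response = Response()
        # NOTE(review): the request Origin is echoed back together with
        # Allow-Credentials: true, which allows credentialed cross-site
        # requests from any origin; consider an allowlist of trusted origins.
        response.headers['Access-Control-Allow-Origin'] = request.environ.get(
            'HTTP_ORIGIN')
        response.headers['Access-Control-Allow-Headers'] = request.environ.get(
            'HTTP_ACCESS_CONTROL_REQUEST_HEADERS')
        response.headers['Access-Control-Allow-Methods'] = '*'
        response.headers['Access-Control-Allow-Credentials'] = 'true'
        response.headers[
            'Access-Control-Expose-Headers'] = 'X-Rucio-Auth-Token'

        response.headers['Content-Type'] = 'application/octet-stream'
        # One combined value: assigning Cache-Control twice kept only the
        # second value and dropped no-store, so the response could be cached.
        response.headers['Cache-Control'] = (
            'no-cache, no-store, max-age=0, must-revalidate, '
            'post-check=0, pre-check=0')
        response.headers['Pragma'] = 'no-cache'

        account = request.environ.get('HTTP_X_RUCIO_ACCOUNT')
        appid = request.environ.get('HTTP_X_RUCIO_APPID')
        if appid is None:
            appid = 'unknown'
        # X-Forwarded-For is client-supplied unless a trusted proxy rewrites
        # it, so this value is only reliable behind such a proxy.
        ip = request.environ.get('HTTP_X_FORWARDED_FOR')
        if ip is None:
            ip = request.remote_addr

        # NOTE(review): the return value of validate_auth_token is discarded
        # and `account` comes from a separate client header. If an invalid
        # token is signalled by a falsy return rather than an exception, or
        # the token belongs to another account, nothing here rejects it --
        # confirm against validate_auth_token.
        try:
            validate_auth_token(request.environ.get('HTTP_X_RUCIO_AUTH_TOKEN'))
        except AccessDenied:
            return generate_http_error_flask(
                401, 'CannotAuthenticate',
                'Cannot authenticate to account %(account)s with given credentials'
                % {'account': account})
        except RucioException as error:
            return generate_http_error_flask(500, error.__class__.__name__,
                                             error.args[0])
        except Exception as error:
            print(format_exc())
            # An exception object is not a valid response body; send its text.
            # NOTE(review): this exposes internal error text to the client.
            return str(error), 500

        try:
            # NOTE(review): confirm `request.query` exists on this request
            # object; Flask exposes the raw query as `request.query_string`
            # (bytes, without the leading '?').
            params = parse_qs(request.query[1:])
            lifetime = params.get('lifetime', [600])[0]
            service = params.get('svc', ['gcs'])[0]
            operation = params.get('op', ['read'])[0]
            url = params.get('url', [None])[0]
        except ValueError:
            return generate_http_error_flask(
                400, 'ValueError', 'Cannot decode json parameter list')

        # parse_qs yields strings, while the default above is the int 600;
        # normalise so get_signed_url always receives an int.
        # NOTE(review): no upper bound on lifetime is enforced here.
        try:
            lifetime = int(lifetime)
        except (TypeError, ValueError):
            return generate_http_error_flask(
                400, 'ValueError', 'Parameter "lifetime" must be an integer')

        if service != 'gcs':
            return generate_http_error_flask(
                400, 'ValueError',
                'Parameter "svc" must be either empty(=gcs), or gcs')

        if url is None:
            return generate_http_error_flask(400, 'ValueError',
                                             'Parameter "url" not found')

        if operation not in ['read', 'write', 'delete']:
            return generate_http_error_flask(
                400, 'ValueError',
                'Parameter "op" must be either empty(=read), read, write, or delete.'
            )

        try:
            # NOTE(review): the validated `operation` is not forwarded; every
            # URL is signed for 'read'. Confirm the intent before passing
            # operation=operation, because that widens what can be signed.
            result = get_signed_url(account,
                                    appid,
                                    ip,
                                    service=service,
                                    operation='read',
                                    url=url,
                                    lifetime=lifetime)
        except RucioException as error:
            return generate_http_error_flask(500, error.__class__.__name__,
                                             error.args[0])
        except Exception as error:
            print(format_exc())
            return str(error), 500

        if not result:
            return generate_http_error_flask(
                401, 'CannotAuthenticate',
                'Cannot generate signed URL for account %(account)s' %
                {'account': account})

        # The signed URL was computed but never placed in the response.
        response.set_data(str(result))
        return response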
コード例 #4
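    def GET(self):
        """
        Sign a URL for a particular service and return it.

        Query parameters: ``url`` is required; ``lifetime`` defaults to 600,
        ``svc`` to ``gcs`` and ``op`` to ``read``.

        HTTP Success:
            200 OK

        HTTP Error:
            400 Bad Request
            401 Unauthorized
            406 Not Acceptable
            500 Internal Server Error

        :param Rucio-VO: VO name as a string (Multi-VO only).
        :param Rucio-Account: Account identifier as a string.
        :param Rucio-AppID: Application identifier as a string.

        :returns: Signed URL.
        """

        vo = ctx.env.get('HTTP_X_RUCIO_VO')
        account = ctx.env.get('HTTP_X_RUCIO_ACCOUNT')
        appid = ctx.env.get('HTTP_X_RUCIO_APPID')
        if appid is None:
            appid = 'unknown'
        # X-Forwarded-For is client-supplied unless a trusted proxy rewrites
        # it, so this value is only reliable behind such a proxy.
        ip = ctx.env.get('HTTP_X_FORWARDED_FOR')
        if ip is None:
            ip = ctx.ip

        # NOTE(review): the return value of validate_auth_token is discarded
        # and `account` comes from a separate client header. If an invalid
        # token is signalled by a falsy return rather than an exception, or
        # the token belongs to another account, nothing here rejects it --
        # confirm against validate_auth_token.
        try:
            validate_auth_token(ctx.env.get('HTTP_X_RUCIO_AUTH_TOKEN'))
        except RucioException as e:
            # NOTE(review): this handler reads e.args[0][0], the later one
            # reads e.args[0]; if args[0] is a string this is only its first
            # character -- confirm which shape RucioException carries.
            raise generate_http_error(500, e.__class__.__name__, e.args[0][0])
        except Exception as e:
            print(format_exc())
            raise InternalError(e)

        try:
            # ctx.query is sliced from index 1 before parsing, which drops
            # its first character.
            params = parse_qs(ctx.query[1:])
            lifetime = params.get('lifetime', [600])[0]
            service = params.get('svc', ['gcs'])[0]
            operation = params.get('op', ['read'])[0]
            url = params.get('url', [None])[0]
        except ValueError:
            raise generate_http_error(400, 'ValueError',
                                      'Cannot decode json parameter list')

        # parse_qs yields strings, while the default above is the int 600;
        # normalise so get_signed_url always receives an int, and reject
        # anything that is not a number instead of passing it downstream.
        # NOTE(review): no upper bound on lifetime is enforced here; confirm
        # that get_signed_url or the storage backend caps it.
        try:
            lifetime = int(lifetime)
        except (TypeError, ValueError):
            raise generate_http_error(400, 'ValueError',
                                      'Parameter "lifetime" must be an integer')

        if service not in ['gcs', 's3', 'swift']:
            raise generate_http_error(
                400, 'ValueError',
                'Parameter "svc" must be either empty(=gcs), gcs, s3 or swift')

        if url is None:
            raise generate_http_error(400, 'ValueError',
                                      'Parameter "url" not found')

        if operation not in ['read', 'write', 'delete']:
            raise generate_http_error(
                400, 'ValueError',
                'Parameter "op" must be either empty(=read), read, write, or delete.'
            )

        try:
            result = get_signed_url(account,
                                    appid,
                                    ip,
                                    service=service,
                                    operation=operation,
                                    url=url,
                                    lifetime=lifetime,
                                    vo=vo)
        except RucioException as e:
            raise generate_http_error(500, e.__class__.__name__, e.args[0])
        except Exception as e:
            print(format_exc())
            raise InternalError(e)

        if not result:
            raise generate_http_error(
                401, 'CannotAuthenticate',
                'Cannot generate signed URL for account %(account)s' %
                {'account': account})

        return result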
コード例 #5
ファイル: credentials.py プロジェクト: rak108/rucio
    def get(self):
        """
        ---
        summary: Sign URL
        description: Sign a url for a limited lifetime for a particular service.
        tags:
          - Credentials
        parameters:
        - name: rse
          in: query
          description: The RSE to authenticate against.
          schema:
            type: string
          required: true
        - name: lifetime
          in: query
          description: The lifetime, default 600s.
          schema:
            type: string
          required: false
        - name: svc
          in: query
          description: The service, default gcs.
          schema:
            type: string
          required: false
        - name: op
          in: query
          description: The operation.
          schema:
            type: string
          required: false
        - name: url
          in: query
          description: The Url of the authentication.
          schema:
            type: string
          required: true
        requestBody:
          content:
            'application/octet-stream':
              schema:
                type: object
                properties:
                  X-Rucio-Account:
                    description: Account identifier.
                    type: string
                  X-Rucio-VO:
                    description: VO name (Multi-VO only).
                    type: string
                  X-Rucio-AppID:
                    description: Application identifier.
                    type: string
        responses:
          200:
            description: OK
            content:
              application/json:
                schema:
                  type: array
                  items:
                    type: object
                    description: An account attribute.
                    properties:
                      key:
                        description: The key of the account attribute.
                        type: string
                      value:
                        description: The value of the account attribute.
                        type: string
          401:
            description: Invalid Auth Token
          400:
            description: bad request, no rse or url found.
          406:
            description: Not acceptable.
        """
        # NOTE(review): the spec above lists the X-Rucio-* values under
        # requestBody although the code reads them from request headers, and
        # its 200 schema describes account attributes although the handler
        # returns str(result) -- the spec should be aligned with the code.
        headers = self.get_headers()

        def bad_request(message):
            # Every validation failure below is a 400 tagged as ValueError.
            return generate_http_error_flask(400,
                                             ValueError.__name__,
                                             message,
                                             headers=headers)

        # NOTE(review): no token check is visible in this method; presumably
        # it is enforced outside this view -- confirm, because the account
        # is read from a client-supplied header.
        incoming = request.headers
        vo = extract_vo(incoming)
        account = incoming.get('X-Rucio-Account', default=None)
        appid = incoming.get('X-Rucio-AppID', default='unknown')
        # X-Forwarded-For is client-supplied unless a trusted proxy rewrites
        # it, so this value is only reliable behind such a proxy.
        ip = incoming.get('X-Forwarded-For', default=request.remote_addr)

        args = request.args
        if 'rse' not in args:
            return bad_request('Parameter "rse" not found')
        if 'url' not in args:
            return bad_request('Parameter "url" not found')

        service = args.get('svc', default='gcs')
        if service not in ('gcs', 's3', 'swift'):
            return bad_request(
                'Parameter "svc" must be either empty(=gcs), gcs, s3 or swift')

        operation = args.get('op', default='read')
        if operation not in ('read', 'write', 'delete'):
            return bad_request(
                'Parameter "op" must be either empty(=read), read, write, or delete.')

        # A lifetime that does not parse as an int silently becomes 600.
        # NOTE(review): no bound on lifetime is enforced here; confirm that
        # get_signed_url or the storage backend caps it.
        signing_options = {
            'rse': args.get('rse'),
            'service': service,
            'operation': operation,
            'url': args.get('url'),
            'lifetime': args.get('lifetime', type=int, default=600),
            'vo': vo,
        }
        result = get_signed_url(account, appid, ip, **signing_options)

        if result:
            return str(result), 200, headers

        return generate_http_error_flask(
            401,
            CannotAuthenticate.__name__,
            f'Cannot generate signed URL for account {account}',
            headers=headers)