def post(self):
"""
.. :quickref: SAML;
:status 200: OK
"""
if not EXTRA_MODULES['onelogin']:
return "SAML not configured on the server side.", 200, [
('X-Rucio-Auth-Token', '')
]
SAML_PATH = config_get('saml', 'config_path')
req = prepare_saml_request(request.environ,
dict(request.args.items(multi=False)))
auth = OneLogin_Saml2_Auth(req, custom_base_path=SAML_PATH)
auth.process_response()
errors = auth.get_errors()
if not errors:
if auth.is_authenticated():
response = Response()
response.set_cookie('saml-nameid',
value=auth.get_nameid(),
path='/')
return response
return '', 200
def get(self):
"""
.. :quickref: SAML;
:status 200: OK
:status 401: Unauthorized
:reqheader Rucio-VO: VO name as a string (Multi-VO only)
:reqheader Rucio-Account: Account identifier as a string.
:reqheader Rucio-Username: Username as a string.
:reqheader Rucio-Password: Password as a string.
:reqheader Rucio-AppID: Application identifier as a string.
:resheader X-Rucio-SAML-Auth-URL: as a variable-length string header.
"""
headers = Headers()
headers.set('Access-Control-Allow-Origin', request.environ.get('HTTP_ORIGIN'))
headers.set('Access-Control-Allow-Headers', request.environ.get('HTTP_ACCESS_CONTROL_REQUEST_HEADERS'))
headers.set('Access-Control-Allow-Methods', '*')
headers.set('Access-Control-Allow-Credentials', 'true')
headers.set('Access-Control-Expose-Headers', 'X-Rucio-Auth-Token')
headers.set('Content-Type', 'application/octet-stream')
headers.set('Cache-Control', 'no-cache, no-store, max-age=0, must-revalidate')
headers.add('Cache-Control', 'post-check=0, pre-check=0')
headers.set('Pragma', 'no-cache')
if not EXTRA_MODULES['onelogin']:
return "SAML not configured on the server side.", 400, headers
saml_nameid = cookies().get('saml-nameid')
vo = request.headers.get('X-Rucio-VO', default='def')
account = request.headers.get('X-Rucio-Account', default=None)
appid = request.headers.get('X-Rucio-AppID', default='unknown')
ip = request.headers.get('X-Forwarded-For', default=request.remote_addr)
if saml_nameid:
try:
result = get_auth_token_saml(account, saml_nameid, appid, ip, vo=vo)
except AccessDenied:
return generate_http_error_flask(401, 'CannotAuthenticate', 'Cannot authenticate to account %(account)s with given credentials' % locals(), headers=headers)
except RucioException as error:
return generate_http_error_flask(500, error.__class__.__name__, error.args[0], headers=headers)
except Exception as error:
logging.exception("Internal Error")
return str(error), 500, headers
if not result:
return generate_http_error_flask(401, 'CannotAuthenticate', 'Cannot authenticate to account %(account)s with given credentials' % locals(), headers=headers)
headers.set('X-Rucio-Auth-Token', result.token)
headers.set('X-Rucio-Auth-Token-Expires', date_to_str(result.expired_at))
return '', 200, headers
# Path to the SAML config folder
SAML_PATH = config_get('saml', 'config_path')
req = prepare_saml_request(request.environ, dict(request.args.items(multi=False)))
auth = OneLogin_Saml2_Auth(req, custom_base_path=SAML_PATH)
headers.set('X-Rucio-SAML-Auth-URL', auth.login())
return '', 200, headers
def POST(self):
if not EXTRA_MODULES['onelogin']:
header('X-Rucio-Auth-Token', None)
return "SAML not configured on the server side."
SAML_PATH = config_get('saml', 'config_path')
req = prepare_saml_request(ctx.env, dict(param_input()))
auth = OneLogin_Saml2_Auth(req, custom_base_path=SAML_PATH)
auth.process_response()
errors = auth.get_errors()
if not errors:
if auth.is_authenticated():
setcookie('saml-nameid', value=auth.get_nameid(), path='/')
def GET(self):
"""
HTTP Success:
200 OK
HTTP Error:
401 Unauthorized
:param Rucio-VO: VO name as a string (Multi-VO only)
:param Rucio-Account: Account identifier as a string.
:param Rucio-Username: Username as a string.
:param Rucio-Password: Password as a string.
:param Rucio-AppID: Application identifier as a string.
:returns: "X-Rucio-SAML-Auth-URL" as a variable-length string header.
"""
header('Access-Control-Allow-Origin', ctx.env.get('HTTP_ORIGIN'))
header('Access-Control-Allow-Headers',
ctx.env.get('HTTP_ACCESS_CONTROL_REQUEST_HEADERS'))
header('Access-Control-Allow-Methods', '*')
header('Access-Control-Allow-Credentials', 'true')
header('Access-Control-Expose-Headers', 'X-Rucio-Auth-Token')
header('Content-Type', 'application/octet-stream')
header('Cache-Control',
'no-cache, no-store, max-age=0, must-revalidate')
header('Cache-Control', 'post-check=0, pre-check=0', False)
header('Pragma', 'no-cache')
if not EXTRA_MODULES['onelogin']:
header('X-Rucio-Auth-Token', None)
return "SAML not configured on the server side."
saml_nameid = cookies().get('saml-nameid')
vo = ctx.env.get('HTTP_X_RUCIO_VO', 'def')
account = ctx.env.get('HTTP_X_RUCIO_ACCOUNT')
appid = ctx.env.get('HTTP_X_RUCIO_APPID')
if appid is None:
appid = 'unknown'
ip = ctx.env.get('HTTP_X_FORWARDED_FOR')
if ip is None:
ip = ctx.ip
if saml_nameid:
try:
result = get_auth_token_saml(account,
saml_nameid,
appid,
ip,
vo=vo)
except AccessDenied:
raise generate_http_error(
401, 'CannotAuthenticate',
'Cannot authenticate to account %(account)s with given credentials'
% locals())
except RucioException as error:
raise generate_http_error(500, error.__class__.__name__,
error.args[0])
except Exception as error:
print(format_exc())
raise InternalError(error)
if not result:
raise generate_http_error(
401, 'CannotAuthenticate',
'Cannot authenticate to account %(account)s with given credentials'
% locals())
header('X-Rucio-Auth-Token', result.token)
header('X-Rucio-Auth-Token-Expires',
date_to_str(result.expired_at))
return str()
# Path to the SAML config folder
SAML_PATH = config_get('saml', 'config_path')
request = ctx.env
data = dict(param_input())
req = prepare_saml_request(request, data)
auth = OneLogin_Saml2_Auth(req, custom_base_path=SAML_PATH)
header('X-Rucio-SAML-Auth-URL', auth.login())
return str()
def get(self):
"""
.. :quickref: SAML;
:status 200: OK
:status 401: Unauthorized
:reqheader Rucio-VO: VO name as a string (Multi-VO only)
:reqheader Rucio-Account: Account identifier as a string.
:reqheader Rucio-Username: Username as a string.
:reqheader Rucio-Password: Password as a string.
:reqheader Rucio-AppID: Application identifier as a string.
:resheader X-Rucio-SAML-Auth-URL: as a variable-length string header.
"""
headers = self.get_headers()
headers.set('Content-Type', 'application/octet-stream')
headers.set('Cache-Control',
'no-cache, no-store, max-age=0, must-revalidate')
headers.add('Cache-Control', 'post-check=0, pre-check=0')
headers.set('Pragma', 'no-cache')
if not EXTRA_MODULES['onelogin']:
return "SAML not configured on the server side.", 400, headers
saml_nameid = cookies().get('saml-nameid')
vo = request.headers.get('X-Rucio-VO', default='def')
account = request.headers.get('X-Rucio-Account', default=None)
appid = request.headers.get('X-Rucio-AppID', default='unknown')
ip = request.headers.get('X-Forwarded-For',
default=request.remote_addr)
if saml_nameid:
try:
result = get_auth_token_saml(account,
saml_nameid,
appid,
ip,
vo=vo)
except AccessDenied:
return generate_http_error_flask(
status_code=401,
exc=CannotAuthenticate.__name__,
exc_msg=
f'Cannot authenticate to account {account} with given credentials',
headers=headers)
if not result:
return generate_http_error_flask(
status_code=401,
exc=CannotAuthenticate.__name__,
exc_msg=
f'Cannot authenticate to account {account} with given credentials',
headers=headers)
headers.set('X-Rucio-Auth-Token', result.token)
headers.set('X-Rucio-Auth-Token-Expires',
date_to_str(result.expired_at))
return '', 200, headers
# Path to the SAML config folder
SAML_PATH = config_get('saml', 'config_path')
req = prepare_saml_request(request.environ,
dict(request.args.items(multi=False)))
auth = OneLogin_Saml2_Auth(req, custom_base_path=SAML_PATH)
headers.set('X-Rucio-SAML-Auth-URL', auth.login())
return '', 200, headers