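def get(self):
    """
    Handle the OIDC redirect endpoint for browsers and polling clients.

    ``redirect_auth_oidc`` is called with the raw query string and a flag
    derived from the ``X-Rucio-Client-Fetch-Token`` request header.  With the
    flag set the returned value is handed back in the ``X-Rucio-Auth-Token``
    response header; without it the caller is redirected (303) to the URL the
    helper returned.

    .. :quickref: OIDC;

    :status 200: OK
    :status 303: Redirect
    :status 401: Unauthorized
    :status 500: Internal Server Error
    :resheader X-Rucio-Auth-Token: The authentication token
    """
    headers = self.get_headers()
    # interaction with web browser - display response in html format
    headers.set('Content-Type', 'text/html')
    # Responses on this path carry credentials: forbid caching by browsers and proxies.
    headers.set('Cache-Control', 'no-cache, no-store, max-age=0, must-revalidate')
    headers.add('Cache-Control', 'post-check=0, pre-check=0')
    headers.set('Pragma', 'no-cache')
    try:
        # The header is client-controlled; only the exact string 'True' enables token fetching.
        fetchtoken = (request.headers.get('X-Rucio-Client-Fetch-Token', default=None) == 'True')
        query_string = request.query_string.decode(encoding='utf-8')
        result = redirect_auth_oidc(query_string, fetchtoken)
    except AccessDenied:
        headers.extend(
            error_headers(
                CannotAuthenticate.__name__,
                'Cannot authorize your access, please check your access credentials'
            ))
        return render_template('auth_crash.html', crashtype='contact'), 401, headers
    except Exception as error:
        logging.exception("Internal Error")
        # An exception raised without arguments has an empty ``args`` tuple;
        # indexing it here would raise IndexError inside the handler and turn
        # the templated 500 into a bare one.
        detail = str(error.args[0]) if error.args else str(error)
        # NOTE(review): the exception text is echoed to the client in a response
        # header; internal error messages must not contain secrets.
        headers.extend(
            error_headers(error.__class__.__name__, detail))
        return render_template('auth_crash.html', crashtype='internal_error'), 500, headers
    if not result:
        headers.extend(
            error_headers(
                CannotAuthenticate.__name__,
                'Cannot finalize your token request, no authorization content returned from the auth server'
            ))
        return render_template('auth_crash.html', crashtype='no_result'), 401, headers
    if fetchtoken:
        # this is only a case of returning the final token to the Rucio Client polling
        # or requesting token after copy-pasting the Rucio code from the web page page
        headers.set('Content-Type', 'application/octet-stream')
        headers.set('X-Rucio-Auth-Token', result)
        return '', 200, headers
    # Browser flow: ``result`` is used verbatim as the redirect target.
    response = redirect(result, code=303)
    response.headers.extend(headers)
    return response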
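def get(self):
    """
    Render the outcome of an OIDC token request as an HTML page.

    ``get_token_oidc`` is called with the raw query string and the client
    address.  A ``fetchcode`` in its result is rendered for the user, a
    ``polling`` flag equal to ``True`` renders the ``allok`` page, and any
    other result is answered with 400.

    .. :quickref: OIDC;

    :status 200: OK
    :status 400: Bad Request
    :status 401: Unauthorized
    :status 500: Internal Server Error
    """
    headers = self.get_headers()
    headers.set('Content-Type', 'text/html')
    # Pages on this path carry authorization codes: keep them out of every cache.
    headers.set('Cache-Control', 'no-cache, no-store, max-age=0, must-revalidate')
    headers.add('Cache-Control', 'post-check=0, pre-check=0')
    headers.set('Pragma', 'no-cache')
    # NOTE(review): the whole X-Forwarded-For value is passed on as the client
    # address; it is client-supplied unless a trusted reverse proxy rewrites it
    # (and may be a comma-separated chain) — confirm the deployment.
    ip = request.headers.get('X-Forwarded-For', default=request.remote_addr)
    try:
        # Decoding is inside the try: a non-UTF-8 query string is client input
        # and gets the templated 500 instead of an unhandled exception.
        query_string = request.query_string.decode(encoding='utf-8')
        result = get_token_oidc(query_string, ip)
    except AccessDenied:
        headers.extend(
            error_headers(
                CannotAuthenticate.__name__,
                'Cannot authorize your access, please check your access credentials'
            ))
        return render_template('auth_crash.html', crashtype='contact'), 401, headers
    except Exception as error:
        logging.exception("Internal Error")
        # An exception raised without arguments has an empty ``args`` tuple;
        # indexing it here would raise IndexError inside the handler and turn
        # the templated 500 into a bare one.
        detail = str(error.args[0]) if error.args else str(error)
        # NOTE(review): the exception text is echoed to the client in a response
        # header; internal error messages must not contain secrets.
        headers.extend(
            error_headers(error.__class__.__name__, detail))
        return render_template('auth_crash.html', crashtype='internal_error'), 500, headers
    if not result:
        headers.extend(
            error_headers(
                CannotAuthenticate.__name__,
                'Cannot finalize your token request, no authorization content returned from the auth server'
            ))
        return render_template('auth_crash.html', crashtype='no_result'), 401, headers
    if 'fetchcode' in result:
        return render_template('auth_granted.html', authcode=result['fetchcode']), 200, headers
    if 'polling' in result and result['polling'] is True:
        return render_template('auth_granted.html', authcode='allok'), 200, headers
    headers.extend(
        error_headers('InvalidRequest', 'Cannot recognize and process your request'))
    return render_template('auth_crash.html', crashtype='bad_request'), 400, headers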
def get(self):
    """
    Exchange the OIDC callback query string for a Rucio token.

    ``get_token_oidc`` is called with the raw query string and the client
    address.  A result holding a ``token`` but no ``webhome`` is answered with
    the token in response headers; a result holding a ``webhome`` redirects the
    browser there (303) and stores the token in cookies; any other result is a
    400.

    .. :quickref: OIDC;

    :status 200: OK
    :status 303: Redirect
    :status 400: Bad Request
    :status 401: Unauthorized
    :resheader X-Rucio-Auth-Token: The authentication token
    :resheader X-Rucio-Auth-Token-Expires: The time when the token expires
    """
    headers = self.get_headers()
    headers.set('Content-Type', 'application/octet-stream')
    # Every response here may carry a token: forbid caching by browsers and proxies.
    headers.set('Cache-Control', 'no-cache, no-store, max-age=0, must-revalidate')
    headers.add('Cache-Control', 'post-check=0, pre-check=0')
    headers.set('Pragma', 'no-cache')

    query_string = request.query_string.decode(encoding='utf-8')
    # NOTE(review): the whole X-Forwarded-For value is passed on as the client
    # address; it is client-supplied unless a trusted reverse proxy rewrites it
    # (and may be a comma-separated chain) — confirm the deployment.
    ip = request.headers.get('X-Forwarded-For', default=request.remote_addr)

    # A denied request and an empty result get the same 401 answer.
    try:
        result = get_token_oidc(query_string, ip)
    except AccessDenied:
        result = None
    if not result:
        return generate_http_error_flask(401, CannotAuthorize.__name__, 'Cannot authorize token request.', headers=headers)

    if 'webhome' not in result:
        if 'token' not in result:
            return '', 400, headers
        # Client (non-browser) flow: token and expiry travel in headers.
        token = result['token']
        headers.set('X-Rucio-Auth-Token', token.token)
        headers.set('X-Rucio-Auth-Token-Expires', date_to_str(token.expired_at))
        return '', 200, headers

    webhome = result['webhome']
    if webhome is None:
        headers.extend(error_headers(CannotAuthenticate.__name__, 'Cannot find your OIDC identity linked to any Rucio account'))
        headers.set('Content-Type', 'text/html')
        return render_template('auth_crash.html', crashtype='unknown_identity'), 401, headers

    # domain setting is necessary so that the token gets distributed also to the webui server
    # NOTE(review): this drops the first host label (a.b.example -> b.example); a
    # webhome host with fewer than three labels yields a very broad or empty
    # cookie domain — confirm the values webhome can take.
    cookie_domain = '.'.join(urlparse(webhome).netloc.split('.')[1:])
    response = redirect(webhome, code=303)
    response.headers.extend(headers)
    # NOTE(review): the token cookie is set without secure/httponly/samesite
    # attributes; if the webui does not need to read it from JavaScript, httponly
    # (and secure when served over HTTPS) would narrow its exposure — confirm.
    token_value = result['token'].token
    response.set_cookie('x-rucio-auth-token', value=token_value, domain=cookie_domain, path='/')
    response.set_cookie('rucio-auth-token-created-at', value=str(time.time()), domain=cookie_domain, path='/')
    return response