Exemplo n.º 1
0
def get_access_token(args):
    access_token = None
    if isinstance(args.access_token, list) and len(args.access_token) > 0:
        # use only the first one for now:
        access_token = args.access_token[0]
        if access_token is not None and args.verbose > 1:
            print("Using AccessToken from Commandline")
    if access_token is None:
        # try commandline
        if args.oidc_agent_account is not None:
            try:
                access_token = agent.get_access_token(args.oidc_agent_account)
            except agent.OidcAgentError as e:
                print(F"Could not use oidc-agent: {e}")
            if access_token is not None and args.verbose > 1:
                print(
                    "Using AccessToken from oidc-agent (specified via commandline)"
                )
    if access_token is None:
        # try environment  for config
        env_vars_to_try = ["OIDC_AGENT_ACCOUNT"]
        for env_var in env_vars_to_try:
            if args.verbose > 2:
                print(F"trying {env_var}")
            account_name = os.getenv(env_var)
            if account_name is not None:
                try:
                    access_token = agent.get_access_token(account_name)
                except agent.OidcAgentError as e:
                    print(F"Could not use oidc-agent: {e}")
                    sys.exit(2)
                if access_token is not None and args.verbose > 1:
                    print(
                        F"Using AccessToken from Environment variable {env_var}"
                    )
                if access_token is not None:
                    break
    if access_token is None:
        # try environment for Access Token:
        env_vars_to_try = [
            "ACCESS_TOKEN", "OIDC", "OS_ACCESS_TOKEN", "OIDC_ACCESS_TOKEN",
            "WATTS_TOKEN", "WATTSON_TOKEN"
        ]
        for env_var in env_vars_to_try:
            access_token = os.getenv(env_var)
            if access_token is not None and args.verbose > 1:
                print(F"Using AccessToken from Environment variable {env_var}")
            if access_token is not None:
                break
    if access_token is None:
        print("No access token found")
        sys.exit(1)
    return access_token
Exemplo n.º 2
0
def get_token_from_oidc_agent(oidc_agent_account, quiet=False):
    """
    Get access token from oidc-agent

    :param quiet: If true, print no error message
    :param oidc_agent_account: account name in oidc-agent

    :return: access token, or None on error
    """

    if oidc_agent_account:
        try:
            access_token = agent.get_access_token(
                oidc_agent_account,
                min_valid_period=_MIN_ACCESS_TOKEN_TIME,
                application_hint="fedcloudclient",
            )
            return access_token
        except agent.OidcAgentError as exception:
            print_error(
                "Error during getting access token from oidc-agent\n"
                f"Error message: {exception}",
                quiet,
            )
    return None
Exemplo n.º 3
0
def  get_oidc_identities(n_iteration, headers, oidc_agent_name):
    token = None
    try:
        token = agent.get_access_token(oidc_agent_name,scope="scim:read")
        #print(token)
    except agent.OidcAgentError as e:
        print("ERROR oidc-agent: {}".format(e))
        return [], [], []

    if not token:
        print("Sync OIDC failed: no valid token retrieved")

    params = {}
    headers = {'Authorization': 'Bearer %s' % token, 'Content-type': 'application/json' }

    params = { 'startIndex': n_iteration*page_length + 1 }
    r = requests.get(iam_server+"scim/Users", headers=headers, params=params)

    tids = []
    usernames = []
    emails = []

    for user in json.loads(r.text)["Resources"]:
        username = user["displayName"]
        tid = user['id']
        for _email in user['emails']:
            if _email['primary']:
                email = _email['value']
                break
        if not email:
            print(f"NO PRIMARY EMAILS -- SKIPPING {tid}")
            continue
        #"emails":[{"type":"work","value":"*****@*****.**","primary":true}]
        if 'urn:indigo-dc:scim:schemas:IndigoUser' in user:
            if 'oidcIds' in user['urn:indigo-dc:scim:schemas:IndigoUser']:
                for oidcIds in user['urn:indigo-dc:scim:schemas:IndigoUser']['oidcIds']:
                    if "https://auth.cern.ch/auth/realms/cern" in oidcIds["issuer"]:
                        username = oidcIds['subject']

        tids.append(tid)
        usernames.append(username)
        emails.append(email)

    return tids, usernames, emails
Exemplo n.º 4
0
def s3_session_credentials(oidc_profile,
                           endpoint="https://minio.cloud.infn.it/",
                           verify=True):
    token = agent.get_access_token(oidc_profile, 60, "Example-Py-App")
    r = requests.post(endpoint,
                      data={
                          'Action': "AssumeRoleWithWebIdentity",
                          'Version': "2011-06-15",
                          'WebIdentityToken': token,
                          'DurationSeconds': 9000
                      },
                      verify=verify)

    tree = xmltodict.parse(r.content)

    credentials = dict(tree['AssumeRoleWithWebIdentityResponse']
                       ['AssumeRoleWithWebIdentityResult']['Credentials'])

    return dict(
        access_key=credentials['AccessKeyId'],
        secret_key=credentials['SecretAccessKey'],
        token=credentials['SessionToken'],
        # Silly that we basically stringify so it can be parsed again
        expiry_time=credentials['Expiration'])
Exemplo n.º 5
0
 def __call__(self, r):
     """Call method."""
     token = oidc.get_access_token(self.account)
     r.headers.update({'Authorization': "Bearer {}".format(token)})
     return r
Exemplo n.º 6
0
 def __call__(self, r):
     token = oidc.get_access_token(self.account)
     r.headers.update({'Authorization': "Bearer %s" % (token)})
     return r
Exemplo n.º 7
0
    "lagoproject.net": "egi-lago",
    "eosc-synergy.eu": "egi",
    "covid19.eosc-synergy.eu": "egi",
    "university.eosc-synergy.eu": "egi",
    "umsa.cerit-sc.cz": "egi",
    "o3as.data.kit.edu": "egi",
    "worsica.vo.incd.pt": "egi",
    "cryoem.instruct-eric.eu": "egi",
    "mswss.ui.savba.sk": "egi",
    "saps-vo.i3m.upv.es": "egi",
    "EOServices-vo.indra.es": "egi"
}
# "training.egi.eu": "egi",
# "mteam.data.kit.edu"

access_tokens = {an: agent.get_access_token(an) for an in account_names}

sites = fc_sites.list_sites()
vos = {}
for site in sites:
    vos[site] = [x["name"] for x in fc_sites.find_site_data(site)["vos"]]


# print (F"VOs: ")
# jprint(vos)
def synergy_filter(vox):
    if vox in SYNERGY_VOS:
        return vox
    return False
Exemplo n.º 8
0
def get_access_token(
    oidc_access_token,
    oidc_refresh_token,
    oidc_client_id,
    oidc_client_secret,
    oidc_url,
    oidc_agent_account,
):
    """
    Getting access token.
    Generate new access token from oidc-agent or refresh token (if given)
    or use existing token

    Check expiration time of access token
    Raise error if no valid token exists

    :param oidc_access_token:
    :param oidc_refresh_token:
    :param oidc_client_id:
    :param oidc_client_secret:
    :param oidc_url:
    :param oidc_agent_account:

    :return: access token
    """

    # First, try to get access token from oidc-agent
    if oidc_agent_account:
        try:
            access_token = agent.get_access_token(
                oidc_agent_account,
                min_valid_period=30,
                application_hint="fedcloudclient",
            )
            return access_token
        except agent.OidcAgentError as e:
            print("ERROR oidc-agent: {}".format(e))

    # Then try refresh token
    if oidc_refresh_token and oidc_client_id and oidc_client_secret and oidc_url:
        print(
            "WARNING: exposing refresh tokens is insecure and will be disabled in "
            "next version!",
            file=sys.stderr,
        )
        return token_refresh(oidc_client_id, oidc_client_secret,
                             oidc_refresh_token, oidc_url)["access_token"]

    # Then finally access token
    elif oidc_access_token:

        # Check expiration time of access token
        try:
            payload = jwt.decode(oidc_access_token,
                                 options={"verify_signature": False})
        except jwt.exceptions.InvalidTokenError:
            raise SystemExit("Error: Invalid access token.")

        expiration_timestamp = int(payload["exp"])
        current_timestamp = int(time.time())
        if current_timestamp > expiration_timestamp - 10:
            raise SystemExit(
                "The given access token has expired." +
                " Get new access token before continuing on operation")
        return oidc_access_token
    else:
        raise SystemExit(
            "Error: An access token is needed for the operation. You can specify "
            "access token directly via --oidc-access-token option or use oidc-agent "
            "via --oidc-agent-account")
Exemplo n.º 9
0
        client.del_identity(account=account, identity=identity, authtype='OIDC')

if __name__ == '__main__':
    """
    sync OIDC identities on user accounts
    """

    try:
        iam_server = os.environ.get("IAM_SERVER", "https://cms-auth.web.cern.ch/")
        oidc_agent_name = os.environ.get("OIDC_AGENT_NAME", "cms")
    except Exception as ex:
        print(ex)
        exit(1)

    try:
        token = agent.get_access_token(oidc_agent_name,scope="scim:read")
        #print(token)
    except agent.OidcAgentError as e:
        print("ERROR oidc-agent: {}".format(e))

    params = {}
    headers = {'Authorization': 'Bearer %s' % token, 'Content-type': 'application/json' }
    r = requests.get(iam_server+"scim/Users", headers=headers, params=params)

    #print(r.text)
    n_results = json.loads(r.text)['totalResults']

    n_iteration = 0
    tids_list = []
    usernames_list = []
    emails_list = []
Exemplo n.º 10
0
def main():

    args = parseOptions().parse_args()

    flaat = Flaat()

    flaat.set_verbosity(args.verbose)
    flaat.set_cache_lifetime(120)  # seconds; default is 300

    flaat.set_trusted_OP_list([
        'https://b2access.eudat.eu/oauth2/',
        'https://b2access-integration.fz-juelich.de/oauth2',
        'https://unity.helmholtz-data-federation.de/oauth2/',
        'https://login.helmholtz-data-federation.de/oauth2/',
        'https://login-dev.helmholtz.de/oauth2/',
        'https://login.helmholtz.de/oauth2/',
        'https://unity.eudat-aai.fz-juelich.de/oauth2/',
        'https://services.humanbrainproject.eu/oidc/',
        'https://accounts.google.com/', 'https://aai.egi.eu/oidc/',
        'https://aai-dev.egi.eu/oidc/', 'https://login.elixir-czech.org/oidc/',
        'https://iam-test.indigo-datacloud.eu/',
        'https://iam.deep-hybrid-datacloud.eu/',
        'https://iam.extreme-datacloud.eu/',
        'https://oidc.scc.kit.edu/auth/realms/kit/',
        'https://proxy.demo.eduteams.org', 'https://wlcg.cloud.cnaf.infn.it/'
    ])

    # if -in -ui or -at are specified, we set all to false:
    if args.show_user_info or args.show_access_token or args.show_introspection_info or args.quiet:
        args.show_all = False

    ## Get hold of an accesstoken:
    access_token = None
    # print(F"args.access_token: {args.access_token}")
    # print(F"Type of args.access_token: {type(args.access_token)}")
    # print(F"length of args.access_token: {len(args.access_token)}")
    if isinstance(args.access_token, list) and len(args.access_token) > 0:
        # use only the first one for now:
        access_token = args.access_token[0]
        if access_token is not None and args.verbose > 1:
            print("Using AccessToken from Commandline")

    if access_token is None:
        # try commandline
        if args.oidc_agent_account is not None:
            try:
                access_token = agent.get_access_token(args.oidc_agent_account)
            except agent.OidcAgentError as e:
                print(F"Could not use oidc-agent: {e}")
            if access_token is not None and args.verbose > 1:
                print(
                    "Using AccessToken from oidc-agent (specified via commandline)"
                )

    if access_token is None:
        # try environment  for config
        env_vars_to_try = ["OIDC_AGENT_ACCOUNT"]
        for env_var in env_vars_to_try:
            if args.verbose > 2:
                print(F"trying {env_var}")
            account_name = os.getenv(env_var)
            if account_name is not None:
                try:
                    access_token = agent.get_access_token(account_name)
                except agent.OidcAgentError as e:
                    print(F"Could not use oidc-agent: {e}")
                    sys.exit(2)
                if access_token is not None and args.verbose > 1:
                    print(
                        F"Using AccessToken from Environment variable {env_var}"
                    )
                if access_token is not None:
                    break
    if access_token is None:
        # try environment for Access Token:
        env_vars_to_try = [
            "ACCESS_TOKEN", "OIDC", "OS_ACCESS_TOKEN", "OIDC_ACCESS_TOKEN",
            "WATTS_TOKEN", "WATTSON_TOKEN"
        ]
        for env_var in env_vars_to_try:
            access_token = os.getenv(env_var)
            if access_token is not None and args.verbose > 1:
                print(F"Using AccessToken from Environment variable {env_var}")
            if access_token is not None:
                break

    if access_token is None:
        print("No access token found")
        sys.exit(1)

    ## Get actual info from the access token:
    accesstoken_info = flaat.get_info_thats_in_at(access_token)
    if args.show_access_token or args.show_all:
        if accesstoken_info is None:
            print(
                'Info: Your access token is not a JWT. I.e. it does not contain information (at least I cannot find it.)'
            )
        else:
            if args.verbose > 0:
                print(F"verbose: {args.verbose}")
                print('Information stored inside the access token:')
            print(
                json.dumps(accesstoken_info,
                           sort_keys=True,
                           indent=4,
                           separators=(',', ': ')))
        print('')

    user_info = flaat.get_info_from_userinfo_endpoints(access_token)
    if args.show_user_info or args.show_all:
        if user_info is None:
            print ('The response from the userinfo endpoint does not contain information (at least I cannot find it.)\n'\
                    'Submit an issue at https://github.com/indigo-dc/flaat if you feel this is wrong')
        else:
            if args.verbose > 0:
                print('Information retrieved from userinfo endpoint:')
            print(
                json.dumps(user_info,
                           sort_keys=True,
                           indent=4,
                           separators=(',', ': ')))
        print('')

    if args.client_id:
        flaat.set_client_id(args.client_id)
    if args.client_secret:
        flaat.set_client_secret(args.client_secret)
    introspection_info = flaat.get_info_from_introspection_endpoints(
        access_token)
    if args.show_introspection_info:
        if introspection_info is None:
            print ('The response from the introspection endpoint does not contain information (at least I cannot find it.)\n'\
                    'Submit an issue at https://github.com/indigo-dc/flaat if you feel this is wrong')
        else:
            print('Information retrieved from introspection endpoint:')
            print(
                json.dumps(introspection_info,
                           sort_keys=True,
                           indent=4,
                           separators=(',', ': ')))
        print('')

    timeleft = tokentools.get_timeleft(
        tokentools.merge_tokens(
            [accesstoken_info, user_info, introspection_info]))

    if timeleft is not None:
        if timeleft > 0:
            print('Token valid for %.1f more seconds.' % timeleft)
        else:
            print('Your token is already EXPIRED for %.1f seconds!' %
                  abs(timeleft))
        print('')