def __init__(self, configuration, debug=True):
super(XMLAPIConnector, self).__init__()
self.storage_ip = configuration.emc_nas_server
self.username = configuration.emc_nas_login
self.password = configuration.emc_nas_password
self.debug = debug
self.auth_url = 'https://' + self.storage_ip + '/Login'
self._url = 'https://{}/servlets/CelerraManagementServices'.format(
self.storage_ip)
context = enas_utils.create_ssl_context(configuration)
if context:
https_handler = url_request.HTTPSHandler(context=context)
else:
https_handler = url_request.HTTPSHandler()
cookie_handler = url_request.HTTPCookieProcessor(
http_cookiejar.CookieJar())
self.url_opener = url_request.build_opener(https_handler,
cookie_handler)
self._do_setup()
def open_no_proxy(*args, **kwargs):
# NOTE(jamespage):
# Deal with more secure certification chain verficiation
# introduced in python 2.7.9 under PEP-0476
# https://github.com/python/peps/blob/master/pep-0476.txt
if hasattr(ssl, "_create_unverified_context"):
opener = urlrequest.build_opener(
urlrequest.ProxyHandler({}),
urlrequest.HTTPSHandler(context=ssl._create_unverified_context()))
else:
opener = urlrequest.build_opener(urlrequest.ProxyHandler({}))
return opener.open(*args, **kwargs)
def _get_opener(self):
if not self.opener:
if (CONF.dashboard.disable_ssl_certificate_validation and
self._ssl_default_context_supported()):
ctx = ssl.create_default_context()
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE
self.opener = request.build_opener(
request.HTTPSHandler(context=ctx),
request.HTTPCookieProcessor())
else:
self.opener = request.build_opener(
request.HTTPCookieProcessor())
return self.opener
def __init__(self, token=None, url=API_URL_DEFAULT, format=FORMAT_DEFAULT):
self.url = url
self.token = token
self.format = format
self.opener = urlrequest.build_opener(urlrequest.HTTPSHandler())
def request(url, timeout=None, debug=False):
"""Request the given URL using LIGO.ORG SAML authentication.
This requires an active Kerberos ticket for the user, to get one:
>>> from ligo.org import kinit
>>> kinit('albert.einstein')
Then request as follows
>>> from ligo.org import request
>>> response = request(myurl)
>>> print(response.read())
Parameters
----------
url : `str`
URL path for request
timeout : `int`, optional, default: no timeout
number of seconds to wait for server response,
debug : `bool`, optional, default: `False`
Query in verbose debugging mode
Returns
-------
response : `file`-like
the raw response from the URL, probably XML/HTML or JSON
Examples
--------
>>> from ligo.org import request
>>> response = request('https://ldas-jobs.ligo.caltech.edu/')
>>> print(response.read())
"""
# set debug to 1 to see all HTTP(s) traffic
debug = int(debug)
# need an instance of HTTPS handler to do HTTPS
httpshandler = urllib2.HTTPSHandler(debuglevel=debug)
# use a cookie jar to store session cookies
jar = http_cookiejar.LWPCookieJar()
# if a cookie jar exists open it and read the cookies
# and make sure it has the right permissions
if os.path.exists(COOKIE_JAR):
os.chmod(COOKIE_JAR, stat.S_IRUSR | stat.S_IWUSR)
# set ignore_discard so that session cookies are preserved
try:
jar.load(COOKIE_JAR, ignore_discard=True)
except http_cookiejar.LoadError as e:
warnings.warn('http_cookiejar.LoadError caught: %s' % str(e))
# create a cookie handler from the cookie jar
cookiehandler = urllib2.HTTPCookieProcessor(jar)
# need a redirect handler to follow redirects
redirecthandler = urllib2.HTTPRedirectHandler()
# need an auth handler that can do negotiation.
# input parameter is the Kerberos service principal.
auth_handler = HTTPNegotiateAuthHandler(service_principal='HTTP@%s' %
LIGO_LOGIN_URL)
# create the opener.
opener = urllib2.build_opener(auth_handler, cookiehandler, httpshandler,
redirecthandler)
# prepare the request object
req = urllib2.Request(url)
# use the opener and the request object to make the request.
if timeout is None:
timeout = socket._GLOBAL_DEFAULT_TIMEOUT
response = opener.open(req, timeout=timeout)
# save the session cookies to a file so that they can
# be used again without having to authenticate
jar.save(COOKIE_JAR, ignore_discard=True)
return response
def get_handlers(self):
handlers = []
if self._verify_cert == False:
ctx = ssl.create_default_context()
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE
handler = request.HTTPSHandler(context=ctx)
handlers.append(handler)
from urllib.request import HTTPRedirectHandler
redirect_handler = HTTPRedirectHandler()
redirect_handler.max_redirections = 30
redirect_handler.max_repeats = 30
handlers.append(redirect_handler)
if self._username and self._password:
passman = request.HTTPPasswordMgrWithDefaultRealm()
passman.add_password(None, self._parsed_org_url, self._username,
self._password)
handlers.append(request.HTTPBasicAuthHandler(passman))
passman = request.HTTPPasswordMgrWithDefaultRealm()
passman.add_password(None, self._parsed_org_url, self._username,
self._password)
handlers.append(request.HTTPDigestAuthHandler(passman))
if os.name == 'nt':
try:
from arcgis._impl.common._iwa import NtlmSspiAuthHandler, KerberosSspiAuthHandler
auth_krb = KerberosSspiAuthHandler()
handlers.append(auth_krb)
try:
auth_NTLM = NtlmSspiAuthHandler()
handlers.append(auth_NTLM)
except:
pass
except Error as err:
_log.error(
"winkerberos packages is required for IWA authentication (NTLM and Kerberos)."
)
_log.error(
"Please install it:\n\tconda install winkerberos")
_log.error(str(err))
else:
_log.error(
'The GIS uses Integrated Windows Authentication which is currently only supported on the Windows platform'
)
if self._auth == "PKI" or \
(self.cert_file is not None and self.key_file is not None):
handlers.append(
HTTPSClientAuthHandler(self.key_file, self.cert_file))
elif self._portal_connection and \
self._portal_connection.cert_file is not None and \
self._portal_connection.key_file is not None:
handlers.append(
HTTPSClientAuthHandler(self._portal_connection.key_file,
self._portal_connection.cert_file))
cj = cookiejar.CookieJar()
if self.proxy_host: # Simple Proxy Support
from urllib.request import ProxyHandler
if self.proxy_port is None:
self.proxy_port = 80
proxies = {
"http": "http://%s:%s" % (self.proxy_host, self.proxy_port),
"https": "https://%s:%s" % (self.proxy_host, self.proxy_port)
}
proxy_support = ProxyHandler(proxies)
handlers.append(proxy_support)
handlers.append(request.HTTPCookieProcessor(cj))
return handlers
def request(url,
endpoint=IDP_ENDPOINTS['LIGO.ORG'],
use_kerberos=None,
debug=False):
"""Request the given URL using ECP shibboleth authentication
This requires an active Kerberos ticket for the user, to get one:
>>> from ligo.org import kinit
>>> kinit('albert.einstein')
Then request as follows
>>> from ligo.org import request
>>> response = request(myurl)
>>> print(response.read())
Adapted from
https://wiki.shibboleth.net/confluence/download/attachments/4358416/ecp.py
Parameters
----------
url : `str`
URL path for request
endpoint : `str`
ECP endpoint URL for request
use_kerberos : `bool`, optional
use existing kerberos credential for login, default is to try, but
fall back to username/password prompt
debug : `bool`, optional, default: `False`
query in verbose debugging mode
Returns
-------
response : `str`
the raw (decoded) response from the URL, probably XML/HTML or JSON
"""
login_host = urlparse(endpoint).netloc
# create a cookie jar and cookie handler (and read existing cookies)
cookie_jar = ECPCookieJar()
if os.path.exists(COOKIE_JAR):
try:
cookie_jar.load(COOKIE_JAR, ignore_discard=True)
except http_cookiejar.LoadError as e:
warnings.warn('Caught error loading ECP cookie: %s' % str(e))
cookie_handler = urllib_request.HTTPCookieProcessor(cookie_jar)
# need an instance of HTTPS handler to do HTTPS
httpsHandler = urllib_request.HTTPSHandler(debuglevel=0)
if debug:
httpsHandler.set_http_debuglevel(1)
# create the base opener object
opener = urllib_request.build_opener(cookie_handler, httpsHandler)
# get kerberos credentials if available
if use_kerberos is None:
try:
creds = klist()
except KerberosError:
use_kerberos = False
else:
if creds:
use_kerberos = True
else:
use_kerberos = False
if use_kerberos:
opener.add_handler(
HTTPNegotiateAuthHandler(service_principal='HTTP@%s' % login_host))
# -- intiate ECP request --------------------
# headers needed to indicate to the SP an ECP request
headers = {
'Accept':
'text/html; application/vnd.paos+xml',
'PAOS':
'ver="urn:liberty:paos:2003-08";'
'"urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"',
}
# request target from SP
request = urllib_request.Request(url=url, headers=headers)
response = opener.open(request)
# convert the SP resonse from string to etree Element object
sp_response = etree.XML(response.read())
# pick out the relay state element from the SP so that it can
# be included later in the response to the SP
namespaces = {
'ecp': 'urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp',
'S': 'http://schemas.xmlsoap.org/soap/envelope/',
'paos': 'urn:liberty:paos:2003-08'
}
relay_state = sp_response.xpath("//ecp:RelayState",
namespaces=namespaces)[0]
# make a deep copy of the SP response and then remove the header
# in order to create the package for the IdP
idp_request = deepcopy(sp_response)
header = idp_request[0]
idp_request.remove(header)
# -- authenticate with endpoint -------------
request = urllib_request.Request(endpoint,
data=etree.tostring(idp_request))
request.get_method = lambda: 'POST'
request.add_header('Content-Type', 'test/xml; charset=utf-8')
# get credentials for non-kerberos request
if not use_kerberos:
# prompt the user for a password
login = input("Enter username for %s: " % login_host)
password = getpass.getpass("Enter password for login '%s': " % login)
# combine the login and password, base64 encode, and send
# using the Authorization header
base64string = base64.encodestring(
('%s:%s' % (login, password)).encode()).decode().replace('\n', '')
request.add_header('Authorization', 'Basic %s' % base64string)
response = opener.open(request)
idp_response = etree.XML(response.read())
assertion_consumer_service = idp_response.xpath(
"/S:Envelope/S:Header/ecp:Response/@AssertionConsumerServiceURL",
namespaces=namespaces)[0]
# make a deep copy of the IdP response and replace its
# header contents with the relay state initially sent by
# the SP
sp_package = deepcopy(idp_response)
sp_package[0][0] = relay_state
headers = {'Content-Type': 'application/vnd.paos+xml'}
# POST the package to the SP
request = urllib_request.Request(url=assertion_consumer_service,
data=etree.tostring(sp_package),
headers=headers)
request.get_method = lambda: 'POST'
response = opener.open(request)
# -- cache cookies --------------------------
cookie_jar.save(COOKIE_JAR, ignore_discard=True)
# -- actually send GET ----------------------
request = urllib_request.Request(url=url)
response = opener.open(request)
return response.read()
#!/usr/bin/env python
print('If you get error "ImportError: No module named \'six\'"'+\
'install six:\n$ sudo pip install six')
import sys
import ssl
if sys.version_info[0] == 2:
import six
from six.moves.urllib import request
ctx = ssl.create_default_context()
ctx.verify_flags = ssl.VERIFY_DEFAULT
opener = request.build_opener(
request.ProxyHandler({'http': 'http://127.0.0.1:24000'}),
request.HTTPSHandler(context=ctx))
print(opener.open('https://lumtest.com/myip.json').read())
if sys.version_info[0] == 3:
import urllib.request
ctx = ssl.create_default_context()
ctx.verify_flags = ssl.VERIFY_DEFAULT
opener = urllib.request.build_opener(
urllib.request.ProxyHandler({'http': 'http://127.0.0.1:24000'}),
urllib.request.HTTPSHandler(context=ctx))
print(opener.open('https://lumtest.com/myip.json').read())
