Пример #1
def _get_dcostoken_by_post_with_creds(dcos_url, creds):
    """
    Exchange credentials for a DC/OS Authentication token.

    The credentials are sent as the JSON body of a POST to
    `acs/api/v1/auth/login`. They can be uid/password for
    username/password authentication, an OIDC ID token for the implicit
    OIDC flow (used for open DC/OS), or uid/token for service accounts
    (where token is a jwt token encoded with private key).

    On a 200 response the token is also written to the CLI config under
    `core.dcos_acs_token`.

    :param dcos_url: url to cluster
    :type dcos_url: str
    :param creds: credentials to login endpoint
    :type creds: {}
    :returns: DC/OS Authentication Token, or None when the login endpoint
        answers with any status other than 200
    :rtype: str | None
    """

    # NOTE(review): the credentials travel to whatever host and scheme
    # dcos_url names; TLS handling lives in http._request and is not
    # visible from this function -- confirm.
    login_url = '{}/acs/api/v1/auth/login'.format(dcos_url.rstrip('/'))
    reply = http._request('post', login_url, json=creds)

    if reply.status_code != 200:
        return None

    # a 200 body without a 'token' key raises KeyError here
    acs_token = reply.json()['token']
    # persist the token so later CLI calls can authenticate with it
    config.set_val("core.dcos_acs_token", acs_token)
    return acs_token
Пример #2
def header_challenge_auth(dcos_url):
    """
    Authenticate with the scheme named in the www-authenticate header.

    One unauthenticated HEAD request is sent to a protected endpoint. A 200
    answer means nothing more is needed. A 401 answer starts the login
    flow matching the advertised scheme, tried up to three times.

    :param dcos_url: url to cluster
    :type dcos_url: str
    :raises DCOSAuthenticationException: if no token was obtained after
        three attempts, or the probe returned neither 200 nor 401
    :rtype: None
    """

    # hit protected endpoint which will prompt for auth if cluster has auth;
    # the endpoint is an absolute path, so urljoin replaces any path that
    # dcos_url itself carries
    probe_url = urllib.parse.urljoin(
        dcos_url, '/pkgpanda/active.buildinfo.full.json')
    response = http._request('HEAD', probe_url)
    auth_scheme = _get_auth_scheme(response)

    # the probe is not repeated: every attempt looks at the same response
    attempts = 0
    while attempts < 3:
        attempts += 1
        status = response.status_code

        if status == 200:
            return
        if status != 401:
            continue

        if auth_scheme == "oauthjwt":
            # this header claims the cluster is open DC/OS 1.7, 1.8 or 1.9
            # and supports OIDC implicit auth
            token = _get_dcostoken_by_oidc_implicit_flow(dcos_url)
        else:
            # auth_scheme == "acsjwt"
            # this header claims the cluster is enterprise DC/OS 1.7, 1.8 or
            # 1.9 and supports username/password auth
            # NOTE(review): every scheme value other than "oauthjwt" lands
            # here and starts the uid/password flow; whether
            # _get_auth_scheme can return anything besides these two values
            # is not visible here -- confirm.
            token = _get_dcostoken_by_dcos_uid_password_auth(dcos_url)

        if token is not None:
            return

    raise DCOSAuthenticationException(response)
Пример #3
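def browser_prompt_auth(dcos_url, provider_info):
    """
    Get DC/OS Authentication token by browser prompt

    The token the user supplies is checked with an authenticated HEAD
    request against the cluster before it is stored in the CLI config
    under `core.dcos_acs_token`.

    :param dcos_url: url to cluster
    :type dcos_url: str
    :param provider_info: info about provider to auth with; must contain
        ``provider_info["config"]["start_flow_url"]``
    :type provider_info: dict
    :raises DCOSException: if the token check answers with anything other
        than 200 or 403
    :rtype: None
    """

    start_flow_url = provider_info["config"]["start_flow_url"].lstrip('/')
    if not urlparse(start_flow_url).netloc:
        # Relative flow URL: anchor it on the cluster. The leading slashes
        # were stripped above, so the separator must be put back here;
        # without it the path text is glued straight onto the end of
        # dcos_url and the result no longer points at the cluster.
        start_flow_url = dcos_url.rstrip('/') + '/' + start_flow_url
    # NOTE(review): a flow URL that already names a host is used as given,
    # with no scheme or host check in this function -- confirm the provider
    # info comes from a trusted source.

    dcos_token = _prompt_user_for_token(start_flow_url,
                                        "DC/OS Authentication Token")

    # verify token
    endpoint = '/pkgpanda/active.buildinfo.full.json'
    url = urllib.parse.urljoin(dcos_url, endpoint)
    response = http._request('HEAD', url, auth=http.DCOSAcsAuth(dcos_token))
    # 403 is accepted alongside 200 -- presumably the token was recognised
    # but lacks permission for this endpoint; confirm.
    if response.status_code in [200, 403]:
        config.set_val("core.dcos_acs_token", dcos_token)
    else:
        raise DCOSException("Authentication failed")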
Пример #4
def _get_dcostoken_by_post_with_creds(dcos_url, creds):
    """
    POST credentials to `acs/api/v1/auth/login` and return the DC/OS
    Authentication token from the reply.

    Accepted credentials are uid/password for username/password
    authentication, an OIDC ID token for the implicit OIDC flow (used for
    open DC/OS), or uid/token for service accounts (where token is a jwt
    token encoded with private key).

    A token received with a 200 reply is stored in the CLI config under
    `core.dcos_acs_token` as a side effect.

    :param dcos_url: url to cluster
    :type dcos_url: str
    :param creds: credentials to login endpoint
    :type creds: {}
    :returns: DC/OS Authentication Token; None for any non-200 reply
    :rtype: str | None
    """

    # NOTE(review): creds are sent to the host and scheme that dcos_url
    # names; certificate checking is up to http._request and cannot be
    # seen from here -- confirm.
    base_url = dcos_url.rstrip('/')
    response = http._request(
        'post', base_url + '/acs/api/v1/auth/login', json=creds)

    login_ok = response.status_code == 200
    # KeyError propagates if a 200 body carries no 'token' key
    token = response.json()['token'] if login_ok else None
    if login_ok:
        # keep the token for subsequent CLI requests
        config.set_val("core.dcos_acs_token", token)

    return token
Пример #5
def header_challenge_auth(dcos_url):
    """
    Run the login flow named by the cluster's www-authenticate header.

    One unauthenticated HEAD request is sent to a protected endpoint. When
    it answers 401, the flow matching the advertised scheme is tried up to
    three times until it yields a token.

    :param dcos_url: url to cluster
    :type dcos_url: str
    :raises DCOSAuthenticationException: if no token was obtained, which
        includes every probe status other than 401
    :rtype: None
    """

    # hit protected endpoint which will prompt for auth if cluster has auth
    probe_url = urllib.parse.urljoin(
        dcos_url, '/pkgpanda/active.buildinfo.full.json')
    response = http._request('HEAD', probe_url)
    auth_scheme = _get_auth_scheme(response)

    # NOTE(review): the probe is never re-sent, so a status other than 401
    # (a 200 from a cluster without auth included) makes no progress in
    # this loop and ends in the exception below -- confirm callers only get
    # here when the cluster requires authentication.
    for _attempt in range(3):
        if response.status_code != 401:
            continue

        if auth_scheme == "oauthjwt":
            # this header claims the cluster is open DC/OS 1.7, 1.8 or 1.9
            # and supports OIDC implicit auth
            token = _get_dcostoken_by_oidc_implicit_flow(dcos_url)
        else:
            # auth_scheme == "acsjwt"
            # this header claims the cluster is enterprise DC/OS 1.7, 1.8 or
            # 1.9 and supports username/password auth
            # NOTE(review): any scheme value that is not "oauthjwt" takes
            # this uid/password branch; what _get_auth_scheme can return is
            # not visible here -- confirm.
            token = _get_dcostoken_by_dcos_uid_password_auth(dcos_url)

        if token is None:
            continue

        # Overwrite the probe's status on the local response object. The
        # object is not returned, so this matters only if something else
        # holds a reference to it -- TODO confirm.
        response.status_code = 200
        return

    raise DCOSAuthenticationException(response)
Пример #6
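def browser_prompt_auth(dcos_url, provider_info):
    """
    Get DC/OS Authentication token by browser prompt

    The user is pointed at the provider's start-flow URL and asked for the
    resulting token. The token is stored in the CLI config under
    `core.dcos_acs_token` only after an authenticated HEAD request to the
    cluster has accepted it.

    :param dcos_url: url to cluster
    :type dcos_url: str
    :param provider_info: info about provider to auth with; read as
        ``provider_info["config"]["start_flow_url"]``
    :type provider_info: dict
    :raises DCOSException: if the verification request returns a status
        other than 200 or 403
    :rtype: None
    """

    start_flow_url = provider_info["config"]["start_flow_url"].lstrip('/')
    if not urlparse(start_flow_url).netloc:
        # A flow URL without a host is relative to the cluster. Its leading
        # slashes were stripped above, so re-insert one separator; joining
        # the two strings directly would run the path into the end of
        # dcos_url and produce a URL that is not on the cluster.
        start_flow_url = '/'.join((dcos_url.rstrip('/'), start_flow_url))
    # NOTE(review): a flow URL that carries its own host is passed on
    # unchanged, with no scheme or host validation here -- confirm
    # provider_info is obtained from a trusted source.

    dcos_token = _prompt_user_for_token(
        start_flow_url, "DC/OS Authentication Token")

    # verify token
    endpoint = '/pkgpanda/active.buildinfo.full.json'
    url = urllib.parse.urljoin(dcos_url, endpoint)
    response = http._request('HEAD', url, auth=http.DCOSAcsAuth(dcos_token))
    # 403 counts as verified too -- presumably an accepted token without
    # access to this endpoint; confirm.
    if response.status_code not in [200, 403]:
        raise DCOSException("Authentication failed")

    config.set_val("core.dcos_acs_token", dcos_token)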