def __init__(self, OS_USERNAME: str = "", OS_PASSWORD: str = ""):
OS_USERNAME = OS_USERNAME or os.environ["OS_USERNAME"]
OS_PASSWORD = OS_PASSWORD or os.environ["OS_PASSWORD"]
OS_PROJECT_ID = "2dc0b65279674a42833a064ce3677297"
# from https://user.cscs.ch/storage/object_storage/usage_examples/tokens/
from keystoneauth1.identity import v3
from keystoneauth1 import session
from keystoneauth1.extras._saml2 import V3Saml2Password
from keystoneclient.v3 import client
saml_auth = V3Saml2Password(auth_url='https://pollux.cscs.ch:13000/v3',
identity_provider='cscskc',
protocol='mapped',
identity_provider_url='https://auth.cscs.ch/auth/realms/cscs/protocol/saml/',
username=OS_USERNAME,
password=OS_PASSWORD)
unscoped_sess = session.Session(auth=saml_auth)
kc_token = unscoped_sess.get_token()
#With the project id you can now request to the Keystone service a scoped token for project :
auth = v3.Token(auth_url=saml_auth.auth_url,
token=kc_token,
project_id=OS_PROJECT_ID)
scoped_sess = session.Session(auth=auth)
super().__init__(
OS_AUTH_TOKEN=scoped_sess.get_token(),
OS_STORAGE_URL=f"https://object.cscs.ch/v1/AUTH_{OS_PROJECT_ID}",
OS_IDENTITY_PROVIDER_URL=saml_auth.identity_provider_url,
OS_AUTH_URL=saml_auth.auth_url,
OS_PROTOCOL=saml_auth.protocol,
OS_IDENTITY_API_VERSION="3",
OS_AUTH_TYPE="token",
OS_IDENTITY_PROVIDER=saml_auth.identity_provider,
OS_INTERFACE="public",
OS_PROJECT_ID=OS_PROJECT_ID
)
def __init__(self, username, token=None):
self.username = username
if token:
auth = v3.Token(auth_url=OS_AUTH_URL, token=token)
else:
pwd = os.environ.get('CSCS_PASS')
if not pwd:
pwd = getpass.getpass("Password: "******"Couldn't authenticate! Incorrect username.")
except IndexError:
raise Exception("Couldn't authenticate! Incorrect password.")
self._ks_projects = {ksprj.name: ksprj
for ksprj in self._client.projects.list(user=self.user_id)}
self._projects = None
def v3tokens():
# parse request
body = flask.request.get_json()
headers = flask.request.headers
#print "IN v3tokens", body
# Prep the headers for the request to the server
headers = prep_client_headers(headers)
# Bypass requests without a password inside (e.g. for unscoped-to-scoped auth)
if 'password' not in body['auth']['identity']:
return proxy()
# Get the input from the body
user = body['auth']['identity']['password']['user']
username = user['name']
password = user['password']
# Log the new request
#print request.remote_addr, "XXX", time.strftime('%d/%m/%Y %H:%M:%S'), "Authenticating user:"******"%s - %s - Authenticating user: %s", request.remote_addr,
time.strftime('%d/%m/%Y %H:%M:%S'), username)
# get unscoped token via SAML
auth = V3Saml2Password(auth_url=REMOTE_HOST_URL + 'v3',
identity_provider=OS_IDENTITY_PROVIDER,
protocol=OS_PROTOCOL,
identity_provider_url=OS_IDENTITY_PROVIDER_URL,
username=username,
password=password)
# We should already have the right headers available, just take this one:
sess = session.Session(
auth=auth,
additional_headers={'X-Forwarded-For': headers['X-Forwarded-For']})
try:
token = sess.get_token(auth)
except:
return flask.Response("Error authenticating, maybe wrong password?",
status=401,
mimetype='application/json')
#print auth.get_auth_state()
#print auth.get_headers(sess)
#token = sess.get_auth_headers()['X-Auth-Token']
#print token
# patch original body (and keep the rest of the request)
del (body['auth']['identity'])
body['auth']['identity'] = {"methods": ["token"], "token": {"id": token}}
# get scoped token (or unscoped, depending on the original request)
r = requests.post(REMOTE_HOST_URL + 'v3/auth/tokens',
json=body,
headers=headers)
# forward response
return flask.Response(r.text,
headers=dict(r.headers),
status=r.status_code)
def get_keystone_token(settings):
# GETTING UNSCOPED TOKEN
# NEEDS LXML package
auth = V3Saml2Password(
identity_provider='cscskc',
protocol='mapped',
identity_provider_url=
'https://auth.cscs.ch/auth/realms/cscs/protocol/saml/',
auth_url=settings["os_auth_url"],
username=settings["os_username"],
password=settings["os_password"])
sess = session.Session(auth=auth)
# GETTING PROJECT SCOPED TOKEN USING PREVIOUS TOKEN
auth = v3.Token(auth_url=settings["os_auth_url"],
token=sess.get_token(),
project_id=settings["os_project_id"])
sess = session.Session(auth=auth)
return sess.get_token()
def authenticate(self, username, password):
try:
auth = V3Saml2Password(
auth_url=self.OS_AUTH_URL,
identity_provider=self.OS_IDENTITY_PROVIDER,
protocol=self.OS_PROTOCOL,
identity_provider_url=self.OS_IDENTITY_PROVIDER_URL,
username=username,
password=password)
sess = keystonesession.Session(auth=auth)
try:
log.info(sess.get_token())
except AttributeError as e:
log.info(e)
log.info(e.args)
auth = v3.token.Token(auth_url=self.OS_AUTH_URL,
token=sess.get_token(),
project_id=self.OS_PROJECT_ID)
sess = keystonesession.Session(auth=auth)
OS_TOKEN = sess.get_token()
return {"error": 0, "OS_TOKEN": OS_TOKEN}
except keystoneexception.http.BadRequest as e:
log.error(e)
log.error(e.message)
log.error(e.details)
return {"error": 1, "msg": e.message}
except Exception as e:
log.error(type(e))
return {"error": 1, "msg": e}
'OS_PROTOCOL'] if 'OS_PROTOCOL' in os.environ else 'mapped'
OS_INTERFACE = os.environ[
'OS_INTERFACE'] if 'OS_INTERFACE' in os.environ else 'public'
if 'OS_TOKEN' in os.environ:
# We've already been authenticated. We can just set the right variables
OS_TOKEN = os.environ['OS_TOKEN']
OS_USERNAME = os.environ['OS_USERNAME']
auth = v3.Token(auth_url=OS_AUTH_URL, token=OS_TOKEN)
else:
### Authenticate user:
OS_USERNAME = getpass.getpass("Username: "******"User info:", OS_USERNAME, sess.get_user_id()
if 'OS_PROJECT_ID' in os.environ:
# The token we've got from the environment is already scoped
OS_PROJECT_ID = os.environ['OS_PROJECT_ID']
else:
### List user's projects:
from keystoneclient.v3 import client
ks = client.Client(session=sess, interface=OS_INTERFACE)
projects = ks.projects.list(user=sess.get_user_id())
print "Available projects:", [t.name for t in projects]
def v2tokens():
# parse request
body = flask.request.get_json()
headers = flask.request.headers
# Prep the headers for the request to the server
headers = prep_client_headers(headers)
# Bypass requests without a password inside (e.g. for unscoped-to-scoped auth)
if 'passwordCredentials' not in body['auth']:
return proxy()
# Get the input from the body
username = body['auth']['passwordCredentials']['username']
password = body['auth']['passwordCredentials']['password']
# Log the new request
#print request.remote_addr, "XXX", time.strftime('%d/%m/%Y %H:%M:%S'), "Authenticating user:"******"%s - %s - Authenticating user: %s", request.remote_addr, time.strftime('%d/%m/%Y %H:%M:%S'), username)
# Check if the request is for a scoped token:
tenantId = None
tenantName = None
isScoped = False
if 'tenantId' in body['auth']:
tenantId = body['auth']['tenantId']
tenantDomain = None
isScoped = True
if 'tenantName' in body['auth']:
tenantName = body['auth']['tenantName']
tenantDomain = DEFAULT_DOMAIN
isScoped = True
# get unscoped token via SAML
auth = V3Saml2Password(auth_url=REMOTE_HOST_URL+'v3',
identity_provider=OS_IDENTITY_PROVIDER,
protocol=OS_PROTOCOL,
identity_provider_url=OS_IDENTITY_PROVIDER_URL,
# The next 3 are for scoped tokens
project_id=tenantId,
project_name=tenantName,
project_domain_name=tenantDomain,
username=username,
password=password)
# We should already have the right headers available, just take this one:
sess = session.Session(auth=auth, additional_headers={'X-Forwarded-For': headers['X-Forwarded-For']})
try:
token = sess.get_token(auth)
if isScoped:
# From now on, we just need to work with the Project ID, not the name
tenantID=sess.get_project_id()
except:
return flask.Response("Error authenticating, maybe wrong password?", status=401, mimetype='application/json')
# create new body to get the catalog without the password
newbody = {'auth' : {'token': {'id': token} } }
if isScoped:
# Otherwise we get an empty service catalog and nothing works
newbody['auth']['tenantId'] = tenantID
# resubmit request
r = requests.post(REMOTE_HOST_URL+'v2.0/tokens', json=newbody, headers=headers)
# forward response
return flask.Response(r.text, headers=dict(r.headers), status=r.status_code)
with open(str(int(time.time())) + ".txt", "w") as logfile:
logfile.write(container)
logfile.write("\r\n")
for tar in glob.glob("*.tar"):
print(time.asctime())
print(tar)
logfile.write(time.asctime())
logfile.write("\r\n")
if batch < time.monotonic():
logfile.write("login " + username)
logfile.write("\r\n")
batch = time.monotonic() + 60 * 60
auth = V3Saml2Password(
auth_url='https://pollux.cscs.ch:13000/v3',
identity_provider='cscskc',
protocol='mapped',
identity_provider_url=
'https://auth.cscs.ch/auth/realms/cscs/protocol/saml/',
username=username,
password=password)
sess = session.Session(auth=auth)
token = sess.get_token()
logfile.write(tar)
logfile.write("\r\n")
with open(tar, "rb") as tarfile:
req = requests.put(
"https://object.cscs.ch/v1/AUTH_08c08f9f119744cbbf77e216988da3eb/"
+ container + "/?extract-archive=tar",
data=tarfile,
headers={"X-Auth-Token": token})
os.rename(tar, "done/" + tar)
logfile.write(time.asctime())