def GET(self): """ HTTP Success: 200 OK HTTP Error: 401 Unauthorized :param Rucio-VO: VO name as a string (Multi-VO only). :param Rucio-Account: Account identifier as a string. :param Rucio-AppID: Application identifier as a string. :param SavedCredentials: Apache mod_auth_kerb SavedCredentials. :returns: "Rucio-Auth-Token" as a variable-length string header. """ header('Access-Control-Allow-Origin', ctx.env.get('HTTP_ORIGIN')) header('Access-Control-Allow-Headers', ctx.env.get('HTTP_ACCESS_CONTROL_REQUEST_HEADERS')) header('Access-Control-Allow-Methods', '*') header('Access-Control-Allow-Credentials', 'true') header('Access-Control-Expose-Headers', 'X-Rucio-Auth-Token') header('Content-Type', 'application/octet-stream') header('Cache-Control', 'no-cache, no-store, max-age=0, must-revalidate') header('Cache-Control', 'post-check=0, pre-check=0', False) header('Pragma', 'no-cache') vo = ctx.env.get('HTTP_X_RUCIO_VO', '') account = ctx.env.get('HTTP_X_RUCIO_ACCOUNT') gsscred = ctx.env.get('REMOTE_USER') appid = ctx.env.get('HTTP_X_RUCIO_APPID') if appid is None: appid = 'unknown' ip = ctx.env.get('HTTP_X_FORWARDED_FOR') if ip is None: ip = ctx.ip try: result = get_auth_token_gss(account, gsscred, appid, ip, vo=vo) except AccessDenied: raise generate_http_error( 401, 'CannotAuthenticate', 'Cannot authenticate to account %(account)s with given credentials' % locals()) if result is None: raise generate_http_error( 401, 'CannotAuthenticate', 'Cannot authenticate to account %(account)s with given credentials' % locals()) else: header('X-Rucio-Auth-Token', result.token) header('X-Rucio-Auth-Token-Expires', date_to_str(result.expired_at)) return str() raise BadRequest()
def get(self): """ Authenticate a Rucio account temporarily via a GSS token. .. :quickref: GSS; Authenticate with GSS token :reqheader Rucio-VO: VO name as a string (Multi-VO only). :reqheader Rucio-Account: Account identifier as a string. :reqheader Rucio-AppID: Application identifier as a string. :reqheader SavedCredentials: Apache mod_auth_kerb SavedCredentials. :resheader Access-Control-Allow-Origin: :resheader Access-Control-Allow-Headers: :resheader Access-Control-Allow-Methods: :resheader Access-Control-Allow-Credentials: :resheader Access-Control-Expose-Headers: :resheader X-Rucio-Auth-Token: The authentication token :status 200: Successfully authenticated :status 404: Invalid credentials """ headers = self.get_headers() headers['Content-Type'] = 'application/octet-stream' headers[ 'Cache-Control'] = 'no-cache, no-store, max-age=0, must-revalidate' headers.add('Cache-Control', 'post-check=0, pre-check=0') headers['Pragma'] = 'no-cache' vo = extract_vo(request.headers) account = request.headers.get('X-Rucio-Account', default=None) gsscred = request.environ.get('REMOTE_USER') appid = request.headers.get('X-Rucio-AppID', default='unknown') ip = request.headers.get('X-Forwarded-For', default=request.remote_addr) try: result = get_auth_token_gss(account, gsscred, appid, ip, vo=vo) except AccessDenied: return generate_http_error_flask( status_code=401, exc=CannotAuthenticate.__name__, exc_msg= f'Cannot authenticate to account {account} with given credentials', headers=headers) if result is None: return generate_http_error_flask( status_code=401, exc=CannotAuthenticate.__name__, exc_msg= f'Cannot authenticate to account {account} with given credentials', headers=headers) headers['X-Rucio-Auth-Token'] = result['token'] headers['X-Rucio-Auth-Token-Expires'] = date_to_str( result['expires_at']) return '', 200, headers
def get(self): """ Authenticate a Rucio account temporarily via a GSS token. .. :quickref: GSS; Authenticate with GSS token :reqheader Rucio-VO: VO name as a string (Multi-VO only). :reqheader Rucio-Account: Account identifier as a string. :reqheader Rucio-AppID: Application identifier as a string. :reqheader SavedCredentials: Apache mod_auth_kerb SavedCredentials. :resheader Access-Control-Allow-Origin: :resheader Access-Control-Allow-Headers: :resheader Access-Control-Allow-Methods: :resheader Access-Control-Allow-Credentials: :resheader Access-Control-Expose-Headers: :resheader X-Rucio-Auth-Token: The authentication token :status 200: Successfully authenticated :status 404: Invalid credentials """ response = Response() response.headers['Access-Control-Allow-Origin'] = request.environ.get('HTTP_ORIGIN') response.headers['Access-Control-Allow-Headers'] = request.environ.get('HTTP_ACCESS_CONTROL_REQUEST_HEADERS') response.headers['Access-Control-Allow-Methods'] = '*' response.headers['Access-Control-Allow-Credentials'] = 'true' response.headers['Access-Control-Expose-Headers'] = 'X-Rucio-Auth-Token' response.headers['Content-Type'] = 'application/octet-stream' response.headers['Cache-Control'] = 'no-cache, no-store, max-age=0, must-revalidate' response.headers['Cache-Control'] = 'post-check=0, pre-check=0' response.headers['Pragma'] = 'no-cache' vo = request.environ.get('HTTP_X_RUCIO_VO', 'def') account = request.environ.get('HTTP_X_RUCIO_ACCOUNT') gsscred = request.environ.get('REMOTE_USER') appid = request.environ.get('HTTP_X_RUCIO_APPID') if appid is None: appid = 'unknown' ip = request.environ.get('HTTP_X_FORWARDED_FOR') if ip is None: ip = request.remote_addr try: result = get_auth_token_gss(account, gsscred, appid, ip, vo=vo) except AccessDenied: return generate_http_error_flask(401, 'CannotAuthenticate', 'Cannot authenticate to account %(account)s with given credentials' % locals()) if result is None: return generate_http_error_flask(401, 'CannotAuthenticate', 'Cannot authenticate to account %(account)s with given credentials' % locals()) else: response.headers('X-Rucio-Auth-Token', result) return str() return 'BadRequest', 400
def test_auth_gss(self): """ MULTI VO (REST): Test gss authentication to multiple VOs """ mw = [] # Can't rely on `requests_kerberos` module being present, so get tokens from API instead token_tst = get_auth_token_gss('root', '*****@*****.**', 'unknown', None, **self.vo).token token_new = get_auth_token_gss('root', '*****@*****.**', 'unknown', None, **self.new_vo).token headers_tst = {'X-Rucio-Auth-Token': str(token_tst)} res_tst = TestApp(account_app.wsgifunc(*mw)).get('/', headers=headers_tst, expect_errors=True) assert_equal(res_tst.status, 200) accounts_tst = [parse_response(a)['account'] for a in res_tst.body.decode().split('\n')[:-1]] assert_not_equal(len(accounts_tst), 0) assert_in(self.account_tst, accounts_tst) assert_not_in(self.account_new, accounts_tst) headers_new = {'X-Rucio-Auth-Token': str(token_new)} res_new = TestApp(account_app.wsgifunc(*mw)).get('/', headers=headers_new, expect_errors=True) assert_equal(res_new.status, 200) accounts_new = [parse_response(a)['account'] for a in res_new.body.decode().split('\n')[:-1]] assert_not_equal(len(accounts_new), 0) assert_in(self.account_new, accounts_new) assert_not_in(self.account_tst, accounts_new)
def get(self): """ Authenticate a Rucio account temporarily via a GSS token. .. :quickref: GSS; Authenticate with GSS token :reqheader Rucio-VO: VO name as a string (Multi-VO only). :reqheader Rucio-Account: Account identifier as a string. :reqheader Rucio-AppID: Application identifier as a string. :reqheader SavedCredentials: Apache mod_auth_kerb SavedCredentials. :resheader Access-Control-Allow-Origin: :resheader Access-Control-Allow-Headers: :resheader Access-Control-Allow-Methods: :resheader Access-Control-Allow-Credentials: :resheader Access-Control-Expose-Headers: :resheader X-Rucio-Auth-Token: The authentication token :status 200: Successfully authenticated :status 404: Invalid credentials """ headers = Headers() headers['Access-Control-Allow-Origin'] = request.environ.get('HTTP_ORIGIN') headers['Access-Control-Allow-Headers'] = request.environ.get('HTTP_ACCESS_CONTROL_REQUEST_HEADERS') headers['Access-Control-Allow-Methods'] = '*' headers['Access-Control-Allow-Credentials'] = 'true' headers['Access-Control-Expose-Headers'] = 'X-Rucio-Auth-Token' headers['Content-Type'] = 'application/octet-stream' headers['Cache-Control'] = 'no-cache, no-store, max-age=0, must-revalidate' headers.add('Cache-Control', 'post-check=0, pre-check=0') headers['Pragma'] = 'no-cache' vo = request.headers.get('X-Rucio-VO', default='def') account = request.headers.get('X-Rucio-Account', default=None) gsscred = request.environ.get('REMOTE_USER') appid = request.headers.get('X-Rucio-AppID', default='unknown') ip = request.headers.get('X-Forwarded-For', default=request.remote_addr) try: result = get_auth_token_gss(account, gsscred, appid, ip, vo=vo) except AccessDenied: return generate_http_error_flask(401, 'CannotAuthenticate', 'Cannot authenticate to account %(account)s with given credentials' % locals(), headers=headers) if result is None: return generate_http_error_flask(401, 'CannotAuthenticate', 'Cannot authenticate to account %(account)s with given credentials' % locals(), headers=headers) headers['X-Rucio-Auth-Token'] = result.token headers['X-Rucio-Auth-Token-Expires'] = date_to_str(result.expired_at) return '', 200, headers
def GET(self): """ HTTP Success: 200 OK HTTP Error: 401 Unauthorized :param Rucio-Account: Account identifier as a string. :param Rucio-AppID: Application identifier as a string. :param SavedCredentials: Apache mod_auth_kerb SavedCredentials. :returns: "Rucio-Auth-Token" as a variable-length string header. """ header('Access-Control-Allow-Origin', ctx.env.get('HTTP_ORIGIN')) header('Access-Control-Allow-Headers', ctx.env.get('HTTP_ACCESS_CONTROL_REQUEST_HEADERS')) header('Access-Control-Allow-Methods', '*') header('Access-Control-Allow-Credentials', 'true') header('Access-Control-Expose-Headers', 'X-Rucio-Auth-Token') header('Content-Type', 'application/octet-stream') header('Cache-Control', 'no-cache, no-store, max-age=0, must-revalidate') header('Cache-Control', 'post-check=0, pre-check=0', False) header('Pragma', 'no-cache') account = ctx.env.get('HTTP_X_RUCIO_ACCOUNT') gsscred = ctx.env.get('REMOTE_USER') appid = ctx.env.get('HTTP_X_RUCIO_APPID') if appid is None: appid = 'unknown' ip = ctx.env.get('HTTP_X_FORWARDED_FOR') if ip is None: ip = ctx.ip try: result = get_auth_token_gss(account, gsscred, appid, ip) except AccessDenied: raise generate_http_error(401, 'CannotAuthenticate', 'Cannot authenticate to account %(account)s with given credentials' % locals()) if result is None: raise generate_http_error(401, 'CannotAuthenticate', 'Cannot authenticate to account %(account)s with given credentials' % locals()) else: header('X-Rucio-Auth-Token', result) return str() raise BadRequest()