def authenticate(rendered_tpl): try: auth_type = config_get('webui', 'auth_type') except: auth_type = 'x509' session_token = cookies().get('x-rucio-auth-token') validate_token = authentication.validate_auth_token(session_token) render = template.render(join(dirname(__file__), '../templates')) if auth_type == 'x509': return check_token(rendered_tpl) elif auth_type == 'userpass': if validate_token: return log_in(None, rendered_tpl) return seeother('/login') elif auth_type == 'x509_userpass': if ctx.env.get('SSL_CLIENT_VERIFY') == 'SUCCESS': return check_token(rendered_tpl) elif validate_token: return log_in(None, rendered_tpl) return render.no_certificate() return render.problem('Invalid auth type')
def before_request(): if request.environ.get('REQUEST_METHOD') == 'OPTIONS': return '', 200 auth_token = request.environ.get('HTTP_X_RUCIO_AUTH_TOKEN') try: auth = validate_auth_token(auth_token) except RucioException as error: return generate_http_error_flask(500, error.__class__.__name__, error.args[0]) except Exception as error: print(format_exc()) return error, 500 if auth is None: return generate_http_error_flask( 401, 'CannotAuthenticate', 'Cannot authenticate with given credentials') request.environ['vo'] = auth.get('vo', 'def') request.environ['issuer'] = auth.get('account') request.environ['identity'] = auth.get('identity') request.environ['request_id'] = generate_uuid() request.environ['start_time'] = time()
def GET(self): """ HTTP Success: 200 OK HTTP Error: 401 Unauthorized :param Rucio-Auth-Token: as a variable-length string. :returns: Tuple(account name, token lifetime). """ header('Access-Control-Allow-Origin', ctx.env.get('HTTP_ORIGIN')) header('Access-Control-Allow-Headers', ctx.env.get('HTTP_ACCESS_CONTROL_REQUEST_HEADERS')) header('Access-Control-Allow-Methods', '*') header('Access-Control-Allow-Credentials', 'true') header('Access-Control-Expose-Headers', 'X-Rucio-Auth-Token') header('Content-Type', 'application/octet-stream') header('Cache-Control', 'no-cache, no-store, max-age=0, must-revalidate') header('Cache-Control', 'post-check=0, pre-check=0', False) header('Pragma', 'no-cache') token = ctx.env.get('HTTP_X_RUCIO_AUTH_TOKEN') result = validate_auth_token(token) if not result: raise generate_http_error( 401, 'CannotAuthenticate', 'Cannot authenticate to account %(account)s with given credentials' % locals()) return result
def get(self): """ Validate a Rucio Auth Token. .. :quickref: Validate; Validate a Rucio Auth Token. :reqheader Rucio-Auth-Token: as a variable-length string. :status 406: Not Acceptable. :returns: Tuple(account name, token lifetime). """ headers = self.get_headers() headers['Content-Type'] = 'application/octet-stream' headers[ 'Cache-Control'] = 'no-cache, no-store, max-age=0, must-revalidate' headers.add('Cache-Control', 'post-check=0, pre-check=0') headers['Pragma'] = 'no-cache' token = request.headers.get('X-Rucio-Auth-Token', default=None) result = validate_auth_token(token) if not result: return generate_http_error_flask( status_code=401, exc=CannotAuthenticate.__name__, exc_msg='Cannot authenticate with given credentials', headers=headers) return str(result), 200, headers
def get(self): """ Validate a Rucio Auth Token. .. :quickref: Validate; Validate a Rucio Auth Token. :reqheader Rucio-Auth-Token: as a variable-length string. :status 406: Not Acceptable. :returns: Tuple(account name, token lifetime). """ headers = Headers() headers['Access-Control-Allow-Origin'] = request.environ.get('HTTP_ORIGIN') headers['Access-Control-Allow-Headers'] = request.environ.get('HTTP_ACCESS_CONTROL_REQUEST_HEADERS') headers['Access-Control-Allow-Methods'] = '*' headers['Access-Control-Allow-Credentials'] = 'true' headers['Access-Control-Expose-Headers'] = 'X-Rucio-Auth-Token' headers['Content-Type'] = 'application/octet-stream' headers['Cache-Control'] = 'no-cache, no-store, max-age=0, must-revalidate' headers.add('Cache-Control', 'post-check=0, pre-check=0') headers['Pragma'] = 'no-cache' token = request.headers.get('X-Rucio-Auth-Token', default=None) result = validate_auth_token(token) if not result: return generate_http_error_flask(401, 'CannotAuthenticate', 'Cannot authenticate to account %(account)s with given credentials' % locals(), headers=headers) return str(result), 200, headers
def rucio_loadhook(): """ Rucio load Hook to authenticate, timing, etc. """ # Allow cross-site scripting header('Access-Control-Allow-Origin', ctx.env.get('HTTP_ORIGIN')) header('Access-Control-Allow-Headers', ctx.env.get('HTTP_ACCESS_CONTROL_REQUEST_HEADERS')) header('Access-Control-Allow-Methods', '*') header('Access-Control-Allow-Credentials', 'true') if ctx.env.get('REQUEST_METHOD') == 'OPTIONS': raise OK if ctx.env.get('REQUEST_METHOD') == 'GET': header('Cache-Control', 'no-cache, no-store, max-age=0, must-revalidate') header('Cache-Control', 'post-check=0, pre-check=0', False) header('Pragma', 'no-cache') else: header('Content-Type', 'application/octet-stream') auth_token = ctx.env.get('HTTP_X_RUCIO_AUTH_TOKEN') try: auth = validate_auth_token(auth_token) except RucioException, e: raise generate_http_error(500, e.__class__.__name__, e.args[0][0])
def request_auth_env(): if flask.request.environ.get('REQUEST_METHOD') == 'OPTIONS': return '', 200 auth_token = flask.request.headers.get('X-Rucio-Auth-Token', default=None) try: auth = validate_auth_token(auth_token) except RucioException as error: return generate_http_error_flask(500, error.__class__.__name__, error.args[0]) except Exception: logging.exception('Internal error in validate_auth_token') return 'Internal Error', 500 if auth is None: return generate_http_error_flask( 401, CannotAuthenticate.__name__, 'Cannot authenticate with given credentials') flask.request.environ['vo'] = auth.get('vo', 'def') flask.request.environ['issuer'] = auth.get('account') flask.request.environ['identity'] = auth.get('identity') flask.request.environ['request_id'] = generate_uuid() flask.request.environ['start_time'] = time()
def GET(self): """ HTTP Success: 200 OK HTTP Error: 401 Unauthorized :param Rucio-Auth-Token: as a variable-length string. :returns: Tuple(account name, token lifetime). """ header('Access-Control-Allow-Origin', ctx.env.get('HTTP_ORIGIN')) header('Access-Control-Allow-Headers', ctx.env.get('HTTP_ACCESS_CONTROL_REQUEST_HEADERS')) header('Access-Control-Allow-Methods', '*') header('Access-Control-Allow-Credentials', 'true') header('Access-Control-Expose-Headers', 'X-Rucio-Auth-Token') header('Content-Type', 'application/octet-stream') header('Cache-Control', 'no-cache, no-store, max-age=0, must-revalidate') header('Cache-Control', 'post-check=0, pre-check=0', False) header('Pragma', 'no-cache') token = ctx.env.get('HTTP_X_RUCIO_AUTH_TOKEN') result = validate_auth_token(token) if not result: raise generate_http_error(401, 'CannotAuthenticate', 'Cannot authenticate to account %(account)s with given credentials' % locals()) return result
def get(self): """ Validate a Rucio Auth Token. .. :quickref: Validate; Validate a Rucio Auth Token. :reqheader Rucio-Auth-Token: as a variable-length string. :returns: Tuple(account name, token lifetime). """ response = Response() response.headers['Access-Control-Allow-Origin'] = request.environ.get('HTTP_ORIGIN') response.headers['Access-Control-Allow-Headers'] = request.environ.get('HTTP_ACCESS_CONTROL_REQUEST_HEADERS') response.headers['Access-Control-Allow-Methods'] = '*' response.headers['Access-Control-Allow-Credentials'] = 'true' response.headers['Access-Control-Expose-Headers'] = 'X-Rucio-Auth-Token' response.headers['Content-Type'] = 'application/octet-stream' response.headers['Cache-Control'] = 'no-cache, no-store, max-age=0, must-revalidate' response.headers['Cache-Control'] = 'post-check=0, pre-check=0' response.headers['Pragma'] = 'no-cache' token = request.environ.get('HTTP_X_RUCIO_AUTH_TOKEN') result = validate_auth_token(token) if not result: return generate_http_error_flask(401, 'CannotAuthenticate', 'Cannot authenticate to account %(account)s with given credentials' % locals()) response.set_data(result) return response
def authenticate(rendered_tpl): """ Select the auth type defined in config """ session_token = cookies().get('x-rucio-auth-token') validate_token = authentication.validate_auth_token(session_token) render = template.render(join(dirname(__file__), '../templates')) if AUTH_TYPE == 'x509': return check_token(rendered_tpl) elif AUTH_TYPE == 'userpass': if validate_token: return log_in(None, rendered_tpl) return seeother('/login') elif AUTH_TYPE == 'x509_userpass': if ctx.env.get('SSL_CLIENT_VERIFY') == 'SUCCESS': return check_token(rendered_tpl) elif validate_token: return log_in(None, rendered_tpl) return render.no_certificate() elif AUTH_TYPE == 'saml': return saml_authentication("GET", rendered_tpl) return render.problem('Invalid auth type')
def before_request(): if request.environ.get('REQUEST_METHOD') == 'OPTIONS': raise "", 200 auth_token = request.environ.get('HTTP_X_RUCIO_AUTH_TOKEN') try: auth = validate_auth_token(auth_token) except RucioException, e: return generate_http_error_flask(500, e.__class__.__name__, e.args[0][0])
def check_token(rendered_tpl): token = None js_token = "" js_account = "" def_account = None accounts = None cookie_accounts = None rucio_ui_version = version.version_string() render = template.render(join(dirname(__file__), '../templates')) if ctx.env.get('SSL_CLIENT_VERIFY') != 'SUCCESS': return render.problem("No certificate provided. Please authenticate with a cerficate registered in Rucio.") dn = ctx.env.get('SSL_CLIENT_S_DN') # try to get and check the rucio session token from cookie session_token = cookies().get('x-rucio-auth-token') validate_token = authentication.validate_auth_token(session_token) # if there is no session token or if invalid: get a new one. if validate_token is None: # get all accounts for an identity. Needed for account switcher in UI. accounts = identity.list_accounts_for_identity(dn, 'x509') cookie_accounts = accounts try: try: # try to get the default account for the identity. def_account = identity.get_default_account(dn, 'x509') except IdentityError: # if there is no default account used the first from the list off accounts. def_account = accounts[0] token = authentication.get_auth_token_x509(def_account, dn, 'webui', ctx.env.get('REMOTE_ADDR')) except: return render.problem("Your certificate (%s) is not registered in Rucio. Please contact <a href=\"mailto:[email protected]\">Rucio Support</a>" % dn) # write the token and account to javascript variables, that will be used in the HTML templates. js_token = __to_js('token', token) js_account = __to_js('account', def_account) # if there was no valid session token write the new token to a cookie. if token: setcookie('x-rucio-auth-token', value=token, expires=3600, path='/') if cookie_accounts: values = "" for acc in cookie_accounts: values += acc + " " setcookie('rucio-available-accounts', value=values[:-1], path='/') return render.base(js_token, js_account, rucio_ui_version, rendered_tpl)
def validate_webui_token(from_cookie=True, session_token=None): """ Validates token and returns token validation dictionary. :param from_cookie: Token is looked up in cookies if True, otherwise session_token must be provided :param session_token: token string :returns: None or token validation dictionary """ if from_cookie: session_token = cookies().get('x-rucio-auth-token') valid_token_dict = auth.validate_auth_token(session_token) if not valid_token_dict or not session_token: return None else: valid_token_dict['token'] = session_token return valid_token_dict
def rucio_loadhook(): """ Rucio load Hook to authenticate, timing, etc. """ # Allow cross-site scripting header('Access-Control-Allow-Origin', ctx.env.get('HTTP_ORIGIN')) header('Access-Control-Allow-Headers', ctx.env.get('HTTP_ACCESS_CONTROL_REQUEST_HEADERS')) header('Access-Control-Allow-Methods', '*') header('Access-Control-Allow-Credentials', 'true') if ctx.env.get('REQUEST_METHOD') == 'OPTIONS': raise OK if ctx.env.get('REQUEST_METHOD') == 'GET': header('Cache-Control', 'no-cache, no-store, max-age=0, must-revalidate') header('Cache-Control', 'post-check=0, pre-check=0', False) header('Pragma', 'no-cache') else: header('Content-Type', 'application/octet-stream') auth_token = ctx.env.get('HTTP_X_RUCIO_AUTH_TOKEN') try: auth = validate_auth_token(auth_token) except RucioException as error: raise generate_http_error(500, error.__class__.__name__, error.args[0]) except Exception as error: print(format_exc()) raise InternalError(error) if auth is None: raise generate_http_error( 401, 'CannotAuthenticate', 'Cannot authenticate with given credentials') # Propagate the issuer, request_id and start_time to the controller ctx.env['vo'] = auth.get('vo') ctx.env['issuer'] = auth.get('account') ctx.env['identity'] = auth.get('identity') ctx.env['request_id'] = generate_uuid() ctx.env['start_time'] = time()
def check_token(rendered_tpl): attribs = None token = None js_token = "" js_account = "" def_account = None accounts = None cookie_accounts = None rucio_ui_version = version.version_string() ui_account = None if 'ui_account' in input(): ui_account = input()['ui_account'] render = template.render(join(dirname(__file__), '../templates')) if ctx.env.get('SSL_CLIENT_VERIFY') != 'SUCCESS': return render.problem( "No certificate provided. Please authenticate with a certificate registered in Rucio." ) dn = ctx.env.get('SSL_CLIENT_S_DN') msg = "Your certificate (%s) is not mapped to any rucio account." % dn msg += "<br><br><font color=\"red\">First, please make sure it is correctly registered in <a href=\"https://voms2.cern.ch:8443/voms/atlas\">VOMS</a> and be patient until it has been fully propagated through the system.</font>" msg += "<br><br>Then, if it is still not working please contact <a href=\"mailto:[email protected]\">DDM Support</a>." # try to get and check the rucio session token from cookie session_token = cookies().get('x-rucio-auth-token') validate_token = authentication.validate_auth_token(session_token) # check if ui_account param is set and if yes, force new token if ui_account: accounts = identity.list_accounts_for_identity(dn, 'x509') if len(accounts) == 0: return render.problem(msg) if ui_account not in accounts: return render.problem( "The rucio account (%s) you selected is not mapped to your certificate (%s). Please select another account or none at all to automatically use your default account." % (ui_account, dn)) cookie_accounts = accounts if (validate_token is None) or (validate_token['account'] != ui_account): try: token = authentication.get_auth_token_x509( ui_account, dn, 'webui', ctx.env.get('REMOTE_ADDR')) except: return render.problem(msg) attribs = list_account_attributes(ui_account) js_token = __to_js('token', token) js_account = __to_js('account', def_account) else: # if there is no session token or if invalid: get a new one. if validate_token is None: # get all accounts for an identity. Needed for account switcher in UI. accounts = identity.list_accounts_for_identity(dn, 'x509') if len(accounts) == 0: return render.problem(msg) cookie_accounts = accounts # try to set the default account to the user account, if not available take the first account. def_account = accounts[0] for account in accounts: account_info = get_account_info(account) if account_info.account_type == AccountType.USER: def_account = account break selected_account = cookies().get('rucio-selected-account') if (selected_account): def_account = selected_account try: token = authentication.get_auth_token_x509( def_account, dn, 'webui', ctx.env.get('REMOTE_ADDR')) except: return render.problem(msg) attribs = list_account_attributes(def_account) # write the token and account to javascript variables, that will be used in the HTML templates. js_token = __to_js('token', token) js_account = __to_js('account', def_account) # if there was no valid session token write the new token to a cookie. if token: setcookie('x-rucio-auth-token', value=token, path='/') setcookie('rucio-auth-token-created-at', value=int(time()), path='/') if cookie_accounts: values = "" for acc in cookie_accounts: values += acc + " " setcookie('rucio-available-accounts', value=values[:-1], path='/') if attribs: setcookie('rucio-account-attr', value=dumps(attribs), path='/') if ui_account: setcookie('rucio-selected-account', value=ui_account, path='/') return render.base(js_token, js_account, rucio_ui_version, rendered_tpl)
def get(self): """ Sign a URL for a limited lifetime for a particular service. :reqheader X-Rucio-Account: Account identifier as a string. :reqheader X-Rucio-AppID: Application identifier as a string. :resheader Access-Control-Allow-Origin: :resheader Access-Control-Allow-Headers: :resheader Access-Control-Allow-Methods: :resheader Access-Control-Allow-Credentials: :resheader Access-Control-Expose-Headers: :resheader X-Rucio-Auth-Token: The authentication token :status 200: Successfully signed URL :status 400: Bad Request :status 401: Unauthorized :status 500: Internal Server Error """ response = Response() response.headers['Access-Control-Allow-Origin'] = request.environ.get( 'HTTP_ORIGIN') response.headers['Access-Control-Allow-Headers'] = request.environ.get( 'HTTP_ACCESS_CONTROL_REQUEST_HEADERS') response.headers['Access-Control-Allow-Methods'] = '*' response.headers['Access-Control-Allow-Credentials'] = 'true' response.headers[ 'Access-Control-Expose-Headers'] = 'X-Rucio-Auth-Token' response.headers['Content-Type'] = 'application/octet-stream' response.headers[ 'Cache-Control'] = 'no-cache, no-store, max-age=0, must-revalidate' response.headers['Cache-Control'] = 'post-check=0, pre-check=0' response.headers['Pragma'] = 'no-cache' account = request.environ.get('HTTP_X_RUCIO_ACCOUNT') appid = request.environ.get('HTTP_X_RUCIO_APPID') if appid is None: appid = 'unknown' ip = request.environ.get('HTTP_X_FORWARDED_FOR') if ip is None: ip = request.remote_addr try: validate_auth_token(request.environ.get('HTTP_X_RUCIO_AUTH_TOKEN')) except AccessDenied: return generate_http_error_flask( 401, 'CannotAuthenticate', 'Cannot authenticate to account %(account)s with given credentials' % locals()) except RucioException as error: return generate_http_error_flask(500, error.__class__.__name__, error.args[0]) except Exception as error: print(format_exc()) return error, 500 svc, operation, url = None, None, None try: params = parse_qs(request.query[1:]) lifetime = params.get('lifetime', [600])[0] service = params.get('svc', ['gcs'])[0] operation = params.get('op', ['read'])[0] url = params.get('url', [None])[0] except ValueError: return generate_http_error_flask( 400, 'ValueError', 'Cannot decode json parameter list') if service not in ['gcs']: return generate_http_error_flask( 400, 'ValueError', 'Parameter "svc" must be either empty(=gcs), or gcs') if url is None: return generate_http_error_flask(400, 'ValueError', 'Parameter "url" not found') if operation not in ['read', 'write', 'delete']: return generate_http_error_flask( 400, 'ValueError', 'Parameter "op" must be either empty(=read), read, write, or delete.' ) try: result = get_signed_url(account, appid, ip, service=service, operation='read', url=url, lifetime=lifetime) except RucioException as error: return generate_http_error_flask(500, error.__class__.__name__, error.args[0]) except Exception as error: print(format_exc()) return error, 500 if not result: return generate_http_error_flask( 401, 'CannotAuthenticate', 'Cannot generate signed URL for account %(account)s' % locals()) return response
def GET(self): """ HTTP Success: 200 OK HTTP Error: 400 Bad Request 401 Unauthorized 406 Not Acceptable 500 Internal Server Error :param Rucio-VO: VO name as a string (Multi-VO only). :param Rucio-Account: Account identifier as a string. :param Rucio-AppID: Application identifier as a string. :returns: Signed URL. """ vo = ctx.env.get('HTTP_X_RUCIO_VO') account = ctx.env.get('HTTP_X_RUCIO_ACCOUNT') appid = ctx.env.get('HTTP_X_RUCIO_APPID') if appid is None: appid = 'unknown' ip = ctx.env.get('HTTP_X_FORWARDED_FOR') if ip is None: ip = ctx.ip try: validate_auth_token(ctx.env.get('HTTP_X_RUCIO_AUTH_TOKEN')) except RucioException as e: raise generate_http_error(500, e.__class__.__name__, e.args[0][0]) except Exception as e: print(format_exc()) raise InternalError(e) svc, operation, url = None, None, None try: params = parse_qs(ctx.query[1:]) lifetime = params.get('lifetime', [600])[0] service = params.get('svc', ['gcs'])[0] operation = params.get('op', ['read'])[0] url = params.get('url', [None])[0] except ValueError: raise generate_http_error(400, 'ValueError', 'Cannot decode json parameter list') if service not in ['gcs', 's3', 'swift']: raise generate_http_error( 400, 'ValueError', 'Parameter "svc" must be either empty(=gcs), gcs, s3 or swift') if url is None: raise generate_http_error(400, 'ValueError', 'Parameter "url" not found') if operation not in ['read', 'write', 'delete']: raise generate_http_error( 400, 'ValueError', 'Parameter "op" must be either empty(=read), read, write, or delete.' ) try: result = get_signed_url(account, appid, ip, service=service, operation=operation, url=url, lifetime=lifetime, vo=vo) except RucioException as e: raise generate_http_error(500, e.__class__.__name__, e.args[0]) except Exception as e: print(format_exc()) raise InternalError(e) if not result: raise generate_http_error( 401, 'CannotAuthenticate', 'Cannot generate signed URL for account %(account)s' % locals()) return result
def saml_authentication(method, rendered_tpl): """ Login with SAML :param method: method type, GET or POST :param rendered_tpl: page to be rendered """ attribs = None token = None js_token = "" js_account = "" def_account = None accounts = None cookie_accounts = None rucio_ui_version = version.version_string() policy = config_get('policy', 'permission') # Initialize variables for sending SAML request SAML_PATH = join(dirname(__file__), 'saml/') request = ctx.env data = dict(input()) req = prepare_webpy_request(request, data) auth = OneLogin_Saml2_Auth(req, custom_base_path=SAML_PATH) saml_user_data = cookies().get('saml-user-data') render = template.render(join(dirname(__file__), '../templates')) session_token = cookies().get('x-rucio-auth-token') validate_token = authentication.validate_auth_token(session_token) if method == "GET": # If user data is not present, redirect to IdP for authentication if not saml_user_data: return seeother(auth.login()) # If user data is present and token is valid, render the required page elif validate_token: js_token = __to_js('token', session_token) js_account = __to_js('account', def_account) return render.base(js_token, js_account, rucio_ui_version, policy, rendered_tpl) # If user data is present but token is not valid, create a new one saml_nameid = cookies().get('saml-nameid') accounts = identity.list_accounts_for_identity(saml_nameid, 'saml') cookie_accounts = accounts try: token = authentication.get_auth_token_saml( def_account, saml_nameid, 'webui', ctx.env.get('REMOTE_ADDR')).token except: return render.problem('Cannot get auth token') attribs = list_account_attributes(def_account) # write the token and account to javascript variables, that will be used in the HTML templates. js_token = __to_js('token', token) js_account = __to_js('account', def_account) set_cookies(token, cookie_accounts, attribs) return render.base(js_token, js_account, rucio_ui_version, policy, rendered_tpl) # If method is POST, check the received SAML response and redirect to home if valid auth.process_response() errors = auth.get_errors() if not errors: if auth.is_authenticated(): setcookie('saml-user-data', value=auth.get_attributes(), path='/') setcookie('saml-session-index', value=auth.get_session_index(), path='/') setcookie('saml-nameid', value=auth.get_nameid(), path='/') saml_nameid = auth.get_nameid() accounts = identity.list_accounts_for_identity(saml_nameid, 'saml') cookie_accounts = accounts # try to set the default account to the user account, if not available take the first account. def_account = accounts[0] for account in accounts: account_info = get_account_info(account) if account_info.account_type == AccountType.USER: def_account = account break selected_account = cookies().get('rucio-selected-account') if (selected_account): def_account = selected_account try: token = authentication.get_auth_token_saml( def_account, saml_nameid, 'webui', ctx.env.get('REMOTE_ADDR')).token except: return render.problem('Cannot get auth token') attribs = list_account_attributes(def_account) # write the token and account to javascript variables, that will be used in the HTML templates. js_token = __to_js('token', token) js_account = __to_js('account', def_account) set_cookies(token, cookie_accounts, attribs) return seeother("/") return render.problem("Not authenticated") return render.problem("Error while processing SAML")
def log_in(data, rendered_tpl): attribs = None token = None js_token = "" js_account = "" def_account = None accounts = None cookie_accounts = None rucio_ui_version = version.version_string() policy = config_get('policy', 'permission') render = template.render(join(dirname(__file__), '../templates')) # # try to get and check the rucio session token from cookie session_token = cookies().get('x-rucio-auth-token') validate_token = authentication.validate_auth_token(session_token) # if token is valid, render the requested page. if validate_token and not data: token = session_token js_token = __to_js('token', token) js_account = __to_js('account', def_account) return render.base(js_token, js_account, rucio_ui_version, policy, rendered_tpl) else: # if there is no session token or if invalid: get a new one. # if user tries to access a page through URL without logging in, then redirect to login page. if rendered_tpl: return render.login() # get all accounts for an identity. Needed for account switcher in UI. accounts = identity.list_accounts_for_identity(data.username, 'userpass') if len(accounts) == 0: return render.problem('No accounts for the given identity.') cookie_accounts = accounts # try to set the default account to the user account, if not available take the first account. def_account = accounts[0] for account in accounts: account_info = get_account_info(account) if account_info.account_type == AccountType.USER: def_account = account break selected_account = cookies().get('rucio-selected-account') if (selected_account): def_account = selected_account try: token = authentication.get_auth_token_user_pass( def_account, data.username, data.password.encode("ascii"), 'webui', ctx.env.get('REMOTE_ADDR')).token except: return render.problem('Cannot get auth token') attribs = list_account_attributes(def_account) # write the token and account to javascript variables, that will be used in the HTML templates. js_token = __to_js('token', token) js_account = __to_js('account', def_account) set_cookies(token, cookie_accounts, attribs) return seeother('/')