pyceo/ceo_common/model/HTTPClient.py

import flask
from flask import g
import gssapi
import requests
from requests_gssapi import HTTPSPNEGOAuth
from zope import component
from zope.interface import implementer

from ceo_common.interfaces import IConfig, IHTTPClient, IKerberosService


@implementer(IHTTPClient)
class HTTPClient:
    def __init__(self):
        # Determine how to connect to other ceod instances
        cfg = component.getUtility(IConfig)
        if cfg.get('ceod_use_https'):
            self.scheme = 'https'
        else:
            self.scheme = 'http'
        self.ceod_port = cfg.get('ceod_port')
        self.base_domain = cfg.get('base_domain')

    def request(self, method: str, host: str, path: str, **kwargs):
        # always use the FQDN
        if '.' not in host:
            host = host + '.' + self.base_domain

        if method == 'GET':
            need_auth = path.startswith('/api/members') or \
                path.startswith('/api/cloud')
            delegate = False
        else:
            need_auth = True
            delegate = True

        # SPNEGO
        if need_auth:
            spnego_kwargs = {
                'opportunistic_auth': True,
                'target_name': gssapi.Name('ceod/' + host),
            }
            if flask.has_request_context():
                # This is reached when we are the server and the client has
                # forwarded their credentials to us.
                token = None
                if g.get('need_admin_creds', False):
                    # Some Kerberos bindings in some programming languages can't
                    # perform delegation, so use the admin creds here.
                    token = component.getUtility(IKerberosService).get_admin_creds_token()
                elif 'client_token' in g:
                    token = g.client_token
                if token is not None:
                    spnego_kwargs['creds'] = gssapi.Credentials(token=token)
            elif delegate:
                # This is reached when we are the client and we want to
                # forward our credentials to the server.
                spnego_kwargs['delegate'] = True
            auth = HTTPSPNEGOAuth(**spnego_kwargs)
        else:
            auth = None

        return requests.request(
            method,
            f'{self.scheme}://{host}:{self.ceod_port}{path}',
            auth=auth, **kwargs,
        )

    def get(self, host: str, path: str, **kwargs):
        return self.request('GET', host, path, **kwargs)

    def post(self, host: str, path: str, **kwargs):
        return self.request('POST', host, path, **kwargs)

    def patch(self, host: str, path: str, **kwargs):
        return self.request('PATCH', host, path, **kwargs)

    def delete(self, host: str, path: str, **kwargs):
        return self.request('DELETE', host, path, **kwargs)
use GSSAPI delegation 2021-08-25 22:19:18 -04:00			`import flask`
add skeleton for TUI 2021-08-28 23:09:02 -04:00			`from flask import g`
add app factory 2021-07-24 17:09:10 -04:00			`import gssapi`
			`import requests`
			`from requests_gssapi import HTTPSPNEGOAuth`
			`from zope import component`
			`from zope.interface import implementer`

Use the admin creds in the HTTPClient when necessary (#85) Currently, ceod uses the Kerberos credentials of the client when making requests to other services. This requires the client to send delegated credentials. Unfortunately the NPM krb5 package appears to be unable to perform delegation. So we will use the admin credentials instead (when appropriate). Reviewed-on: https://git.csclub.uwaterloo.ca/public/pyceo/pulls/85 Reviewed-by: Raymond Li <raymo@csclub.uwaterloo.ca> Co-authored-by: Max Erenberg <merenber@csclub.uwaterloo.ca> Co-committed-by: Max Erenberg <merenber@csclub.uwaterloo.ca> 2022-11-06 15:23:27 -05:00			`from ceo_common.interfaces import IConfig, IHTTPClient, IKerberosService`
add app factory 2021-07-24 17:09:10 -04:00

			`@implementer(IHTTPClient)`
			`class HTTPClient:`
			`def __init__(self):`
			`# Determine how to connect to other ceod instances`
			`cfg = component.getUtility(IConfig)`
			`if cfg.get('ceod_use_https'):`
			`self.scheme = 'https'`
			`else:`
			`self.scheme = 'http'`
			`self.ceod_port = cfg.get('ceod_port')`
use ConfigParser 2021-08-03 19:19:33 -04:00			`self.base_domain = cfg.get('base_domain')`
add app factory 2021-07-24 17:09:10 -04:00
add skeleton for TUI 2021-08-28 23:09:02 -04:00			`def request(self, method: str, host: str, path: str, **kwargs):`
use our own SPNEGO implementation 2021-08-21 02:27:33 -04:00			`# always use the FQDN`
			`if '.' not in host:`
			`host = host + '.' + self.base_domain`
add members CLI 2021-08-23 09:59:01 -04:00
add skeleton for TUI 2021-08-28 23:09:02 -04:00			`if method == 'GET':`
Add cloud vhost API (#35) Add an API for members to create their own virtual hosts. Co-authored-by: Max Erenberg <> Reviewed-on: https://git.csclub.uwaterloo.ca/public/pyceo/pulls/35 Co-authored-by: Max Erenberg <merenber@csclub.uwaterloo.ca> Co-committed-by: Max Erenberg <merenber@csclub.uwaterloo.ca> 2021-11-27 17:59:21 -05:00			`need_auth = path.startswith('/api/members') or \`
			`path.startswith('/api/cloud')`
add skeleton for TUI 2021-08-28 23:09:02 -04:00			`delegate = False`
			`else:`
			`need_auth = True`
			`delegate = True`

add members CLI 2021-08-23 09:59:01 -04:00			`# SPNEGO`
add skeleton for TUI 2021-08-28 23:09:02 -04:00			`if need_auth:`
			`spnego_kwargs = {`
			`'opportunistic_auth': True,`
			`'target_name': gssapi.Name('ceod/' + host),`
			`}`
Use the admin creds in the HTTPClient when necessary (#85) Currently, ceod uses the Kerberos credentials of the client when making requests to other services. This requires the client to send delegated credentials. Unfortunately the NPM krb5 package appears to be unable to perform delegation. So we will use the admin credentials instead (when appropriate). Reviewed-on: https://git.csclub.uwaterloo.ca/public/pyceo/pulls/85 Reviewed-by: Raymond Li <raymo@csclub.uwaterloo.ca> Co-authored-by: Max Erenberg <merenber@csclub.uwaterloo.ca> Co-committed-by: Max Erenberg <merenber@csclub.uwaterloo.ca> 2022-11-06 15:23:27 -05:00			`if flask.has_request_context():`
add skeleton for TUI 2021-08-28 23:09:02 -04:00			`# This is reached when we are the server and the client has`
			`# forwarded their credentials to us.`
Use the admin creds in the HTTPClient when necessary (#85) Currently, ceod uses the Kerberos credentials of the client when making requests to other services. This requires the client to send delegated credentials. Unfortunately the NPM krb5 package appears to be unable to perform delegation. So we will use the admin credentials instead (when appropriate). Reviewed-on: https://git.csclub.uwaterloo.ca/public/pyceo/pulls/85 Reviewed-by: Raymond Li <raymo@csclub.uwaterloo.ca> Co-authored-by: Max Erenberg <merenber@csclub.uwaterloo.ca> Co-committed-by: Max Erenberg <merenber@csclub.uwaterloo.ca> 2022-11-06 15:23:27 -05:00			`token = None`
			`if g.get('need_admin_creds', False):`
			`# Some Kerberos bindings in some programming languages can't`
			`# perform delegation, so use the admin creds here.`
			`token = component.getUtility(IKerberosService).get_admin_creds_token()`
			`elif 'client_token' in g:`
			`token = g.client_token`
			`if token is not None:`
			`spnego_kwargs['creds'] = gssapi.Credentials(token=token)`
add skeleton for TUI 2021-08-28 23:09:02 -04:00			`elif delegate:`
			`# This is reached when we are the client and we want to`
			`# forward our credentials to the server.`
			`spnego_kwargs['delegate'] = True`
			`auth = HTTPSPNEGOAuth(**spnego_kwargs)`
			`else:`
			`auth = None`
add members CLI 2021-08-23 09:59:01 -04:00
add app factory 2021-07-24 17:09:10 -04:00			`return requests.request(`
			`method,`
add skeleton for TUI 2021-08-28 23:09:02 -04:00			`f'{self.scheme}://{host}:{self.ceod_port}{path}',`
use GSSAPI delegation 2021-08-25 22:19:18 -04:00			`auth=auth, **kwargs,`
add app factory 2021-07-24 17:09:10 -04:00			`)`

add skeleton for TUI 2021-08-28 23:09:02 -04:00			`def get(self, host: str, path: str, **kwargs):`
			`return self.request('GET', host, path, **kwargs)`
add members CLI 2021-08-23 09:59:01 -04:00
add skeleton for TUI 2021-08-28 23:09:02 -04:00			`def post(self, host: str, path: str, **kwargs):`
			`return self.request('POST', host, path, **kwargs)`
add app factory 2021-07-24 17:09:10 -04:00
add skeleton for TUI 2021-08-28 23:09:02 -04:00			`def patch(self, host: str, path: str, **kwargs):`
			`return self.request('PATCH', host, path, **kwargs)`
add app factory 2021-07-24 17:09:10 -04:00
add skeleton for TUI 2021-08-28 23:09:02 -04:00			`def delete(self, host: str, path: str, **kwargs):`
			`return self.request('DELETE', host, path, **kwargs)`