-
Notifications
You must be signed in to change notification settings - Fork 6
/
python-cern-sso.spec
185 lines (129 loc) · 5.49 KB
/
python-cern-sso.spec
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
%global sum Cern Single-Single-Sign-On driver
%global srcname cern-sso
%define name python-%{srcname}
Name: python-cern-sso
Version: 1.3.2
Summary: %{sum}
Release: 2%{?dist}
Source0: %{name}-%{version}.tar.gz
License: MIT
Group: CERN/Utilities
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-buildroot
Prefix: %{_prefix}
BuildArch: noarch
BuildRequires: python2-devel python34-devel python-setuptools python34-setuptools
Vendor: Albin Stjerna <[email protected]>
Requires: python-requests python-requests-kerberos python-six
Url: https://gitlab.cern.ch/astjerna/cern-sso-python
%description
This is a re-implementation of the Perl script
cern-get-sso-cookie_.
as a Python library. As a bonus, a shell client re-implementing (most
of) the functionality of ``cern-get-sso-cookie``, is also provided.
.. _cern-get-sso-cookie: https://github.com/sashabaranov/cern-get-sso-cookie/
Prerequisites
-------------
This package assumes a working Kerberos and OpenSSL setup, but should be
compatible with both python 2.7 and 3.
Usage
-----
The module provides only two functions: ``krb_sign_on`` and
``cert_sign_on``, used for authentication with Kerberos and certificates
respectively. Both take an optional cookiejar (which can be a Requests
``CookieJar``, or a ``MozillaCookieJar``) which is filled during
operations. In any event, a cookie jar is also returned by both
functions.
The returned cookie jar can be used directly as an argument to Requests'
``cookies``
.. code:: python
import cern_sso
import requests
my_url = "https://my-secret-place.cern.ch"
cookies = cern_sso.krb_sign_on(my_url)
# Perform request
r1 = requests.get(my_url, cookies=cookies)
It is assumed that the user running the program is already authenticated
against Kerberos.
This is what the same procedure would look like using SSL certificates:
.. code:: python
import cern_sso
import requests
my_url = "https://my-secret-place.cern.ch"
cert_file = "/home/albin/myCert.pem"
key_file = "/home/albin/myCert.key"
cookies = cern_sso.cert_sign_on(my_url, cert_file=cert_file,
key_file=key_file)
# Perform request
r1 = requests.get(my_url, cookies=cookies)
Certain limitations apply to the certificate and key files, please see
the following section on command-line usage for further information on
this.
For an example of how to use an external CookieJar, see
``bin/cern-get-sso-cookie.py``.
Using ``cern-get-sso-cookie.py``
------------------------------
Just like ``cern-get-sso-cookie``, the Python implementation will
authenticate against a desired URL and returna Mozilla cookie-file
suitable for use with Curl or Wget.
For use with Kerberos, make sure you are authenticated either via
password or a keytab:
.. code:: sh
$ kinit [email protected]
<enter password>
Now you can perform the authentication:
.. code:: sh
$ cern-get-sso-cookie.py --url https://cerntraining.service-now.com --kerberos
# cookies.txt now contains the relevant session cookies
$ curl -L --cookie cookies.txt --cookie-jar cookies.txt -H 'Accept: application/json' "https://cerntraining.service-now.com/api/now/v1/table/incident"
In the spirit of the UNIX philosophy, ``cern-get-sso-cookie.py`` outputs
nothing on success. Please try ``--verbose`` or even ``--debug`` if that is
not to your liking!
For authentication against a SSL certificate (and key), you first need
to process the certificate files to remove passwords and separate the
key and certificate:
.. code:: sh
$ openssl pkcs12 -clcerts -nokeys -in myCert.p12 -out myCert.pem
$ openssl pkcs12 -nocerts -in myCert.p12 -out myCert.tmp.key
$ openssl rsa -in myCert.tmp.key -out myCert.key
It is assumed that your certificate and key files have the same base
name and are located in the same folder, and that the key has the file
ending ``.key`` and the certificate ``.pem``. In the example above, the base
name ``myCert`` was used.
Finally, you can use the certificates to obtain a SSO cookie:
.. code:: sh
$ cern-get-sso-cookie.py --url https://cerntraining.service-now.com --cert myCert
For further notes on usage, see ``cern-get-sso-cookie.py --help``.
%package -n python2-%{srcname}
Summary: %{sum}
Requires: python-requests python-requests-kerberos python-six
#%{?python_provide:%python_provide python2-%{srcname}}
%description -n python2-%{srcname}
An python module which provides a convenient example.
%package -n python3-%{srcname}
Summary: %{sum}
Requires: python34-requests python34-requests-kerberos python34-six
#%{?python_provide:%python_provide python3-%{srcname}}
%description -n python3-%{srcname}
An python module which provides a convenient example.
%prep
%setup -q
%build
%{__python3} setup.py build --executable=%{__python2}
%{__python2} setup.py build --executable=%{__python2}
%install
%{__rm} -rf %{buildroot}
%{__python3} setup.py install --single-version-externally-managed -O1 --root=$RPM_BUILD_ROOT --prefix=/usr --record=INSTALLED_FILES_3
%{__python2} setup.py install --single-version-externally-managed -O1 --root=$RPM_BUILD_ROOT --prefix=/usr --record=INSTALLED_FILES_2
%clean
rm -rf $RPM_BUILD_ROOT
%files -n python2-%{srcname}
%doc README.rst
# %files -f INSTALLED_FILES_2
%{python2_sitelib}/*
%{_bindir}/cern-get-sso-cookie.py
%defattr(-,root,root,-)
%files -n python3-%{srcname}
%doc README.rst
# %files -f INSTALLED_FILES_3
%{python3_sitelib}/*
%defattr(-,root,root)