Linux Archive, Fedora Infrastructure list: Verifying a FAS instance via JSON? (http://www.linux-archive.org/fedora-infrastructure/397784-verifying-fas-instance-via-json.html)

Toshio Kuratomi 07-11-2010 07:03 PM

Verifying a FAS instance via JSON?
 
On Sun, Jul 11, 2010 at 12:52:33PM -0400, Paul Frields wrote:
> This is probably going to be a very naive question, so bear with me.
> I'm trying my hand at an AuthFAS plugin for Drupal.
>
Note: If this is going to run outside of infrastructure it's probably best
not to auth against FAS due to the insecurity of getting people used to
typing their FAS credentials into third party websites. If it's going to
run inside of infrastructure we should think about whether we want to run
Drupal. If it's going to run on some third party against some third party
FAS then we'd like to know who else is running FAS :-)

> As part of that
> code, I'm trying to verify the setting of a FAS instance URL, by using
> curl to hit https://<URL>/json/ (like
> https://admin.fedoraproject.org/accounts/json/). I give the
> administrator an opportunity to enter FAS credentials to be used in
> the curl process.
>
> The code is found here (in the authfas_admin_validate() function):
> http://fedorapeople.org/gitweb?p=pfrields/public_git/drupal-authfas-6x.git;a=summary
>
> If I'm at a browser and I hit https://admin.fp.o/accounts/json/
> directly, I have to enter my username/passphrase, and then I get a
> JSON result that includes a 'help' element, which is what I'm checking
> for in the code. This is sort of an optional step, really. I wanted to
> make it possible for people to know if they made a typo in the URL.
> But if I have to drop that validation step, and simply depend on the
> admin to get it right, that's probably acceptable. Maybe I'm trying to
> be too clever.
>
> In any case, regardless of the username and password I use, I don't
> get back a positive result. It's possible that's because I'm getting a
> login or some sort of CSRF intermediary request. I confess I haven't
> had a ton of time to dig deeply into the problem. I was hoping someone
> here would be able to say, "Here's something you need to do if you're
> using curl like that...". The curl code here is drawn from the
> original Auth_FAS.php on the wiki, but I'm not sure if the changes I
> made are all kosher.
>
Are you just trying to get username/password verification from fas? or are
you trying to get fas to give you a cookie that fas verifies is correct
every time? I believe our mediawiki install does the former.

A quick look at the code leads me to believe that you aren't requesting json
data explicitly and therefore the login page is being returned as html
rather than json. Requesting json should make fas return an error if you
aren't logged in/handing in valid credentials.


A few other differences between the python-fedora implementation and this:

* I think that giving "username=XXX" as a param will yield an error.
* I think you need to have FOLLOWLOCATION=True so you follow redirects.

Here's what I *think* is php to implement that:

- curl_setopt($ch, CURLOPT_USERAGENT, "Drupal AuthFAS 0.1");
- curl_setopt($ch, CURLOPT_POSTFIELDS, "username=".urlencode($username)."&user_name=".url encode($username). "&password=".urlencode($password)."&login=Logi n");
+ curl_setopt($ch, CURLOPT_HEADERS, "user-agent: Drupal AuthFAS 0.1; Accept: application/json;");
+ curl_setopt($ch, CURLOPT_POSTFIELDS, "user_name=".urlencode($username). "&password=".urlencode($password)."&login=Logi n");
+ curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1)
+ curl_setopt($ch, CURLOPT_MAXREDIRS, 5)
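Review bot: CURLOPT_HEADERS on the first `+` line is not a PHP cURL option, so that curl_setopt() call will fail and neither the User-Agent nor the Accept header gets sent, while the first `-` line has already dropped CURLOPT_USERAGENT; the option that takes request headers is CURLOPT_HTTPHEADER with an array, e.g. `curl_setopt($ch, CURLOPT_HTTPHEADER, array('Accept: application/json'));`, and the CURLOPT_USERAGENT line should stay. The last two `+` lines are also missing their trailing semicolons. Pairing CURLOPT_FOLLOWLOCATION with CURLOPT_MAXREDIRS is right, but note that libcurl turns a POST into a GET when it follows a 301/302 by default, so the posted credentials only reach the first URL in the chain.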

I could be off in the bushes with this, though. If so, here's the
python-fedora code that connects to FAS. Checking for differences in what
you're giving curl and what it's giving curl is pretty straightforward:

http://bzr.fedorahosted.org/bzr/python-fedora/python-fedora-devel/annotate/head%3A/fedora/client/proxyclient.py#L146

-Toshio
_______________________________________________
infrastructure mailing list
infrastructure@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/infrastructure
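The corrected request in one place, as an added example that is not the Drupal AuthFAS plugin's, FAS's or python-fedora's code: it POSTs user_name/password/login=Login to the configured FAS JSON URL, asks for JSON explicitly through CURLOPT_HTTPHEADER (the PHP option the CURLOPT_HEADERS line above was reaching for), follows redirects with a cap, and accepts the instance only when the reply is JSON carrying the 'help' element Paul checks for. The function name, the https-only check and the error reporting are this example's own assumptions.

```php
<?php
// Added example, not code from the Drupal AuthFAS plugin, FAS or python-fedora.
// Assumes, as the thread describes, that a FAS instance answers a POST of
// user_name/password/login=Login on its /json/ URL with JSON and that a
// successful reply carries a 'help' element. The function name is hypothetical.
// Returns true when $fas_url is a FAS JSON endpoint that accepts the
// credentials; otherwise false with a short, password-free reason in $error.
function authfas_verify_instance($fas_url, $username, $password, &$error = null) {
    $error = null;
    // A password is about to be posted: refuse anything but https.
    if (stripos($fas_url, 'https://') !== 0) {
        $error = 'FAS URL must start with https://';
        return false;
    }
    $ch = curl_init(rtrim($fas_url, '/') . '/');
    curl_setopt_array($ch, array(
        CURLOPT_POST           => true,
        // FAS wants user_name; an extra 'username' field makes it return an error.
        CURLOPT_POSTFIELDS     => http_build_query(array(
            'user_name' => $username,
            'password'  => $password,
            'login'     => 'Login',
        )),
        // Request JSON explicitly, or the HTML login page comes back instead.
        CURLOPT_HTTPHEADER     => array('Accept: application/json'),
        CURLOPT_USERAGENT      => 'Drupal AuthFAS 0.1',
        CURLOPT_FOLLOWLOCATION => true,
        CURLOPT_MAXREDIRS      => 5,
        CURLOPT_RETURNTRANSFER => true,
        // Never switch these off when sending credentials.
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_TIMEOUT        => 15,
    ));
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    $ctype  = curl_getinfo($ch, CURLINFO_CONTENT_TYPE);
    $cerr   = curl_error($ch);
    curl_close($ch);
    if ($body === false) {
        $error = 'curl failed: ' . $cerr;
        return false;
    }
    // An HTML answer means the URL is not a FAS JSON endpoint (or has a typo).
    if (stripos((string) $ctype, 'json') === false) {
        $error = "expected JSON but got '$ctype' (HTTP $status)";
        return false;
    }
    $data = json_decode($body, true);
    if (!is_array($data)) {
        $error = 'response is not valid JSON';
        return false;
    }
    // FAS answers with a JSON error instead of 'help' when it rejects the login.
    if ($status != 200 || !isset($data['help'])) {
        $error = "FAS rejected the login (HTTP $status)";
        return false;
    }
    return true;
}
```

Call it with the URL from the admin form, for instance https://admin.fedoraproject.org/accounts/json/ as in the thread, and log only $error, never the posted fields.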

Sijis Aviles 07-12-2010 11:55 PM

Verifying a FAS instance via JSON?
 
On Sun, Jul 11, 2010 at 2:03 PM, Toshio Kuratomi <a.badger@gmail.com> wrote:

> A few other differences between the python-fedora implementation and this:
>
> * I think that giving "username=XXX" as a param will yield an error.
> * I think you need to have FOLLOWLOCATION=True so you follow redirects.
>
> Here's what I *think* is php to implement that:
>
> - * * curl_setopt($ch, CURLOPT_USERAGENT, "Drupal AuthFAS 0.1");
> - * * curl_setopt($ch, CURLOPT_POSTFIELDS, "username=".urlencode($username)."&user_name=".url encode($username). *"&password=".urlencode($password)."&login=Login") ;
> + * * curl_setopt($ch, CURLOPT_HEADERS, "user-agent: Drupal AuthFAS 0.1; Accept: application/json;");
> + * * curl_setopt($ch, CURLOPT_POSTFIELDS, "user_name=".urlencode($username). *"&password=".urlencode($password)."&login=Login") ;
> + * * curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1)
> + * * curl_setopt($ch, CURLOPT_MAXREDIRS, 5)
>
> I could be off in the bushes with this, though. If so, here's the
> python-fedora code that connects to FAS. Checking for differences in what
> you're giving curl and what it's giving curl is pretty straightforward:
>
> http://bzr.fedorahosted.org/bzr/python-fedora/python-fedora-devel/annotate/head%3A/fedora/client/proxyclient.py#L146
>
> -Toshio

For blogs.fp.o, we used php and json to get the authentication working.

Here's a link to the code that does this:
http://git.fedorahosted.org/git/?p=fedora-infrastructure.git;a=blob;f=plugins/wordpress-mu-plugin-fasauth/fasauth.php;h=f5eee36f9f2b4187a8de91794fad933a869ba023;hb=HEAD

Hopefully this is of help.

Sijis

"Paul W. Frields" 07-14-2010 01:09 PM

Verifying a FAS instance via JSON?
 
On Sun, Jul 11, 2010 at 03:03:02PM -0400, Toshio Kuratomi wrote:
> On Sun, Jul 11, 2010 at 12:52:33PM -0400, Paul Frields wrote:
> > This is probably going to be a very naive question, so bear with me.
> > I'm trying my hand at an AuthFAS plugin for Drupal.
> >
> Note: If this is going to run outside of infrastructure it's probably best
> not to auth against FAS due to the insecurity of getting people used to
> typing their FAS credentials into third party websites. If it's going to
> run inside of infrastructure we should think about whether we want to run
> Drupal. If it's going to run on some third party against some third party
> FAS then we'd like to know who else is running FAS :-)

It's the second case, at least as far as a public test instance. One
of the things the Insight group has asked is that we investigate other
platforms, so I set about writing this plugin to try on a publictest
box against pt3's "FakeFAS" instance. It's not meant to be run on a
random server, rather in the same context that we have run a similar
Zikula plugin. Although I'm working on the code on my own box for
now, that's meant to be very short-term.

> > As part of that
> > code, I'm trying to verify the setting of a FAS instance URL, by using
> > curl to hit https://<URL>/json/ (like
> > https://admin.fedoraproject.org/accounts/json/). I give the
> > administrator an opportunity to enter FAS credentials to be used in
> > the curl process.
> >
> > The code is found here (in the authfas_admin_validate() function):
> > http://fedorapeople.org/gitweb?p=pfrields/public_git/drupal-authfas-6x.git;a=summary
> >
> > If I'm at a browser and I hit https://admin.fp.o/accounts/json/
> > directly, I have to enter my username/passphrase, and then I get a
> > JSON result that includes a 'help' element, which is what I'm checking
> > for in the code. This is sort of an optional step, really. I wanted to
> > make it possible for people to know if they made a typo in the URL.
> > But if I have to drop that validation step, and simply depend on the
> > admin to get it right, that's probably acceptable. Maybe I'm trying to
> > be too clever.
> >
> > In any case, regardless of the username and password I use, I don't
> > get back a positive result. It's possible that's because I'm getting a
> > login or some sort of CSRF intermediary request. I confess I haven't
> > had a ton of time to dig deeply into the problem. I was hoping someone
> > here would be able to say, "Here's something you need to do if you're
> > using curl like that...". The curl code here is drawn from the
> > original Auth_FAS.php on the wiki, but I'm not sure if the changes I
> > made are all kosher.
> >
> Are you just trying to get username/password verification from fas? or are
> you trying to get fas to give you a cookie that fas verifies is correct
> every time? I believe our mediawiki install does the former.

The former.

> A quick look at the code leads me to believe that you aren't requesting json
> data explicitly and therefore the login page is being returned as html
> rather than json. Requesting json should make fas return an error if you
> aren't logged in/handing in valid credentials.
>
>
> A few other differences between the python-fedora implementation and this:
>
> * I think that giving "username=XXX" as a param will yield an error.
> * I think you need to have FOLLOWLOCATION=True so you follow redirects.
>
> Here's what I *think* is php to implement that:
>
> - curl_setopt($ch, CURLOPT_USERAGENT, "Drupal AuthFAS 0.1");
> - curl_setopt($ch, CURLOPT_POSTFIELDS, "username=".urlencode($username)."&user_name=".url encode($username). "&password=".urlencode($password)."&login=Logi n");
> + curl_setopt($ch, CURLOPT_HEADERS, "user-agent: Drupal AuthFAS 0.1; Accept: application/json;");
> + curl_setopt($ch, CURLOPT_POSTFIELDS, "user_name=".urlencode($username). "&password=".urlencode($password)."&login=Logi n");
> + curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1)
> + curl_setopt($ch, CURLOPT_MAXREDIRS, 5)
>
> I could be off in the bushes with this, though. If so, here's the
> python-fedora code that connects to FAS. Checking for differences in what
> you're giving curl and what it's giving curl is pretty straightforward:
>
> http://bzr.fedorahosted.org/bzr/python-fedora/python-fedora-devel/annotate/head%3A/fedora/client/proxyclient.py#L146

Thanks Toshio! I'll take a look at that code and reply here if I have
more questions.

--
Paul W. Frields http://paul.frields.org/
gpg fingerprint: 3DA6 A0AC 6D58 FEC4 0233 5906 ACDB C937 BD11 3717
http://redhat.com/ - - - - http://pfrields.fedorapeople.org/
Where open source multiplies: http://opensource.com

Mike McGrath 07-14-2010 02:05 PM

Verifying a FAS instance via JSON?
 
On Wed, 14 Jul 2010, Paul W. Frields wrote:

> On Sun, Jul 11, 2010 at 03:03:02PM -0400, Toshio Kuratomi wrote:
> > On Sun, Jul 11, 2010 at 12:52:33PM -0400, Paul Frields wrote:
> > > This is probably going to be a very naive question, so bear with me.
> > > I'm trying my hand at an AuthFAS plugin for Drupal.
> > >
> > Note: If this is going to run outside of infrastructure it's probably best
> > not to auth against FAS due to the insecurity of getting people used to
> > typing their FAS credentials into third party websites. If it's going to
> > run inside of infrastructure we should think about whether we want to run
> > Drupal. If it's going to run on some third party against some third party
> > FAS then we'd like to know who else is running FAS :-)
>
> It's the second case, at least as far as a public test instance. One
> of the things the Insight group has asked is that we investigate other
> platforms, so I set about writing this plugin to try on a publictest
> box against pt3's "FakeFAS" instance. It's not meant to be run on a
> random server, rather in the same context that we have run a similar
> Zikula plugin. Although I'm working on the code on my own box for
> now, that's meant to be very short-term.
>
> > > As part of that
> > > code, I'm trying to verify the setting of a FAS instance URL, by using
> > > curl to hit https://<URL>/json/ (like
> > > https://admin.fedoraproject.org/accounts/json/). I give the
> > > administrator an opportunity to enter FAS credentials to be used in
> > > the curl process.
> > >
> > > The code is found here (in the authfas_admin_validate() function):
> > > http://fedorapeople.org/gitweb?p=pfrields/public_git/drupal-authfas-6x.git;a=summary
> > >
> > > If I'm at a browser and I hit https://admin.fp.o/accounts/json/
> > > directly, I have to enter my username/passphrase, and then I get a
> > > JSON result that includes a 'help' element, which is what I'm checking
> > > for in the code. This is sort of an optional step, really. I wanted to
> > > make it possible for people to know if they made a typo in the URL.
> > > But if I have to drop that validation step, and simply depend on the
> > > admin to get it right, that's probably acceptable. Maybe I'm trying to
> > > be too clever.
> > >
> > > In any case, regardless of the username and password I use, I don't
> > > get back a positive result. It's possible that's because I'm getting a
> > > login or some sort of CSRF intermediary request. I confess I haven't
> > > had a ton of time to dig deeply into the problem. I was hoping someone
> > > here would be able to say, "Here's something you need to do if you're
> > > using curl like that...". The curl code here is drawn from the
> > > original Auth_FAS.php on the wiki, but I'm not sure if the changes I
> > > made are all kosher.
> > >
> > Are you just trying to get username/password verification from fas? or are
> > you trying to get fas to give you a cookie that fas verifies is correct
> > every time? I believe our mediawiki install does the former.
>
> The former.
>
> > A quick look at the code leads me to believe that you aren't requesting json
> > data explicitly and therefore the login page is being returned as html
> > rather than json. Requesting json should make fas return an error if you
> > aren't logged in/handing in valid credentials.
> >
> >
> > A few other differences between the python-fedora implementation and this:
> >
> > * I think that giving "username=XXX" as a param will yield an error.
> > * I think you need to have FOLLOWLOCATION=True so you follow redirects.
> >
> > Here's what I *think* is php to implement that:
> >
> > - curl_setopt($ch, CURLOPT_USERAGENT, "Drupal AuthFAS 0.1");
> > - curl_setopt($ch, CURLOPT_POSTFIELDS, "username=".urlencode($username)."&user_name=".url encode($username). "&password=".urlencode($password)."&login=Logi n");
> > + curl_setopt($ch, CURLOPT_HEADERS, "user-agent: Drupal AuthFAS 0.1; Accept: application/json;");
> > + curl_setopt($ch, CURLOPT_POSTFIELDS, "user_name=".urlencode($username). "&password=".urlencode($password)."&login=Logi n");
> > + curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1)
> > + curl_setopt($ch, CURLOPT_MAXREDIRS, 5)
> >
> > I could be off in the bushes with this, though. If so, here's the
> > python-fedora code that connects to FAS. Checking for differences in what
> > you're giving curl and what it's giving curl is pretty straightforward:
> >
> > http://bzr.fedorahosted.org/bzr/python-fedora/python-fedora-devel/annotate/head%3A/fedora/client/proxyclient.py#L146
>
> Thanks Toshio! I'll take a look at that code and reply here if I have
> more questions.
>

I'm happy to help and check this. Feel free to ping me on IRC.

-Mike

"Paul W. Frields" 07-16-2010 06:15 AM

Verifying a FAS instance via JSON?
 
On Wed, Jul 14, 2010 at 09:05:20AM -0500, Mike McGrath wrote:
> On Wed, 14 Jul 2010, Paul W. Frields wrote:
>
> > On Sun, Jul 11, 2010 at 03:03:02PM -0400, Toshio Kuratomi wrote:
> > > On Sun, Jul 11, 2010 at 12:52:33PM -0400, Paul Frields wrote:
> > > > This is probably going to be a very naive question, so bear with me.
> > > > I'm trying my hand at an AuthFAS plugin for Drupal.
> > > >
> > > Note: If this is going to run outside of infrastructure it's probably best
> > > not to auth against FAS due to the insecurity of getting people used to
> > > typing their FAS credentials into third party websites. If it's going to
> > > run inside of infrastructure we should think about whether we want to run
> > > Drupal. If it's going to run on some third party against some third party
> > > FAS then we'd like to know who else is running FAS :-)
> >
> > It's the second case, at least as far as a public test instance. One
> > of the things the Insight group has asked is that we investigate other
> > platforms, so I set about writing this plugin to try on a publictest
> > box against pt3's "FakeFAS" instance. It's not meant to be run on a
> > random server, rather in the same context that we have run a similar
> > Zikula plugin. Although I'm working on the code on my own box for
> > now, that's meant to be very short-term.
> >
> > > > As part of that
> > > > code, I'm trying to verify the setting of a FAS instance URL, by using
> > > > curl to hit https://<URL>/json/ (like
> > > > https://admin.fedoraproject.org/accounts/json/). I give the
> > > > administrator an opportunity to enter FAS credentials to be used in
> > > > the curl process.
> > > >
> > > > The code is found here (in the authfas_admin_validate() function):
> > > > http://fedorapeople.org/gitweb?p=pfrields/public_git/drupal-authfas-6x.git;a=summary
> > > >
> > > > If I'm at a browser and I hit https://admin.fp.o/accounts/json/
> > > > directly, I have to enter my username/passphrase, and then I get a
> > > > JSON result that includes a 'help' element, which is what I'm checking
> > > > for in the code. This is sort of an optional step, really. I wanted to
> > > > make it possible for people to know if they made a typo in the URL.
> > > > But if I have to drop that validation step, and simply depend on the
> > > > admin to get it right, that's probably acceptable. Maybe I'm trying to
> > > > be too clever.
> > > >
> > > > In any case, regardless of the username and password I use, I don't
> > > > get back a positive result. It's possible that's because I'm getting a
> > > > login or some sort of CSRF intermediary request. I confess I haven't
> > > > had a ton of time to dig deeply into the problem. I was hoping someone
> > > > here would be able to say, "Here's something you need to do if you're
> > > > using curl like that...". The curl code here is drawn from the
> > > > original Auth_FAS.php on the wiki, but I'm not sure if the changes I
> > > > made are all kosher.
> > > >
> > > Are you just trying to get username/password verification from fas? or are
> > > you trying to get fas to give you a cookie that fas verifies is correct
> > > every time? I believe our mediawiki install does the former.
> >
> > The former.
> >
> > > A quick look at the code leads me to believe that you aren't requesting json
> > > data explicitly and therefore the login page is being returned as html
> > > rather than json. Requesting json should make fas return an error if you
> > > aren't logged in/handing in valid credentials.
> > >
> > >
> > > A few other differences between the python-fedora implementation and this:
> > >
> > > * I think that giving "username=XXX" as a param will yield an error.
> > > * I think you need to have FOLLOWLOCATION=True so you follow redirects.
> > >
> > > Here's what I *think* is php to implement that:
> > >
> > > - curl_setopt($ch, CURLOPT_USERAGENT, "Drupal AuthFAS 0.1");
> > > - curl_setopt($ch, CURLOPT_POSTFIELDS, "username=".urlencode($username)."&user_name=".url encode($username). "&password=".urlencode($password)."&login=Logi n");
> > > + curl_setopt($ch, CURLOPT_HEADERS, "user-agent: Drupal AuthFAS 0.1; Accept: application/json;");
> > > + curl_setopt($ch, CURLOPT_POSTFIELDS, "user_name=".urlencode($username). "&password=".urlencode($password)."&login=Logi n");
> > > + curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1)
> > > + curl_setopt($ch, CURLOPT_MAXREDIRS, 5)
> > >
> > > I could be off in the bushes with this, though. If so, here's the
> > > python-fedora code that connects to FAS. Checking for differences in what
> > > you're giving curl and what it's giving curl is pretty straightforward:
> > >
> > > http://bzr.fedorahosted.org/bzr/python-fedora/python-fedora-devel/annotate/head%3A/fedora/client/proxyclient.py#L146
> >
> > Thanks Toshio! I'll take a look at that code and reply here if I have
> > more questions.
> >
>
> I'm happy to help and check this. Feel free to ping me on IRC.

Removing the "username" parameter and adding the FOLLOWLOCATION option
seems to have fixed the problem.

http://fedorapeople.org/gitweb?p=pfrields/public_git/drupal-authfas-6x.git;a=commit;h=312e19c82070c38a91f1e7437efdaefe1c4c41c5

