On Wed, Jul 14, 2010 at 09:05:20AM -0500, Mike McGrath wrote:
> On Wed, 14 Jul 2010, Paul W. Frields wrote:
>
> > On Sun, Jul 11, 2010 at 03:03:02PM -0400, Toshio Kuratomi wrote:
> > > On Sun, Jul 11, 2010 at 12:52:33PM -0400, Paul Frields wrote:
> > > > This is probably going to be a very naive question, so bear with me.
> > > > I'm trying my hand at an AuthFAS plugin for Drupal.
> > > >
> > > Note: If this is going to run outside of infrastructure it's probably best
> > > not to auth against FAS due to the insecurity of getting people used to
> > > typing their FAS credentials into third party websites. If it's going to
> > > run inside of infrastructure we should think about whether we want to run
> > > Drupal. If it's going to run on some third party against some third party
> > > FAS then we'd like to know who else is running FAS :-)
> >
> > It's the second case, at least as far as a public test instance. One
> > of the things the Insight group has asked is that we investigate other
> > platforms, so I set about writing this plugin to try on a publictest
> > box against pt3's "FakeFAS" instance. It's not meant to be run on a
> > random server, rather in the same context that we have run a similar
> > Zikula plugin. Although I'm working on the code on my own box for
> > now, that's meant to be very short-term.
> >
> > > > As part of that
> > > > code, I'm trying to verify the setting of a FAS instance URL, by using
> > > > curl to hit https://<URL>/json/ (like
> > > > https://admin.fedoraproject.org/accounts/json/). I give the
> > > > administrator an opportunity to enter FAS credentials to be used in
> > > > the curl process.
> > > >
> > > > The code is found here (in the authfas_admin_validate() function):
> > > > http://fedorapeople.org/gitweb?p=pfrields/public_git/drupal-authfas-6x.git;a=summary
> > > >
> > > > If I'm at a browser and I hit https://admin.fp.o/accounts/json/
> > > > directly, I have to enter my username/passphrase, and then I get a
> > > > JSON result that includes a 'help' element, which is what I'm checking
> > > > for in the code. This is sort of an optional step, really. I wanted to
> > > > make it possible for people to know if they made a typo in the URL.
> > > > But if I have to drop that validation step, and simply depend on the
> > > > admin to get it right, that's probably acceptable. Maybe I'm trying to
> > > > be too clever.
> > > >
> > > > In any case, regardless of the username and password I use, I don't
> > > > get back a positive result. It's possible that's because I'm getting a
> > > > login or some sort of CSRF intermediary request. I confess I haven't
> > > > had a ton of time to dig deeply into the problem. I was hoping someone
> > > > here would be able to say, "Here's something you need to do if you're
> > > > using curl like that...". The curl code here is drawn from the
> > > > original Auth_FAS.php on the wiki, but I'm not sure if the changes I
> > > > made are all kosher.
> > > >
> > > Are you just trying to get username/password verification from fas? or are
> > > you trying to get fas to give you a cookie that fas verifies is correct
> > > every time? I believe our mediawiki install does the former.
> >
> > The former.
> >
> > > A quick look at the code leads me to believe that you aren't requesting json
> > > data explicitly and therefore the login page is being returned as html
> > > rather than json. Requesting json should make fas return an error if you
> > > aren't logged in/handing in valid credentials.
> > >
> > >
> > > A few other differences between the python-fedora implementation and this:
> > >
> > > * I think that giving "username=XXX" as a param will yield an error.
> > > * I think you need to have FOLLOWLOCATION=True so you follow redirects.
> > >
> > > Here's what I *think* is php to implement that:
> > >
> > > - curl_setopt($ch, CURLOPT_USERAGENT, "Drupal AuthFAS 0.1"); > > > - curl_setopt($ch, CURLOPT_POSTFIELDS, "username=".urlencode($username)."&user_name=".urlencode($username). "&password=".urlencode($password)."&login=Login"); > > > + curl_setopt($ch, CURLOPT_HEADERS, "user-agent: Drupal AuthFAS 0.1; Accept: application/json;"); > > > + curl_setopt($ch, CURLOPT_POSTFIELDS, "user_name=".urlencode($username). "&password=".urlencode($password)."&login=Login"); > > > + curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1) > > > + curl_setopt($ch, CURLOPT_MAXREDIRS, 5)
> > >
> > > I could be off in the bushes with this, though. If so, here's the
> > > python-fedora code that connects to FAS. Checking for differences in what
> > > you're giving curl and what it's giving curl is pretty straightforward:
> > >
> > > http://bzr.fedorahosted.org/bzr/python-fedora/python-fedora-devel/annotate/head%3A/fedora/client/proxyclient.py#L146
> >
> > Thanks Toshio! I'll take a look at that code and reply here if I have
> > more questions.
> >
>
> I'm happy to help and check this. Feel free to ping me on IRC.

Removing the "username" parameter and adding the FOLLOWLOCATION option
seems to have fixed the problem.

http://fedorapeople.org/gitweb?p=pfrields/public_git/drupal-authfas-6x.git;a=commit;h=312e19c82070c38a91f1e7437efdaefe1c4c41c5

--
Paul W. Frields http://paul.frields.org/
gpg fingerprint: 3DA6 A0AC 6D58 FEC4 0233 5906 ACDB C937 BD11 3717
http://redhat.com/ - - - - http://pfrields.fedorapeople.org/
Where open source multiplies: http://opensource.com
_______________________________________________
infrastructure mailing list
infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/infrastructure
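
Review bot: `CURLOPT_HEADERS` in the first added line of the quoted patch is not a PHP cURL option, so the `Accept: application/json` header the change relies on would not be sent. Request headers go through `CURLOPT_HTTPHEADER` as an array with one header per element, for example `curl_setopt($ch, CURLOPT_HTTPHEADER, array("Accept: application/json"));`, and the user agent can stay in the `CURLOPT_USERAGENT` call that the patch removes instead of being packed into a semicolon-joined string. The last two added lines (`CURLOPT_FOLLOWLOCATION` and `CURLOPT_MAXREDIRS`) are missing their terminating semicolons. Because this handle POSTs a username and password, it is also worth limiting what a redirect may switch to, e.g. `curl_setopt($ch, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTPS);`, so that following a `Location:` header cannot move the exchange to plain HTTP.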