On Sun, Jul 11, 2010 at 03:03:02PM -0400, Toshio Kuratomi wrote:
On Sun, Jul 11, 2010 at 12:52:33PM -0400, Paul Frields wrote:
> This is probably going to be a very naive question, so bear with me.
> I'm trying my hand at an AuthFAS plugin for Drupal.
>
Note: If this is going to run outside of infrastructure it's probably best
not to auth against FAS due to the insecurity of getting people used to
typing their FAS credentials into third party websites. If it's going to
run inside of infrastructure we should think about whether we want to run
Drupal. If it's going to run on some third party against some third party
FAS then we'd like to know who else is running FAS :-)
It's the second case, at least as far as a public test instance. One
of the things the Insight group has asked is that we investigate other
platforms, so I set about writing this plugin to try on a publictest
box against pt3's "FakeFAS" instance. It's not meant to be run on a
random server, rather in the same context that we have run a similar
Zikula plugin. Although I'm working on the code on my own box for
now, that's meant to be very short-term.
> As part of that
> code, I'm trying to verify the setting of a FAS instance URL, by using
> curl to hit https://<URL>/json/ (like
> https://admin.fedoraproject.org/accounts/json/). I give the
> administrator an opportunity to enter FAS credentials to be used in
> the curl process.
>
> The code is found here (in the authfas_admin_validate() function):
> http://fedorapeople.org/gitweb?p=pfrields/public_git/drupal-authfas-6x.gi...
>
> If I'm at a browser and I hit
> https://admin.fp.o/accounts/json/
> directly, I have to enter my username/passphrase, and then I get a
> JSON result that includes a 'help' element, which is what I'm checking
> for in the code. This is sort of an optional step, really. I wanted to
> make it possible for people to know if they made a typo in the URL.
> But if I have to drop that validation step, and simply depend on the
> admin to get it right, that's probably acceptable. Maybe I'm trying to
> be too clever.
>
> In any case, regardless of the username and password I use, I don't
> get back a positive result. It's possible that's because I'm getting a
> login or some sort of CSRF intermediary request. I confess I haven't
> had a ton of time to dig deeply into the problem. I was hoping someone
> here would be able to say, "Here's something you need to do if you're
> using curl like that...". The curl code here is drawn from the
> original Auth_FAS.php on the wiki, but I'm not sure if the changes I
> made are all kosher.
>
Are you just trying to get username/password verification from fas? or are
you trying to get fas to give you a cookie that fas verifies is correct
every time? I believe our mediawiki install does the former.
The former.
A quick look at the code leads me to believe that you aren't requesting json
data explicitly and therefore the login page is being returned as html
rather than json. Requesting json should make fas return an error if you
aren't logged in/handing in valid credentials.
A few other differences between the python-fedora implementation and this:
* I think that giving "username=XXX" as a param will yield an error.
* I think you need to have FOLLOWLOCATION=True so you follow redirects.
Here's what I *think* is php to implement that:
- curl_setopt($ch, CURLOPT_USERAGENT, "Drupal AuthFAS 0.1");
- curl_setopt($ch, CURLOPT_POSTFIELDS,
"username=".urlencode($username)."&user_name=".urlencode($username).
"&password=".urlencode($password)."&login=Login");
+ curl_setopt($ch, CURLOPT_HEADERS, "user-agent: Drupal AuthFAS 0.1; Accept:
application/json;");
+ curl_setopt($ch, CURLOPT_POSTFIELDS, "user_name=".urlencode($username).
"&password=".urlencode($password)."&login=Login");
+ curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1)
+ curl_setopt($ch, CURLOPT_MAXREDIRS, 5)
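Review bot: the added header line uses CURLOPT_HEADERS with one string holding both headers ("user-agent: Drupal AuthFAS 0.1; Accept: application/json;"), which will not send an Accept header. PHP's cURL extension has no CURLOPT_HEADERS option; request headers go through CURLOPT_HTTPHEADER as an array with one header per element, for example array("Accept: application/json"). The removed CURLOPT_USERAGENT line can stay as it was to set the user agent. The two added lines for CURLOPT_FOLLOWLOCATION and CURLOPT_MAXREDIRS are also missing their terminating semicolons, so the code will not parse as posted. Since the point of the change is to get a JSON error rather than the HTML login page, it is worth checking the response's Content-Type after the call to confirm the Accept header took effect.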
I could be off in the bushes with this, though. If so, here's the
python-fedora code that connects to FAS. Checking for differences in what
you're giving curl and what it's giving curl is pretty straightforward:
http://bzr.fedorahosted.org/bzr/python-fedora/python-fedora-devel/annotat...
Thanks Toshio! I'll take a look at that code and reply here if I have
more questions.
--
Paul W. Frields
http://paul.frields.org/
gpg fingerprint: 3DA6 A0AC 6D58 FEC4 0233 5906 ACDB C937 BD11 3717
http://redhat.com/ - - - -
http://pfrields.fedorapeople.org/
Where open source multiplies:
http://opensource.com