Verifying a FAS instance via JSON?

Toshio Kuratomi a.badger at gmail.com
Sun Jul 11 19:03:02 UTC 2010


On Sun, Jul 11, 2010 at 12:52:33PM -0400, Paul Frields wrote:
> This is probably going to be a very naive question, so bear with me.
> I'm trying my hand at an AuthFAS plugin for Drupal.
>
Note: If this is going to run outside of infrastructure it's probably best
not to auth against FAS due to the insecurity of getting people used to
typing their FAS credentials into third party websites. If it's going to
run inside of infrastructure we should think about whether we want to run
Drupal. If it's going to run on some third party against some third party
FAS then we'd like to know who else is running FAS :-)

> As part of that
> code, I'm trying to verify the setting of a FAS instance URL, by using
> curl to hit https://<URL>/json/ (like
> https://admin.fedoraproject.org/accounts/json/). I give the
> administrator an opportunity to enter FAS credentials to be used in
> the curl process.
> 
> The code is found here (in the authfas_admin_validate() function):
> http://fedorapeople.org/gitweb?p=pfrields/public_git/drupal-authfas-6x.git;a=summary
> 
> If I'm at a browser and I hit https://admin.fp.o/accounts/json/
> directly, I have to enter my username/passphrase, and then I get a
> JSON result that includes a 'help' element, which is what I'm checking
> for in the code. This is sort of an optional step, really. I wanted to
> make it possible for people to know if they made a typo in the URL.
> But if I have to drop that validation step, and simply depend on the
> admin to get it right, that's probably acceptable. Maybe I'm trying to
> be too clever.
> 
> In any case, regardless of the username and password I use, I don't
> get back a positive result. It's possible that's because I'm getting a
> login or some sort of CSRF intermediary request. I confess I haven't
> had a ton of time to dig deeply into the problem. I was hoping someone
> here would be able to say, "Here's something you need to do if you're
> using curl like that...".  The curl code here is drawn from the
> original Auth_FAS.php on the wiki, but I'm not sure if the changes I
> made are all kosher.
> 
Are you just trying to get username/password verification from fas? Or are
you trying to get fas to give you a cookie that fas verifies is correct
every time? I believe our mediawiki install does the former.

A quick look at the code leads me to believe that you aren't requesting json
data explicitly and therefore the login page is being returned as html
rather than json.  Requesting json should make fas return an error if you
aren't logged in/handing in valid credentials.


A few other differences between the python-fedora implementation and this:

* I think that giving "username=XXX" as a param will yield an error.
* I think you need to have FOLLOWLOCATION=True so you follow redirects.

Here's what I *think* is php to implement that:

-     curl_setopt($ch, CURLOPT_USERAGENT, "Drupal AuthFAS 0.1");
-     curl_setopt($ch, CURLOPT_POSTFIELDS, "username=".urlencode($username)."&user_name=".urlencode($username).  "&password=".urlencode($password)."&login=Login");
+     curl_setopt($ch, CURLOPT_HEADERS, "user-agent: Drupal AuthFAS 0.1; Accept: application/json;");
+     curl_setopt($ch, CURLOPT_POSTFIELDS, "user_name=".urlencode($username).  "&password=".urlencode($password)."&login=Login");
+     curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1)
+     curl_setopt($ch, CURLOPT_MAXREDIRS, 5)
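Review bot: `CURLOPT_HEADERS` on the first `+` line is not a PHP cURL option; the constant is `CURLOPT_HTTPHEADER`, and it takes an array of one `"Name: value"` string per header rather than a single semicolon-joined string, so the User-Agent and Accept headers need to be separate elements, e.g. `curl_setopt($ch, CURLOPT_HTTPHEADER, array("User-Agent: Drupal AuthFAS 0.1", "Accept: application/json"));` (or keep the removed `CURLOPT_USERAGENT` line and pass only the Accept header). The last two `+` lines are also missing their trailing semicolons. One caveat on `CURLOPT_FOLLOWLOCATION`: if the login POST is answered with a 301/302, curl follows it as a GET without the form body, so the credentials are not re-sent to the redirected URL; check that the JSON reply comes from the login response itself rather than from a followed redirect.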

I could be off in the bushes with this, though.  If so, here's the
python-fedora code that connects to FAS.  Checking for differences in what
you're giving curl and what it's giving curl is pretty straightforward:

http://bzr.fedorahosted.org/bzr/python-fedora/python-fedora-devel/annotate/head%3A/fedora/client/proxyclient.py#L146

-Toshio
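As an added, runnable illustration of the validation step discussed in this thread (not code from the original mail, from Paul's Drupal module or from python-fedora): a small Python version that posts user_name/password/login=Login with an explicit Accept: application/json header, then tells a JSON reply carrying the 'help' element apart from the HTML login page that comes back when JSON is not requested. The FAS base URL and the sample reply bodies are constructed for the example.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Hypothetical FAS base URL (the real one in the thread is admin.fedoraproject.org/accounts).
FAS_URL = "https://fas.example.org/accounts"


def build_fas_login_request(fas_url, username, password):
    """Login POST as the thread describes it: form fields user_name / password /
    login=Login and an explicit Accept header so FAS answers with JSON rather
    than the HTML login page. The User-Agent goes in its own header."""
    body = urllib.parse.urlencode(
        {"user_name": username, "password": password, "login": "Login"}
    ).encode("ascii")
    headers = {
        "User-Agent": "Drupal AuthFAS 0.1",
        "Accept": "application/json",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return urllib.request.Request(
        fas_url.rstrip("/") + "/json/", data=body, headers=headers, method="POST"
    )


def classify_fas_response(body):
    """'ok': JSON with the 'help' element (URL and credentials verified);
    'error': JSON without it (FAS rejected the login);
    'not_json': HTML came back, the symptom of a missing Accept header."""
    try:
        doc = json.loads(body.decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        return "not_json"
    return "ok" if isinstance(doc, dict) and "help" in doc else "error"


def verify_fas_url(fas_url, username, password, opener=urllib.request.urlopen):
    """Send the login request and classify the reply. `opener` is injectable so
    the check can be exercised offline against a canned response body."""
    req = build_fas_login_request(fas_url, username, password)
    try:
        resp = opener(req)
    except urllib.error.HTTPError as err:  # a rejected login may come as 4xx + JSON
        resp = err
    return classify_fas_response(resp.read())


# Constructed sample replies, not captured from a real FAS instance.
SAMPLE_OK = b'{"help": "Use one of the following methods", "tg_flash": null}'
SAMPLE_LOGIN_HTML = b"<html><body><form action='/accounts/login'></form></body></html>"
```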