Verifying a FAS instance via JSON?

Paul W. Frields stickster at gmail.com
Wed Jul 14 13:09:56 UTC 2010


On Sun, Jul 11, 2010 at 03:03:02PM -0400, Toshio Kuratomi wrote:
> On Sun, Jul 11, 2010 at 12:52:33PM -0400, Paul Frields wrote:
> > This is probably going to be a very naive question, so bear with me.
> > I'm trying my hand at an AuthFAS plugin for Drupal.
> >
> Note: If this is going to run outside of infrastructure it's probably best
> not to auth against FAS due to the insecurity of getting people used to
> typing their FAS credentials into third party websites.  If it's going to
> run inside of infrastructure we should think about whether we want to run
> Drupal.  If it's going to run on some third party against some third party
> FAS then we'd like to know who else is running FAS :-)

It's the second case, at least as far as a public test instance.  One
of the things the Insight group has asked is that we investigate other
platforms, so I set about writing this plugin to try on a publictest
box against pt3's "FakeFAS" instance.  It's not meant to be run on a
random server, rather in the same context that we have run a similar
Zikula plugin.  Although I'm working on the code on my own box for
now, that's meant to be very short-term.

> > As part of that
> > code, I'm trying to verify the setting of a FAS instance URL, by using
> > curl to hit https://<URL>/json/ (like
> > https://admin.fedoraproject.org/accounts/json/). I give the
> > administrator an opportunity to enter FAS credentials to be used in
> > the curl process.
> > 
> > The code is found here (in the authfas_admin_validate() function):
> > http://fedorapeople.org/gitweb?p=pfrields/public_git/drupal-authfas-6x.git;a=summary
> > 
> > If I'm at a browser and I hit https://admin.fp.o/accounts/json/
> > directly, I have to enter my username/passphrase, and then I get a
> > JSON result that includes a 'help' element, which is what I'm checking
> > for in the code. This is sort of an optional step, really. I wanted to
> > make it possible for people to know if they made a typo in the URL.
> > But if I have to drop that validation step, and simply depend on the
> > admin to get it right, that's probably acceptable. Maybe I'm trying to
> > be too clever.
> > 
> > In any case, regardless of the username and password I use, I don't
> > get back a positive result. It's possible that's because I'm getting a
> > login or some sort of CSRF intermediary request. I confess I haven't
> > had a ton of time to dig deeply into the problem. I was hoping someone
> > here would be able to say, "Here's something you need to do if you're
> > using curl like that...".  The curl code here is drawn from the
> > original Auth_FAS.php on the wiki, but I'm not sure if the changes I
> > made are all kosher.
> > 
> Are you just trying to get username/password verification from fas?  Or are
> you trying to get fas to give you a cookie that fas verifies is correct
> every time?  I believe our mediawiki install does the former.

The former.

> A quick look at the code leads me to believe that you aren't requesting json
> data explicitly and therefore the login page is being returned as html
> rather than json.  Requesting json should make fas return an error if you
> aren't logged in/handing in valid credentials.
> 
> 
> A few other differences between the python-fedora implementation and this:
> 
> * I think that giving "username=XXX" as a param will yield an error.
> * I think you need to have FOLLOWLOCATION=True so you follow redirects.
> 
> Here's what I *think* is php to implement that:
> 
> -     curl_setopt($ch, CURLOPT_USERAGENT, "Drupal AuthFAS 0.1");
> -     curl_setopt($ch, CURLOPT_POSTFIELDS, "username=".urlencode($username)."&user_name=".urlencode($username).  "&password=".urlencode($password)."&login=Login");
> +     curl_setopt($ch, CURLOPT_HEADERS, "user-agent: Drupal AuthFAS 0.1; Accept: application/json;");
> +     curl_setopt($ch, CURLOPT_POSTFIELDS, "user_name=".urlencode($username).  "&password=".urlencode($password)."&login=Login");
> +     curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1)
> +     curl_setopt($ch, CURLOPT_MAXREDIRS, 5)
> 
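Review bot: `CURLOPT_HEADERS` in the first `+` line is not a PHP cURL option; the constant for custom request headers is `CURLOPT_HTTPHEADER`, and it takes an array with one string per header, so the user agent and the JSON request belong in separate entries, e.g. `curl_setopt($ch, CURLOPT_HTTPHEADER, array('User-Agent: Drupal AuthFAS 0.1', 'Accept: application/json'));` (or keep the existing `CURLOPT_USERAGENT` line and add only the `Accept` header). Joining both into one `;`-separated string would send a single malformed header, FAS would still see no `Accept: application/json`, and the HTML login page would keep coming back. The last two `+` lines are also missing their trailing semicolons. One caveat on `CURLOPT_FOLLOWLOCATION`: libcurl switches a POST to a GET when it follows a 301/302 redirect unless `CURLOPT_POSTREDIR` is set, so if the login POST is redirected, the `CURLOPT_POSTFIELDS` credentials are not resent; the caller should check the status code and content type of the final response rather than assume the followed request was authenticated.
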
> I could be off in the bushes with this, though.  If so, here's the
> python-fedora code that connects to FAS.  Checking for differences in what
> you're giving curl and what it's giving curl is pretty straightforward:
> 
> http://bzr.fedorahosted.org/bzr/python-fedora/python-fedora-devel/annotate/head%3A/fedora/client/proxyclient.py#L146

Thanks Toshio!  I'll take a look at that code and reply here if I have
more questions.

-- 
Paul W. Frields                                http://paul.frields.org/
  gpg fingerprint: 3DA6 A0AC 6D58 FEC4 0233  5906 ACDB C937 BD11 3717
  http://redhat.com/   -  -  -  -   http://pfrields.fedorapeople.org/
          Where open source multiplies: http://opensource.com
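Pulling the thread's suggestions together, here is an added example of the URL check described above. It is not code from the drupal-authfas repository or from python-fedora; the function name `authfas_check_json_endpoint`, its return shape and the TLS verification and timeout settings are my additions, while the form fields (`user_name`, `password`, `login=Login`), the `Accept: application/json` header, redirect following and the test for a `help` element come from the discussion.

```php
<?php
// Added example, not the drupal-authfas code discussed in the thread.
// Checks that a FAS base URL really serves the /json/ view by asking for
// JSON explicitly (so FAS returns a JSON error instead of its HTML login
// page), following redirects, and looking for the 'help' element.
// authfas_check_json_endpoint() and its return array are assumed names.

/**
 * Returns array('ok' => bool, 'reason' => string).
 */
function authfas_check_json_endpoint($fas_url, $username, $password) {
  $url = rtrim($fas_url, '/') . '/json/';

  $ch = curl_init($url);
  curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);   // hand the body back instead of echoing it
  curl_setopt($ch, CURLOPT_USERAGENT, 'Drupal AuthFAS 0.1');
  // One array entry per header; this is what makes FAS answer in JSON.
  curl_setopt($ch, CURLOPT_HTTPHEADER, array('Accept: application/json'));
  curl_setopt($ch, CURLOPT_POST, TRUE);
  // Field names as used in the thread; http_build_query() does the URL encoding.
  curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(array(
    'user_name' => $username,
    'password'  => $password,
    'login'     => 'Login',
  )));
  curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE);
  curl_setopt($ch, CURLOPT_MAXREDIRS, 5);
  // Credentials travel over this connection: insist on a valid certificate
  // that matches the host name (added hardening, not from the thread).
  curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, TRUE);
  curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
  curl_setopt($ch, CURLOPT_TIMEOUT, 15);

  $body   = curl_exec($ch);
  $errno  = curl_errno($ch);
  $err    = curl_error($ch);
  $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
  $ctype  = curl_getinfo($ch, CURLINFO_CONTENT_TYPE);
  curl_close($ch);

  if ($errno !== 0) {
    // Covers DNS failures, connection refused and certificate problems.
    return array('ok' => FALSE, 'reason' => "curl error: $err");
  }
  if ($status !== 200) {
    return array('ok' => FALSE, 'reason' => "HTTP $status from $url");
  }
  // A text/html content type means the login page came back, not the JSON view.
  if (stripos((string) $ctype, 'json') === FALSE) {
    return array('ok' => FALSE, 'reason' => "expected JSON, got content type '$ctype'");
  }
  $data = json_decode($body, TRUE);
  if (!is_array($data)) {
    return array('ok' => FALSE, 'reason' => 'response body is not valid JSON');
  }
  if (empty($data['help'])) {
    // Valid JSON without 'help': wrong URL, or FAS rejected the credentials.
    return array('ok' => FALSE, 'reason' => "no 'help' element in the JSON reply");
  }
  return array('ok' => TRUE, 'reason' => 'FAS /json/ view answered');
}

// Example call with values taken from the Drupal admin form:
// $result = authfas_check_json_endpoint('https://admin.fedoraproject.org/accounts', $user, $pass);
// if (!$result['ok']) { form_set_error('authfas_url', $result['reason']); }
```

Two points for anyone adapting this: the content-type test is what distinguishes "I got the HTML login page" from "FAS answered but said no", which was the ambiguity in the original report; and because libcurl turns a redirected POST into a GET unless `CURLOPT_POSTREDIR` is set, a redirect chain that ends in a JSON error rather than a `help` element is a sign the credentials never reached the final URL, not necessarily that they were wrong.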
