EMDIS-ECS
view release on metacpan or search on metacpan
docker/qpid-broker-python/pybroker.py view on Meta::CPAN
def on_start(self, event):
if self.debug >= 1:
print('on_start: {}'.format(event))
ssl_domain = SSLDomain(SSLDomain.MODE_SERVER)
# SSL trust store (e.g. PEM file containing trusted CA certificate(s))
if self.truststore:
ssl_domain.set_trusted_ca_db(self.truststore)
# server certificate
if self.sslkey:
ssl_domain.set_credentials(self.sslcert, self.sslkey, self.sslpass)
self.acceptor = event.container.listen(url=self.url, ssl_domain=ssl_domain)
def _queue(self, address):
if address not in self.queues:
self.queues[address] = Queue()
return self.queues[address]
def on_connection_init(self, event):
if self.debug >= 1:
script/ecs_amqp_recv.py view on Meta::CPAN
self.virtual_host = vhost
# SSL trust store
self.truststore = truststore
# client-side SSL certificate
self.sslcert = sslcert
self.sslkey = sslkey
self.sslpass = sslpass
# authentication credentials
self.username = username
self.password = password
# inactivity timeout
self.inactivity_timestamp = 0
self.inactivity_threshold = timeout
# output dir
self.outputdir = outputdir
self.hextrans = str.maketrans('0123456789abcdef', 'BCDFGHJKLMNPQRST')
script/ecs_amqp_recv.py view on Meta::CPAN
ssl_domain.set_trusted_ca_db(self.truststore)
if True:
# use trust store to verify peer's (e.g. broker's) SSL certificate
ssl_domain.set_peer_authentication(SSLDomain.VERIFY_PEER)
else:
# verify hostname on peer's (e.g. broker's) SSL certificate
ssl_domain.set_peer_authentication(SSLDomain.VERIFY_PEER_NAME)
# client-side certificate
if self.sslkey:
ssl_domain.set_credentials(self.sslcert, self.sslkey, self.sslpass)
if self.username:
# username and password authentication
self.connection = event.container.connect(url=self.url,
ssl_domain=ssl_domain,
user=self.username,
password = self.password,
allow_insecure_mechs=False,
sasl_enabled=True,
allowed_mechs="PLAIN",
script/ecs_amqp_send.py view on Meta::CPAN
self.virtual_host = vhost
# SSL trust store
self.truststore = truststore
# client-side SSL certificate
self.sslcert = sslcert
self.sslkey = sslkey
self.sslpass = sslpass
# authentication credentials
self.username = username
self.password = password
# input file
self.inputfile = inputfile
if self.inputfile == '-':
self.inputfile = sys.stdin.fileno()
# application defined message properties
self.application_defined_message_properties = None
script/ecs_amqp_send.py view on Meta::CPAN
ssl_domain.set_trusted_ca_db(self.truststore)
if True:
# use trust store to verify peer's (e.g. broker's) SSL certificate
ssl_domain.set_peer_authentication(SSLDomain.VERIFY_PEER)
else:
# verify hostname on peer's (e.g. broker's) SSL certificate
ssl_domain.set_peer_authentication(SSLDomain.VERIFY_PEER_NAME)
# client-side certificate
if self.sslkey:
ssl_domain.set_credentials(self.sslcert, self.sslkey, self.sslpass)
if self.username:
# basic username and password authentication
event.container.connect(url=self.url,
ssl_domain=ssl_domain,
user=self.username,
password = self.password,
allow_insecure_mechs=False,
sasl_enabled=True,
allowed_mechs="PLAIN",
script/ecs_token view on Meta::CPAN
token_endpoint => 'emdis/ecs/oauth/token_endpoint',
};
my $SECSTOR_TIMELIMIT = 3;
my $CACHED_TOKEN_EXPIRATION_MARGIN = 600;
# add --nocache option
my $USAGE =
"Usage:$/" .
" ecs_token <command> [options]$/" .
"Where:$/" .
" <command> is code, credentials, or refresh$/" .
" code [options] are:$/" .
" --auth_endpoint <auth_endpoint>$/" .
" --client_id <client_id>$/" .
" --client_secret <client_secret>$/" .
" --nocache$/" .
" --redirect_uri <redirect_uri>$/" .
" --scope <scope>$/" .
" --token_endpoint <token_endpoint>$/" .
" credentials [options] are:$/" .
" --client_id <client_id>$/" .
" --client_secret <client_secret>$/" .
" --nocache$/" .
" --scope <scope>$/" .
" --token_endpoint <token_endpoint>$/" .
" refresh [options] are:$/" .
" --client_id <client_id>$/" .
" --client_secret <client_secret>$/" .
" --nocache$/" .
" --refresh_token <refresh_token>$/" .
script/ecs_token view on Meta::CPAN
" perldoc ecs_token$/";
my %options = ();
GetOptions(\%options, 'auth_endpoint=s', 'client_id=s', 'client_secret=s',
'nocache', 'redirect_uri=s', 'refresh_token=s', 'scope=s',
'token_endpoint=s')
or die "Error - Unrecognized command line option$/" . $USAGE;
my $command = ($#ARGV == 0 ? $ARGV[0] : '');
die "Error - unrecognized, invalid, or missing <command>$/" . $USAGE
unless $command eq 'code' or $command eq 'credentials' or $command eq 'refresh';
# if configured, have gpg-agent cache GnuPG passphrase used by "pass"
if(exists $ENV{PASS_GPG_KEYGRIP} and exists $ENV{PASS_GPG_PASSPHRASE}) {
# default (linux) location of gpg-preset-passphrase program is in
# /usr/libexec (not on PATH)
my $gpg_preset_passphrase = exists $ENV{GPG_PRESET_PASSPHRASE}
? $ENV{GPG_PRESET_PASSPHRASE}
: '/usr/libexec/gpg-preset-passphrase';
# use gpg-preset-passphrase to set passphrase in gpg-agent cache
script/ecs_token view on Meta::CPAN
print $OUT "New refresh token stored.$/";
die "Error - Access token not received$/"
unless exists $parsed_content->{access_token};
if(not $nocache) {
store_cached_token($response->decoded_content, $token_request_timestamp);
}
}
if($command eq 'credentials') {
# using client credentials flow ... (with client secret, not cert-based JWT)
# get configuration parameters
my $client_id = get_config_param('client_id');
my $client_secret = get_config_param('client_secret');
my $nocache = exists $options{nocache};
my $scope = get_config_param('scope');
my $token_endpoint = get_config_param('token_endpoint');
# fail fast if command line contains unsupported options
die "Error - Option(s) unsupported for \"credentials\" command$/" . $USAGE
if exists $options{auth_endpoint} or exists $options{redirect_uri}
or exists $options{refresh_token};
if(not $nocache) {
# use cached token if available
my $cached_token = get_cached_token();
if($cached_token) {
print $cached_token, $/;
exit 0;
}
}
my $token_request_timestamp = time;
# use client id, client secret, and resource to request access token
# from token endpoint
my $response = $user_agent->post($token_endpoint, [
client_id => $client_id,
client_secret => $client_secret,
scope => $scope,
grant_type => 'client_credentials',
]);
die "Error - Access token request failed: " . $response->status_line . $/ .
$response->decoded_content . $/
unless $response->is_success;
# parse JSON response content
my $parsed_content = decode_json($response->decoded_content);
die "Error - Unexpected response content: " . ref($parsed_content) . $/
script/ecs_token view on Meta::CPAN
ecs_token - Use OAuth 2.0 refresh token to get new access token
=head1 SYNOPSIS
ecs_token code
(use web browser to log in to EMDIS email account)
(open displayed URL in web browser and follow flow to get auth code)
(paste auth code at input prompt)
ecs_token credentials
ecs_token refresh
=head1 DESCRIPTION
C<ecs_token> offers support for obtaining an OAuth 2.0 access token. A
valid OAuth 2.0 access token is needed when connecting to email services
that require "modern" SASL XOAUTH2 or OAUTHBEARER authentication.
When successful, the output of the non-interactive C<ecs_token credentials>
and C<ecs_token refresh> commands match the requirements of the
INBOX_OAUTH_TOKEN_CMD and SMTP_OAUTH_TOKEN_CMD configuration settings
for EMDIS::ECS.
To securely store the client id, client secret, refresh token and related
parameters, C<ecs_token> uses the C<pass> (passwordstore.org) command-line
password manager, which stores its data in gpg-encrypted files.
Note: Due to variations in OAuth 2.0 identity provider setup requirements
and implementation details, this C<ecs_token> program may not be directly
script/ecs_token view on Meta::CPAN
=over
=item code
Use authorization code flow to request new OAuth 2.0 access token and refresh
token. Displays URL for user to visit in web browser to log in and give consent.
Waits for user to enter authorization code, then uses code to request an access
token. Stores new refresh token from response to token request.
=item credentials
Use client credentials flow to request new OAuth 2.0 access token.
=item refresh
Use existing refresh token to request new OAuth 2.0 access token. Store new
refresh token if present in response to token request.
=back
=head2 Configuration Parameters
script/ecs_token view on Meta::CPAN
=item cached_token_timestamp
Not a true configuration parameter, but only a secure storage location to
hold a timestamp for the most recent token response. To avoid a secure
storage retrieval error, initialize this to the value '0' (zero).
=item client_id
OAuth 2.0 client id. Required by the C<ecs_token code>,
C<ecs_token credentials>, and C<ecs_token refresh> commands. Example value:
1083558311832-0q5ul7ffdg6n4fj1p1to6rae88hvhsha.apps.googleusercontent.com
=item client_secret
OAuth 2.0 client secret. Required by the C<ecs_token code>,
C<ecs_token credentials>, and C<ecs_token refresh> commands. Example value:
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
=item nocache
This flag can only be set via the command line, not via secure storage.
When nocache is set, the program will not attempt to retrieve a cached
access token from storage or cache a new access token for future use.
=item redirect_uri
script/ecs_token view on Meta::CPAN
OAuth 2.0 refresh token, for refresh token flow. Required by the
C<ecs_token refresh> command. Initialized by the C<ecs_token code>
command. May also be populated by the C<ecs_token refresh> command.
Example value:
1//04Gei0xdQmoxKCgYIARAAGAQSNwF-L9IrizgSeuBmjQf7RNSPpAKUK-wsOFcDicS8jZEmusXSppx09bFyehICh4WkGqRrUj73OH0
=item scope
OAuth 2.0 scope. Required by the C<ecs_token code> and
C<ecs_token credentials> commands. Example values:
https://mail.google.com/
https://outlook.office365.com/.default
=item token_endpoint
OAuth 2.0 token endpoint. Required by the C<ecs_token code>,
C<ecs_token credentials>, and C<ecs_token refresh> commands. Example
values:
https://accounts.google.com/o/oauth2/token
https://login.microsoftonline.com/[tenant_id]/oauth2/v2.0/token
=back
=head1 SETUP
=head2 GnuPG
script/ecs_token view on Meta::CPAN
click the I<Next> button. Under I<Audience> select I<External> and click
the I<Next> button. Under I<Contact information> enter I<Email addresses>
and click the I<Next> button. Under I<Finish> click the I<I agree ...>
checkbox and click the I<Continue> button. Then, click the I<Create>
button.
=item 5.
Create OAuth 2.0 client ID for Perl ECS app. In I<Google Cloud> console,
select I<Navigation menu> > I<APIs & Services> > I<Credentials>. On the
I<Credentials> page, click the I<+ Create credentials> button and select
I<OAuth client ID> from the drop-down menu. On the I<Create OAuth client ID>
page select I<Web application> as the I<Application type> and enter an
appropriate name for the app (e.g. "Perl ECS"). Under
I<Authorized redirect URIs> click the I<+ Add URI> button and enter the
following URI (as mentioned in the C<oauth.py> script):
https://google.github.io/gmail-oauth2-tools/html/oauth2.dance.html
Then, click the I<Create> button.
( run in 0.450 second using v1.01-cache-2.11-cpan-2b1a40005be )