GAE Python2.7 client authentication by certificate - python

I'm writing an application on GAE that is exposing a RESTlike API to a fixed number of remote servers which may be using any OS/software. At the moment I'm pondering how to identify and authenticate these remote servers painlessly.
I'm trying to avoid having to program too much of this myself for obvious security concerns.
If I were on Apache or nginx I'd use SSL client certificates and let the clients use whatever they want to contact the API: curl, a web app, whatever.
I understand that, at this time, GAE doesn't provide checking client certificates this way.
Is there any other way to do this in GAE with Py2.7?
If this is not possible or a very big hassle, can anyone point me to another good way to identify and authenticate remote servers in a situation like this?
I can only post two links of what I checked
https://groups.google.com/forum/?fromgroups=#!topic/google-appengine-python/c5PHMrAMAcI
https://sites.google.com/site/oauthgoog/authenticate-google-app-engine-app
plus much more over the last few days. I found some questions which are similar to mine, but none with a satisfying answer, to me at least.

I'd suggest looking into Google Cloud Endpoints, which is currently in the trusted tester phase. I discuss it in more detail in this answer, but the main things you'll get are:
An easy way to define your API
Automatic support for OAuth 2
We're primarily targeting developers building APIs in their application backends, but other "same party" (e.g. you're the API developer and consumer) uses should work equally well.

Related

Client-Server framework for python

I'm currently working on a University project that needs to be implemented with a Client - Server model.
I had experiences in the past where I was managing the communication at socket level and that really sucked.
I was wondering if someone could suggest an easy to use python framework that I can use for that purpose.
I don't know what kind of details you may need to answer so I'm just going to describe the project briefly.
Communication should happen over HTTP, possibly HTTPS.
The server does not need to send data back or invoke methods on the clients; it just collects data.
Many clients send data concurrently to the server, which needs to distinguish the sender, process the data accordingly and put the result in a database.
You can use something like Flask or Django. Both frameworks are fairly easy to implement, Flask is much easier than Django IMO, although Django has a built in authentication layer that you can use, albeit more difficult to implement in a client/server scenario like you need.
I would personally use Flask and JWT (JSON Web Tokens), which will allow you to give a token to each client for authentication with the server, which will also let you differentiate between clients, and you can use HTTPS for your SSL/TLS requirement. It is tons easier to implement this, and although I like django better for what it brings to the table, it is probably overkill to have you learn it for a single assignment.
For Flask with SSL, here is a quick rundown of that.
For JWT with Flask, here is that.
You can use any database system you would like.
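The per-client token scheme that answer describes, as an added example that is not part of the original answer: HS256 JWTs issued to each client and verified by the server, written against the Python standard library only (no PyJWT or Flask) so it runs as-is. The client ids, the secret, and the `authenticate_request` helper that a Flask view would call are constructed for illustration.

```python
# Added example (not from the original thread): minimal HS256 JWT issue/verify
# using only the standard library, so it runs without PyJWT or Flask.
import base64
import hashlib
import hmac
import json
import time

# Constructed sample: client identifiers the server keeps in its database.
KNOWN_CLIENTS = {"sensor-01", "sensor-02"}
# Constructed secret; in a deployment load it from configuration, never from source.
SERVER_SECRET = b"replace-me-with-32-random-bytes-from-os.urandom"


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    # Re-add the '=' padding that JWT strips.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input, secret):
    return hmac.new(secret, signing_input, hashlib.sha256).digest()


def issue_token(client_id, secret=SERVER_SECRET, ttl_seconds=3600, now=None):
    """Issue an HS256 JWT whose 'sub' claim identifies the client."""
    if client_id not in KNOWN_CLIENTS:
        raise ValueError("unknown client")
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": client_id, "iat": now, "exp": now + ttl_seconds}
    compact = lambda obj: _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = (compact(header) + "." + compact(payload)).encode("ascii")
    return signing_input.decode("ascii") + "." + _b64url_encode(_sign(signing_input, secret))


def verify_token(token, secret=SERVER_SECRET, now=None):
    """Return the client id carried by a valid token; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    # Pin the algorithm: never let the token's own header choose how it is verified.
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    expected = _sign((header_b64 + "." + payload_b64).encode("ascii"), secret)
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if payload.get("exp", 0) <= now:
        raise ValueError("token expired")
    client_id = payload.get("sub")
    if client_id not in KNOWN_CLIENTS:
        raise ValueError("unknown client")
    return client_id


def authenticate_request(authorization_header, now=None):
    """What a Flask view would call on request.headers['Authorization']:
    returns the client id, or None when the request must be rejected."""
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return None
    try:
        return verify_token(authorization_header[len("Bearer "):], now=now)
    except ValueError:
        return None


if __name__ == "__main__":
    token = issue_token("sensor-01")
    print(token)
    print(authenticate_request("Bearer " + token))
```

The signature is checked before any claim is read, the algorithm is pinned rather than taken from the header, and comparison uses `hmac.compare_digest`; those three choices are what keep a stdlib implementation on a par with a library for this simple shared-secret case. Serve it only over HTTPS, as the answer says, since the bearer token is all a client needs.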
If I understood you correctly you can use any web framework in python. For instance, you can use Flask (I use it and I like it). Django is also a popular choice among the python web frameworks. However, you shouldn't be limited to only these two. There are plenty of them out there. Just google for them.
The implementation of the client depends on what kind of communication there will be between the clients and the server - I don't have enough details here. I only know it's unidirectional.
The client can be a browser accessing your web application written in Flask where users send only POST requests to the server. However, even here the communication will be bidirectional (the clients need to open the page, which means the server sends requests back to the client) and it violates your initial requirement.
Then it can be a specific client written in Python sending some particular requests to your server over http/https. For instance, your client can use the requests package to send HTTP requests.

Build a TCP proxy on Google App Engine

I'm trying to figure out how to build a TCP proxy on GAE (Google App Engine). I would ordinarily do it using twisted networking engine but GAE doesn't allow frameworks. I'm also pretty new to internet and networking technologies in general.
Basically I have a proxy server and I'd like to use GAE as a TCP proxy to relay everything to the primary proxy server. All the GAE front ends are connected to the back end by google fiber, so if I make the back end near the primary proxy server, it should make it super fast regardless of where I'm connecting from.
Unfortunately GAE doesn't allow me to control ports at all and everything that I'm reading either tells me how to configure a TCP proxy on a server that I'm in complete control of or how to configure a proxy where I type the url into a webpage in the browser. Something along the lines of making a personal http://www.hidemyass.com/proxy/ type of website.
I'd like to set it up so I can simply tell chrome to ignore certificate errors (it connects to a dynamic IP using HTTPS so there's no way to sign it but I trust myself) and put the proxy info into chrome.
Edit: I'd prefer to write it in python but I can do any language
Thanks in advance
P.S. Please don't give answers like just use GoAgent or tor or something. They don't fulfill my purpose.
If you're simply trying to proxy HTTP requests like GoAgent does then have a look at the URLFetch documentation for Google App Engine.
URL Fetch Python API Overview
If you're trying to proxy anything else, then Daniel is correct.
This isn't the sort of thing you can use GAE for.
I don't know where you got the idea that GAE "doesn't allow frameworks". Of course it does, anything that speaks WSGI (eg Django, Flask, Pylons) is fine. But GAE is a web platform: it's not an appropriate place to try and write any sort of bare-metal networking platform. Apart from anything else, bandwidth on GAE is fairly expensive.
And also I don't know where you think the GAE "front ends" are, as opposed to the "back ends". GAE is not split that way, AFAIK.
I don't really understand what exactly you are trying to do, but it sounds like a content delivery network (CDN) like Akamai might be more appropriate.

Talking to an Authentication Server

I'm building my startup and I'm thinking ahead for shared use of services.
So far I want to allow people who have a user account on one app to be able to use the same user account on another app. This means I will have to build an authentication server.
I would like some opinions on how to allow an app to talk to the authentication server. Should I use curl? Should I use Python's http libs? All the code will be in Python.
All it's going to do is ask the authentication server if the person is allowed to use that app and the auth server will return a JSON user object. All authorization (roles and resources) will be app independent, so this app will not have to handle that.
Sorry if this seems a bit newbish; this is the first time I have separated authentication from the actual application.
Assuming you plan to write your own auth client code, it isn't event-driven, and you don't need to validate an https certificate, I would suggest using python's built-in urllib2 to call the auth server. This will minimize dependencies, which ought to make deployment and upgrades easier.
That being said, there are more than a few existing auth-related protocols and libraries in the world, some of which might save you some time and security worries over writing code from scratch. For example, if you make your auth server speak OpenID, many off-the-shelf applications and servers (including Apache) will have auth client plugins already made for you.
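The call that answer describes (ask the auth server whether a person may use this app, get a JSON user object back), as an added example that is not part of the original answer. It uses the Python 3 standard library (`urllib.request`, the successor of Python 2's `urllib2`); the `/check` path, the request and response fields, and the in-process stand-in server are assumptions made so the example runs offline.

```python
# Added example (not from the original thread): a small auth-server client
# with a swappable transport so it can be exercised without a network.
import json
from urllib import error, request

# Constructed sample data used by the stand-in server below.
SESSIONS = {"tok-alice": {"id": 42, "name": "alice", "apps": ["billing", "crm"]}}


def http_post_json(url, payload, timeout=5.0):
    """Real transport: POST a JSON body and return (status, body_bytes).
    On Python 3, urllib.request validates HTTPS certificates by default."""
    data = json.dumps(payload).encode()
    req = request.Request(url, data=data, method="POST",
                          headers={"Content-Type": "application/json"})
    try:
        with request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except error.HTTPError as e:
        return e.code, e.read()


def fake_auth_server_post(url, payload, timeout=5.0):
    """In-process stand-in for the auth server (assumed protocol, for illustration)."""
    user = SESSIONS.get(payload.get("session_token"))
    if user is None:
        return 401, json.dumps({"error": "unknown session"}).encode()
    if payload.get("app") not in user["apps"]:
        return 403, json.dumps({"error": "app not allowed"}).encode()
    return 200, json.dumps({"id": user["id"], "name": user["name"]}).encode()


def check_user(auth_base_url, app_name, session_token, post=http_post_json):
    """Ask the auth server whether this session may use app_name.
    Returns the user object on success and None when the server denies access;
    anything else (server error, malformed reply) raises so it is not mistaken
    for a decision."""
    status, body = post(auth_base_url + "/check",
                        {"app": app_name, "session_token": session_token})
    if status in (401, 403):
        return None
    if status != 200:
        raise RuntimeError("auth server returned HTTP %d" % status)
    user = json.loads(body)
    # Validate the shape before the application trusts it.
    if (not isinstance(user, dict) or not isinstance(user.get("id"), int)
            or not isinstance(user.get("name"), str)):
        raise ValueError("auth server returned an unexpected user object")
    return user


if __name__ == "__main__":
    print(check_user("https://auth.example", "billing", "tok-alice",
                     post=fake_auth_server_post))
    print(check_user("https://auth.example", "payroll", "tok-alice",
                     post=fake_auth_server_post))
```

Keeping the transport injectable is what makes the client testable without the real server, and it also keeps the distinction the answer glosses over: a 401/403 is a decision, but a timeout or a 500 is not, and the application should fail closed rather than treat it as "denied" silently.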
Your question isn't really a programming problem so much as it is an architecture problem. What I would recommend for your specific situation is to setup an LDAP server for authentication, authorization, and accounting (AAA). Then have your applications use that (every language has modules and libraries for LDAP). It is a reliable, secure, proven, and well-known way of handling such things.
Even if you strictly want to enforce HTTP-based authentication it is easy enough to slap an authentication server in front of your LDAP and call it a day. There's even existing code to do just that so you won't have to re-invent the wheel.
There is also CAS that you might want to look at.

How do you develop against OpenID locally

I'm developing a website (in Django) that uses OpenID to authenticate users. As I'm currently only running on my local machine I can't authenticate using one of the OpenID providers on the web. So I figure I need to run a local OpenID server that simply lets me type in a username and then passes that back to my main app.
Does such an OpenID dev server exist? Is this the best way to go about it?
The libraries at OpenID Enabled ship with examples that are sufficient to run a local test provider. Look in the examples/djopenid/ directory of the python-openid source distribution. Running that will give you an instance of this test provider.
I have no problems testing with myopenid.com. I thought there would be a problem testing on my local machine but it just worked. (I'm using ASP.NET with DotNetOpenId library).
The 'realm' and return url must contain the port number like 'http://localhost:93359'.
I assume it works OK because the provider does a client side redirect.
I'm also looking into this. I too am working on a Django project that might utilize Open Id. For references, check out:
PHPMyId
OpenId's page
Hopefully someone here has tackled this issue.
I'm using phpMyID to authenticate at StackOverflow right now. Generates a standard HTTP auth realm and works perfectly. It should be exactly what you need.
You could probably use the django OpenID library to write a provider to test against. Have one that always authenticates and one that always fails.
Why not run an OpenID provider from your local machine?
If you are a .Net developer there is an OpenID provider library for .Net at Google Code. This uses the standard .Net profile provider mechanism and wraps it with an OpenID layer. We are using it to add OpenID to our custom authentication engine.
If you are working in another language/platform there are a number of OpenID implementations available from the OpenID community site here.
You shouldn't be having trouble developing against your own machine. What error are you getting?
An OpenID provider will ask you to give your site (in this case http://localhost:8000 or similar) access to your identity. If you click ok then it will redirect you that url. I've never had problems with livejournal and I expect that myopenid.com will work too.
If you're having problems developing locally I suggest that the problem you're having is unrelated to the url being localhost, but something else. Without an error message or problem description it's impossible to say more.
Edit: It turns out that Yahoo do things differently to other OpenID providers that I've come across and disallow redirections to IP addresses, sites without a correct TLD in their domain name and those that run on ports other than 80 or 443. See here for a post from a Yahoo developer on this subject. This post offers a workaround, but I would suggest that for development myopenid.com would be far simpler than working around Yahoo, or running your own provider.

TFS Webservice Documentation

We use a lot of Python to do much of our deployment and it would be handy to connect to our TFS server to get information on iteration paths, tickets etc. I can see the web service but am unable to find any documentation. Just wondering if anyone knew of anything?
The web services are not documented by Microsoft as it is not an officially supported route to talk to TFS. The officially supported route is to use their .NET API.
In the case of your sort of application, the course of action I usually recommend is to create your own web service shim that lives on the TFS server (or another server) and uses their API to talk to the server but allows you to present the data in a nice way to your application.
Their object model simplifies the interactions a great deal (depending on what you want to do) and so it actually means less code over-all - but better tested and testable code and also you can work around things such as the NTLM auth used by the TFS web services.
Hope that helps,
Martin.
So, this question is friggin' old, but let me take a whack at it (since it keeps coming up in my google searches).
There's no officially supported API for the on-premises TFS (the MSFT hosted one has http://www.visualstudio.com/en-us/integrate/api/overview).
That said, you can always use Fiddler (http://www.telerik.com/fiddler) or something like it to inspect the calls that the web client for TFS is making to the server and do your magic to turn those into the scripts in python you want.
You'll need to run your Python scripts under a service account that has TFS privs appropriate to what it is trying to do (read, update, configure... whatever).
Since it sounds like you are just trying to read from TFS, this might be a really easy way for you to get what you want since an HTTP get to
http://yourserver/tfs/yourcollection/yourproject/_workitems#id=yourworkitemid
will hand you back (halfway) sane html payloads.
If you want lists of iterations or teams or whatever, then your service account needs to have the appropriate admin privileges and hit things like
http://yourserver/tfs/yourcollection/yourproject/_admin/_iterations
and use that response.
