files: added x509 authentication to EOS offload.

zenodo · Feb 14, 2024 · a82821a · a82821a
1 parent 84a33b7
commit a82821a
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 3 deletions.
diff --git a/invenio.cfg b/invenio.cfg
@@ -712,6 +712,14 @@ FILES_REST_XSENDFILE_ENABLED = False
 ZENODO_EOS_OFFLOAD_ENABLED = False
 ZENODO_EOS_OFFLOAD_HTTPHOST = ""
 ZENODO_EOS_OFFLOAD_REDIRECT_BASE_PATH = ""
+# control EOS offload authentication
+ZENODO_EOS_OFFLOAD_AUTH_X509 = False
+"""Specifies whether to use X509 authentication for EOS offload."""
+ZENODO_EOS_OFFLOAD_X509_CERT_PATH = ""
+"""The path to the X509 certificate file."""
+ZENODO_EOS_OFFLOAD_X509_KEY_PATH = ""
+"""The path to the X509 private key file."""
+
 
 FILES_REST_DEFAULT_QUOTA_SIZE = 5*10**10
 FILES_REST_DEFAULT_MAX_FILE_SIZE = 5*10**10

diff --git a/site/zenodo_rdm/files.py b/site/zenodo_rdm/files.py
@@ -31,15 +31,32 @@
 class EOSFilesOffload(BaseFileStorage):
     """Offload file downloads to another server."""
 
+    def _get_auth_session(self):
+        """Get a requests session with authentication configured.
+
+        If X.509 is enabled, it will be used, otherwise kerberos will be used.
+        """
+        s = requests.Session()
+        x509_enabled = current_app.config.get("ZENODO_EOS_OFFLOAD_AUTH_X509", False)
+        cert = current_app.config.get("ZENODO_EOS_OFFLOAD_X509_CERT_PATH")
+        key = current_app.config.get("ZENODO_EOS_OFFLOAD_X509_KEY_PATH")
+        if x509_enabled and cert and key:
+            s.cert = (cert, key)
+            s.verify = False
+        else:
+            # Default to kerberos
+            s.auth = HTTPKerberosAuth(DISABLED)
+            s.verify = False
+        return s
+
     def _get_eos_redirect_path(self):
         """Get the real path of the file streamed from another server."""
         host = current_app.config["ZENODO_EOS_OFFLOAD_HTTPHOST"]
         redirect_base_path = current_app.config["ZENODO_EOS_OFFLOAD_REDIRECT_BASE_PATH"]
         base_path = urlsplit(self.fileurl).path
-        eos_resp = requests.get(
+        session = self._get_auth_session()
+        eos_resp = session.get(
             f"{host}/{base_path}",
-            auth=HTTPKerberosAuth(DISABLED),
-            verify=False,
             allow_redirects=False,
         )
         if eos_resp.status_code != 307: