diff --git a/invenio.cfg b/invenio.cfg
index fb55e763..52d010c7 100644
--- a/invenio.cfg
+++ b/invenio.cfg
@@ -712,6 +712,14 @@ FILES_REST_XSENDFILE_ENABLED = False
 ZENODO_EOS_OFFLOAD_ENABLED = False
 ZENODO_EOS_OFFLOAD_HTTPHOST = ""
 ZENODO_EOS_OFFLOAD_REDIRECT_BASE_PATH = ""
+# control EOS offload authentication
+ZENODO_EOS_OFFLOAD_AUTH_X509 = False
+"""Specifies whether to use X509 authentication for EOS offload."""
+ZENODO_EOS_OFFLOAD_X509_CERT_PATH = ""
+"""The path to the X509 certificate file."""
+ZENODO_EOS_OFFLOAD_X509_KEY_PATH = ""
+"""The path to the X509 private key file."""
+
 FILES_REST_DEFAULT_QUOTA_SIZE = 5*10**10
 FILES_REST_DEFAULT_MAX_FILE_SIZE = 5*10**10
diff --git a/site/zenodo_rdm/files.py b/site/zenodo_rdm/files.py
index 3e760079..adcddaf9 100644
--- a/site/zenodo_rdm/files.py
+++ b/site/zenodo_rdm/files.py
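Review bot: The docstring for `ZENODO_EOS_OFFLOAD_AUTH_X509` does not say that the flag only takes effect when both `ZENODO_EOS_OFFLOAD_X509_CERT_PATH` and `ZENODO_EOS_OFFLOAD_X509_KEY_PATH` are set, which is how `_get_auth_session` in `site/zenodo_rdm/files.py` reads it in this same commit; with either path empty the offload silently uses Kerberos. Suggest `"""Use X.509 client-certificate authentication for EOS offload instead of Kerberos. Requires both ZENODO_EOS_OFFLOAD_X509_CERT_PATH and ZENODO_EOS_OFFLOAD_X509_KEY_PATH to be set; otherwise Kerberos is used."""`. For `ZENODO_EOS_OFFLOAD_X509_KEY_PATH`, a sentence noting that the file is read by the application process and should be readable only by it would help operators place it correctly.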
@@ -31,15 +31,32 @@ class EOSFilesOffload(BaseFileStorage):
 """Offload file downloads to another server."""
+ def _get_auth_session(self):
+ """Get a requests session with authentication configured.
+
+ If X.509 is enabled, it will be used, otherwise kerberos will be used.
+ """
+ s = requests.Session()
+ x509_enabled = current_app.config.get("ZENODO_EOS_OFFLOAD_AUTH_X509", False)
+ cert = current_app.config.get("ZENODO_EOS_OFFLOAD_X509_CERT_PATH")
+ key = current_app.config.get("ZENODO_EOS_OFFLOAD_X509_KEY_PATH")
+ if x509_enabled and cert and key:
+ s.cert = (cert, key)
+ s.verify = False
+ else:
+ # Default to kerberos
+ s.auth = HTTPKerberosAuth(DISABLED)
+ s.verify = False
+ return s
+
 def _get_eos_redirect_path(self):
 """Get the real path of the file streamed from another server."""
 host = current_app.config["ZENODO_EOS_OFFLOAD_HTTPHOST"]
 redirect_base_path = current_app.config["ZENODO_EOS_OFFLOAD_REDIRECT_BASE_PATH"]
 base_path = urlsplit(self.fileurl).path
- eos_resp = requests.get(
+ session = self._get_auth_session()
+ eos_resp = session.get(
 f"{host}/{base_path}",
- auth=HTTPKerberosAuth(DISABLED),
- verify=False,
 allow_redirects=False,
 )
 if eos_resp.status_code != 307:
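Review bot: `_get_auth_session` sets `s.verify = False` in both branches, so in the new X.509 branch the client certificate and key are presented to whatever answers at `ZENODO_EOS_OFFLOAD_HTTPHOST` without that server being authenticated, and the 307 response that `_get_eos_redirect_path` then inspects comes from an unverified peer; the commit carries this over from the removed `verify=False` argument, but the new branch makes a config-driven value (a CA bundle path or `True`) worth having instead of a hard-coded `False` duplicated in both branches. A second issue: when `ZENODO_EOS_OFFLOAD_AUTH_X509` is true but either path is empty, the `else` branch silently falls back to Kerberos, which hides a misconfiguration rather than surfacing it, so raising there is the safer choice. Minor: the session created in `_get_eos_redirect_path` is never closed; `with self._get_auth_session() as session:` around the `session.get(...)` call would fix that. `_get_eos_redirect_path` continues past the end of the hunk, and the sketch below uses a proposed setting name that is not in the patch.
```python
    def _get_auth_session(self):
        """Get a requests session with authentication configured.

        If X.509 is enabled, it will be used, otherwise kerberos will be used.
        Raises ValueError when X.509 is enabled but a cert or key path is missing.
        """
        s = requests.Session()
        # Keep server verification on unless a deployment opts out explicitly;
        # requests also accepts a CA bundle path here.
        s.verify = current_app.config.get("ZENODO_EOS_OFFLOAD_VERIFY", True)  # proposed setting name
        x509_enabled = current_app.config.get("ZENODO_EOS_OFFLOAD_AUTH_X509", False)
        cert = current_app.config.get("ZENODO_EOS_OFFLOAD_X509_CERT_PATH")
        key = current_app.config.get("ZENODO_EOS_OFFLOAD_X509_KEY_PATH")
        if x509_enabled:
            if not (cert and key):
                # Do not silently downgrade to Kerberos on a misconfiguration.
                raise ValueError(
                    "ZENODO_EOS_OFFLOAD_AUTH_X509 is enabled but "
                    "ZENODO_EOS_OFFLOAD_X509_CERT_PATH or "
                    "ZENODO_EOS_OFFLOAD_X509_KEY_PATH is not set"
                )
            s.cert = (cert, key)
        else:
            # Default to kerberos
            s.auth = HTTPKerberosAuth(DISABLED)
        return s
```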