Jör*_*ees 14 python authorization oauth gitlab mattermost
在我们的团队中,我们使用gitlab(https://git.example)和捆绑的mattermost聊天(https://chat.example).
对于mattermost,我们希望有一个专用的bot用户(Web挂钩有限制,私有频道等),它实际上就像普通用户一样登录.
我们在gitlab中创建了该用户,并可以通过chrome登录我们的聊天(聊天登录redir - > gitlab oauth,输入用户名和pw - > redir回到聊天 - > authed).
现在我搜索了实际上可以做到这一点的python库,但是我只能找到一些需要client_id和client_secret... ...从我的理解(请纠正我,如果我错了)这不是我们正在寻找的,因为我们不希望通过gitlab创建另一个auth应用程序,但是通过gitlab登录我们的聊天(已经有id(已知)和secret(未知))作为用户.
由于我们找不到这样的lib,我们还检查了chrome中的网络请求,并尝试在python中重新创建它requests,但无法让它工作(不用说它涉及解析html和csrf标记). ..
我们尝试了另一次尝试和大量猜测,尝试获取access_token手动通过
client_id = 'the one of mattermost in our gitlab'
user = 'username'
pw = 'password'
r = requests.post(
'https://git.example/oauth/token',
data={
"grant_type": "password",
"username": user,
"password": pw,
"client_id": client_id,
}
)
access_token = r.json()['access_token']
这似乎有效(并且令牌看起来很好),但在mattermost API中使用它只会产生401:
ri = requests.get(
'https://chat.example/api/v1/users/me',
headers={'Authorization': 'Bearer ' + access_token}
)
ri.status_code, ri.json()
(401,
{u'detailed_error': u'token=...xxx...',
u'id': u'api.context.session_expired.app_error',
u'is_oauth': False,
u'message': u'Invalid or expired session, please login again.',
u'request_id': u'...yyy...',
u'status_code': 401})
可悲的是http://docs.mattermost.com/developer/web-service.html#oauth2目前并未对此有所了解,这就是我在这里问的原因.我是否可能会错过一些明显可以"激活" access_token在mattermost中的东西?
实际上我终于通过模仿浏览器的行为来运行如下,但我仍然对一个更通用的解决方案感兴趣,不涉及解析任何gitlab服务器的html ......:
import requests
from pyquery import PyQuery as pq
client_id = '...your_mattermost_client_id...'
user = '...username...'
pw = '...userpass...'
gitlab = 'https://git.example'
chat = 'https://chat.example'
team = '/your_team'
r = requests.get(
chat + team + '/login/gitlab'
)
q = pq(r.content)
csrf_token = q('#new_ldap_user input[name="authenticity_token"]')[0].value # watch out, several tokens for ldap vs. normal login, inspect the page to find correct one
r2 = requests.post(
gitlab + '/users/auth/ldapmain/callback', # or whatever the browser callback for your auth-method was
cookies=r.cookies,
data={
'authenticity_token': csrf_token,
'username': user,
'password': pw,
}
)
# print [h.url for h in r2.history] + [r2.url] # to check the redirects
me = requests.get(
chat + '/api/v1/users/me',
cookies=r2.cookies,
)
print me.json() # if everything went well you're now authorized
# remember to set cookies in the follow-up requests