def export_requestDelegationUpload(self, requestedUploadTime, userGroup): """ Request a delegation. Send a delegation request to client """ credDict = self.getRemoteCredentials() userDN = credDict['DN'] userName = credDict['username'] if not userGroup: userGroup = credDict['group'] retVal = Registry.getGroupsForUser(credDict['username']) if not retVal['OK']: return retVal groupsAvailable = retVal['Value'] if userGroup not in groupsAvailable: return S_ERROR("%s is not a valid group for user %s" % (userGroup, userName)) clientChain = credDict['x509Chain'] clientSecs = clientChain.getIssuerCert()['Value'].getRemainingSecs( )['Value'] requestedUploadTime = min(requestedUploadTime, clientSecs) # FIXME: this is useless now... result = self.__proxyDB.generateDelegationRequest( credDict['x509Chain'], userDN) if result['OK']: gLogger.info("Upload request by %s:%s given id %s" % (userName, userGroup, result['Value']['id'])) else: gLogger.error( "Upload request failed", "by %s:%s : %s" % (userName, userGroup, result['Message'])) return result
def export_requestDelegationUpload( self, requestedUploadTime, userGroup ): """ Request a delegation. Send a delegation request to client """ credDict = self.getRemoteCredentials() userDN = credDict[ 'DN' ] userName = credDict[ 'username' ] if not userGroup: userGroup = credDict[ 'group' ] retVal = Registry.getGroupsForUser( credDict[ 'username' ] ) if not retVal[ 'OK' ]: return retVal groupsAvailable = retVal[ 'Value' ] if userGroup not in groupsAvailable: return S_ERROR( "%s is not a valid group for user %s" % ( userGroup, userName ) ) clientChain = credDict[ 'x509Chain' ] clientSecs = clientChain.getIssuerCert()[ 'Value' ].getRemainingSecs()[ 'Value' ] requestedUploadTime = min( requestedUploadTime, clientSecs ) retVal = self.__proxyDB.getRemainingTime( userDN, userGroup ) if not retVal[ 'OK' ]: return retVal remainingSecs = retVal[ 'Value' ] # If we have a proxy longer than the one uploading it's not needed # ten minute margin to compensate just in case if remainingSecs >= requestedUploadTime - 600: gLogger.info( "Upload request not necessary by %s:%s" % ( userName, userGroup ) ) return self.__addKnownUserProxiesInfo( S_OK() ) result = self.__proxyDB.generateDelegationRequest( credDict[ 'x509Chain' ], userDN ) if result[ 'OK' ]: gLogger.info( "Upload request by %s:%s given id %s" % ( userName, userGroup, result['Value']['id'] ) ) else: gLogger.error( "Upload request failed", "by %s:%s : %s" % ( userName, userGroup, result['Message'] ) ) return result
def getCredentials( self ): if not self.__loadedChain: return S_ERROR( "No chain loaded" ) credDict = { 'subject' : self.__certList[0].get_subject().one_line(), 'issuer' : self.__certList[0].get_issuer().one_line(), 'secondsLeft' : self.getRemainingSecs()[ 'Value' ], 'isProxy' : self.__isProxy, 'isLimitedProxy' : self.__isProxy and self.__isLimitedProxy, 'validDN' : False, 'validGroup' : False } if self.__isProxy: retVal = self.getDIRACGroup() if not retVal[ 'OK' ]: return retVal diracGroup = retVal[ 'Value' ] if not diracGroup: diracGroup = Registry.getDefaultUserGroup() credDict[ 'group' ] = diracGroup credDict[ 'identity'] = self.__certList[ self.__firstProxyStep + 1 ].get_subject().one_line() retVal = Registry.getUsernameForDN( credDict[ 'identity' ] ) if retVal[ 'OK' ]: credDict[ 'username' ] = retVal[ 'Value' ] credDict[ 'validDN' ] = True retVal = Registry.getGroupsForUser( credDict[ 'username' ] ) if retVal[ 'OK' ] and diracGroup in retVal[ 'Value']: credDict[ 'validGroup' ] = True credDict[ 'groupProperties' ] = Registry.getPropertiesForGroup( diracGroup ) else: retVal = Registry.getHostnameForDN( credDict['subject'] ) retVal[ 'group' ] = 'hosts' if retVal[ 'OK' ]: credDict[ 'hostname' ] = retVal[ 'Value' ] credDict[ 'validDN' ] = True credDict[ 'validGroup' ] = True return S_OK( credDict )
def export_requestDelegationUpload(self, requestedUploadTime, diracGroup=None): """ Request a delegation. Send a delegation request to client :param int,long requestedUploadTime: requested live time :return: S_OK(dict)/S_ERROR() -- dict contain id and proxy as string of the request """ if diracGroup: # WARN: Since v7r1, DIRAC has implemented the ability to store only one proxy and # WARN: dynamically add a group at the request of a proxy. This means that group extensions # WARN: doesn't need for storing proxies. self.log.warn("Proxy with DIRAC group or VOMS extensions must be not allowed to be uploaded.") credDict = self.getRemoteCredentials() userDN = credDict['DN'] userName = credDict['username'] userGroup = diracGroup or credDict['group'] retVal = Registry.getGroupsForUser(credDict['username']) if not retVal['OK']: return retVal groupsAvailable = retVal['Value'] if userGroup not in groupsAvailable: return S_ERROR("%s is not a valid group for user %s" % (userGroup, userName)) clientChain = credDict['x509Chain'] clientSecs = clientChain.getIssuerCert()['Value'].getRemainingSecs()['Value'] requestedUploadTime = min(requestedUploadTime, clientSecs) # FIXME: this is useless now... result = self.__proxyDB.generateDelegationRequest(credDict['x509Chain'], userDN) if result['OK']: gLogger.info("Upload request by %s:%s given id %s" % (userName, userGroup, result['Value']['id'])) else: gLogger.error("Upload request failed", "by %s:%s : %s" % (userName, userGroup, result['Message'])) return result
def getCredentials( self, ignoreDefault = False ): if not self.__loadedChain: return S_ERROR( "No chain loaded" ) credDict = { 'subject' : self.__certList[0].get_subject().one_line(), 'issuer' : self.__certList[0].get_issuer().one_line(), 'secondsLeft' : self.getRemainingSecs()[ 'Value' ], 'isProxy' : self.__isProxy, 'isLimitedProxy' : self.__isProxy and self.__isLimitedProxy, 'validDN' : False, 'validGroup' : False, 'groupProperties' : [] } if self.__isProxy: credDict[ 'identity'] = self.__certList[ self.__firstProxyStep + 1 ].get_subject().one_line() retVal = Registry.getUsernameForDN( credDict[ 'identity' ] ) if retVal[ 'OK' ]: credDict[ 'username' ] = retVal[ 'Value' ] credDict[ 'validDN' ] = True retVal = self.getDIRACGroup( ignoreDefault = ignoreDefault ) if retVal[ 'OK' ]: diracGroup = retVal[ 'Value' ] credDict[ 'group' ] = diracGroup retVal = Registry.getGroupsForUser( credDict[ 'username' ] ) if retVal[ 'OK' ] and diracGroup in retVal[ 'Value' ]: credDict[ 'validGroup' ] = True credDict[ 'groupProperties' ] = Registry.getPropertiesForGroup( diracGroup ) else: retVal = Registry.getHostnameForDN( credDict['subject'] ) retVal[ 'group' ] = 'hosts' if retVal[ 'OK' ]: credDict[ 'hostname' ] = retVal[ 'Value' ] credDict[ 'validDN' ] = True credDict[ 'validGroup' ] = True return S_OK( credDict )
def getCredentials(self, ignoreDefault=False): if not self.__loadedChain: return S_ERROR(DErrno.ENOCHAIN) credDict = { 'subject': self.__certList[0].get_subject().one_line(), 'issuer': self.__certList[0].get_issuer().one_line(), 'secondsLeft': self.getRemainingSecs()['Value'], 'isProxy': self.__isProxy, 'isLimitedProxy': self.__isProxy and self.__isLimitedProxy, 'validDN': False, 'validGroup': False } if self.__isProxy: credDict['identity'] = self.__certList[self.__firstProxyStep + 1].get_subject().one_line() # Check if we have the PUSP case result = self.isPUSP() if result['OK'] and result['Value']: credDict['identity'] = result['Identity'] credDict['subproxyUser'] = result['SubproxyUser'] credDict['rfc'] = self.__isRFC retVal = Registry.getUsernameForDN(credDict['identity']) if not retVal['OK']: return S_OK(credDict) credDict['username'] = retVal['Value'] credDict['validDN'] = True retVal = self.getDIRACGroup(ignoreDefault=ignoreDefault) if retVal['OK']: diracGroup = retVal['Value'] credDict['group'] = diracGroup retVal = Registry.getGroupsForUser(credDict['username']) if retVal['OK'] and diracGroup in retVal['Value']: credDict['validGroup'] = True credDict[ 'groupProperties'] = Registry.getPropertiesForGroup( diracGroup) else: retVal = Registry.getHostnameForDN(credDict['subject']) if retVal['OK']: credDict['group'] = 'hosts' credDict['hostname'] = retVal['Value'] credDict['validDN'] = True credDict['validGroup'] = True credDict['groupProperties'] = Registry.getHostOption( credDict['hostname'], 'Properties') retVal = Registry.getUsernameForDN(credDict['subject']) if retVal['OK']: credDict['username'] = retVal['Value'] credDict['validDN'] = True return S_OK(credDict)
def getCredentials(self, ignoreDefault=False): if not self.__loadedChain: return S_ERROR(DErrno.ENOCHAIN) credDict = {'subject': self.__certList[0].get_subject().one_line(), 'issuer': self.__certList[0].get_issuer().one_line(), 'secondsLeft': self.getRemainingSecs()['Value'], 'isProxy': self.__isProxy, 'isLimitedProxy': self.__isProxy and self.__isLimitedProxy, 'validDN': False, 'validGroup': False} if self.__isProxy: credDict['identity'] = self.__certList[self.__firstProxyStep + 1].get_subject().one_line() # Check if we have the PUSP case result = self.isPUSP() if result['OK'] and result['Value']: credDict['identity'] = result['Identity'] credDict['subproxyUser'] = result['SubproxyUser'] credDict['rfc'] = self.__isRFC retVal = Registry.getUsernameForDN(credDict['identity']) if not retVal['OK']: return S_OK(credDict) credDict['username'] = retVal['Value'] credDict['validDN'] = True retVal = self.getDIRACGroup(ignoreDefault=ignoreDefault) if retVal['OK']: diracGroup = retVal['Value'] credDict['group'] = diracGroup retVal = Registry.getGroupsForUser(credDict['username']) if retVal['OK'] and diracGroup in retVal['Value']: credDict['validGroup'] = True credDict['groupProperties'] = Registry.getPropertiesForGroup(diracGroup) else: retVal = Registry.getHostnameForDN(credDict['subject']) if retVal['OK']: credDict['group'] = 'hosts' credDict['hostname'] = retVal['Value'] credDict['validDN'] = True credDict['validGroup'] = True credDict['groupProperties'] = Registry.getHostOption(credDict['hostname'], 'Properties') retVal = Registry.getUsernameForDN(credDict['subject']) if retVal['OK']: credDict['username'] = retVal['Value'] credDict['validDN'] = True return S_OK(credDict)
def getCredentials(self, ignoreDefault=False): if not self.__loadedChain: return S_ERROR("No chain loaded") credDict = { "subject": self.__certList[0].get_subject().one_line(), "issuer": self.__certList[0].get_issuer().one_line(), "secondsLeft": self.getRemainingSecs()["Value"], "isProxy": self.__isProxy, "isLimitedProxy": self.__isProxy and self.__isLimitedProxy, "validDN": False, "validGroup": False, } if self.__isProxy: credDict["identity"] = self.__certList[self.__firstProxyStep + 1].get_subject().one_line() retVal = Registry.getUsernameForDN(credDict["identity"]) if not retVal["OK"]: return S_OK(credDict) credDict["username"] = retVal["Value"] credDict["validDN"] = True retVal = self.getDIRACGroup(ignoreDefault=ignoreDefault) if retVal["OK"]: diracGroup = retVal["Value"] credDict["group"] = diracGroup retVal = Registry.getGroupsForUser(credDict["username"]) if retVal["OK"] and diracGroup in retVal["Value"]: credDict["validGroup"] = True credDict["groupProperties"] = Registry.getPropertiesForGroup(diracGroup) else: retVal = Registry.getHostnameForDN(credDict["subject"]) if retVal["OK"]: credDict["group"] = "hosts" credDict["hostname"] = retVal["Value"] credDict["validDN"] = True credDict["validGroup"] = True credDict["groupProperties"] = Registry.getHostOption(credDict["hostname"], "Properties") retVal = Registry.getUsernameForDN(credDict["subject"]) if retVal["OK"]: credDict["username"] = retVal["Value"] credDict["validDN"] = True return S_OK(credDict)
def getCredentials( self, ignoreDefault = False ): if not self.__loadedChain: return S_ERROR( "No chain loaded" ) credDict = { 'subject' : self.__certList[0].get_subject().one_line(), 'issuer' : self.__certList[0].get_issuer().one_line(), 'secondsLeft' : self.getRemainingSecs()[ 'Value' ], 'isProxy' : self.__isProxy, 'isLimitedProxy' : self.__isProxy and self.__isLimitedProxy, 'validDN' : False, 'validGroup' : False } if self.__isProxy: credDict[ 'identity'] = self.__certList[ self.__firstProxyStep + 1 ].get_subject().one_line() retVal = Registry.getUsernameForDN( credDict[ 'identity' ] ) if not retVal[ 'OK' ]: # We could not contact the CS most likely, which is possible, e.g. when doing # dirac-proxy-init -x credDict[ 'username' ] = 'unknown' else: credDict[ 'username' ] = retVal[ 'Value' ] credDict[ 'validDN' ] = True retVal = self.getDIRACGroup( ignoreDefault = ignoreDefault ) if retVal[ 'OK' ]: diracGroup = retVal[ 'Value' ] credDict[ 'group' ] = diracGroup retVal = Registry.getGroupsForUser( credDict[ 'username' ] ) if retVal[ 'OK' ] and diracGroup in retVal[ 'Value' ]: credDict[ 'validGroup' ] = True credDict[ 'groupProperties' ] = Registry.getPropertiesForGroup( diracGroup ) else: retVal = Registry.getHostnameForDN( credDict['subject'] ) if retVal[ 'OK' ]: credDict[ 'group' ] = 'hosts' credDict[ 'hostname' ] = retVal[ 'Value' ] credDict[ 'validDN' ] = True credDict[ 'validGroup' ] = True retVal = Registry.getUsernameForDN( credDict[ 'subject' ] ) if retVal[ 'OK' ]: credDict[ 'username' ] = retVal[ 'Value' ] credDict[ 'validDN' ] = True return S_OK( credDict )
def export_requestDelegationUpload(self, requestedUploadTime, userGroup): """ Request a delegation. Send a delegation request to client """ credDict = self.getRemoteCredentials() userDN = credDict['DN'] userName = credDict['username'] if not userGroup: userGroup = credDict['group'] retVal = Registry.getGroupsForUser(credDict['username']) if not retVal['OK']: return retVal groupsAvailable = retVal['Value'] if userGroup not in groupsAvailable: return S_ERROR("%s is not a valid group for user %s" % (userGroup, userName)) clientChain = credDict['x509Chain'] clientSecs = clientChain.getIssuerCert()['Value'].getRemainingSecs( )['Value'] requestedUploadTime = min(requestedUploadTime, clientSecs) retVal = self.__proxyDB.getRemainingTime(userDN, userGroup) if not retVal['OK']: return retVal remainingSecs = retVal['Value'] # If we have a proxy longer than the one uploading it's not needed # ten minute margin to compensate just in case if remainingSecs >= requestedUploadTime - 600: gLogger.info("Upload request not necessary by %s:%s" % (userName, userGroup)) return self.__addKnownUserProxiesInfo(S_OK()) result = self.__proxyDB.generateDelegationRequest( credDict['x509Chain'], userDN) if result['OK']: gLogger.info("Upload request by %s:%s given id %s" % (userName, userGroup, result['Value']['id'])) else: gLogger.error( "Upload request failed", "by %s:%s : %s" % (userName, userGroup, result['Message'])) return result
def export_requestDelegationUpload( self, requestedUploadTime, userGroup ): """ Request a delegation. Send a delegation request to client """ credDict = self.getRemoteCredentials() userDN = credDict[ 'DN' ] userName = credDict[ 'username' ] if not userGroup: userGroup = credDict[ 'group' ] retVal = Registry.getGroupsForUser( credDict[ 'username' ] ) if not retVal[ 'OK' ]: return retVal groupsAvailable = retVal[ 'Value' ] if userGroup not in groupsAvailable: return S_ERROR( "%s is not a valid group for user %s" % ( userGroup, userName ) ) clientChain = credDict[ 'x509Chain' ] clientSecs = clientChain.getIssuerCert()[ 'Value' ].getRemainingSecs()[ 'Value' ] requestedUploadTime = min( requestedUploadTime, clientSecs ) #FIXME: this is useless now... result = self.__proxyDB.generateDelegationRequest( credDict[ 'x509Chain' ], userDN ) if result[ 'OK' ]: gLogger.info( "Upload request by %s:%s given id %s" % ( userName, userGroup, result['Value']['id'] ) ) else: gLogger.error( "Upload request failed", "by %s:%s : %s" % ( userName, userGroup, result['Message'] ) ) return result
def generateProxy( params ): if params.checkClock: result = getClockDeviation() if result[ 'OK' ]: deviation = result[ 'Value' ] if deviation > 600: gLogger.error( "Your host clock seems to be off by more than TEN MINUTES! Thats really bad." ) gLogger.error( "We're cowardly refusing to generate a proxy. Please fix your system time" ) sys.exit( 1 ) elif deviation > 180: gLogger.error( "Your host clock seems to be off by more than THREE minutes! Thats bad." ) gLogger.notice( "We'll generate the proxy but please fix your system time" ) elif deviation > 60: gLogger.error( "Your host clock seems to be off by more than a minute! Thats not good." ) gLogger.notice( "We'll generate the proxy but please fix your system time" ) certLoc = params.certLoc keyLoc = params.keyLoc if not certLoc or not keyLoc: cakLoc = Locations.getCertificateAndKeyLocation() if not cakLoc: return S_ERROR( "Can't find user certificate and key" ) if not certLoc: certLoc = cakLoc[0] if not keyLoc: keyLoc = cakLoc[1] params.certLoc = certLoc params.keyLoc = keyLoc #Load password testChain = X509Chain() retVal = testChain.loadChainFromFile( params.certLoc ) if not retVal[ 'OK' ]: return S_ERROR( "Cannot load certificate %s: %s" % ( params.certLoc, retVal[ 'Message' ] ) ) timeLeft = testChain.getRemainingSecs()[ 'Value' ] / 86400 if timeLeft < 30: gLogger.notice( "\nYour certificate will expire in %d days. Please renew it!\n" % timeLeft ) retVal = testChain.loadKeyFromFile( params.keyLoc, password = params.userPasswd ) if not retVal[ 'OK' ]: passwdPrompt = "Enter Certificate password:"******"\n" ) else: userPasswd = getpass.getpass( passwdPrompt ) params.userPasswd = userPasswd #Find location proxyLoc = params.proxyLoc if not proxyLoc: proxyLoc = Locations.getDefaultProxyLocation() chain = X509Chain() #Load user cert and key retVal = chain.loadChainFromFile( certLoc ) if not retVal[ 'OK' ]: gLogger.warn( retVal[ 'Message' ] ) return S_ERROR( "Can't load %s" % certLoc ) retVal = chain.loadKeyFromFile( keyLoc, password = params.userPasswd ) if not retVal[ 'OK' ]: gLogger.warn( retVal[ 'Message' ] ) if 'bad decrypt' in retVal[ 'Message' ]: return S_ERROR( "Bad passphrase" ) return S_ERROR( "Can't load %s" % keyLoc ) if params.checkWithCS: retVal = chain.generateProxyToFile( proxyLoc, params.proxyLifeTime, strength = params.proxyStrength, limited = params.limitedProxy, rfc = params.rfc ) gLogger.info( "Contacting CS..." ) retVal = Script.enableCS() if not retVal[ 'OK' ]: gLogger.warn( retVal[ 'Message' ] ) if 'Unauthorized query' in retVal[ 'Message' ]: # add hint for users return S_ERROR( "Can't contact DIRAC CS: %s (User possibly not registered with dirac server) " % retVal[ 'Message' ] ) return S_ERROR( "Can't contact DIRAC CS: %s" % retVal[ 'Message' ] ) userDN = chain.getCertInChain( -1 )['Value'].getSubjectDN()['Value'] if not params.diracGroup: result = Registry.findDefaultGroupForDN( userDN ) if not result[ 'OK' ]: gLogger.warn( "Could not get a default group for DN %s: %s" % ( userDN, result[ 'Message' ] ) ) else: params.diracGroup = result[ 'Value' ] gLogger.info( "Default discovered group is %s" % params.diracGroup ) gLogger.info( "Checking DN %s" % userDN ) retVal = Registry.getUsernameForDN( userDN ) if not retVal[ 'OK' ]: gLogger.warn( retVal[ 'Message' ] ) return S_ERROR( "DN %s is not registered" % userDN ) username = retVal[ 'Value' ] gLogger.info( "Username is %s" % username ) retVal = Registry.getGroupsForUser( username ) if not retVal[ 'OK' ]: gLogger.warn( retVal[ 'Message' ] ) return S_ERROR( "User %s has no groups defined" % username ) groups = retVal[ 'Value' ] if params.diracGroup not in groups: return S_ERROR( "Requested group %s is not valid for DN %s" % ( params.diracGroup, userDN ) ) gLogger.info( "Creating proxy for %s@%s (%s)" % ( username, params.diracGroup, userDN ) ) if params.summary: h = int( params.proxyLifeTime / 3600 ) m = int( params.proxyLifeTime / 60 ) - h * 60 gLogger.notice( "Proxy lifetime will be %02d:%02d" % ( h, m ) ) gLogger.notice( "User cert is %s" % certLoc ) gLogger.notice( "User key is %s" % keyLoc ) gLogger.notice( "Proxy will be written to %s" % proxyLoc ) if params.diracGroup: gLogger.notice( "DIRAC Group will be set to %s" % params.diracGroup ) else: gLogger.notice( "No DIRAC Group will be set" ) gLogger.notice( "Proxy strength will be %s" % params.proxyStrength ) if params.limitedProxy: gLogger.notice( "Proxy will be limited" ) retVal = chain.generateProxyToFile( proxyLoc, params.proxyLifeTime, params.diracGroup, strength = params.proxyStrength, limited = params.limitedProxy, rfc = params.rfc ) if not retVal[ 'OK' ]: gLogger.warn( retVal[ 'Message' ] ) return S_ERROR( "Couldn't generate proxy: %s" % retVal[ 'Message' ] ) return S_OK( proxyLoc )
def getCredentials(self, ignoreDefault=False, withRegistryInfo=True): """Returns a summary of the credentials contained in the current chain :params ignoreDefault: (default False) If True and if no DIRAC group is found in the proxy, lookup the CS :params withRegistryInfo: (default True) if set to True, will enhance the returned dict with info from the registry :returns: S_OK with the credential dict. Some parameters of the dict are always there, other depends on the nature of the Chain Always present: * subject: str. The last DN in the chain * issuer: str. The issuer of the last cert in the chain * secondsLeft: validity of the chain in seconds (see :py:meth:`.getRemainingSecs`) * isProxy: boolean (see :py:meth:`.isProxy`) * isLimitedProxy: boolean (see :py:meth:`.isLimitedProxy`) * validDN: boolean if the DN is known to DIRAC * validGroup: False (see further definition) * DN: either the DN of the host, or the DN of the user corresponding to the proxy Only for proxy: * identity: If it is a normal proxy, it is the DN of the certificate. If it is a PUSP, it contains the identity as in :py:meth:`.isPUSP` * username: DIRAC username associated to the DN (needs withRegistryInfo) (see :py:func:`DIRAC.ConfigurationSystem.Client.Helpers.Registry.getUsernameForDN`) * group: DIRAC group, depending on ignoreDefault param(see :py:meth:`.getDIRACGroup`) * validGroup: True if the group found is in the list of groups the user belongs to * groupProperty: (only if validGroup) get the properties of the group For Host certificate (needs withRegistryInfo): * group: always `hosts` * hostname: name of the host as registered in the CS (see :py:func:`DIRAC.ConfigurationSystem.Client.Helpers.Registry.getHostnameForDN`) * validGroup: True * groupProperties: host options (see :py:func:`DIRAC.ConfigurationSystem.Client.Helpers.Registry.getHostOption`) If it is a user certificate (needs withRegistryInfo): * username: like for proxy * validDN: like proxy """ credDict = { "subject": str(self._certList[0].getSubjectDN()["Value"]), # ['Value'] :( "issuer": self._certList[0].getIssuerDN()["Value"], # ['Value'] :( "secondsLeft": self.getRemainingSecs()["Value"], "isProxy": self.__isProxy, "isLimitedProxy": self.__isProxy and self.__isLimitedProxy, "validDN": False, "validGroup": False, } # Add the DN entry as the subject. credDict["DN"] = credDict["subject"] if self.__isProxy: credDict["identity"] = str( self._certList[self.__firstProxyStep + 1].getSubjectDN()["Value"] ) # ['Value'] :( # if the chain is a proxy, then the DN we want to work with is the real one of the # user, not the one of his proxy credDict["DN"] = credDict["identity"] # Check if we have the PUSP case result = self.isPUSP() if result["OK"] and result["Value"]: credDict["identity"] = result["Identity"] credDict["subproxyUser"] = result["SubproxyUser"] if withRegistryInfo: retVal = Registry.getUsernameForDN(credDict["identity"]) if not retVal["OK"]: return S_OK(credDict) credDict["username"] = retVal["Value"] credDict["validDN"] = True retVal = self.getDIRACGroup(ignoreDefault=ignoreDefault) if retVal["OK"]: diracGroup = retVal["Value"] credDict["group"] = diracGroup if withRegistryInfo: retVal = Registry.getGroupsForUser(credDict["username"]) if retVal["OK"] and diracGroup in retVal["Value"]: credDict["validGroup"] = True credDict["groupProperties"] = Registry.getPropertiesForGroup(diracGroup) elif withRegistryInfo: retVal = Registry.getHostnameForDN(credDict["subject"]) if retVal["OK"]: credDict["group"] = "hosts" credDict["hostname"] = retVal["Value"] credDict["validDN"] = True credDict["validGroup"] = True credDict["groupProperties"] = Registry.getHostOption(credDict["hostname"], "Properties") retVal = Registry.getUsernameForDN(credDict["subject"]) if retVal["OK"]: credDict["username"] = retVal["Value"] credDict["validDN"] = True return S_OK(credDict)
def generateProxy(params): if params.checkClock: result = getClockDeviation() if result['OK']: deviation = result['Value'] if deviation > 600: gLogger.error( "Your host clock seems to be off by more than TEN MINUTES! Thats really bad." ) gLogger.error( "We're cowardly refusing to generate a proxy. Please fix your system time" ) sys.exit(1) elif deviation > 180: gLogger.error( "Your host clock seems to be off by more than THREE minutes! Thats bad." ) gLogger.notice( "We'll generate the proxy but please fix your system time") elif deviation > 60: gLogger.error( "Your host clock seems to be off by more than a minute! Thats not good." ) gLogger.notice( "We'll generate the proxy but please fix your system time") certLoc = params.certLoc keyLoc = params.keyLoc if not certLoc or not keyLoc: cakLoc = Locations.getCertificateAndKeyLocation() if not cakLoc: return S_ERROR("Can't find user certificate and key") if not certLoc: certLoc = cakLoc[0] if not keyLoc: keyLoc = cakLoc[1] params.certLoc = certLoc params.keyLoc = keyLoc #Load password testChain = X509Chain() retVal = testChain.loadChainFromFile(params.certLoc) if not retVal['OK']: return S_ERROR("Cannot load certificate %s: %s" % (params.certLoc, retVal['Message'])) timeLeft = testChain.getRemainingSecs()['Value'] / 86400 if timeLeft < 30: gLogger.notice( "\nYour certificate will expire in %d days. Please renew it!\n" % timeLeft) retVal = testChain.loadKeyFromFile(params.keyLoc, password=params.userPasswd) if not retVal['OK']: passwdPrompt = "Enter Certificate password:"******"\n") else: userPasswd = getpass.getpass(passwdPrompt) params.userPasswd = userPasswd #Find location proxyLoc = params.proxyLoc if not proxyLoc: proxyLoc = Locations.getDefaultProxyLocation() chain = X509Chain() #Load user cert and key retVal = chain.loadChainFromFile(certLoc) if not retVal['OK']: gLogger.warn(retVal['Message']) return S_ERROR("Can't load %s" % certLoc) retVal = chain.loadKeyFromFile(keyLoc, password=params.userPasswd) if not retVal['OK']: gLogger.warn(retVal['Message']) if 'bad decrypt' in retVal['Message']: return S_ERROR("Bad passphrase") return S_ERROR("Can't load %s" % keyLoc) if params.checkWithCS: retVal = chain.generateProxyToFile(proxyLoc, params.proxyLifeTime, strength=params.proxyStrength, limited=params.limitedProxy) gLogger.info("Contacting CS...") retVal = Script.enableCS() if not retVal['OK']: gLogger.warn(retVal['Message']) if 'Unauthorized query' in retVal['Message']: # add hint for users return S_ERROR( "Can't contact DIRAC CS: %s (User possibly not registered with dirac server) " % retVal['Message']) return S_ERROR("Can't contact DIRAC CS: %s" % retVal['Message']) userDN = chain.getCertInChain(-1)['Value'].getSubjectDN()['Value'] if not params.diracGroup: result = Registry.findDefaultGroupForDN(userDN) if not result['OK']: gLogger.warn("Could not get a default group for DN %s: %s" % (userDN, result['Message'])) else: params.diracGroup = result['Value'] gLogger.info("Default discovered group is %s" % params.diracGroup) gLogger.info("Checking DN %s" % userDN) retVal = Registry.getUsernameForDN(userDN) if not retVal['OK']: gLogger.warn(retVal['Message']) return S_ERROR("DN %s is not registered" % userDN) username = retVal['Value'] gLogger.info("Username is %s" % username) retVal = Registry.getGroupsForUser(username) if not retVal['OK']: gLogger.warn(retVal['Message']) return S_ERROR("User %s has no groups defined" % username) groups = retVal['Value'] if params.diracGroup not in groups: return S_ERROR("Requested group %s is not valid for DN %s" % (params.diracGroup, userDN)) gLogger.info("Creating proxy for %s@%s (%s)" % (username, params.diracGroup, userDN)) if params.summary: h = int(params.proxyLifeTime / 3600) m = int(params.proxyLifeTime / 60) - h * 60 gLogger.notice("Proxy lifetime will be %02d:%02d" % (h, m)) gLogger.notice("User cert is %s" % certLoc) gLogger.notice("User key is %s" % keyLoc) gLogger.notice("Proxy will be written to %s" % proxyLoc) if params.diracGroup: gLogger.notice("DIRAC Group will be set to %s" % params.diracGroup) else: gLogger.notice("No DIRAC Group will be set") gLogger.notice("Proxy strength will be %s" % params.proxyStrength) if params.limitedProxy: gLogger.notice("Proxy will be limited") retVal = chain.generateProxyToFile(proxyLoc, params.proxyLifeTime, params.diracGroup, strength=params.proxyStrength, limited=params.limitedProxy) if not retVal['OK']: gLogger.warn(retVal['Message']) return S_ERROR("Couldn't generate proxy: %s" % retVal['Message']) return S_OK(proxyLoc)
def getCredentials(self, ignoreDefault=False): """ Returns a summary of the credentials contained in the current chain :params ignoreDefault: (default False) If True and if no DIRAC group is found in the proxy, lookup the CS :returns: S_OK with the credential dict. Some parameters of the dict are always there, other depends on the nature of the Chain Always present: * subject: str. The last DN in the chain * issuer: str. The issuer of the last cert in the chain * secondsLeft: validity of the chain in seconds (see :py:meth:`.getRemainingSecs`) * isProxy: boolean (see :py:meth:`.isProxy`) * isLimitedProxy: boolean (see :py:meth:`.isLimitedProxy`) * validDN: boolean if the DN is known to DIRAC * validGroup: False (see further definition) Only for proxy: * identity: If it is a normal proxy, it is the DN of the certificate. If it is a PUSP, it contains the identity as in :py:meth:`.isPUSP` * username: DIRAC username associated to the DN (see :py:func:`DIRAC.ConfigurationSystem.Client.Helpers.Registry.getUsernameForDN`) * group: DIRAC group, depending on ignoreDefault param(see :py:meth:`.getDIRACGroup`) * validGroup: True if the group found is in the list of groups the user belongs to * groupProperty: (only if validGroup) get the properties of the group For Host certificate: * group: always `hosts` * hostname: name of the host as registered in the CS (see :py:func:`DIRAC.ConfigurationSystem.Client.Helpers.Registry.getHostnameForDN`) * validGroup: True * groupProperties: host options (see :py:func:`DIRAC.ConfigurationSystem.Client.Helpers.Registry.getHostOption`) If it is a user certificate: * username: like for proxy * validDN: like proxy """ credDict = { 'subject': str(self._certList[0].getSubjectDN()['Value']), # ['Value'] :( 'issuer': self._certList[0].getIssuerDN()['Value'], # ['Value'] :( 'secondsLeft': self.getRemainingSecs()['Value'], 'isProxy': self.__isProxy, 'isLimitedProxy': self.__isProxy and self.__isLimitedProxy, 'validDN': False, 'validGroup': False } if self.__isProxy: credDict['identity'] = str( self._certList[self.__firstProxyStep + 1].getSubjectDN()['Value']) # ['Value'] :( # Check if we have the PUSP case result = self.isPUSP() if result['OK'] and result['Value']: credDict['identity'] = result['Identity'] credDict['subproxyUser'] = result['SubproxyUser'] retVal = Registry.getUsernameForDN(credDict['identity']) if not retVal['OK']: return S_OK(credDict) credDict['username'] = retVal['Value'] credDict['validDN'] = True retVal = self.getDIRACGroup(ignoreDefault=ignoreDefault) if retVal['OK']: diracGroup = retVal['Value'] credDict['group'] = diracGroup retVal = Registry.getGroupsForUser(credDict['username']) if retVal['OK'] and diracGroup in retVal['Value']: credDict['validGroup'] = True credDict[ 'groupProperties'] = Registry.getPropertiesForGroup( diracGroup) else: retVal = Registry.getHostnameForDN(credDict['subject']) if retVal['OK']: credDict['group'] = 'hosts' credDict['hostname'] = retVal['Value'] credDict['validDN'] = True credDict['validGroup'] = True credDict['groupProperties'] = Registry.getHostOption( credDict['hostname'], 'Properties') retVal = Registry.getUsernameForDN(credDict['subject']) if retVal['OK']: credDict['username'] = retVal['Value'] credDict['validDN'] = True return S_OK(credDict)