def __processCredentials( self ):
"""
Extract the user credentials based on the certificate or what comes from the balancer
"""
self.__credDict = {}
#NGINX
if Conf.balancer() == "nginx":
headers = self.request.headers
if headers[ 'X-Scheme' ] == "https" and headers[ 'X-Ssl_client_verify' ] == 'SUCCESS':
DN = headers[ 'X-Ssl_client_s_dn' ]
self.__credDict[ 'subject' ] = DN
self.__credDict[ 'issuer' ] = headers[ 'X-Ssl_client_i_dn' ]
result = Registry.getUsernameForDN( DN )
if not result[ 'OK' ]:
self.__credDict[ 'validDN' ] = False
else:
self.__credDict[ 'validDN' ] = True
self.__credDict[ 'username' ] = result[ 'Value' ]
return
#TORNADO
if not self.request.protocol == "https":
return
derCert = self.request.get_ssl_certificate( binary_form = True )
if not derCert:
return
pemCert = ssl.DER_cert_to_PEM_cert( derCert )
chain = X509Chain()
chain.loadChainFromString( pemCert )
result = chain.getCredentials()
if not result[ 'OK' ]:
self.log.error( "Could not get client credentials %s" % result[ 'Message' ] )
return
self.__credDict = result[ 'Value' ]
def __processCredentials(self):
"""
Extract the user credentials based on the certificate or what comes from the balancer
"""
self.__credDict = {}
#NGINX
if Conf.balancer() == "nginx":
headers = self.request.headers
if headers['X-Scheme'] == "https" and headers[
'X-Ssl_client_verify'] == 'SUCCESS':
DN = headers['X-Ssl_client_s_dn']
self.__credDict['subject'] = DN
self.__credDict['issuer'] = headers['X-Ssl_client_i_dn']
result = Registry.getUsernameForDN(DN)
if not result['OK']:
self.__credDict['validDN'] = False
else:
self.__credDict['validDN'] = True
self.__credDict['username'] = result['Value']
return
#TORNADO
if not self.request.protocol == "https":
return
derCert = self.request.get_ssl_certificate(binary_form=True)
if not derCert:
return
pemCert = ssl.DER_cert_to_PEM_cert(derCert)
chain = X509Chain()
chain.loadChainFromString(pemCert)
result = chain.getCredentials()
if not result['OK']:
self.log.error("Could not get client credentials %s" %
result['Message'])
return
self.__credDict = result['Value']
def bootstrap(self):
"""
Configure and create web app
"""
self.log.always("\n ====== Starting DIRAC web app ====== \n")
#Load required CFG files
self.__loadWebAppCFGFiles()
#Debug mode?
devMode = Conf.devMode()
if devMode:
self.log.info("Configuring in developer mode...")
#Calculating routes
result = self.__handlerMgr.getRoutes()
if not result['OK']:
return result
routes = result['Value']
#Initialize the session data
SessionData.setHandlers(self.__handlerMgr.getHandlers()['Value'])
#Create the app
tLoader = TemplateLoader(self.__handlerMgr.getPaths("template"))
kw = dict(devMode=devMode,
template_loader=tLoader,
cookie_secret=Conf.cookieSecret(),
log_function=self._logRequest)
#Check processes if we're under a load balancert
if Conf.balancer() and Conf.numProcesses() not in (0, 1):
tornado.process.fork_processes(Conf.numProcesses(), max_restarts=0)
kw['devMode'] = False
#Configure tornado app
self.__app = tornado.web.Application(routes, **kw)
self.log.notice("Configuring HTTP on port %s" % (Conf.HTTPPort()))
#Create the web servers
srv = tornado.httpserver.HTTPServer(self.__app)
port = Conf.HTTPPort()
srv.listen(port)
self.__servers[('http', port)] = srv
if Conf.HTTPS():
self.log.notice("Configuring HTTPS on port %s" % Conf.HTTPSPort())
sslops = dict(certfile=Conf.HTTPSCert(),
keyfile=Conf.HTTPSKey(),
cert_reqs=ssl.CERT_OPTIONAL,
ca_certs=Conf.generateCAFile())
self.log.debug(
" - %s" %
"\n - ".join(["%s = %s" % (k, sslops[k]) for k in sslops]))
srv = tornado.httpserver.HTTPServer(self.__app, ssl_options=sslops)
port = Conf.HTTPSPort()
srv.listen(port)
self.__servers[('https', port)] = srv
return result
def bootstrap( self ):
"""
Configure and create web app
"""
self.log.always( "\n ====== Starting DIRAC web app ====== \n" )
#Load required CFG files
self.__loadWebAppCFGFiles()
#Debug mode?
devMode = Conf.devMode()
if devMode:
self.log.info( "Configuring in developer mode..." )
#Calculating routes
result = self.__handlerMgr.getRoutes()
if not result[ 'OK' ]:
return result
routes = result[ 'Value' ]
#Initialize the session data
SessionData.setHandlers( self.__handlerMgr.getHandlers()[ 'Value' ] )
#Create the app
tLoader = TemplateLoader( self.__handlerMgr.getPaths( "template" ) )
kw = dict( devMode = devMode, template_loader = tLoader, cookie_secret = Conf.cookieSecret(),
log_function = self._logRequest )
#Check processes if we're under a load balancert
if Conf.balancer() and Conf.numProcesses() not in ( 0, 1 ):
tornado.process.fork_processes( Conf.numProcesses(), max_restarts=0 )
kw[ 'devMode' ] = False
#Configure tornado app
self.__app = tornado.web.Application( routes, **kw )
self.log.notice( "Configuring HTTP on port %s" % ( Conf.HTTPPort() ) )
#Create the web servers
srv = tornado.httpserver.HTTPServer( self.__app )
port = Conf.HTTPPort()
srv.listen( port )
self.__servers[ ( 'http', port ) ] = srv
if Conf.HTTPS():
self.log.notice( "Configuring HTTPS on port %s" % Conf.HTTPSPort() )
sslops = dict( certfile = Conf.HTTPSCert(),
keyfile = Conf.HTTPSKey(),
cert_reqs = ssl.CERT_OPTIONAL,
ca_certs = Conf.generateCAFile() )
self.log.debug( " - %s" % "\n - ".join( [ "%s = %s" % ( k, sslops[k] ) for k in sslops ] ) )
srv = tornado.httpserver.HTTPServer( self.__app, ssl_options = sslops )
port = Conf.HTTPSPort()
srv.listen( port )
self.__servers[ ( 'https', port ) ] = srv
return result
def bootstrap(self):
"""
Configure and create web app
"""
self.log.always("\n ====== Starting DIRAC web app ====== \n")
# Load required CFG files
if not self._loadDefaultWebCFG(
): # if we have a web.cfg under etc directory we use it, otherwise we use the configuration file defined by the developer
self._loadWebAppCFGFiles()
# Calculating routes
result = self.__handlerMgr.getRoutes()
if not result['OK']:
return result
routes = result['Value']
# Initialize the session data
SessionData.setHandlers(self.__handlerMgr.getHandlers()['Value'])
# Create the app
tLoader = TemplateLoader(self.__handlerMgr.getPaths("template"))
kw = dict(debug=Conf.devMode(),
template_loader=tLoader,
cookie_secret=Conf.cookieSecret(),
log_function=self._logRequest,
autoreload=Conf.numProcesses() < 2)
#please do no move this lines. The lines must be before the fork_processes
signal.signal(signal.SIGTERM, self.stopChildProcesses)
signal.signal(signal.SIGINT, self.stopChildProcesses)
# Check processes if we're under a load balancert
if Conf.balancer() and Conf.numProcesses() not in (0, 1):
tornado.process.fork_processes(Conf.numProcesses(), max_restarts=0)
kw['debug'] = False
# Debug mode?
if kw['debug']:
self.log.info("Configuring in developer mode...")
# Configure tornado app
self.__app = tornado.web.Application(routes, **kw)
self.log.notice("Configuring HTTP on port %s" % (Conf.HTTPPort()))
# Create the web servers
srv = tornado.httpserver.HTTPServer(self.__app, xheaders=True)
port = Conf.HTTPPort()
srv.listen(port)
self.__servers[('http', port)] = srv
Conf.generateRevokedCertsFile() # it is used by nginx....
if Conf.HTTPS():
self.log.notice("Configuring HTTPS on port %s" % Conf.HTTPSPort())
sslops = dict(certfile=Conf.HTTPSCert(),
keyfile=Conf.HTTPSKey(),
cert_reqs=ssl.CERT_OPTIONAL,
ca_certs=Conf.generateCAFile(),
ssl_version=ssl.PROTOCOL_TLSv1)
sslprotocol = str(Conf.SSLProrocol())
aviableProtocols = [i for i in dir(ssl) if i.find('PROTOCOL') == 0]
if sslprotocol and sslprotocol != "":
if (sslprotocol in aviableProtocols):
sslops['ssl_version'] = getattr(ssl, sslprotocol)
else:
message = "%s protocol is not provided. The following protocols are provided: %s" % (
sslprotocol, str(aviableProtocols))
gLogger.warn(message)
self.log.debug(
" - %s" %
"\n - ".join(["%s = %s" % (k, sslops[k]) for k in sslops]))
srv = tornado.httpserver.HTTPServer(self.__app,
ssl_options=sslops,
xheaders=True)
port = Conf.HTTPSPort()
srv.listen(port)
self.__servers[('https', port)] = srv
else:
#when NGINX is used then the Conf.HTTPS return False, it means tornado does not have to be configured using 443 port
Conf.generateCAFile(
) # if we use Nginx we have to generate the cas as well...
return result
def __processCredentials(self):
"""
Extract the user credentials based on the certificate or what comes from the balancer
"""
if not self.request.protocol == "https":
return
# OIDC auth method
def oAuth2():
if self.get_secure_cookie("AccessToken"):
access_token = self.get_secure_cookie("AccessToken")
url = Conf.getCSValue(
"TypeAuths/%s/authority" % typeAuth) + '/userinfo'
heads = {
'Authorization': 'Bearer ' + access_token,
'Content-Type': 'application/json'
}
if 'error' in requests.get(url, headers=heads,
verify=False).json():
self.log.error('OIDC request error: %s' % requests.get(
url, headers=heads, verify=False).json()['error'])
return
ID = requests.get(url, headers=heads,
verify=False).json()['sub']
result = getUsernameForID(ID)
if result['OK']:
self.__credDict['username'] = result['Value']
result = getDNForUsername(self.__credDict['username'])
if result['OK']:
self.__credDict['validDN'] = True
self.__credDict['DN'] = result['Value'][0]
result = getCAForUsername(self.__credDict['username'])
if result['OK']:
self.__credDict['issuer'] = result['Value'][0]
return
# Type of Auth
if not self.get_secure_cookie("TypeAuth"):
self.set_secure_cookie("TypeAuth", 'Certificate')
typeAuth = self.get_secure_cookie("TypeAuth")
self.log.info("Type authentication: %s" % str(typeAuth))
if typeAuth == "Visitor":
return
retVal = Conf.getCSSections("TypeAuths")
if retVal['OK']:
if typeAuth in retVal.get("Value"):
method = Conf.getCSValue("TypeAuths/%s/method" % typeAuth,
'default')
if method == "oAuth2":
oAuth2()
# NGINX
if Conf.balancer() == "nginx":
headers = self.request.headers
if headers['X-Scheme'] == "https" and headers[
'X-Ssl_client_verify'] == 'SUCCESS':
DN = headers['X-Ssl_client_s_dn']
if not DN.startswith('/'):
items = DN.split(',')
items.reverse()
DN = '/' + '/'.join(items)
self.__credDict['DN'] = DN
self.__credDict['issuer'] = headers['X-Ssl_client_i_dn']
result = Registry.getUsernameForDN(DN)
if not result['OK']:
self.__credDict['validDN'] = False
else:
self.__credDict['validDN'] = True
self.__credDict['username'] = result['Value']
return
# TORNADO
derCert = self.request.get_ssl_certificate(binary_form=True)
if not derCert:
return
pemCert = ssl.DER_cert_to_PEM_cert(derCert)
chain = X509Chain()
chain.loadChainFromString(pemCert)
result = chain.getCredentials()
if not result['OK']:
self.log.error("Could not get client credentials %s" %
result['Message'])
return
self.__credDict = result['Value']
# Hack. Data coming from OSSL directly and DISET difer in DN/subject
try:
self.__credDict['DN'] = self.__credDict['subject']
except KeyError:
pass
def __processCredentials(self):
"""
Extract the user credentials based on the certificate or what comes from the balancer
"""
if not self.request.protocol == "https":
return
# OIDC auth method
def oAuth2():
if self.get_secure_cookie("AccessToken"):
access_token = self.get_secure_cookie("AccessToken")
url = Conf.getCSValue("TypeAuths/%s/authority" % typeAuth) + '/userinfo'
heads = {'Authorization': 'Bearer ' + access_token, 'Content-Type': 'application/json'}
if 'error' in requests.get(url, headers=heads, verify=False).json():
self.log.error('OIDC request error: %s' % requests.get(url, headers=heads, verify=False).json()['error'])
return
ID = requests.get(url, headers=heads, verify=False).json()['sub']
result = getUsernameForID(ID)
if result['OK']:
self.__credDict['username'] = result['Value']
result = getDNForUsername(self.__credDict['username'])
if result['OK']:
self.__credDict['validDN'] = True
self.__credDict['DN'] = result['Value'][0]
result = getCAForUsername(self.__credDict['username'])
if result['OK']:
self.__credDict['issuer'] = result['Value'][0]
return
# Type of Auth
if not self.get_secure_cookie("TypeAuth"):
self.set_secure_cookie("TypeAuth", 'Certificate')
typeAuth = self.get_secure_cookie("TypeAuth")
self.log.info("Type authentication: %s" % str(typeAuth))
if typeAuth == "Visitor":
return
retVal = Conf.getCSSections("TypeAuths")
if retVal['OK']:
if typeAuth in retVal.get("Value"):
method = Conf.getCSValue("TypeAuths/%s/method" % typeAuth, 'default')
if method == "oAuth2":
oAuth2()
# NGINX
if Conf.balancer() == "nginx":
headers = self.request.headers
if headers['X-Scheme'] == "https" and headers['X-Ssl_client_verify'] == 'SUCCESS':
DN = headers['X-Ssl_client_s_dn']
if not DN.startswith('/'):
items = DN.split(',')
items.reverse()
DN = '/' + '/'.join(items)
self.__credDict['DN'] = DN
self.__credDict['issuer'] = headers['X-Ssl_client_i_dn']
result = Registry.getUsernameForDN(DN)
if not result['OK']:
self.__credDict['validDN'] = False
else:
self.__credDict['validDN'] = True
self.__credDict['username'] = result['Value']
return
# TORNADO
derCert = self.request.get_ssl_certificate(binary_form=True)
if not derCert:
return
pemCert = ssl.DER_cert_to_PEM_cert(derCert)
chain = X509Chain()
chain.loadChainFromString(pemCert)
result = chain.getCredentials()
if not result['OK']:
self.log.error("Could not get client credentials %s" % result['Message'])
return
self.__credDict = result['Value']
# Hack. Data coming from OSSL directly and DISET difer in DN/subject
try:
self.__credDict['DN'] = self.__credDict['subject']
except KeyError:
pass
def bootstrap( self ):
"""
Configure and create web app
"""
self.log.always( "\n ====== Starting DIRAC web app ====== \n" )
# Load required CFG files
if not self._loadDefaultWebCFG(): # if we have a web.cfg under etc directory we use it, otherwise we use the configuration file defined by the developer
self._loadWebAppCFGFiles()
# Calculating routes
result = self.__handlerMgr.getRoutes()
if not result[ 'OK' ]:
return result
routes = result[ 'Value' ]
# Initialize the session data
SessionData.setHandlers( self.__handlerMgr.getHandlers()[ 'Value' ] )
# Create the app
tLoader = TemplateLoader( self.__handlerMgr.getPaths( "template" ) )
kw = dict( debug = Conf.devMode(), template_loader = tLoader, cookie_secret = Conf.cookieSecret(),
log_function = self._logRequest, autoreload = Conf.numProcesses() < 2 )
#please do no move this lines. The lines must be before the fork_processes
signal.signal(signal.SIGTERM, self.stopChildProcesses)
signal.signal(signal.SIGINT, self.stopChildProcesses)
# Check processes if we're under a load balancert
if Conf.balancer() and Conf.numProcesses() not in ( 0, 1 ):
tornado.process.fork_processes( Conf.numProcesses(), max_restarts = 0 )
kw[ 'debug' ] = False
# Debug mode?
if kw[ 'debug' ]:
self.log.info( "Configuring in developer mode..." )
# Configure tornado app
self.__app = tornado.web.Application( routes, **kw )
self.log.notice( "Configuring HTTP on port %s" % ( Conf.HTTPPort() ) )
# Create the web servers
srv = tornado.httpserver.HTTPServer( self.__app, xheaders = True )
port = Conf.HTTPPort()
srv.listen( port )
self.__servers[ ( 'http', port ) ] = srv
Conf.generateRevokedCertsFile() # it is used by nginx....
if Conf.HTTPS():
self.log.notice( "Configuring HTTPS on port %s" % Conf.HTTPSPort() )
sslops = dict( certfile = Conf.HTTPSCert(),
keyfile = Conf.HTTPSKey(),
cert_reqs = ssl.CERT_OPTIONAL,
ca_certs = Conf.generateCAFile(),
ssl_version = ssl.PROTOCOL_TLSv1 )
sslprotocol = str( Conf.SSLProrocol() )
aviableProtocols = [ i for i in dir( ssl ) if i.find( 'PROTOCOL' ) == 0]
if sslprotocol and sslprotocol != "":
if ( sslprotocol in aviableProtocols ):
sslops['ssl_version'] = getattr( ssl, sslprotocol )
else:
message = "%s protocol is not provided. The following protocols are provided: %s" % ( sslprotocol, str( aviableProtocols ) )
gLogger.warn( message )
self.log.debug( " - %s" % "\n - ".join( [ "%s = %s" % ( k, sslops[k] ) for k in sslops ] ) )
srv = tornado.httpserver.HTTPServer( self.__app, ssl_options = sslops, xheaders = True )
port = Conf.HTTPSPort()
srv.listen( port )
self.__servers[ ( 'https', port ) ] = srv
else:
#when NGINX is used then the Conf.HTTPS return False, it means tornado does not have to be configured using 443 port
Conf.generateCAFile() # if we use Nginx we have to generate the cas as well...
return result
