def test_bad_x509(pubkey, errty, errmatch, inputfile):
"""
Uses the public key from fixtures to form a fake activation
requirements response, then attempts to fill the activation
requirements with bad x509 files. Confirms value errors
"""
activation_requirements = {
"DATA_TYPE":
"activation_requirements",
"DATA": [
{
"DATA_TYPE": "activation_requirement",
"type": "delegate_proxy",
"name": "public_key",
"value": pubkey,
},
{
"DATA_TYPE": "activation_requirement",
"type": "delegate_proxy",
"name": "proxy_chain",
"value": None,
},
],
}
with pytest.raises(errty, match=errmatch):
fill_delegate_proxy_activation_requirements(activation_requirements,
inputfile)
def test_fill_delegate_proxy_activation_requirements(self):
"""
Uses the public key from constants to form a fake activation
requirements response, and an expired proxy to test
fill_delegate_proxy_activation_requirements.
"""
# file containing an expired x509 from a myproxy-logon
x509 = "tests/framework/files/cert.pem"
activation_requirements = {
"DATA_TYPE":
"activation_requirements",
"DATA": [{
"DATA_TYPE": "activation_requirement",
"type": "delegate_proxy",
"name": "public_key",
"value": PUBLIC_KEY
}, {
"DATA_TYPE": "activation_requirement",
"type": "delegate_proxy",
"name": "proxy_chain",
"value": None
}]
}
filled_requirements = fill_delegate_proxy_activation_requirements(
activation_requirements, x509)
# assert the proxy_chain now contains a certificate
self.assertIn("-----BEGIN CERTIFICATE-----",
filled_requirements["DATA"][1]["value"])
self.assertIn("-----END CERTIFICATE-----",
filled_requirements["DATA"][1]["value"])
def test_bad_x509(self):
"""
Uses the public key from constants to form a fake activation
requirements response, then attempts to fill the activation
requirements with bad x509 files. Confirms value errors
"""
activation_requirements = {
"DATA_TYPE": "activation_requirements",
"DATA": [
{
"DATA_TYPE": "activation_requirement",
"type": "delegate_proxy",
"name": "public_key",
"value": PUBLIC_KEY,
},
{
"DATA_TYPE": "activation_requirement",
"type": "delegate_proxy",
"name": "proxy_chain",
"value": None,
},
],
}
# no file
with self.assertRaises(IOError) as err:
fill_delegate_proxy_activation_requirements(
activation_requirements, "nosuchfile.pem"
)
self.assertIn("No such file", str(err.exception))
# non pem file
with self.assertRaises(ValueError) as err:
fill_delegate_proxy_activation_requirements(
activation_requirements, "tests/framework/constants.py"
)
self.assertIn("Unable to parse PEM data", str(err.exception))
# no private key
with self.assertRaises(ValueError) as err:
fill_delegate_proxy_activation_requirements(
activation_requirements, "tests/framework/files/no_key.pem"
)
self.assertIn("Failed to decode PEM data", str(err.exception))
# only private key
with self.assertRaises(ValueError) as err:
fill_delegate_proxy_activation_requirements(
activation_requirements, "tests/framework/files/no_cert.pem"
)
self.assertIn("Unable to parse PEM data", str(err.exception))
def test_fill_delegate_proxy_activation_requirements(self):
"""
Uses the public key from constants to form a fake activation
requirements response, and an expired proxy to test
fill_delegate_proxy_activation_requirements.
"""
# file containing an expired x509 from a myproxy-logon
x509 = "tests/framework/files/cert.pem"
activation_requirements = {
"DATA_TYPE": "activation_requirements",
"DATA": [
{
"DATA_TYPE": "activation_requirement",
"type": "delegate_proxy",
"name": "public_key",
"value": PUBLIC_KEY,
},
{
"DATA_TYPE": "activation_requirement",
"type": "delegate_proxy",
"name": "proxy_chain",
"value": None,
},
],
}
filled_requirements = fill_delegate_proxy_activation_requirements(
activation_requirements, x509
)
# assert the proxy_chain now contains a certificate
self.assertIn(
"-----BEGIN CERTIFICATE-----", filled_requirements["DATA"][1]["value"]
)
self.assertIn(
"-----END CERTIFICATE-----", filled_requirements["DATA"][1]["value"]
)
def test_fill_delegate_proxy_activation_requirements(pubkey):
"""
Uses the public key from fixtures to form a fake activation
requirements response, and an expired proxy to test
fill_delegate_proxy_activation_requirements.
"""
# file containing an expired x509 from a myproxy-logon
x509 = "tests/files/cert.pem"
activation_requirements = {
"DATA_TYPE":
"activation_requirements",
"DATA": [
{
"DATA_TYPE": "activation_requirement",
"type": "delegate_proxy",
"name": "public_key",
"value": pubkey,
},
{
"DATA_TYPE": "activation_requirement",
"type": "delegate_proxy",
"name": "proxy_chain",
"value": None,
},
],
}
filled_requirements = fill_delegate_proxy_activation_requirements(
activation_requirements, x509)
# assert the proxy_chain now contains a certificate
assert "-----BEGIN CERTIFICATE-----" in filled_requirements["DATA"][1][
"value"]
assert "-----END CERTIFICATE-----" in filled_requirements["DATA"][1][
"value"]
def endpoint_activate(endpoint_id, myproxy, myproxy_username, myproxy_password,
myproxy_lifetime, web, no_browser, delegate_proxy,
proxy_lifetime, no_autoactivate, force):
"""
Executor for `globus endpoint activate`
"""
default_myproxy_username = lookup_option(MYPROXY_USERNAME_OPTNAME)
client = get_client()
# validate options
if web + myproxy + bool(delegate_proxy) > 1:
raise click.UsageError(
"--web, --myproxy, and --delegate-proxy are mutually exclusive.")
if no_autoactivate and not (myproxy or web or delegate_proxy):
raise click.UsageError(
"--no-autoactivate requires another activation method be given.")
if myproxy_username and not myproxy:
raise click.UsageError("--myproxy-username requires --myproxy.")
if myproxy_password and not myproxy:
raise click.UsageError("--myproxy-password requires --myproxy.")
# NOTE: "0" is a legitimate, though weird, value
# In the case where someone is setting this value programatically,
# respecting it behaves more consistently/predictably
if myproxy_lifetime is not None and not myproxy:
raise click.UsageError("--myproxy-lifetime requires --myproxy.")
if no_browser and not web:
raise click.UsageError("--no-browser requires --web.")
if proxy_lifetime and not delegate_proxy:
raise click.UsageError("--proxy-lifetime requires --delegate-proxy.")
# check if endpoint is already activated unless --force
if not force:
res = client.endpoint_autoactivate(endpoint_id, if_expires_in=60)
if "AlreadyActivated" == res["code"]:
formatted_print(
res,
simple_text=("Endpoint is already activated. Activation "
"expires at {}".format(res["expire_time"])))
return
# attempt autoactivation unless --no-autoactivate
if not no_autoactivate:
res = client.endpoint_autoactivate(endpoint_id)
if "AutoActivated" in res["code"]:
formatted_print(
res,
simple_text=(
"Autoactivation succeeded with message: {}".format(
res["message"])))
return
# override potentially confusing autoactivation failure response
else:
message = ("The endpoint could not be auto-activated.\n\n" +
activation_requirements_help_text(res, endpoint_id))
res = {"message": message}
# myproxy activation
if myproxy:
# get username and password
if not (myproxy_username or default_myproxy_username):
myproxy_username = click.prompt("Myproxy username")
if not myproxy_password:
myproxy_password = click.prompt("Myproxy password",
hide_input=True)
no_server_msg = ("This endpoint has no myproxy server "
"and so cannot be activated through myproxy")
requirements_data = client.endpoint_get_activation_requirements(
endpoint_id).data
if not len(requirements_data["DATA"]):
raise click.ClickException(no_server_msg)
for data in requirements_data["DATA"]:
# skip non-myproxy values
# although the API does not practice this today, in theory other
# activation types may have fields with the same names...
if data["type"] != "myproxy":
continue
if data["name"] == "passphrase":
data["value"] = myproxy_password
if data["name"] == "username":
data["value"] = myproxy_username or default_myproxy_username
if data["name"] == "hostname" and data["value"] is None:
raise click.ClickException(no_server_msg)
# NOTE: remember that "0" is a possible value
if (data["name"] == "lifetime_in_hours"
and myproxy_lifetime is not None):
data["value"] = str(myproxy_lifetime)
res = client.endpoint_activate(endpoint_id, requirements_data)
# web activation
elif web:
url = ("https://www.globus.org/app/"
"endpoints/{}/activate".format(endpoint_id))
if no_browser or is_remote_session():
res = {"message": "Web activation url: {}".format(url), "url": url}
else:
webbrowser.open(url, new=1)
res = {
"message": "Browser opened to web activation page",
"url": url
}
# delegate proxy activation
elif delegate_proxy:
requirements_data = client.endpoint_get_activation_requirements(
endpoint_id).data
filled_requirements_data = fill_delegate_proxy_activation_requirements(
requirements_data,
delegate_proxy,
lifetime_hours=proxy_lifetime or 12)
res = client.endpoint_activate(endpoint_id, filled_requirements_data)
# output
formatted_print(res, text_format=FORMAT_TEXT_RAW, response_key='message')
def endpoint_activate(
endpoint_id,
myproxy,
myproxy_username,
myproxy_password,
myproxy_lifetime,
web,
no_browser,
delegate_proxy,
proxy_lifetime,
no_autoactivate,
force,
):
"""
Executor for `globus endpoint activate`
"""
default_myproxy_username = lookup_option(MYPROXY_USERNAME_OPTNAME)
client = get_client()
# validate options
if web + myproxy + bool(delegate_proxy) > 1:
raise click.UsageError(
"--web, --myproxy, and --delegate-proxy are mutually exclusive."
)
if no_autoactivate and not (myproxy or web or delegate_proxy):
raise click.UsageError(
"--no-autoactivate requires another activation method be given."
)
if myproxy_username and not myproxy:
raise click.UsageError("--myproxy-username requires --myproxy.")
if myproxy_password and not myproxy:
raise click.UsageError("--myproxy-password requires --myproxy.")
# NOTE: "0" is a legitimate, though weird, value
# In the case where someone is setting this value programatically,
# respecting it behaves more consistently/predictably
if myproxy_lifetime is not None and not myproxy:
raise click.UsageError("--myproxy-lifetime requires --myproxy.")
if no_browser and not web:
raise click.UsageError("--no-browser requires --web.")
if proxy_lifetime and not delegate_proxy:
raise click.UsageError("--proxy-lifetime requires --delegate-proxy.")
# check if endpoint is already activated unless --force
if not force:
res = client.endpoint_autoactivate(endpoint_id, if_expires_in=60)
if "AlreadyActivated" == res["code"]:
formatted_print(
res,
simple_text=(
"Endpoint is already activated. Activation "
"expires at {}".format(res["expire_time"])
),
)
return
# attempt autoactivation unless --no-autoactivate
if not no_autoactivate:
res = client.endpoint_autoactivate(endpoint_id)
if "AutoActivated" in res["code"]:
formatted_print(
res,
simple_text=(
"Autoactivation succeeded with message: {}".format(res["message"])
),
)
return
# override potentially confusing autoactivation failure response
else:
message = (
"The endpoint could not be auto-activated.\n\n"
+ activation_requirements_help_text(res, endpoint_id)
)
res = {"message": message}
# myproxy activation
if myproxy:
# get username and password
if not (myproxy_username or default_myproxy_username):
myproxy_username = click.prompt("Myproxy username")
if not myproxy_password:
myproxy_password = click.prompt("Myproxy password", hide_input=True)
no_server_msg = (
"This endpoint has no myproxy server "
"and so cannot be activated through myproxy"
)
requirements_data = client.endpoint_get_activation_requirements(
endpoint_id
).data
if not len(requirements_data["DATA"]):
raise click.ClickException(no_server_msg)
for data in requirements_data["DATA"]:
# skip non-myproxy values
# although the API does not practice this today, in theory other
# activation types may have fields with the same names...
if data["type"] != "myproxy":
continue
if data["name"] == "passphrase":
data["value"] = myproxy_password
if data["name"] == "username":
data["value"] = myproxy_username or default_myproxy_username
if data["name"] == "hostname" and data["value"] is None:
raise click.ClickException(no_server_msg)
# NOTE: remember that "0" is a possible value
if data["name"] == "lifetime_in_hours" and myproxy_lifetime is not None:
data["value"] = str(myproxy_lifetime)
res = client.endpoint_activate(endpoint_id, requirements_data)
# web activation
elif web:
url = "https://app.globus.org/file-manager" "?origin_id={}".format(endpoint_id)
if no_browser or is_remote_session():
res = {"message": "Web activation url: {}".format(url), "url": url}
else:
webbrowser.open(url, new=1)
res = {"message": "Browser opened to web activation page", "url": url}
# delegate proxy activation
elif delegate_proxy:
requirements_data = client.endpoint_get_activation_requirements(
endpoint_id
).data
filled_requirements_data = fill_delegate_proxy_activation_requirements(
requirements_data, delegate_proxy, lifetime_hours=proxy_lifetime or 12
)
res = client.endpoint_activate(endpoint_id, filled_requirements_data)
# output
formatted_print(res, text_format=FORMAT_TEXT_RAW, response_key="message")
def endpoint_activate(
endpoint_id,
myproxy,
myproxy_username,
myproxy_password,
myproxy_lifetime,
web,
no_browser,
delegate_proxy,
proxy_lifetime,
no_autoactivate,
force,
):
"""
Activate an endpoint using Autoactivation, Myproxy, Delegate Proxy,
or Web activation.
Note that --web, --delegate-proxy, and --myproxy activation are mutually
exclusive options.
\b
Autoactivation will always be attempted unless the --no-autoactivate
option is given. If autoactivation succeeds any other activation options
will be ignored as the endpoint has already been successfully activated.
\b
To use Web activation use the --web option.
The CLI will try to open your default browser to the endpoint's activation
page, but if a remote CLI session is detected, or the --no-browser option
is given, a url will be printed for you to manually follow and activate
the endpoint.
\b
To use Myproxy activation give the --myproxy option.
Myproxy activation requires your username and password for the myproxy
server the endpoint is using for authentication. e.g. for default
Globus Connect Server endpoints this will be your login credentials for the
server the endpoint is hosted on.
You can enter your username when prompted, give your username with the
--myproxy-username option, or set a default myproxy username in config with
"globus config init" or "globus config set cli.default_myproxy_username".
For security it is recommended that you only enter your password when
prompted to hide your inputs and keep your password out of your
command history, but you may pass your password with the hidden
--myproxy-password or -P options.
\b
To use Delegate Proxy activation use the --delegate-proxy option with a
file containing an X.509 certificate as an argument (e.g. an X.509
gotten from the myproxy-logon command). This certificate must
be a valid credential or proxy credential for the user from an identity
provider accepted by the endpoint being activated, and the endpoint must be
configured with a gridmap that will match the globus user using this
command with the local user the certificate was made to. Note if the X.509
is valid, but the endpoint does not recognize the identity provider or the
user the error will not be detected until the user attempts to perform an
operation on the endpoint.
"""
default_myproxy_username = lookup_option(MYPROXY_USERNAME_OPTNAME)
client = get_client()
# validate options
if web + myproxy + bool(delegate_proxy) > 1:
raise click.UsageError(
"--web, --myproxy, and --delegate-proxy are mutually exclusive.")
if no_autoactivate and not (myproxy or web or delegate_proxy):
raise click.UsageError(
"--no-autoactivate requires another activation method be given.")
if myproxy_username and not myproxy:
raise click.UsageError("--myproxy-username requires --myproxy.")
if myproxy_password and not myproxy:
raise click.UsageError("--myproxy-password requires --myproxy.")
# NOTE: "0" is a legitimate, though weird, value
# In the case where someone is setting this value programatically,
# respecting it behaves more consistently/predictably
if myproxy_lifetime is not None and not myproxy:
raise click.UsageError("--myproxy-lifetime requires --myproxy.")
if no_browser and not web:
raise click.UsageError("--no-browser requires --web.")
if proxy_lifetime and not delegate_proxy:
raise click.UsageError("--proxy-lifetime requires --delegate-proxy.")
# check if endpoint is already activated unless --force
if not force:
res = client.endpoint_autoactivate(endpoint_id, if_expires_in=60)
if "AlreadyActivated" == res["code"]:
formatted_print(
res,
simple_text=("Endpoint is already activated. Activation "
"expires at {}".format(res["expire_time"])),
)
return
# attempt autoactivation unless --no-autoactivate
if not no_autoactivate:
res = client.endpoint_autoactivate(endpoint_id)
if "AutoActivated" in res["code"]:
formatted_print(
res,
simple_text=(
"Autoactivation succeeded with message: {}".format(
res["message"])),
)
return
# override potentially confusing autoactivation failure response
else:
message = ("The endpoint could not be auto-activated.\n\n" +
activation_requirements_help_text(res, endpoint_id))
res = {"message": message}
# myproxy activation
if myproxy:
# fetch activation requirements
requirements_data = client.endpoint_get_activation_requirements(
endpoint_id).data
# filter to the myproxy requirements; ensure that there are values
myproxy_requirements_data = [
x for x in requirements_data["DATA"] if x["type"] == "myproxy"
]
if not len(myproxy_requirements_data):
raise click.ClickException(
"This endpoint does not support myproxy activation")
# get username and password
if not (myproxy_username or default_myproxy_username):
myproxy_username = click.prompt("Myproxy username")
if not myproxy_password:
myproxy_password = click.prompt("Myproxy password",
hide_input=True)
# fill out the requirements data -- note that because everything has been done
# by reference, `requirements_data` still refers to the document containing
# these values
for data in myproxy_requirements_data:
if data["name"] == "passphrase":
data["value"] = myproxy_password
if data["name"] == "username":
data["value"] = myproxy_username or default_myproxy_username
if data["name"] == "hostname" and data["value"] is None:
raise click.ClickException(
"This endpoint has no myproxy server "
"and so cannot be activated through myproxy")
# NOTE: remember that "0" is a possible value
if data["name"] == "lifetime_in_hours" and myproxy_lifetime is not None:
data["value"] = str(myproxy_lifetime)
res = client.endpoint_activate(endpoint_id, requirements_data)
# web activation
elif web:
url = "https://app.globus.org/file-manager?origin_id={}".format(
endpoint_id)
if no_browser or is_remote_session():
res = {"message": "Web activation url: {}".format(url), "url": url}
else:
webbrowser.open(url, new=1)
res = {
"message": "Browser opened to web activation page",
"url": url
}
# delegate proxy activation
elif delegate_proxy:
requirements_data = client.endpoint_get_activation_requirements(
endpoint_id).data
filled_requirements_data = fill_delegate_proxy_activation_requirements(
requirements_data,
delegate_proxy,
lifetime_hours=proxy_lifetime or 12)
res = client.endpoint_activate(endpoint_id, filled_requirements_data)
# output
formatted_print(res, text_format=FORMAT_TEXT_RAW, response_key="message")