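def token(
    oidc_client_id,
    oidc_client_secret,
    oidc_refresh_token,
    oidc_access_token,
    oidc_url,
    oidc_agent_account,
    site,
    project_id,
):
    """
    Get scoped keystone token from site and project ID

    Resolves an access token through ``get_access_token``, looks up the
    site's ``org.openstack.nova`` endpoint in GOCDB, exchanges the access
    token for a Keystone token scoped to ``project_id`` and prints it as an
    ``export OS_TOKEN="..."`` shell line. The scoped token therefore ends up
    on stdout (and in the shell history of whoever evals the output).

    Raises ``SystemExit`` with a readable message when GOCDB returns no nova
    endpoint for ``site``; previously this surfaced as a bare ``IndexError``
    from ``pop()``.
    """
    access_token = get_access_token(
        oidc_access_token,
        oidc_refresh_token,
        oidc_client_id,
        oidc_client_secret,
        oidc_url,
        oidc_agent_account,
    )

    # Endpoints come from GOCDB; any of them is assumed to be fine.
    # Note that pop() takes the *last* entry returned, not the first.
    endpoints = find_endpoint("org.openstack.nova", site=site)
    if not endpoints:
        raise SystemExit(
            "Error: no org.openstack.nova endpoint found for site %s" % site
        )
    ep = endpoints.pop()
    # ep[2] is the endpoint URL -- presumably (id, name, url); confirm against find_endpoint
    os_auth_url = ep[2]

    scoped_token, _ = get_scoped_token(os_auth_url, access_token, project_id)
    print('export OS_TOKEN="%s"' % scoped_token)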
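def env(
    oidc_client_id,
    oidc_client_secret,
    oidc_refresh_token,
    oidc_access_token,
    oidc_url,
    oidc_agent_account,
    site,
    project_id,
):
    """
    Generating OS environment variables for specific project/site

    Prints ``export OS_*=...`` lines that configure the OpenStack client for
    ``project_id`` on ``site`` using the ``v3oidcaccesstoken`` auth type.
    The bearer access token is printed verbatim as ``OS_ACCESS_TOKEN``, so
    the output should be treated as a secret (e.g. ``eval``-ed, not logged).

    Raises ``SystemExit`` with a readable message when GOCDB returns no nova
    endpoint for ``site``; previously this surfaced as a bare ``IndexError``
    from ``pop()``.
    """
    access_token = get_access_token(
        oidc_access_token,
        oidc_refresh_token,
        oidc_client_id,
        oidc_client_secret,
        oidc_url,
        oidc_agent_account,
    )

    # Endpoints come from GOCDB; any of them is assumed to be fine.
    # Note that pop() takes the *last* entry returned, not the first.
    endpoints = find_endpoint("org.openstack.nova", site=site)
    if not endpoints:
        raise SystemExit(
            "Error: no org.openstack.nova endpoint found for site %s" % site
        )
    ep = endpoints.pop()
    # ep[2] is the endpoint URL -- presumably (id, name, url); confirm against find_endpoint
    os_auth_url = ep[2]

    # The scoped token itself is only requested to learn the protocol name
    scoped_token, protocol = get_scoped_token(os_auth_url, access_token, project_id)

    print("# environment for %s" % site)
    print('export OS_AUTH_URL="%s"' % os_auth_url)
    print('export OS_AUTH_TYPE="v3oidcaccesstoken"')
    print('export OS_IDENTITY_PROVIDER="egi.eu"')
    print('export OS_PROTOCOL="%s"' % protocol)
    print('export OS_ACCESS_TOKEN="%s"' % access_token)
    print('export OS_PROJECT_ID="%s"' % project_id)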
def projects(
    oidc_client_id,
    oidc_client_secret,
    oidc_refresh_token,
    oidc_access_token,
    oidc_url,
    oidc_agent_account,
    site,
):
    """
    List of all project from specific site/sites

    Resolves an access token, asks ``get_projects_from_sites`` for the
    projects visible with it and prints them as a table with the columns
    ``id``, ``Name``, ``enabled`` and ``site``. The special site name
    ``ALL_SITES`` is passed on as ``None``.
    """
    access_token = get_access_token(
        oidc_access_token,
        oidc_refresh_token,
        oidc_client_id,
        oidc_client_secret,
        oidc_url,
        oidc_agent_account,
    )

    # None presumably means "query every site" to get_projects_from_sites;
    # confirm against its implementation.
    target_site = None if site == "ALL_SITES" else site
    rows = get_projects_from_sites(access_token, target_site)

    columns = ["id", "Name", "enabled", "site"]
    print(tabulate(rows, headers=columns))
def wrapper(*args, **kwargs):
    """
    Replace the six ``oidc_*`` keyword arguments with a single ``access_token``

    The ``oidc_*`` entries are popped from ``kwargs`` (a missing one raises
    ``KeyError``, as before), resolved through ``get_access_token``, and the
    result is handed to the wrapped ``func`` as ``access_token``. ``func``
    comes from the enclosing decorator, which is outside this view.
    """
    # Imported here rather than at module level -- presumably to avoid an
    # import cycle with fedcloudclient.checkin; confirm before hoisting.
    from fedcloudclient.checkin import get_access_token

    # Same positional order get_access_token is called with elsewhere in the file
    oidc_keys = (
        "oidc_access_token",
        "oidc_refresh_token",
        "oidc_client_id",
        "oidc_client_secret",
        "oidc_url",
        "oidc_agent_account",
    )
    oidc_values = [kwargs.pop(key) for key in oidc_keys]
    kwargs["access_token"] = get_access_token(*oidc_values)
    return func(*args, **kwargs)
def ec3(
    oidc_client_id,
    oidc_client_secret,
    oidc_refresh_token,
    oidc_access_token,
    oidc_url,
    oidc_agent_account,
    site,
    project_id,
    auth_file,
    template_dir,
    force,
):
    """
    Write an EC3 auth file and refresh template for a site and project

    Rewrites ``auth_file`` with one ``OpenStack`` line for ``site`` (keeping
    any existing non-OpenStack lines) and writes ``refresh.radl`` into
    ``template_dir`` from ``EC3_REFRESHTOKEN_TEMPLATE``. Both files contain
    secrets: the auth file holds the access token, the template holds the
    OIDC client secret and refresh token.

    Raises ``click.Abort`` when ``auth_file`` exists and ``force`` is not set.
    """
    if os.path.exists(auth_file) and not force:
        print(
            "Auth file already exists, not replacing unless --force option is included"
        )
        raise click.Abort()
    access_token = get_access_token(
        oidc_access_token,
        oidc_refresh_token,
        oidc_client_id,
        oidc_client_secret,
        oidc_url,
        oidc_agent_account,
    )
    # Get the right endpoint from GOCDB
    # assume first one is ok (note: pop() actually takes the last entry)
    ep = find_endpoint("org.openstack.nova", site=site).pop()
    os_auth_url = ep[2]
    # NOTE(review): the "password = ..." entry below has no %s placeholder, so
    # the `% access_token` raises TypeError as written; this looks like a
    # redacted '%s' -- verify against the upstream source before relying on it.
    # Unlike init(), the tenant is hard-coded to "openid" here.
    site_auth = [
        "id = %s" % site,
        "type = OpenStack",
        "username = egi.eu",
        "tenant = openid",
        "auth_version = 3.x_oidc_access_token",
        "host = %s" % os_auth_url,
        "domain = %s" % project_id,
        "password = '******'" % access_token
    ]
    auth_file_contents = [";".join(site_auth)]
    if os.path.exists(auth_file):
        with open(auth_file, "r") as f:
            # Existing OpenStack lines are dropped and replaced by the new one.
            # NOTE(review): readlines() keeps the trailing newline on each
            # retained line and they are joined with "\n" again below, so
            # blank lines accumulate on every rewrite.
            for line in f.readlines():
                if 'OpenStack' in line:
                    continue
                auth_file_contents.append(line)
    # Written with the process umask: no restrictive mode is applied even
    # though the file now contains the access token.
    with open(auth_file, "w+") as f:
        f.write("\n".join(auth_file_contents))
    if not os.path.exists(template_dir):
        os.mkdir(template_dir)
    # The template receives the long-lived OIDC client secret and refresh
    # token; the file is created with default permissions as well.
    with open(os.path.join(template_dir, "refresh.radl"), "w+") as f:
        v = dict(client_id=oidc_client_id, client_secret=oidc_client_secret, refresh_token=oidc_refresh_token)
        f.write(EC3_REFRESHTOKEN_TEMPLATE % v)
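def openstack_int(
    oidc_client_id,
    oidc_client_secret,
    oidc_refresh_token,
    oidc_access_token,
    oidc_url,
    oidc_agent_account,
    openstack_auth_protocol,
    openstack_auth_type,
    openstack_auth_provider,
    site,
    vo,
):
    """
    Interactive OpenStack client on site and VO

    Resolves an access token, finds the endpoint and project for ``vo`` on
    ``site`` and runs ``__OPENSTACK_CLIENT`` as a child process with the
    ``OS_*`` variables set in its environment. ``openstack_auth_protocol``
    is only used as a fallback when the site lookup reports no protocol.

    Exits with status 1 when the ``openstack`` client is not installed and
    raises ``SystemExit`` with a message when ``vo`` is not found on ``site``.
    """
    if not check_openstack_client_installation():
        print('Error: OpenStack command-line client "openstack" not found')
        # raise SystemExit rather than exit(): the latter is a site-module
        # convenience that is absent under `python -S` / embedded interpreters
        raise SystemExit(1)

    access_token = get_access_token(
        oidc_access_token,
        oidc_refresh_token,
        oidc_client_id,
        oidc_client_secret,
        oidc_url,
        oidc_agent_account,
    )

    endpoint, project_id, protocol = find_endpoint_and_project_id(site, vo)
    if endpoint is None:
        raise SystemExit("Error: VO %s not found on site %s" % (vo, site))
    if protocol is None:
        protocol = openstack_auth_protocol

    # Copy the environment so the token never lands in this process's own
    # os.environ; it is still visible to the child and to anything that can
    # read the child's environment.
    my_env = os.environ.copy()
    my_env["OS_AUTH_URL"] = endpoint
    my_env["OS_AUTH_TYPE"] = openstack_auth_type
    my_env["OS_PROTOCOL"] = protocol
    my_env["OS_IDENTITY_PROVIDER"] = openstack_auth_provider
    my_env["OS_ACCESS_TOKEN"] = access_token
    my_env["OS_PROJECT_ID"] = project_id

    # Calling OpenStack client as subprocess (no shell, fixed argument list)
    # Ignore bandit warning
    subprocess.run(__OPENSTACK_CLIENT, env=my_env)  # nosec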
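def _token_needs_refresh(access_token, margin=300):
    """
    Return True when the JWT's ``exp`` claim is less than ``margin`` seconds away

    The signature is deliberately not verified: the decode only reads the
    expiry to decide whether to fetch a new token, and nothing is authorised
    on the basis of the unverified payload. A token without an ``exp`` claim
    is treated as expired (previously a ``KeyError``).
    """
    # FIXME(enolfc): add verification
    payload = jwt.decode(access_token, options={"verify_signature": False})
    expires = payload.get("exp")
    if expires is None:
        return True
    return int(expires) - int(time.time()) < margin


def _refresh_auth_line(
    line,
    oidc_client_id,
    oidc_client_secret,
    oidc_refresh_token,
    oidc_access_token,
    oidc_url,
    oidc_agent_account,
):
    """
    Rebuild one ``;``-separated OpenStack auth line, refreshing its password

    Every entry is stripped; the ``password = ...`` entry (the access token,
    optionally wrapped in single or double quotes as written by init/ec3) is
    replaced with a fresh token from ``get_access_token`` when it is about to
    expire. The entry is always written back unquoted, as before.
    """
    auth_tokens = []
    for entry in line.split(";"):
        entry = entry.strip()
        if not entry.startswith("password"):
            auth_tokens.append(entry)
            continue
        # Split on the first '=' only: the token value may itself contain '='
        access_token = entry.split("=", 1)[1].strip()
        # [:1] instead of [0] so an empty value does not raise IndexError
        if access_token[:1] in ("'", '"'):
            access_token = access_token[1:-1]
        if _token_needs_refresh(access_token):
            access_token = get_access_token(
                oidc_access_token,
                oidc_refresh_token,
                oidc_client_id,
                oidc_client_secret,
                oidc_url,
                oidc_agent_account,
            )
        auth_tokens.append("password = %s" % access_token)
    return "; ".join(auth_tokens)


def refresh(
    oidc_client_id,
    oidc_client_secret,
    oidc_refresh_token,
    oidc_access_token,
    oidc_url,
    oidc_agent_account,
    auth_file,
):
    """
    Refresh the access token stored in an EC3 auth file when close to expiry

    Reads ``auth_file`` line by line. Lines mentioning ``OpenStack`` are
    rebuilt by ``_refresh_auth_line`` (the ``password`` entry is replaced by
    a new access token when its ``exp`` claim is less than 300 seconds away);
    other non-blank lines are kept verbatim, blank lines are dropped, and the
    file is rewritten in place with the process umask.

    Raises ``OSError`` when ``auth_file`` cannot be read or written and
    whatever ``jwt.decode`` raises when a stored password is not a JWT.
    """
    auth_file_contents = []
    with open(auth_file, "r") as f:
        for raw_line in f:
            line = raw_line.strip()
            if "OpenStack" in line:
                auth_file_contents.append(
                    _refresh_auth_line(
                        line,
                        oidc_client_id,
                        oidc_client_secret,
                        oidc_refresh_token,
                        oidc_access_token,
                        oidc_url,
                        oidc_agent_account,
                    )
                )
            elif line:
                auth_file_contents.append(line)

    with open(auth_file, "w+") as f:
        f.write("\n".join(auth_file_contents))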
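def openstack(
    oidc_client_id,
    oidc_client_secret,
    oidc_refresh_token,
    oidc_access_token,
    oidc_url,
    oidc_agent_account,
    openstack_auth_protocol,
    openstack_auth_type,
    openstack_auth_provider,
    site,
    vo,
    ignore_missing_vo,
    json_output,
    openstack_command,
):
    """
    Executing OpenStack commands on site and VO

    Runs ``fedcloud_openstack_full`` for ``openstack_command`` on ``site``
    (or on every site from ``list_sites()`` when ``site == "ALL_SITES"``)
    using a thread pool of ``__MAX_WORKER_THREAD`` workers, and hands each
    outcome to ``print_result`` as it completes. With ``json_output`` the
    closing ``]`` of the JSON list is printed at the end.

    Exits with status 1 when the ``openstack`` client is not installed.
    """
    if not check_openstack_client_installation():
        print('Error: OpenStack command-line client "openstack" not found')
        # raise SystemExit rather than exit(): the latter is a site-module
        # convenience that is absent under `python -S` / embedded interpreters
        raise SystemExit(1)

    access_token = get_access_token(
        oidc_access_token,
        oidc_refresh_token,
        oidc_client_id,
        oidc_client_secret,
        oidc_url,
        oidc_agent_account,
    )

    sites = list_sites() if site == "ALL_SITES" else [site]

    # Multi-thread execution of OpenStack commands
    with concurrent.futures.ThreadPoolExecutor(
        max_workers=__MAX_WORKER_THREAD
    ) as executor:
        # Start OpenStack operation with each site
        futures = {
            executor.submit(
                fedcloud_openstack_full,
                access_token,
                openstack_auth_protocol,
                openstack_auth_type,
                openstack_auth_provider,
                target,
                vo,
                openstack_command,
                json_output,
            ): target
            for target in sites
        }

        # Get the result, first come first serve
        first = True
        for future in concurrent.futures.as_completed(futures):
            target = futures[future]
            # Reset all three per future: when future.result() raises,
            # error_code/result are never assigned, so without this the
            # previous site's values (or an UnboundLocalError on the first
            # site) would be passed to print_result.
            exc_msg = error_code = result = None
            try:
                error_code, result = future.result()
            except Exception as exc:
                exc_msg = exc
            # Print result
            print_result(
                target,
                vo,
                openstack_command,
                exc_msg,
                error_code,
                result,
                json_output,
                ignore_missing_vo,
                first,
            )
            first = False

    # Print list enclosing ']' for JSON
    if json_output:
        print("]")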
def init(
    oidc_client_id,
    oidc_client_secret,
    oidc_refresh_token,
    oidc_access_token,
    oidc_url,
    oidc_agent_account,
    site,
    vo,
    auth_file,
    template_dir,
    force,
):
    """
    Write an EC3 auth file and refresh template for a site and VO

    Rewrites ``auth_file`` with one ``OpenStack`` line for ``site`` (keeping
    any existing non-OpenStack lines) and writes ``refresh.radl`` into
    ``template_dir`` from ``EC3_REFRESHTOKEN_TEMPLATE``. Both files contain
    secrets: the auth file holds the access token, the template holds the
    OIDC client secret and refresh token.

    Raises ``click.Abort`` when ``auth_file`` exists and ``force`` is not set,
    or when ``site`` is ``ALL_SITES``.
    """
    if os.path.exists(auth_file) and not force:
        print(
            "Auth file already exists, not replacing unless --force option is included"
        )
        raise click.Abort()
    access_token = get_access_token(
        oidc_access_token,
        oidc_refresh_token,
        oidc_client_id,
        oidc_client_secret,
        oidc_url,
        oidc_agent_account,
    )
    if site == "ALL_SITES":
        print("ec3 command cannot be used with ALL_SITES")
        raise click.Abort()
    # NOTE(review): unlike openstack_int(), a missing VO (endpoint is None)
    # is not checked here, so "host = None" would be written to the file.
    endpoint, project_id, protocol = find_endpoint_and_project_id(site, vo)
    # NOTE(review): the "password = ..." entry below has no %s placeholder, so
    # the `% access_token` raises TypeError as written; this looks like a
    # redacted '%s' -- verify against the upstream source before relying on it.
    site_auth = [
        "id = %s" % site,
        "type = OpenStack",
        "username = egi.eu",
        "tenant = %s" % protocol,
        "auth_version = 3.x_oidc_access_token",
        "host = %s" % endpoint,
        "domain = %s" % project_id,
        "password = '******'" % access_token,
    ]
    auth_file_contents = [";".join(site_auth)]
    if os.path.exists(auth_file):
        with open(auth_file, "r") as f:
            # Existing OpenStack lines are dropped and replaced by the new one.
            # NOTE(review): readlines() keeps the trailing newline on each
            # retained line and they are joined with "\n" again below, so
            # blank lines accumulate on every rewrite.
            for line in f.readlines():
                if "OpenStack" in line:
                    continue
                auth_file_contents.append(line)
    # Written with the process umask: no restrictive mode is applied even
    # though the file now contains the access token.
    with open(auth_file, "w+") as f:
        f.write("\n".join(auth_file_contents))
    if not os.path.exists(template_dir):
        os.mkdir(template_dir)
    # FIXME: this should not be used at all!
    # The template receives the long-lived OIDC client secret and refresh
    # token; the file is created with default permissions as well.
    with open(os.path.join(template_dir, "refresh.radl"), "w+") as f:
        v = dict(
            client_id=oidc_client_id,
            client_secret=oidc_client_secret,
            refresh_token=oidc_refresh_token,
        )
        f.write(EC3_REFRESHTOKEN_TEMPLATE % v)