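    def configure_gridmap_verify_myproxy_callout(self, conf_file_name, conf_link_name, **kwargs):
        """Write the GSI authz config for gridmap_verify_myproxy_callout.

        Writes a ``$GSI_AUTHZ_CONF`` line and a ``$GLOBUS_MYPROXY_CA_CERT``
        line to ``conf_file_name``, then symlinks ``conf_link_name`` to it.
        The CA certificate path written is the copy in the trusted CA
        directory (``<hash>.0``); if that copy or its signing policy is
        missing only an error is logged, so the callout cannot work until
        the MyProxy CA is installed there (``configure_myproxy_ca`` does
        that for a local CA).

        Args:
            conf_file_name: path of the config file to write.
            conf_link_name: path of the symlink to create, pointing at it.
            **kwargs: accepted for call-site compatibility; unused.

        Raises:
            Exception: if no MyProxy CA certificate can be located.
            OSError: from ``os.symlink`` if ``conf_link_name`` already exists.
        """
        self.logger.debug("ENTER: configure_gridmap_verify_myproxy_callout()")

        # ``open`` + ``with`` replaces the Python-2-only ``file()`` and the
        # explicit try/finally close; the file is closed on every exit path.
        with open(conf_file_name, "w") as conf_file:
            conf_file.write("$GSI_AUTHZ_CONF \"%s\"\n" % (
                os.path.join(
                    self.conf.root, "etc",
                    "gridmap_verify_myproxy_callout-gsi_authz.conf")))

            myproxy_ca_dn = self.conf.get_myproxy_ca_subject_dn()
            myproxy_server = self.conf.get_myproxy_server()
            if myproxy_ca_dn is None and \
                    myproxy_server is not None and \
                    self.is_local_myproxy():
                # Local MyProxy CA: read the subject straight from its cert.
                myproxy_ca_dir = self.conf.get_myproxy_ca_directory()
                myproxy_ca_dn = security.get_certificate_subject(
                    os.path.join(myproxy_ca_dir, "cacert.pem"))
            else:
                # Assume the CA name is the same as the MyProxy server's
                # subject.
                # NOTE(review): this branch also runs when a CA subject DN
                # *was* configured and replaces it with the server DN --
                # confirm that is intended.
                myproxy_ca_dn = self.conf.get_myproxy_dn()
                if myproxy_ca_dn is None:
                    myproxy_ca_dn = self.get_myproxy_dn_from_server()

            cadir = self.conf.get_security_trusted_certificate_directory()
            self.logger.debug("MyProxy CA DN is " + str(myproxy_ca_dn))
            self.logger.debug("CA dir is " + str(cadir))

            myproxy_certpath = None
            if self.is_local_myproxy():
                myproxy_certpath = os.path.join(
                    self.conf.get_myproxy_ca_directory(), "cacert.pem")
            elif myproxy_ca_dn is not None:
                # Remote MyProxy: select the trusted CA cert whose subject
                # equals the MyProxy CA DN.  The match is by subject only, so
                # it relies on the trusted CA directory being intact.
                self.logger.debug("Looking for MyProxy CA cert in " + str(cadir))
                for certfile in os.listdir(cadir):
                    if not certfile.endswith('.0'):
                        continue
                    certpath = os.path.join(cadir, certfile)
                    self.logger.debug("Checking to see if " + certfile + " matches MyProxyDN")
                    if security.get_certificate_subject(certpath) == myproxy_ca_dn:
                        myproxy_certpath = certpath
                        break

            if myproxy_certpath is None:
                raise Exception("ERROR: Unable to determine " +
                    "path to MyProxy CA certificate, set " +
                    "CaCert option in MyProxy section of config.\n")

            myproxy_ca_hash = security.get_certificate_hash(myproxy_certpath)

            # The callout is pointed at the copy in the trusted CA dir, not
            # at the CA's own directory.  Absence is only logged (not fatal)
            # so the config is still written.
            installed_cert = os.path.join(cadir, myproxy_ca_hash + ".0")
            installed_signing_policy = os.path.join(
                cadir, myproxy_ca_hash + ".signing_policy")
            if not os.path.exists(installed_cert):
                self.logger.error("MyProxy CA not installed in trusted CA dir")
            if not os.path.exists(installed_signing_policy):
                self.logger.error("MyProxy CA signing policy not installed " +
                    "in trusted CA dir")

            conf_file.write(
                "$GLOBUS_MYPROXY_CA_CERT \"%s\"\n" % installed_cert)
            os.symlink(conf_file_name, conf_link_name)
        self.logger.debug("EXIT: configure_gridmap_verify_myproxy_callout()")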
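    def configure_myproxy_ca(self, force=False):
        """Create the local MyProxy CA if needed and install it as trusted.

        When the configured MyProxy CA directory does not exist yet,
        ``grid-ca-create`` is run to build the CA there.  The CA certificate
        and signing policy are then copied into the trusted-certificate
        directory as ``<hash>.0`` / ``<hash>.signing_policy`` (the CA private
        key is never copied), and the MyProxy CA config fragment is stored in
        ``self.myproxy_ca_config``.  Does nothing if the MyProxy CA is not
        enabled in the configuration.

        Args:
            force: when true an existing CA directory is removed first
                (this destroys the CA private key under it) and
                ``grid-ca-create`` is given ``-force``.

        Raises:
            Exception: if ``grid-ca-create`` exits non-zero, or if a trusted
                CA directory is configured but the MyProxy CA directory is
                not.
        """
        if not self.conf.get_myproxy_ca():
            self.logger.debug("Not using MyProxy CA, nothing to configure")
            return

        cadir = self.conf.get_myproxy_ca_directory()
        if force and cadir is not None and os.path.exists(cadir):
            # Destructive: wipes the whole CA, including private/cakey.pem.
            shutil.rmtree(cadir, ignore_errors=True)

        if cadir is not None and not os.path.exists(cadir):
            ca_subject = self.conf.get_myproxy_ca_subject_dn()
            if ca_subject is None:
                # Default the CA subject to this host's service certificate
                # subject.
                ca_subject = security.get_certificate_subject(
                    self.conf.get_security_certificate_file(),
                    nameopt='RFC2253')
            args = [
                'grid-ca-create',
                '-nobuild',
                '-verbose',
                '-dir', cadir,
                '-subject', ca_subject,
                '-noint']
            if force:
                args.append('-force')
            # Argument list, no shell: ca_subject travels as one argv entry
            # and is never shell-interpreted.
            ca_create = Popen(args, stdout=PIPE, stderr=PIPE)
            (out, err) = ca_create.communicate()
            # Keep only printable characters so the log lines stay sane.
            # NOTE(review): assumes communicate() returns str (Python 2);
            # on Python 3 it returns bytes -- confirm before porting.
            out = "".join(s for s in out if s in string.printable)
            err = "".join(s for s in err if s in string.printable)
            self.logger.debug("ca create output: " + out)
            self.logger.debug("ca create stderr: " + err)
            if ca_create.returncode != 0:
                raise Exception("Error creating CA: " +
                    str(ca_create.returncode) + out + err)

        trustdir = self.conf.get_security_trusted_certificate_directory()
        if trustdir is not None:
            if cadir is None:
                # Previously this surfaced as an obscure error from
                # os.path.join(None, ...).
                raise Exception("MyProxy CA directory is not configured, " +
                    "cannot install the MyProxy CA into the trusted CA dir")
            if not os.path.exists(trustdir):
                os.makedirs(trustdir, 0o755)

            cert_path = os.path.join(cadir, "cacert.pem")
            signing_policy_path = os.path.join(cadir, "signing-policy")
            cahash = security.get_certificate_hash(cert_path)
            installed_cert_path = os.path.join(trustdir, cahash + ".0")
            installed_signing_policy = os.path.join(
                trustdir, cahash + ".signing_policy")

            # Only the public certificate and signing policy are published;
            # world-readable is intended for these.
            shutil.copyfile(signing_policy_path, installed_signing_policy)
            os.chmod(installed_signing_policy, 0o644)
            shutil.copyfile(cert_path, installed_cert_path)
            os.chmod(installed_cert_path, 0o644)

        # This fragment embeds the CA key passphrase: never log it.
        self.myproxy_ca_config = """
                certificate_issuer_cert "%(cadir)s/cacert.pem"
                certificate_issuer_key "%(cadir)s/private/cakey.pem"
                certificate_issuer_key_passphrase "%(passphrase)s"
                certificate_serialfile "%(cadir)s/serial"
                certificate_out_dir "%(cadir)s/newcerts"
                certificate_issuer_subca_certfile "%(cadir)s/cacert.pem"
                max_cert_lifetime 168
                cert_dir %(certdir)s
                """ % {
                    'cadir': cadir,
                    'passphrase': self.conf.get_myproxy_ca_passphrase(),
                    'certdir': trustdir
                }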
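    def configure_gridmap_verify_myproxy_callout(self, conf_file_name, conf_link_name, **kwargs):
        """Write and link the gridmap_verify_myproxy_callout authz config.

        ``conf_file_name`` receives a ``$GSI_AUTHZ_CONF`` line and a
        ``$GLOBUS_MYPROXY_CA_CERT`` line; ``conf_link_name`` is then created
        as a symlink to it.  The certificate path written is the ``<hash>.0``
        copy in the trusted CA directory.  A missing copy or signing policy
        is logged as an error but does not abort, so the callout only works
        once the MyProxy CA has actually been installed there.

        Args:
            conf_file_name: config file to write.
            conf_link_name: symlink to create pointing at ``conf_file_name``.
            **kwargs: ignored; kept so existing callers keep working.

        Raises:
            Exception: when the MyProxy CA certificate cannot be found.
            OSError: from ``os.symlink`` when ``conf_link_name`` exists.
        """
        self.logger.debug("ENTER: configure_gridmap_verify_myproxy_callout()")

        authz_conf = os.path.join(
            self.conf.root, "etc", "gridmap_verify_myproxy_callout-gsi_authz.conf"
        )
        # ``open`` works on Python 2 and 3 (``file`` does not); the context
        # manager closes the file on every exit path.
        with open(conf_file_name, "w") as conf_file:
            conf_file.write('$GSI_AUTHZ_CONF "%s"\n' % (authz_conf))

            myproxy_ca_dn = self.conf.get_myproxy_ca_subject_dn()
            myproxy_server = self.conf.get_myproxy_server()
            if myproxy_ca_dn is None and myproxy_server is not None and self.is_local_myproxy():
                # Local CA: take the subject from its own certificate.
                myproxy_ca_dir = self.conf.get_myproxy_ca_directory()
                myproxy_ca_dn = security.get_certificate_subject(os.path.join(myproxy_ca_dir, "cacert.pem"))
            else:
                # Assume the CA name is the same as the MyProxy server's
                # subject.
                # NOTE(review): a configured CA subject DN is overwritten
                # here as well -- confirm that is intended.
                myproxy_ca_dn = self.conf.get_myproxy_dn()
                if myproxy_ca_dn is None:
                    myproxy_ca_dn = self.get_myproxy_dn_from_server()

            cadir = self.conf.get_security_trusted_certificate_directory()
            self.logger.debug("MyProxy CA DN is " + str(myproxy_ca_dn))
            self.logger.debug("CA dir is " + str(cadir))

            myproxy_certpath = None
            if self.is_local_myproxy():
                myproxy_certpath = os.path.join(self.conf.get_myproxy_ca_directory(), "cacert.pem")
            elif myproxy_ca_dn is not None:
                # Remote MyProxy: match a trusted ``<hash>.0`` cert by subject
                # DN.  This trusts the contents of the trusted CA directory.
                self.logger.debug("Looking for MyProxy CA cert in " + str(cadir))
                for certfile in os.listdir(cadir):
                    if not certfile.endswith(".0"):
                        continue
                    certpath = os.path.join(cadir, certfile)
                    self.logger.debug("Checking to see if " + certfile + " matches MyProxyDN")
                    if security.get_certificate_subject(certpath) == myproxy_ca_dn:
                        myproxy_certpath = certpath
                        break

            if myproxy_certpath is None:
                raise Exception(
                    "ERROR: Unable to determine "
                    + "path to MyProxy CA certificate, set "
                    + "CaCert option in MyProxy section of config.\n"
                )

            myproxy_ca_hash = security.get_certificate_hash(myproxy_certpath)

            # Point the callout at the trusted-dir copy; its absence is
            # reported but not fatal.
            installed_cert = os.path.join(cadir, myproxy_ca_hash + ".0")
            installed_signing_policy = os.path.join(cadir, myproxy_ca_hash + ".signing_policy")
            if not os.path.exists(installed_cert):
                self.logger.error("MyProxy CA not installed in trusted CA dir")
            if not os.path.exists(installed_signing_policy):
                self.logger.error("MyProxy CA signing policy not installed in trusted CA dir")

            conf_file.write('$GLOBUS_MYPROXY_CA_CERT "%s"\n' % installed_cert)
            os.symlink(conf_file_name, conf_link_name)
        self.logger.debug("EXIT: configure_gridmap_verify_myproxy_callout()")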
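    def configure_myproxy_ca(self, force=False):
        """Build the local MyProxy CA when absent and publish it as trusted.

        Steps: (1) no-op unless the MyProxy CA is enabled; (2) with ``force``
        remove any existing CA directory; (3) if the CA directory is missing,
        run ``grid-ca-create`` to create it; (4) copy ``cacert.pem`` and
        ``signing-policy`` into the trusted-certificate directory as
        ``<hash>.0`` / ``<hash>.signing_policy``; (5) store the MyProxy CA
        config fragment in ``self.myproxy_ca_config``.

        Args:
            force: remove and recreate an existing CA (this deletes the CA
                private key) and pass ``-force`` to ``grid-ca-create``.

        Raises:
            Exception: ``grid-ca-create`` failed, or a trusted CA directory
                is configured without a MyProxy CA directory.
        """
        if not self.conf.get_myproxy_ca():
            self.logger.debug("Not using MyProxy CA, nothing to configure")
            return

        cadir = self.conf.get_myproxy_ca_directory()
        if force and cadir is not None and os.path.exists(cadir):
            # Deletes the entire CA tree, private key included.
            shutil.rmtree(cadir, ignore_errors=True)

        if cadir is not None and not os.path.exists(cadir):
            ca_subject = self.conf.get_myproxy_ca_subject_dn()
            if ca_subject is None:
                # Fall back to the host service certificate's subject.
                ca_subject = security.get_certificate_subject(
                    self.conf.get_security_certificate_file(),
                    nameopt='RFC2253')
            args = [
                'grid-ca-create', '-nobuild', '-verbose', '-dir',
                cadir, '-subject', ca_subject, '-noint'
            ]
            if force:
                args += ['-force']
            # No shell involved: the subject is a single argv element.
            ca_create = Popen(args, stdout=PIPE, stderr=PIPE)
            (out, err) = ca_create.communicate()
            # Strip non-printable output before logging.
            # NOTE(review): written for Python 2 str output; Python 3's
            # communicate() yields bytes -- confirm before porting.
            out = "".join(s for s in out if s in string.printable)
            err = "".join(s for s in err if s in string.printable)
            self.logger.debug("ca create output: " + out)
            self.logger.debug("ca create stderr: " + err)
            if ca_create.returncode != 0:
                raise Exception("Error creating CA: " + \
                    str(ca_create.returncode) + out + err)

        trustdir = self.conf.get_security_trusted_certificate_directory()
        if trustdir is not None:
            if cadir is None:
                # Explicit error instead of a TypeError from os.path.join.
                raise Exception("MyProxy CA directory is not configured, " +
                    "cannot install the MyProxy CA into the trusted CA dir")
            if not os.path.exists(trustdir):
                os.makedirs(trustdir, 0o755)

            cert_path = os.path.join(cadir, "cacert.pem")
            signing_policy_path = os.path.join(cadir, "signing-policy")
            cahash = security.get_certificate_hash(cert_path)
            installed_cert_path = os.path.join(trustdir, cahash + ".0")
            installed_signing_policy = os.path.join(trustdir,
                                                    cahash + ".signing_policy")

            # Public material only (cert + signing policy); 0644 is intended.
            # The private key under cadir/private is never copied.
            shutil.copyfile(signing_policy_path, installed_signing_policy)
            os.chmod(installed_signing_policy, 0o644)
            shutil.copyfile(cert_path, installed_cert_path)
            os.chmod(installed_cert_path, 0o644)

        # Contains the CA key passphrase -- keep it out of logs.
        self.myproxy_ca_config = """
                certificate_issuer_cert "%(cadir)s/cacert.pem"
                certificate_issuer_key "%(cadir)s/private/cakey.pem"
                certificate_issuer_key_passphrase "%(passphrase)s"
                certificate_serialfile "%(cadir)s/serial"
                certificate_out_dir "%(cadir)s/newcerts"
                certificate_issuer_subca_certfile "%(cadir)s/cacert.pem"
                max_cert_lifetime 168
                cert_dir %(certdir)s
                """ % {
                    'cadir': cadir,
                    'passphrase': self.conf.get_myproxy_ca_passphrase(),
                    'certdir': trustdir
                }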