def __discoverExtraCredentials(self):
""" Add extra credentials informations.
* self.__extraCredentials
-> if KW_EXTRA_CREDENTIALS in kwargs, we set it
-> Otherwise, if we use the server certificate, we set it to VAL_EXTRA_CREDENTIALS_HOST
-> If we have a delegation (see bellow), we set it to (delegatedDN, delegatedGroup)
-> otherwise it is an empty string
* delegation:
-> if KW_DELEGATED_DN in kwargs, or delegatedDN in threadConfig, put in in self.kwargs
-> if KW_DELEGATED_GROUP in kwargs or delegatedGroup in threadConfig, put it in self.kwargs
-> If we have a delegated DN but not group, we find the corresponding group in the CS
:return: S_OK()/S_ERROR()
"""
# which extra credentials to use?
self.__extraCredentials = self.VAL_EXTRA_CREDENTIALS_HOST if self.__useCertificates else ""
if self.KW_EXTRA_CREDENTIALS in self.kwargs:
self.__extraCredentials = self.kwargs[self.KW_EXTRA_CREDENTIALS]
# Are we delegating something?
delegatedDN = self.kwargs.get(self.KW_DELEGATED_DN) or self.__threadConfig.getDN()
delegatedGroup = self.kwargs.get(self.KW_DELEGATED_GROUP) or self.__threadConfig.getGroup()
if delegatedDN:
self.kwargs[self.KW_DELEGATED_DN] = delegatedDN
if not delegatedGroup:
result = Registry.findDefaultGroupForDN(delegatedDN)
if not result['OK']:
return result
delegatedGroup = result['Value']
self.kwargs[self.KW_DELEGATED_GROUP] = delegatedGroup
self.__extraCredentials = (delegatedDN, delegatedGroup)
return S_OK()
def getUsername(self, credDict):
"""
Discover the username associated to the DN. It will check if the selected group is valid.
The username will be included in the credentials dictionary.
:type credDict: dictionary
:param credDict: Credentials to check
:return: Boolean specifying whether the username was found
"""
if self.KW_DN not in credDict:
return True
if self.KW_GROUP not in credDict:
result = Registry.findDefaultGroupForDN(credDict[self.KW_DN])
if not result['OK']:
return False
credDict[self.KW_GROUP] = result['Value']
credDict[self.KW_PROPERTIES] = Registry.getPropertiesForGroup(
credDict[self.KW_GROUP], [])
usersInGroup = Registry.getUsersInGroup(credDict[self.KW_GROUP], [])
if not usersInGroup:
return False
retVal = Registry.getUsernameForDN(credDict[self.KW_DN], usersInGroup)
if retVal['OK']:
credDict[self.KW_USERNAME] = retVal['Value']
return True
return False
def getDIRACGroup(self, ignoreDefault=False):
"""
Get the dirac group if present
If no group is found in the certificate, we query the CS to get the default group
for the given user. This can be disabled using the ignoreDefault parameter
Note that the lookup in the CS only can work for a proxy of first generation,
since we search based on the issuer DN
:param ignoreDefault: if True, do not lookup the CS
:returns: S_OK(group name/bool)
"""
try:
return S_OK(asn1_utils.decodeDIRACGroup(self.__certObj))
except LookupError:
pass
if ignoreDefault:
return S_OK(False)
# And here is the flaw :)
result = self.getIssuerDN()
if not result['OK']:
return result
return Registry.findDefaultGroupForDN(result['Value'])
def getShifterProxy(shifterType, fileName=False):
""" This method returns a shifter's proxy
:param str shifterType: ProductionManager / DataManager...
:param str fileName: file name
:return: S_OK(dict)/S_ERROR()
"""
if fileName:
mkDir(os.path.dirname(fileName))
opsHelper = Operations()
userName = opsHelper.getValue(cfgPath('Shifter', shifterType, 'User'), '')
if not userName:
return S_ERROR("No shifter User defined for %s" % shifterType)
result = Registry.getDNForUsername(userName)
if not result['OK']:
return result
userDN = result['Value'][0]
result = Registry.findDefaultGroupForDN(userDN)
if not result['OK']:
return result
defaultGroup = result['Value']
userGroup = opsHelper.getValue(cfgPath('Shifter', shifterType, 'Group'),
defaultGroup)
vomsAttr = Registry.getVOMSAttributeForGroup(userGroup)
if vomsAttr:
gLogger.info("Getting VOMS [%s] proxy for shifter %s@%s (%s)" %
(vomsAttr, userName, userGroup, userDN))
result = gProxyManager.downloadVOMSProxyToFile(userDN,
userGroup,
filePath=fileName,
requiredTimeLeft=86400,
cacheTime=86400)
else:
gLogger.info("Getting proxy for shifter %s@%s (%s)" %
(userName, userGroup, userDN))
result = gProxyManager.downloadProxyToFile(userDN,
userGroup,
filePath=fileName,
requiredTimeLeft=86400,
cacheTime=86400)
if not result['OK']:
return result
chain = result['chain']
fileName = result['Value']
return S_OK({
'DN': userDN,
'username': userName,
'group': userGroup,
'chain': chain,
'proxyFile': fileName
})
def getDIRACGroup( self, ignoreDefault = False ):
"""
Get the dirac group if present
"""
if not self.__valid:
return S_ERROR( "No certificate loaded" )
extList = self.__certObj.get_extensions()
for ext in extList:
if ext.get_sn() == "diracGroup":
return S_OK( ext.get_value() )
if ignoreDefault:
return S_OK( False )
result = self.getIssuerDN()
if not result[ 'OK' ]:
return result
return Registry.findDefaultGroupForDN( result['Value'] )
def __auth(self, handlerRoute, group):
"""
Authenticate request
"""
userDN = self.getUserDN()
if group:
self.__credDict['group'] = group
else:
if userDN:
result = Registry.findDefaultGroupForDN(userDN)
if result['OK']:
self.__credDict['group'] = result['Value']
auth = AuthManager(Conf.getAuthSectionForHandler(handlerRoute))
ok = auth.authQuery("", self.__credDict, self.AUTH_PROPS)
if ok and userDN:
self.__credDict['validGroup'] = True
return ok
def __auth( self, handlerRoute, group ):
"""
Authenticate request
"""
userDN = self.getUserDN()
if group:
self.__credDict[ 'group' ] = group
else:
if userDN:
result = Registry.findDefaultGroupForDN( userDN )
if result[ 'OK' ]:
self.__credDict[ 'group' ] = result[ 'Value' ]
auth = AuthManager( Conf.getAuthSectionForHandler( handlerRoute ) )
ok = auth.authQuery( "", self.__credDict, self.AUTH_PROPS )
if ok and userDN:
self.__credDict[ 'validGroup' ] = True
return ok
def __auth(self, handlerRoute, group):
"""
Authenticate request
"""
userDN = self.getUserDN()
if group:
self.__credDict['group'] = group
else:
if userDN:
result = Registry.findDefaultGroupForDN(userDN)
if result['OK']:
self.__credDict['group'] = result['Value']
self.__credDict['validGroup'] = False
if type(self.AUTH_PROPS) not in (types.ListType, types.TupleType):
self.AUTH_PROPS = [
p.strip() for p in self.AUTH_PROPS.split(",") if p.strip()
]
allAllowed = False
for p in self.AUTH_PROPS:
if p.lower() in ('all', 'any'):
allAllowed = True
auth = AuthManager(Conf.getAuthSectionForHandler(handlerRoute))
ok = auth.authQuery("", self.__credDict, self.AUTH_PROPS)
if ok:
if userDN:
self.__credDict['validGroup'] = True
self.log.info("AUTH OK: %s by %s@%s (%s)" %
(handlerRoute, self.__credDict['username'],
self.__credDict['group'], userDN))
else:
self.__credDict['validDN'] = False
self.log.info("AUTH OK: %s by visitor" % (handlerRoute))
elif allAllowed:
self.log.info("AUTH ALL: %s by %s" % (handlerRoute, userDN))
ok = True
else:
self.log.info("AUTH KO: %s by %s@%s" %
(handlerRoute, userDN, group))
return ok
def __auth(self, handlerRoute, group, method):
"""
Authenticate request
:param str handlerRoute: the name of the handler
:param str group: DIRAC group
:param str method: the name of the method
:return: bool
"""
userDN = self.getUserDN()
if group:
self.__credDict['group'] = group
else:
if userDN:
result = Registry.findDefaultGroupForDN(userDN)
if result['OK']:
self.__credDict['group'] = result['Value']
self.__credDict['validGroup'] = False
if type(self.AUTH_PROPS) not in (types.ListType, types.TupleType):
self.AUTH_PROPS = [
p.strip() for p in self.AUTH_PROPS.split(",") if p.strip()
]
auth = AuthManager(Conf.getAuthSectionForHandler(handlerRoute))
ok = auth.authQuery(method, self.__credDict, self.AUTH_PROPS)
if ok:
if userDN:
self.__credDict['validGroup'] = True
self.log.info("AUTH OK: %s by %s@%s (%s)" %
(handlerRoute, self.__credDict['username'],
self.__credDict['group'], userDN))
else:
self.__credDict['validDN'] = False
self.log.info("AUTH OK: %s by visitor" % (handlerRoute))
elif self.isTrustedHost(self.__credDict.get('DN')):
self.log.info("Request is coming from Trusted host")
return True
else:
self.log.info("AUTH KO: %s by %s@%s" %
(handlerRoute, userDN, group))
return ok
def __auth( self, handlerRoute, methodName, group ):
"""
Authenticate request
"""
userDN = self.getUserDN()
if group:
self.__credDict[ 'group' ] = group
else:
if userDN:
result = Registry.findDefaultGroupForDN( userDN )
if result[ 'OK' ]:
self.__credDict[ 'group' ] = result[ 'Value' ]
auth = AuthManager( Conf.getAuthSectionForRoute( handlerRoute ) )
try:
defProps = getattr( self, "auth_%s" % methodName )
except AttributeError:
defProps = [ 'all' ]
ok = auth.authQuery( methodName, self.__credDict, defProps )
if ok and userDN:
self.__credDict[ 'validGroup' ] = True
return ok
def __auth(self, handlerRoute, methodName, group):
"""
Authenticate request
"""
userDN = self.getUserDN()
if group:
self.__credDict['group'] = group
else:
if userDN:
result = Registry.findDefaultGroupForDN(userDN)
if result['OK']:
self.__credDict['group'] = result['Value']
auth = AuthManager(Conf.getAuthSectionForRoute(handlerRoute))
try:
defProps = getattr(self, "auth_%s" % methodName)
except AttributeError:
defProps = ['all']
ok = auth.authQuery(methodName, self.__credDict, defProps)
if ok and userDN:
self.__credDict['validGroup'] = True
return ok
def __auth(self, handlerRoute, group, method):
"""
Authenticate request
:param str handlerRoute: the name of the handler
:param str group: DIRAC group
:param str method: the name of the method
:return: bool
"""
userDN = self.getUserDN()
if group:
self.__credDict['group'] = group
else:
if userDN:
result = Registry.findDefaultGroupForDN(userDN)
if result['OK']:
self.__credDict['group'] = result['Value']
self.__credDict['validGroup'] = False
if type(self.AUTH_PROPS) not in (types.ListType, types.TupleType):
self.AUTH_PROPS = [p.strip() for p in self.AUTH_PROPS.split(",") if p.strip()]
auth = AuthManager(Conf.getAuthSectionForHandler(handlerRoute))
ok = auth.authQuery(method, self.__credDict, self.AUTH_PROPS)
if ok:
if userDN:
self.__credDict['validGroup'] = True
self.log.info("AUTH OK: %s by %s@%s (%s)" %
(handlerRoute, self.__credDict['username'], self.__credDict['group'], userDN))
else:
self.__credDict['validDN'] = False
self.log.info("AUTH OK: %s by visitor" % (handlerRoute))
elif self.isTrustedHost(self.__credDict.get('DN')):
self.log.info("Request is coming from Trusted host")
return True
else:
self.log.info("AUTH KO: %s by %s@%s" % (handlerRoute, userDN, group))
return ok
def __auth( self, handlerRoute, group ):
"""
Authenticate request
"""
userDN = self.getUserDN()
if group:
self.__credDict[ 'group' ] = group
else:
if userDN:
result = Registry.findDefaultGroupForDN( userDN )
if result[ 'OK' ]:
self.__credDict[ 'group' ] = result[ 'Value' ]
self.__credDict[ 'validGroup' ] = False
if type( self.AUTH_PROPS ) not in ( types.ListType, types.TupleType ):
self.AUTH_PROPS = [ p.strip() for p in self.AUTH_PROPS.split( "," ) if p.strip() ]
allAllowed = False
for p in self.AUTH_PROPS:
if p.lower() in ( 'all', 'any' ):
allAllowed = True
auth = AuthManager( Conf.getAuthSectionForHandler( handlerRoute ) )
ok = auth.authQuery( "", self.__credDict, self.AUTH_PROPS )
if ok:
if userDN:
self.__credDict[ 'validGroup' ] = True
self.log.info( "AUTH OK: %s by %s@%s (%s)" % ( handlerRoute, self.__credDict[ 'username' ], self.__credDict[ 'group' ], userDN ) )
else:
self.__credDict[ 'validDN' ] = False
self.log.info( "AUTH OK: %s by visitor" % ( handlerRoute ) )
elif allAllowed:
self.log.info( "AUTH ALL: %s by %s" % ( handlerRoute, userDN ) )
ok = True
else:
self.log.info( "AUTH KO: %s by %s@%s" % ( handlerRoute, userDN, group ) )
return ok
def generateProxy( params ):
if params.checkClock:
result = getClockDeviation()
if result[ 'OK' ]:
deviation = result[ 'Value' ]
if deviation > 600:
gLogger.error( "Your host clock seems to be off by more than TEN MINUTES! Thats really bad." )
gLogger.error( "We're cowardly refusing to generate a proxy. Please fix your system time" )
sys.exit( 1 )
elif deviation > 180:
gLogger.error( "Your host clock seems to be off by more than THREE minutes! Thats bad." )
gLogger.notice( "We'll generate the proxy but please fix your system time" )
elif deviation > 60:
gLogger.error( "Your host clock seems to be off by more than a minute! Thats not good." )
gLogger.notice( "We'll generate the proxy but please fix your system time" )
certLoc = params.certLoc
keyLoc = params.keyLoc
if not certLoc or not keyLoc:
cakLoc = Locations.getCertificateAndKeyLocation()
if not cakLoc:
return S_ERROR( "Can't find user certificate and key" )
if not certLoc:
certLoc = cakLoc[0]
if not keyLoc:
keyLoc = cakLoc[1]
params.certLoc = certLoc
params.keyLoc = keyLoc
#Load password
testChain = X509Chain()
retVal = testChain.loadChainFromFile( params.certLoc )
if not retVal[ 'OK' ]:
return S_ERROR( "Cannot load certificate %s: %s" % ( params.certLoc, retVal[ 'Message' ] ) )
timeLeft = testChain.getRemainingSecs()[ 'Value' ] / 86400
if timeLeft < 30:
gLogger.notice( "\nYour certificate will expire in %d days. Please renew it!\n" % timeLeft )
retVal = testChain.loadKeyFromFile( params.keyLoc, password = params.userPasswd )
if not retVal[ 'OK' ]:
passwdPrompt = "Enter Certificate password:"******"\n" )
else:
userPasswd = getpass.getpass( passwdPrompt )
params.userPasswd = userPasswd
#Find location
proxyLoc = params.proxyLoc
if not proxyLoc:
proxyLoc = Locations.getDefaultProxyLocation()
chain = X509Chain()
#Load user cert and key
retVal = chain.loadChainFromFile( certLoc )
if not retVal[ 'OK' ]:
gLogger.warn( retVal[ 'Message' ] )
return S_ERROR( "Can't load %s" % certLoc )
retVal = chain.loadKeyFromFile( keyLoc, password = params.userPasswd )
if not retVal[ 'OK' ]:
gLogger.warn( retVal[ 'Message' ] )
if 'bad decrypt' in retVal[ 'Message' ]:
return S_ERROR( "Bad passphrase" )
return S_ERROR( "Can't load %s" % keyLoc )
if params.checkWithCS:
retVal = chain.generateProxyToFile( proxyLoc,
params.proxyLifeTime,
strength = params.proxyStrength,
limited = params.limitedProxy,
rfc = params.rfc )
gLogger.info( "Contacting CS..." )
retVal = Script.enableCS()
if not retVal[ 'OK' ]:
gLogger.warn( retVal[ 'Message' ] )
if 'Unauthorized query' in retVal[ 'Message' ]:
# add hint for users
return S_ERROR( "Can't contact DIRAC CS: %s (User possibly not registered with dirac server) "
% retVal[ 'Message' ] )
return S_ERROR( "Can't contact DIRAC CS: %s" % retVal[ 'Message' ] )
userDN = chain.getCertInChain( -1 )['Value'].getSubjectDN()['Value']
if not params.diracGroup:
result = Registry.findDefaultGroupForDN( userDN )
if not result[ 'OK' ]:
gLogger.warn( "Could not get a default group for DN %s: %s" % ( userDN, result[ 'Message' ] ) )
else:
params.diracGroup = result[ 'Value' ]
gLogger.info( "Default discovered group is %s" % params.diracGroup )
gLogger.info( "Checking DN %s" % userDN )
retVal = Registry.getUsernameForDN( userDN )
if not retVal[ 'OK' ]:
gLogger.warn( retVal[ 'Message' ] )
return S_ERROR( "DN %s is not registered" % userDN )
username = retVal[ 'Value' ]
gLogger.info( "Username is %s" % username )
retVal = Registry.getGroupsForUser( username )
if not retVal[ 'OK' ]:
gLogger.warn( retVal[ 'Message' ] )
return S_ERROR( "User %s has no groups defined" % username )
groups = retVal[ 'Value' ]
if params.diracGroup not in groups:
return S_ERROR( "Requested group %s is not valid for DN %s" % ( params.diracGroup, userDN ) )
gLogger.info( "Creating proxy for %s@%s (%s)" % ( username, params.diracGroup, userDN ) )
if params.summary:
h = int( params.proxyLifeTime / 3600 )
m = int( params.proxyLifeTime / 60 ) - h * 60
gLogger.notice( "Proxy lifetime will be %02d:%02d" % ( h, m ) )
gLogger.notice( "User cert is %s" % certLoc )
gLogger.notice( "User key is %s" % keyLoc )
gLogger.notice( "Proxy will be written to %s" % proxyLoc )
if params.diracGroup:
gLogger.notice( "DIRAC Group will be set to %s" % params.diracGroup )
else:
gLogger.notice( "No DIRAC Group will be set" )
gLogger.notice( "Proxy strength will be %s" % params.proxyStrength )
if params.limitedProxy:
gLogger.notice( "Proxy will be limited" )
retVal = chain.generateProxyToFile( proxyLoc,
params.proxyLifeTime,
params.diracGroup,
strength = params.proxyStrength,
limited = params.limitedProxy,
rfc = params.rfc )
if not retVal[ 'OK' ]:
gLogger.warn( retVal[ 'Message' ] )
return S_ERROR( "Couldn't generate proxy: %s" % retVal[ 'Message' ] )
return S_OK( proxyLoc )
def authQuery(self, methodQuery, credDict, defaultProperties=False):
"""
Check if the query is authorized for a credentials dictionary
:type methodQuery: string
:param methodQuery: Method to test
:type credDict: dictionary
:param credDict: dictionary containing credentials for test. The dictionary can contain the DN
and selected group.
:return: Boolean result of test
"""
userString = ""
if self.KW_DN in credDict:
userString += "DN=%s" % credDict[self.KW_DN]
if self.KW_GROUP in credDict:
userString += " group=%s" % credDict[self.KW_GROUP]
if self.KW_EXTRA_CREDENTIALS in credDict:
userString += " extraCredentials=%s" % str(
credDict[self.KW_EXTRA_CREDENTIALS])
self.__authLogger.debug("Trying to authenticate %s" % userString)
# Get properties
requiredProperties = self.getValidPropertiesForMethod(
methodQuery, defaultProperties)
# Extract valid groups
validGroups = self.getValidGroups(requiredProperties)
lowerCaseProperties = [prop.lower() for prop in requiredProperties]
if not lowerCaseProperties:
lowerCaseProperties = ['any']
allowAll = "any" in lowerCaseProperties or "all" in lowerCaseProperties
# Set no properties by default
credDict[self.KW_PROPERTIES] = []
# Check non secure backends
if self.KW_DN not in credDict or not credDict[self.KW_DN]:
if allowAll and not validGroups:
self.__authLogger.debug(
"Accepted request from unsecure transport")
return True
else:
self.__authLogger.debug(
"Explicit property required and query seems to be coming through an unsecure transport"
)
return False
# Check if query comes though a gateway/web server
if self.forwardedCredentials(credDict):
self.__authLogger.debug("Query comes from a gateway")
self.unpackForwardedCredentials(credDict)
return self.authQuery(methodQuery, credDict, requiredProperties)
# Get the properties
# Check for invalid forwarding
if self.KW_EXTRA_CREDENTIALS in credDict:
# Invalid forwarding?
if not isinstance(credDict[self.KW_EXTRA_CREDENTIALS], basestring):
self.__authLogger.debug(
"The credentials seem to be forwarded by a host, but it is not a trusted one"
)
return False
# Is it a host?
if self.KW_EXTRA_CREDENTIALS in credDict and credDict[
self.KW_EXTRA_CREDENTIALS] == self.KW_HOSTS_GROUP:
# Get the nickname of the host
credDict[self.KW_GROUP] = credDict[self.KW_EXTRA_CREDENTIALS]
# HACK TO MAINTAIN COMPATIBILITY
else:
if self.KW_EXTRA_CREDENTIALS in credDict and self.KW_GROUP not in credDict:
credDict[self.KW_GROUP] = credDict[self.KW_EXTRA_CREDENTIALS]
# END OF HACK
# Get the username
if self.KW_DN in credDict and credDict[self.KW_DN]:
if self.KW_GROUP not in credDict:
result = Registry.findDefaultGroupForDN(credDict[self.KW_DN])
if not result['OK']:
credDict[self.KW_USERNAME] = "anonymous"
credDict[self.KW_GROUP] = "visitor"
else:
credDict[self.KW_GROUP] = result['Value']
if credDict[self.KW_GROUP] == self.KW_HOSTS_GROUP:
# For host
if not self.getHostNickName(credDict):
self.__authLogger.warn("Host is invalid")
if not allowAll:
return False
# If all, then set anon credentials
credDict[self.KW_USERNAME] = "anonymous"
credDict[self.KW_GROUP] = "visitor"
else:
# For users
username = self.getUsername(credDict)
suspended = self.isUserSuspended(credDict)
if not username:
self.__authLogger.warn(
"User is invalid or does not belong to the group it's saying"
)
if suspended:
self.__authLogger.warn("User is Suspended")
if not username or suspended:
if not allowAll:
return False
# If all, then set anon credentials
credDict[self.KW_USERNAME] = "anonymous"
credDict[self.KW_GROUP] = "visitor"
else:
if not allowAll:
return False
credDict[self.KW_USERNAME] = "anonymous"
credDict[self.KW_GROUP] = "visitor"
# If any or all in the props, allow
allowGroup = not validGroups or credDict[self.KW_GROUP] in validGroups
if allowAll and allowGroup:
return True
# Check authorized groups
if "authenticated" in lowerCaseProperties and allowGroup:
return True
if not self.matchProperties(credDict, requiredProperties):
self.__authLogger.warn(
"Client is not authorized\nValid properties: %s\nClient: %s" %
(requiredProperties, credDict))
return False
elif not allowGroup:
self.__authLogger.warn(
"Client is not authorized\nValid groups: %s\nClient: %s" %
(validGroups, credDict))
return False
return True
def generateProxy(params):
if params.checkClock:
result = getClockDeviation()
if result['OK']:
deviation = result['Value']
if deviation > 600:
gLogger.error(
"Your host clock seems to be off by more than TEN MINUTES! Thats really bad."
)
gLogger.error(
"We're cowardly refusing to generate a proxy. Please fix your system time"
)
sys.exit(1)
elif deviation > 180:
gLogger.error(
"Your host clock seems to be off by more than THREE minutes! Thats bad."
)
gLogger.notice(
"We'll generate the proxy but please fix your system time")
elif deviation > 60:
gLogger.error(
"Your host clock seems to be off by more than a minute! Thats not good."
)
gLogger.notice(
"We'll generate the proxy but please fix your system time")
certLoc = params.certLoc
keyLoc = params.keyLoc
if not certLoc or not keyLoc:
cakLoc = Locations.getCertificateAndKeyLocation()
if not cakLoc:
return S_ERROR("Can't find user certificate and key")
if not certLoc:
certLoc = cakLoc[0]
if not keyLoc:
keyLoc = cakLoc[1]
params.certLoc = certLoc
params.keyLoc = keyLoc
#Load password
testChain = X509Chain()
retVal = testChain.loadChainFromFile(params.certLoc)
if not retVal['OK']:
return S_ERROR("Cannot load certificate %s: %s" %
(params.certLoc, retVal['Message']))
timeLeft = testChain.getRemainingSecs()['Value'] / 86400
if timeLeft < 30:
gLogger.notice(
"\nYour certificate will expire in %d days. Please renew it!\n" %
timeLeft)
retVal = testChain.loadKeyFromFile(params.keyLoc,
password=params.userPasswd)
if not retVal['OK']:
passwdPrompt = "Enter Certificate password:"******"\n")
else:
userPasswd = getpass.getpass(passwdPrompt)
params.userPasswd = userPasswd
#Find location
proxyLoc = params.proxyLoc
if not proxyLoc:
proxyLoc = Locations.getDefaultProxyLocation()
chain = X509Chain()
#Load user cert and key
retVal = chain.loadChainFromFile(certLoc)
if not retVal['OK']:
gLogger.warn(retVal['Message'])
return S_ERROR("Can't load %s" % certLoc)
retVal = chain.loadKeyFromFile(keyLoc, password=params.userPasswd)
if not retVal['OK']:
gLogger.warn(retVal['Message'])
if 'bad decrypt' in retVal['Message']:
return S_ERROR("Bad passphrase")
return S_ERROR("Can't load %s" % keyLoc)
if params.checkWithCS:
retVal = chain.generateProxyToFile(proxyLoc,
params.proxyLifeTime,
strength=params.proxyStrength,
limited=params.limitedProxy)
gLogger.info("Contacting CS...")
retVal = Script.enableCS()
if not retVal['OK']:
gLogger.warn(retVal['Message'])
if 'Unauthorized query' in retVal['Message']:
# add hint for users
return S_ERROR(
"Can't contact DIRAC CS: %s (User possibly not registered with dirac server) "
% retVal['Message'])
return S_ERROR("Can't contact DIRAC CS: %s" % retVal['Message'])
userDN = chain.getCertInChain(-1)['Value'].getSubjectDN()['Value']
if not params.diracGroup:
result = Registry.findDefaultGroupForDN(userDN)
if not result['OK']:
gLogger.warn("Could not get a default group for DN %s: %s" %
(userDN, result['Message']))
else:
params.diracGroup = result['Value']
gLogger.info("Default discovered group is %s" %
params.diracGroup)
gLogger.info("Checking DN %s" % userDN)
retVal = Registry.getUsernameForDN(userDN)
if not retVal['OK']:
gLogger.warn(retVal['Message'])
return S_ERROR("DN %s is not registered" % userDN)
username = retVal['Value']
gLogger.info("Username is %s" % username)
retVal = Registry.getGroupsForUser(username)
if not retVal['OK']:
gLogger.warn(retVal['Message'])
return S_ERROR("User %s has no groups defined" % username)
groups = retVal['Value']
if params.diracGroup not in groups:
return S_ERROR("Requested group %s is not valid for DN %s" %
(params.diracGroup, userDN))
gLogger.info("Creating proxy for %s@%s (%s)" %
(username, params.diracGroup, userDN))
if params.summary:
h = int(params.proxyLifeTime / 3600)
m = int(params.proxyLifeTime / 60) - h * 60
gLogger.notice("Proxy lifetime will be %02d:%02d" % (h, m))
gLogger.notice("User cert is %s" % certLoc)
gLogger.notice("User key is %s" % keyLoc)
gLogger.notice("Proxy will be written to %s" % proxyLoc)
if params.diracGroup:
gLogger.notice("DIRAC Group will be set to %s" % params.diracGroup)
else:
gLogger.notice("No DIRAC Group will be set")
gLogger.notice("Proxy strength will be %s" % params.proxyStrength)
if params.limitedProxy:
gLogger.notice("Proxy will be limited")
retVal = chain.generateProxyToFile(proxyLoc,
params.proxyLifeTime,
params.diracGroup,
strength=params.proxyStrength,
limited=params.limitedProxy)
if not retVal['OK']:
gLogger.warn(retVal['Message'])
return S_ERROR("Couldn't generate proxy: %s" % retVal['Message'])
return S_OK(proxyLoc)
