Exemple #1
def populate_group_security(client_security, params, sub_params, group_name):
    """Fill the ``*_DNs`` entries of ``client_security`` for one frontend group.

    Three lists are assembled from the global ``params`` and the group-level
    ``sub_params`` and stored in ``client_security``:

    * ``factory_DNs``: the ``DN`` attribute of every matched factory collector.
    * ``schedd_DNs``: the ``DN`` attribute of every matched job schedd.
    * ``pilot_DNs``: the subject DN read with ``x509Support.extract_DN`` from
      every pilot credential file (or from each member of a credential pool),
      gathered only while ``params.groups[group_name]`` is enabled.

    Duplicates are kept on purpose: a DN listed twice is harmless.

    Raises:
        RuntimeError: when a collector or schedd has no ``DN`` configured.
    """
    def collect_configured_dns(element_groups, kind, label_of):
        # Shared walk for collectors and schedds: every element must carry a DN.
        collected = []
        for group in element_groups:
            for element in group:
                element_dn = element.DN
                if element_dn is None:
                    raise RuntimeError("DN not defined for %s %s" % (kind, label_of(element)))
                collected.append(element_dn)
        return collected

    client_security['factory_DNs'] = collect_configured_dns(
        (params.match.factory.collectors, sub_params.match.factory.collectors),
        "factory", lambda element: element.node)

    client_security['schedd_DNs'] = collect_configured_dns(
        (params.match.job.schedds, sub_params.match.job.schedds),
        "schedd", lambda element: element.fullname)

    pilot_dns = []
    for credentials in (params.security.credentials, sub_params.security.credentials):
        # Disabled groups contribute no pilot DNs (the check is repeated per
        # credential source exactly as before).
        if not is_true(params.groups[group_name].enabled):
            continue
        for pel in credentials:
            proxy_fname = pel['pilotabsfname']
            if proxy_fname is None:
                proxy_fname = pel['absfname']

            single_file = pel['pool_idx_len'] is None and pel['pool_idx_list'] is None
            if single_file:
                pilot_dns.append(x509Support.extract_DN(proxy_fname))
            else:
                # A credential pool: one file per expanded index suffix.
                for idx in get_pool_list(pel):
                    member_fname = "%s%s" % (proxy_fname, idx)
                    pilot_dns.append(x509Support.extract_DN(member_fname))

    client_security['pilot_DNs'] = pilot_dns
Exemple #2
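def populate_group_security(client_security, params, sub_params):
    """Fill the ``*_DNs`` entries of ``client_security`` from the group config.

    Collects, from both the global ``params`` and the group-level ``sub_params``:

    * ``factory_DNs``: the ``DN`` attribute of every matched factory collector.
    * ``schedd_DNs``: the ``DN`` attribute of every matched job schedd.
    * ``pilot_DNs``: the subject DN read with ``x509Support.extract_DN`` from
      every pilot credential file, or from each member of a credential pool.

    Duplicates are kept on purpose: a DN listed twice is harmless.

    Raises:
        RuntimeError: when a collector or schedd has no ``DN`` configured.
    """
    factory_dns = []
    for collectors in (params.match.factory.collectors, sub_params.match.factory.collectors):
        for el in collectors:
            dn = el.DN
            if dn is None:
                # Fix: the old ``raise Cls, msg`` form is Python 2 only.
                raise RuntimeError("DN not defined for factory %s" % el.node)
            # don't worry about conflict... there is nothing wrong if the DN is listed twice
            factory_dns.append(dn)
    client_security['factory_DNs'] = factory_dns

    schedd_dns = []
    for schedds in (params.match.job.schedds, sub_params.match.job.schedds):
        for el in schedds:
            dn = el.DN
            if dn is None:
                raise RuntimeError("DN not defined for schedd %s" % el.fullname)
            # don't worry about conflict... there is nothing wrong if the DN is listed twice
            schedd_dns.append(dn)
    client_security['schedd_DNs'] = schedd_dns

    pilot_dns = []
    for credentials in (params.security.credentials, sub_params.security.credentials):
        for pel in credentials:
            # The pilot-specific file wins; fall back to the generic one.
            if pel['pilotabsfname'] is None:
                proxy_fname = pel['absfname']
            else:
                proxy_fname = pel['pilotabsfname']

            if (pel['pool_idx_len'] is None) and (pel['pool_idx_list'] is None):
                # only one
                dn = x509Support.extract_DN(proxy_fname)
                # don't worry about conflict... there is nothing wrong if the DN is listed twice
                pilot_dns.append(dn)
            else:
                # pool: one file per expanded index suffix
                pool_idx_list_expanded_strings = get_pool_list(pel)
                for idx in pool_idx_list_expanded_strings:
                    real_proxy_fname = "%s%s" % (proxy_fname, idx)
                    dn = x509Support.extract_DN(real_proxy_fname)
                    # don't worry about conflict... there is nothing wrong if the DN is listed twice
                    pilot_dns.append(dn)

    client_security['pilot_DNs'] = pilot_dns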
Exemple #3
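 def file_id(self, filename, ignoredn=False):
     """Return a short, process-independent identifier for a credential file.

     The identifier is derived from ``filename`` and, when ``self.type``
     contains ``"grid_proxy"`` and ``ignoredn`` is false, from the subject DN
     extracted from the file with ``x509Support.extract_DN``.

     Fix: the previous implementation used the builtin ``hash()``, which is
     randomised per interpreter process for ``str`` on Python 3 (unless
     PYTHONHASHSEED is pinned), so the "same" credential got a different id
     after every restart.  A SHA-256 digest is stable across processes and
     hosts.  The ``% 1000000`` reduction keeps the historical format (a
     decimal string of at most six digits); note that this small space can
     collide for distinct credentials, so callers must not rely on the id
     being unique.

     Args:
         filename: path of the credential file.
         ignoredn: when true, never mix the certificate DN into the id.

     Returns:
         A decimal string in ``0 .. 999999``.
     """
     import hashlib

     if ("grid_proxy" in self.type) and not ignoredn:
         dn = x509Support.extract_DN(filename)
         hash_str = filename + dn
     else:
         hash_str = filename
     digest = hashlib.sha256(hash_str.encode("utf-8")).hexdigest()
     return str(int(digest, 16) % 1000000)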
Exemple #4
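def main():
    """Main entrypoint: renew every proxy described in the proxies config.

    Reads ``CONFIG`` (with ``DEFAULTS``), checks that exactly one ``[COMMON]``
    and at least one ``[PILOT*]`` section exist, then renews each
    ``[FRONTEND]`` / ``[PILOT*]`` proxy either through the VOMS server
    (``voms_proxy_init``) or locally (``voms_proxy_fake``) when
    ``use_voms_server`` is false.  Renewed files are owned by the
    ``[COMMON] owner`` user.

    Returns:
        0 when every proxy was renewed or skipped, 1 when at least one
        renewal failed.  A failure never aborts the loop so the remaining
        proxies still get their chance.

    Raises:
        ConfigError: on a malformed section layout in ``CONFIG``.
        RuntimeError: when ``[COMMON] owner`` is not a system user.
    """
    config = ConfigParser.ConfigParser(DEFAULTS)
    config.read(CONFIG)
    proxies = config.sections()

    # Verify config sections
    if proxies.count('COMMON') != 1:
        raise ConfigError("there must be only one [COMMON] section in %s" % CONFIG)
    if not any(x.startswith('PILOT') for x in proxies):
        raise ConfigError("there must be at least one [PILOT] section in %s" % CONFIG)

    # Proxies need to be owned by the 'frontend' user.  Name the account that
    # was rejected so a typo in [COMMON] owner is obvious from the message.
    owner = config.get('COMMON', 'owner')
    try:
        fe_user = pwd.getpwnam(owner)
    except KeyError:
        raise RuntimeError("missing 'frontend' user '%s' ([COMMON] owner)" % owner)

    # Load VOMS Admin server info for case-sensitive VO name and for faking the VOMS Admin server URI
    vomses = os.getenv('VOMS_USERCONF', '/etc/vomses')
    with open(vomses, 'r') as _:
        vo_name_map, vo_uri_map = parse_vomses(_.read())

    # Users used to be able to control the frequency of the renewal when they were instructed to write their own
    # script and cronjob. Since the automatic proxy renewal cron/timer runs every hour, we allow the users to
    # control this via the 'frequency' config option. If more than 'frequency' hours have elapsed in a proxy's
    # lifetime, renew it. Otherwise, skip the renewal.
    def renewal_not_due(proxy, proxy_config, time_remaining):
        # Elapsed lifetime in seconds, compared against 'frequency' hours.
        elapsed = int(proxy.lifetime) * 3600 - time_remaining
        return elapsed < int(proxy_config['frequency']) * 3600

    retcode = 0
    # Proxy renewals
    proxies.remove('COMMON')  # no proxy renewal info in the COMMON section
    for proxy_section in proxies:
        proxy_config = dict(config.items(proxy_section))
        proxy = Proxy(proxy_config['proxy_cert'], proxy_config['proxy_key'],
                      proxy_config['output'], proxy_config['lifetime'],
                      fe_user.pw_uid, fe_user.pw_gid)

        if proxy_section == 'FRONTEND':
            if renewal_not_due(proxy, proxy_config, proxy.timeleft()):
                print('Skipping renewal of %s: time remaining within the specified frequency' % proxy.output)
                proxy.cleanup()
                continue
            stdout, stderr, client_rc = voms_proxy_init(proxy)
        elif proxy_section.startswith('PILOT'):
            # Both the proxy and its VOMS AC must still be fresh to skip.
            if (renewal_not_due(proxy, proxy_config, proxy.timeleft()) and
                    renewal_not_due(proxy, proxy_config, proxy.actimeleft())):
                print('Skipping renewal of %s: time remaining within the specified frequency' % proxy.output)
                proxy.cleanup()
                continue

            # Fix: an unknown VO used to escape as a bare KeyError and abort the
            # whole run; report it like the other per-proxy failures instead.
            vo_key = proxy_config['vo'].lower()
            if vo_key not in vo_name_map:
                retcode = 1
                print("ERROR: Failed to renew proxy {0}: ".format(proxy.output) +
                      "Could not find VO '{0}' in {1}. ".format(proxy_config['vo'], vomses) +
                      "Please verify your VO data installation.")
                proxy.cleanup()
                continue
            vo_attr = VO(vo_name_map[vo_key], proxy_config['fqan'])

            if safe_boolcomp(proxy_config['use_voms_server'], True):
                stdout, stderr, client_rc = voms_proxy_init(proxy, vo_attr)
            else:
                vo_attr.cert = proxy_config['vo_cert']
                vo_attr.key = proxy_config['vo_key']
                try:
                    vo_attr.uri = vo_uri_map[x509Support.extract_DN(vo_attr.cert)]
                except KeyError:
                    retcode = 1
                    print("ERROR: Failed to renew proxy {0}: ".format(proxy.output) +
                          "Could not find entry in {0} for {1}. ".format(vomses, vo_attr.cert) +
                          "Please verify your VO data installation.")
                    proxy.cleanup()
                    continue
                stdout, stderr, client_rc = voms_proxy_fake(proxy, vo_attr)
        else:
            # Fix: the warning printed the Proxy object instead of the section name.
            print("WARNING: Unrecognized configuration section %s found in %s.\n" % (proxy_section, CONFIG) +
                  "Valid configuration sections: 'FRONTEND' or 'PILOT'.")
            client_rc = -1
            stderr = "Unrecognized configuration section '%s', renewal not attempted." % proxy_section
            stdout = ""

        if client_rc == 0:
            proxy.write()
            print("Renewed proxy from '%s' to '%s'." % (proxy.cert, proxy.output))
        else:
            retcode = 1
            # don't raise an exception here to continue renewing other proxies
            print("ERROR: Failed to renew proxy %s:\n%s%s" % (proxy.output, stdout, stderr))
            proxy.cleanup()

    return retcode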
 def test_extract_dn(self):
     """extract_DN must agree with ``openssl x509 -subject`` on the host cert."""
     fname = '/etc/grid-security/hostcert.pem'
     openssl_cmd = "openssl x509 -in %s -noout -subject" % fname
     subject_line = glideinwms.lib.subprocessSupport.iexe_cmd(openssl_cmd)
     # NOTE(review): assumes the first token is the "subject=" label and the
     # DN is everything after it; joining the remaining tokens with single
     # spaces also collapses any run of whitespace inside the DN - TODO confirm
     # this matches the openssl output format in use.
     tokens = subject_line.split()
     expected_dn = ' '.join(tokens[1:])
     self.assertEqual(expected_dn, extract_DN(fname))
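def main():
    """Main entrypoint: renew every proxy described in the proxies config.

    Reads ``CONFIG`` (with ``DEFAULTS``), checks that exactly one ``[COMMON]``
    and at least one ``[PILOT*]`` section exist, parses the vomses file for
    VO names and VOMS URIs, then renews each ``[FRONTEND]`` / ``[PILOT*]``
    proxy either through the VOMS server (``voms_proxy_init``) or locally
    (``voms_proxy_fake``) when ``use_voms_server`` is false.  Renewed files
    are owned by the ``[COMMON] owner`` user.

    Returns:
        0 when every proxy was renewed or skipped, 1 when at least one
        renewal failed.  A failure never aborts the loop so the remaining
        proxies still get their chance.

    Raises:
        ConfigError: on a malformed section layout in ``CONFIG``.
        RuntimeError: when ``[COMMON] owner`` is not a system user.
    """
    config = ConfigParser.ConfigParser(DEFAULTS)
    config.read(CONFIG)
    proxies = config.sections()

    # Verify config sections
    if proxies.count('COMMON') != 1:
        raise ConfigError("there must be only one [COMMON] section in %s" % CONFIG)
    if not any(x.startswith('PILOT') for x in proxies):
        raise ConfigError("there must be at least one [PILOT] section in %s" % CONFIG)

    # Proxies need to be owned by the 'frontend' user.  Name the account that
    # was rejected so a typo in [COMMON] owner is obvious from the message.
    owner = config.get('COMMON', 'owner')
    try:
        fe_user = pwd.getpwnam(owner)
    except KeyError:
        raise RuntimeError("missing 'frontend' user '%s' ([COMMON] owner)" % owner)

    # Load VOMS Admin server info for case-sensitive VO name and for faking the VOMS Admin server URI
    vomses = os.getenv('VOMS_USERCONF', '/etc/vomses')
    with open(vomses, 'r') as _:
        # "<VO ALIAS> " "<VOMS ADMIN HOSTNAME>" "<VOMS ADMIN PORT>" "<VOMS CERT DN>" "<VO NAME>"
        # "osg" "voms.grid.iu.edu" "15027" "/DC=org/DC=opensciencegrid/O=Open Science Grid/OU=Services/CN=voms.grid.iu.edu" "osg"
        vo_info = re.findall(r'"\w+"\s+"([^"]+)"\s+"(\d+)"\s+"([^"]+)"\s+"(\w+)"', _.read(), re.IGNORECASE)
        # VO names are case-sensitive but we don't expect users to get the case right in the proxies.ini
        vo_name_map = dict((vo[3].lower(), vo[3]) for vo in vo_info)
        # A mapping between VO certificate subject DNs and VOMS URI of the form "<HOSTNAME>:<PORT>"
        # We had to separate this out from the VO name because a VO could have multiple vomses entries
        vo_uri_map = dict((vo[2], vo[0] + ':' + vo[1]) for vo in vo_info)

    # Users used to be able to control the frequency of the renewal when they were instructed to write their own
    # script and cronjob. Since the automatic proxy renewal cron/timer runs every hour, we allow the users to
    # control this via the 'frequency' config option. If more than 'frequency' hours have elapsed in a proxy's
    # lifetime, renew it. Otherwise, skip the renewal.
    def renewal_not_due(proxy, proxy_config, time_remaining):
        # Elapsed lifetime in seconds, compared against 'frequency' hours.
        elapsed = int(proxy.lifetime) * 3600 - time_remaining
        return elapsed < int(proxy_config['frequency']) * 3600

    retcode = 0
    # Proxy renewals
    proxies.remove('COMMON')  # no proxy renewal info in the COMMON section
    for proxy_section in proxies:
        proxy_config = dict(config.items(proxy_section))
        proxy = Proxy(proxy_config['proxy_cert'], proxy_config['proxy_key'],
                      proxy_config['output'], proxy_config['lifetime'],
                      fe_user.pw_uid, fe_user.pw_gid)

        if proxy_section == 'FRONTEND':
            if renewal_not_due(proxy, proxy_config, proxy.timeleft()):
                print('Skipping renewal of %s: time remaining within the specified frequency' % proxy.output)
                proxy.cleanup()
                continue
            stdout, stderr, client_rc = voms_proxy_init(proxy)
        elif proxy_section.startswith('PILOT'):
            # Both the proxy and its VOMS AC must still be fresh to skip.
            if (renewal_not_due(proxy, proxy_config, proxy.timeleft()) and
                    renewal_not_due(proxy, proxy_config, proxy.actimeleft())):
                print('Skipping renewal of %s: time remaining within the specified frequency' % proxy.output)
                proxy.cleanup()
                continue

            # Fix: an unknown VO used to escape as a bare KeyError and abort the
            # whole run; report it like the other per-proxy failures instead.
            vo_key = proxy_config['vo'].lower()
            if vo_key not in vo_name_map:
                retcode = 1
                print("ERROR: Failed to renew proxy {0}: ".format(proxy.output) +
                      "Could not find VO '{0}' in {1}. ".format(proxy_config['vo'], vomses) +
                      "Please verify your VO data installation.")
                proxy.cleanup()
                continue
            vo_attr = VO(vo_name_map[vo_key], proxy_config['fqan'])

            if safe_boolcomp(proxy_config['use_voms_server'], True):
                # we specify '-order' because some European CEs care about VOMS AC order
                # The '-order' option chokes if a Capability is specified but we want to make sure we request it
                # in '-voms' because we're not sure if anything is looking for it
                fqan = re.sub(r'\/Capability=\w+$', '', vo_attr.fqan)
                stdout, stderr, client_rc = voms_proxy_init(proxy, '-voms', vo_attr.voms, '-order', fqan)
            else:
                vo_attr.cert = proxy_config['vo_cert']
                vo_attr.key = proxy_config['vo_key']
                try:
                    vo_attr.uri = vo_uri_map[x509Support.extract_DN(vo_attr.cert)]
                except KeyError:
                    retcode = 1
                    print("ERROR: Failed to renew proxy {0}: ".format(proxy.output) +
                          "Could not find entry in {0} for {1}. ".format(vomses, vo_attr.cert) +
                          "Please verify your VO data installation.")
                    proxy.cleanup()
                    continue
                stdout, stderr, client_rc = voms_proxy_fake(proxy, vo_attr)
        else:
            # Fix: the warning printed the Proxy object instead of the section name.
            print("WARNING: Unrecognized configuration section %s found in %s.\n" % (proxy_section, CONFIG) +
                  "Valid configuration sections: 'FRONTEND' or 'PILOT'.")
            client_rc = -1
            stderr = "Unrecognized configuration section '%s', renewal not attempted." % proxy_section
            stdout = ""

        if client_rc == 0:
            proxy.write()
            print("Renewed proxy from '%s' to '%s'." % (proxy.cert, proxy.output))
        else:
            retcode = 1
            # don't raise an exception here to continue renewing other proxies
            print("ERROR: Failed to renew proxy %s:\n%s%s" % (proxy.output, stdout, stderr))
            proxy.cleanup()

    return retcode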
 def test_extract_dn(self):
     """extract_DN must agree with ``openssl x509 -subject`` on the fixture cert."""
     fname = 'fixtures/hostcert.pem'
     openssl_cmd = "openssl x509 -in %s -noout -subject" % fname
     subject_line = glideinwms.lib.subprocessSupport.iexe_cmd(openssl_cmd)
     # NOTE(review): assumes the first token is the "subject=" label and the
     # DN is everything after it; joining the remaining tokens with single
     # spaces also collapses any run of whitespace inside the DN - TODO confirm
     # this matches the openssl output format in use.
     tokens = subject_line.split()
     expected_dn = ' '.join(tokens[1:])
     self.assertEqual(expected_dn, extract_DN(fname))