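def configure_gridmap_verify_myproxy_callout(self, conf_file_name, conf_link_name, **kwargs):
    """Write the gridmap_verify_myproxy callout config and link it into place.

    The file at ``conf_file_name`` receives two settings: ``$GSI_AUTHZ_CONF``
    pointing at the callout's gsi_authz.conf under ``<root>/etc``, and
    ``$GLOBUS_MYPROXY_CA_CERT`` pointing at the MyProxy CA certificate as it
    is expected to be installed in the trusted-certificate directory
    (``<hash>.0``).  A symlink ``conf_link_name`` -> ``conf_file_name`` is
    created once the file is complete.

    The MyProxy CA certificate is located as follows:
      * a locally hosted MyProxy uses ``cacert.pem`` from the MyProxy CA
        directory;
      * otherwise the trusted-certificate directory is scanned for a ``*.0``
        file whose subject equals the MyProxy CA DN.

    Args:
        conf_file_name: path of the config file to (over)write.
        conf_link_name: path of the symlink to create, pointing at
            ``conf_file_name``.
        **kwargs: accepted for call-site compatibility and ignored.

    Raises:
        Exception: if no MyProxy CA certificate could be located.
        OSError: from the filesystem calls, e.g. when ``conf_link_name``
            already exists at the time the symlink is created.
    """
    self.logger.debug("ENTER: configure_gridmap_verify_myproxy_callout()")
    # open() rather than the Python-2-only file() builtin; the context manager
    # replaces the explicit try/finally close.
    with open(conf_file_name, "w") as conf_file:
        conf_file.write("$GSI_AUTHZ_CONF \"%s\"\n" % (
            os.path.join(
                self.conf.root, "etc",
                "gridmap_verify_myproxy_callout-gsi_authz.conf")))

        myproxy_certpath = None
        myproxy_ca_dn = self.conf.get_myproxy_ca_subject_dn()
        myproxy_server = self.conf.get_myproxy_server()
        if myproxy_ca_dn is None and myproxy_server is not None \
                and self.is_local_myproxy():
            # Local MyProxy CA: read the DN straight from its certificate so
            # the subject string is in the same format get_certificate_subject
            # produces for the trust-dir scan below.
            myproxy_ca_dir = self.conf.get_myproxy_ca_directory()
            myproxy_ca_dn = security.get_certificate_subject(
                os.path.join(myproxy_ca_dir, "cacert.pem"))
        else:
            # Assume the CA name is the same as the MyProxy server's subject.
            # NOTE(review): this branch also runs when a CA subject DN *was*
            # configured, replacing it with the server DN — confirm that is
            # intended (it may be, to keep DN formats comparable).
            myproxy_ca_dn = self.conf.get_myproxy_dn()
            if myproxy_ca_dn is None:
                myproxy_ca_dn = self.get_myproxy_dn_from_server()

        cadir = self.conf.get_security_trusted_certificate_directory()
        self.logger.debug("MyProxy CA DN is " + str(myproxy_ca_dn))
        self.logger.debug("CA dir is " + str(cadir))

        if self.is_local_myproxy():
            myproxy_certpath = os.path.join(
                self.conf.get_myproxy_ca_directory(), "cacert.pem")
        elif myproxy_ca_dn is not None:
            self.logger.debug("Looking for MyProxy CA cert in " + cadir)
            # The first <hash>.0 whose subject matches wins; os.listdir order
            # is arbitrary, so two trusted CAs with the same subject would be
            # picked non-deterministically.
            for certfile in os.listdir(cadir):
                if not certfile.endswith(".0"):
                    continue
                certpath = os.path.join(cadir, certfile)
                self.logger.debug(
                    "Checking to see if " + certfile + " matches MyProxyDN")
                if security.get_certificate_subject(certpath) == myproxy_ca_dn:
                    myproxy_certpath = certpath
                    break

        if myproxy_certpath is None:
            raise Exception("ERROR: Unable to determine " +
                            "path to MyProxy CA certificate, set " +
                            "CaCert option in MyProxy section of config.\n")

        # The callout is pointed at the hash-named copy in the trust dir, not
        # at myproxy_certpath itself.  A missing copy is only logged, so the
        # config is still written and the callout would fail at runtime.
        myproxy_ca_hash = security.get_certificate_hash(myproxy_certpath)
        installed_cert = os.path.join(cadir, myproxy_ca_hash + ".0")
        installed_signing_policy = os.path.join(
            cadir, myproxy_ca_hash + ".signing_policy")
        if not os.path.exists(installed_cert):
            self.logger.error("MyProxy CA not installed in trusted CA dir")
        if not os.path.exists(installed_signing_policy):
            self.logger.error("MyProxy CA signing policy not installed " +
                              "in trusted CA dir")
        conf_file.write("$GLOBUS_MYPROXY_CA_CERT \"%s\"\n" % installed_cert)
        os.symlink(conf_file_name, conf_link_name)
    self.logger.debug("EXIT: configure_gridmap_verify_myproxy_callout()")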
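def configure_myproxy_ca(self, force=False):
    """Create the MyProxy CA (if enabled and absent) and trust it locally.

    Does nothing unless the MyProxy CA is enabled in the config.  When the
    CA directory does not exist yet (or ``force`` just removed it), a CA is
    created with ``grid-ca-create`` using the configured CA subject DN or,
    failing that, the subject of the host certificate.  The CA certificate
    and its signing policy are then copied into the trusted-certificate
    directory as ``<hash>.0`` / ``<hash>.signing_policy``, and
    ``self.myproxy_ca_config`` is set to the myproxy-server CA stanza.

    Args:
        force: remove an existing CA directory first and recreate the CA
            from scratch (``grid-ca-create -force``).

    Raises:
        Exception: if ``grid-ca-create`` exits non-zero; the exit code and
            the filtered stdout/stderr are included in the message.

    NOTE(review): the block structure was reconstructed from an
    indentation-less source.  The trust-dir install and the config stanza
    are taken to run on every call, not only after a fresh CA creation —
    confirm against the upstream file.
    """
    if not self.conf.get_myproxy_ca():
        self.logger.debug("Not using MyProxy CA, nothing to configure")
        return

    cadir = self.conf.get_myproxy_ca_directory()
    if force and cadir is not None and os.path.exists(cadir):
        # Destructive: the CA private key and everything issued under cadir
        # are discarded before the CA is rebuilt.
        shutil.rmtree(cadir, ignore_errors=True)

    if cadir is not None and not os.path.exists(cadir):
        ca_subject = self.conf.get_myproxy_ca_subject_dn()
        if ca_subject is None:
            ca_subject = security.get_certificate_subject(
                self.conf.get_security_certificate_file(), nameopt='RFC2253')
        args = [
            'grid-ca-create', '-nobuild', '-verbose',
            '-dir', cadir,
            '-subject', ca_subject,
            '-noint']
        if force:
            args.append('-force')
        # argv list, no shell: the subject DN travels as one argument.
        ca_create = Popen(args, stdout=PIPE, stderr=PIPE)
        (out, err) = ca_create.communicate()
        # Drop non-printable characters before logging or embedding the tool
        # output in an exception message.
        # NOTE(review): this filter assumes Python 2 str output; on Python 3
        # out/err are bytes and the membership test would raise TypeError.
        out = "".join(s for s in out if s in string.printable)
        err = "".join(s for s in err if s in string.printable)
        self.logger.debug("ca create output: " + out)
        self.logger.debug("ca create stderr: " + err)
        if ca_create.returncode != 0:
            raise Exception("Error creating CA: " +
                            str(ca_create.returncode) + out + err)

    trustdir = self.conf.get_security_trusted_certificate_directory()
    if trustdir is not None:
        if not os.path.exists(trustdir):
            os.makedirs(trustdir, 0o755)
        # NOTE(review): cadir is not re-checked for None here; the join would
        # raise TypeError if the CA directory is unset — confirm whether the
        # config guarantees it when the CA is enabled.
        cert_path = os.path.join(cadir, "cacert.pem")
        signing_policy_path = os.path.join(cadir, "signing-policy")
        cahash = security.get_certificate_hash(cert_path)
        installed_cert_path = os.path.join(trustdir, cahash + ".0")
        installed_signing_policy = os.path.join(
            trustdir, cahash + ".signing_policy")
        # Only public material (certificate + signing policy) is copied and
        # made world-readable; the private key stays in cadir/private.
        shutil.copyfile(signing_policy_path, installed_signing_policy)
        os.chmod(installed_signing_policy, 0o644)
        shutil.copyfile(cert_path, installed_cert_path)
        os.chmod(installed_cert_path, 0o644)

    # myproxy-server CA stanza.  It embeds the CA key passphrase in clear
    # text, so whatever writes self.myproxy_ca_config to disk (or logs it)
    # must treat the result as a secret.
    self.myproxy_ca_config = """
certificate_issuer_cert "%(cadir)s/cacert.pem"
certificate_issuer_key "%(cadir)s/private/cakey.pem"
certificate_issuer_key_passphrase "%(passphrase)s"
certificate_serialfile "%(cadir)s/serial"
certificate_out_dir "%(cadir)s/newcerts"
certificate_issuer_subca_certfile "%(cadir)s/cacert.pem"
max_cert_lifetime 168
cert_dir %(certdir)s
""" % {
        'cadir': cadir,
        'passphrase': self.conf.get_myproxy_ca_passphrase(),
        'certdir': self.conf.get_security_trusted_certificate_directory(),
    }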
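def configure_gridmap_verify_myproxy_callout(self, conf_file_name, conf_link_name, **kwargs):
    """Write the gridmap_verify_myproxy callout config and link it into place.

    The file at ``conf_file_name`` receives two settings: ``$GSI_AUTHZ_CONF``
    pointing at the callout's gsi_authz.conf under ``<root>/etc``, and
    ``$GLOBUS_MYPROXY_CA_CERT`` pointing at the MyProxy CA certificate as it
    is expected to be installed in the trusted-certificate directory
    (``<hash>.0``).  A symlink ``conf_link_name`` -> ``conf_file_name`` is
    created once the file is complete.

    The MyProxy CA certificate is located as follows:
      * a locally hosted MyProxy uses ``cacert.pem`` from the MyProxy CA
        directory;
      * otherwise the trusted-certificate directory is scanned for a ``*.0``
        file whose subject equals the MyProxy CA DN.

    Args:
        conf_file_name: path of the config file to (over)write.
        conf_link_name: path of the symlink to create, pointing at
            ``conf_file_name``.
        **kwargs: accepted for call-site compatibility and ignored.

    Raises:
        Exception: if no MyProxy CA certificate could be located.
        OSError: from the filesystem calls, e.g. when ``conf_link_name``
            already exists at the time the symlink is created.
    """
    self.logger.debug("ENTER: configure_gridmap_verify_myproxy_callout()")
    # open() rather than the Python-2-only file() builtin; the context manager
    # replaces the explicit try/finally close.
    with open(conf_file_name, "w") as conf_file:
        conf_file.write("$GSI_AUTHZ_CONF \"%s\"\n" % (
            os.path.join(
                self.conf.root, "etc",
                "gridmap_verify_myproxy_callout-gsi_authz.conf")))

        myproxy_certpath = None
        myproxy_ca_dn = self.conf.get_myproxy_ca_subject_dn()
        myproxy_server = self.conf.get_myproxy_server()
        if myproxy_ca_dn is None and myproxy_server is not None \
                and self.is_local_myproxy():
            # Local MyProxy CA: read the DN straight from its certificate so
            # the subject string is in the same format get_certificate_subject
            # produces for the trust-dir scan below.
            myproxy_ca_dir = self.conf.get_myproxy_ca_directory()
            myproxy_ca_dn = security.get_certificate_subject(
                os.path.join(myproxy_ca_dir, "cacert.pem"))
        else:
            # Assume the CA name is the same as the MyProxy server's subject.
            # NOTE(review): this branch also runs when a CA subject DN *was*
            # configured, replacing it with the server DN — confirm that is
            # intended (it may be, to keep DN formats comparable).
            myproxy_ca_dn = self.conf.get_myproxy_dn()
            if myproxy_ca_dn is None:
                myproxy_ca_dn = self.get_myproxy_dn_from_server()

        cadir = self.conf.get_security_trusted_certificate_directory()
        self.logger.debug("MyProxy CA DN is " + str(myproxy_ca_dn))
        self.logger.debug("CA dir is " + str(cadir))

        if self.is_local_myproxy():
            myproxy_certpath = os.path.join(
                self.conf.get_myproxy_ca_directory(), "cacert.pem")
        elif myproxy_ca_dn is not None:
            self.logger.debug("Looking for MyProxy CA cert in " + cadir)
            # The first <hash>.0 whose subject matches wins; os.listdir order
            # is arbitrary, so two trusted CAs with the same subject would be
            # picked non-deterministically.
            for certfile in os.listdir(cadir):
                if not certfile.endswith(".0"):
                    continue
                certpath = os.path.join(cadir, certfile)
                self.logger.debug(
                    "Checking to see if " + certfile + " matches MyProxyDN")
                if security.get_certificate_subject(certpath) == myproxy_ca_dn:
                    myproxy_certpath = certpath
                    break

        if myproxy_certpath is None:
            raise Exception("ERROR: Unable to determine " +
                            "path to MyProxy CA certificate, set " +
                            "CaCert option in MyProxy section of config.\n")

        # The callout is pointed at the hash-named copy in the trust dir, not
        # at myproxy_certpath itself.  A missing copy is only logged, so the
        # config is still written and the callout would fail at runtime.
        myproxy_ca_hash = security.get_certificate_hash(myproxy_certpath)
        installed_cert = os.path.join(cadir, myproxy_ca_hash + ".0")
        installed_signing_policy = os.path.join(
            cadir, myproxy_ca_hash + ".signing_policy")
        if not os.path.exists(installed_cert):
            self.logger.error("MyProxy CA not installed in trusted CA dir")
        if not os.path.exists(installed_signing_policy):
            self.logger.error("MyProxy CA signing policy not installed " +
                              "in trusted CA dir")
        conf_file.write("$GLOBUS_MYPROXY_CA_CERT \"%s\"\n" % installed_cert)
        os.symlink(conf_file_name, conf_link_name)
    self.logger.debug("EXIT: configure_gridmap_verify_myproxy_callout()")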
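def configure_myproxy_ca(self, force=False):
    """Create the MyProxy CA (if enabled and absent) and trust it locally.

    Does nothing unless the MyProxy CA is enabled in the config.  When the
    CA directory does not exist yet (or ``force`` just removed it), a CA is
    created with ``grid-ca-create`` using the configured CA subject DN or,
    failing that, the subject of the host certificate.  The CA certificate
    and its signing policy are then copied into the trusted-certificate
    directory as ``<hash>.0`` / ``<hash>.signing_policy``, and
    ``self.myproxy_ca_config`` is set to the myproxy-server CA stanza.

    Args:
        force: remove an existing CA directory first and recreate the CA
            from scratch (``grid-ca-create -force``).

    Raises:
        Exception: if ``grid-ca-create`` exits non-zero; the exit code and
            the filtered stdout/stderr are included in the message.

    NOTE(review): the block structure was reconstructed from an
    indentation-less source.  The trust-dir install and the config stanza
    are taken to run on every call, not only after a fresh CA creation —
    confirm against the upstream file.
    """
    if not self.conf.get_myproxy_ca():
        self.logger.debug("Not using MyProxy CA, nothing to configure")
        return

    cadir = self.conf.get_myproxy_ca_directory()
    if force and cadir is not None and os.path.exists(cadir):
        # Destructive: the CA private key and everything issued under cadir
        # are discarded before the CA is rebuilt.
        shutil.rmtree(cadir, ignore_errors=True)

    if cadir is not None and not os.path.exists(cadir):
        ca_subject = self.conf.get_myproxy_ca_subject_dn()
        if ca_subject is None:
            ca_subject = security.get_certificate_subject(
                self.conf.get_security_certificate_file(), nameopt='RFC2253')
        args = [
            'grid-ca-create', '-nobuild', '-verbose',
            '-dir', cadir,
            '-subject', ca_subject,
            '-noint']
        if force:
            args.append('-force')
        # argv list, no shell: the subject DN travels as one argument.
        ca_create = Popen(args, stdout=PIPE, stderr=PIPE)
        (out, err) = ca_create.communicate()
        # Drop non-printable characters before logging or embedding the tool
        # output in an exception message.
        # NOTE(review): this filter assumes Python 2 str output; on Python 3
        # out/err are bytes and the membership test would raise TypeError.
        out = "".join(s for s in out if s in string.printable)
        err = "".join(s for s in err if s in string.printable)
        self.logger.debug("ca create output: " + out)
        self.logger.debug("ca create stderr: " + err)
        if ca_create.returncode != 0:
            raise Exception("Error creating CA: " +
                            str(ca_create.returncode) + out + err)

    trustdir = self.conf.get_security_trusted_certificate_directory()
    if trustdir is not None:
        if not os.path.exists(trustdir):
            os.makedirs(trustdir, 0o755)
        # NOTE(review): cadir is not re-checked for None here; the join would
        # raise TypeError if the CA directory is unset — confirm whether the
        # config guarantees it when the CA is enabled.
        cert_path = os.path.join(cadir, "cacert.pem")
        signing_policy_path = os.path.join(cadir, "signing-policy")
        cahash = security.get_certificate_hash(cert_path)
        installed_cert_path = os.path.join(trustdir, cahash + ".0")
        installed_signing_policy = os.path.join(
            trustdir, cahash + ".signing_policy")
        # Only public material (certificate + signing policy) is copied and
        # made world-readable; the private key stays in cadir/private.
        shutil.copyfile(signing_policy_path, installed_signing_policy)
        os.chmod(installed_signing_policy, 0o644)
        shutil.copyfile(cert_path, installed_cert_path)
        os.chmod(installed_cert_path, 0o644)

    # myproxy-server CA stanza.  It embeds the CA key passphrase in clear
    # text, so whatever writes self.myproxy_ca_config to disk (or logs it)
    # must treat the result as a secret.
    self.myproxy_ca_config = """
certificate_issuer_cert "%(cadir)s/cacert.pem"
certificate_issuer_key "%(cadir)s/private/cakey.pem"
certificate_issuer_key_passphrase "%(passphrase)s"
certificate_serialfile "%(cadir)s/serial"
certificate_out_dir "%(cadir)s/newcerts"
certificate_issuer_subca_certfile "%(cadir)s/cacert.pem"
max_cert_lifetime 168
cert_dir %(certdir)s
""" % {
        'cadir': cadir,
        'passphrase': self.conf.get_myproxy_ca_passphrase(),
        'certdir': self.conf.get_security_trusted_certificate_directory(),
    }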