def main():
params = Params()
Script.registerSwitch("f:", "file=", "File to use as proxy", params.setProxyLocation)
Script.registerSwitch("D", "DN", "Use DN as myproxy username", params.setDNAsUsername)
Script.addDefaultOptionValue("LogLevel", "always")
Script.parseCommandLine()
from DIRAC.Core.Security.MyProxy import MyProxy
from DIRAC.Core.Security import Locations
if not params.proxyLoc:
params.proxyLoc = Locations.getProxyLocation()
if not params.proxyLoc:
print("Can't find any valid proxy")
sys.exit(1)
print("Uploading proxy file %s" % params.proxyLoc)
mp = MyProxy()
retVal = mp.uploadProxy(params.proxyLoc, params.dnAsUsername)
if not retVal["OK"]:
print("Can't upload proxy:")
print(" ", retVal["Message"])
sys.exit(1)
print("Proxy uploaded")
sys.exit(0)
def uploadProxy(self,
proxy=None,
restrictLifeTime: int = 0,
rfcIfPossible=None):
"""Upload a proxy to the proxy management service using delegation
:param X509Chain proxy: proxy as a chain
:param restrictLifeTime: proxy live time in a seconds
:return: S_OK(dict)/S_ERROR() -- dict contain proxies
"""
if rfcIfPossible is not None:
if os.environ.get("DIRAC_DEPRECATED_FAIL", None):
raise NotImplementedError(
"'rfcIfPossible' argument is deprecated.")
gLogger.warn("'rfcIfPossible' argument is deprecated.")
# Discover proxy location
if isinstance(proxy, X509Chain):
chain = proxy
proxyLocation = ""
else:
if not proxy:
proxyLocation = Locations.getProxyLocation()
if not proxyLocation:
return S_ERROR("Can't find a valid proxy")
elif isinstance(proxy, str):
proxyLocation = proxy
else:
return S_ERROR("Can't find a valid proxy")
chain = X509Chain()
result = chain.loadProxyFromFile(proxyLocation)
if not result["OK"]:
return S_ERROR(
f"Can't load {proxyLocation}: {result['Message']}")
# Make sure it's valid
if chain.hasExpired().get("Value"):
return S_ERROR(f"Proxy {proxyLocation} has expired")
if chain.getDIRACGroup(ignoreDefault=True).get(
"Value") or chain.isVOMS().get("Value"):
return S_ERROR(
"Cannot upload proxy with DIRAC group or VOMS extensions")
rpcClient = Client(url="Framework/ProxyManager", timeout=120)
# Get a delegation request
result = rpcClient.requestDelegationUpload()
if not result["OK"]:
return result
reqDict = result["Value"]
# Generate delegated chain
chainLifeTime = chain.getRemainingSecs()["Value"] - 60
if restrictLifeTime and restrictLifeTime < chainLifeTime:
chainLifeTime = restrictLifeTime
result = chain.generateChainFromRequestString(reqDict["request"],
lifetime=chainLifeTime)
if result["OK"]:
result = rpcClient.completeDelegationUpload(
reqDict["id"], pemChain := result["Value"])
return result
def uploadProxy(self, proxy=None, restrictLifeTime=0, rfcIfPossible=False):
""" Upload a proxy to the proxy management service using delegation
:param X509Chain proxy: proxy as a chain
:param int restrictLifeTime: proxy live time in a seconds
:param boolean rfcIfPossible: make rfc proxy if possible
:return: S_OK(dict)/S_ERROR() -- dict contain proxies
"""
# Discover proxy location
if isinstance(proxy, X509Chain):
chain = proxy
proxyLocation = ""
else:
if not proxy:
proxyLocation = Locations.getProxyLocation()
if not proxyLocation:
return S_ERROR("Can't find a valid proxy")
elif isinstance(proxy, six.string_types):
proxyLocation = proxy
else:
return S_ERROR("Can't find a valid proxy")
chain = X509Chain()
result = chain.loadProxyFromFile(proxyLocation)
if not result['OK']:
return S_ERROR("Can't load %s: %s " %
(proxyLocation, result['Message']))
# Make sure it's valid
if chain.hasExpired().get('Value'):
return S_ERROR("Proxy %s has expired" % proxyLocation)
if chain.getDIRACGroup().get('Value') or chain.isVOMS().get('Value'):
return S_ERROR(
"Cannot upload proxy with DIRAC group or VOMS extensions")
rpcClient = RPCClient("Framework/ProxyManager", timeout=120)
# Get a delegation request
# WARN: Since v7r1 requestDelegationUpload method use only first argument!
# WARN: Second argument for compatibility with older versions
result = rpcClient.requestDelegationUpload(
chain.getRemainingSecs()['Value'], None)
if not result['OK']:
return result
reqDict = result['Value']
# Generate delegated chain
chainLifeTime = chain.getRemainingSecs()['Value'] - 60
if restrictLifeTime and restrictLifeTime < chainLifeTime:
chainLifeTime = restrictLifeTime
retVal = chain.generateChainFromRequestString(reqDict['request'],
lifetime=chainLifeTime,
rfc=rfcIfPossible)
if not retVal['OK']:
return retVal
# Upload!
result = rpcClient.completeDelegationUpload(reqDict['id'],
retVal['Value'])
if not result['OK']:
return result
return S_OK(result.get('proxies') or result['Value'])
def uploadProxy(self, proxy=None, restrictLifeTime=0, rfcIfPossible=False):
"""Upload a proxy to the proxy management service using delegation
:param X509Chain proxy: proxy as a chain
:param int restrictLifeTime: proxy live time in a seconds
:param boolean rfcIfPossible: make rfc proxy if possible
:return: S_OK(dict)/S_ERROR() -- dict contain proxies
"""
# Discover proxy location
if isinstance(proxy, X509Chain):
chain = proxy
proxyLocation = ""
else:
if not proxy:
proxyLocation = Locations.getProxyLocation()
if not proxyLocation:
return S_ERROR("Can't find a valid proxy")
elif isinstance(proxy, six.string_types):
proxyLocation = proxy
else:
return S_ERROR("Can't find a valid proxy")
chain = X509Chain()
result = chain.loadProxyFromFile(proxyLocation)
if not result["OK"]:
return S_ERROR("Can't load %s: %s " %
(proxyLocation, result["Message"]))
# Make sure it's valid
if chain.hasExpired().get("Value"):
return S_ERROR("Proxy %s has expired" % proxyLocation)
if chain.getDIRACGroup(ignoreDefault=True).get(
"Value") or chain.isVOMS().get("Value"):
return S_ERROR(
"Cannot upload proxy with DIRAC group or VOMS extensions")
rpcClient = Client(url="Framework/ProxyManager", timeout=120)
# Get a delegation request
result = rpcClient.requestDelegationUpload(
chain.getRemainingSecs()["Value"])
if not result["OK"]:
return result
reqDict = result["Value"]
# Generate delegated chain
chainLifeTime = chain.getRemainingSecs()["Value"] - 60
if restrictLifeTime and restrictLifeTime < chainLifeTime:
chainLifeTime = restrictLifeTime
retVal = chain.generateChainFromRequestString(reqDict["request"],
lifetime=chainLifeTime,
rfc=rfcIfPossible)
if not retVal["OK"]:
return retVal
# Upload!
result = rpcClient.completeDelegationUpload(reqDict["id"],
retVal["Value"])
if not result["OK"]:
return result
return S_OK(result.get("proxies") or result["Value"])
def uploadProxy( self, proxy = False, diracGroup = False, chainToConnect = False, restrictLifeTime = 0, rfcIfPossible = False ):
"""
Upload a proxy to the proxy management service using delegation
"""
#Discover proxy location
if type( proxy ) == g_X509ChainType:
chain = proxy
proxyLocation = ""
else:
if not proxy:
proxyLocation = Locations.getProxyLocation()
if not proxyLocation:
return S_ERROR( "Can't find a valid proxy" )
elif isinstance( proxy, basestring ):
proxyLocation = proxy
else:
return S_ERROR( "Can't find a valid proxy" )
chain = X509Chain()
result = chain.loadProxyFromFile( proxyLocation )
if not result[ 'OK' ]:
return S_ERROR( "Can't load %s: %s " % ( proxyLocation, result[ 'Message' ] ) )
if not chainToConnect:
chainToConnect = chain
#Make sure it's valid
if chain.hasExpired()[ 'Value' ]:
return S_ERROR( "Proxy %s has expired" % proxyLocation )
#rpcClient = RPCClient( "Framework/ProxyManager", proxyChain = chainToConnect )
rpcClient = RPCClient( "Framework/ProxyManager", timeout = 120 )
#Get a delegation request
result = rpcClient.requestDelegationUpload( chain.getRemainingSecs()['Value'], diracGroup )
if not result[ 'OK' ]:
return result
#Check if the delegation has been granted
if 'Value' not in result or not result[ 'Value' ]:
if 'proxies' in result:
return S_OK( result[ 'proxies' ] )
else:
return S_OK()
reqDict = result[ 'Value' ]
#Generate delegated chain
chainLifeTime = chain.getRemainingSecs()[ 'Value' ] - 60
if restrictLifeTime and restrictLifeTime < chainLifeTime:
chainLifeTime = restrictLifeTime
retVal = chain.generateChainFromRequestString( reqDict[ 'request' ],
lifetime = chainLifeTime,
diracGroup = diracGroup, rfc = rfcIfPossible)
if not retVal[ 'OK' ]:
return retVal
#Upload!
result = rpcClient.completeDelegationUpload( reqDict[ 'id' ], retVal[ 'Value' ] )
if not result[ 'OK' ]:
return result
if 'proxies' in result:
return S_OK( result[ 'proxies' ] )
return S_OK()
def getProxyInfo(proxy=False, disableVOMS=False):
"""
:Returns: a dict with all the proxy info:
* values that will be there always
* 'chain' : chain object containing the proxy
* 'subject' : subject of the proxy
* 'issuer' : issuer of the proxy
* 'isProxy' : bool
* 'isLimitedProxy' : bool
* 'validDN' : Valid DN in DIRAC
* 'validGroup' : Valid Group in DIRAC
* 'secondsLeft' : Seconds left
* values that can be there
* 'path' : path to the file,
* 'group' : DIRAC group
* 'groupProperties' : Properties that apply to the DIRAC Group
* 'username' : DIRAC username
* 'identity' : DN that generated the proxy
* 'hostname' : DIRAC host nickname
* 'VOMS'
"""
# Discover proxy location
proxyLocation = False
if isinstance(proxy, X509Chain):
chain = proxy
else:
if not proxy:
proxyLocation = Locations.getProxyLocation()
elif isinstance(proxy, basestring):
proxyLocation = proxy
if not proxyLocation:
return S_ERROR(DErrno.EPROXYFIND)
chain = X509Chain()
retVal = chain.loadProxyFromFile(proxyLocation)
if not retVal['OK']:
return S_ERROR(DErrno.EPROXYREAD,
"%s: %s " % (proxyLocation, retVal['Message']))
retVal = chain.getCredentials()
if not retVal['OK']:
return retVal
infoDict = retVal['Value']
infoDict['chain'] = chain
if proxyLocation:
infoDict['path'] = proxyLocation
if not disableVOMS and chain.isVOMS()['Value']:
infoDict['hasVOMS'] = True
retVal = VOMS().getVOMSAttributes(chain)
if retVal['OK']:
infoDict['VOMS'] = retVal['Value']
else:
infoDict['VOMSError'] = retVal['Message'].strip()
return S_OK(infoDict)
def uploadProxy( self, proxy = False, diracGroup = False, chainToConnect = False, restrictLifeTime = 0 ):
"""
Upload a proxy to the proxy management service using delgation
"""
#Discover proxy location
if type( proxy ) == g_X509ChainType:
chain = proxy
proxyLocation = ""
else:
if not proxy:
proxyLocation = Locations.getProxyLocation()
if not proxyLocation:
return S_ERROR( "Can't find a valid proxy" )
elif type( proxy ) in ( types.StringType, types.UnicodeType ):
proxyLocation = proxy
else:
return S_ERROR( "Can't find a valid proxy" )
chain = X509Chain()
result = chain.loadProxyFromFile( proxyLocation )
if not result[ 'OK' ]:
return S_ERROR( "Can't load %s: %s " % ( proxyLocation, result[ 'Message' ] ) )
if not chainToConnect:
chainToConnect = chain
#Make sure it's valid
if chain.hasExpired()[ 'Value' ]:
return S_ERROR( "Proxy %s has expired" % proxyLocation )
#rpcClient = RPCClient( "Framework/ProxyManager", proxyChain = chainToConnect )
rpcClient = RPCClient( "Framework/ProxyManager", timeout = 120 )
#Get a delegation request
result = rpcClient.requestDelegationUpload( chain.getRemainingSecs()['Value'], diracGroup )
if not result[ 'OK' ]:
return result
#Check if the delegation has been granted
if 'Value' not in result or not result[ 'Value' ]:
if 'proxies' in result:
return S_OK( result[ 'proxies' ] )
else:
return S_OK()
reqDict = result[ 'Value' ]
#Generate delegated chain
chainLifeTime = chain.getRemainingSecs()[ 'Value' ] - 60
if restrictLifeTime and restrictLifeTime < chainLifeTime:
chainLifeTime = restrictLifeTime
retVal = chain.generateChainFromRequestString( reqDict[ 'request' ],
lifetime = chainLifeTime,
diracGroup = diracGroup )
if not retVal[ 'OK' ]:
return retVal
#Upload!
result = rpcClient.completeDelegationUpload( reqDict[ 'id' ], retVal[ 'Value' ] )
if not result[ 'OK' ]:
return result
if 'proxies' in result:
return S_OK( result[ 'proxies' ] )
return S_OK()
def getProxyInfo( proxy = False, disableVOMS = False ):
"""
:Returns: a dict with all the proxy info:
* values that will be there always
* 'chain' : chain object containing the proxy
* 'subject' : subject of the proxy
* 'issuer' : issuer of the proxy
* 'isProxy' : bool
* 'isLimitedProxy' : bool
* 'validDN' : Valid DN in DIRAC
* 'validGroup' : Valid Group in DIRAC
* 'secondsLeft' : Seconds left
* values that can be there
* 'path' : path to the file,
* 'group' : DIRAC group
* 'groupProperties' : Properties that apply to the DIRAC Group
* 'username' : DIRAC username
* 'identity' : DN that generated the proxy
* 'hostname' : DIRAC host nickname
* 'VOMS'
"""
#Discover proxy location
proxyLocation = False
if type( proxy ) == g_X509ChainType:
chain = proxy
else:
if not proxy:
proxyLocation = Locations.getProxyLocation()
elif isinstance( proxy, basestring ):
proxyLocation = proxy
if not proxyLocation:
return S_ERROR( DErrno.EPROXYFIND )
chain = X509Chain()
retVal = chain.loadProxyFromFile( proxyLocation )
if not retVal[ 'OK' ]:
return S_ERROR( DErrno.EPROXYREAD, "%s: %s " % ( proxyLocation, retVal[ 'Message' ] ) )
retVal = chain.getCredentials()
if not retVal[ 'OK' ]:
return retVal
infoDict = retVal[ 'Value' ]
infoDict[ 'chain' ] = chain
if proxyLocation:
infoDict[ 'path' ] = proxyLocation
if not disableVOMS and chain.isVOMS()['Value']:
infoDict[ 'hasVOMS' ] = True
retVal = VOMS().getVOMSAttributes( chain )
if retVal[ 'OK' ]:
infoDict[ 'VOMS' ] = retVal[ 'Value' ]
else:
infoDict[ 'VOMSError' ] = retVal[ 'Message' ].strip()
return S_OK( infoDict )
def getProxyInfo(proxy=False, disableVOMS=False):
"""
Returns a dict with all the proxy info
* values that will be there always
'chain' : chain object containing the proxy
'subject' : subject of the proxy
'issuer' : issuer of the proxy
'isProxy' : bool
'isLimitedProxy' : bool
'validDN' : Valid DN in DIRAC
'validGroup' : Valid Group in DIRAC
'secondsLeft' : Seconds left
* values that can be there
'path' : path to the file,
'group' : DIRAC group
'groupProperties' : Properties that apply to the DIRAC Group
'username' : DIRAC username
'identity' : DN that generated the proxy
'hostname' : DIRAC host nickname
'VOMS'
"""
#Discover proxy location
proxyLocation = False
if type(proxy) == g_X509ChainType:
chain = proxy
else:
if not proxy:
proxyLocation = Locations.getProxyLocation()
elif type(proxy) in (types.StringType, types.UnicodeType):
proxyLocation = proxy
if not proxyLocation:
return S_ERROR("Can't find a valid proxy")
chain = X509Chain()
retVal = chain.loadProxyFromFile(proxyLocation)
if not retVal['OK']:
return S_ERROR("Can't load %s: %s " %
(proxyLocation, retVal['Message']))
retVal = chain.getCredentials()
if not retVal['OK']:
return retVal
infoDict = retVal['Value']
infoDict['chain'] = chain
if proxyLocation:
infoDict['path'] = proxyLocation
if not disableVOMS and chain.isVOMS()['Value']:
infoDict['hasVOMS'] = True
retVal = VOMS().getVOMSAttributes(chain)
if retVal['OK']:
infoDict['VOMS'] = retVal['Value']
else:
infoDict['VOMSError'] = retVal['Message'].strip()
return S_OK(infoDict)
def getProxyInfo( proxy = False, disableVOMS = False ):
"""
Returns a dict with all the proxy info
* values that will be there always
'chain' : chain object containing the proxy
'subject' : subject of the proxy
'issuer' : issuer of the proxy
'isProxy' : bool
'isLimitedProxy' : bool
'validDN' : Valid DN in DIRAC
'validGroup' : Valid Group in DIRAC
'secondsLeft' : Seconds left
* values that can be there
'path' : path to the file,
'group' : DIRAC group
'groupProperties' : Properties that apply to the DIRAC Group
'username' : DIRAC username
'identity' : DN that generated the proxy
'hostname' : DIRAC host nickname
'VOMS'
"""
#Discover proxy location
proxyLocation = False
if type( proxy ) == g_X509ChainType:
chain = proxy
else:
if not proxy:
proxyLocation = Locations.getProxyLocation()
elif type( proxy ) in ( types.StringType, types.UnicodeType ):
proxyLocation = proxy
if not proxyLocation:
return S_ERROR( "Can't find a valid proxy" )
chain = X509Chain()
retVal = chain.loadProxyFromFile( proxyLocation )
if not retVal[ 'OK' ]:
return S_ERROR( "Can't load %s: %s " % ( proxyLocation, retVal[ 'Message' ] ) )
retVal = chain.getCredentials()
if not retVal[ 'OK' ]:
return retVal
infoDict = retVal[ 'Value' ]
infoDict[ 'chain' ] = chain
if proxyLocation:
infoDict[ 'path' ] = proxyLocation
if not disableVOMS and chain.isVOMS()['Value']:
infoDict[ 'hasVOMS' ] = True
retVal = VOMS().getVOMSAttributes( chain )
if retVal[ 'OK' ]:
infoDict[ 'VOMS' ] = retVal[ 'Value' ]
else:
infoDict[ 'VOMSError' ] = retVal[ 'Message' ].strip()
return S_OK( infoDict )
def __loadM2SSLCTXProxy(ctx, proxyPath=None):
""" Load proxy from proxyPath (or default location if not specified) and
set it as the certificate & key to use for this SSL context.
Returns None.
"""
if not proxyPath:
proxyPath = Locations.getProxyLocation()
if not proxyPath:
raise RuntimeError("Proxy location not set")
if not os.path.isfile(proxyPath):
raise RuntimeError("Proxy file (%s) is missing" % proxyPath)
# See __loadM2SSLCTXHostcert for description of why lambda is needed.
ctx.load_cert_chain(proxyPath, proxyPath, callback=lambda: "")
def __generateContextWithProxy(self):
if 'proxyLocation' in self.infoDict:
proxyPath = self.infoDict['proxyLocation']
if not os.path.isfile(proxyPath):
return S_ERROR("Defined proxy is not a file")
else:
proxyPath = Locations.getProxyLocation()
if not proxyPath:
return S_ERROR("No valid proxy found")
self.setLocalCredentialsLocation((proxyPath, proxyPath))
gLogger.debug("Using proxy %s" % proxyPath)
retVal = self.__createContext()
if not retVal['OK']:
return retVal
self.sslContext.use_certificate_chain_file(proxyPath)
self.sslContext.use_privatekey_file(proxyPath)
return S_OK()
def __getProxyID(self):
proxyLocation = Locations.getProxyLocation()
if not proxyLocation:
gLogger.error("No proxy found!")
return False
chain = X509Chain()
if not chain.loadProxyFromFile(proxyLocation):
gLogger.error("Can't read proxy!", proxyLocation)
return False
retVal = chain.getIssuerCert()
if not retVal['OK']:
gLogger.error("Can't parse proxy!", retVal['Message'])
return False
idCert = retVal['Value']
self.__userDN = idCert.getSubjectDN()['Value']
self.__userGroup = chain.getDIRACGroup()['Value']
return True
def __generateContextWithProxy( self ):
if 'proxyLocation' in self.infoDict:
proxyPath = self.infoDict[ 'proxyLocation' ]
if not os.path.isfile( proxyPath ):
return S_ERROR( "Defined proxy is not a file" )
else:
proxyPath = Locations.getProxyLocation()
if not proxyPath:
return S_ERROR( "No valid proxy found" )
self.setLocalCredentialsLocation( ( proxyPath, proxyPath ) )
gLogger.debug( "Using proxy %s" % proxyPath )
retVal = self.__createContext()
if not retVal[ 'OK' ]:
return retVal
self.sslContext.use_certificate_chain_file( proxyPath )
self.sslContext.use_privatekey_file( proxyPath )
return S_OK()
def __getProxyID( self ):
proxyLocation = Locations.getProxyLocation()
if not proxyLocation:
gLogger.error( "No proxy found!" )
return False
chain = X509Chain()
if not chain.loadProxyFromFile( proxyLocation ):
gLogger.error( "Can't read proxy!", proxyLocation )
return False
retVal = chain.getIssuerCert()
if not retVal[ 'OK' ]:
gLogger.error( "Can't parse proxy!", retVal[ 'Message' ] )
return False
idCert = retVal[ 'Value' ]
self.__userDN = idCert.getSubjectDN()[ 'Value' ]
self.__userGroup = idCert.getDIRACGroup()[ 'Value' ]
return True
def delegate(delegationRequest, kwargs):
"""
Check delegate!
"""
if kwargs.get("useCertificates"):
chain = X509Chain()
certTuple = Locations.getHostCertificateAndKeyLocation()
chain.loadChainFromFile(certTuple[0])
chain.loadKeyFromFile(certTuple[1])
elif "proxyObject" in kwargs:
chain = kwargs["proxyObject"]
else:
if "proxyLocation" in kwargs:
procLoc = kwargs["proxyLocation"]
else:
procLoc = Locations.getProxyLocation()
chain = X509Chain()
chain.loadChainFromFile(procLoc)
chain.loadKeyFromFile(procLoc)
return chain.generateChainFromRequestString(delegationRequest)
def delegate( delegationRequest, kwargs ):
"""
Check delegate!
"""
if "useCertificates" in kwargs and kwargs[ 'useCertificates' ]:
chain = X509Chain()
certTuple = Locations.getHostCertificateAndKeyLocation()
chain.loadChainFromFile( certTuple[0] )
chain.loadKeyFromFile( certTuple[1] )
elif "proxyObject" in kwargs:
chain = kwargs[ 'proxyObject' ]
else:
if "proxyLocation" in kwargs:
procLoc = kwargs[ "proxyLocation" ]
else:
procLoc = Locations.getProxyLocation()
chain = X509Chain()
chain.loadChainFromFile( procLoc )
chain.loadKeyFromFile( procLoc )
return chain.generateChainFromRequestString( delegationRequest )
def __getProxyID(self):
"""Get proxy identity information
:return: S_OK()/S_ERROR()
"""
proxyLocation = Locations.getProxyLocation()
if not proxyLocation:
return S_ERROR("No proxy found!")
chain = X509Chain()
if not chain.loadProxyFromFile(proxyLocation):
return S_ERROR("Can't read proxy!", proxyLocation)
retVal = chain.getIssuerCert()
if not retVal["OK"]:
return S_ERROR("Can't parse proxy!", retVal["Message"])
idCert = retVal["Value"]
result = idCert.getSubjectDN()
if result["OK"]:
self.__userDN = result["Value"]
result = chain.getDIRACGroup()
if not result["OK"]:
return result
self.__userGroup = result["Value"]
return S_OK()
def _getCurrentUser(self):
"""Simple function to return current DIRAC username.
"""
proxy = Locations.getProxyLocation()
if not proxy:
return S_ERROR('No proxy found in local environment')
else:
self.log.verbose('Current proxy is %s' % proxy)
chain = X509Chain()
result = chain.loadProxyFromFile(proxy)
if not result['OK']:
return result
result = chain.getIssuerCert()
if not result['OK']:
return result
issuerCert = result['Value']
dn = issuerCert.getSubjectDN()['Value']
result = CS.getUsernameForDN(dn)
if not result['OK']:
return result
return result
def _getCurrentUser( self ):
"""Simple function to return current DIRAC username.
"""
proxy = Locations.getProxyLocation()
if not proxy:
return S_ERROR( 'No proxy found in local environment' )
else:
self.log.verbose( 'Current proxy is %s' % proxy )
chain = X509Chain()
result = chain.loadProxyFromFile( proxy )
if not result[ 'OK' ]:
return result
result = chain.getIssuerCert()
if not result[ 'OK' ]:
return result
issuerCert = result[ 'Value' ]
dn = issuerCert.getSubjectDN()[ 'Value' ]
result = CS.getUsernameForDN( dn )
if not result[ 'OK' ]:
return result
return result
def checkSanity(urlTuple, kwargs):
"""
Check that all ssl environment is ok
"""
useCerts = False
if "useCertificates" in kwargs and kwargs['useCertificates']:
certTuple = Locations.getHostCertificateAndKeyLocation()
if not certTuple:
gLogger.error("No cert/key found! ")
return S_ERROR("No cert/key found! ")
certFile = certTuple[0]
useCerts = True
elif "proxyString" in kwargs:
if type(kwargs['proxyString']) != types.StringType:
gLogger.error("proxyString parameter is not a valid type")
return S_ERROR("proxyString parameter is not a valid type")
else:
if "proxyLocation" in kwargs:
certFile = kwargs["proxyLocation"]
else:
certFile = Locations.getProxyLocation()
if not certFile:
gLogger.error("No proxy found")
return S_ERROR("No proxy found")
elif not os.path.isfile(certFile):
gLogger.error("%s proxy file does not exist" % certFile)
return S_ERROR("%s proxy file does not exist" % certFile)
#For certs always check CA's. For clients skipServerIdentityCheck
if 'skipCACheck' not in kwargs or not kwargs['skipCACheck']:
if not Locations.getCAsLocation():
gLogger.error("No CAs found!")
return S_ERROR("No CAs found!")
if "proxyString" in kwargs:
certObj = X509Chain()
retVal = certObj.loadChainFromString(kwargs['proxyString'])
if not retVal['OK']:
gLogger.error("Can't load proxy string")
return S_ERROR("Can't load proxy string")
else:
if useCerts:
certObj = X509Certificate()
certObj.loadFromFile(certFile)
else:
certObj = X509Chain()
certObj.loadChainFromFile(certFile)
retVal = certObj.hasExpired()
if not retVal['OK']:
gLogger.error("Can't verify file %s:%s" %
(certFile, retVal['Message']))
return S_ERROR("Can't verify file %s:%s" %
(certFile, retVal['Message']))
else:
if retVal['Value']:
notAfter = certObj.getNotAfterDate()
if notAfter['OK']:
notAfter = notAfter['Value']
else:
notAfter = "unknown"
gLogger.error("PEM file has expired",
"%s is not valid after %s" % (certFile, notAfter))
return S_ERROR("PEM file %s has expired, not valid after %s" %
(certFile, notAfter))
idDict = {}
retVal = certObj.getDIRACGroup(ignoreDefault=True)
if retVal['OK'] and retVal['Value'] != False:
idDict['group'] = retVal['Value']
if useCerts:
idDict['DN'] = certObj.getSubjectDN()['Value']
else:
idDict['DN'] = certObj.getIssuerCert()['Value'].getSubjectDN()['Value']
return S_OK(idDict)
def checkSanity( urlTuple, kwargs ):
"""
Check that all ssl environment is ok
"""
useCerts = False
certFile = ''
if "useCertificates" in kwargs and kwargs[ 'useCertificates' ]:
certTuple = Locations.getHostCertificateAndKeyLocation()
if not certTuple:
gLogger.error( "No cert/key found! " )
return S_ERROR( "No cert/key found! " )
certFile = certTuple[0]
useCerts = True
elif "proxyString" in kwargs:
if not isinstance( kwargs[ 'proxyString' ], basestring ):
gLogger.error( "proxyString parameter is not a valid type", str( type( kwargs[ 'proxyString' ] ) ) )
return S_ERROR( "proxyString parameter is not a valid type" )
else:
if "proxyLocation" in kwargs:
certFile = kwargs[ "proxyLocation" ]
else:
certFile = Locations.getProxyLocation()
if not certFile:
gLogger.error( "No proxy found" )
return S_ERROR( "No proxy found" )
elif not os.path.isfile( certFile ):
gLogger.error( "Proxy file does not exist", certFile )
return S_ERROR( "%s proxy file does not exist" % certFile )
#For certs always check CA's. For clients skipServerIdentityCheck
if 'skipCACheck' not in kwargs or not kwargs[ 'skipCACheck' ]:
if not Locations.getCAsLocation():
gLogger.error( "No CAs found!" )
return S_ERROR( "No CAs found!" )
if "proxyString" in kwargs:
certObj = X509Chain()
retVal = certObj.loadChainFromString( kwargs[ 'proxyString' ] )
if not retVal[ 'OK' ]:
gLogger.error( "Can't load proxy string" )
return S_ERROR( "Can't load proxy string" )
else:
if useCerts:
certObj = X509Certificate()
certObj.loadFromFile( certFile )
else:
certObj = X509Chain()
certObj.loadChainFromFile( certFile )
retVal = certObj.hasExpired()
if not retVal[ 'OK' ]:
gLogger.error( "Can't verify proxy or certificate file", "%s:%s" % ( certFile, retVal[ 'Message' ] ) )
return S_ERROR( "Can't verify file %s:%s" % ( certFile, retVal[ 'Message' ] ) )
else:
if retVal[ 'Value' ]:
notAfter = certObj.getNotAfterDate()
if notAfter[ 'OK' ]:
notAfter = notAfter[ 'Value' ]
else:
notAfter = "unknown"
gLogger.error( "PEM file has expired", "%s is not valid after %s" % ( certFile, notAfter ) )
return S_ERROR( "PEM file %s has expired, not valid after %s" % ( certFile, notAfter ) )
idDict = {}
retVal = certObj.getDIRACGroup( ignoreDefault = True )
if retVal[ 'OK' ] and retVal[ 'Value' ] != False:
idDict[ 'group' ] = retVal[ 'Value' ]
if useCerts:
idDict[ 'DN' ] = certObj.getSubjectDN()[ 'Value' ]
else:
idDict[ 'DN' ] = certObj.getIssuerCert()[ 'Value' ].getSubjectDN()[ 'Value' ]
return S_OK( idDict )
params = Params()
Script.registerSwitch("f:", "file=", "File to use as proxy", params.setProxyLocation)
Script.registerSwitch("D", "DN", "Use DN as myproxy username", params.setDNAsUsername)
Script.registerSwitch("i", "version", "Print version", params.showVersion)
Script.addDefaultOptionValue("LogLevel", "always")
Script.parseCommandLine()
from DIRAC.FrameworkSystem.Client.ProxyManagerClient import gProxyManager
from DIRAC.Core.Security.MyProxy import MyProxy
from DIRAC.Core.Security.X509Chain import X509Chain
from DIRAC.Core.Security import Locations, CS
if not params.proxyLoc:
params.proxyLoc = Locations.getProxyLocation()
if not params.proxyLoc:
print "Can't find any valid proxy"
sys.exit(1)
print "Uploading proxy file %s" % params.proxyLoc
mp = MyProxy()
retVal = mp.uploadProxy(params.proxyLoc, params.dnAsUsername)
if not retVal["OK"]:
print "Can't upload proxy:"
print " ", retVal["Message"]
sys.exit(1)
print "Proxy uploaded"
sys.exit(0)
def _request(self, retry=0, outputFile=None, **kwargs):
"""
Sends the request to server
:param retry: internal parameters for recursive call. TODO: remove ?
:param outputFile: (default None) path to a file where to store the received data.
If set, the server response will be streamed for optimization
purposes, and the response data will not go through the
JDecode process
:param **kwargs: Any argument there is used as a post parameter. They are detailed bellow.
:param method: (mandatory) name of the distant method
:param args: (mandatory) json serialized list of argument for the procedure
:returns: The received data. If outputFile is set, return always S_OK
"""
# Adding some informations to send
if self.__extraCredentials:
kwargs[self.KW_EXTRA_CREDENTIALS] = encode(self.__extraCredentials)
kwargs["clientVO"] = self.vo
kwargs["clientSetup"] = self.setup
# Getting URL
url = self.__findServiceURL()
if not url["OK"]:
return url
url = url["Value"]
# Getting CA file (or skip verification)
verify = not self.kwargs.get(self.KW_SKIP_CA_CHECK)
if verify:
if not self.__ca_location:
self.__ca_location = Locations.getCAsLocation()
if not self.__ca_location:
gLogger.error("No CAs found!")
return S_ERROR("No CAs found!")
verify = self.__ca_location
# getting certificate
# Do we use the server certificate ?
if self.kwargs[self.KW_USE_CERTIFICATES]:
cert = Locations.getHostCertificateAndKeyLocation()
elif self.kwargs.get(self.KW_PROXY_STRING):
tmpHandle, cert = tempfile.mkstemp()
fp = os.fdopen(tmpHandle, "wb")
fp.write(self.kwargs[self.KW_PROXY_STRING])
fp.close()
# CHRIS 04.02.21
# TODO: add proxyLocation check ?
else:
cert = Locations.getProxyLocation()
if not cert:
gLogger.error("No proxy found")
return S_ERROR("No proxy found")
# We have a try/except for all the exceptions
# whose default behavior is to try again,
# maybe to different server
try:
# And we have a second block to handle specific exceptions
# which makes it not worth retrying
try:
rawText = None
# Default case, just return the result
if not outputFile:
call = requests.post(url, data=kwargs, timeout=self.timeout, verify=verify, cert=cert)
# raising the exception for status here
# means essentialy that we are losing here the information of what is returned by the server
# as error message, since it is not passed to the exception
# However, we can store the text and return it raw as an error,
# since there is no guarantee that it is any JEncoded text
# Note that we would get an exception only if there is an exception on the server side which
# is not handled.
# Any standard S_ERROR will be transfered as an S_ERROR with a correct code.
rawText = call.text
call.raise_for_status()
return decode(rawText)[0]
else:
# Instruct the server not to encode the response
kwargs["rawContent"] = True
rawText = None
# Stream download
# https://requests.readthedocs.io/en/latest/user/advanced/#body-content-workflow
with requests.post(
url, data=kwargs, timeout=self.timeout, verify=verify, cert=cert, stream=True
) as r:
rawText = r.text
r.raise_for_status()
with open(outputFile, "wb") as f:
for chunk in r.iter_content(4096):
# if chunk: # filter out keep-alive new chuncks
f.write(chunk)
return S_OK()
# Some HTTPError are not worth retrying
except requests.exceptions.HTTPError as e:
status_code = e.response.status_code
if status_code == http_client.NOT_IMPLEMENTED:
return S_ERROR(errno.ENOSYS, "%s is not implemented" % kwargs.get("method"))
elif status_code in (http_client.FORBIDDEN, http_client.UNAUTHORIZED):
return S_ERROR(errno.EACCES, "No access to %s" % url)
# if it is something else, retry
raise
# Whatever exception we have here, we deem worth retrying
except Exception as e:
# CHRIS TODO review this part: retry logic is fishy
# self.__bannedUrls is emptied in findServiceURLs
if url not in self.__bannedUrls:
self.__bannedUrls += [url]
if retry < self.__nbOfUrls - 1:
self._request(retry=retry + 1, outputFile=outputFile, **kwargs)
errStr = "%s: %s" % (str(e), rawText)
return S_ERROR(errStr)
Script.registerSwitch("f:", "file=", "File to use as proxy",
params.setProxyLocation)
Script.registerSwitch("D", "DN", "Use DN as myproxy username",
params.setDNAsUsername)
Script.registerSwitch("i", "version", "Print version", params.showVersion)
Script.addDefaultOptionValue("LogLevel", "always")
Script.parseCommandLine()
from DIRAC.FrameworkSystem.Client.ProxyManagerClient import gProxyManager
from DIRAC.Core.Security.MyProxy import MyProxy
from DIRAC.Core.Security.X509Chain import X509Chain
from DIRAC.Core.Security import Locations, CS
if not params.proxyLoc:
params.proxyLoc = Locations.getProxyLocation()
if not params.proxyLoc:
print "Can't find any valid proxy"
sys.exit(1)
print "Uploading proxy file %s" % params.proxyLoc
mp = MyProxy()
retVal = mp.uploadProxy(params.proxyLoc, params.dnAsUsername)
if not retVal['OK']:
print "Can't upload proxy:"
print " ", retVal['Message']
sys.exit(1)
print "Proxy uploaded"
sys.exit(0)
def _getProxyLocation( ): return Locations.getProxyLocation( )
def checkSanity(urlTuple, kwargs):
"""
Check that all ssl environment is ok
"""
useCerts = False
certFile = ""
if "useCertificates" in kwargs and kwargs["useCertificates"]:
certTuple = Locations.getHostCertificateAndKeyLocation()
if not certTuple:
gLogger.error("No cert/key found! ")
return S_ERROR("No cert/key found! ")
certFile = certTuple[0]
useCerts = True
elif "proxyString" in kwargs:
if not isinstance(kwargs["proxyString"], six.string_types if six.PY2 else bytes):
gLogger.error("proxyString parameter is not a valid type", str(type(kwargs["proxyString"])))
return S_ERROR("proxyString parameter is not a valid type")
else:
if "proxyLocation" in kwargs:
certFile = kwargs["proxyLocation"]
else:
certFile = Locations.getProxyLocation()
if not certFile:
gLogger.error("No proxy found")
return S_ERROR("No proxy found")
elif not os.path.isfile(certFile):
gLogger.error("Proxy file does not exist", certFile)
return S_ERROR("%s proxy file does not exist" % certFile)
# For certs always check CA's. For clients skipServerIdentityCheck
if "skipCACheck" not in kwargs or not kwargs["skipCACheck"]:
if not Locations.getCAsLocation():
gLogger.error("No CAs found!")
return S_ERROR("No CAs found!")
if "proxyString" in kwargs:
certObj = X509Chain()
retVal = certObj.loadChainFromString(kwargs["proxyString"])
if not retVal["OK"]:
gLogger.error("Can't load proxy string")
return S_ERROR("Can't load proxy string")
else:
if useCerts:
certObj = X509Certificate()
certObj.loadFromFile(certFile)
else:
certObj = X509Chain()
certObj.loadChainFromFile(certFile)
retVal = certObj.hasExpired()
if not retVal["OK"]:
gLogger.error("Can't verify proxy or certificate file", "%s:%s" % (certFile, retVal["Message"]))
return S_ERROR("Can't verify file %s:%s" % (certFile, retVal["Message"]))
else:
if retVal["Value"]:
notAfter = certObj.getNotAfterDate()
if notAfter["OK"]:
notAfter = notAfter["Value"]
else:
notAfter = "unknown"
gLogger.error("PEM file has expired", "%s is not valid after %s" % (certFile, notAfter))
return S_ERROR("PEM file %s has expired, not valid after %s" % (certFile, notAfter))
idDict = {}
retVal = certObj.getDIRACGroup(ignoreDefault=True)
if retVal["OK"] and retVal["Value"] is not False:
idDict["group"] = retVal["Value"]
if useCerts:
idDict["DN"] = certObj.getSubjectDN()["Value"]
else:
idDict["DN"] = certObj.getIssuerCert()["Value"].getSubjectDN()["Value"]
return S_OK(idDict)
