Esempio n. 1
    def setUp(self):
        """Create the AuthManager under test and the credential fixtures.

        Each fixture is a credentials dict as handed to the authorization
        check. The attribute names state which case a fixture is meant to
        cover (no DN, known user, wrong group, suspended user, known host,
        unknown host); the outcome actually expected for each one is decided
        by testSystemsCFG / testRegistryCFG, which are defined outside this
        method.
        """
        self.authMgr = AuthManager('/Systems/Service/Authorization')

        # One CFG object is reused: it is filled from a buffer and pushed
        # into gConfig, first for the Systems section, then for the Registry.
        testCFG = CFG()
        for cfgBuffer in (testSystemsCFG, testRegistryCFG):
            testCFG.loadFromBuffer(cfgBuffer)
            gConfig.loadCFG(testCFG)

        # Credentials that carry a group but no DN at all.
        self.noAuthCredDict = {'group': 'group_test'}

        # User identities: userA in group_test, userB in group_bad.
        self.userCredDict = {'DN': '/User/test/DN/CN=userA', 'group': 'group_test'}
        self.badUserCredDict = {'DN': '/User/test/DN/CN=userB', 'group': 'group_bad'}

        # The same DN (userS) presented with two different groups, so that a
        # per-group / per-VO suspension can be told apart.
        self.suspendedUserCredDict = {'DN': '/User/test/DN/CN=userS', 'group': 'group_test'}
        self.suspendedOtherVOUserCredDict = {'DN': '/User/test/DN/CN=userS', 'group': 'group_test_other'}

        # Host identities: both claim the 'hosts' group, only the DN differs.
        self.hostCredDict = {'DN': '/User/test/DN/CN=test.hostA.ch', 'group': 'hosts'}
        self.badHostCredDict = {'DN': '/User/test/DN/CN=test.hostB.ch', 'group': 'hosts'}
Esempio n. 2
    def setUp(self):
        """Create the AuthManager under test and the credential fixtures.

        Every fixture is a credentials dict with a "group" and, except for
        noAuthCredDict, a "DN". The attribute names say which authorization
        case a fixture stands for; whether a given DN/group pair is accepted
        is determined by testSystemsCFG / testRegistryCFG, defined elsewhere
        in the test module.
        """
        self.authMgr = AuthManager("/Systems/Service/Authorization")

        # Load the Systems section, then the Registry, through one CFG object.
        fixtureCFG = CFG()
        for rawCFG in (testSystemsCFG, testRegistryCFG):
            fixtureCFG.loadFromBuffer(rawCFG)
            gConfig.loadCFG(fixtureCFG)

        # Group only, no DN.
        self.noAuthCredDict = {"group": "group_test"}

        # Users.
        self.userCredDict = {"DN": "/User/test/DN/CN=userA", "group": "group_test"}
        self.badUserCredDict = {"DN": "/User/test/DN/CN=userB", "group": "group_bad"}

        # userS appears twice, once per group, so that the test can separate
        # "suspended in this group" from "suspended in another one".
        self.suspendedUserCredDict = {"DN": "/User/test/DN/CN=userS", "group": "group_test"}
        self.suspendedOtherVOUserCredDict = {"DN": "/User/test/DN/CN=userS", "group": "group_test_other"}

        # Hosts: same group, different DN.
        self.hostCredDict = {"DN": "/User/test/DN/CN=test.hostA.ch", "group": "hosts"}
        self.badHostCredDict = {"DN": "/User/test/DN/CN=test.hostB.ch", "group": "hosts"}
Esempio n. 3
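  def setUp(self):
    """Load the test CA configuration, obtain the DIRAC_TEST_CA proxy provider
    and build the user dictionaries the tests pass to it.

    The test fails here, with the provider's own message, when the provider
    cannot be created.
    """
    cfg = CFG()
    cfg.loadFromBuffer(diracTestCACFG)
    gConfig.loadCFG(cfg)
    cfg.loadFromBuffer(userCFG)
    gConfig.loadCFG(cfg)

    result = ProxyProviderFactory().getProxyProvider('DIRAC_TEST_CA')
    # '%' binds tighter than 'or': without the parentheses the fallback text
    # was unreachable and a missing 'Message' was reported as "\nNone".
    failureMessage = '\n%s' % (result.get('Message') or 'Error message is absent.')
    self.assertTrue(result['OK'], failureMessage)
    self.pp = result['Value']

    # NOTE(review): the e-mail values below (and the tail of the DN) look
    # masked in this listing; they are kept exactly as shown.
    # Name and e-mail only, no DN and no group.
    self.userDictClean = {
        "FullName": "DIRAC test user",
        "EMail": "*****@*****.**"
    }
    # Identified by DN instead of by full name.
    self.userDictCleanDN = {
        "DN": "/C=FR/O=DIRAC/OU=DIRAC Consortium/CN=DIRAC test user/[email protected]",
        "EMail": "*****@*****.**"
    }
    # Same user, asking for the group dirac_user.
    self.userDictGroup = {
        "FullName": "DIRAC test user",
        "EMail": "*****@*****.**",
        "DiracGroup": "dirac_user"
    }
    # Same user, asking for the group dirac_no_user.
    self.userDictNoGroup = {
        "FullName": "DIRAC test user",
        "EMail": "*****@*****.**",
        "DiracGroup": "dirac_no_user"
    }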
Esempio n. 4
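    def setUp(self):
        """Load the test CA configuration and obtain the DIRAC_TEST_CA proxy provider.

        The test fails here, with the provider's own message, when the
        provider cannot be created.
        """
        cfg = CFG()
        cfg.loadFromBuffer(diracTestCACFG)
        gConfig.loadCFG(cfg)
        cfg.loadFromBuffer(userCFG)
        gConfig.loadCFG(cfg)

        result = ProxyProviderFactory().getProxyProvider('DIRAC_TEST_CA')
        # '%' binds tighter than 'or': without the parentheses the fallback
        # text was unreachable and a missing 'Message' showed up as "\nNone".
        failureMessage = '\n%s' % (result.get('Message')
                                   or 'Error message is absent.')
        self.assertTrue(result['OK'], failureMessage)
        self.pp = result['Value']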
Esempio n. 5
  def setUp(self):
    """Create the AuthManager under test and the credential fixtures.

    The fixtures are credentials dicts; their names state the case each one
    stands for (no DN, known user, user in a wrong group, known host, unknown
    host). Which of them is authorized is decided by testSystemsCFG and
    testRegistryCFG, defined outside this method.
    """
    self.authMgr = AuthManager('/Systems/Service/Authorization')

    # Systems section first, Registry second, both through the same CFG object.
    testCFG = CFG()
    for cfgBuffer in (testSystemsCFG, testRegistryCFG):
      testCFG.loadFromBuffer(cfgBuffer)
      gConfig.loadCFG(testCFG)

    # A group without any DN.
    self.noAuthCredDict = {'group': 'group_test'}

    # Users: userA in group_test, userB in group_bad.
    self.userCredDict = {'DN': '/User/test/DN/CN=userA', 'group': 'group_test'}
    self.badUserCredDict = {'DN': '/User/test/DN/CN=userB', 'group': 'group_bad'}

    # Hosts: both present the 'hosts' group, only the DN differs.
    self.hostCredDict = {'DN': '/User/test/DN/CN=test.hostA.ch', 'group': 'hosts'}
    self.badHostCredDict = {'DN': '/User/test/DN/CN=test.hostB.ch', 'group': 'hosts'}
Esempio n. 6
      current = expl.pop( 0 )
      if not modCFG.isSection( current ):
        continue
      if modCFG.getOption( "%s/AbsoluteDefinition" % current, False ):
        gLogger.verbose( "%s:%s is an absolute definition" % ( modName, current ) )
        try:
          webCFG.deleteKey( current )
        except:
          pass
        modCFG.deleteKey( "%s/AbsoluteDefinition" % current )
      else:
        for sec in modCFG[ current ].listSections():
          expl.append( "%s/%s" % ( current, sec ) )
    #Add the modCFG
    webCFG = webCFG.mergeWith( modCFG )
  gConfig.loadCFG( webCFG )

def getRawSchema():
  """
  Load the schema from the CS
  """
  base = "%s/Schema" % ( BASECS )
  schema = []
  explore = [ ( "", schema ) ]
  while len( explore ):
    parentName, parentData = explore.pop( 0 )
    fullName = "%s/%s" % ( base, parentName )
    result = gConfig.getSections( fullName )
    if not result[ 'OK' ]:
      continue
    sectionsList = result[ 'Value' ]
Esempio n. 7
def initDIRAC( rootPath, enableDebug = False ):
    """
    Initialise DIRAC for the web portal and return the portal configuration.

    The function extends sys.path with the directory two levels above
    rootPath, initialises the DIRAC script machinery, logger and monitoring,
    merges the web.cfg files of the base installation and of every CS
    extension into gConfig, and collects the controllers / templates / public
    directories of the extensions.

    :param rootPath: path of the web application root
    :param enableDebug: when true, <rootPath>/debug.cfg is loaded if it exists
    :return: dict with the keys 'webConfig', 'portalVersion', 'controllers',
             'templates' and 'public'
    """
    # CONFIGURATION OPTIONS HERE (note: all config options will override
    # any Pylons config options)
    configDict = { 'webConfig' : {} }
    configDict[ 'webConfig' ]['dirac.webroot'] = rootPath
    # The DIRAC root is the grandparent directory of rootPath, symlinks resolved.
    diracRootPath = os.path.realpath( os.path.dirname( os.path.dirname( rootPath ) ) )
    configDict[ 'webConfig' ]['dirac.root'] = diracRootPath
    # The DIRAC imports below may be resolved from this directory. It is
    # appended, so it is only consulted for modules that no earlier sys.path
    # entry provides; the directory is derived from rootPath and should be
    # writable only by the account that owns the installation.
    if diracRootPath not in sys.path:
      sys.path.append( diracRootPath )
    from DIRAC.FrameworkSystem.Client.Logger import gLogger
    gLogger.registerBackends( [ 'stderr' ] )
    from DIRAC.Core.Base import Script
    Script.registerSwitch( "r", "reload", "Reload for pylons" )
    # Default entries only. NOTE(review): UseServerCertificate presumably makes
    # the portal authenticate with the host certificate; confirm against the
    # DIRAC security documentation.
    Script.localCfg.addDefaultEntry( "/DIRAC/Security/UseServerCertificate", "yes" )
    Script.localCfg.addDefaultEntry( "LogColor", True )
    # NOTE(review): ignoreErrors = True presumably lets start-up continue after
    # an initialisation error; confirm what is skipped in that case.
    Script.initialize( script = "Website", ignoreErrors = True, initializeMonitor = False )
    # Writes a private attribute of the logger directly.
    gLogger._systemName = "Framework"
    gLogger.initialize( "Web", "/Website" )
    gLogger.setLevel( "VERBOSE" )

    from DIRAC import gMonitor, gConfig, rootPath as droot
    from DIRAC.Core.Utilities import CFG
    from DIRAC.ConfigurationSystem.Client.Helpers import getCSExtensions
    gMonitor.setComponentType( gMonitor.COMPONENT_WEB )
    gMonitor.initialize()
    gMonitor.registerActivity( "pagesServed", "Pages served", "Framework", "pages", gMonitor.OP_SUM )

    gLogger.info( "DIRAC Initialized" )

    configDict['portalVersion'] = portalVersion( rootPath )
    gLogger.info( "DIRAC portal version: %s" % configDict['portalVersion'] )

    # Extension package names are the CS extension names with 'DIRAC' appended.
    extModules = [ '%sDIRAC' % module for module in getCSExtensions() ]
    #Load web.cfg of modules
    # Candidate files, in load order: the base etc/web.cfg, then for every
    # extension its Web/web.cfg and <entry>/Web/web.cfg for every entry of the
    # extension directory.
    cfgFilePaths = [ os.path.join( droot, "etc", "web.cfg" ) ]
    for extModule in extModules:
      gLogger.info( "Adding web.cfg for %s extension" % extModule )
      extModulePath = os.path.join( diracRootPath, extModule )
      webCFGPath = os.path.join( extModulePath, "Web", "web.cfg" )
      cfgFilePaths.append( webCFGPath )
      # os.listdir raises OSError when the extension directory does not exist;
      # plain files are listed too and are filtered out by the isfile test below.
      for systemDir in os.listdir( extModulePath ):
        webCFGSystemPath = os.path.join( extModulePath, systemDir, "Web", "web.cfg" )
        cfgFilePaths.append( webCFGSystemPath )
    webCFG = CFG.CFG()
    for webCFGPath in cfgFilePaths:
      if not os.path.isfile( webCFGPath ):
        gLogger.warn( "%s does not exist" % webCFGPath )
      else:
        gLogger.info( "Loading %s" % webCFGPath )
        modCFG = CFG.CFG().loadFromFile( webCFGPath )
        # A file that sets Website/AbsoluteDefinition replaces everything
        # loaded so far instead of being merged into it; files that come
        # later in cfgFilePaths are still merged on top. Any extension's
        # web.cfg can therefore discard the base portal configuration.
        if modCFG.getOption( 'Website/AbsoluteDefinition', False ):
          gLogger.info( "CFG %s is absolute" % webCFGPath )
          webCFG = modCFG
        else:
          webCFG = webCFG.mergeWith( modCFG )
    gConfig.loadCFG( webCFG )
    gLogger.showHeaders( True )
    # Clears the logger's name-mangled private flag before initialize() is
    # called a second time. NOTE(review): presumably so that the logger picks
    # up the configuration just loaded; confirm in the Logger class.
    gLogger._gLogger__initialized = False
    gLogger.initialize( "Web", "/Website" )

    #Define the controllers, templates and public directories
    # 'type' shadows the builtin of the same name for the rest of the function.
    for type in ( 'controllers', 'templates', 'public' ):
      configDict[ type ] = []
      for extModule in extModules:
        extModulePath = os.path.join( diracRootPath, extModule )
        typePath = os.path.join( extModulePath, "Web", type )
        if os.path.isdir( typePath ):
          gLogger.info( "Adding %s path for module %s" % ( type, extModule ) )
          configDict[ type ].append( typePath )
        for systemDir in os.listdir( extModulePath ):
          systemTypePath = os.path.join( extModulePath, systemDir, "Web", type )
          if os.path.isdir( systemTypePath ):
            gLogger.info( "Adding %s path for system %s in module %s" % ( type, systemDir, extModule ) )
            configDict[ type ].append( systemTypePath )
      #End of extensions
      # The portal's own directory is appended last, after the extension ones.
      configDict[ type ].append( os.path.join( rootPath, type ) )

    #Load debug.cfg?
    # debug.cfg lives inside the web root and is loaded after all web.cfg
    # files. NOTE(review): it presumably overrides what was loaded before;
    # keep enableDebug off outside development.
    if enableDebug:
      debugCFGPath = os.path.join( rootPath, "debug.cfg" )
      if os.path.isfile( debugCFGPath ):
        gLogger.info( "Loading debug cfg file at %s" % debugCFGPath )
        gConfig.loadFile( debugCFGPath )

    gLogger.info( "Extension modules loaded" )

    return configDict
Esempio n. 8
  IdProviders
  {
    SomeIdP
    {
      ProviderType = OAuth2
      issuer = https://idp.url/
      client_id = IdP_client_id
      client_secret = IdP_client_secret
      redirect_uri = https://dirac/redirect
      jwks_uri = https://idp.url/jwk
      scope = openid+profile+offline_access+eduperson_entitlement
    }
  }
}
""")
gConfig.loadCFG(cfg)

from authlib.jose import jwt
from DIRAC.Resources.IdProvider.IdProviderFactory import IdProviderFactory
from DIRAC.FrameworkSystem.private.authorization.utils.Clients import DEFAULT_CLIENTS

idps = IdProviderFactory()


def test_getDIRACClients():
    """Try to load default DIRAC authorization client"""
    # Try to get DIRAC client authorization settings
    result = idps.getIdProvider("DIRACCLI")
    assert result["OK"], result["Message"]
    assert result["Value"].issuer == "https://issuer.url/"
    assert result["Value"].client_id == DEFAULT_CLIENTS["DIRACCLI"][
Esempio n. 9
def initDIRAC(rootPath, enableDebug=False):
    """
    Initialise DIRAC for the web portal and return the portal configuration.

    The function extends sys.path with the directory two levels above
    rootPath, initialises the DIRAC script machinery, logger and monitoring,
    merges the web.cfg files of the base installation and of every CS
    extension into gConfig, and collects the controllers / templates / public
    directories of the extensions.

    :param rootPath: path of the web application root
    :param enableDebug: when true, <rootPath>/debug.cfg is loaded if it exists
    :return: dict with the keys 'webConfig', 'portalVersion', 'controllers',
             'templates' and 'public'
    """
    # CONFIGURATION OPTIONS HERE (note: all config options will override
    # any Pylons config options)
    configDict = {'webConfig': {}}
    configDict['webConfig']['dirac.webroot'] = rootPath
    # The DIRAC root is the grandparent directory of rootPath, symlinks resolved.
    diracRootPath = os.path.realpath(os.path.dirname(
        os.path.dirname(rootPath)))
    configDict['webConfig']['dirac.root'] = diracRootPath
    # The DIRAC imports below may be resolved from this directory. It is
    # appended, so it is only consulted for modules that no earlier sys.path
    # entry provides; the directory is derived from rootPath and should be
    # writable only by the account that owns the installation.
    if diracRootPath not in sys.path:
        sys.path.append(diracRootPath)
    from DIRAC.FrameworkSystem.Client.Logger import gLogger
    gLogger.registerBackends(['stderr'])
    from DIRAC.Core.Base import Script
    Script.registerSwitch("r", "reload", "Reload for pylons")
    # Default entries only. NOTE(review): UseServerCertificate presumably makes
    # the portal authenticate with the host certificate; confirm against the
    # DIRAC security documentation.
    Script.localCfg.addDefaultEntry("/DIRAC/Security/UseServerCertificate",
                                    "yes")
    Script.localCfg.addDefaultEntry("LogColor", True)
    # NOTE(review): ignoreErrors=True presumably lets start-up continue after
    # an initialisation error; confirm what is skipped in that case.
    Script.initialize(script="Website",
                      ignoreErrors=True,
                      initializeMonitor=False)
    # Writes a private attribute of the logger directly.
    gLogger._systemName = "Framework"
    gLogger.initialize("Web", "/Website")
    gLogger.setLevel("VERBOSE")

    from DIRAC import gMonitor, gConfig, rootPath as droot
    from DIRAC.Core.Utilities import CFG
    from DIRAC.ConfigurationSystem.Client.Helpers import getCSExtensions
    gMonitor.setComponentType(gMonitor.COMPONENT_WEB)
    gMonitor.initialize()
    gMonitor.registerActivity("pagesServed", "Pages served", "Framework",
                              "pages", gMonitor.OP_SUM)

    gLogger.info("DIRAC Initialized")

    configDict['portalVersion'] = portalVersion(rootPath)
    gLogger.info("DIRAC portal version: %s" % configDict['portalVersion'])

    # Extension package names are the CS extension names with 'DIRAC' appended.
    extModules = ['%sDIRAC' % module for module in getCSExtensions()]
    #Load web.cfg of modules
    # Candidate files, in load order: the base etc/web.cfg, then for every
    # extension its Web/web.cfg and <entry>/Web/web.cfg for every entry of the
    # extension directory.
    cfgFilePaths = [os.path.join(droot, "etc", "web.cfg")]
    for extModule in extModules:
        gLogger.info("Adding web.cfg for %s extension" % extModule)
        extModulePath = os.path.join(diracRootPath, extModule)
        webCFGPath = os.path.join(extModulePath, "Web", "web.cfg")
        cfgFilePaths.append(webCFGPath)
        # os.listdir raises OSError when the extension directory does not
        # exist; plain files are listed too and are filtered out by the
        # isfile test below.
        for systemDir in os.listdir(extModulePath):
            webCFGSystemPath = os.path.join(extModulePath, systemDir, "Web",
                                            "web.cfg")
            cfgFilePaths.append(webCFGSystemPath)
    webCFG = CFG.CFG()
    for webCFGPath in cfgFilePaths:
        if not os.path.isfile(webCFGPath):
            gLogger.warn("%s does not exist" % webCFGPath)
        else:
            gLogger.info("Loading %s" % webCFGPath)
            modCFG = CFG.CFG().loadFromFile(webCFGPath)
            # A file that sets Website/AbsoluteDefinition replaces everything
            # loaded so far instead of being merged into it; files that come
            # later in cfgFilePaths are still merged on top. Any extension's
            # web.cfg can therefore discard the base portal configuration.
            if modCFG.getOption('Website/AbsoluteDefinition', False):
                gLogger.info("CFG %s is absolute" % webCFGPath)
                webCFG = modCFG
            else:
                webCFG = webCFG.mergeWith(modCFG)
    gConfig.loadCFG(webCFG)
    gLogger.showHeaders(True)
    # Clears the logger's name-mangled private flag before initialize() is
    # called a second time. NOTE(review): presumably so that the logger picks
    # up the configuration just loaded; confirm in the Logger class.
    gLogger._gLogger__initialized = False
    gLogger.initialize("Web", "/Website")

    #Define the controllers, templates and public directories
    # 'type' shadows the builtin of the same name for the rest of the function.
    for type in ('controllers', 'templates', 'public'):
        configDict[type] = []
        for extModule in extModules:
            extModulePath = os.path.join(diracRootPath, extModule)
            typePath = os.path.join(extModulePath, "Web", type)
            if os.path.isdir(typePath):
                gLogger.info("Adding %s path for module %s" %
                             (type, extModule))
                configDict[type].append(typePath)
            for systemDir in os.listdir(extModulePath):
                systemTypePath = os.path.join(extModulePath, systemDir, "Web",
                                              type)
                if os.path.isdir(systemTypePath):
                    gLogger.info("Adding %s path for system %s in module %s" %
                                 (type, systemDir, extModule))
                    configDict[type].append(systemTypePath)
        #End of extensions
        # The portal's own directory is appended last, after the extension ones.
        configDict[type].append(os.path.join(rootPath, type))

    #Load debug.cfg?
    # debug.cfg lives inside the web root and is loaded after all web.cfg
    # files. NOTE(review): it presumably overrides what was loaded before;
    # keep enableDebug off outside development.
    if enableDebug:
        debugCFGPath = os.path.join(rootPath, "debug.cfg")
        if os.path.isfile(debugCFGPath):
            gLogger.info("Loading debug cfg file at %s" % debugCFGPath)
            gConfig.loadFile(debugCFGPath)

    gLogger.info("Extension modules loaded")

    return configDict
Esempio n. 10
            if not modCFG.isSection(current):
                continue
            if modCFG.getOption("%s/AbsoluteDefinition" % current, False):
                gLogger.verbose("%s:%s is an absolute definition" %
                                (modName, current))
                try:
                    webCFG.deleteKey(current)
                except:
                    pass
                modCFG.deleteKey("%s/AbsoluteDefinition" % current)
            else:
                for sec in modCFG[current].listSections():
                    expl.append("%s/%s" % (current, sec))
        #Add the modCFG
        webCFG = webCFG.mergeWith(modCFG)
    gConfig.loadCFG(webCFG)


def getRawSchema():
    """
  Load the schema from the CS
  """
    base = "%s/Schema" % (BASECS)
    schema = []
    explore = [("", schema)]
    while len(explore):
        parentName, parentData = explore.pop(0)
        fullName = "%s/%s" % (base, parentName)
        result = gConfig.getSections(fullName)
        if not result['OK']:
            continue
Esempio n. 11
    def setUpClass(cls):
        """Prepare the test CA and issue client certificates for the test users.

        Loads the test configuration into gConfig, rewrites the ``dir`` entry
        of the CA's OpenSSL configuration file in place (a copy of the file is
        saved next to it first), empties the CA's new-certificates directory
        and index, resets the serial, and then creates a key, a signing
        request and a CA-signed certificate for each test user in a fresh
        temporary directory below ``certsPath``.

        Problems found while reading the CA configuration are recorded as a
        message in ``cls.failed``; a failing openssl command logs its output
        and calls exit().

        NOTE(review): the method takes ``cls``; presumably it is decorated
        with @classmethod just above this listing.
        """
        cls.failed = False

        # Add configuration
        cfg = CFG()
        cfg.loadFromBuffer(diracTestCACFG)
        gConfig.loadCFG(cfg)
        cfg.loadFromBuffer(userCFG)
        gConfig.loadCFG(cfg)

        # Prepare CA
        lines = []
        cfgDict = {}
        cls.caPath = os.path.join(certsPath, "ca")
        cls.caConfigFile = os.path.join(cls.caPath, "openssl_config_ca.cnf")
        # Save original configuration file
        # The suffix is appended without a dot: the copy is
        # "openssl_config_ca.cnfbak". Nothing in this method restores it.
        shutil.copyfile(cls.caConfigFile, cls.caConfigFile + "bak")
        # Parse
        # Settings that must be present in the CA configuration file.
        fields = [
            "dir", "database", "serial", "new_certs_dir", "private_key",
            "certificate"
        ]
        with open(cls.caConfigFile, "r") as caCFG:
            for line in caCFG:
                # Only lines that still contain '=' once the comment is removed.
                if re.findall("=", re.sub(r"#.*", "", line)):
                    # Setting name: text left of the first '=', spaces removed.
                    field = re.sub(r"#.*", "",
                                   line).replace(" ",
                                                 "").rstrip().split("=")[0]
                    # The 'dir' line is replaced so that it points at the
                    # test CA directory; every other line is kept as read.
                    line = "dir = %s #PUT THE RIGHT DIR HERE!\n" % (
                        cls.caPath) if field == "dir" else line
                    # Value: text between the first and the second '=', so a
                    # value that itself contains '=' is cut short.
                    val = re.sub(r"#.*", "",
                                 line).replace(" ", "").rstrip().split("=")[1]
                    if field in fields:
                        # Expand $name references to settings already read.
                        for i in fields:
                            if cfgDict.get(i):
                                val = val.replace("$%s" % i, cfgDict[i])
                        cfgDict[field] = val
                        if not cfgDict[field]:
                            cls.failed = "%s have empty value in %s" % (
                                field, cls.caConfigFile)
                lines.append(line)
        # The CA configuration file is overwritten in place.
        with open(cls.caConfigFile, "w") as caCFG:
            caCFG.writelines(lines)
        for field in fields:
            if field not in cfgDict.keys():
                cls.failed = "%s value is absent in %s" % (field,
                                                           cls.caConfigFile)
        cls.hostCert = os.path.join(certsPath, "host/hostcert.pem")
        cls.hostKey = os.path.join(certsPath, "host/hostkey.pem")
        # A setting recorded as absent above raises KeyError on these lookups.
        cls.caCert = cfgDict["certificate"]
        cls.caKey = cfgDict["private_key"]
        # Owner read-only: no write bit, and no access for group or others.
        os.chmod(cls.caKey, stat.S_IREAD)
        # Check directory for new certificates
        cls.newCertDir = cfgDict["new_certs_dir"]
        if not os.path.exists(cls.newCertDir):
            os.makedirs(cls.newCertDir)
        # Every entry is deleted; os.remove fails on a sub-directory.
        for f in os.listdir(cls.newCertDir):
            os.remove(os.path.join(cls.newCertDir, f))
        # Empty the certificate database
        cls.index = cfgDict["database"]
        with open(cls.index, "w") as indx:
            indx.write("")
        # Write down serial
        cls.serial = cfgDict["serial"]
        with open(cls.serial, "w") as serialFile:
            serialFile.write("1000")

        # Create temporary directory for users certificates
        # mkdtemp creates the directory accessible to the creating user only.
        cls.userDir = tempfile.mkdtemp(dir=certsPath)

        # Create user certificates
        # Every openssl call below goes through commands.getstatusoutput,
        # which hands one command string to a shell. The paths are
        # interpolated unquoted: they come from certsPath, mkdtemp and the
        # fixed user names here, but a path with spaces or shell
        # metacharacters would change the command that is run.
        for userName in ["no_user", "user", "user_1", "user_2", "user_3"]:
            # Request configuration; the only substituted value is the CN.
            userConf = """[ req ]
        default_bits           = 4096
        encrypt_key            = yes
        distinguished_name     = req_dn
        prompt                 = no
        req_extensions         = v3_req
        [ req_dn ]
        C                      = CC
        O                      = DN
        0.O                    = DIRAC
        CN                     = %s
        [ v3_req ]
        # Extensions for client certificates (`man x509v3_config`).
        nsComment = "OpenSSL Generated Client Certificate"
        keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
        extendedKeyUsage = clientAuth
        """ % (userName)
            userConfFile = os.path.join(cls.userDir, userName + ".cnf")
            userReqFile = os.path.join(cls.userDir, userName + ".req")
            userKeyFile = os.path.join(cls.userDir, userName + ".key.pem")
            userCertFile = os.path.join(cls.userDir, userName + ".cert.pem")
            with open(userConfFile, "w") as f:
                f.write(userConf)
            # No key size and no cipher option are passed to genrsa.
            # NOTE(review): the key size is then the OpenSSL build's default,
            # not the default_bits above (that setting is read by `openssl
            # req` when it generates a key itself), and the key file is
            # written without a passphrase; confirm this is intended.
            status, output = commands.getstatusoutput(
                "openssl genrsa -out %s" % userKeyFile)
            if status:
                gLogger.error(output)
                # exit() raises SystemExit from inside the test set-up.
                exit()
            gLogger.debug(output)
            # Owner read-only, same as the CA key.
            os.chmod(userKeyFile, stat.S_IREAD)
            status, output = commands.getstatusoutput(
                "openssl req -config %s -key %s -new -out %s" %
                (userConfFile, userKeyFile, userReqFile))
            if status:
                gLogger.error(output)
                exit()
            gLogger.debug(output)
            # Sign the request with the test CA: the usr_cert extensions
            # section of the CA configuration, no prompts, valid for 375 days.
            cmd = "openssl ca -config %s -extensions usr_cert -batch -days 375 -in %s -out %s"
            cmd = cmd % (cls.caConfigFile, userReqFile, userCertFile)
            status, output = commands.getstatusoutput(cmd)
            if status:
                gLogger.error(output)
                exit()
            gLogger.debug(output)

        # Result
        status, output = commands.getstatusoutput("ls -al %s" % cls.userDir)
        if status:
            gLogger.error(output)
            exit()
        # output is passed as a second positional argument, not formatted
        # into the message; how gLogger.debug treats it is not visible here.
        gLogger.debug("User certificates:\n", output)
Esempio n. 12
class App(object):
    def __init__(self):
        """Create the handler manager for the configured root URL, an empty
        server table and the "Web" sub-logger."""
        rootURL = Conf.rootURL()
        self.__handlerMgr = HandlerMgr(rootURL)
        self.__servers = dict()
        self.log = gLogger.getSubLogger("Web")

    def _logRequest(self, handler):
        """Log one finished request at a level chosen from its HTTP status.

        Status below 400 is logged as notice, 4xx as warning, anything else
        as error. The line holds the status, the handler's request summary
        and the request time in milliseconds.

        NOTE(review): handler is presumably a tornado RequestHandler, whose
        request summary contains the requested URI. Whatever a client puts in
        the URI, query string included, therefore ends up in the log.
        """
        status = handler.get_status()
        if status >= 500:
            emit = self.log.error
        elif status >= 400:
            emit = self.log.warn
        else:
            emit = self.log.notice
        elapsedMs = 1000.0 * handler.request.request_time()
        summary = handler._request_summary()
        emit("%d %s %.2fms" % (status, summary, elapsedMs))

    def __reloadAppCB(self):
        """Announce in the log that the web application is being reloaded."""
        banner = "\n !!!!!! Reloading web app...\n"
        gLogger.notice(banner)

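    def _loadWebAppCFGFiles(self):
        """
        Load WebApp/web.cfg definitions

        The web.cfg of WebAppDIRAC is read first, then the one of DIRAC, then
        those of the CS extensions in reverse CS order; each one is merged on
        top of what was loaded before and the result is pushed into gConfig.
        A section that sets AbsoluteDefinition first removes the section of
        the same path accumulated so far.

        Every web.cfg is taken from wherever the package is found on the
        import path, so whoever can place a package there also controls this
        configuration.
        """
        exts = []
        for ext in CSGlobals.getCSExtensions():
            if ext == "DIRAC":
                continue
            if not ext.endswith("DIRAC"):
                ext = "%sDIRAC" % ext
            if ext != "WebAppDIRAC":
                exts.append(ext)
        # DIRAC and WebAppDIRAC always come last in the list, i.e. they are
        # loaded first by the reversed() loop below.
        exts.extend(["DIRAC", "WebAppDIRAC"])
        webCFG = CFG()
        for modName in reversed(exts):
            try:
                modPath = imp.find_module(modName)[1]
            except ImportError:
                # Extension not installed: nothing to load for it.
                continue
            gLogger.verbose("Found module %s at %s" % (modName, modPath))
            cfgPath = os.path.join(modPath, "WebApp", "web.cfg")
            if not os.path.isfile(cfgPath):
                gLogger.verbose("Inexistant %s" % cfgPath)
                continue
            try:
                modCFG = CFG().loadFromFile(cfgPath)
            except Exception as excp:
                # A broken web.cfg is reported and skipped, not fatal.
                gLogger.error("Could not load %s: %s" % (cfgPath, excp))
                continue
            gLogger.verbose("Loaded %s" % cfgPath)
            # Breadth-first walk over the sections below Conf.BASECS.
            expl = [Conf.BASECS]
            while expl:
                current = expl.pop(0)
                if not modCFG.isSection(current):
                    continue
                if modCFG.getOption("%s/AbsoluteDefinition" % current, False):
                    gLogger.verbose("%s:%s is an absolute definition" %
                                    (modName, current))
                    try:
                        webCFG.deleteKey(current)
                    except Exception:
                        # Best effort: the section may not have been loaded
                        # yet. Narrowed from a bare except so that
                        # KeyboardInterrupt and SystemExit still propagate.
                        pass
                    # The marker itself must not reach the merged result.
                    modCFG.deleteKey("%s/AbsoluteDefinition" % current)
                else:
                    for sec in modCFG[current].listSections():
                        expl.append("%s/%s" % (current, sec))
            # Add the modCFG
            webCFG = webCFG.mergeWith(modCFG)
        gConfig.loadCFG(webCFG)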
Esempio n. 13
            isLoaded = False
        else:
            try:
                modCFG = CFG().loadFromFile(cfgPath)
            except Exception, excp:
                isLoaded = False
                gLogger.error("Could not load %s: %s" % (cfgPath, excp))

        if modCFG:
            if modCFG.isSection("/Website"):
                gLogger.warn(
                    "%s configuration file is not correct. It is used by the old portal!"
                    % (cfgPath))
                isLoaded = False
            else:
                gConfig.loadCFG(modCFG)
        else:
            isLoaded = False

        return isLoaded

    def stopChildProcesses(self, sig, frame):
        """
    It is used to properly stop tornado when more than one process is used.
    In principle this is doing the job of runsv....
    :param int sig: the signal sent to the process
    :param object frame: execution frame which contains the child processes
    """
        # tornado.ioloop.IOLoop.instance().add_timeout(time.time()+5, sys.exit)
        for child in frame.f_locals.get('children', []):
            gLogger.info("Stopping child processes: %d" % child)
Esempio n. 14
    isLoaded = True
    if not os.path.isfile( cfgPath ):
      isLoaded = False
    else:
      try:
        modCFG = CFG().loadFromFile( cfgPath )
      except Exception, excp:
        isLoaded = False
        gLogger.error( "Could not load %s: %s" % ( cfgPath, excp ) )

    if modCFG:
      if modCFG.isSection( "/Website" ):
        gLogger.warn( "%s configuration file is not correct. It is used by the old portal!" % ( cfgPath ) )
        isLoaded = False
      else:
        gConfig.loadCFG( modCFG )
    else:
      isLoaded = False

    return isLoaded
  
  def stopChildProcesses( self, sig, frame ):
    """
    It is used to properly stop tornado when more than one process is used.
    In principle this is doing the job of runsv....
    :param int sig: the signal sent to the process
    :param object frame: execution frame which contains the child processes
    """
    # tornado.ioloop.IOLoop.instance().add_timeout(time.time()+5, sys.exit)
    for child in frame.f_locals.get( 'children', [] ):
      gLogger.info( "Stopping child processes: %d" % child )
Esempio n. 15
    def setUpClass(cls):
        cls.failed = False

        # Add configuration
        cfg = CFG()
        cfg.loadFromBuffer(diracTestCACFG)
        gConfig.loadCFG(cfg)
        cfg.loadFromBuffer(userCFG)
        gConfig.loadCFG(cfg)

        # Prepare CA
        lines = []
        cfgDict = {}
        cls.caPath = os.path.join(certsPath, 'ca')
        cls.caConfigFile = os.path.join(cls.caPath, 'openssl_config_ca.cnf')
        # Save original configuration file
        shutil.copyfile(cls.caConfigFile, cls.caConfigFile + 'bak')
        # Parse
        fields = [
            'dir', 'database', 'serial', 'new_certs_dir', 'private_key',
            'certificate'
        ]
        with open(cls.caConfigFile, "r") as caCFG:
            for line in caCFG:
                if re.findall('=', re.sub(r'#.*', '', line)):
                    field = re.sub(r'#.*', '',
                                   line).replace(' ',
                                                 '').rstrip().split('=')[0]
                    line = 'dir = %s #PUT THE RIGHT DIR HERE!\n' % (
                        cls.caPath) if field == 'dir' else line
                    val = re.sub(r'#.*', '',
                                 line).replace(' ', '').rstrip().split('=')[1]
                    if field in fields:
                        for i in fields:
                            if cfgDict.get(i):
                                val = val.replace('$%s' % i, cfgDict[i])
                        cfgDict[field] = val
                        if not cfgDict[field]:
                            cls.failed = '%s have empty value in %s' % (
                                field, cls.caConfigFile)
                lines.append(line)
        with open(cls.caConfigFile, "w") as caCFG:
            caCFG.writelines(lines)
        for field in fields:
            if field not in cfgDict.keys():
                cls.failed = '%s value is absent in %s' % (field,
                                                           cls.caConfigFile)
        cls.hostCert = os.path.join(certsPath, 'host/hostcert.pem')
        cls.hostKey = os.path.join(certsPath, 'host/hostkey.pem')
        cls.caCert = cfgDict['certificate']
        cls.caKey = cfgDict['private_key']
        os.chmod(cls.caKey, stat.S_IREAD)
        # Check directory for new certificates
        cls.newCertDir = cfgDict['new_certs_dir']
        if not os.path.exists(cls.newCertDir):
            os.makedirs(cls.newCertDir)
        for f in os.listdir(cls.newCertDir):
            os.remove(os.path.join(cls.newCertDir, f))
        # Empty the certificate database
        cls.index = cfgDict['database']
        with open(cls.index, 'w') as indx:
            indx.write('')
        # Write down serial
        cls.serial = cfgDict['serial']
        with open(cls.serial, 'w') as serialFile:
            serialFile.write('1000')

        # Create temporaly directory for users certificates
        cls.userDir = tempfile.mkdtemp(dir=certsPath)

        # Create user certificates
        for userName in ['no_user', 'user_1', 'user_2', 'user_3']:
            userConf = """[ req ]
        default_bits           = 2048
        encrypt_key            = yes
        distinguished_name     = req_dn
        prompt                 = no
        req_extensions         = v3_req
        [ req_dn ]
        C                      = DN
        O                      = DIRAC
        CN                     = %s
        [ v3_req ]
        # Extensions for client certificates (`man x509v3_config`).
        nsComment = "OpenSSL Generated Client Certificate"
        keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
        extendedKeyUsage = clientAuth
        """ % (userName)
            userConfFile = os.path.join(cls.userDir, userName + '.cnf')
            userReqFile = os.path.join(cls.userDir, userName + '.req')
            userKeyFile = os.path.join(cls.userDir, userName + '.key.pem')
            userCertFile = os.path.join(cls.userDir, userName + '.cert.pem')
            with open(userConfFile, "w") as f:
                f.write(userConf)
            status, output = commands.getstatusoutput(
                'openssl genrsa -out %s 2048' % userKeyFile)
            if status:
                gLogger.error(output)
                exit()
            gLogger.debug(output)
            os.chmod(userKeyFile, stat.S_IREAD)
            status, output = commands.getstatusoutput(
                'openssl req -config %s -key %s -new -out %s' %
                (userConfFile, userKeyFile, userReqFile))
            if status:
                gLogger.error(output)
                exit()
            gLogger.debug(output)
            cmd = 'openssl ca -config %s -extensions usr_cert -batch -days 375 -in %s -out %s'
            cmd = cmd % (cls.caConfigFile, userReqFile, userCertFile)
            status, output = commands.getstatusoutput(cmd)
            if status:
                gLogger.error(output)
                exit()
            gLogger.debug(output)