def getCredentials( self ):
if not self.__loadedChain:
return S_ERROR( "No chain loaded" )
credDict = { 'subject' : self.__certList[0].get_subject().one_line(),
'issuer' : self.__certList[0].get_issuer().one_line(),
'secondsLeft' : self.getRemainingSecs()[ 'Value' ],
'isProxy' : self.__isProxy,
'isLimitedProxy' : self.__isProxy and self.__isLimitedProxy,
'validDN' : False,
'validGroup' : False }
if self.__isProxy:
retVal = self.getDIRACGroup()
if not retVal[ 'OK' ]:
return retVal
diracGroup = retVal[ 'Value' ]
if not diracGroup:
diracGroup = Registry.getDefaultUserGroup()
credDict[ 'group' ] = diracGroup
credDict[ 'identity'] = self.__certList[ self.__firstProxyStep + 1 ].get_subject().one_line()
retVal = Registry.getUsernameForDN( credDict[ 'identity' ] )
if retVal[ 'OK' ]:
credDict[ 'username' ] = retVal[ 'Value' ]
credDict[ 'validDN' ] = True
retVal = Registry.getGroupsForUser( credDict[ 'username' ] )
if retVal[ 'OK' ] and diracGroup in retVal[ 'Value']:
credDict[ 'validGroup' ] = True
credDict[ 'groupProperties' ] = Registry.getPropertiesForGroup( diracGroup )
else:
retVal = Registry.getHostnameForDN( credDict['subject'] )
retVal[ 'group' ] = 'hosts'
if retVal[ 'OK' ]:
credDict[ 'hostname' ] = retVal[ 'Value' ]
credDict[ 'validDN' ] = True
credDict[ 'validGroup' ] = True
return S_OK( credDict )
def completeDelegation(self, requestId, userDN, delegatedPem):
"""
Complete a delegation and store it in the db
"""
retVal = self.retrieveDelegationRequest(requestId, userDN)
if not retVal['OK']:
return retVal
request = retVal['Value']
chain = X509Chain(keyObj=request.getPKey())
retVal = chain.loadChainFromString(delegatedPem)
if not retVal['OK']:
return retVal
retVal = chain.isValidProxy(ignoreDefault=True)
noGroupFlag = False
if not retVal['OK']:
if retVal['Message'] == "Proxy does not have an explicit group":
noGroupFlag = True
else:
return retVal
result = chain.isVOMS()
if result['OK'] and result['Value']:
return S_ERROR(
"Proxies with VOMS extensions are not allowed to be uploaded")
retVal = request.checkChain(chain)
if not retVal['OK']:
return retVal
if not retVal['Value']:
return S_ERROR("Received chain does not match request: %s" %
retVal['Message'])
retVal = chain.getDIRACGroup()
if not retVal['OK']:
return retVal
userGroup = retVal['Value']
if not userGroup:
userGroup = Registry.getDefaultUserGroup()
retVal = Registry.getGroupsForDN(userDN)
if not retVal['OK']:
return retVal
if not userGroup in retVal['Value']:
return S_ERROR("%s group is not valid for %s" %
(userGroup, userDN))
# For proxies without embedded DIRAC group only one default is allowed
# Cleaning all the proxies for this DN if any before uploading the new one.
if noGroupFlag:
retVal = self.deleteProxy(userDN)
if not retVal['OK']:
return retVal
retVal = self.storeProxy(userDN, userGroup, chain)
if not retVal['OK']:
return retVal
retVal = self.deleteRequest(requestId)
if not retVal['OK']:
return retVal
return S_OK()
def completeDelegation( self, requestId, userDN, delegatedPem ):
"""
Complete a delegation and store it in the db
"""
retVal = self.retrieveDelegationRequest( requestId, userDN )
if not retVal[ 'OK' ]:
return retVal
request = retVal[ 'Value' ]
chain = X509Chain( keyObj = request.getPKey() )
retVal = chain.loadChainFromString( delegatedPem )
if not retVal[ 'OK' ]:
return retVal
retVal = chain.isValidProxy( ignoreDefault = True )
noGroupFlag = False
if not retVal[ 'OK' ]:
if DErrno.cmpError( retVal, DErrno.ENOGROUP ):
noGroupFlag = True
else:
return retVal
result = chain.isVOMS()
if result[ 'OK' ] and result[ 'Value' ]:
return S_ERROR( "Proxies with VOMS extensions are not allowed to be uploaded" )
retVal = request.checkChain( chain )
if not retVal[ 'OK' ]:
return retVal
if not retVal[ 'Value' ]:
return S_ERROR( "Received chain does not match request: %s" % retVal[ 'Message' ] )
retVal = chain.getDIRACGroup()
if not retVal[ 'OK' ]:
return retVal
userGroup = retVal[ 'Value' ]
if not userGroup:
userGroup = Registry.getDefaultUserGroup()
retVal = Registry.getGroupsForDN( userDN )
if not retVal[ 'OK' ]:
return retVal
if not userGroup in retVal[ 'Value' ]:
return S_ERROR( "%s group is not valid for %s" % ( userGroup, userDN ) )
# For proxies without embedded DIRAC group only one default is allowed
# Cleaning all the proxies for this DN if any before uploading the new one.
if noGroupFlag:
retVal = self.deleteProxy( userDN )
if not retVal[ 'OK' ]:
return retVal
retVal = self.storeProxy( userDN, userGroup, chain )
if not retVal[ 'OK' ]:
return retVal
retVal = self.deleteRequest( requestId )
if not retVal[ 'OK' ]:
return retVal
return S_OK()
def completeDelegation(self, requestId, userDN, delegatedPem):
"""
Complete a delegation and store it in the db
"""
retVal = self.retrieveDelegationRequest(requestId, userDN)
if not retVal['OK']:
return retVal
request = retVal['Value']
chain = X509Chain(keyObj=request.getPKey())
retVal = chain.loadChainFromString(delegatedPem)
if not retVal['OK']:
return retVal
retVal = chain.isValidProxy()
if not retVal['OK']:
return retVal
if not retVal['Value']:
return S_ERROR("Chain received is not a valid proxy: %s" %
retVal['Message'])
retVal = request.checkChain(chain)
if not retVal['OK']:
return retVal
if not retVal['Value']:
return S_ERROR("Received chain does not match request: %s" %
retVal['Message'])
retVal = chain.getDIRACGroup()
if not retVal['OK']:
return retVal
userGroup = retVal['Value']
if not userGroup:
userGroup = Registry.getDefaultUserGroup()
retVal = Registry.getGroupsForDN(userDN)
if not retVal['OK']:
return retVal
if not userGroup in retVal['Value']:
return S_ERROR("%s group is not valid for %s" %
(userGroup, userDN))
retVal = self.__checkVOMSisAlignedWithGroup(userGroup, chain)
if not retVal['OK']:
return retVal
retVal = self.storeProxy(userDN, userGroup, chain)
if not retVal['OK']:
return retVal
retVal = self.deleteRequest(requestId)
if not retVal['OK']:
return retVal
return S_OK()
def completeDelegation(self, requestId, userDN, delegatedPem):
"""
Complete a delegation and store it in the db
"""
retVal = self.retrieveDelegationRequest(requestId, userDN)
if not retVal['OK']:
return retVal
request = retVal['Value']
chain = X509Chain(keyObj=request.getPKey())
retVal = chain.loadChainFromString(delegatedPem)
if not retVal['OK']:
return retVal
retVal = chain.isValidProxy(ignoreDefault=True)
if not retVal['OK']:
return retVal
result = chain.isVOMS()
if result['OK'] and result['Value']:
return S_ERROR(
"Proxies with VOMS extensions are not allowed to be uploaded")
retVal = request.checkChain(chain)
if not retVal['OK']:
return retVal
if not retVal['Value']:
return S_ERROR("Received chain does not match request: %s" %
retVal['Message'])
retVal = chain.getDIRACGroup()
if not retVal['OK']:
return retVal
userGroup = retVal['Value']
if not userGroup:
userGroup = Registry.getDefaultUserGroup()
retVal = Registry.getGroupsForDN(userDN)
if not retVal['OK']:
return retVal
if not userGroup in retVal['Value']:
return S_ERROR("%s group is not valid for %s" %
(userGroup, userDN))
retVal = self.storeProxy(userDN, userGroup, chain)
if not retVal['OK']:
return retVal
retVal = self.deleteRequest(requestId)
if not retVal['OK']:
return retVal
return S_OK()
def completeDelegation( self, requestId, userDN, delegatedPem ):
"""
Complete a delegation and store it in the db
"""
retVal = self.retrieveDelegationRequest( requestId, userDN )
if not retVal[ 'OK' ]:
return retVal
request = retVal[ 'Value' ]
chain = X509Chain( keyObj = request.getPKey() )
retVal = chain.loadChainFromString( delegatedPem )
if not retVal[ 'OK' ]:
return retVal
retVal = chain.isValidProxy()
if not retVal[ 'OK' ]:
return retVal
if not retVal[ 'Value' ]:
return S_ERROR( "Chain received is not a valid proxy: %s" % retVal[ 'Message' ] )
retVal = request.checkChain( chain )
if not retVal[ 'OK' ]:
return retVal
if not retVal[ 'Value' ]:
return S_ERROR( "Received chain does not match request: %s" % retVal[ 'Message' ] )
retVal = chain.getDIRACGroup()
if not retVal[ 'OK' ]:
return retVal
userGroup = retVal[ 'Value' ]
if not userGroup:
userGroup = Registry.getDefaultUserGroup()
retVal = Registry.getGroupsForDN( userDN )
if not retVal[ 'OK' ]:
return retVal
if not userGroup in retVal[ 'Value' ]:
return S_ERROR( "%s group is not valid for %s" % ( userGroup, userDN ) )
retVal = self.__checkVOMSisAlignedWithGroup( userGroup, chain )
if not retVal[ 'OK' ]:
return retVal
retVal = self.storeProxy( userDN, userGroup, chain )
if not retVal[ 'OK' ]:
return retVal
retVal = self.deleteRequest( requestId )
if not retVal[ 'OK' ]:
return retVal
return S_OK()
def completeDelegation( self, requestId, userDN, delegatedPem ):
"""
Complete a delegation and store it in the db
"""
retVal = self.retrieveDelegationRequest( requestId, userDN )
if not retVal[ 'OK' ]:
return retVal
request = retVal[ 'Value' ]
chain = X509Chain( keyObj = request.getPKey() )
retVal = chain.loadChainFromString( delegatedPem )
if not retVal[ 'OK' ]:
return retVal
retVal = chain.isValidProxy( ignoreDefault = True )
if not retVal[ 'OK' ]:
return retVal
result = chain.isVOMS()
if result[ 'OK' ] and result[ 'Value' ]:
return S_ERROR( "Proxies with VOMS extensions are not allowed to be uploaded" )
retVal = request.checkChain( chain )
if not retVal[ 'OK' ]:
return retVal
if not retVal[ 'Value' ]:
return S_ERROR( "Received chain does not match request: %s" % retVal[ 'Message' ] )
retVal = chain.getDIRACGroup()
if not retVal[ 'OK' ]:
return retVal
userGroup = retVal[ 'Value' ]
if not userGroup:
userGroup = Registry.getDefaultUserGroup()
retVal = Registry.getGroupsForDN( userDN )
if not retVal[ 'OK' ]:
return retVal
if not userGroup in retVal[ 'Value' ]:
return S_ERROR( "%s group is not valid for %s" % ( userGroup, userDN ) )
retVal = self.storeProxy( userDN, userGroup, chain )
if not retVal[ 'OK' ]:
return retVal
retVal = self.deleteRequest( requestId )
if not retVal[ 'OK' ]:
return retVal
return S_OK()
def getCredentials(self):
if not self.__loadedChain:
return S_ERROR("No chain loaded")
credDict = {
"subject": self.__certList[0].get_subject().one_line(),
"issuer": self.__certList[0].get_issuer().one_line(),
"secondsLeft": self.getRemainingSecs()["Value"],
"isProxy": self.__isProxy,
"isLimitedProxy": self.__isProxy and self.__isLimitedProxy,
"validDN": False,
"validGroup": False,
}
if self.__isProxy:
retVal = self.getDIRACGroup()
if not retVal["OK"]:
return retVal
diracGroup = retVal["Value"]
if not diracGroup:
diracGroup = Registry.getDefaultUserGroup()
credDict["group"] = diracGroup
credDict["identity"] = self.__certList[self.__firstProxyStep + 1].get_subject().one_line()
retVal = Registry.getUsernameForDN(credDict["identity"])
if retVal["OK"]:
credDict["username"] = retVal["Value"]
credDict["validDN"] = True
retVal = Registry.getGroupsForUser(credDict["username"])
if retVal["OK"] and diracGroup in retVal["Value"]:
credDict["validGroup"] = True
credDict["groupProperties"] = Registry.getPropertiesForGroup(diracGroup)
else:
retVal = Registry.getHostnameForDN(credDict["subject"])
retVal["group"] = "hosts"
if retVal["OK"]:
credDict["hostname"] = retVal["Value"]
credDict["validDN"] = True
credDict["validGroup"] = True
return S_OK(credDict)
def storeProxy(self, userDN, userGroup, chain):
""" Store user proxy into the Proxy repository for a user specified by his
DN and group.
"""
retVal = Registry.getUsernameForDN(userDN)
if not retVal['OK']:
return retVal
userName = retVal['Value']
#Get remaining secs
retVal = chain.getRemainingSecs()
if not retVal['OK']:
return retVal
remainingSecs = retVal['Value']
if remainingSecs < self._minSecsToAllowStore:
return S_ERROR(
"Cannot store proxy, remaining secs %s is less than %s" %
(remainingSecs, self._minSecsToAllowStore))
#Compare the DNs
retVal = chain.getIssuerCert()
if not retVal['OK']:
return retVal
proxyIdentityDN = retVal['Value'].getSubjectDN()['Value']
if not userDN == proxyIdentityDN:
msg = "Mismatch in the user DN"
vMsg = "Proxy says %s and credentials are %s" % (proxyIdentityDN,
userDN)
self.log.error(msg, vMsg)
return S_ERROR("%s. %s" % (msg, vMsg))
#Check the groups
retVal = chain.getDIRACGroup()
if not retVal['OK']:
return retVal
proxyGroup = retVal['Value']
if not proxyGroup:
proxyGroup = Registry.getDefaultUserGroup()
if not userGroup == proxyGroup:
msg = "Mismatch in the user group"
vMsg = "Proxy says %s and credentials are %s" % (proxyGroup,
userGroup)
self.log.error(msg, vMsg)
return S_ERROR("%s. %s" % (msg, vMsg))
#Check if its limited
if chain.isLimitedProxy()['Value']:
return S_ERROR("Limited proxies are not allowed to be stored")
dLeft = remainingSecs / 86400
hLeft = remainingSecs / 3600 - dLeft * 24
mLeft = remainingSecs / 60 - hLeft * 60 - dLeft * 1440
sLeft = remainingSecs - hLeft * 3600 - mLeft * 60 - dLeft * 86400
self.log.info(
"Storing proxy for credentials %s (%d:%02d:%02d:%02d left)" %
(proxyIdentityDN, dLeft, hLeft, mLeft, sLeft))
try:
sUserDN = self._escapeString(userDN)['Value']
sUserGroup = self._escapeString(userGroup)['Value']
except KeyError:
return S_ERROR("Cannot escape DN")
# Check what we have already got in the repository
cmd = "SELECT TIMESTAMPDIFF( SECOND, UTC_TIMESTAMP(), ExpirationTime ), Pem FROM `ProxyDB_Proxies` WHERE UserDN=%s AND UserGroup=%s" % (
sUserDN, sUserGroup)
result = self._query(cmd)
if not result['OK']:
return result
# check if there is a previous ticket for the DN
data = result['Value']
sqlInsert = True
if len(data) > 0:
sqlInsert = False
pem = data[0][1]
if pem:
remainingSecsInDB = data[0][0]
if remainingSecs <= remainingSecsInDB:
self.log.info(
"Proxy stored is longer than uploaded, omitting.",
"%s in uploaded, %s in db" %
(remainingSecs, remainingSecsInDB))
return S_OK()
pemChain = chain.dumpAllToString()['Value']
dValues = {
'UserName':
self._escapeString(userName)['Value'],
'UserDN':
sUserDN,
'UserGroup':
sUserGroup,
'Pem':
self._escapeString(pemChain)['Value'],
'ExpirationTime':
'TIMESTAMPADD( SECOND, %d, UTC_TIMESTAMP() )' % int(remainingSecs),
'PersistentFlag':
"'False'"
}
if sqlInsert:
sqlFields = []
sqlValues = []
for key in dValues:
sqlFields.append(key)
sqlValues.append(dValues[key])
cmd = "INSERT INTO `ProxyDB_Proxies` ( %s ) VALUES ( %s )" % (
", ".join(sqlFields), ", ".join(sqlValues))
else:
sqlSet = []
sqlWhere = []
for k in dValues:
if k in ('UserDN', 'UserGroup'):
sqlWhere.append("%s = %s" % (k, dValues[k]))
else:
sqlSet.append("%s = %s" % (k, dValues[k]))
cmd = "UPDATE `ProxyDB_Proxies` SET %s WHERE %s" % (
", ".join(sqlSet), " AND ".join(sqlWhere))
self.logAction("store proxy", userDN, userGroup, userDN, userGroup)
return self._update(cmd)
def storeProxy( self, userDN, userGroup, chain ):
""" Store user proxy into the Proxy repository for a user specified by his
DN and group.
"""
retVal = Registry.getUsernameForDN( userDN )
if not retVal[ 'OK' ]:
return retVal
userName = retVal[ 'Value' ]
#Get remaining secs
retVal = chain.getRemainingSecs()
if not retVal[ 'OK' ]:
return retVal
remainingSecs = retVal[ 'Value' ]
if remainingSecs < self._minSecsToAllowStore:
return S_ERROR( "Cannot store proxy, remaining secs %s is less than %s" % ( remainingSecs, self._minSecsToAllowStore ) )
#Compare the DNs
retVal = chain.getIssuerCert()
if not retVal[ 'OK' ]:
return retVal
proxyIdentityDN = retVal[ 'Value' ].getSubjectDN()[ 'Value' ]
if not userDN == proxyIdentityDN:
msg = "Mismatch in the user DN"
vMsg = "Proxy says %s and credentials are %s" % ( proxyIdentityDN, userDN )
self.log.error( msg, vMsg )
return S_ERROR( "%s. %s" % ( msg, vMsg ) )
#Check the groups
retVal = chain.getDIRACGroup()
if not retVal[ 'OK' ]:
return retVal
proxyGroup = retVal[ 'Value' ]
if not proxyGroup:
proxyGroup = Registry.getDefaultUserGroup()
if not userGroup == proxyGroup:
msg = "Mismatch in the user group"
vMsg = "Proxy says %s and credentials are %s" % ( proxyGroup, userGroup )
self.log.error( msg, vMsg )
return S_ERROR( "%s. %s" % ( msg, vMsg ) )
#Check if its limited
if chain.isLimitedProxy()['Value']:
return S_ERROR( "Limited proxies are not allowed to be stored" )
dLeft = remainingSecs / 86400
hLeft = remainingSecs / 3600 - dLeft * 24
mLeft = remainingSecs / 60 - hLeft * 60 - dLeft * 1440
sLeft = remainingSecs - hLeft * 3600 - mLeft * 60 - dLeft * 86400
self.log.info( "Storing proxy for credentials %s (%d:%02d:%02d:%02d left)" % ( proxyIdentityDN, dLeft, hLeft, mLeft, sLeft ) )
# Check what we have already got in the repository
cmd = "SELECT TIMESTAMPDIFF( SECOND, UTC_TIMESTAMP(), ExpirationTime ), Pem FROM `ProxyDB_Proxies` WHERE UserDN='%s' AND UserGroup='%s'" % ( userDN,
userGroup )
result = self._query( cmd )
if not result['OK']:
return result
# check if there is a previous ticket for the DN
data = result[ 'Value' ]
sqlInsert = True
if len( data ) > 0:
sqlInsert = False
pem = data[0][1]
if pem:
remainingSecsInDB = data[0][0]
if remainingSecs <= remainingSecsInDB:
self.log.info( "Proxy stored is longer than uploaded, omitting.", "%s in uploaded, %s in db" % ( remainingSecs, remainingSecsInDB ) )
return S_OK()
pemChain = chain.dumpAllToString()['Value']
dValues = { 'UserName' : self._escapeString( userName )[ 'Value' ],
'UserDN' : self._escapeString( userDN )[ 'Value' ],
'UserGroup' : self._escapeString( userGroup )[ 'Value' ],
'Pem' : self._escapeString( pemChain )[ 'Value' ],
'ExpirationTime' : 'TIMESTAMPADD( SECOND, %s, UTC_TIMESTAMP() )' % int( remainingSecs ),
'PersistentFlag' : "'False'" }
if sqlInsert:
sqlFields = []
sqlValues = []
for key in dValues:
sqlFields.append( key )
sqlValues.append( dValues[ key ] )
cmd = "INSERT INTO `ProxyDB_Proxies` ( %s ) VALUES ( %s )" % ( ", ".join( sqlFields ), ", ".join( sqlValues ) )
else:
sqlSet = []
sqlWhere = []
for k in dValues:
if k in ( 'UserDN', 'UserGroup' ):
sqlWhere.append( "%s = %s" % ( k, dValues[k] ) )
else:
sqlSet.append( "%s = %s" % ( k, dValues[k] ) )
cmd = "UPDATE `ProxyDB_Proxies` SET %s WHERE %s" % ( ", ".join( sqlSet ), " AND ".join( sqlWhere ) )
self.logAction( "store proxy", userDN, userGroup, userDN, userGroup )
return self._update( cmd )