def export_requestDelegationUpload(self, requestedUploadTime, userGroup):
""" Request a delegation. Send a delegation request to client
"""
credDict = self.getRemoteCredentials()
userDN = credDict['DN']
userName = credDict['username']
if not userGroup:
userGroup = credDict['group']
retVal = Registry.getGroupsForUser(credDict['username'])
if not retVal['OK']:
return retVal
groupsAvailable = retVal['Value']
if userGroup not in groupsAvailable:
return S_ERROR("%s is not a valid group for user %s" %
(userGroup, userName))
clientChain = credDict['x509Chain']
clientSecs = clientChain.getIssuerCert()['Value'].getRemainingSecs(
)['Value']
requestedUploadTime = min(requestedUploadTime,
clientSecs) # FIXME: this is useless now...
result = self.__proxyDB.generateDelegationRequest(
credDict['x509Chain'], userDN)
if result['OK']:
gLogger.info("Upload request by %s:%s given id %s" %
(userName, userGroup, result['Value']['id']))
else:
gLogger.error(
"Upload request failed",
"by %s:%s : %s" % (userName, userGroup, result['Message']))
return result
def export_requestDelegationUpload( self, requestedUploadTime, userGroup ):
""" Request a delegation. Send a delegation request to client
"""
credDict = self.getRemoteCredentials()
userDN = credDict[ 'DN' ]
userName = credDict[ 'username' ]
if not userGroup:
userGroup = credDict[ 'group' ]
retVal = Registry.getGroupsForUser( credDict[ 'username' ] )
if not retVal[ 'OK' ]:
return retVal
groupsAvailable = retVal[ 'Value' ]
if userGroup not in groupsAvailable:
return S_ERROR( "%s is not a valid group for user %s" % ( userGroup, userName ) )
clientChain = credDict[ 'x509Chain' ]
clientSecs = clientChain.getIssuerCert()[ 'Value' ].getRemainingSecs()[ 'Value' ]
requestedUploadTime = min( requestedUploadTime, clientSecs )
retVal = self.__proxyDB.getRemainingTime( userDN, userGroup )
if not retVal[ 'OK' ]:
return retVal
remainingSecs = retVal[ 'Value' ]
# If we have a proxy longer than the one uploading it's not needed
# ten minute margin to compensate just in case
if remainingSecs >= requestedUploadTime - 600:
gLogger.info( "Upload request not necessary by %s:%s" % ( userName, userGroup ) )
return self.__addKnownUserProxiesInfo( S_OK() )
result = self.__proxyDB.generateDelegationRequest( credDict[ 'x509Chain' ], userDN )
if result[ 'OK' ]:
gLogger.info( "Upload request by %s:%s given id %s" % ( userName, userGroup, result['Value']['id'] ) )
else:
gLogger.error( "Upload request failed", "by %s:%s : %s" % ( userName, userGroup, result['Message'] ) )
return result
def getCredentials( self ):
if not self.__loadedChain:
return S_ERROR( "No chain loaded" )
credDict = { 'subject' : self.__certList[0].get_subject().one_line(),
'issuer' : self.__certList[0].get_issuer().one_line(),
'secondsLeft' : self.getRemainingSecs()[ 'Value' ],
'isProxy' : self.__isProxy,
'isLimitedProxy' : self.__isProxy and self.__isLimitedProxy,
'validDN' : False,
'validGroup' : False }
if self.__isProxy:
retVal = self.getDIRACGroup()
if not retVal[ 'OK' ]:
return retVal
diracGroup = retVal[ 'Value' ]
if not diracGroup:
diracGroup = Registry.getDefaultUserGroup()
credDict[ 'group' ] = diracGroup
credDict[ 'identity'] = self.__certList[ self.__firstProxyStep + 1 ].get_subject().one_line()
retVal = Registry.getUsernameForDN( credDict[ 'identity' ] )
if retVal[ 'OK' ]:
credDict[ 'username' ] = retVal[ 'Value' ]
credDict[ 'validDN' ] = True
retVal = Registry.getGroupsForUser( credDict[ 'username' ] )
if retVal[ 'OK' ] and diracGroup in retVal[ 'Value']:
credDict[ 'validGroup' ] = True
credDict[ 'groupProperties' ] = Registry.getPropertiesForGroup( diracGroup )
else:
retVal = Registry.getHostnameForDN( credDict['subject'] )
retVal[ 'group' ] = 'hosts'
if retVal[ 'OK' ]:
credDict[ 'hostname' ] = retVal[ 'Value' ]
credDict[ 'validDN' ] = True
credDict[ 'validGroup' ] = True
return S_OK( credDict )
def export_requestDelegationUpload(self, requestedUploadTime, diracGroup=None):
""" Request a delegation. Send a delegation request to client
:param int,long requestedUploadTime: requested live time
:return: S_OK(dict)/S_ERROR() -- dict contain id and proxy as string of the request
"""
if diracGroup:
# WARN: Since v7r1, DIRAC has implemented the ability to store only one proxy and
# WARN: dynamically add a group at the request of a proxy. This means that group extensions
# WARN: doesn't need for storing proxies.
self.log.warn("Proxy with DIRAC group or VOMS extensions must be not allowed to be uploaded.")
credDict = self.getRemoteCredentials()
userDN = credDict['DN']
userName = credDict['username']
userGroup = diracGroup or credDict['group']
retVal = Registry.getGroupsForUser(credDict['username'])
if not retVal['OK']:
return retVal
groupsAvailable = retVal['Value']
if userGroup not in groupsAvailable:
return S_ERROR("%s is not a valid group for user %s" % (userGroup, userName))
clientChain = credDict['x509Chain']
clientSecs = clientChain.getIssuerCert()['Value'].getRemainingSecs()['Value']
requestedUploadTime = min(requestedUploadTime, clientSecs) # FIXME: this is useless now...
result = self.__proxyDB.generateDelegationRequest(credDict['x509Chain'], userDN)
if result['OK']:
gLogger.info("Upload request by %s:%s given id %s" % (userName, userGroup, result['Value']['id']))
else:
gLogger.error("Upload request failed", "by %s:%s : %s" % (userName, userGroup, result['Message']))
return result
def getCredentials( self, ignoreDefault = False ):
if not self.__loadedChain:
return S_ERROR( "No chain loaded" )
credDict = { 'subject' : self.__certList[0].get_subject().one_line(),
'issuer' : self.__certList[0].get_issuer().one_line(),
'secondsLeft' : self.getRemainingSecs()[ 'Value' ],
'isProxy' : self.__isProxy,
'isLimitedProxy' : self.__isProxy and self.__isLimitedProxy,
'validDN' : False,
'validGroup' : False,
'groupProperties' : [] }
if self.__isProxy:
credDict[ 'identity'] = self.__certList[ self.__firstProxyStep + 1 ].get_subject().one_line()
retVal = Registry.getUsernameForDN( credDict[ 'identity' ] )
if retVal[ 'OK' ]:
credDict[ 'username' ] = retVal[ 'Value' ]
credDict[ 'validDN' ] = True
retVal = self.getDIRACGroup( ignoreDefault = ignoreDefault )
if retVal[ 'OK' ]:
diracGroup = retVal[ 'Value' ]
credDict[ 'group' ] = diracGroup
retVal = Registry.getGroupsForUser( credDict[ 'username' ] )
if retVal[ 'OK' ] and diracGroup in retVal[ 'Value' ]:
credDict[ 'validGroup' ] = True
credDict[ 'groupProperties' ] = Registry.getPropertiesForGroup( diracGroup )
else:
retVal = Registry.getHostnameForDN( credDict['subject'] )
retVal[ 'group' ] = 'hosts'
if retVal[ 'OK' ]:
credDict[ 'hostname' ] = retVal[ 'Value' ]
credDict[ 'validDN' ] = True
credDict[ 'validGroup' ] = True
return S_OK( credDict )
def getCredentials(self, ignoreDefault=False):
if not self.__loadedChain:
return S_ERROR(DErrno.ENOCHAIN)
credDict = {
'subject': self.__certList[0].get_subject().one_line(),
'issuer': self.__certList[0].get_issuer().one_line(),
'secondsLeft': self.getRemainingSecs()['Value'],
'isProxy': self.__isProxy,
'isLimitedProxy': self.__isProxy and self.__isLimitedProxy,
'validDN': False,
'validGroup': False
}
if self.__isProxy:
credDict['identity'] = self.__certList[self.__firstProxyStep +
1].get_subject().one_line()
# Check if we have the PUSP case
result = self.isPUSP()
if result['OK'] and result['Value']:
credDict['identity'] = result['Identity']
credDict['subproxyUser'] = result['SubproxyUser']
credDict['rfc'] = self.__isRFC
retVal = Registry.getUsernameForDN(credDict['identity'])
if not retVal['OK']:
return S_OK(credDict)
credDict['username'] = retVal['Value']
credDict['validDN'] = True
retVal = self.getDIRACGroup(ignoreDefault=ignoreDefault)
if retVal['OK']:
diracGroup = retVal['Value']
credDict['group'] = diracGroup
retVal = Registry.getGroupsForUser(credDict['username'])
if retVal['OK'] and diracGroup in retVal['Value']:
credDict['validGroup'] = True
credDict[
'groupProperties'] = Registry.getPropertiesForGroup(
diracGroup)
else:
retVal = Registry.getHostnameForDN(credDict['subject'])
if retVal['OK']:
credDict['group'] = 'hosts'
credDict['hostname'] = retVal['Value']
credDict['validDN'] = True
credDict['validGroup'] = True
credDict['groupProperties'] = Registry.getHostOption(
credDict['hostname'], 'Properties')
retVal = Registry.getUsernameForDN(credDict['subject'])
if retVal['OK']:
credDict['username'] = retVal['Value']
credDict['validDN'] = True
return S_OK(credDict)
def getCredentials(self, ignoreDefault=False):
if not self.__loadedChain:
return S_ERROR(DErrno.ENOCHAIN)
credDict = {'subject': self.__certList[0].get_subject().one_line(),
'issuer': self.__certList[0].get_issuer().one_line(),
'secondsLeft': self.getRemainingSecs()['Value'],
'isProxy': self.__isProxy,
'isLimitedProxy': self.__isProxy and self.__isLimitedProxy,
'validDN': False,
'validGroup': False}
if self.__isProxy:
credDict['identity'] = self.__certList[self.__firstProxyStep + 1].get_subject().one_line()
# Check if we have the PUSP case
result = self.isPUSP()
if result['OK'] and result['Value']:
credDict['identity'] = result['Identity']
credDict['subproxyUser'] = result['SubproxyUser']
credDict['rfc'] = self.__isRFC
retVal = Registry.getUsernameForDN(credDict['identity'])
if not retVal['OK']:
return S_OK(credDict)
credDict['username'] = retVal['Value']
credDict['validDN'] = True
retVal = self.getDIRACGroup(ignoreDefault=ignoreDefault)
if retVal['OK']:
diracGroup = retVal['Value']
credDict['group'] = diracGroup
retVal = Registry.getGroupsForUser(credDict['username'])
if retVal['OK'] and diracGroup in retVal['Value']:
credDict['validGroup'] = True
credDict['groupProperties'] = Registry.getPropertiesForGroup(diracGroup)
else:
retVal = Registry.getHostnameForDN(credDict['subject'])
if retVal['OK']:
credDict['group'] = 'hosts'
credDict['hostname'] = retVal['Value']
credDict['validDN'] = True
credDict['validGroup'] = True
credDict['groupProperties'] = Registry.getHostOption(credDict['hostname'], 'Properties')
retVal = Registry.getUsernameForDN(credDict['subject'])
if retVal['OK']:
credDict['username'] = retVal['Value']
credDict['validDN'] = True
return S_OK(credDict)
def getCredentials(self, ignoreDefault=False):
if not self.__loadedChain:
return S_ERROR("No chain loaded")
credDict = {
"subject": self.__certList[0].get_subject().one_line(),
"issuer": self.__certList[0].get_issuer().one_line(),
"secondsLeft": self.getRemainingSecs()["Value"],
"isProxy": self.__isProxy,
"isLimitedProxy": self.__isProxy and self.__isLimitedProxy,
"validDN": False,
"validGroup": False,
}
if self.__isProxy:
credDict["identity"] = self.__certList[self.__firstProxyStep + 1].get_subject().one_line()
retVal = Registry.getUsernameForDN(credDict["identity"])
if not retVal["OK"]:
return S_OK(credDict)
credDict["username"] = retVal["Value"]
credDict["validDN"] = True
retVal = self.getDIRACGroup(ignoreDefault=ignoreDefault)
if retVal["OK"]:
diracGroup = retVal["Value"]
credDict["group"] = diracGroup
retVal = Registry.getGroupsForUser(credDict["username"])
if retVal["OK"] and diracGroup in retVal["Value"]:
credDict["validGroup"] = True
credDict["groupProperties"] = Registry.getPropertiesForGroup(diracGroup)
else:
retVal = Registry.getHostnameForDN(credDict["subject"])
if retVal["OK"]:
credDict["group"] = "hosts"
credDict["hostname"] = retVal["Value"]
credDict["validDN"] = True
credDict["validGroup"] = True
credDict["groupProperties"] = Registry.getHostOption(credDict["hostname"], "Properties")
retVal = Registry.getUsernameForDN(credDict["subject"])
if retVal["OK"]:
credDict["username"] = retVal["Value"]
credDict["validDN"] = True
return S_OK(credDict)
def getCredentials( self, ignoreDefault = False ):
if not self.__loadedChain:
return S_ERROR( "No chain loaded" )
credDict = { 'subject' : self.__certList[0].get_subject().one_line(),
'issuer' : self.__certList[0].get_issuer().one_line(),
'secondsLeft' : self.getRemainingSecs()[ 'Value' ],
'isProxy' : self.__isProxy,
'isLimitedProxy' : self.__isProxy and self.__isLimitedProxy,
'validDN' : False,
'validGroup' : False }
if self.__isProxy:
credDict[ 'identity'] = self.__certList[ self.__firstProxyStep + 1 ].get_subject().one_line()
retVal = Registry.getUsernameForDN( credDict[ 'identity' ] )
if not retVal[ 'OK' ]:
# We could not contact the CS most likely, which is possible, e.g. when doing
# dirac-proxy-init -x
credDict[ 'username' ] = 'unknown'
else:
credDict[ 'username' ] = retVal[ 'Value' ]
credDict[ 'validDN' ] = True
retVal = self.getDIRACGroup( ignoreDefault = ignoreDefault )
if retVal[ 'OK' ]:
diracGroup = retVal[ 'Value' ]
credDict[ 'group' ] = diracGroup
retVal = Registry.getGroupsForUser( credDict[ 'username' ] )
if retVal[ 'OK' ] and diracGroup in retVal[ 'Value' ]:
credDict[ 'validGroup' ] = True
credDict[ 'groupProperties' ] = Registry.getPropertiesForGroup( diracGroup )
else:
retVal = Registry.getHostnameForDN( credDict['subject'] )
if retVal[ 'OK' ]:
credDict[ 'group' ] = 'hosts'
credDict[ 'hostname' ] = retVal[ 'Value' ]
credDict[ 'validDN' ] = True
credDict[ 'validGroup' ] = True
retVal = Registry.getUsernameForDN( credDict[ 'subject' ] )
if retVal[ 'OK' ]:
credDict[ 'username' ] = retVal[ 'Value' ]
credDict[ 'validDN' ] = True
return S_OK( credDict )
def export_requestDelegationUpload(self, requestedUploadTime, userGroup):
""" Request a delegation. Send a delegation request to client
"""
credDict = self.getRemoteCredentials()
userDN = credDict['DN']
userName = credDict['username']
if not userGroup:
userGroup = credDict['group']
retVal = Registry.getGroupsForUser(credDict['username'])
if not retVal['OK']:
return retVal
groupsAvailable = retVal['Value']
if userGroup not in groupsAvailable:
return S_ERROR("%s is not a valid group for user %s" %
(userGroup, userName))
clientChain = credDict['x509Chain']
clientSecs = clientChain.getIssuerCert()['Value'].getRemainingSecs(
)['Value']
requestedUploadTime = min(requestedUploadTime, clientSecs)
retVal = self.__proxyDB.getRemainingTime(userDN, userGroup)
if not retVal['OK']:
return retVal
remainingSecs = retVal['Value']
# If we have a proxy longer than the one uploading it's not needed
# ten minute margin to compensate just in case
if remainingSecs >= requestedUploadTime - 600:
gLogger.info("Upload request not necessary by %s:%s" %
(userName, userGroup))
return self.__addKnownUserProxiesInfo(S_OK())
result = self.__proxyDB.generateDelegationRequest(
credDict['x509Chain'], userDN)
if result['OK']:
gLogger.info("Upload request by %s:%s given id %s" %
(userName, userGroup, result['Value']['id']))
else:
gLogger.error(
"Upload request failed",
"by %s:%s : %s" % (userName, userGroup, result['Message']))
return result
def export_requestDelegationUpload( self, requestedUploadTime, userGroup ):
""" Request a delegation. Send a delegation request to client
"""
credDict = self.getRemoteCredentials()
userDN = credDict[ 'DN' ]
userName = credDict[ 'username' ]
if not userGroup:
userGroup = credDict[ 'group' ]
retVal = Registry.getGroupsForUser( credDict[ 'username' ] )
if not retVal[ 'OK' ]:
return retVal
groupsAvailable = retVal[ 'Value' ]
if userGroup not in groupsAvailable:
return S_ERROR( "%s is not a valid group for user %s" % ( userGroup, userName ) )
clientChain = credDict[ 'x509Chain' ]
clientSecs = clientChain.getIssuerCert()[ 'Value' ].getRemainingSecs()[ 'Value' ]
requestedUploadTime = min( requestedUploadTime, clientSecs ) #FIXME: this is useless now...
result = self.__proxyDB.generateDelegationRequest( credDict[ 'x509Chain' ], userDN )
if result[ 'OK' ]:
gLogger.info( "Upload request by %s:%s given id %s" % ( userName, userGroup, result['Value']['id'] ) )
else:
gLogger.error( "Upload request failed", "by %s:%s : %s" % ( userName, userGroup, result['Message'] ) )
return result
def generateProxy( params ):
if params.checkClock:
result = getClockDeviation()
if result[ 'OK' ]:
deviation = result[ 'Value' ]
if deviation > 600:
gLogger.error( "Your host clock seems to be off by more than TEN MINUTES! Thats really bad." )
gLogger.error( "We're cowardly refusing to generate a proxy. Please fix your system time" )
sys.exit( 1 )
elif deviation > 180:
gLogger.error( "Your host clock seems to be off by more than THREE minutes! Thats bad." )
gLogger.notice( "We'll generate the proxy but please fix your system time" )
elif deviation > 60:
gLogger.error( "Your host clock seems to be off by more than a minute! Thats not good." )
gLogger.notice( "We'll generate the proxy but please fix your system time" )
certLoc = params.certLoc
keyLoc = params.keyLoc
if not certLoc or not keyLoc:
cakLoc = Locations.getCertificateAndKeyLocation()
if not cakLoc:
return S_ERROR( "Can't find user certificate and key" )
if not certLoc:
certLoc = cakLoc[0]
if not keyLoc:
keyLoc = cakLoc[1]
params.certLoc = certLoc
params.keyLoc = keyLoc
#Load password
testChain = X509Chain()
retVal = testChain.loadChainFromFile( params.certLoc )
if not retVal[ 'OK' ]:
return S_ERROR( "Cannot load certificate %s: %s" % ( params.certLoc, retVal[ 'Message' ] ) )
timeLeft = testChain.getRemainingSecs()[ 'Value' ] / 86400
if timeLeft < 30:
gLogger.notice( "\nYour certificate will expire in %d days. Please renew it!\n" % timeLeft )
retVal = testChain.loadKeyFromFile( params.keyLoc, password = params.userPasswd )
if not retVal[ 'OK' ]:
passwdPrompt = "Enter Certificate password:"******"\n" )
else:
userPasswd = getpass.getpass( passwdPrompt )
params.userPasswd = userPasswd
#Find location
proxyLoc = params.proxyLoc
if not proxyLoc:
proxyLoc = Locations.getDefaultProxyLocation()
chain = X509Chain()
#Load user cert and key
retVal = chain.loadChainFromFile( certLoc )
if not retVal[ 'OK' ]:
gLogger.warn( retVal[ 'Message' ] )
return S_ERROR( "Can't load %s" % certLoc )
retVal = chain.loadKeyFromFile( keyLoc, password = params.userPasswd )
if not retVal[ 'OK' ]:
gLogger.warn( retVal[ 'Message' ] )
if 'bad decrypt' in retVal[ 'Message' ]:
return S_ERROR( "Bad passphrase" )
return S_ERROR( "Can't load %s" % keyLoc )
if params.checkWithCS:
retVal = chain.generateProxyToFile( proxyLoc,
params.proxyLifeTime,
strength = params.proxyStrength,
limited = params.limitedProxy,
rfc = params.rfc )
gLogger.info( "Contacting CS..." )
retVal = Script.enableCS()
if not retVal[ 'OK' ]:
gLogger.warn( retVal[ 'Message' ] )
if 'Unauthorized query' in retVal[ 'Message' ]:
# add hint for users
return S_ERROR( "Can't contact DIRAC CS: %s (User possibly not registered with dirac server) "
% retVal[ 'Message' ] )
return S_ERROR( "Can't contact DIRAC CS: %s" % retVal[ 'Message' ] )
userDN = chain.getCertInChain( -1 )['Value'].getSubjectDN()['Value']
if not params.diracGroup:
result = Registry.findDefaultGroupForDN( userDN )
if not result[ 'OK' ]:
gLogger.warn( "Could not get a default group for DN %s: %s" % ( userDN, result[ 'Message' ] ) )
else:
params.diracGroup = result[ 'Value' ]
gLogger.info( "Default discovered group is %s" % params.diracGroup )
gLogger.info( "Checking DN %s" % userDN )
retVal = Registry.getUsernameForDN( userDN )
if not retVal[ 'OK' ]:
gLogger.warn( retVal[ 'Message' ] )
return S_ERROR( "DN %s is not registered" % userDN )
username = retVal[ 'Value' ]
gLogger.info( "Username is %s" % username )
retVal = Registry.getGroupsForUser( username )
if not retVal[ 'OK' ]:
gLogger.warn( retVal[ 'Message' ] )
return S_ERROR( "User %s has no groups defined" % username )
groups = retVal[ 'Value' ]
if params.diracGroup not in groups:
return S_ERROR( "Requested group %s is not valid for DN %s" % ( params.diracGroup, userDN ) )
gLogger.info( "Creating proxy for %s@%s (%s)" % ( username, params.diracGroup, userDN ) )
if params.summary:
h = int( params.proxyLifeTime / 3600 )
m = int( params.proxyLifeTime / 60 ) - h * 60
gLogger.notice( "Proxy lifetime will be %02d:%02d" % ( h, m ) )
gLogger.notice( "User cert is %s" % certLoc )
gLogger.notice( "User key is %s" % keyLoc )
gLogger.notice( "Proxy will be written to %s" % proxyLoc )
if params.diracGroup:
gLogger.notice( "DIRAC Group will be set to %s" % params.diracGroup )
else:
gLogger.notice( "No DIRAC Group will be set" )
gLogger.notice( "Proxy strength will be %s" % params.proxyStrength )
if params.limitedProxy:
gLogger.notice( "Proxy will be limited" )
retVal = chain.generateProxyToFile( proxyLoc,
params.proxyLifeTime,
params.diracGroup,
strength = params.proxyStrength,
limited = params.limitedProxy,
rfc = params.rfc )
if not retVal[ 'OK' ]:
gLogger.warn( retVal[ 'Message' ] )
return S_ERROR( "Couldn't generate proxy: %s" % retVal[ 'Message' ] )
return S_OK( proxyLoc )
def getCredentials(self, ignoreDefault=False, withRegistryInfo=True):
"""Returns a summary of the credentials contained in the current chain
:params ignoreDefault: (default False) If True and if no DIRAC group is found in the proxy, lookup the CS
:params withRegistryInfo: (default True) if set to True, will enhance the returned dict with info
from the registry
:returns: S_OK with the credential dict. Some parameters of the dict are always there, other depends
on the nature of the Chain
Always present:
* subject: str. The last DN in the chain
* issuer: str. The issuer of the last cert in the chain
* secondsLeft: validity of the chain in seconds (see :py:meth:`.getRemainingSecs`)
* isProxy: boolean (see :py:meth:`.isProxy`)
* isLimitedProxy: boolean (see :py:meth:`.isLimitedProxy`)
* validDN: boolean if the DN is known to DIRAC
* validGroup: False (see further definition)
* DN: either the DN of the host, or the DN of the user corresponding to the proxy
Only for proxy:
* identity: If it is a normal proxy, it is the DN of the certificate.
If it is a PUSP, it contains the identity as in :py:meth:`.isPUSP`
* username: DIRAC username associated to the DN (needs withRegistryInfo)
(see :py:func:`DIRAC.ConfigurationSystem.Client.Helpers.Registry.getUsernameForDN`)
* group: DIRAC group, depending on ignoreDefault param(see :py:meth:`.getDIRACGroup`)
* validGroup: True if the group found is in the list of groups the user belongs to
* groupProperty: (only if validGroup) get the properties of the group
For Host certificate (needs withRegistryInfo):
* group: always `hosts`
* hostname: name of the host as registered in the CS
(see :py:func:`DIRAC.ConfigurationSystem.Client.Helpers.Registry.getHostnameForDN`)
* validGroup: True
* groupProperties: host options
(see :py:func:`DIRAC.ConfigurationSystem.Client.Helpers.Registry.getHostOption`)
If it is a user certificate (needs withRegistryInfo):
* username: like for proxy
* validDN: like proxy
"""
credDict = {
"subject": str(self._certList[0].getSubjectDN()["Value"]), # ['Value'] :(
"issuer": self._certList[0].getIssuerDN()["Value"], # ['Value'] :(
"secondsLeft": self.getRemainingSecs()["Value"],
"isProxy": self.__isProxy,
"isLimitedProxy": self.__isProxy and self.__isLimitedProxy,
"validDN": False,
"validGroup": False,
}
# Add the DN entry as the subject.
credDict["DN"] = credDict["subject"]
if self.__isProxy:
credDict["identity"] = str(
self._certList[self.__firstProxyStep + 1].getSubjectDN()["Value"]
) # ['Value'] :(
# if the chain is a proxy, then the DN we want to work with is the real one of the
# user, not the one of his proxy
credDict["DN"] = credDict["identity"]
# Check if we have the PUSP case
result = self.isPUSP()
if result["OK"] and result["Value"]:
credDict["identity"] = result["Identity"]
credDict["subproxyUser"] = result["SubproxyUser"]
if withRegistryInfo:
retVal = Registry.getUsernameForDN(credDict["identity"])
if not retVal["OK"]:
return S_OK(credDict)
credDict["username"] = retVal["Value"]
credDict["validDN"] = True
retVal = self.getDIRACGroup(ignoreDefault=ignoreDefault)
if retVal["OK"]:
diracGroup = retVal["Value"]
credDict["group"] = diracGroup
if withRegistryInfo:
retVal = Registry.getGroupsForUser(credDict["username"])
if retVal["OK"] and diracGroup in retVal["Value"]:
credDict["validGroup"] = True
credDict["groupProperties"] = Registry.getPropertiesForGroup(diracGroup)
elif withRegistryInfo:
retVal = Registry.getHostnameForDN(credDict["subject"])
if retVal["OK"]:
credDict["group"] = "hosts"
credDict["hostname"] = retVal["Value"]
credDict["validDN"] = True
credDict["validGroup"] = True
credDict["groupProperties"] = Registry.getHostOption(credDict["hostname"], "Properties")
retVal = Registry.getUsernameForDN(credDict["subject"])
if retVal["OK"]:
credDict["username"] = retVal["Value"]
credDict["validDN"] = True
return S_OK(credDict)
def generateProxy(params):
if params.checkClock:
result = getClockDeviation()
if result['OK']:
deviation = result['Value']
if deviation > 600:
gLogger.error(
"Your host clock seems to be off by more than TEN MINUTES! Thats really bad."
)
gLogger.error(
"We're cowardly refusing to generate a proxy. Please fix your system time"
)
sys.exit(1)
elif deviation > 180:
gLogger.error(
"Your host clock seems to be off by more than THREE minutes! Thats bad."
)
gLogger.notice(
"We'll generate the proxy but please fix your system time")
elif deviation > 60:
gLogger.error(
"Your host clock seems to be off by more than a minute! Thats not good."
)
gLogger.notice(
"We'll generate the proxy but please fix your system time")
certLoc = params.certLoc
keyLoc = params.keyLoc
if not certLoc or not keyLoc:
cakLoc = Locations.getCertificateAndKeyLocation()
if not cakLoc:
return S_ERROR("Can't find user certificate and key")
if not certLoc:
certLoc = cakLoc[0]
if not keyLoc:
keyLoc = cakLoc[1]
params.certLoc = certLoc
params.keyLoc = keyLoc
#Load password
testChain = X509Chain()
retVal = testChain.loadChainFromFile(params.certLoc)
if not retVal['OK']:
return S_ERROR("Cannot load certificate %s: %s" %
(params.certLoc, retVal['Message']))
timeLeft = testChain.getRemainingSecs()['Value'] / 86400
if timeLeft < 30:
gLogger.notice(
"\nYour certificate will expire in %d days. Please renew it!\n" %
timeLeft)
retVal = testChain.loadKeyFromFile(params.keyLoc,
password=params.userPasswd)
if not retVal['OK']:
passwdPrompt = "Enter Certificate password:"******"\n")
else:
userPasswd = getpass.getpass(passwdPrompt)
params.userPasswd = userPasswd
#Find location
proxyLoc = params.proxyLoc
if not proxyLoc:
proxyLoc = Locations.getDefaultProxyLocation()
chain = X509Chain()
#Load user cert and key
retVal = chain.loadChainFromFile(certLoc)
if not retVal['OK']:
gLogger.warn(retVal['Message'])
return S_ERROR("Can't load %s" % certLoc)
retVal = chain.loadKeyFromFile(keyLoc, password=params.userPasswd)
if not retVal['OK']:
gLogger.warn(retVal['Message'])
if 'bad decrypt' in retVal['Message']:
return S_ERROR("Bad passphrase")
return S_ERROR("Can't load %s" % keyLoc)
if params.checkWithCS:
retVal = chain.generateProxyToFile(proxyLoc,
params.proxyLifeTime,
strength=params.proxyStrength,
limited=params.limitedProxy)
gLogger.info("Contacting CS...")
retVal = Script.enableCS()
if not retVal['OK']:
gLogger.warn(retVal['Message'])
if 'Unauthorized query' in retVal['Message']:
# add hint for users
return S_ERROR(
"Can't contact DIRAC CS: %s (User possibly not registered with dirac server) "
% retVal['Message'])
return S_ERROR("Can't contact DIRAC CS: %s" % retVal['Message'])
userDN = chain.getCertInChain(-1)['Value'].getSubjectDN()['Value']
if not params.diracGroup:
result = Registry.findDefaultGroupForDN(userDN)
if not result['OK']:
gLogger.warn("Could not get a default group for DN %s: %s" %
(userDN, result['Message']))
else:
params.diracGroup = result['Value']
gLogger.info("Default discovered group is %s" %
params.diracGroup)
gLogger.info("Checking DN %s" % userDN)
retVal = Registry.getUsernameForDN(userDN)
if not retVal['OK']:
gLogger.warn(retVal['Message'])
return S_ERROR("DN %s is not registered" % userDN)
username = retVal['Value']
gLogger.info("Username is %s" % username)
retVal = Registry.getGroupsForUser(username)
if not retVal['OK']:
gLogger.warn(retVal['Message'])
return S_ERROR("User %s has no groups defined" % username)
groups = retVal['Value']
if params.diracGroup not in groups:
return S_ERROR("Requested group %s is not valid for DN %s" %
(params.diracGroup, userDN))
gLogger.info("Creating proxy for %s@%s (%s)" %
(username, params.diracGroup, userDN))
if params.summary:
h = int(params.proxyLifeTime / 3600)
m = int(params.proxyLifeTime / 60) - h * 60
gLogger.notice("Proxy lifetime will be %02d:%02d" % (h, m))
gLogger.notice("User cert is %s" % certLoc)
gLogger.notice("User key is %s" % keyLoc)
gLogger.notice("Proxy will be written to %s" % proxyLoc)
if params.diracGroup:
gLogger.notice("DIRAC Group will be set to %s" % params.diracGroup)
else:
gLogger.notice("No DIRAC Group will be set")
gLogger.notice("Proxy strength will be %s" % params.proxyStrength)
if params.limitedProxy:
gLogger.notice("Proxy will be limited")
retVal = chain.generateProxyToFile(proxyLoc,
params.proxyLifeTime,
params.diracGroup,
strength=params.proxyStrength,
limited=params.limitedProxy)
if not retVal['OK']:
gLogger.warn(retVal['Message'])
return S_ERROR("Couldn't generate proxy: %s" % retVal['Message'])
return S_OK(proxyLoc)
def getCredentials(self, ignoreDefault=False):
""" Returns a summary of the credentials contained in the current chain
:params ignoreDefault: (default False) If True and if no DIRAC group is found in the proxy, lookup the CS
:returns: S_OK with the credential dict. Some parameters of the dict are always there, other depends
on the nature of the Chain
Always present:
* subject: str. The last DN in the chain
* issuer: str. The issuer of the last cert in the chain
* secondsLeft: validity of the chain in seconds (see :py:meth:`.getRemainingSecs`)
* isProxy: boolean (see :py:meth:`.isProxy`)
* isLimitedProxy: boolean (see :py:meth:`.isLimitedProxy`)
* validDN: boolean if the DN is known to DIRAC
* validGroup: False (see further definition)
Only for proxy:
* identity: If it is a normal proxy, it is the DN of the certificate.
If it is a PUSP, it contains the identity as in :py:meth:`.isPUSP`
* username: DIRAC username associated to the DN
(see :py:func:`DIRAC.ConfigurationSystem.Client.Helpers.Registry.getUsernameForDN`)
* group: DIRAC group, depending on ignoreDefault param(see :py:meth:`.getDIRACGroup`)
* validGroup: True if the group found is in the list of groups the user belongs to
* groupProperty: (only if validGroup) get the properties of the group
For Host certificate:
* group: always `hosts`
* hostname: name of the host as registered in the CS
(see :py:func:`DIRAC.ConfigurationSystem.Client.Helpers.Registry.getHostnameForDN`)
* validGroup: True
* groupProperties: host options
(see :py:func:`DIRAC.ConfigurationSystem.Client.Helpers.Registry.getHostOption`)
If it is a user certificate:
* username: like for proxy
* validDN: like proxy
"""
credDict = {
'subject':
str(self._certList[0].getSubjectDN()['Value']), # ['Value'] :(
'issuer': self._certList[0].getIssuerDN()['Value'], # ['Value'] :(
'secondsLeft': self.getRemainingSecs()['Value'],
'isProxy': self.__isProxy,
'isLimitedProxy': self.__isProxy and self.__isLimitedProxy,
'validDN': False,
'validGroup': False
}
if self.__isProxy:
credDict['identity'] = str(
self._certList[self.__firstProxyStep +
1].getSubjectDN()['Value']) # ['Value'] :(
# Check if we have the PUSP case
result = self.isPUSP()
if result['OK'] and result['Value']:
credDict['identity'] = result['Identity']
credDict['subproxyUser'] = result['SubproxyUser']
retVal = Registry.getUsernameForDN(credDict['identity'])
if not retVal['OK']:
return S_OK(credDict)
credDict['username'] = retVal['Value']
credDict['validDN'] = True
retVal = self.getDIRACGroup(ignoreDefault=ignoreDefault)
if retVal['OK']:
diracGroup = retVal['Value']
credDict['group'] = diracGroup
retVal = Registry.getGroupsForUser(credDict['username'])
if retVal['OK'] and diracGroup in retVal['Value']:
credDict['validGroup'] = True
credDict[
'groupProperties'] = Registry.getPropertiesForGroup(
diracGroup)
else:
retVal = Registry.getHostnameForDN(credDict['subject'])
if retVal['OK']:
credDict['group'] = 'hosts'
credDict['hostname'] = retVal['Value']
credDict['validDN'] = True
credDict['validGroup'] = True
credDict['groupProperties'] = Registry.getHostOption(
credDict['hostname'], 'Properties')
retVal = Registry.getUsernameForDN(credDict['subject'])
if retVal['OK']:
credDict['username'] = retVal['Value']
credDict['validDN'] = True
return S_OK(credDict)
