def uploadProxy(params): DIRAC.gLogger.info("Loading user proxy") proxyLoc = params.proxyLoc if not proxyLoc: proxyLoc = Locations.getDefaultProxyLocation() if not proxyLoc: return S_ERROR("Can't find any proxy") if params.onTheFly: DIRAC.gLogger.info("Uploading proxy on-the-fly") certLoc = params.certLoc keyLoc = params.keyLoc if not certLoc or not keyLoc: cakLoc = Locations.getCertificateAndKeyLocation() if not cakLoc: return S_ERROR("Can't find user certificate and key") if not certLoc: certLoc = cakLoc[0] if not keyLoc: keyLoc = cakLoc[1] DIRAC.gLogger.info("Cert file %s" % certLoc) DIRAC.gLogger.info("Key file %s" % keyLoc) testChain = X509Chain() retVal = testChain.loadKeyFromFile(keyLoc, password=params.userPasswd) if not retVal['OK']: passwdPrompt = "Enter Certificate password:"******"\n") else: userPasswd = getpass.getpass(passwdPrompt) params.userPasswd = userPasswd DIRAC.gLogger.info("Loading cert and key") chain = X509Chain() # Load user cert and key retVal = chain.loadChainFromFile(certLoc) if not retVal['OK']: return S_ERROR("Can't load %s" % certLoc) retVal = chain.loadKeyFromFile(keyLoc, password=params.userPasswd) if not retVal['OK']: return S_ERROR("Can't load %s" % keyLoc) DIRAC.gLogger.info("User credentials loaded") restrictLifeTime = params.proxyLifeTime else: proxyChain = X509Chain() retVal = proxyChain.loadProxyFromFile(proxyLoc) if not retVal['OK']: return S_ERROR("Can't load proxy file %s: %s" % (params.proxyLoc, retVal['Message'])) chain = proxyChain restrictLifeTime = 0 DIRAC.gLogger.info(" Uploading...") return gProxyManager.uploadProxy(proxy=chain, restrictLifeTime=restrictLifeTime, rfcIfPossible=params.rfcIfPossible)
def main(): """ main program entry point """ options = Params() options.registerCLISwitches() Script.parseCommandLine(ignoreErrors=True) if options.delete_all and options.vos: gLogger.error( "-a and -v options are mutually exclusive. Please pick one or the other." ) return 1 proxyLoc = Locations.getDefaultProxyLocation() if not os.path.exists(proxyLoc): gLogger.error("No local proxy found in %s, exiting." % proxyLoc) return 1 result = ProxyInfo.getProxyInfo(proxyLoc, True) if not result['OK']: raise RuntimeError('Failed to get local proxy info.') if result['Value']['secondsLeft'] < 60 and options.needsValidProxy(): raise RuntimeError( 'Lifetime of local proxy too short, please renew proxy.') userDN = result['Value']['identity'] if options.delete_all: # delete remote proxies remote_groups = getProxyGroups() if not remote_groups: gLogger.notice('No remote proxies found.') for vo_group in remote_groups: deleteRemoteProxy(userDN, vo_group) # delete local proxy deleteLocalProxy(proxyLoc) elif options.vos: vo_groups = set() for voname in options.vos: vo_groups.update(mapVoToGroups(voname)) # filter set of all groups to only contain groups for which there is a user proxy user_groups = getProxyGroups() vo_groups.intersection_update(user_groups) if not vo_groups: gLogger.notice( 'You have no proxies registered for any of the specified VOs.') for group in vo_groups: deleteRemoteProxy(userDN, group) else: deleteLocalProxy(proxyLoc) return 0
def main(): """ main program entry point """ options = Params() options.registerCLISwitches() Script.parseCommandLine( ignoreErrors = True ) if options.delete_all and options.vos: gLogger.error( "-a and -v options are mutually exclusive. Please pick one or the other." ) return 1 proxyLoc = Locations.getDefaultProxyLocation() if not os.path.exists( proxyLoc ): gLogger.error( "No local proxy found in %s, exiting." % proxyLoc ) return 1 result = ProxyInfo.getProxyInfo( proxyLoc, True ) if not result[ 'OK' ]: raise RuntimeError( 'Failed to get local proxy info.' ) if result[ 'Value' ][ 'secondsLeft' ] < 60 and options.needsValidProxy(): raise RuntimeError( 'Lifetime of local proxy too short, please renew proxy.' ) userDN=result[ 'Value' ][ 'identity' ] if options.delete_all: # delete remote proxies remote_groups = getProxyGroups() if not remote_groups: gLogger.notice( 'No remote proxies found.' ) for vo_group in remote_groups: deleteRemoteProxy( userDN, vo_group ) # delete local proxy deleteLocalProxy( proxyLoc ) elif options.vos: vo_groups = set() for voname in options.vos: vo_groups.update(mapVoToGroups( voname ) ) # filter set of all groups to only contain groups for which there is a user proxy user_groups = getProxyGroups() vo_groups.intersection_update( user_groups ) if not vo_groups: gLogger.notice( 'You have no proxies registered for any of the specified VOs.' ) for group in vo_groups: deleteRemoteProxy( userDN, group ) else: deleteLocalProxy( proxyLoc ) return 0
def generateProxy( params ): if params.checkClock: result = getClockDeviation() if result[ 'OK' ]: deviation = result[ 'Value' ] if deviation > 600: gLogger.error( "Your host clock seems to be off by more than TEN MINUTES! Thats really bad." ) gLogger.error( "We're cowardly refusing to generate a proxy. Please fix your system time" ) sys.exit( 1 ) elif deviation > 180: gLogger.error( "Your host clock seems to be off by more than THREE minutes! Thats bad." ) gLogger.notice( "We'll generate the proxy but please fix your system time" ) elif deviation > 60: gLogger.error( "Your host clock seems to be off by more than a minute! Thats not good." ) gLogger.notice( "We'll generate the proxy but please fix your system time" ) certLoc = params.certLoc keyLoc = params.keyLoc if not certLoc or not keyLoc: cakLoc = Locations.getCertificateAndKeyLocation() if not cakLoc: return S_ERROR( "Can't find user certificate and key" ) if not certLoc: certLoc = cakLoc[0] if not keyLoc: keyLoc = cakLoc[1] params.certLoc = certLoc params.keyLoc = keyLoc #Load password testChain = X509Chain() retVal = testChain.loadChainFromFile( params.certLoc ) if not retVal[ 'OK' ]: return S_ERROR( "Cannot load certificate %s: %s" % ( params.certLoc, retVal[ 'Message' ] ) ) timeLeft = testChain.getRemainingSecs()[ 'Value' ] / 86400 if timeLeft < 30: gLogger.notice( "\nYour certificate will expire in %d days. Please renew it!\n" % timeLeft ) retVal = testChain.loadKeyFromFile( params.keyLoc, password = params.userPasswd ) if not retVal[ 'OK' ]: passwdPrompt = "Enter Certificate password:"******"\n" ) else: userPasswd = getpass.getpass( passwdPrompt ) params.userPasswd = userPasswd #Find location proxyLoc = params.proxyLoc if not proxyLoc: proxyLoc = Locations.getDefaultProxyLocation() chain = X509Chain() #Load user cert and key retVal = chain.loadChainFromFile( certLoc ) if not retVal[ 'OK' ]: gLogger.warn( retVal[ 'Message' ] ) return S_ERROR( "Can't load %s" % certLoc ) retVal = chain.loadKeyFromFile( keyLoc, password = params.userPasswd ) if not retVal[ 'OK' ]: gLogger.warn( retVal[ 'Message' ] ) if 'bad decrypt' in retVal[ 'Message' ]: return S_ERROR( "Bad passphrase" ) return S_ERROR( "Can't load %s" % keyLoc ) if params.checkWithCS: retVal = chain.generateProxyToFile( proxyLoc, params.proxyLifeTime, strength = params.proxyStrength, limited = params.limitedProxy, rfc = params.rfc ) gLogger.info( "Contacting CS..." ) retVal = Script.enableCS() if not retVal[ 'OK' ]: gLogger.warn( retVal[ 'Message' ] ) if 'Unauthorized query' in retVal[ 'Message' ]: # add hint for users return S_ERROR( "Can't contact DIRAC CS: %s (User possibly not registered with dirac server) " % retVal[ 'Message' ] ) return S_ERROR( "Can't contact DIRAC CS: %s" % retVal[ 'Message' ] ) userDN = chain.getCertInChain( -1 )['Value'].getSubjectDN()['Value'] if not params.diracGroup: result = Registry.findDefaultGroupForDN( userDN ) if not result[ 'OK' ]: gLogger.warn( "Could not get a default group for DN %s: %s" % ( userDN, result[ 'Message' ] ) ) else: params.diracGroup = result[ 'Value' ] gLogger.info( "Default discovered group is %s" % params.diracGroup ) gLogger.info( "Checking DN %s" % userDN ) retVal = Registry.getUsernameForDN( userDN ) if not retVal[ 'OK' ]: gLogger.warn( retVal[ 'Message' ] ) return S_ERROR( "DN %s is not registered" % userDN ) username = retVal[ 'Value' ] gLogger.info( "Username is %s" % username ) retVal = Registry.getGroupsForUser( username ) if not retVal[ 'OK' ]: gLogger.warn( retVal[ 'Message' ] ) return S_ERROR( "User %s has no groups defined" % username ) groups = retVal[ 'Value' ] if params.diracGroup not in groups: return S_ERROR( "Requested group %s is not valid for DN %s" % ( params.diracGroup, userDN ) ) gLogger.info( "Creating proxy for %s@%s (%s)" % ( username, params.diracGroup, userDN ) ) if params.summary: h = int( params.proxyLifeTime / 3600 ) m = int( params.proxyLifeTime / 60 ) - h * 60 gLogger.notice( "Proxy lifetime will be %02d:%02d" % ( h, m ) ) gLogger.notice( "User cert is %s" % certLoc ) gLogger.notice( "User key is %s" % keyLoc ) gLogger.notice( "Proxy will be written to %s" % proxyLoc ) if params.diracGroup: gLogger.notice( "DIRAC Group will be set to %s" % params.diracGroup ) else: gLogger.notice( "No DIRAC Group will be set" ) gLogger.notice( "Proxy strength will be %s" % params.proxyStrength ) if params.limitedProxy: gLogger.notice( "Proxy will be limited" ) retVal = chain.generateProxyToFile( proxyLoc, params.proxyLifeTime, params.diracGroup, strength = params.proxyStrength, limited = params.limitedProxy, rfc = params.rfc ) if not retVal[ 'OK' ]: gLogger.warn( retVal[ 'Message' ] ) return S_ERROR( "Couldn't generate proxy: %s" % retVal[ 'Message' ] ) return S_OK( proxyLoc )
def uploadProxy( params ): DIRAC.gLogger.info( "Loading user proxy" ) proxyLoc = params.proxyLoc if not proxyLoc: proxyLoc = Locations.getDefaultProxyLocation() if not proxyLoc: return S_ERROR( "Can't find any proxy" ) if params.onTheFly: DIRAC.gLogger.info( "Uploading proxy on-the-fly" ) certLoc = params.certLoc keyLoc = params.keyLoc if not certLoc or not keyLoc: cakLoc = Locations.getCertificateAndKeyLocation() if not cakLoc: return S_ERROR( "Can't find user certificate and key" ) if not certLoc: certLoc = cakLoc[0] if not keyLoc: keyLoc = cakLoc[1] DIRAC.gLogger.info( "Cert file %s" % certLoc ) DIRAC.gLogger.info( "Key file %s" % keyLoc ) testChain = X509Chain() retVal = testChain.loadKeyFromFile( keyLoc, password = params.userPasswd ) if not retVal[ 'OK' ]: passwdPrompt = "Enter Certificate password:"******"\n" ) else: userPasswd = getpass.getpass( passwdPrompt ) params.userPasswd = userPasswd DIRAC.gLogger.info( "Loading cert and key" ) chain = X509Chain() #Load user cert and key retVal = chain.loadChainFromFile( certLoc ) if not retVal[ 'OK' ]: return S_ERROR( "Can't load %s" % certLoc ) retVal = chain.loadKeyFromFile( keyLoc, password = params.userPasswd ) if not retVal[ 'OK' ]: return S_ERROR( "Can't load %s" % keyLoc ) DIRAC.gLogger.info( "User credentials loaded" ) diracGroup = params.diracGroup if not diracGroup: result = chain.getCredentials() if not result['OK']: return result if 'group' not in result['Value']: return S_ERROR( 'Can not get Group from existing credentials' ) diracGroup = result['Value']['group'] restrictLifeTime = params.proxyLifeTime else: proxyChain = X509Chain() retVal = proxyChain.loadProxyFromFile( proxyLoc ) if not retVal[ 'OK' ]: return S_ERROR( "Can't load proxy file %s: %s" % ( params.proxyLoc, retVal[ 'Message' ] ) ) chain = proxyChain diracGroup = params.diracGroup if params.diracGroup: # Check that there is no conflict with the already present DIRAC group result = chain.getDIRACGroup( ignoreDefault = True ) if result['OK'] and result['Value'] and result['Value'] == params.diracGroup: # No need to embed a new DIRAC group diracGroup = False restrictLifeTime = 0 DIRAC.gLogger.info( " Uploading..." ) return gProxyManager.uploadProxy( chain, diracGroup, restrictLifeTime = restrictLifeTime, rfcIfPossible = params.rfcIfPossible )
def uploadProxy( params ): DIRAC.gLogger.info( "Loading user proxy" ) proxyLoc = params.proxyLoc if not proxyLoc: proxyLoc = Locations.getDefaultProxyLocation() if not proxyLoc: return S_ERROR( "Can't find any proxy" ) proxyChain = X509Chain() retVal = proxyChain.loadProxyFromFile( proxyLoc ) if not retVal[ 'OK' ]: return S_ERROR( "Can't load proxy file %s: %s" % ( params.proxyLoc, retVal[ 'Message' ] ) ) if params.onTheFly: DIRAC.gLogger.info( "Uploading proxy on-the-fly" ) certLoc = params.certLoc keyLoc = params.keyLoc if not certLoc or not keyLoc: cakLoc = Locations.getCertificateAndKeyLocation() if not cakLoc: return S_ERROR( "Can't find user certificate and key" ) if not certLoc: certLoc = cakLoc[0] if not keyLoc: keyLoc = cakLoc[1] DIRAC.gLogger.info( "Cert file %s" % certLoc ) DIRAC.gLogger.info( "Key file %s" % keyLoc ) testChain = X509Chain() retVal = testChain.loadKeyFromFile( keyLoc, password = params.userPasswd ) if not retVal[ 'OK' ]: passwdPrompt = "Enter Certificate password:"******"\n" ) else: userPasswd = getpass.getpass( passwdPrompt ) params.userPasswd = userPasswd DIRAC.gLogger.info( "Loading cert and key" ) chain = X509Chain() #Load user cert and key retVal = chain.loadChainFromFile( certLoc ) if not retVal[ 'OK' ]: return S_ERROR( "Can't load %s" % certLoc ) retVal = chain.loadKeyFromFile( keyLoc, password = params.userPasswd ) if not retVal[ 'OK' ]: return S_ERROR( "Can't load %s" % keyLoc ) DIRAC.gLogger.info( "User credentials loaded" ) diracGroup = params.diracGroup if not diracGroup: diracGroup = CS.getDefaultUserGroup() restrictLifeTime = params.proxyLifeTime else: chain = proxyChain diracGroup = False restrictLifeTime = 0 DIRAC.gLogger.info( " Uploading..." ) return gProxyManager.uploadProxy( chain, diracGroup, restrictLifeTime = restrictLifeTime )
def uploadProxy(params): DIRAC.gLogger.info("Loading user proxy") proxyLoc = params.proxyLoc if not proxyLoc: proxyLoc = Locations.getDefaultProxyLocation() if not proxyLoc: return S_ERROR("Can't find any proxy") if params.onTheFly: DIRAC.gLogger.info("Uploading proxy on-the-fly") certLoc = params.certLoc keyLoc = params.keyLoc if not certLoc or not keyLoc: cakLoc = Locations.getCertificateAndKeyLocation() if not cakLoc: return S_ERROR("Can't find user certificate and key") if not certLoc: certLoc = cakLoc[0] if not keyLoc: keyLoc = cakLoc[1] DIRAC.gLogger.info("Cert file %s" % certLoc) DIRAC.gLogger.info("Key file %s" % keyLoc) testChain = X509Chain() retVal = testChain.loadKeyFromFile(keyLoc, password=params.userPasswd) if not retVal['OK']: passwdPrompt = "Enter Certificate password:"******"\n") else: userPasswd = getpass.getpass(passwdPrompt) params.userPasswd = userPasswd DIRAC.gLogger.info("Loading cert and key") chain = X509Chain() # Load user cert and key retVal = chain.loadChainFromFile(certLoc) if not retVal['OK']: return S_ERROR("Can't load %s" % certLoc) retVal = chain.loadKeyFromFile(keyLoc, password=params.userPasswd) if not retVal['OK']: return S_ERROR("Can't load %s" % keyLoc) DIRAC.gLogger.info("User credentials loaded") diracGroup = params.diracGroup if not diracGroup: result = chain.getCredentials() if not result['OK']: return result if 'group' not in result['Value']: return S_ERROR('Can not get Group from existing credentials') diracGroup = result['Value']['group'] restrictLifeTime = params.proxyLifeTime else: proxyChain = X509Chain() retVal = proxyChain.loadProxyFromFile(proxyLoc) if not retVal['OK']: return S_ERROR("Can't load proxy file %s: %s" % (params.proxyLoc, retVal['Message'])) chain = proxyChain diracGroup = params.diracGroup if params.diracGroup: # Check that there is no conflict with the already present DIRAC group result = chain.getDIRACGroup(ignoreDefault=True) if result['OK'] and result['Value'] and result['Value'] == params.diracGroup: # No need to embed a new DIRAC group diracGroup = False restrictLifeTime = 0 DIRAC.gLogger.info(" Uploading...") return gProxyManager.uploadProxy( chain, diracGroup, restrictLifeTime=restrictLifeTime, rfcIfPossible=params.rfcIfPossible)
def generateProxy(params): if params.checkClock: result = getClockDeviation() if result['OK']: deviation = result['Value'] if deviation > 600: gLogger.error( "Your host clock seems to be off by more than TEN MINUTES! Thats really bad." ) gLogger.error( "We're cowardly refusing to generate a proxy. Please fix your system time" ) sys.exit(1) elif deviation > 180: gLogger.error( "Your host clock seems to be off by more than THREE minutes! Thats bad." ) gLogger.notice( "We'll generate the proxy but please fix your system time") elif deviation > 60: gLogger.error( "Your host clock seems to be off by more than a minute! Thats not good." ) gLogger.notice( "We'll generate the proxy but please fix your system time") certLoc = params.certLoc keyLoc = params.keyLoc if not certLoc or not keyLoc: cakLoc = Locations.getCertificateAndKeyLocation() if not cakLoc: return S_ERROR("Can't find user certificate and key") if not certLoc: certLoc = cakLoc[0] if not keyLoc: keyLoc = cakLoc[1] params.certLoc = certLoc params.keyLoc = keyLoc #Load password testChain = X509Chain() retVal = testChain.loadChainFromFile(params.certLoc) if not retVal['OK']: return S_ERROR("Cannot load certificate %s: %s" % (params.certLoc, retVal['Message'])) timeLeft = testChain.getRemainingSecs()['Value'] / 86400 if timeLeft < 30: gLogger.notice( "\nYour certificate will expire in %d days. Please renew it!\n" % timeLeft) retVal = testChain.loadKeyFromFile(params.keyLoc, password=params.userPasswd) if not retVal['OK']: passwdPrompt = "Enter Certificate password:"******"\n") else: userPasswd = getpass.getpass(passwdPrompt) params.userPasswd = userPasswd #Find location proxyLoc = params.proxyLoc if not proxyLoc: proxyLoc = Locations.getDefaultProxyLocation() chain = X509Chain() #Load user cert and key retVal = chain.loadChainFromFile(certLoc) if not retVal['OK']: gLogger.warn(retVal['Message']) return S_ERROR("Can't load %s" % certLoc) retVal = chain.loadKeyFromFile(keyLoc, password=params.userPasswd) if not retVal['OK']: gLogger.warn(retVal['Message']) if 'bad decrypt' in retVal['Message']: return S_ERROR("Bad passphrase") return S_ERROR("Can't load %s" % keyLoc) if params.checkWithCS: retVal = chain.generateProxyToFile(proxyLoc, params.proxyLifeTime, strength=params.proxyStrength, limited=params.limitedProxy) gLogger.info("Contacting CS...") retVal = Script.enableCS() if not retVal['OK']: gLogger.warn(retVal['Message']) if 'Unauthorized query' in retVal['Message']: # add hint for users return S_ERROR( "Can't contact DIRAC CS: %s (User possibly not registered with dirac server) " % retVal['Message']) return S_ERROR("Can't contact DIRAC CS: %s" % retVal['Message']) userDN = chain.getCertInChain(-1)['Value'].getSubjectDN()['Value'] if not params.diracGroup: result = Registry.findDefaultGroupForDN(userDN) if not result['OK']: gLogger.warn("Could not get a default group for DN %s: %s" % (userDN, result['Message'])) else: params.diracGroup = result['Value'] gLogger.info("Default discovered group is %s" % params.diracGroup) gLogger.info("Checking DN %s" % userDN) retVal = Registry.getUsernameForDN(userDN) if not retVal['OK']: gLogger.warn(retVal['Message']) return S_ERROR("DN %s is not registered" % userDN) username = retVal['Value'] gLogger.info("Username is %s" % username) retVal = Registry.getGroupsForUser(username) if not retVal['OK']: gLogger.warn(retVal['Message']) return S_ERROR("User %s has no groups defined" % username) groups = retVal['Value'] if params.diracGroup not in groups: return S_ERROR("Requested group %s is not valid for DN %s" % (params.diracGroup, userDN)) gLogger.info("Creating proxy for %s@%s (%s)" % (username, params.diracGroup, userDN)) if params.summary: h = int(params.proxyLifeTime / 3600) m = int(params.proxyLifeTime / 60) - h * 60 gLogger.notice("Proxy lifetime will be %02d:%02d" % (h, m)) gLogger.notice("User cert is %s" % certLoc) gLogger.notice("User key is %s" % keyLoc) gLogger.notice("Proxy will be written to %s" % proxyLoc) if params.diracGroup: gLogger.notice("DIRAC Group will be set to %s" % params.diracGroup) else: gLogger.notice("No DIRAC Group will be set") gLogger.notice("Proxy strength will be %s" % params.proxyStrength) if params.limitedProxy: gLogger.notice("Proxy will be limited") retVal = chain.generateProxyToFile(proxyLoc, params.proxyLifeTime, params.diracGroup, strength=params.proxyStrength, limited=params.limitedProxy) if not retVal['OK']: gLogger.warn(retVal['Message']) return S_ERROR("Couldn't generate proxy: %s" % retVal['Message']) return S_OK(proxyLoc)
def generateProxy(params): if params.checkClock: result = getClockDeviation() if result['OK']: deviation = result['Value'] if deviation > 600: print "Error: Your host clock seems to be off by more than TEN MINUTES! Thats really bad." print "We're cowardly refusing to generate a proxy. Please fix your system time" DIRAC.exit(1) elif deviation > 180: print "Error: Your host clock seems to be off by more than THREE minutes! Thats bad." print "Warn : We'll generate the proxy but please fix your system time" elif deviation > 60: print "Error: Your host clock seems to be off by more than a minute! Thats not good." print "Warn : We'll generate the proxy but please fix your system time" certLoc = params.certLoc keyLoc = params.keyLoc if not certLoc or not keyLoc: cakLoc = Locations.getCertificateAndKeyLocation() if not cakLoc: return S_ERROR("Can't find user certificate and key") if not certLoc: certLoc = cakLoc[0] if not keyLoc: keyLoc = cakLoc[1] testChain = X509Chain() retVal = testChain.loadKeyFromFile(keyLoc, password=params.userPasswd) if not retVal['OK']: passwdPrompt = "Enter Certificate password:"******"\n") else: userPasswd = getpass.getpass(passwdPrompt) params.userPasswd = userPasswd proxyLoc = params.proxyLoc if not proxyLoc: proxyLoc = Locations.getDefaultProxyLocation() if params.debug: h = int(params.proxyLifeTime / 3600) m = int(params.proxyLifeTime / 60) - h * 60 print "Proxy lifetime will be %02d:%02d" % (h, m) print "User cert is %s" % certLoc print "User key is %s" % keyLoc print "Proxy will be written to %s" % proxyLoc if params.diracGroup: print "DIRAC Group will be set to %s" % params.diracGroup else: print "No DIRAC Group will be set" print "Proxy strength will be %s" % params.proxyStrength if params.limitedProxy: print "Proxy will be limited" chain = X509Chain() #Load user cert and key retVal = chain.loadChainFromFile(certLoc) if not retVal['OK']: params.debugMsg("ERROR: %s" % retVal['Message']) return S_ERROR("Can't load %s" % certLoc) retVal = chain.loadKeyFromFile(keyLoc, password=params.userPasswd) if not retVal['OK']: params.debugMsg("ERROR: %s" % retVal['Message']) return S_ERROR("Can't load %s" % keyLoc) if params.checkWithCS and params.diracGroup: retVal = chain.generateProxyToFile(proxyLoc, params.proxyLifeTime, strength=params.proxyStrength, limited=params.limitedProxy) params.debugMsg("Contacting CS...") retVal = Script.enableCS() if not retVal['OK']: params.debugMsg("ERROR: %s" % retVal['Message']) return S_ERROR("Can't contact DIRAC CS: %s" % retVal['Message']) if not params.diracGroup: params.diracGroup = CS.getDefaultUserGroup() userDN = chain.getCertInChain(-1)['Value'].getSubjectDN()['Value'] params.debugMsg("Checking DN %s" % userDN) retVal = CS.getUsernameForDN(userDN) if not retVal['OK']: params.debugMsg("ERROR: %s" % retVal['Message']) return S_ERROR("DN %s is not registered" % userDN) username = retVal['Value'] params.debugMsg("Username is %s" % username) retVal = CS.getGroupsForUser(username) if not retVal['OK']: params.debugMsg("ERROR: %s" % retVal['Message']) return S_ERROR("User %s has no groups defined" % username) groups = retVal['Value'] if params.diracGroup not in groups: return S_ERROR("Requested group %s is not valid for user %s" % (params.diracGroup, username)) params.debugMsg("Creating proxy for %s@%s (%s)" % (username, params.diracGroup, userDN)) retVal = chain.generateProxyToFile(proxyLoc, params.proxyLifeTime, params.diracGroup, strength=params.proxyStrength, limited=params.limitedProxy) if not retVal['OK']: params.debugMsg("ERROR: %s" % retVal['Message']) return S_ERROR("Couldn't generate proxy: %s" % retVal['Message']) return S_OK(proxyLoc)
def generateProxy( params ): if params.checkClock: result = getClockDeviation() if result[ 'OK' ]: deviation = result[ 'Value' ] if deviation > 600: print "Error: Your host clock seems to be off by more than TEN MINUTES! Thats really bad." print "We're cowardly refusing to generate a proxy. Please fix your system time" DIRAC.exit( 1 ) elif deviation > 180: print "Error: Your host clock seems to be off by more than THREE minutes! Thats bad." print "Warn : We'll generate the proxy but please fix your system time" elif deviation > 60: print "Error: Your host clock seems to be off by more than a minute! Thats not good." print "Warn : We'll generate the proxy but please fix your system time" certLoc = params.certLoc keyLoc = params.keyLoc if not certLoc or not keyLoc: cakLoc = Locations.getCertificateAndKeyLocation() if not cakLoc: return S_ERROR( "Can't find user certificate and key" ) if not certLoc: certLoc = cakLoc[0] if not keyLoc: keyLoc = cakLoc[1] testChain = X509Chain() retVal = testChain.loadKeyFromFile( keyLoc, password = params.userPasswd ) if not retVal[ 'OK' ]: passwdPrompt = "Enter Certificate password:"******"\n" ) else: userPasswd = getpass.getpass( passwdPrompt ) params.userPasswd = userPasswd proxyLoc = params.proxyLoc if not proxyLoc: proxyLoc = Locations.getDefaultProxyLocation() if params.debug: h = int( params.proxyLifeTime / 3600 ) m = int( params.proxyLifeTime / 60 ) - h * 60 print "Proxy lifetime will be %02d:%02d" % ( h, m ) print "User cert is %s" % certLoc print "User key is %s" % keyLoc print "Proxy will be written to %s" % proxyLoc if params.diracGroup: print "DIRAC Group will be set to %s" % params.diracGroup else: print "No DIRAC Group will be set" print "Proxy strength will be %s" % params.proxyStrength if params.limitedProxy: print "Proxy will be limited" chain = X509Chain() #Load user cert and key retVal = chain.loadChainFromFile( certLoc ) if not retVal[ 'OK' ]: params.debugMsg( "ERROR: %s" % retVal[ 'Message' ] ) return S_ERROR( "Can't load %s" % certLoc ) retVal = chain.loadKeyFromFile( keyLoc, password = params.userPasswd ) if not retVal[ 'OK' ]: params.debugMsg( "ERROR: %s" % retVal[ 'Message' ] ) return S_ERROR( "Can't load %s" % keyLoc ) if params.checkWithCS and params.diracGroup: retVal = chain.generateProxyToFile( proxyLoc, params.proxyLifeTime, strength = params.proxyStrength, limited = params.limitedProxy ) params.debugMsg( "Contacting CS..." ) retVal = Script.enableCS() if not retVal[ 'OK' ]: params.debugMsg( "ERROR: %s" % retVal[ 'Message' ] ) return S_ERROR( "Can't contact DIRAC CS: %s" % retVal[ 'Message' ] ) if not params.diracGroup: params.diracGroup = CS.getDefaultUserGroup() userDN = chain.getCertInChain( -1 )['Value'].getSubjectDN()['Value'] params.debugMsg( "Checking DN %s" % userDN ) retVal = CS.getUsernameForDN( userDN ) if not retVal[ 'OK' ]: params.debugMsg( "ERROR: %s" % retVal[ 'Message' ] ) return S_ERROR( "DN %s is not registered" % userDN ) username = retVal[ 'Value' ] params.debugMsg( "Username is %s" % username ) retVal = CS.getGroupsForUser( username ) if not retVal[ 'OK' ]: params.debugMsg( "ERROR: %s" % retVal[ 'Message' ] ) return S_ERROR( "User %s has no groups defined" % username ) groups = retVal[ 'Value' ] if params.diracGroup not in groups: return S_ERROR( "Requested group %s is not valid for user %s" % ( params.diracGroup, username ) ) params.debugMsg( "Creating proxy for %s@%s (%s)" % ( username, params.diracGroup, userDN ) ) retVal = chain.generateProxyToFile( proxyLoc, params.proxyLifeTime, params.diracGroup, strength = params.proxyStrength, limited = params.limitedProxy ) if not retVal[ 'OK' ]: params.debugMsg( "ERROR: %s" % retVal[ 'Message' ] ) return S_ERROR( "Couldn't generate proxy: %s" % retVal[ 'Message' ] ) return S_OK( proxyLoc )