def main(): params = Params() Script.registerSwitch("f:", "file=", "File to use as proxy", params.setProxyLocation) Script.registerSwitch("D", "DN", "Use DN as myproxy username", params.setDNAsUsername) Script.addDefaultOptionValue("LogLevel", "always") Script.parseCommandLine() from DIRAC.Core.Security.MyProxy import MyProxy from DIRAC.Core.Security import Locations if not params.proxyLoc: params.proxyLoc = Locations.getProxyLocation() if not params.proxyLoc: print("Can't find any valid proxy") sys.exit(1) print("Uploading proxy file %s" % params.proxyLoc) mp = MyProxy() retVal = mp.uploadProxy(params.proxyLoc, params.dnAsUsername) if not retVal["OK"]: print("Can't upload proxy:") print(" ", retVal["Message"]) sys.exit(1) print("Proxy uploaded") sys.exit(0)
def uploadProxy(self, proxy=None, restrictLifeTime: int = 0, rfcIfPossible=None): """Upload a proxy to the proxy management service using delegation :param X509Chain proxy: proxy as a chain :param restrictLifeTime: proxy live time in a seconds :return: S_OK(dict)/S_ERROR() -- dict contain proxies """ if rfcIfPossible is not None: if os.environ.get("DIRAC_DEPRECATED_FAIL", None): raise NotImplementedError( "'rfcIfPossible' argument is deprecated.") gLogger.warn("'rfcIfPossible' argument is deprecated.") # Discover proxy location if isinstance(proxy, X509Chain): chain = proxy proxyLocation = "" else: if not proxy: proxyLocation = Locations.getProxyLocation() if not proxyLocation: return S_ERROR("Can't find a valid proxy") elif isinstance(proxy, str): proxyLocation = proxy else: return S_ERROR("Can't find a valid proxy") chain = X509Chain() result = chain.loadProxyFromFile(proxyLocation) if not result["OK"]: return S_ERROR( f"Can't load {proxyLocation}: {result['Message']}") # Make sure it's valid if chain.hasExpired().get("Value"): return S_ERROR(f"Proxy {proxyLocation} has expired") if chain.getDIRACGroup(ignoreDefault=True).get( "Value") or chain.isVOMS().get("Value"): return S_ERROR( "Cannot upload proxy with DIRAC group or VOMS extensions") rpcClient = Client(url="Framework/ProxyManager", timeout=120) # Get a delegation request result = rpcClient.requestDelegationUpload() if not result["OK"]: return result reqDict = result["Value"] # Generate delegated chain chainLifeTime = chain.getRemainingSecs()["Value"] - 60 if restrictLifeTime and restrictLifeTime < chainLifeTime: chainLifeTime = restrictLifeTime result = chain.generateChainFromRequestString(reqDict["request"], lifetime=chainLifeTime) if result["OK"]: result = rpcClient.completeDelegationUpload( reqDict["id"], pemChain := result["Value"]) return result
def uploadProxy(self, proxy=None, restrictLifeTime=0, rfcIfPossible=False): """ Upload a proxy to the proxy management service using delegation :param X509Chain proxy: proxy as a chain :param int restrictLifeTime: proxy live time in a seconds :param boolean rfcIfPossible: make rfc proxy if possible :return: S_OK(dict)/S_ERROR() -- dict contain proxies """ # Discover proxy location if isinstance(proxy, X509Chain): chain = proxy proxyLocation = "" else: if not proxy: proxyLocation = Locations.getProxyLocation() if not proxyLocation: return S_ERROR("Can't find a valid proxy") elif isinstance(proxy, six.string_types): proxyLocation = proxy else: return S_ERROR("Can't find a valid proxy") chain = X509Chain() result = chain.loadProxyFromFile(proxyLocation) if not result['OK']: return S_ERROR("Can't load %s: %s " % (proxyLocation, result['Message'])) # Make sure it's valid if chain.hasExpired().get('Value'): return S_ERROR("Proxy %s has expired" % proxyLocation) if chain.getDIRACGroup().get('Value') or chain.isVOMS().get('Value'): return S_ERROR( "Cannot upload proxy with DIRAC group or VOMS extensions") rpcClient = RPCClient("Framework/ProxyManager", timeout=120) # Get a delegation request # WARN: Since v7r1 requestDelegationUpload method use only first argument! # WARN: Second argument for compatibility with older versions result = rpcClient.requestDelegationUpload( chain.getRemainingSecs()['Value'], None) if not result['OK']: return result reqDict = result['Value'] # Generate delegated chain chainLifeTime = chain.getRemainingSecs()['Value'] - 60 if restrictLifeTime and restrictLifeTime < chainLifeTime: chainLifeTime = restrictLifeTime retVal = chain.generateChainFromRequestString(reqDict['request'], lifetime=chainLifeTime, rfc=rfcIfPossible) if not retVal['OK']: return retVal # Upload! result = rpcClient.completeDelegationUpload(reqDict['id'], retVal['Value']) if not result['OK']: return result return S_OK(result.get('proxies') or result['Value'])
def uploadProxy(self, proxy=None, restrictLifeTime=0, rfcIfPossible=False): """Upload a proxy to the proxy management service using delegation :param X509Chain proxy: proxy as a chain :param int restrictLifeTime: proxy live time in a seconds :param boolean rfcIfPossible: make rfc proxy if possible :return: S_OK(dict)/S_ERROR() -- dict contain proxies """ # Discover proxy location if isinstance(proxy, X509Chain): chain = proxy proxyLocation = "" else: if not proxy: proxyLocation = Locations.getProxyLocation() if not proxyLocation: return S_ERROR("Can't find a valid proxy") elif isinstance(proxy, six.string_types): proxyLocation = proxy else: return S_ERROR("Can't find a valid proxy") chain = X509Chain() result = chain.loadProxyFromFile(proxyLocation) if not result["OK"]: return S_ERROR("Can't load %s: %s " % (proxyLocation, result["Message"])) # Make sure it's valid if chain.hasExpired().get("Value"): return S_ERROR("Proxy %s has expired" % proxyLocation) if chain.getDIRACGroup(ignoreDefault=True).get( "Value") or chain.isVOMS().get("Value"): return S_ERROR( "Cannot upload proxy with DIRAC group or VOMS extensions") rpcClient = Client(url="Framework/ProxyManager", timeout=120) # Get a delegation request result = rpcClient.requestDelegationUpload( chain.getRemainingSecs()["Value"]) if not result["OK"]: return result reqDict = result["Value"] # Generate delegated chain chainLifeTime = chain.getRemainingSecs()["Value"] - 60 if restrictLifeTime and restrictLifeTime < chainLifeTime: chainLifeTime = restrictLifeTime retVal = chain.generateChainFromRequestString(reqDict["request"], lifetime=chainLifeTime, rfc=rfcIfPossible) if not retVal["OK"]: return retVal # Upload! result = rpcClient.completeDelegationUpload(reqDict["id"], retVal["Value"]) if not result["OK"]: return result return S_OK(result.get("proxies") or result["Value"])
def uploadProxy( self, proxy = False, diracGroup = False, chainToConnect = False, restrictLifeTime = 0, rfcIfPossible = False ): """ Upload a proxy to the proxy management service using delegation """ #Discover proxy location if type( proxy ) == g_X509ChainType: chain = proxy proxyLocation = "" else: if not proxy: proxyLocation = Locations.getProxyLocation() if not proxyLocation: return S_ERROR( "Can't find a valid proxy" ) elif isinstance( proxy, basestring ): proxyLocation = proxy else: return S_ERROR( "Can't find a valid proxy" ) chain = X509Chain() result = chain.loadProxyFromFile( proxyLocation ) if not result[ 'OK' ]: return S_ERROR( "Can't load %s: %s " % ( proxyLocation, result[ 'Message' ] ) ) if not chainToConnect: chainToConnect = chain #Make sure it's valid if chain.hasExpired()[ 'Value' ]: return S_ERROR( "Proxy %s has expired" % proxyLocation ) #rpcClient = RPCClient( "Framework/ProxyManager", proxyChain = chainToConnect ) rpcClient = RPCClient( "Framework/ProxyManager", timeout = 120 ) #Get a delegation request result = rpcClient.requestDelegationUpload( chain.getRemainingSecs()['Value'], diracGroup ) if not result[ 'OK' ]: return result #Check if the delegation has been granted if 'Value' not in result or not result[ 'Value' ]: if 'proxies' in result: return S_OK( result[ 'proxies' ] ) else: return S_OK() reqDict = result[ 'Value' ] #Generate delegated chain chainLifeTime = chain.getRemainingSecs()[ 'Value' ] - 60 if restrictLifeTime and restrictLifeTime < chainLifeTime: chainLifeTime = restrictLifeTime retVal = chain.generateChainFromRequestString( reqDict[ 'request' ], lifetime = chainLifeTime, diracGroup = diracGroup, rfc = rfcIfPossible) if not retVal[ 'OK' ]: return retVal #Upload! result = rpcClient.completeDelegationUpload( reqDict[ 'id' ], retVal[ 'Value' ] ) if not result[ 'OK' ]: return result if 'proxies' in result: return S_OK( result[ 'proxies' ] ) return S_OK()
def getProxyInfo(proxy=False, disableVOMS=False): """ :Returns: a dict with all the proxy info: * values that will be there always * 'chain' : chain object containing the proxy * 'subject' : subject of the proxy * 'issuer' : issuer of the proxy * 'isProxy' : bool * 'isLimitedProxy' : bool * 'validDN' : Valid DN in DIRAC * 'validGroup' : Valid Group in DIRAC * 'secondsLeft' : Seconds left * values that can be there * 'path' : path to the file, * 'group' : DIRAC group * 'groupProperties' : Properties that apply to the DIRAC Group * 'username' : DIRAC username * 'identity' : DN that generated the proxy * 'hostname' : DIRAC host nickname * 'VOMS' """ # Discover proxy location proxyLocation = False if isinstance(proxy, X509Chain): chain = proxy else: if not proxy: proxyLocation = Locations.getProxyLocation() elif isinstance(proxy, basestring): proxyLocation = proxy if not proxyLocation: return S_ERROR(DErrno.EPROXYFIND) chain = X509Chain() retVal = chain.loadProxyFromFile(proxyLocation) if not retVal['OK']: return S_ERROR(DErrno.EPROXYREAD, "%s: %s " % (proxyLocation, retVal['Message'])) retVal = chain.getCredentials() if not retVal['OK']: return retVal infoDict = retVal['Value'] infoDict['chain'] = chain if proxyLocation: infoDict['path'] = proxyLocation if not disableVOMS and chain.isVOMS()['Value']: infoDict['hasVOMS'] = True retVal = VOMS().getVOMSAttributes(chain) if retVal['OK']: infoDict['VOMS'] = retVal['Value'] else: infoDict['VOMSError'] = retVal['Message'].strip() return S_OK(infoDict)
def uploadProxy( self, proxy = False, diracGroup = False, chainToConnect = False, restrictLifeTime = 0 ): """ Upload a proxy to the proxy management service using delgation """ #Discover proxy location if type( proxy ) == g_X509ChainType: chain = proxy proxyLocation = "" else: if not proxy: proxyLocation = Locations.getProxyLocation() if not proxyLocation: return S_ERROR( "Can't find a valid proxy" ) elif type( proxy ) in ( types.StringType, types.UnicodeType ): proxyLocation = proxy else: return S_ERROR( "Can't find a valid proxy" ) chain = X509Chain() result = chain.loadProxyFromFile( proxyLocation ) if not result[ 'OK' ]: return S_ERROR( "Can't load %s: %s " % ( proxyLocation, result[ 'Message' ] ) ) if not chainToConnect: chainToConnect = chain #Make sure it's valid if chain.hasExpired()[ 'Value' ]: return S_ERROR( "Proxy %s has expired" % proxyLocation ) #rpcClient = RPCClient( "Framework/ProxyManager", proxyChain = chainToConnect ) rpcClient = RPCClient( "Framework/ProxyManager", timeout = 120 ) #Get a delegation request result = rpcClient.requestDelegationUpload( chain.getRemainingSecs()['Value'], diracGroup ) if not result[ 'OK' ]: return result #Check if the delegation has been granted if 'Value' not in result or not result[ 'Value' ]: if 'proxies' in result: return S_OK( result[ 'proxies' ] ) else: return S_OK() reqDict = result[ 'Value' ] #Generate delegated chain chainLifeTime = chain.getRemainingSecs()[ 'Value' ] - 60 if restrictLifeTime and restrictLifeTime < chainLifeTime: chainLifeTime = restrictLifeTime retVal = chain.generateChainFromRequestString( reqDict[ 'request' ], lifetime = chainLifeTime, diracGroup = diracGroup ) if not retVal[ 'OK' ]: return retVal #Upload! result = rpcClient.completeDelegationUpload( reqDict[ 'id' ], retVal[ 'Value' ] ) if not result[ 'OK' ]: return result if 'proxies' in result: return S_OK( result[ 'proxies' ] ) return S_OK()
def getProxyInfo( proxy = False, disableVOMS = False ): """ :Returns: a dict with all the proxy info: * values that will be there always * 'chain' : chain object containing the proxy * 'subject' : subject of the proxy * 'issuer' : issuer of the proxy * 'isProxy' : bool * 'isLimitedProxy' : bool * 'validDN' : Valid DN in DIRAC * 'validGroup' : Valid Group in DIRAC * 'secondsLeft' : Seconds left * values that can be there * 'path' : path to the file, * 'group' : DIRAC group * 'groupProperties' : Properties that apply to the DIRAC Group * 'username' : DIRAC username * 'identity' : DN that generated the proxy * 'hostname' : DIRAC host nickname * 'VOMS' """ #Discover proxy location proxyLocation = False if type( proxy ) == g_X509ChainType: chain = proxy else: if not proxy: proxyLocation = Locations.getProxyLocation() elif isinstance( proxy, basestring ): proxyLocation = proxy if not proxyLocation: return S_ERROR( DErrno.EPROXYFIND ) chain = X509Chain() retVal = chain.loadProxyFromFile( proxyLocation ) if not retVal[ 'OK' ]: return S_ERROR( DErrno.EPROXYREAD, "%s: %s " % ( proxyLocation, retVal[ 'Message' ] ) ) retVal = chain.getCredentials() if not retVal[ 'OK' ]: return retVal infoDict = retVal[ 'Value' ] infoDict[ 'chain' ] = chain if proxyLocation: infoDict[ 'path' ] = proxyLocation if not disableVOMS and chain.isVOMS()['Value']: infoDict[ 'hasVOMS' ] = True retVal = VOMS().getVOMSAttributes( chain ) if retVal[ 'OK' ]: infoDict[ 'VOMS' ] = retVal[ 'Value' ] else: infoDict[ 'VOMSError' ] = retVal[ 'Message' ].strip() return S_OK( infoDict )
def getProxyInfo(proxy=False, disableVOMS=False): """ Returns a dict with all the proxy info * values that will be there always 'chain' : chain object containing the proxy 'subject' : subject of the proxy 'issuer' : issuer of the proxy 'isProxy' : bool 'isLimitedProxy' : bool 'validDN' : Valid DN in DIRAC 'validGroup' : Valid Group in DIRAC 'secondsLeft' : Seconds left * values that can be there 'path' : path to the file, 'group' : DIRAC group 'groupProperties' : Properties that apply to the DIRAC Group 'username' : DIRAC username 'identity' : DN that generated the proxy 'hostname' : DIRAC host nickname 'VOMS' """ #Discover proxy location proxyLocation = False if type(proxy) == g_X509ChainType: chain = proxy else: if not proxy: proxyLocation = Locations.getProxyLocation() elif type(proxy) in (types.StringType, types.UnicodeType): proxyLocation = proxy if not proxyLocation: return S_ERROR("Can't find a valid proxy") chain = X509Chain() retVal = chain.loadProxyFromFile(proxyLocation) if not retVal['OK']: return S_ERROR("Can't load %s: %s " % (proxyLocation, retVal['Message'])) retVal = chain.getCredentials() if not retVal['OK']: return retVal infoDict = retVal['Value'] infoDict['chain'] = chain if proxyLocation: infoDict['path'] = proxyLocation if not disableVOMS and chain.isVOMS()['Value']: infoDict['hasVOMS'] = True retVal = VOMS().getVOMSAttributes(chain) if retVal['OK']: infoDict['VOMS'] = retVal['Value'] else: infoDict['VOMSError'] = retVal['Message'].strip() return S_OK(infoDict)
def getProxyInfo( proxy = False, disableVOMS = False ): """ Returns a dict with all the proxy info * values that will be there always 'chain' : chain object containing the proxy 'subject' : subject of the proxy 'issuer' : issuer of the proxy 'isProxy' : bool 'isLimitedProxy' : bool 'validDN' : Valid DN in DIRAC 'validGroup' : Valid Group in DIRAC 'secondsLeft' : Seconds left * values that can be there 'path' : path to the file, 'group' : DIRAC group 'groupProperties' : Properties that apply to the DIRAC Group 'username' : DIRAC username 'identity' : DN that generated the proxy 'hostname' : DIRAC host nickname 'VOMS' """ #Discover proxy location proxyLocation = False if type( proxy ) == g_X509ChainType: chain = proxy else: if not proxy: proxyLocation = Locations.getProxyLocation() elif type( proxy ) in ( types.StringType, types.UnicodeType ): proxyLocation = proxy if not proxyLocation: return S_ERROR( "Can't find a valid proxy" ) chain = X509Chain() retVal = chain.loadProxyFromFile( proxyLocation ) if not retVal[ 'OK' ]: return S_ERROR( "Can't load %s: %s " % ( proxyLocation, retVal[ 'Message' ] ) ) retVal = chain.getCredentials() if not retVal[ 'OK' ]: return retVal infoDict = retVal[ 'Value' ] infoDict[ 'chain' ] = chain if proxyLocation: infoDict[ 'path' ] = proxyLocation if not disableVOMS and chain.isVOMS()['Value']: infoDict[ 'hasVOMS' ] = True retVal = VOMS().getVOMSAttributes( chain ) if retVal[ 'OK' ]: infoDict[ 'VOMS' ] = retVal[ 'Value' ] else: infoDict[ 'VOMSError' ] = retVal[ 'Message' ].strip() return S_OK( infoDict )
def __loadM2SSLCTXProxy(ctx, proxyPath=None): """ Load proxy from proxyPath (or default location if not specified) and set it as the certificate & key to use for this SSL context. Returns None. """ if not proxyPath: proxyPath = Locations.getProxyLocation() if not proxyPath: raise RuntimeError("Proxy location not set") if not os.path.isfile(proxyPath): raise RuntimeError("Proxy file (%s) is missing" % proxyPath) # See __loadM2SSLCTXHostcert for description of why lambda is needed. ctx.load_cert_chain(proxyPath, proxyPath, callback=lambda: "")
def __generateContextWithProxy(self): if 'proxyLocation' in self.infoDict: proxyPath = self.infoDict['proxyLocation'] if not os.path.isfile(proxyPath): return S_ERROR("Defined proxy is not a file") else: proxyPath = Locations.getProxyLocation() if not proxyPath: return S_ERROR("No valid proxy found") self.setLocalCredentialsLocation((proxyPath, proxyPath)) gLogger.debug("Using proxy %s" % proxyPath) retVal = self.__createContext() if not retVal['OK']: return retVal self.sslContext.use_certificate_chain_file(proxyPath) self.sslContext.use_privatekey_file(proxyPath) return S_OK()
def __getProxyID(self): proxyLocation = Locations.getProxyLocation() if not proxyLocation: gLogger.error("No proxy found!") return False chain = X509Chain() if not chain.loadProxyFromFile(proxyLocation): gLogger.error("Can't read proxy!", proxyLocation) return False retVal = chain.getIssuerCert() if not retVal['OK']: gLogger.error("Can't parse proxy!", retVal['Message']) return False idCert = retVal['Value'] self.__userDN = idCert.getSubjectDN()['Value'] self.__userGroup = chain.getDIRACGroup()['Value'] return True
def __generateContextWithProxy( self ): if 'proxyLocation' in self.infoDict: proxyPath = self.infoDict[ 'proxyLocation' ] if not os.path.isfile( proxyPath ): return S_ERROR( "Defined proxy is not a file" ) else: proxyPath = Locations.getProxyLocation() if not proxyPath: return S_ERROR( "No valid proxy found" ) self.setLocalCredentialsLocation( ( proxyPath, proxyPath ) ) gLogger.debug( "Using proxy %s" % proxyPath ) retVal = self.__createContext() if not retVal[ 'OK' ]: return retVal self.sslContext.use_certificate_chain_file( proxyPath ) self.sslContext.use_privatekey_file( proxyPath ) return S_OK()
def __getProxyID( self ): proxyLocation = Locations.getProxyLocation() if not proxyLocation: gLogger.error( "No proxy found!" ) return False chain = X509Chain() if not chain.loadProxyFromFile( proxyLocation ): gLogger.error( "Can't read proxy!", proxyLocation ) return False retVal = chain.getIssuerCert() if not retVal[ 'OK' ]: gLogger.error( "Can't parse proxy!", retVal[ 'Message' ] ) return False idCert = retVal[ 'Value' ] self.__userDN = idCert.getSubjectDN()[ 'Value' ] self.__userGroup = idCert.getDIRACGroup()[ 'Value' ] return True
def delegate(delegationRequest, kwargs): """ Check delegate! """ if kwargs.get("useCertificates"): chain = X509Chain() certTuple = Locations.getHostCertificateAndKeyLocation() chain.loadChainFromFile(certTuple[0]) chain.loadKeyFromFile(certTuple[1]) elif "proxyObject" in kwargs: chain = kwargs["proxyObject"] else: if "proxyLocation" in kwargs: procLoc = kwargs["proxyLocation"] else: procLoc = Locations.getProxyLocation() chain = X509Chain() chain.loadChainFromFile(procLoc) chain.loadKeyFromFile(procLoc) return chain.generateChainFromRequestString(delegationRequest)
def delegate( delegationRequest, kwargs ): """ Check delegate! """ if "useCertificates" in kwargs and kwargs[ 'useCertificates' ]: chain = X509Chain() certTuple = Locations.getHostCertificateAndKeyLocation() chain.loadChainFromFile( certTuple[0] ) chain.loadKeyFromFile( certTuple[1] ) elif "proxyObject" in kwargs: chain = kwargs[ 'proxyObject' ] else: if "proxyLocation" in kwargs: procLoc = kwargs[ "proxyLocation" ] else: procLoc = Locations.getProxyLocation() chain = X509Chain() chain.loadChainFromFile( procLoc ) chain.loadKeyFromFile( procLoc ) return chain.generateChainFromRequestString( delegationRequest )
def __getProxyID(self): """Get proxy identity information :return: S_OK()/S_ERROR() """ proxyLocation = Locations.getProxyLocation() if not proxyLocation: return S_ERROR("No proxy found!") chain = X509Chain() if not chain.loadProxyFromFile(proxyLocation): return S_ERROR("Can't read proxy!", proxyLocation) retVal = chain.getIssuerCert() if not retVal["OK"]: return S_ERROR("Can't parse proxy!", retVal["Message"]) idCert = retVal["Value"] result = idCert.getSubjectDN() if result["OK"]: self.__userDN = result["Value"] result = chain.getDIRACGroup() if not result["OK"]: return result self.__userGroup = result["Value"] return S_OK()
def _getCurrentUser(self): """Simple function to return current DIRAC username. """ proxy = Locations.getProxyLocation() if not proxy: return S_ERROR('No proxy found in local environment') else: self.log.verbose('Current proxy is %s' % proxy) chain = X509Chain() result = chain.loadProxyFromFile(proxy) if not result['OK']: return result result = chain.getIssuerCert() if not result['OK']: return result issuerCert = result['Value'] dn = issuerCert.getSubjectDN()['Value'] result = CS.getUsernameForDN(dn) if not result['OK']: return result return result
def _getCurrentUser( self ): """Simple function to return current DIRAC username. """ proxy = Locations.getProxyLocation() if not proxy: return S_ERROR( 'No proxy found in local environment' ) else: self.log.verbose( 'Current proxy is %s' % proxy ) chain = X509Chain() result = chain.loadProxyFromFile( proxy ) if not result[ 'OK' ]: return result result = chain.getIssuerCert() if not result[ 'OK' ]: return result issuerCert = result[ 'Value' ] dn = issuerCert.getSubjectDN()[ 'Value' ] result = CS.getUsernameForDN( dn ) if not result[ 'OK' ]: return result return result
def checkSanity(urlTuple, kwargs): """ Check that all ssl environment is ok """ useCerts = False if "useCertificates" in kwargs and kwargs['useCertificates']: certTuple = Locations.getHostCertificateAndKeyLocation() if not certTuple: gLogger.error("No cert/key found! ") return S_ERROR("No cert/key found! ") certFile = certTuple[0] useCerts = True elif "proxyString" in kwargs: if type(kwargs['proxyString']) != types.StringType: gLogger.error("proxyString parameter is not a valid type") return S_ERROR("proxyString parameter is not a valid type") else: if "proxyLocation" in kwargs: certFile = kwargs["proxyLocation"] else: certFile = Locations.getProxyLocation() if not certFile: gLogger.error("No proxy found") return S_ERROR("No proxy found") elif not os.path.isfile(certFile): gLogger.error("%s proxy file does not exist" % certFile) return S_ERROR("%s proxy file does not exist" % certFile) #For certs always check CA's. For clients skipServerIdentityCheck if 'skipCACheck' not in kwargs or not kwargs['skipCACheck']: if not Locations.getCAsLocation(): gLogger.error("No CAs found!") return S_ERROR("No CAs found!") if "proxyString" in kwargs: certObj = X509Chain() retVal = certObj.loadChainFromString(kwargs['proxyString']) if not retVal['OK']: gLogger.error("Can't load proxy string") return S_ERROR("Can't load proxy string") else: if useCerts: certObj = X509Certificate() certObj.loadFromFile(certFile) else: certObj = X509Chain() certObj.loadChainFromFile(certFile) retVal = certObj.hasExpired() if not retVal['OK']: gLogger.error("Can't verify file %s:%s" % (certFile, retVal['Message'])) return S_ERROR("Can't verify file %s:%s" % (certFile, retVal['Message'])) else: if retVal['Value']: notAfter = certObj.getNotAfterDate() if notAfter['OK']: notAfter = notAfter['Value'] else: notAfter = "unknown" gLogger.error("PEM file has expired", "%s is not valid after %s" % (certFile, notAfter)) return S_ERROR("PEM file %s has expired, not valid after %s" % (certFile, notAfter)) idDict = {} retVal = certObj.getDIRACGroup(ignoreDefault=True) if retVal['OK'] and retVal['Value'] != False: idDict['group'] = retVal['Value'] if useCerts: idDict['DN'] = certObj.getSubjectDN()['Value'] else: idDict['DN'] = certObj.getIssuerCert()['Value'].getSubjectDN()['Value'] return S_OK(idDict)
def checkSanity( urlTuple, kwargs ): """ Check that all ssl environment is ok """ useCerts = False certFile = '' if "useCertificates" in kwargs and kwargs[ 'useCertificates' ]: certTuple = Locations.getHostCertificateAndKeyLocation() if not certTuple: gLogger.error( "No cert/key found! " ) return S_ERROR( "No cert/key found! " ) certFile = certTuple[0] useCerts = True elif "proxyString" in kwargs: if not isinstance( kwargs[ 'proxyString' ], basestring ): gLogger.error( "proxyString parameter is not a valid type", str( type( kwargs[ 'proxyString' ] ) ) ) return S_ERROR( "proxyString parameter is not a valid type" ) else: if "proxyLocation" in kwargs: certFile = kwargs[ "proxyLocation" ] else: certFile = Locations.getProxyLocation() if not certFile: gLogger.error( "No proxy found" ) return S_ERROR( "No proxy found" ) elif not os.path.isfile( certFile ): gLogger.error( "Proxy file does not exist", certFile ) return S_ERROR( "%s proxy file does not exist" % certFile ) #For certs always check CA's. For clients skipServerIdentityCheck if 'skipCACheck' not in kwargs or not kwargs[ 'skipCACheck' ]: if not Locations.getCAsLocation(): gLogger.error( "No CAs found!" ) return S_ERROR( "No CAs found!" ) if "proxyString" in kwargs: certObj = X509Chain() retVal = certObj.loadChainFromString( kwargs[ 'proxyString' ] ) if not retVal[ 'OK' ]: gLogger.error( "Can't load proxy string" ) return S_ERROR( "Can't load proxy string" ) else: if useCerts: certObj = X509Certificate() certObj.loadFromFile( certFile ) else: certObj = X509Chain() certObj.loadChainFromFile( certFile ) retVal = certObj.hasExpired() if not retVal[ 'OK' ]: gLogger.error( "Can't verify proxy or certificate file", "%s:%s" % ( certFile, retVal[ 'Message' ] ) ) return S_ERROR( "Can't verify file %s:%s" % ( certFile, retVal[ 'Message' ] ) ) else: if retVal[ 'Value' ]: notAfter = certObj.getNotAfterDate() if notAfter[ 'OK' ]: notAfter = notAfter[ 'Value' ] else: notAfter = "unknown" gLogger.error( "PEM file has expired", "%s is not valid after %s" % ( certFile, notAfter ) ) return S_ERROR( "PEM file %s has expired, not valid after %s" % ( certFile, notAfter ) ) idDict = {} retVal = certObj.getDIRACGroup( ignoreDefault = True ) if retVal[ 'OK' ] and retVal[ 'Value' ] != False: idDict[ 'group' ] = retVal[ 'Value' ] if useCerts: idDict[ 'DN' ] = certObj.getSubjectDN()[ 'Value' ] else: idDict[ 'DN' ] = certObj.getIssuerCert()[ 'Value' ].getSubjectDN()[ 'Value' ] return S_OK( idDict )
params = Params() Script.registerSwitch("f:", "file=", "File to use as proxy", params.setProxyLocation) Script.registerSwitch("D", "DN", "Use DN as myproxy username", params.setDNAsUsername) Script.registerSwitch("i", "version", "Print version", params.showVersion) Script.addDefaultOptionValue("LogLevel", "always") Script.parseCommandLine() from DIRAC.FrameworkSystem.Client.ProxyManagerClient import gProxyManager from DIRAC.Core.Security.MyProxy import MyProxy from DIRAC.Core.Security.X509Chain import X509Chain from DIRAC.Core.Security import Locations, CS if not params.proxyLoc: params.proxyLoc = Locations.getProxyLocation() if not params.proxyLoc: print "Can't find any valid proxy" sys.exit(1) print "Uploading proxy file %s" % params.proxyLoc mp = MyProxy() retVal = mp.uploadProxy(params.proxyLoc, params.dnAsUsername) if not retVal["OK"]: print "Can't upload proxy:" print " ", retVal["Message"] sys.exit(1) print "Proxy uploaded" sys.exit(0)
def _request(self, retry=0, outputFile=None, **kwargs): """ Sends the request to server :param retry: internal parameters for recursive call. TODO: remove ? :param outputFile: (default None) path to a file where to store the received data. If set, the server response will be streamed for optimization purposes, and the response data will not go through the JDecode process :param **kwargs: Any argument there is used as a post parameter. They are detailed bellow. :param method: (mandatory) name of the distant method :param args: (mandatory) json serialized list of argument for the procedure :returns: The received data. If outputFile is set, return always S_OK """ # Adding some informations to send if self.__extraCredentials: kwargs[self.KW_EXTRA_CREDENTIALS] = encode(self.__extraCredentials) kwargs["clientVO"] = self.vo kwargs["clientSetup"] = self.setup # Getting URL url = self.__findServiceURL() if not url["OK"]: return url url = url["Value"] # Getting CA file (or skip verification) verify = not self.kwargs.get(self.KW_SKIP_CA_CHECK) if verify: if not self.__ca_location: self.__ca_location = Locations.getCAsLocation() if not self.__ca_location: gLogger.error("No CAs found!") return S_ERROR("No CAs found!") verify = self.__ca_location # getting certificate # Do we use the server certificate ? if self.kwargs[self.KW_USE_CERTIFICATES]: cert = Locations.getHostCertificateAndKeyLocation() elif self.kwargs.get(self.KW_PROXY_STRING): tmpHandle, cert = tempfile.mkstemp() fp = os.fdopen(tmpHandle, "wb") fp.write(self.kwargs[self.KW_PROXY_STRING]) fp.close() # CHRIS 04.02.21 # TODO: add proxyLocation check ? else: cert = Locations.getProxyLocation() if not cert: gLogger.error("No proxy found") return S_ERROR("No proxy found") # We have a try/except for all the exceptions # whose default behavior is to try again, # maybe to different server try: # And we have a second block to handle specific exceptions # which makes it not worth retrying try: rawText = None # Default case, just return the result if not outputFile: call = requests.post(url, data=kwargs, timeout=self.timeout, verify=verify, cert=cert) # raising the exception for status here # means essentialy that we are losing here the information of what is returned by the server # as error message, since it is not passed to the exception # However, we can store the text and return it raw as an error, # since there is no guarantee that it is any JEncoded text # Note that we would get an exception only if there is an exception on the server side which # is not handled. # Any standard S_ERROR will be transfered as an S_ERROR with a correct code. rawText = call.text call.raise_for_status() return decode(rawText)[0] else: # Instruct the server not to encode the response kwargs["rawContent"] = True rawText = None # Stream download # https://requests.readthedocs.io/en/latest/user/advanced/#body-content-workflow with requests.post( url, data=kwargs, timeout=self.timeout, verify=verify, cert=cert, stream=True ) as r: rawText = r.text r.raise_for_status() with open(outputFile, "wb") as f: for chunk in r.iter_content(4096): # if chunk: # filter out keep-alive new chuncks f.write(chunk) return S_OK() # Some HTTPError are not worth retrying except requests.exceptions.HTTPError as e: status_code = e.response.status_code if status_code == http_client.NOT_IMPLEMENTED: return S_ERROR(errno.ENOSYS, "%s is not implemented" % kwargs.get("method")) elif status_code in (http_client.FORBIDDEN, http_client.UNAUTHORIZED): return S_ERROR(errno.EACCES, "No access to %s" % url) # if it is something else, retry raise # Whatever exception we have here, we deem worth retrying except Exception as e: # CHRIS TODO review this part: retry logic is fishy # self.__bannedUrls is emptied in findServiceURLs if url not in self.__bannedUrls: self.__bannedUrls += [url] if retry < self.__nbOfUrls - 1: self._request(retry=retry + 1, outputFile=outputFile, **kwargs) errStr = "%s: %s" % (str(e), rawText) return S_ERROR(errStr)
Script.registerSwitch("f:", "file=", "File to use as proxy", params.setProxyLocation) Script.registerSwitch("D", "DN", "Use DN as myproxy username", params.setDNAsUsername) Script.registerSwitch("i", "version", "Print version", params.showVersion) Script.addDefaultOptionValue("LogLevel", "always") Script.parseCommandLine() from DIRAC.FrameworkSystem.Client.ProxyManagerClient import gProxyManager from DIRAC.Core.Security.MyProxy import MyProxy from DIRAC.Core.Security.X509Chain import X509Chain from DIRAC.Core.Security import Locations, CS if not params.proxyLoc: params.proxyLoc = Locations.getProxyLocation() if not params.proxyLoc: print "Can't find any valid proxy" sys.exit(1) print "Uploading proxy file %s" % params.proxyLoc mp = MyProxy() retVal = mp.uploadProxy(params.proxyLoc, params.dnAsUsername) if not retVal['OK']: print "Can't upload proxy:" print " ", retVal['Message'] sys.exit(1) print "Proxy uploaded" sys.exit(0)
def _getProxyLocation( ): return Locations.getProxyLocation( )
def checkSanity(urlTuple, kwargs): """ Check that all ssl environment is ok """ useCerts = False certFile = "" if "useCertificates" in kwargs and kwargs["useCertificates"]: certTuple = Locations.getHostCertificateAndKeyLocation() if not certTuple: gLogger.error("No cert/key found! ") return S_ERROR("No cert/key found! ") certFile = certTuple[0] useCerts = True elif "proxyString" in kwargs: if not isinstance(kwargs["proxyString"], six.string_types if six.PY2 else bytes): gLogger.error("proxyString parameter is not a valid type", str(type(kwargs["proxyString"]))) return S_ERROR("proxyString parameter is not a valid type") else: if "proxyLocation" in kwargs: certFile = kwargs["proxyLocation"] else: certFile = Locations.getProxyLocation() if not certFile: gLogger.error("No proxy found") return S_ERROR("No proxy found") elif not os.path.isfile(certFile): gLogger.error("Proxy file does not exist", certFile) return S_ERROR("%s proxy file does not exist" % certFile) # For certs always check CA's. For clients skipServerIdentityCheck if "skipCACheck" not in kwargs or not kwargs["skipCACheck"]: if not Locations.getCAsLocation(): gLogger.error("No CAs found!") return S_ERROR("No CAs found!") if "proxyString" in kwargs: certObj = X509Chain() retVal = certObj.loadChainFromString(kwargs["proxyString"]) if not retVal["OK"]: gLogger.error("Can't load proxy string") return S_ERROR("Can't load proxy string") else: if useCerts: certObj = X509Certificate() certObj.loadFromFile(certFile) else: certObj = X509Chain() certObj.loadChainFromFile(certFile) retVal = certObj.hasExpired() if not retVal["OK"]: gLogger.error("Can't verify proxy or certificate file", "%s:%s" % (certFile, retVal["Message"])) return S_ERROR("Can't verify file %s:%s" % (certFile, retVal["Message"])) else: if retVal["Value"]: notAfter = certObj.getNotAfterDate() if notAfter["OK"]: notAfter = notAfter["Value"] else: notAfter = "unknown" gLogger.error("PEM file has expired", "%s is not valid after %s" % (certFile, notAfter)) return S_ERROR("PEM file %s has expired, not valid after %s" % (certFile, notAfter)) idDict = {} retVal = certObj.getDIRACGroup(ignoreDefault=True) if retVal["OK"] and retVal["Value"] is not False: idDict["group"] = retVal["Value"] if useCerts: idDict["DN"] = certObj.getSubjectDN()["Value"] else: idDict["DN"] = certObj.getIssuerCert()["Value"].getSubjectDN()["Value"] return S_OK(idDict)