def populate_group_security(client_security, params, sub_params, group_name):
    """Fill client_security with the DNs one group trusts / is trusted by.

    Sets, in this order, ``client_security['factory_DNs']``, ``['schedd_DNs']`` and
    ``['pilot_DNs']``.  Factory collector and schedd DNs are taken from both ``params`` and
    ``sub_params`` and must be declared: a missing DN raises RuntimeError (keys already set
    before the failure are left in place).  Pilot DNs are read from the proxy files with
    ``x509Support.extract_DN`` and only when the group is enabled; a disabled group ends up
    with an empty 'pilot_DNs' list.  Duplicate DNs are kept on purpose — a DN listed twice
    is harmless.

    Args:
        client_security: dict to populate (mutated in place).
        params: top-level configuration; ``params.groups[group_name].enabled`` decides
            whether pilot DNs are collected at all.
        sub_params: group-level configuration, merged after ``params``.
        group_name: key into ``params.groups``.

    Raises:
        RuntimeError: a factory collector or schedd entry has no DN.
    """

    def _dns_of(groups, missing_msg, label):
        # Flatten the (params, sub_params) pair into one DN list, failing on the first
        # element that has no DN.  ``label`` extracts the identifier used in the message.
        dns = []
        for group in groups:
            for el in group:
                dn = el.DN
                if dn is None:
                    raise RuntimeError(missing_msg % label(el))
                dns.append(dn)
        return dns

    client_security['factory_DNs'] = _dns_of(
        (params.match.factory.collectors, sub_params.match.factory.collectors),
        "DN not defined for factory %s", lambda el: el.node)
    client_security['schedd_DNs'] = _dns_of(
        (params.match.job.schedds, sub_params.match.job.schedds),
        "DN not defined for schedd %s", lambda el: el.fullname)

    pilot_dns = []
    for credentials in (params.security.credentials, sub_params.security.credentials):
        # The enabled flag is read from params (not sub_params) on every pass, as the
        # original did.
        if not is_true(params.groups[group_name].enabled):
            continue
        for pel in credentials:
            # The pilot proxy file defaults to the credential's own file.
            proxy_fname = pel['pilotabsfname']
            if proxy_fname is None:
                proxy_fname = pel['absfname']
            if pel['pool_idx_len'] is None and pel['pool_idx_list'] is None:
                # single proxy file
                pilot_dns.append(x509Support.extract_DN(proxy_fname))
            else:
                # pool: one proxy file per expanded index suffix
                for idx in get_pool_list(pel):
                    pilot_dns.append(x509Support.extract_DN("%s%s" % (proxy_fname, idx)))
    client_security['pilot_DNs'] = pilot_dns
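def _collect_declared_dns(element_groups, describe_missing):
    """Return the DN of every element in every group, in order, duplicates kept.

    Args:
        element_groups: iterables (params first, then sub_params) of elements that carry
            a ``DN`` attribute.
        describe_missing: callable producing the RuntimeError text for an element whose
            DN is None.

    Raises:
        RuntimeError: if any element has no DN.
    """
    dns = []
    for group in element_groups:
        for el in group:
            dn = el.DN
            if dn is None:
                raise RuntimeError(describe_missing(el))
            # duplicates are harmless here: a DN listed twice just stays trusted
            dns.append(dn)
    return dns


def _collect_pilot_dns(credential_groups):
    """Return the subject DN of every pilot proxy file referenced by the credentials.

    The pilot proxy file is 'pilotabsfname' when set, else 'absfname'.  A credential with
    neither 'pool_idx_len' nor 'pool_idx_list' is a single file; otherwise it is a pool and
    every index suffix from ``get_pool_list`` names one file.  DNs are read from the files
    with ``x509Support.extract_DN``; duplicates are kept.
    """
    pilot_dns = []
    for credentials in credential_groups:
        for pel in credentials:
            proxy_fname = pel['absfname'] if pel['pilotabsfname'] is None else pel['pilotabsfname']
            if pel['pool_idx_len'] is None and pel['pool_idx_list'] is None:
                # only one
                pilot_dns.append(x509Support.extract_DN(proxy_fname))
            else:
                # pool
                for idx in get_pool_list(pel):
                    pilot_dns.append(x509Support.extract_DN("%s%s" % (proxy_fname, idx)))
    return pilot_dns


def populate_group_security(client_security, params, sub_params):
    """Fill client_security with the DNs the group trusts / is trusted by.

    Sets ``client_security['factory_DNs']``, ``['schedd_DNs']`` and ``['pilot_DNs']`` in that
    order; keys already set before a failure stay in place.  Factory collector and schedd
    DNs come from both ``params`` and ``sub_params`` and must be declared; pilot DNs are
    read from the proxy files themselves.

    Fix: the ``raise RuntimeError, "..."`` form is Python 2 only; ``raise RuntimeError("...")``
    is accepted by both interpreters and raises the identical exception.

    Args:
        client_security: dict to populate (mutated in place).
        params: top-level configuration.
        sub_params: group-level configuration, merged after ``params``.

    Raises:
        RuntimeError: a factory collector or schedd entry has no DN.
    """
    client_security['factory_DNs'] = _collect_declared_dns(
        (params.match.factory.collectors, sub_params.match.factory.collectors),
        lambda el: "DN not defined for factory %s" % el.node)
    client_security['schedd_DNs'] = _collect_declared_dns(
        (params.match.job.schedds, sub_params.match.job.schedds),
        lambda el: "DN not defined for schedd %s" % el.fullname)
    client_security['pilot_DNs'] = _collect_pilot_dns(
        (params.security.credentials, sub_params.security.credentials))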
def file_id(self, filename, ignoredn=False):
    """Return a short numeric id (at most six digits, as a string) for a credential file.

    For credentials whose ``type`` contains ``grid_proxy`` the certificate subject DN read
    from the file is folded into the key as well, unless ``ignoredn`` is set; every other
    credential type is keyed on the file name alone.

    NOTE(review): the id is derived from the builtin ``hash()`` of a str, which Python 3
    salts per process (PYTHONHASHSEED); it is therefore only stable within one interpreter
    run unless the seed is fixed — confirm that no caller persists or compares it across
    processes before relying on it.
    """
    key = filename
    if "grid_proxy" in self.type and not ignoredn:
        key = filename + x509Support.extract_DN(filename)
    return str(abs(hash(key)) % 1000000)
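def _within_frequency(proxy, proxy_config, time_remaining):
    """Return True when less than 'frequency' hours of the proxy's lifetime have elapsed.

    Users used to control the renewal cadence when they wrote their own script and cron
    job.  Since the automatic renewal cron/timer runs every hour, the section's 'frequency'
    option (hours) decides whether this run renews: if more than 'frequency' hours of the
    lifetime have elapsed, renew; otherwise skip.

    Args:
        proxy: Proxy whose ``lifetime`` is the configured lifetime (hours, given the *3600).
        proxy_config: the section's options; only 'frequency' is read, and only here.
        time_remaining: seconds left (``proxy.timeleft()`` or ``proxy.actimeleft()``).
    """
    elapsed_seconds = int(proxy.lifetime) * 3600 - time_remaining
    return elapsed_seconds < int(proxy_config['frequency']) * 3600


def main():
    """Main entrypoint: renew every proxy described in CONFIG.

    Returns:
        0 if every proxy was renewed or skipped, 1 if at least one renewal failed.  The
        loop keeps going after a failure so one bad section does not block the others.

    Raises:
        ConfigError: if [COMMON] is not present exactly once or no [PILOT*] section exists.
        RuntimeError: if the 'owner' user named in [COMMON] does not exist.
    """
    config = ConfigParser.ConfigParser(DEFAULTS)
    config.read(CONFIG)
    proxies = config.sections()

    # Verify config sections
    if proxies.count('COMMON') != 1:
        raise ConfigError("there must be only one [COMMON] section in %s" % CONFIG)
    if not any(section.startswith('PILOT') for section in proxies):
        raise ConfigError("there must be at least one [PILOT] section in %s" % CONFIG)

    # Proxies need to be owned by the 'frontend' user
    try:
        fe_user = pwd.getpwnam(config.get('COMMON', 'owner'))
    except KeyError:
        raise RuntimeError("missing 'frontend' user")

    # Load VOMS Admin server info for case-sensitive VO name and for faking the VOMS Admin server URI
    vomses = os.getenv('VOMS_USERCONF', '/etc/vomses')
    with open(vomses, 'r') as vomses_file:
        vo_name_map, vo_uri_map = parse_vomses(vomses_file.read())

    retcode = 0
    proxies.remove('COMMON')  # no proxy renewal info in the COMMON section
    for proxy_section in proxies:
        proxy_config = dict(config.items(proxy_section))
        proxy = Proxy(proxy_config['proxy_cert'], proxy_config['proxy_key'], proxy_config['output'],
                      proxy_config['lifetime'], fe_user.pw_uid, fe_user.pw_gid)

        if proxy_section == 'FRONTEND':
            if _within_frequency(proxy, proxy_config, proxy.timeleft()):
                print('Skipping renewal of %s: time remaining within the specified frequency' % proxy.output)
                proxy.cleanup()
                continue
            stdout, stderr, client_rc = voms_proxy_init(proxy)
        elif proxy_section.startswith('PILOT'):
            # Both the proxy itself and its VOMS AC must still be fresh for the skip.
            if (_within_frequency(proxy, proxy_config, proxy.timeleft())
                    and _within_frequency(proxy, proxy_config, proxy.actimeleft())):
                print('Skipping renewal of %s: time remaining within the specified frequency' % proxy.output)
                proxy.cleanup()
                continue
            # VO names are case-sensitive; the map is keyed on the lower-cased name so the
            # proxies.ini spelling need not match.  An unknown VO is reported and the loop
            # moves on, instead of aborting every remaining renewal with an uncaught KeyError.
            try:
                vo_name = vo_name_map[proxy_config['vo'].lower()]
            except KeyError:
                retcode = 1
                print("ERROR: Failed to renew proxy {0}: ".format(proxy.output)
                      + "Could not find VO '{0}' in {1}. ".format(proxy_config['vo'], vomses)
                      + "Please verify your VO data installation.")
                proxy.cleanup()
                continue
            vo_attr = VO(vo_name, proxy_config['fqan'])
            if safe_boolcomp(proxy_config['use_voms_server'], True):
                stdout, stderr, client_rc = voms_proxy_init(proxy, vo_attr)
            else:
                vo_attr.cert = proxy_config['vo_cert']
                vo_attr.key = proxy_config['vo_key']
                # The fake VOMS server URI is looked up by the VO certificate's subject DN.
                try:
                    vo_attr.uri = vo_uri_map[x509Support.extract_DN(vo_attr.cert)]
                except KeyError:
                    retcode = 1
                    print("ERROR: Failed to renew proxy {0}: ".format(proxy.output)
                          + "Could not find entry in {0} for {1}. ".format(vomses, vo_attr.cert)
                          + "Please verify your VO data installation.")
                    proxy.cleanup()
                    continue
                stdout, stderr, client_rc = voms_proxy_fake(proxy, vo_attr)
        else:
            # Name the section (not the Proxy object) so the operator can find it in CONFIG.
            print("WARNING: Unrecognized configuration section %s found in %s.\n" % (proxy_section, CONFIG)
                  + "Valid configuration sections: 'FRONTEND' or 'PILOT'.")
            client_rc = -1
            stderr = "Unrecognized configuration section '%s', renewal not attempted." % proxy_section
            stdout = ""

        if client_rc == 0:
            proxy.write()
            print("Renewed proxy from '%s' to '%s'." % (proxy.cert, proxy.output))
        else:
            retcode = 1  # don't raise an exception here to continue renewing other proxies
            print("ERROR: Failed to renew proxy %s:\n%s%s" % (proxy.output, stdout, stderr))
            proxy.cleanup()
    return retcode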
def test_extract_dn(self):
    """extract_DN must return the subject string the openssl CLI prints for the host cert.

    Needs a readable host certificate at the absolute path below and an ``openssl`` binary
    on PATH; it is an integration check rather than a unit test.
    """
    cert_path = '/etc/grid-security/hostcert.pem'
    subject_line = glideinwms.lib.subprocessSupport.iexe_cmd("openssl x509 -in %s -noout -subject" % cert_path)
    # Drop the leading 'subject=' token and normalise the rest to single spaces.
    # NOTE(review): this assumes the installed openssl prints the subject as separate
    # tokens after 'subject='; other openssl releases lay out the -subject line
    # differently — confirm it matches what extract_DN produces on the target host.
    tokens = subject_line.split()
    expected = ' '.join(tokens[1:])
    self.assertEqual(expected, extract_DN(cert_path))
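def _parse_vomses_text(text):
    """Build (vo_name_map, vo_uri_map) from the contents of a vomses file.

    Each entry has the form
      "<VO ALIAS>" "<VOMS ADMIN HOSTNAME>" "<VOMS ADMIN PORT>" "<VOMS CERT DN>" "<VO NAME>"
    e.g.
      "osg" "voms.grid.iu.edu" "15027" "/DC=org/DC=opensciencegrid/O=Open Science Grid/OU=Services/CN=voms.grid.iu.edu" "osg"

    Returns:
        vo_name_map: lower-cased VO name -> VO name as spelled in the file.  VO names are
            case-sensitive but proxies.ini authors are not expected to get the case right.
        vo_uri_map: VOMS certificate subject DN -> "<HOSTNAME>:<PORT>".  Kept apart from the
            VO name because one VO can have several vomses entries.
    """
    vo_info = re.findall(r'"\w+"\s+"([^"]+)"\s+"(\d+)"\s+"([^"]+)"\s+"(\w+)"', text, re.IGNORECASE)
    vo_name_map = {vo[3].lower(): vo[3] for vo in vo_info}
    vo_uri_map = {vo[2]: vo[0] + ':' + vo[1] for vo in vo_info}
    return vo_name_map, vo_uri_map


def _within_frequency(proxy, proxy_config, time_remaining):
    """Return True when less than 'frequency' hours of the proxy's lifetime have elapsed.

    Users used to control the renewal cadence when they wrote their own script and cron
    job.  Since the automatic renewal cron/timer runs every hour, the section's 'frequency'
    option (hours) decides whether this run renews: if more than 'frequency' hours of the
    lifetime have elapsed, renew; otherwise skip.

    Args:
        proxy: Proxy whose ``lifetime`` is the configured lifetime (hours, given the *3600).
        proxy_config: the section's options; only 'frequency' is read, and only here.
        time_remaining: seconds left (``proxy.timeleft()`` or ``proxy.actimeleft()``).
    """
    elapsed_seconds = int(proxy.lifetime) * 3600 - time_remaining
    return elapsed_seconds < int(proxy_config['frequency']) * 3600


def main():
    """Main entrypoint: renew every proxy described in CONFIG.

    Returns:
        0 if every proxy was renewed or skipped, 1 if at least one renewal failed.  The
        loop keeps going after a failure so one bad section does not block the others.

    Raises:
        ConfigError: if [COMMON] is not present exactly once or no [PILOT*] section exists.
        RuntimeError: if the 'owner' user named in [COMMON] does not exist.
    """
    config = ConfigParser.ConfigParser(DEFAULTS)
    config.read(CONFIG)
    proxies = config.sections()

    # Verify config sections
    if proxies.count('COMMON') != 1:
        raise ConfigError("there must be only one [COMMON] section in %s" % CONFIG)
    if not any(section.startswith('PILOT') for section in proxies):
        raise ConfigError("there must be at least one [PILOT] section in %s" % CONFIG)

    # Proxies need to be owned by the 'frontend' user
    try:
        fe_user = pwd.getpwnam(config.get('COMMON', 'owner'))
    except KeyError:
        raise RuntimeError("missing 'frontend' user")

    # Load VOMS Admin server info for case-sensitive VO name and for faking the VOMS Admin server URI
    vomses = os.getenv('VOMS_USERCONF', '/etc/vomses')
    with open(vomses, 'r') as vomses_file:
        vo_name_map, vo_uri_map = _parse_vomses_text(vomses_file.read())

    retcode = 0
    proxies.remove('COMMON')  # no proxy renewal info in the COMMON section
    for proxy_section in proxies:
        proxy_config = dict(config.items(proxy_section))
        proxy = Proxy(proxy_config['proxy_cert'], proxy_config['proxy_key'], proxy_config['output'],
                      proxy_config['lifetime'], fe_user.pw_uid, fe_user.pw_gid)

        if proxy_section == 'FRONTEND':
            if _within_frequency(proxy, proxy_config, proxy.timeleft()):
                print('Skipping renewal of %s: time remaining within the specified frequency' % proxy.output)
                proxy.cleanup()
                continue
            stdout, stderr, client_rc = voms_proxy_init(proxy)
        elif proxy_section.startswith('PILOT'):
            # Both the proxy itself and its VOMS AC must still be fresh for the skip.
            if (_within_frequency(proxy, proxy_config, proxy.timeleft())
                    and _within_frequency(proxy, proxy_config, proxy.actimeleft())):
                print('Skipping renewal of %s: time remaining within the specified frequency' % proxy.output)
                proxy.cleanup()
                continue
            # An unknown VO is reported and the loop moves on, instead of aborting every
            # remaining renewal with an uncaught KeyError.
            try:
                vo_name = vo_name_map[proxy_config['vo'].lower()]
            except KeyError:
                retcode = 1
                print("ERROR: Failed to renew proxy {0}: ".format(proxy.output)
                      + "Could not find VO '{0}' in {1}. ".format(proxy_config['vo'], vomses)
                      + "Please verify your VO data installation.")
                proxy.cleanup()
                continue
            vo_attr = VO(vo_name, proxy_config['fqan'])
            if safe_boolcomp(proxy_config['use_voms_server'], True):
                # we specify '-order' because some European CEs care about VOMS AC order
                # The '-order' option chokes if a Capability is specified but we want to make sure we request it
                # in '-voms' because we're not sure if anything is looking for it
                fqan = re.sub(r'\/Capability=\w+$', '', vo_attr.fqan)
                stdout, stderr, client_rc = voms_proxy_init(proxy, '-voms', vo_attr.voms, '-order', fqan)
            else:
                vo_attr.cert = proxy_config['vo_cert']
                vo_attr.key = proxy_config['vo_key']
                # The fake VOMS server URI is looked up by the VO certificate's subject DN.
                try:
                    vo_attr.uri = vo_uri_map[x509Support.extract_DN(vo_attr.cert)]
                except KeyError:
                    retcode = 1
                    print("ERROR: Failed to renew proxy {0}: ".format(proxy.output)
                          + "Could not find entry in {0} for {1}. ".format(vomses, vo_attr.cert)
                          + "Please verify your VO data installation.")
                    proxy.cleanup()
                    continue
                stdout, stderr, client_rc = voms_proxy_fake(proxy, vo_attr)
        else:
            # Name the section (not the Proxy object) so the operator can find it in CONFIG.
            print("WARNING: Unrecognized configuration section %s found in %s.\n" % (proxy_section, CONFIG)
                  + "Valid configuration sections: 'FRONTEND' or 'PILOT'.")
            client_rc = -1
            stderr = "Unrecognized configuration section '%s', renewal not attempted." % proxy_section
            stdout = ""

        if client_rc == 0:
            proxy.write()
            print("Renewed proxy from '%s' to '%s'." % (proxy.cert, proxy.output))
        else:
            retcode = 1  # don't raise an exception here to continue renewing other proxies
            print("ERROR: Failed to renew proxy %s:\n%s%s" % (proxy.output, stdout, stderr))
            proxy.cleanup()
    return retcode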
def test_extract_dn(self):
    """extract_DN must return the subject string the openssl CLI prints for the fixture cert.

    The fixture path is relative, so the test depends on the working directory; it also
    needs an ``openssl`` binary on PATH.
    """
    cert_path = 'fixtures/hostcert.pem'
    subject_line = glideinwms.lib.subprocessSupport.iexe_cmd("openssl x509 -in %s -noout -subject" % cert_path)
    # Drop the leading 'subject=' token and normalise the rest to single spaces.
    # NOTE(review): this assumes the installed openssl prints the subject as separate
    # tokens after 'subject='; other openssl releases lay out the -subject line
    # differently — confirm it matches what extract_DN produces on the target host.
    tokens = subject_line.split()
    expected = ' '.join(tokens[1:])
    self.assertEqual(expected, extract_DN(cert_path))