def uploadProxy(params):
DIRAC.gLogger.info("Loading user proxy")
proxyLoc = params.proxyLoc
if not proxyLoc:
proxyLoc = Locations.getDefaultProxyLocation()
if not proxyLoc:
return S_ERROR("Can't find any proxy")
if params.onTheFly:
DIRAC.gLogger.info("Uploading proxy on-the-fly")
certLoc = params.certLoc
keyLoc = params.keyLoc
if not certLoc or not keyLoc:
cakLoc = Locations.getCertificateAndKeyLocation()
if not cakLoc:
return S_ERROR("Can't find user certificate and key")
if not certLoc:
certLoc = cakLoc[0]
if not keyLoc:
keyLoc = cakLoc[1]
DIRAC.gLogger.info("Cert file %s" % certLoc)
DIRAC.gLogger.info("Key file %s" % keyLoc)
testChain = X509Chain()
retVal = testChain.loadKeyFromFile(keyLoc, password=params.userPasswd)
if not retVal['OK']:
passwdPrompt = "Enter Certificate password:"******"\n")
else:
userPasswd = getpass.getpass(passwdPrompt)
params.userPasswd = userPasswd
DIRAC.gLogger.info("Loading cert and key")
chain = X509Chain()
# Load user cert and key
retVal = chain.loadChainFromFile(certLoc)
if not retVal['OK']:
return S_ERROR("Can't load %s" % certLoc)
retVal = chain.loadKeyFromFile(keyLoc, password=params.userPasswd)
if not retVal['OK']:
return S_ERROR("Can't load %s" % keyLoc)
DIRAC.gLogger.info("User credentials loaded")
restrictLifeTime = params.proxyLifeTime
else:
proxyChain = X509Chain()
retVal = proxyChain.loadProxyFromFile(proxyLoc)
if not retVal['OK']:
return S_ERROR("Can't load proxy file %s: %s" %
(params.proxyLoc, retVal['Message']))
chain = proxyChain
restrictLifeTime = 0
DIRAC.gLogger.info(" Uploading...")
return gProxyManager.uploadProxy(proxy=chain,
restrictLifeTime=restrictLifeTime,
rfcIfPossible=params.rfcIfPossible)
def main():
"""
main program entry point
"""
options = Params()
options.registerCLISwitches()
Script.parseCommandLine(ignoreErrors=True)
if options.delete_all and options.vos:
gLogger.error(
"-a and -v options are mutually exclusive. Please pick one or the other."
)
return 1
proxyLoc = Locations.getDefaultProxyLocation()
if not os.path.exists(proxyLoc):
gLogger.error("No local proxy found in %s, exiting." % proxyLoc)
return 1
result = ProxyInfo.getProxyInfo(proxyLoc, True)
if not result['OK']:
raise RuntimeError('Failed to get local proxy info.')
if result['Value']['secondsLeft'] < 60 and options.needsValidProxy():
raise RuntimeError(
'Lifetime of local proxy too short, please renew proxy.')
userDN = result['Value']['identity']
if options.delete_all:
# delete remote proxies
remote_groups = getProxyGroups()
if not remote_groups:
gLogger.notice('No remote proxies found.')
for vo_group in remote_groups:
deleteRemoteProxy(userDN, vo_group)
# delete local proxy
deleteLocalProxy(proxyLoc)
elif options.vos:
vo_groups = set()
for voname in options.vos:
vo_groups.update(mapVoToGroups(voname))
# filter set of all groups to only contain groups for which there is a user proxy
user_groups = getProxyGroups()
vo_groups.intersection_update(user_groups)
if not vo_groups:
gLogger.notice(
'You have no proxies registered for any of the specified VOs.')
for group in vo_groups:
deleteRemoteProxy(userDN, group)
else:
deleteLocalProxy(proxyLoc)
return 0
def main():
"""
main program entry point
"""
options = Params()
options.registerCLISwitches()
Script.parseCommandLine( ignoreErrors = True )
if options.delete_all and options.vos:
gLogger.error( "-a and -v options are mutually exclusive. Please pick one or the other." )
return 1
proxyLoc = Locations.getDefaultProxyLocation()
if not os.path.exists( proxyLoc ):
gLogger.error( "No local proxy found in %s, exiting." % proxyLoc )
return 1
result = ProxyInfo.getProxyInfo( proxyLoc, True )
if not result[ 'OK' ]:
raise RuntimeError( 'Failed to get local proxy info.' )
if result[ 'Value' ][ 'secondsLeft' ] < 60 and options.needsValidProxy():
raise RuntimeError( 'Lifetime of local proxy too short, please renew proxy.' )
userDN=result[ 'Value' ][ 'identity' ]
if options.delete_all:
# delete remote proxies
remote_groups = getProxyGroups()
if not remote_groups:
gLogger.notice( 'No remote proxies found.' )
for vo_group in remote_groups:
deleteRemoteProxy( userDN, vo_group )
# delete local proxy
deleteLocalProxy( proxyLoc )
elif options.vos:
vo_groups = set()
for voname in options.vos:
vo_groups.update(mapVoToGroups( voname ) )
# filter set of all groups to only contain groups for which there is a user proxy
user_groups = getProxyGroups()
vo_groups.intersection_update( user_groups )
if not vo_groups:
gLogger.notice( 'You have no proxies registered for any of the specified VOs.' )
for group in vo_groups:
deleteRemoteProxy( userDN, group )
else:
deleteLocalProxy( proxyLoc )
return 0
def generateProxy( params ):
if params.checkClock:
result = getClockDeviation()
if result[ 'OK' ]:
deviation = result[ 'Value' ]
if deviation > 600:
gLogger.error( "Your host clock seems to be off by more than TEN MINUTES! Thats really bad." )
gLogger.error( "We're cowardly refusing to generate a proxy. Please fix your system time" )
sys.exit( 1 )
elif deviation > 180:
gLogger.error( "Your host clock seems to be off by more than THREE minutes! Thats bad." )
gLogger.notice( "We'll generate the proxy but please fix your system time" )
elif deviation > 60:
gLogger.error( "Your host clock seems to be off by more than a minute! Thats not good." )
gLogger.notice( "We'll generate the proxy but please fix your system time" )
certLoc = params.certLoc
keyLoc = params.keyLoc
if not certLoc or not keyLoc:
cakLoc = Locations.getCertificateAndKeyLocation()
if not cakLoc:
return S_ERROR( "Can't find user certificate and key" )
if not certLoc:
certLoc = cakLoc[0]
if not keyLoc:
keyLoc = cakLoc[1]
params.certLoc = certLoc
params.keyLoc = keyLoc
#Load password
testChain = X509Chain()
retVal = testChain.loadChainFromFile( params.certLoc )
if not retVal[ 'OK' ]:
return S_ERROR( "Cannot load certificate %s: %s" % ( params.certLoc, retVal[ 'Message' ] ) )
timeLeft = testChain.getRemainingSecs()[ 'Value' ] / 86400
if timeLeft < 30:
gLogger.notice( "\nYour certificate will expire in %d days. Please renew it!\n" % timeLeft )
retVal = testChain.loadKeyFromFile( params.keyLoc, password = params.userPasswd )
if not retVal[ 'OK' ]:
passwdPrompt = "Enter Certificate password:"******"\n" )
else:
userPasswd = getpass.getpass( passwdPrompt )
params.userPasswd = userPasswd
#Find location
proxyLoc = params.proxyLoc
if not proxyLoc:
proxyLoc = Locations.getDefaultProxyLocation()
chain = X509Chain()
#Load user cert and key
retVal = chain.loadChainFromFile( certLoc )
if not retVal[ 'OK' ]:
gLogger.warn( retVal[ 'Message' ] )
return S_ERROR( "Can't load %s" % certLoc )
retVal = chain.loadKeyFromFile( keyLoc, password = params.userPasswd )
if not retVal[ 'OK' ]:
gLogger.warn( retVal[ 'Message' ] )
if 'bad decrypt' in retVal[ 'Message' ]:
return S_ERROR( "Bad passphrase" )
return S_ERROR( "Can't load %s" % keyLoc )
if params.checkWithCS:
retVal = chain.generateProxyToFile( proxyLoc,
params.proxyLifeTime,
strength = params.proxyStrength,
limited = params.limitedProxy,
rfc = params.rfc )
gLogger.info( "Contacting CS..." )
retVal = Script.enableCS()
if not retVal[ 'OK' ]:
gLogger.warn( retVal[ 'Message' ] )
if 'Unauthorized query' in retVal[ 'Message' ]:
# add hint for users
return S_ERROR( "Can't contact DIRAC CS: %s (User possibly not registered with dirac server) "
% retVal[ 'Message' ] )
return S_ERROR( "Can't contact DIRAC CS: %s" % retVal[ 'Message' ] )
userDN = chain.getCertInChain( -1 )['Value'].getSubjectDN()['Value']
if not params.diracGroup:
result = Registry.findDefaultGroupForDN( userDN )
if not result[ 'OK' ]:
gLogger.warn( "Could not get a default group for DN %s: %s" % ( userDN, result[ 'Message' ] ) )
else:
params.diracGroup = result[ 'Value' ]
gLogger.info( "Default discovered group is %s" % params.diracGroup )
gLogger.info( "Checking DN %s" % userDN )
retVal = Registry.getUsernameForDN( userDN )
if not retVal[ 'OK' ]:
gLogger.warn( retVal[ 'Message' ] )
return S_ERROR( "DN %s is not registered" % userDN )
username = retVal[ 'Value' ]
gLogger.info( "Username is %s" % username )
retVal = Registry.getGroupsForUser( username )
if not retVal[ 'OK' ]:
gLogger.warn( retVal[ 'Message' ] )
return S_ERROR( "User %s has no groups defined" % username )
groups = retVal[ 'Value' ]
if params.diracGroup not in groups:
return S_ERROR( "Requested group %s is not valid for DN %s" % ( params.diracGroup, userDN ) )
gLogger.info( "Creating proxy for %s@%s (%s)" % ( username, params.diracGroup, userDN ) )
if params.summary:
h = int( params.proxyLifeTime / 3600 )
m = int( params.proxyLifeTime / 60 ) - h * 60
gLogger.notice( "Proxy lifetime will be %02d:%02d" % ( h, m ) )
gLogger.notice( "User cert is %s" % certLoc )
gLogger.notice( "User key is %s" % keyLoc )
gLogger.notice( "Proxy will be written to %s" % proxyLoc )
if params.diracGroup:
gLogger.notice( "DIRAC Group will be set to %s" % params.diracGroup )
else:
gLogger.notice( "No DIRAC Group will be set" )
gLogger.notice( "Proxy strength will be %s" % params.proxyStrength )
if params.limitedProxy:
gLogger.notice( "Proxy will be limited" )
retVal = chain.generateProxyToFile( proxyLoc,
params.proxyLifeTime,
params.diracGroup,
strength = params.proxyStrength,
limited = params.limitedProxy,
rfc = params.rfc )
if not retVal[ 'OK' ]:
gLogger.warn( retVal[ 'Message' ] )
return S_ERROR( "Couldn't generate proxy: %s" % retVal[ 'Message' ] )
return S_OK( proxyLoc )
def uploadProxy( params ):
DIRAC.gLogger.info( "Loading user proxy" )
proxyLoc = params.proxyLoc
if not proxyLoc:
proxyLoc = Locations.getDefaultProxyLocation()
if not proxyLoc:
return S_ERROR( "Can't find any proxy" )
if params.onTheFly:
DIRAC.gLogger.info( "Uploading proxy on-the-fly" )
certLoc = params.certLoc
keyLoc = params.keyLoc
if not certLoc or not keyLoc:
cakLoc = Locations.getCertificateAndKeyLocation()
if not cakLoc:
return S_ERROR( "Can't find user certificate and key" )
if not certLoc:
certLoc = cakLoc[0]
if not keyLoc:
keyLoc = cakLoc[1]
DIRAC.gLogger.info( "Cert file %s" % certLoc )
DIRAC.gLogger.info( "Key file %s" % keyLoc )
testChain = X509Chain()
retVal = testChain.loadKeyFromFile( keyLoc, password = params.userPasswd )
if not retVal[ 'OK' ]:
passwdPrompt = "Enter Certificate password:"******"\n" )
else:
userPasswd = getpass.getpass( passwdPrompt )
params.userPasswd = userPasswd
DIRAC.gLogger.info( "Loading cert and key" )
chain = X509Chain()
#Load user cert and key
retVal = chain.loadChainFromFile( certLoc )
if not retVal[ 'OK' ]:
return S_ERROR( "Can't load %s" % certLoc )
retVal = chain.loadKeyFromFile( keyLoc, password = params.userPasswd )
if not retVal[ 'OK' ]:
return S_ERROR( "Can't load %s" % keyLoc )
DIRAC.gLogger.info( "User credentials loaded" )
diracGroup = params.diracGroup
if not diracGroup:
result = chain.getCredentials()
if not result['OK']:
return result
if 'group' not in result['Value']:
return S_ERROR( 'Can not get Group from existing credentials' )
diracGroup = result['Value']['group']
restrictLifeTime = params.proxyLifeTime
else:
proxyChain = X509Chain()
retVal = proxyChain.loadProxyFromFile( proxyLoc )
if not retVal[ 'OK' ]:
return S_ERROR( "Can't load proxy file %s: %s" % ( params.proxyLoc, retVal[ 'Message' ] ) )
chain = proxyChain
diracGroup = params.diracGroup
if params.diracGroup:
# Check that there is no conflict with the already present DIRAC group
result = chain.getDIRACGroup( ignoreDefault = True )
if result['OK'] and result['Value'] and result['Value'] == params.diracGroup:
# No need to embed a new DIRAC group
diracGroup = False
restrictLifeTime = 0
DIRAC.gLogger.info( " Uploading..." )
return gProxyManager.uploadProxy( chain, diracGroup, restrictLifeTime = restrictLifeTime, rfcIfPossible = params.rfcIfPossible )
def uploadProxy( params ):
DIRAC.gLogger.info( "Loading user proxy" )
proxyLoc = params.proxyLoc
if not proxyLoc:
proxyLoc = Locations.getDefaultProxyLocation()
if not proxyLoc:
return S_ERROR( "Can't find any proxy" )
proxyChain = X509Chain()
retVal = proxyChain.loadProxyFromFile( proxyLoc )
if not retVal[ 'OK' ]:
return S_ERROR( "Can't load proxy file %s: %s" % ( params.proxyLoc, retVal[ 'Message' ] ) )
if params.onTheFly:
DIRAC.gLogger.info( "Uploading proxy on-the-fly" )
certLoc = params.certLoc
keyLoc = params.keyLoc
if not certLoc or not keyLoc:
cakLoc = Locations.getCertificateAndKeyLocation()
if not cakLoc:
return S_ERROR( "Can't find user certificate and key" )
if not certLoc:
certLoc = cakLoc[0]
if not keyLoc:
keyLoc = cakLoc[1]
DIRAC.gLogger.info( "Cert file %s" % certLoc )
DIRAC.gLogger.info( "Key file %s" % keyLoc )
testChain = X509Chain()
retVal = testChain.loadKeyFromFile( keyLoc, password = params.userPasswd )
if not retVal[ 'OK' ]:
passwdPrompt = "Enter Certificate password:"******"\n" )
else:
userPasswd = getpass.getpass( passwdPrompt )
params.userPasswd = userPasswd
DIRAC.gLogger.info( "Loading cert and key" )
chain = X509Chain()
#Load user cert and key
retVal = chain.loadChainFromFile( certLoc )
if not retVal[ 'OK' ]:
return S_ERROR( "Can't load %s" % certLoc )
retVal = chain.loadKeyFromFile( keyLoc, password = params.userPasswd )
if not retVal[ 'OK' ]:
return S_ERROR( "Can't load %s" % keyLoc )
DIRAC.gLogger.info( "User credentials loaded" )
diracGroup = params.diracGroup
if not diracGroup:
diracGroup = CS.getDefaultUserGroup()
restrictLifeTime = params.proxyLifeTime
else:
chain = proxyChain
diracGroup = False
restrictLifeTime = 0
DIRAC.gLogger.info( " Uploading..." )
return gProxyManager.uploadProxy( chain, diracGroup, restrictLifeTime = restrictLifeTime )
def uploadProxy(params):
DIRAC.gLogger.info("Loading user proxy")
proxyLoc = params.proxyLoc
if not proxyLoc:
proxyLoc = Locations.getDefaultProxyLocation()
if not proxyLoc:
return S_ERROR("Can't find any proxy")
if params.onTheFly:
DIRAC.gLogger.info("Uploading proxy on-the-fly")
certLoc = params.certLoc
keyLoc = params.keyLoc
if not certLoc or not keyLoc:
cakLoc = Locations.getCertificateAndKeyLocation()
if not cakLoc:
return S_ERROR("Can't find user certificate and key")
if not certLoc:
certLoc = cakLoc[0]
if not keyLoc:
keyLoc = cakLoc[1]
DIRAC.gLogger.info("Cert file %s" % certLoc)
DIRAC.gLogger.info("Key file %s" % keyLoc)
testChain = X509Chain()
retVal = testChain.loadKeyFromFile(keyLoc, password=params.userPasswd)
if not retVal['OK']:
passwdPrompt = "Enter Certificate password:"******"\n")
else:
userPasswd = getpass.getpass(passwdPrompt)
params.userPasswd = userPasswd
DIRAC.gLogger.info("Loading cert and key")
chain = X509Chain()
# Load user cert and key
retVal = chain.loadChainFromFile(certLoc)
if not retVal['OK']:
return S_ERROR("Can't load %s" % certLoc)
retVal = chain.loadKeyFromFile(keyLoc, password=params.userPasswd)
if not retVal['OK']:
return S_ERROR("Can't load %s" % keyLoc)
DIRAC.gLogger.info("User credentials loaded")
diracGroup = params.diracGroup
if not diracGroup:
result = chain.getCredentials()
if not result['OK']:
return result
if 'group' not in result['Value']:
return S_ERROR('Can not get Group from existing credentials')
diracGroup = result['Value']['group']
restrictLifeTime = params.proxyLifeTime
else:
proxyChain = X509Chain()
retVal = proxyChain.loadProxyFromFile(proxyLoc)
if not retVal['OK']:
return S_ERROR("Can't load proxy file %s: %s" % (params.proxyLoc, retVal['Message']))
chain = proxyChain
diracGroup = params.diracGroup
if params.diracGroup:
# Check that there is no conflict with the already present DIRAC group
result = chain.getDIRACGroup(ignoreDefault=True)
if result['OK'] and result['Value'] and result['Value'] == params.diracGroup:
# No need to embed a new DIRAC group
diracGroup = False
restrictLifeTime = 0
DIRAC.gLogger.info(" Uploading...")
return gProxyManager.uploadProxy(
chain,
diracGroup,
restrictLifeTime=restrictLifeTime,
rfcIfPossible=params.rfcIfPossible)
def generateProxy(params):
if params.checkClock:
result = getClockDeviation()
if result['OK']:
deviation = result['Value']
if deviation > 600:
gLogger.error(
"Your host clock seems to be off by more than TEN MINUTES! Thats really bad."
)
gLogger.error(
"We're cowardly refusing to generate a proxy. Please fix your system time"
)
sys.exit(1)
elif deviation > 180:
gLogger.error(
"Your host clock seems to be off by more than THREE minutes! Thats bad."
)
gLogger.notice(
"We'll generate the proxy but please fix your system time")
elif deviation > 60:
gLogger.error(
"Your host clock seems to be off by more than a minute! Thats not good."
)
gLogger.notice(
"We'll generate the proxy but please fix your system time")
certLoc = params.certLoc
keyLoc = params.keyLoc
if not certLoc or not keyLoc:
cakLoc = Locations.getCertificateAndKeyLocation()
if not cakLoc:
return S_ERROR("Can't find user certificate and key")
if not certLoc:
certLoc = cakLoc[0]
if not keyLoc:
keyLoc = cakLoc[1]
params.certLoc = certLoc
params.keyLoc = keyLoc
#Load password
testChain = X509Chain()
retVal = testChain.loadChainFromFile(params.certLoc)
if not retVal['OK']:
return S_ERROR("Cannot load certificate %s: %s" %
(params.certLoc, retVal['Message']))
timeLeft = testChain.getRemainingSecs()['Value'] / 86400
if timeLeft < 30:
gLogger.notice(
"\nYour certificate will expire in %d days. Please renew it!\n" %
timeLeft)
retVal = testChain.loadKeyFromFile(params.keyLoc,
password=params.userPasswd)
if not retVal['OK']:
passwdPrompt = "Enter Certificate password:"******"\n")
else:
userPasswd = getpass.getpass(passwdPrompt)
params.userPasswd = userPasswd
#Find location
proxyLoc = params.proxyLoc
if not proxyLoc:
proxyLoc = Locations.getDefaultProxyLocation()
chain = X509Chain()
#Load user cert and key
retVal = chain.loadChainFromFile(certLoc)
if not retVal['OK']:
gLogger.warn(retVal['Message'])
return S_ERROR("Can't load %s" % certLoc)
retVal = chain.loadKeyFromFile(keyLoc, password=params.userPasswd)
if not retVal['OK']:
gLogger.warn(retVal['Message'])
if 'bad decrypt' in retVal['Message']:
return S_ERROR("Bad passphrase")
return S_ERROR("Can't load %s" % keyLoc)
if params.checkWithCS:
retVal = chain.generateProxyToFile(proxyLoc,
params.proxyLifeTime,
strength=params.proxyStrength,
limited=params.limitedProxy)
gLogger.info("Contacting CS...")
retVal = Script.enableCS()
if not retVal['OK']:
gLogger.warn(retVal['Message'])
if 'Unauthorized query' in retVal['Message']:
# add hint for users
return S_ERROR(
"Can't contact DIRAC CS: %s (User possibly not registered with dirac server) "
% retVal['Message'])
return S_ERROR("Can't contact DIRAC CS: %s" % retVal['Message'])
userDN = chain.getCertInChain(-1)['Value'].getSubjectDN()['Value']
if not params.diracGroup:
result = Registry.findDefaultGroupForDN(userDN)
if not result['OK']:
gLogger.warn("Could not get a default group for DN %s: %s" %
(userDN, result['Message']))
else:
params.diracGroup = result['Value']
gLogger.info("Default discovered group is %s" %
params.diracGroup)
gLogger.info("Checking DN %s" % userDN)
retVal = Registry.getUsernameForDN(userDN)
if not retVal['OK']:
gLogger.warn(retVal['Message'])
return S_ERROR("DN %s is not registered" % userDN)
username = retVal['Value']
gLogger.info("Username is %s" % username)
retVal = Registry.getGroupsForUser(username)
if not retVal['OK']:
gLogger.warn(retVal['Message'])
return S_ERROR("User %s has no groups defined" % username)
groups = retVal['Value']
if params.diracGroup not in groups:
return S_ERROR("Requested group %s is not valid for DN %s" %
(params.diracGroup, userDN))
gLogger.info("Creating proxy for %s@%s (%s)" %
(username, params.diracGroup, userDN))
if params.summary:
h = int(params.proxyLifeTime / 3600)
m = int(params.proxyLifeTime / 60) - h * 60
gLogger.notice("Proxy lifetime will be %02d:%02d" % (h, m))
gLogger.notice("User cert is %s" % certLoc)
gLogger.notice("User key is %s" % keyLoc)
gLogger.notice("Proxy will be written to %s" % proxyLoc)
if params.diracGroup:
gLogger.notice("DIRAC Group will be set to %s" % params.diracGroup)
else:
gLogger.notice("No DIRAC Group will be set")
gLogger.notice("Proxy strength will be %s" % params.proxyStrength)
if params.limitedProxy:
gLogger.notice("Proxy will be limited")
retVal = chain.generateProxyToFile(proxyLoc,
params.proxyLifeTime,
params.diracGroup,
strength=params.proxyStrength,
limited=params.limitedProxy)
if not retVal['OK']:
gLogger.warn(retVal['Message'])
return S_ERROR("Couldn't generate proxy: %s" % retVal['Message'])
return S_OK(proxyLoc)
def generateProxy(params):
if params.checkClock:
result = getClockDeviation()
if result['OK']:
deviation = result['Value']
if deviation > 600:
print "Error: Your host clock seems to be off by more than TEN MINUTES! Thats really bad."
print "We're cowardly refusing to generate a proxy. Please fix your system time"
DIRAC.exit(1)
elif deviation > 180:
print "Error: Your host clock seems to be off by more than THREE minutes! Thats bad."
print "Warn : We'll generate the proxy but please fix your system time"
elif deviation > 60:
print "Error: Your host clock seems to be off by more than a minute! Thats not good."
print "Warn : We'll generate the proxy but please fix your system time"
certLoc = params.certLoc
keyLoc = params.keyLoc
if not certLoc or not keyLoc:
cakLoc = Locations.getCertificateAndKeyLocation()
if not cakLoc:
return S_ERROR("Can't find user certificate and key")
if not certLoc:
certLoc = cakLoc[0]
if not keyLoc:
keyLoc = cakLoc[1]
testChain = X509Chain()
retVal = testChain.loadKeyFromFile(keyLoc, password=params.userPasswd)
if not retVal['OK']:
passwdPrompt = "Enter Certificate password:"******"\n")
else:
userPasswd = getpass.getpass(passwdPrompt)
params.userPasswd = userPasswd
proxyLoc = params.proxyLoc
if not proxyLoc:
proxyLoc = Locations.getDefaultProxyLocation()
if params.debug:
h = int(params.proxyLifeTime / 3600)
m = int(params.proxyLifeTime / 60) - h * 60
print "Proxy lifetime will be %02d:%02d" % (h, m)
print "User cert is %s" % certLoc
print "User key is %s" % keyLoc
print "Proxy will be written to %s" % proxyLoc
if params.diracGroup:
print "DIRAC Group will be set to %s" % params.diracGroup
else:
print "No DIRAC Group will be set"
print "Proxy strength will be %s" % params.proxyStrength
if params.limitedProxy:
print "Proxy will be limited"
chain = X509Chain()
#Load user cert and key
retVal = chain.loadChainFromFile(certLoc)
if not retVal['OK']:
params.debugMsg("ERROR: %s" % retVal['Message'])
return S_ERROR("Can't load %s" % certLoc)
retVal = chain.loadKeyFromFile(keyLoc, password=params.userPasswd)
if not retVal['OK']:
params.debugMsg("ERROR: %s" % retVal['Message'])
return S_ERROR("Can't load %s" % keyLoc)
if params.checkWithCS and params.diracGroup:
retVal = chain.generateProxyToFile(proxyLoc,
params.proxyLifeTime,
strength=params.proxyStrength,
limited=params.limitedProxy)
params.debugMsg("Contacting CS...")
retVal = Script.enableCS()
if not retVal['OK']:
params.debugMsg("ERROR: %s" % retVal['Message'])
return S_ERROR("Can't contact DIRAC CS: %s" % retVal['Message'])
if not params.diracGroup:
params.diracGroup = CS.getDefaultUserGroup()
userDN = chain.getCertInChain(-1)['Value'].getSubjectDN()['Value']
params.debugMsg("Checking DN %s" % userDN)
retVal = CS.getUsernameForDN(userDN)
if not retVal['OK']:
params.debugMsg("ERROR: %s" % retVal['Message'])
return S_ERROR("DN %s is not registered" % userDN)
username = retVal['Value']
params.debugMsg("Username is %s" % username)
retVal = CS.getGroupsForUser(username)
if not retVal['OK']:
params.debugMsg("ERROR: %s" % retVal['Message'])
return S_ERROR("User %s has no groups defined" % username)
groups = retVal['Value']
if params.diracGroup not in groups:
return S_ERROR("Requested group %s is not valid for user %s" %
(params.diracGroup, username))
params.debugMsg("Creating proxy for %s@%s (%s)" %
(username, params.diracGroup, userDN))
retVal = chain.generateProxyToFile(proxyLoc,
params.proxyLifeTime,
params.diracGroup,
strength=params.proxyStrength,
limited=params.limitedProxy)
if not retVal['OK']:
params.debugMsg("ERROR: %s" % retVal['Message'])
return S_ERROR("Couldn't generate proxy: %s" % retVal['Message'])
return S_OK(proxyLoc)
def generateProxy( params ):
if params.checkClock:
result = getClockDeviation()
if result[ 'OK' ]:
deviation = result[ 'Value' ]
if deviation > 600:
print "Error: Your host clock seems to be off by more than TEN MINUTES! Thats really bad."
print "We're cowardly refusing to generate a proxy. Please fix your system time"
DIRAC.exit( 1 )
elif deviation > 180:
print "Error: Your host clock seems to be off by more than THREE minutes! Thats bad."
print "Warn : We'll generate the proxy but please fix your system time"
elif deviation > 60:
print "Error: Your host clock seems to be off by more than a minute! Thats not good."
print "Warn : We'll generate the proxy but please fix your system time"
certLoc = params.certLoc
keyLoc = params.keyLoc
if not certLoc or not keyLoc:
cakLoc = Locations.getCertificateAndKeyLocation()
if not cakLoc:
return S_ERROR( "Can't find user certificate and key" )
if not certLoc:
certLoc = cakLoc[0]
if not keyLoc:
keyLoc = cakLoc[1]
testChain = X509Chain()
retVal = testChain.loadKeyFromFile( keyLoc, password = params.userPasswd )
if not retVal[ 'OK' ]:
passwdPrompt = "Enter Certificate password:"******"\n" )
else:
userPasswd = getpass.getpass( passwdPrompt )
params.userPasswd = userPasswd
proxyLoc = params.proxyLoc
if not proxyLoc:
proxyLoc = Locations.getDefaultProxyLocation()
if params.debug:
h = int( params.proxyLifeTime / 3600 )
m = int( params.proxyLifeTime / 60 ) - h * 60
print "Proxy lifetime will be %02d:%02d" % ( h, m )
print "User cert is %s" % certLoc
print "User key is %s" % keyLoc
print "Proxy will be written to %s" % proxyLoc
if params.diracGroup:
print "DIRAC Group will be set to %s" % params.diracGroup
else:
print "No DIRAC Group will be set"
print "Proxy strength will be %s" % params.proxyStrength
if params.limitedProxy:
print "Proxy will be limited"
chain = X509Chain()
#Load user cert and key
retVal = chain.loadChainFromFile( certLoc )
if not retVal[ 'OK' ]:
params.debugMsg( "ERROR: %s" % retVal[ 'Message' ] )
return S_ERROR( "Can't load %s" % certLoc )
retVal = chain.loadKeyFromFile( keyLoc, password = params.userPasswd )
if not retVal[ 'OK' ]:
params.debugMsg( "ERROR: %s" % retVal[ 'Message' ] )
return S_ERROR( "Can't load %s" % keyLoc )
if params.checkWithCS and params.diracGroup:
retVal = chain.generateProxyToFile( proxyLoc,
params.proxyLifeTime,
strength = params.proxyStrength,
limited = params.limitedProxy )
params.debugMsg( "Contacting CS..." )
retVal = Script.enableCS()
if not retVal[ 'OK' ]:
params.debugMsg( "ERROR: %s" % retVal[ 'Message' ] )
return S_ERROR( "Can't contact DIRAC CS: %s" % retVal[ 'Message' ] )
if not params.diracGroup:
params.diracGroup = CS.getDefaultUserGroup()
userDN = chain.getCertInChain( -1 )['Value'].getSubjectDN()['Value']
params.debugMsg( "Checking DN %s" % userDN )
retVal = CS.getUsernameForDN( userDN )
if not retVal[ 'OK' ]:
params.debugMsg( "ERROR: %s" % retVal[ 'Message' ] )
return S_ERROR( "DN %s is not registered" % userDN )
username = retVal[ 'Value' ]
params.debugMsg( "Username is %s" % username )
retVal = CS.getGroupsForUser( username )
if not retVal[ 'OK' ]:
params.debugMsg( "ERROR: %s" % retVal[ 'Message' ] )
return S_ERROR( "User %s has no groups defined" % username )
groups = retVal[ 'Value' ]
if params.diracGroup not in groups:
return S_ERROR( "Requested group %s is not valid for user %s" % ( params.diracGroup, username ) )
params.debugMsg( "Creating proxy for %s@%s (%s)" % ( username, params.diracGroup, userDN ) )
retVal = chain.generateProxyToFile( proxyLoc,
params.proxyLifeTime,
params.diracGroup,
strength = params.proxyStrength,
limited = params.limitedProxy )
if not retVal[ 'OK' ]:
params.debugMsg( "ERROR: %s" % retVal[ 'Message' ] )
return S_ERROR( "Couldn't generate proxy: %s" % retVal[ 'Message' ] )
return S_OK( proxyLoc )
