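def authenticate(openid_uri, password):
    """Log on to the user's MyProxy server and cache the returned credential on disk.

    The MyProxy host is the network location of ``openid_uri`` and the
    MyProxy username is the last path component of the identifier.

    :param str openid_uri: the user's OpenID identifier URL
    :param str password: MyProxy passphrase for that user
    :raises MyProxyClientError: if the identifier cannot be split into a host
        and a user, or the host name does not resolve
    """
    try:
        # Result unused here; the call is kept in case it validates the
        # identifier -- TODO confirm whether it can be dropped.
        utils.user_url_to_filepath(openid_uri)
        host = urlparse(openid_uri.strip()).netloc
        user = openid_uri.rsplit('/', 1)[1]
    except IndexError:
        raise MyProxyClientError('Invalid OpenID identifier')

    if not host or not user:
        raise MyProxyClientError('Invalid OpenID identifier')

    try:
        myproxy = MyProxyClient(hostname=host)
        credentials = myproxy.logon(user, password, bootstrap=True)
        cert_filepath = utils.user_cert_file(openid_uri)
        cert_dir = os.path.dirname(cert_filepath)
        if not os.path.exists(cert_dir):
            os.makedirs(cert_dir)

        # The credential includes a private key: create the file owner-only
        # from the start rather than relying on the process umask.
        fd = os.open(cert_filepath, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, 'w') as out:
            out.write(credentials[0])
            out.write(credentials[1])
    except socket.gaierror:
        raise MyProxyClientError('Invalid OpenID identifier')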
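class MyProxyUtils(object):
    """Thin wrapper around MyProxyClient driven by the local ESG configuration.

    Trust roots are written under ``~/.esg/certificates`` and the proxy
    credential (certificate plus private key) to ``~/.esg/credentials.pem``.
    """

    def __init__(self):
        self.config = config.read_config()
        self.cacertdir = os.path.expanduser("~/.esg/certificates")
        self.credsfile = os.path.expanduser("~/.esg/credentials.pem")
        self.myproxy = MyProxyClient(hostname=self.config['nodes']['idp_node'])
        # _setCACertDir is a non-public MyProxyClient method and may change
        # between library versions.
        self.myproxy._setCACertDir(self.cacertdir)

    def get_trustroots(self):
        """Fetch the IdP's trust roots into ``self.cacertdir``; keep the result on ``self.trustRoots``."""
        self.trustRoots = self.myproxy.getTrustRoots(
            self.config['account']['username'],
            self.config['account']['password'],
            writeToCACertDir=True,
            bootstrap=True)

    def get_credentials(self):
        """Log on to MyProxy and store the returned credential in ``self.credsfile``.

        The file is created with the client's proxy-file mode from the start,
        so the private key is never readable by other users even briefly; the
        chmod afterwards also covers a pre-existing file, whose mode os.open
        would not change.
        """
        self.credentials = self.myproxy.logon(
            self.config['account']['username'],
            self.config['account']['password'])
        mode = self.myproxy.PROXY_FILE_PERMISSIONS
        fd = os.open(self.credsfile, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
        with os.fdopen(fd, 'w') as f:
            f.write(self.credentials[0] + self.credentials[1])
        os.chmod(self.credsfile, mode)

    def delete_credentials(self):
        """Remove the cached credential file if it exists."""
        if os.path.exists(self.credsfile):
            os.remove(self.credsfile)

    def delete_trustroots(self):
        """Remove the trust-root directory and everything under it."""
        if os.path.exists(self.cacertdir):
            shutil.rmtree(self.cacertdir)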
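def authenticate(request):
    """Pyramid view: log a publisher on to MyProxy and remember them in the auth cookie.

    Expects a JSON POST body with ``openid`` and ``password``.  On success the
    credential chain is stored for esgcet in ``/tmp/x509in_<server>_<username>``,
    the Publisher row is created or updated, and an auth_tkt cookie is set.

    :param request: Pyramid request
    :return: a Response on success; a dict with ``status``/``message`` and
        HTTP status 400 on failure
    """
    if request.method != 'POST':
        return Response('Error: GET is not supported')

    data = json.loads(request.body.decode('utf-8'))

    openid = data.get('openid')
    password = data.get('password')
    if not openid or not password:
        request.response.status = 400
        return {'status': 'Error', 'message': 'openid and password are required'}

    (server, username) = utils.decompose_openid(openid)

    # Both values originate from the client and are used to name the credential
    # file below: refuse anything that is not a single path component.
    if not _is_plain_component(server) or not _is_plain_component(username):
        request.response.status = 400
        return {'status': 'Error', 'message': 'Invalid openid'}

    # Get X.509 certificate chain from MyProxy server
    log.info("Getting X.509 certificate from %s for %s" % (server, username))
    myproxy_client = MyProxyClient(hostname=server)
    try:
        cred_chain_pem_tuple = myproxy_client.logon(username, password, lifetime=7*24*3600)
    except Exception as exc:
        request.response.status = 400
        return {'status': 'Error', 'message': '%s' % exc}

    cred_chain_pem = ''.join(cred_chain_pem_tuple)
    cert_pem = cred_chain_pem_tuple[0]

    # Get 'Not After' date
    cert = crypto.load_certificate(crypto.FILETYPE_PEM, cert_pem)
    not_after = cert.get_notAfter().decode()
    dt = datetime.strptime(not_after, '%Y%m%d%H%M%SZ')

    # Check the publisher role in X509v3 extension 1.2.3.4.4.3.2.1.7.8
    if not authentication.is_publisher(openid, cert):
        request.response.status = 400
        return {'status': 'Error', 'message': 'The user does not have the publisher role'}

    # Store the X.509 certificate chain in a tmp file, so it can be used later by esgcet.
    # The chain contains the private key, so the file is created owner-only,
    # and a symlink planted at the predictable name is not followed.
    _write_private_file('/tmp/x509in_%s_%s' % (server, username), cred_chain_pem)

    # Add or update Publisher object in the database
    publisher = DBSession.query(Publisher).filter(Publisher.openid==openid).first()
    if publisher:
        publisher.x509_pem = cred_chain_pem
        publisher.expiration = dt
    else:
        publisher = Publisher(openid=openid, x509_pem=cred_chain_pem, expiration=dt)
        DBSession.add(publisher)

    # Save openid in auth_tk cookie
    headers = remember(request, openid)
    resp = Response()
    resp.headers = headers
    return resp


def _is_plain_component(value):
    """Return True if *value* is a non-empty string usable as one file-name component."""
    import os
    return bool(value) and os.path.basename(value) == value and value not in ('.', '..')


def _write_private_file(path, data):
    """Write *data* to *path* with mode 0600, replacing a regular file already there."""
    import os
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, 'O_NOFOLLOW', 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, 'w') as cred_file:
        cred_file.write(data)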
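def renew_certificate(host, port, username, password):
    """Log on to the MyProxy server and write a fresh proxy to ``sdconfig.esgf_x509_proxy``.

    :param host: MyProxy server host name
    :param port: MyProxy server port
    :param username: MyProxy username
    :param password: MyProxy passphrase
    """
    sdlog.info("SDMYPROX-002","Renew certificate..")

    # we need a mkdir here to prevent 'No such file or directory' myproxyclient error (see TAGFERE5435 for more info)
    security_dir = sdconfig.get_security_dir()
    if not os.path.isdir(security_dir):
        os.makedirs(security_dir)

    # currently, we set bootstrap option everytime
    # TODO: change this to set only the first time (i.e. if .esg/certificates is empty)
    bootstrap = True

    # currently, we set trustroots option everytime
    updateTrustRoots = True
    authnGetTrustRootsCall = False

    # TODO: maybe add option in 'synda certificate' to specify another path for
    # the cadir (for debugging purposes); other locations seen elsewhere are
    # /etc/grid-security/certificates and ~/.globus/certificates.

    # set env. -- point the client (and anything it spawns) at our proxy and
    # trust-root directory, and make sure a stale X509_USER_PROXY does not win
    os.environ['ESGF_CREDENTIAL'] = sdconfig.esgf_x509_proxy
    os.environ['ESGF_CERT_DIR'] = sdconfig.esgf_x509_cert_dir
    os.environ['X509_CERT_DIR'] = sdconfig.esgf_x509_cert_dir

    if 'X509_USER_PROXY' in os.environ:
        del os.environ['X509_USER_PROXY']

    # main
    myproxy_clnt = MyProxyClient(hostname=host,
                                 port=port,
                                 caCertDir=sdconfig.esgf_x509_cert_dir,
                                 proxyCertLifetime=43200)  # 12 hours

    creds = myproxy_clnt.logon(username, password,
                               bootstrap=bootstrap,
                               updateTrustRoots=updateTrustRoots,
                               authnGetTrustRootsCall=authnGetTrustRootsCall)

    # store cert on disk: the proxy includes the private key, so create the
    # file owner-only instead of with the umask default, and close it even if
    # a write fails
    fd = os.open(sdconfig.esgf_x509_proxy, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, 'w') as fout:
        for cred in creds:
            fout.write(cred)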
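def renew_certificate(host, port, username, password):
    """Log on to the MyProxy server and write a fresh proxy to ``sdconfig.esgf_x509_proxy``.

    :param host: MyProxy server host name
    :param port: MyProxy server port
    :param username: MyProxy username
    :param password: MyProxy passphrase
    """
    sdlog.info("SDMYPROX-002", "Renew certificate..")

    # we need a mkdir here to prevent 'No such file or directory' myproxyclient error (see TAGFERE5435 for more info)
    security_dir = sdconfig.get_security_dir()
    if not os.path.isdir(security_dir):
        os.makedirs(security_dir)

    # currently, we set bootstrap option everytime
    # TODO: change this to set only the first time (i.e. if .esg/certificates is empty)
    bootstrap = True

    # currently, we set trustroots option everytime
    updateTrustRoots = True
    authnGetTrustRootsCall = False

    # TODO: maybe add option in 'synda certificate' to specify another path for
    # the cadir (for debugging purposes); other locations seen elsewhere are
    # /etc/grid-security/certificates and ~/.globus/certificates.

    # set env. -- point the client (and anything it spawns) at our proxy and
    # trust-root directory, and make sure a stale X509_USER_PROXY does not win
    os.environ['ESGF_CREDENTIAL'] = sdconfig.esgf_x509_proxy
    os.environ['ESGF_CERT_DIR'] = sdconfig.esgf_x509_cert_dir
    os.environ['X509_CERT_DIR'] = sdconfig.esgf_x509_cert_dir

    if 'X509_USER_PROXY' in os.environ:
        del os.environ['X509_USER_PROXY']

    # main
    myproxy_clnt = MyProxyClient(hostname=host,
                                 port=port,
                                 caCertDir=sdconfig.esgf_x509_cert_dir,
                                 proxyCertLifetime=43200)  # 12 hours

    creds = myproxy_clnt.logon(username,
                               password,
                               bootstrap=bootstrap,
                               updateTrustRoots=updateTrustRoots,
                               authnGetTrustRootsCall=authnGetTrustRootsCall)

    # store cert on disk: the proxy includes the private key, so create the
    # file owner-only instead of with the umask default, and close it even if
    # a write fails
    fd = os.open(sdconfig.esgf_x509_proxy, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, 'w') as fout:
        for cred in creds:
            fout.write(cred)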
def logon(config,
          myproxy_username=None,
          myproxy_password=None,
          myproxy_hostname=None):
    """
    Use MyProxyClient to generate a certificate for publication.
    Generate appropriate directories if not exists

    Missing hostname/username/password are first looked up in the ini file
    and, failing that, prompted for at the terminal (Python 2 syntax).

    :param config config: Configuration instance, e.g. from getConfig()
    :param str myproxy_username: Myproxy username
    :param str myproxy_password: Myproxy password
    :param str myproxy_hostname: Myproxy hostname

    """
    from myproxy.client import MyProxyClient

    # destination of the proxy certificate; its directory also hosts the
    # 'certificates' trust-root directory
    myproxy_cert_location = config.get('DEFAULT', 'hessian_service_certfile')

    # try to get the myproxy info from ini file if not specified
    # (a password read from the ini file sits in clear text on disk)
    if not myproxy_hostname:
        myproxy_hostname = get_myproxy_value_from_config(config, 'hostname')
    if not myproxy_username:
        myproxy_username = get_myproxy_value_from_config(config, 'username')
    if not myproxy_password:
        myproxy_password = get_myproxy_value_from_config(config, 'password')

    myproxy_dir = os.path.dirname(myproxy_cert_location)
    myproxy_certs_dir = os.path.join(myproxy_dir, 'certificates')

    # os.mkdir, not makedirs: only the last path element is created
    if not os.path.isdir(myproxy_dir):
        os.mkdir(myproxy_dir)
    if not os.path.isdir(myproxy_certs_dir):
        os.mkdir(myproxy_certs_dir)

    if myproxy_hostname is None:
        print '\nEnter myproxy hostname:',
        myproxy_hostname = raw_input()
    if myproxy_username is None:
        # NOTE(review): the next line is garbled in this listing -- the
        # username prompt and a password prompt have been fused, apparently
        # by a secret-redaction pass.  Restore it from the upstream source
        # before relying on this code.
        print 'Enter myproxy username:'******'Enter password for %s: ' %
                                           myproxy_username)

    # bootstrap=True: trust roots are fetched from the server on logon;
    # lifetime is in seconds (259200 s = 3 days)
    myproxy = MyProxyClient(hostname=myproxy_hostname,
                            caCertDir=myproxy_certs_dir)
    credentials = myproxy.logon(myproxy_username,
                                myproxy_password,
                                bootstrap=True,
                                lifetime=259200)
    # the three credential parts are written to the configured cert file;
    # presumably certificate, private key and CA chain -- confirm with the
    # myproxy client version in use
    myproxy.writeProxyFile(credentials[0],
                           credentials[1],
                           credentials[2],
                           filePath=myproxy_cert_location)
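def login_mpc(request):
    """Django view: authenticate the current user against their MyProxy endpoint.

    The MyProxy host is discovered from the user's OpenID service document
    (``URN_MPC``).  On success the credential is stored on the user's auth
    record and the API key is returned; any ``WPSError`` becomes a failure
    response.

    :param request: Django request with ``username`` and ``password`` in POST
    :return: ``common.success(...)`` or ``common.failed(...)``
    """
    try:
        common.authentication_required(request)

        form = forms.MPCForm(request.POST)

        data = common.validate_form(form, ('username', 'password'))

        logger.info('Authenticating MyProxyClient for {}'.format(
            data['username']))

        services = openid.services(request.user.auth.openid_url, (URN_MPC, ))

        # A match always carries both groups, so no group-count check is needed.
        g = re.match('socket://(.*):(.*)', services[0].server_url)

        if g is None:
            raise MPCEndpointParseError()

        # the port is not passed on: the client is built from the host only
        host, _port = g.groups()

        from OpenSSL import SSL

        # NOTE: this is a process-wide setting on the MyProxyClient class, not
        # per request; every client created afterwards uses TLS 1.2.
        MyProxyClient.SSL_METHOD = SSL.TLSv1_2_METHOD

        try:
            m = MyProxyClient(hostname=host, caCertDir=settings.WPS_CA_PATH)

            c = m.logon(data['username'], data['password'], bootstrap=True)
        except Exception:
            # The cause is deliberately not returned to the caller; keep it in
            # the log so failures can still be diagnosed.
            logger.exception('MyProxyClient logon failed for %s', data['username'])
            raise common.AuthenticationError(user=data['username'])

        logger.info(
            'Authenticated with MyProxyClient backend for user {}'.format(
                data['username']))

        request.user.auth.update('myproxyclient', c)
    except WPSError as e:
        logger.exception('Error authenticating MyProxyClient')

        return common.failed(str(e))
    else:
        metrics.track_login(metrics.WPS_MPC_LOGIN_SUCCESS,
                            request.user.auth.openid_url)

        return common.success({
            'type': request.user.auth.type,
            'api_key': request.user.auth.api_key
        })
    finally:
        # counted for every attempt by a logged-in user, success or failure
        if not request.user.is_anonymous:
            metrics.track_login(metrics.WPS_MPC_LOGIN,
                                request.user.auth.openid_url)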
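class MyProxyController(object):
    """Obtain a proxy certificate from a MyProxy server for a given user.

    Either the ``myproxy`` Python client is used directly or, when a VDT
    installation is given, the ``myproxy-get-delegation`` command from that
    installation.
    """

    def __init__(self, port, hostname, serverDN, proxyCertMaxLifetime=None, proxyCertLifetime=None):
        """Configure the underlying MyProxyClient.

        :param port: MyProxy server port
        :param hostname: MyProxy server host name
        :param serverDN: expected distinguished name of the server certificate
        :param proxyCertMaxLifetime: optional, passed through to the client when set
        :param proxyCertLifetime: optional, passed through to the client when set
        """
        self._client = MyProxyClient()
        self._client.port = port
        self._client.hostname = hostname
        self._client.serverDN = serverDN
        if proxyCertMaxLifetime:
            self._client.proxyCertMaxLifetime = proxyCertMaxLifetime
        if proxyCertLifetime:
            self._client.proxyCertLifetime = proxyCertLifetime

    def login(self, username, password, certPath, vdtLocation=None):
        """Fetch a proxy for *username* and write it to ``formProxyFileName(username, certPath)``.

        :param username: MyProxy username
        :param password: MyProxy passphrase
        :param certPath: directory that receives the proxy file
        :param vdtLocation: if given, use ``myproxy-get-delegation`` from this
            VDT install instead of the Python client
        :raises ValueError: if username or password is empty
        """
        if not username:
            raise ValueError("invalid username")
        if not password:
            raise ValueError("invalid password")

        proxyFileName = self.formProxyFileName(username, certPath)
        logger.info("myproxy logon with username: %s", username)

        if vdtLocation:
            self._login_with_vdt(username, password, certPath, proxyFileName, vdtLocation)
        else:
            proxy = self._client.logon(username=username, passphrase=password)

            logger.info(
                "writing proxy certificate retrieved from myproxy for user [%s] at [%s]", username, certPath
            )
            if not os.path.exists(certPath):
                os.makedirs(certPath)
            GraysonUtil.writeFile(outputPath=proxyFileName, data=proxy[0])

    def _login_with_vdt(self, username, password, certPath, proxyFileName, vdtLocation):
        """Run myproxy-get-delegation from the VDT install, feeding the passphrase on stdin.

        Every variable part is handed to the shell through the environment and
        referenced quoted in the script, so none of it is parsed as shell
        syntax, and the passphrase never appears on a command line where other
        processes could read it.  Output is appended to ``<certPath>/../logs/myproxy.log``.
        """
        import subprocess

        script = (
            '. "$VDT_LOCATION/setup.sh" && '
            'myproxy-get-delegation '
            '--pshost "$MYPROXY_HOST" '
            '--username "$MYPROXY_USER" '
            '--stdin_pass '
            '--out "$MYPROXY_OUT" >> "$MYPROXY_LOG" 2>&1'
        )
        env = dict(os.environ)
        # str() mirrors the Template substitution the shell version relied on
        for name, value in (
            ("VDT_LOCATION", vdtLocation),
            ("MYPROXY_SERVER_DN", self._client.serverDN),
            ("MYPROXY_HOST", self._client.hostname),
            ("MYPROXY_USER", username),
            ("MYPROXY_OUT", proxyFileName),
            ("MYPROXY_LOG", os.path.join(certPath, "..", "logs", "myproxy.log")),
        ):
            env[name] = str(value)

        proc = subprocess.Popen(["/bin/sh", "-c", script], stdin=subprocess.PIPE, env=env)
        proc.communicate((password + "\n").encode("utf-8"))
        if proc.returncode != 0:
            # kept non-fatal to match the previous os.system() behaviour
            logger.error("myproxy-get-delegation exited with status %s for user %s",
                         proc.returncode, username)

    def formProxyFileName(self, username, certPath):
        """Return the proxy file path for *username* inside *certPath*."""
        return os.path.join(certPath, "x509_proxy_%s" % username)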
    def logon(self,
              username=None,
              password=None,
              hostname=None,
              bootstrap=False,
              update_trustroots=True,
              interactive=True):
        """
        Obtain ESGF credentials from the specified MyProxy service.

        If ``interactive == True`` then any missing parameters of ``password``,
        ``username`` or ``hostname`` will be prompted for at the terminal.
        
        :param interactive: Whether to ask for input at the terminal for
            any missing information.  I.e. username, password or hostname.
        :param bootstrap: Whether to bootstrap the trustroots for this
            MyProxy service.
        :param update_trustroots: Whether to update the trustroots for this
            MyProxy service.
        :raises OpenidResolutionError: if hostname, username or password is
            still None after prompting.

        """
        if interactive:
            if hostname is None:
                print 'Enter myproxy hostname:',
                hostname = raw_input()
            if username is None:
                # NOTE(review): the next line is garbled in this listing -- the
                # username prompt and a password prompt have been fused,
                # apparently by a secret-redaction pass.  Restore it from the
                # upstream source before relying on this code.
                print 'Enter myproxy username:'******'Enter password for %s: ' % username)

        if None in (hostname, username, password):
            raise OpenidResolutionError('Full logon details not available')

        # caCertDir is the ESGF trust-root directory; presumably what the
        # client verifies the MyProxy server certificate against -- confirm
        c = MyProxyClient(hostname=hostname, caCertDir=self.esgf_certs_dir)

        creds = c.logon(username,
                        password,
                        bootstrap=bootstrap,
                        updateTrustRoots=update_trustroots)
        # creds includes the private key; the file is created with the
        # process umask rather than an owner-only mode
        with open(self.esgf_credentials, 'w') as fh:
            for cred in creds:
                fh.write(cred)
def logon(config, myproxy_username=None, myproxy_password=None, myproxy_hostname=None):
    """
    Use MyProxyClient to generate a certificate for publication.
    Generate appropriate directories if not exists

    Missing hostname/username/password are first looked up in the ini file
    and, failing that, prompted for at the terminal (Python 2 syntax).

    :param config config: Configuration instance, e.g. from getConfig()
    :param str myproxy_username: Myproxy username
    :param str myproxy_password: Myproxy password
    :param str myproxy_hostname: Myproxy hostname

    """
    from myproxy.client import MyProxyClient

    # destination of the proxy certificate; its directory also hosts the
    # 'certificates' trust-root directory
    myproxy_cert_location = config.get('DEFAULT', 'hessian_service_certfile')

    # try to get the myproxy info from ini file if not specified
    # (a password read from the ini file sits in clear text on disk)
    if not myproxy_hostname:
        myproxy_hostname = get_myproxy_value_from_config(config, 'hostname')
    if not myproxy_username:
        myproxy_username = get_myproxy_value_from_config(config, 'username')
    if not myproxy_password:
        myproxy_password = get_myproxy_value_from_config(config, 'password')

    myproxy_dir = os.path.dirname(myproxy_cert_location)
    myproxy_certs_dir = os.path.join(myproxy_dir, 'certificates')

    # os.mkdir, not makedirs: only the last path element is created
    if not os.path.isdir(myproxy_dir):
        os.mkdir(myproxy_dir)
    if not os.path.isdir(myproxy_certs_dir):
        os.mkdir(myproxy_certs_dir)

    if myproxy_hostname is None:
        print '\nEnter myproxy hostname:',
        myproxy_hostname = raw_input()
    if myproxy_username is None:
        # NOTE(review): the next line is garbled in this listing -- the
        # username prompt and a password prompt have been fused, apparently
        # by a secret-redaction pass.  Restore it from the upstream source
        # before relying on this code.
        print 'Enter myproxy username:'******'Enter password for %s: ' % myproxy_username)

    # bootstrap=True: trust roots are fetched from the server on logon;
    # lifetime is in seconds (259200 s = 3 days)
    myproxy = MyProxyClient(hostname=myproxy_hostname, caCertDir=myproxy_certs_dir)
    credentials = myproxy.logon(myproxy_username, myproxy_password, bootstrap=True, lifetime=259200)
    # three credential parts are written; presumably certificate, private key
    # and CA chain -- confirm with the myproxy client version in use
    myproxy.writeProxyFile(credentials[0], credentials[1], credentials[2], filePath=myproxy_cert_location)
    def logon(self, username=None, password=None, hostname=None,
              bootstrap=False, update_trustroots=True,
              interactive=True):
        """
        Obtain ESGF credentials from the specified MyProxy service.

        If ``interactive == True`` then any missing parameters of ``password``,
        ``username`` or ``hostname`` will be prompted for at the terminal.

        :param interactive: Whether to ask for input at the terminal for
            any missing information.  I.e. username, password or hostname.
        :param bootstrap: Whether to bootstrap the trustroots for this
            MyProxy service.
        :param update_trustroots: Whether to update the trustroots for this
            MyProxy service.
        :raises OpenidResolutionError: if hostname, username or password is
            still None after prompting.

        """
        if interactive:
            if hostname is None:
                # trailing comma is a leftover from the Python 2 print
                # statement; with print() it has no effect on output
                print('Enter myproxy hostname:'),
                hostname = input()
            if username is None:
                # NOTE(review): the next line is garbled in this listing -- the
                # username prompt and a password prompt have been fused,
                # apparently by a secret-redaction pass.  Restore it from the
                # upstream source before relying on this code.
                print('Enter myproxy username:'******'Enter password for %s: ' % username)

        if None in (hostname, username, password):
            raise OpenidResolutionError('Full logon details not available')

        # caCertDir is the ESGF trust-root directory; presumably what the
        # client verifies the MyProxy server certificate against -- confirm
        c = MyProxyClient(hostname=hostname, caCertDir=self.esgf_certs_dir)

        creds = c.logon(username, password,
                        bootstrap=bootstrap,
                        updateTrustRoots=update_trustroots)
        # 'wb': the credential parts are written as bytes.  The file holds the
        # private key but is created with the process umask, not owner-only.
        with open(self.esgf_credentials, 'wb') as fh:
            for cred in creds:
                fh.write(cred)
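class MyProxyUtils(object):
    """Thin wrapper around MyProxyClient driven by the local ESG configuration.

    Trust roots are written under ``~/.esg/certificates`` and the proxy
    credential (certificate plus private key) to ``~/.esg/credentials.pem``.
    """

    def __init__(self):
        self.config = config.read_config()
        self.cacertdir = os.path.expanduser("~/.esg/certificates")
        self.credsfile = os.path.expanduser("~/.esg/credentials.pem")
        self.myproxy = MyProxyClient(hostname=self.config['nodes']['idp_node'])
        # _setCACertDir is a non-public MyProxyClient method and may change
        # between library versions.
        self.myproxy._setCACertDir(self.cacertdir)

    def get_trustroots(self):
        """Fetch the IdP's trust roots into ``self.cacertdir``; keep the result on ``self.trustRoots``."""
        self.trustRoots = self.myproxy.getTrustRoots(
            self.config['account']['username'],
            self.config['account']['password'],
            writeToCACertDir=True,
            bootstrap=True)

    def get_credentials(self):
        """Log on to MyProxy and store the returned credential in ``self.credsfile``.

        The file is created with the client's proxy-file mode from the start,
        so the private key is never readable by other users even briefly; the
        chmod afterwards also covers a pre-existing file, whose mode os.open
        would not change.
        """
        self.credentials = self.myproxy.logon(
            self.config['account']['username'],
            self.config['account']['password'])
        mode = self.myproxy.PROXY_FILE_PERMISSIONS
        fd = os.open(self.credsfile, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
        with os.fdopen(fd, 'w') as f:
            f.write(self.credentials[0] + self.credentials[1])
        os.chmod(self.credsfile, mode)

    def delete_credentials(self):
        """Remove the cached credential file if it exists."""
        if os.path.exists(self.credsfile):
            os.remove(self.credsfile)

    def delete_trustroots(self):
        """Remove the trust-root directory and everything under it."""
        if os.path.exists(self.cacertdir):
            shutil.rmtree(self.cacertdir)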
class MyProxyProvisionedSessionMiddleware(SSLCtxSessionMiddleware):
    """Provisions a session object with PKI credentials from a MyProxy server.
    Call MyProxy logon to populate a session based SSL context object with
    client PKI credentials to make SSL calls to other services.
    
    Written for Python 2 (``basestring``, ``long``, ``except X, e`` syntax,
    list-comprehension variable leak relied on by ``del i``).

    @cvar DEFAULT_CERT_EXPIRY_OFFSET: default time offset prior to certificate
    expiry used to trigger certificate renewal. e.g. if the offset is 1 day
    and the certificate will expiry within one day then certificate renewal
    is invoked with a fresh MyProxy logon call.
    @type DEFAULT_CERT_EXPIRY_OFFSET: timedelta
    """
    __slots__ = (
        '__myProxyClient',
        '__certExpiryOffset',
        '__myProxyClientSSLCertFile',
        '__myProxyClientSSLKeyFile',
        '__myProxyClientSSLKeyFilePassphrase'
    )
    # Strip the leading '__' so each entry names the matching public property
    # (initialise() uses these names with setattr).
    PARAM_NAMES = tuple([i[2:] for i in __slots__])
    # Remove the comprehension variable leaked into the class namespace by
    # Python 2 list comprehensions.
    del i
    DEFAULT_ENVIRON_SESSION_KEYNAME = "ndg.security.session"
    DEFAULT_PARAM_PREFIX = 'myproxy_provision_session.'
    MYPROXY_CLIENT_PARAM_PREFIX = 'myproxy_client.'
    DEFAULT_CERT_EXPIRY_OFFSET = timedelta(days=1)
    
    def __init__(self, app):
        """Wrap *app*; start with a default MyProxyClient and no SSL client
        credentials (set later via initialise()).
        """
        super(MyProxyProvisionedSessionMiddleware, self).__init__(app)
        self.__myProxyClient = MyProxyClient()
        self.__certExpiryOffset = self.__class__.DEFAULT_CERT_EXPIRY_OFFSET
        self.__myProxyClientSSLCertFile = None
        self.__myProxyClientSSLKeyFile = None
        self.__myProxyClientSSLKeyFilePassphrase = None
        
    @property
    def myProxyClient(self):
        '''MyProxy client used to make calls to MyProxy server to retrieve 
        credentials for user
        '''
        return self.__myProxyClient
    
    @myProxyClient.setter
    def myProxyClient(self, val):
        '''MyProxy client used to make calls to MyProxy server to retrieve 
        credentials for user

        @raise TypeError: if val is not a MyProxyClient instance
        '''
        if not isinstance(val, MyProxyClient):
            raise TypeError('Expecting %r type for "myProxyClient", got %r' % 
                            (MyProxyClient, type(val)))
        self.__myProxyClient = val
            
                    
    @property
    def certExpiryOffset(self):
        '''Certificate expiry offset measured in seconds before current time
        '''
        return self.__certExpiryOffset
    
    @certExpiryOffset.setter
    def certExpiryOffset(self, val):
        '''Certificate expiry offset measured in seconds before current time

        Accepts a number of seconds as a string or number, or a timedelta.
        @raise TypeError: for any other type
        '''
        if isinstance(val, basestring):
            self.__certExpiryOffset = timedelta(seconds=float(val))
            
        elif isinstance(val, (float, int, long)):
            self.__certExpiryOffset = timedelta(seconds=val)
            
        elif isinstance(val, timedelta):
            self.__certExpiryOffset = val
            
        else:
            raise TypeError('Expecting string, int, long, float or timedelta '
                            'type for "certExpiryOffset", got %r' % type(val))
      
    @property      
    def myProxyClientSSLCertFile(self):
        '''Path of the client certificate used to authenticate to MyProxy'''
        return self.__myProxyClientSSLCertFile
    
    @myProxyClientSSLCertFile.setter
    def myProxyClientSSLCertFile(self, val):
        '''Set the client certificate path; it must be readable now.  The
        check is only a snapshot -- the file is opened later by the client.
        '''
        if not isinstance(val, basestring):
            raise TypeError('Expecting string type for '
                            '"myProxyClientSSLCertFile"; got %r' % type(val))
            
        if not os.access(val, os.R_OK):
            raise IOError('Error accessing "myProxyClientSSLCertFile" file %r' %
                          val)
         
        self.__myProxyClientSSLCertFile = val
        
    @property      
    def myProxyClientSSLKeyFile(self):
        '''Path of the client private key used to authenticate to MyProxy'''
        return self.__myProxyClientSSLKeyFile
    
    @myProxyClientSSLKeyFile.setter
    def myProxyClientSSLKeyFile(self, val):
        '''Set the client key path; it must be readable now (snapshot check,
        as for myProxyClientSSLCertFile).
        '''
        if not isinstance(val, basestring):
            raise TypeError('Expecting string type for '
                            'myProxyClientSSLKeyFile"; got %r' % type(val))
            
        if not os.access(val, os.R_OK):
            raise IOError('Error accessing "myProxyClientSSLKeyFile" file %r' % 
                          val)
            
        self.__myProxyClientSSLKeyFile = val
        
    @property      
    def myProxyClientSSLKeyFilePassphrase(self):
        '''Passphrase for the client key file; held in memory as given and
        not passed to logon() in the visible code
        '''
        return self.__myProxyClientSSLKeyFilePassphrase
    
    @myProxyClientSSLKeyFilePassphrase.setter
    def myProxyClientSSLKeyFilePassphrase(self, val):
        '''Set the client key passphrase
        @raise TypeError: if val is not a string
        '''
        if not isinstance(val, basestring):
            raise TypeError('Expecting string type for '
                            'myProxyClientSSLKeyFilePassphrase"; got %r' %
                            type(val))
            
        self.__myProxyClientSSLKeyFilePassphrase = val
    
    def initialise(self, app_conf, 
                   prefix=DEFAULT_PARAM_PREFIX,
                   myProxyClientPrefix=MYPROXY_CLIENT_PARAM_PREFIX,
                   **local_conf):
        """Parse dictionary of configuration items updating the relevant 
        attributes of this instance
        
        @type prefix: basestring
        @param prefix: prefix for configuration items
        @type myProxyClientPrefix: basestring
        @param myProxyClientPrefix: explicit prefix for MyProxyClient class 
        specific configuration items
        @type app_conf: dict        
        @param app_conf: PasteDeploy application specific configuration 
        dictionary
        """
        super(MyProxyProvisionedSessionMiddleware, self).initialise(app_conf,
                                                                prefix=prefix,
                                                                **local_conf)
        
        # Sanity check
        if not isinstance(prefix, basestring):
            prefix = ''
            
        # Get MyProxyClient initialisation parameters
        myProxyClientFullPrefix = prefix + myProxyClientPrefix
                            
        # Every app_conf item under the client prefix is passed straight to
        # MyProxyClient as a keyword argument; the prefix is stripped from the
        # whole key (str.replace), not only from its start.
        myProxyClientKw = dict([(k.replace(myProxyClientFullPrefix, ''), v) 
                                 for k,v in app_conf.items() 
                                 if k.startswith(myProxyClientFullPrefix)])
        
        self.myProxyClient = MyProxyClient(**myProxyClientKw)
        
        # Only names listed in PARAM_NAMES are set, so stray keys in
        # local_conf are ignored rather than creating attributes.
        for k in local_conf:
            paramName = k.replace(prefix, '', 1)
            if paramName in self.__class__.PARAM_NAMES:
                setattr(self, paramName, local_conf[k])
                             
    @classmethod
    def filter_app_factory(cls, app, app_conf, **kw):
        """Configure filter and associated SSL Context session middleware
        """
        _app = cls(app)
        _app.initialise(app_conf, **kw)
        
        # Set SSL Context middleware upstream from this app
        _app = SSLCtxSessionMiddleware.filter_app_factory(_app, app_conf, **kw)
        return _app
    
    @wsgify
    def __call__(self, request):
        '''
        @param request: WSGI request object
        @type request: WebOb.Request
        @return: WSGI response
        @rtype: iterable
        '''
        resp = super(MyProxyProvisionedSessionMiddleware, self).__call__(
                                                                        request)
        session = self.getSession(request)

        # if not certificate has been set or if it is present but expired,
        # renew        
        # (_is_cert_set and _is_cert_expired are not defined in this class;
        # presumably provided by SSLCtxSessionMiddleware)
        if (not self.__class__._is_cert_set(session) or 
            self._is_cert_expired(session)):
            self._refresh_credentials(request)
            
        return resp
    
    def _getMyProxyLogonCallCreds(self, request):
        """Get credentials for MyProxy logon.  Override to give custom behaviour
        @param request: WSGI request object
        @type request: WebOb.Request
        @rtype: tuple
        @return: two element tuple containing username and password to use with
        logon call to MyProxy.  None is set by default for the case where the
        client authenticates over SSL with a client certificate.
        """        
        return (request.environ.get('REMOTE_USER'), None)

    def _refresh_credentials(self, request):
        """Refresh credentials by making a MyProxy server logon request

        @raise httpexceptions.HTTPUnauthorized: if the MyProxy logon fails
        @raise MyProxyRetrievalSocketError: on a socket error talking to the
        MyProxy server

        NOTE(review): the logon result is bound to ``credentials`` but not used
        in the visible body -- confirm against the upstream source that it is
        written to the session.
        """
        
        username, password = self._getMyProxyLogonCallCreds(request)
        try:
            credentials = self.__myProxyClient.logon(username, password,
                                     sslCertFile=self.myProxyClientSSLCertFile,
                                     sslKeyFile=self.myProxyClientSSLKeyFile)
                   
        except MyProxyClientError, e:
            raise httpexceptions.HTTPUnauthorized(str(e))
        
        except socket.error, e:
            raise MyProxyRetrievalSocketError("Socket error with MyProxy "
                                              "server %r: %s" % 
                                              (self.__myProxyClient.hostname,e))
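import os

# Read the MyProxy settings from auth_file.  The relevant line holds
# ";"-separated "key = value" fields, e.g.
#   myproxyserver = host ; myproxyuser = name ; myproxypass = secret
# Escaped "\n" sequences in a value are turned into real newlines.
myproxyserver = None
myproxyuser = None
myproxypass = None
with open(auth_file) as fa:
    for raw_line in fa:
        if raw_line.startswith("#"):
            continue
        line = raw_line.strip()
        if "myproxyserver = " not in line:
            continue
        proxy_found = True
        for token in line.split(";"):
            key, sep, value = token.partition(" = ")
            if not sep:
                # a field without " = " previously raised IndexError
                continue
            key = key.strip()
            value = value.strip().replace("\\n", "\n")

            if key == "myproxyserver":
                myproxyserver = value
            elif key == "myproxyuser":
                myproxyuser = value
            elif key == "myproxypass":
                myproxypass = value

if myproxyserver and myproxyuser and myproxypass:
    from myproxy.client import MyProxyClient
    myproxy = MyProxyClient(hostname=myproxyserver, caCertDir=cadir)
    credentials = myproxy.logon(myproxyuser, myproxypass)
    # The proxy contains a private key: create the file owner-only instead
    # of relying on the umask.
    fd = os.open(proxy_file, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fp:
        for cred in credentials:
            fp.write(cred)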
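    def get_user_proxy(self, myproxy_server, userDN, force_remote=False):
        """Retrieve user proxy for the correct activity from myproxy and save it in memcache

        A cached proxy is reused only if ``grid-proxy-info`` confirms it is
        still valid for at least ``validity_h`` hours.

        :param myproxy_server: myproxy server hostname
        :type myproxy_server: str
        :param userDN: user DN
        :type userDN: str

        :param force_remote: force retrieving from myproxy, defaults to False
        :type force_remote: bool, optional

        :return: user proxy
        :rtype: tuple
        """
        cert = self.hostcert
        ckey = self.hostkey

        # Generate myproxy key: the MyProxy username the user's credential is
        # stored under, derived from the DN and this endpoint
        key = sha1(userDN + "_" + self.cmsweb_endpoint).hexdigest()

        result_cache = REGION_SHORT.get(key)
        validity_h = 2

        if isinstance(result_cache, NoValue) or force_remote:
            logging.info("Refresh user certificates for %s", userDN)
        else:
            logging.info(
                "User certificates from memcache. Checking validity...")
            try:
                # NamedTemporaryFile is created owner-only, so the proxy's
                # private key is not exposed; flush before the external check
                # reads it, and let the context manager close it on any path.
                with tempfile.NamedTemporaryFile(delete=True) as certfile:
                    for crt in result_cache:
                        certfile.write(crt)
                    certfile.flush()
                    command = ['grid-proxy-info', '-f', certfile.name,
                               '-e', '-h', str(validity_h)]
                    logging.debug('grid-proxy-info -f %s -e -h %s', certfile.name,
                                  validity_h)
                    # argument list, no shell: nothing is re-parsed
                    subprocess.check_call(command)
            except subprocess.CalledProcessError as ex:
                if ex.returncode == 1:
                    logging.warning("Credential timeleft < %sh", validity_h)
                else:
                    logging.exception("Credential validity check failed")
            else:
                return result_cache

        logging.info(
            "myproxy_client = MyProxyClient(hostname='myproxy.cern.ch'")
        logging.info(
            "myproxy_client.logon('%s', None, sslCertFile='%s', sslKeyFile='%s')",
            key, cert, ckey)

        # Retrieve proxy, authenticating with the host certificate/key
        myproxy_client = MyProxyClient(hostname=myproxy_server)
        try:
            user_proxy = myproxy_client.logon(key,
                                              None,
                                              sslCertFile=cert,
                                              sslKeyFile=ckey)
        except MyProxyClientGetError:
            logging.error("MyProxy client exception during GET proxy")
            raise
        except MyProxyClientRetrieveError:
            logging.error("MyProxy client exception retrieving proxy")
            raise
        except gaierror:
            logging.error("Invalid myproxy url")
            raise
        except TypeError:
            logging.error("Invalid arguments provided for myproxy client")
            raise

        REGION_SHORT.set(key, user_proxy)

        return user_proxy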
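import os

# Read the MyProxy settings from auth_file.  The relevant line holds
# ";"-separated "key = value" fields, e.g.
#   myproxyserver = host ; myproxyuser = name ; myproxypass = secret
# Escaped "\n" sequences in a value are turned into real newlines.
myproxyserver = None
myproxyuser = None
myproxypass = None
with open(auth_file) as fa:
    for raw_line in fa:
        if raw_line.startswith("#"):
            continue
        line = raw_line.strip()
        if "myproxyserver = " not in line:
            continue
        proxy_found = True
        for token in line.split(";"):
            key, sep, value = token.partition(" = ")
            if not sep:
                # a field without " = " previously raised IndexError
                continue
            key = key.strip()
            value = value.strip().replace("\\n", "\n")

            if key == "myproxyserver":
                myproxyserver = value
            elif key == "myproxyuser":
                myproxyuser = value
            elif key == "myproxypass":
                myproxypass = value

if myproxyserver and myproxyuser and myproxypass:
    from myproxy.client import MyProxyClient
    myproxy = MyProxyClient(hostname=myproxyserver, caCertDir=cadir)
    credentials = myproxy.logon(myproxyuser, myproxypass)
    # The proxy contains a private key: create the file owner-only instead
    # of relying on the umask.
    fd = os.open(proxy_file, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fp:
        for cred in credentials:
            fp.write(cred)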
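def renew_certificate_NG(force, quiet=True):
    """Renew ESGF certificate.

    Performs a MyProxy logon against the hard-coded host and returns the
    resulting (certificate, private key) pair instead of discarding it.

    @param force: accepted for interface compatibility; not used here
    @param quiet: accepted for interface compatibility; not used here
    @rtype: tuple
    @return: (certificate, private key) as returned by MyProxyClient.logon
    """
    from myproxy.client import MyProxyClient
    # NOTE(review): `username` and `password` are not parameters and are not
    # defined in this function; they must come from the enclosing module
    # scope -- confirm.
    myproxy_clnt = MyProxyClient(hostname="myproxy.somewhere.ac.uk")
    cert, private_key = myproxy_clnt.logon(username, password, bootstrap=True)
    return cert, private_key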
class MyProxyProvisionedSessionMiddleware(SSLCtxSessionMiddleware):
    """Provisions a session object with PKI credentials from a MyProxy server.
    Call MyProxy logon to populate a session based SSL context object with
    client PKI credentials to make SSL calls to other services.
    
    @cvar DEFAULT_CERT_EXPIRY_OFFSET: default time offset prior to certificate
    expiry used to trigger certificate renewal. e.g. if the offset is 1 day
    and the certificate will expire within one day then certificate renewal
    is invoked with a fresh MyProxy logon call.
    @type DEFAULT_CERT_EXPIRY_OFFSET: timedelta
    """
    __slots__ = (
        '__myProxyClient',
        '__certExpiryOffset',
        '__myProxyClientSSLCertFile',
        '__myProxyClientSSLKeyFile',
        '__myProxyClientSSLKeyFilePassphrase'
    )
    PARAM_NAMES = tuple([i[2:] for i in __slots__])
    del i
    DEFAULT_ENVIRON_SESSION_KEYNAME = "ndg.security.session"
    DEFAULT_PARAM_PREFIX = 'myproxy_provision_session.'
    MYPROXY_CLIENT_PARAM_PREFIX = 'myproxy_client.'
    DEFAULT_CERT_EXPIRY_OFFSET = timedelta(days=1)
    
    def __init__(self, app):
        """Wrap *app* and seed the MyProxy-related state with defaults.

        The client SSL credential paths and passphrase start as None; they
        are normally populated later by initialise() via the property
        setters.

        @param app: downstream WSGI application
        """
        super(MyProxyProvisionedSessionMiddleware, self).__init__(app)

        # Default client; initialise() replaces it from configuration.
        self.__myProxyClient = MyProxyClient()
        self.__certExpiryOffset = self.__class__.DEFAULT_CERT_EXPIRY_OFFSET

        # Client-side SSL credentials for the MyProxy connection, unset until
        # configured.
        (self.__myProxyClientSSLCertFile,
         self.__myProxyClientSSLKeyFile,
         self.__myProxyClientSSLKeyFilePassphrase) = (None, None, None)
        
    @property
    def myProxyClient(self):
        '''MyProxyClient instance used for logon calls to the MyProxy server
        to retrieve credentials for the user

        @rtype: MyProxyClient
        @return: the current client object
        '''
        client = self.__myProxyClient
        return client
    
    @myProxyClient.setter
    def myProxyClient(self, val):
        '''Replace the MyProxyClient used for logon calls.

        @param val: client instance
        @type val: MyProxyClient
        @raise TypeError: if *val* is not a MyProxyClient
        '''
        if isinstance(val, MyProxyClient):
            self.__myProxyClient = val
            return

        raise TypeError('Expecting %r type for "myProxyClient", got %r' %
                        (MyProxyClient, type(val)))
            
                    
    @property
    def certExpiryOffset(self):
        '''Time before certificate expiry at which renewal is triggered
        (see DEFAULT_CERT_EXPIRY_OFFSET)

        @rtype: timedelta
        @return: the current offset
        '''
        offset = self.__certExpiryOffset
        return offset
    
    @certExpiryOffset.setter
    def certExpiryOffset(self, val):
        '''Set the renewal offset; it is always stored as a timedelta.

        @param val: offset in seconds (string or number) or a timedelta
        @type val: basestring, int, long, float or timedelta
        @raise TypeError: for any other type
        '''
        if isinstance(val, basestring):
            # Configuration values arrive as strings, e.g. "86400"
            offset = timedelta(seconds=float(val))
        elif isinstance(val, (float, int, long)):
            offset = timedelta(seconds=val)
        elif isinstance(val, timedelta):
            offset = val
        else:
            raise TypeError('Expecting string, int, long, float or timedelta '
                            'type for "certExpiryOffset", got %r' % type(val))

        self.__certExpiryOffset = offset
      
    @property
    def myProxyClientSSLCertFile(self):
        '''Path of the client certificate passed to MyProxyClient.logon as
        sslCertFile, or None if not configured

        @rtype: basestring or None
        '''
        path = self.__myProxyClientSSLCertFile
        return path
    
    @myProxyClientSSLCertFile.setter
    def myProxyClientSSLCertFile(self, val):
        '''Set the client certificate file used for the MyProxy connection;
        the path is checked for readability at set time.

        @param val: file path
        @type val: basestring
        @raise TypeError: if *val* is not a string
        @raise IOError: if the file is not readable
        '''
        if not isinstance(val, basestring):
            raise TypeError('Expecting string type for '
                            '"myProxyClientSSLCertFile"; got %r' % type(val))

        # Early, best-effort check: the path itself is only handed to
        # MyProxyClient.logon later, so fail at configuration time instead.
        readable = os.access(val, os.R_OK)
        if not readable:
            raise IOError('Error accessing "myProxyClientSSLCertFile" file %r' %
                          val)

        self.__myProxyClientSSLCertFile = val
        
    @property
    def myProxyClientSSLKeyFile(self):
        '''Path of the client private key passed to MyProxyClient.logon as
        sslKeyFile, or None if not configured

        @rtype: basestring or None
        '''
        path = self.__myProxyClientSSLKeyFile
        return path
    
    @myProxyClientSSLKeyFile.setter
    def myProxyClientSSLKeyFile(self, val):
        '''Set the client private key file used for the MyProxy connection;
        the path is checked for readability at set time.

        @param val: file path
        @type val: basestring
        @raise TypeError: if *val* is not a string
        @raise IOError: if the file is not readable
        '''
        if not isinstance(val, basestring):
            raise TypeError('Expecting string type for '
                            'myProxyClientSSLKeyFile"; got %r' % type(val))

        # Early, best-effort check: the path itself is only handed to
        # MyProxyClient.logon later, so fail at configuration time instead.
        readable = os.access(val, os.R_OK)
        if not readable:
            raise IOError('Error accessing "myProxyClientSSLKeyFile" file %r' %
                          val)

        self.__myProxyClientSSLKeyFile = val
        
    @property
    def myProxyClientSSLKeyFilePassphrase(self):
        '''Passphrase for the client private key file, or None if not set

        @rtype: basestring or None
        '''
        passphrase = self.__myProxyClientSSLKeyFilePassphrase
        return passphrase
    
    @myProxyClientSSLKeyFilePassphrase.setter
    def myProxyClientSSLKeyFilePassphrase(self, val):
        '''Set the passphrase for the client private key file.

        NOTE(review): the logon call in _refresh_credentials passes only
        sslCertFile and sslKeyFile to MyProxyClient.logon; confirm this
        passphrase is actually consumed somewhere, otherwise an encrypted key
        file cannot be used.

        @param val: passphrase
        @type val: basestring
        @raise TypeError: if *val* is not a string
        '''
        if isinstance(val, basestring):
            self.__myProxyClientSSLKeyFilePassphrase = val
            return

        raise TypeError('Expecting string type for '
                        'myProxyClientSSLKeyFilePassphrase"; got %r' %
                        type(val))
    
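    def initialise(self, app_conf, 
                   prefix=DEFAULT_PARAM_PREFIX,
                   myProxyClientPrefix=MYPROXY_CLIENT_PARAM_PREFIX,
                   **local_conf):
        """Parse dictionary of configuration items updating the relevant 
        attributes of this instance
        
        @type prefix: basestring
        @param prefix: prefix for configuration items
        @type myProxyClientPrefix: basestring
        @param myProxyClientPrefix: explicit prefix for MyProxyClient class 
        specific configuration items
        @type app_conf: dict        
        @param app_conf: PasteDeploy application specific configuration 
        dictionary
        @param local_conf: filter-local items; a key is applied through the
        matching property setter when, with *prefix* stripped, it is one of
        PARAM_NAMES (the setters validate types and file access)
        """
        super(MyProxyProvisionedSessionMiddleware, self).initialise(app_conf,
                                                                prefix=prefix,
                                                                **local_conf)
        
        # Sanity check
        if not isinstance(prefix, basestring):
            prefix = ''
            
        # Get MyProxyClient initialisation parameters.  Only a leading prefix
        # is stripped: str.replace() would also delete the prefix text from
        # the middle of a key, yielding a wrong keyword name.
        myProxyClientFullPrefix = prefix + myProxyClientPrefix
        fullPrefixLen = len(myProxyClientFullPrefix)
        myProxyClientKw = dict((k[fullPrefixLen:], v)
                               for k, v in app_conf.items()
                               if k.startswith(myProxyClientFullPrefix))
        
        self.myProxyClient = MyProxyClient(**myProxyClientKw)
        
        prefixLen = len(prefix)
        for k, v in local_conf.items():
            # Strip the prefix only where the key actually begins with it
            if k.startswith(prefix):
                paramName = k[prefixLen:]
            else:
                paramName = k
            if paramName in self.__class__.PARAM_NAMES:
                setattr(self, paramName, v)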
                             
    @classmethod
    def filter_app_factory(cls, app, app_conf, **kw):
        """Configure filter and associated SSL Context session middleware

        @param app: downstream WSGI application
        @param app_conf: PasteDeploy application configuration dictionary
        @param kw: filter-local configuration forwarded to initialise() and
        to the SSL context middleware factory
        @return: configured WSGI stack with SSLCtxSessionMiddleware outermost
        """
        middleware = cls(app)
        middleware.initialise(app_conf, **kw)

        # Set SSL Context middleware upstream from this app
        return SSLCtxSessionMiddleware.filter_app_factory(middleware, app_conf,
                                                          **kw)
    
    @wsgify
    def __call__(self, request):
        '''Invoke the parent middleware, then ensure the session holds a
        certificate that is set and not expired, refreshing it from MyProxy
        otherwise.

        @param request: WSGI request object
        @type request: WebOb.Request
        @return: WSGI response
        @rtype: iterable
        '''
        resp = super(MyProxyProvisionedSessionMiddleware, self).__call__(
                                                                        request)
        session = self.getSession(request)

        # NOTE(review): the parent __call__ is made before the credential
        # check, so a refresh triggered here only benefits later requests in
        # the session -- confirm that ordering is intended.
        cls = self.__class__
        needs_refresh = (not cls._is_cert_set(session)
                         or self._is_cert_expired(session))
        if needs_refresh:
            self._refresh_credentials(request)

        return resp
    
    def _getMyProxyLogonCallCreds(self, request):
        """Get credentials for MyProxy logon.  Override to give custom behaviour
        @param request: WSGI request object
        @type request: WebOb.Request
        @rtype: tuple
        @return: two element tuple containing username and password to use with
        logon call to MyProxy.  None is set by default for the case where the
        client authenticates over SSL with a client certificate.
        """
        username = request.environ.get('REMOTE_USER')
        # No password by default: authentication to MyProxy is expected to
        # rely on the client SSL certificate/key given to logon.
        password = None
        return (username, password)

    def _refresh_credentials(self, request):
        """Refresh credentials by making a MyProxy server logon request"""
        
        username, password = self._getMyProxyLogonCallCreds(request)
        try:
            credentials = self.__myProxyClient.logon(username, password,
                                     sslCertFile=self.myProxyClientSSLCertFile,
                                     sslKeyFile=self.myProxyClientSSLKeyFile)
                   
        except MyProxyClientError, e:
            raise httpexceptions.HTTPUnauthorized(str(e))
        
        except socket.error, e:
            raise MyProxyRetrievalSocketError("Socket error with MyProxy "
                                              "server %r: %s" % 
                                              (self.__myProxyClient.hostname,e))