def authenticate(openid_uri, password):
try:
filepath = utils.user_url_to_filepath(openid_uri)
host = urlparse(openid_uri.strip()).netloc;
user = openid_uri.rsplit('/', 1)[1]
except IndexError:
raise MyProxyClientError('Invalid OpenID identifier')
if not host or not user:
raise MyProxyClientError('Invalid OpenID identifier')
try:
myproxy = MyProxyClient(hostname=host)
credentials = myproxy.logon(user, password, bootstrap=True)
cert_filepath = utils.user_cert_file(openid_uri)
dir = os.path.dirname(cert_filepath);
if not os.path.exists(dir):
os.makedirs(dir)
with open(cert_filepath, 'w') as fd:
fd.write(credentials[0])
fd.write(credentials[1])
except socket.gaierror:
raise MyProxyClientError('Invalid OpenID identifier')
class MyProxyUtils(object):
def __init__(self):
self.config = config.read_config()
self.cacertdir = os.path.expanduser("~/.esg/certificates")
self.credsfile = os.path.expanduser("~/.esg/credentials.pem")
self.myproxy = MyProxyClient(hostname=self.config['nodes']['idp_node'])
self.myproxy._setCACertDir(self.cacertdir)
def get_trustroots(self):
# Get trust roots
self.trustRoots = self.myproxy.getTrustRoots(
self.config['account']['username'],
self.config['account']['password'],
writeToCACertDir=True,
bootstrap=True)
def get_credentials(self):
# Get credentials (and trustroots)
self.credentials = self.myproxy.logon(
self.config['account']['username'],
self.config['account']['password'])
# Write Credentials
with open(self.credsfile, 'w') as f:
f.write(self.credentials[0] + self.credentials[1])
os.chmod(self.credsfile, self.myproxy.PROXY_FILE_PERMISSIONS)
def delete_credentials(self):
# Delete credentials file
if os.path.exists(self.credsfile):
os.remove(self.credsfile)
def delete_trustroots(self):
# Delete trustroots and cacert directory
if os.path.exists(self.cacertdir):
shutil.rmtree(self.cacertdir)
def authenticate(request):
if request.method != 'POST':
return Response('Error: GET is not supported')
data = json.loads(request.body.decode('utf-8'))
openid = data.get('openid')
password = data.get('password')
(server, username) = utils.decompose_openid(openid)
# Get X.509 certificate chain from MyProxy server
log.info("Getting X.509 certificate from %s for %s" % (server, username))
myproxy_client = MyProxyClient(hostname=server)
cred_chain_pem_tuple = None
try:
cred_chain_pem_tuple = myproxy_client.logon(username, password, lifetime=7*24*3600)
except Exception as e:
request.response.status = 400
return {'status': 'Error', 'message': '%s' % e}
cred_chain_pem = ''
for e in cred_chain_pem_tuple:
cred_chain_pem += e
cert_pem = cred_chain_pem_tuple[0]
# Get 'Not After' date
cert = crypto.load_certificate(crypto.FILETYPE_PEM, cert_pem)
not_after_asn1 = cert.get_notAfter()
not_after = not_after_asn1.decode()
dt = datetime.strptime(not_after, '%Y%m%d%H%M%SZ')
# Check the publisher role in X509v3 extension 1.2.3.4.4.3.2.1.7.8
if not authentication.is_publisher(openid, cert):
request.response.status = 400
return {'status': 'Error', 'message': 'The user does not have the publisher role'}
# Store the X.509 certificate chain in a tmp file, so it can be used later by esgcet
cred_file = open('/tmp/x509in_%s_%s' % (server, username), 'w')
cred_file.write(cred_chain_pem)
cred_file.close()
# Add or update Publisher object in the database
publisher = DBSession.query(Publisher).filter(Publisher.openid==openid).first()
if publisher:
publisher.x509_pem = cred_chain_pem
publisher.expiration = dt
else:
publisher = Publisher(openid=openid, x509_pem=cred_chain_pem, expiration=dt)
DBSession.add(publisher)
# Save openid in auth_tk cookie
headers = remember(request, openid)
resp = Response()
resp.headers = headers
return resp
def renew_certificate (host,port,username,password):
sdlog.info("SDMYPROX-002","Renew certificate..")
# we need a mkdir here to prevent 'No such file or directory' myproxyclient error (see TAGFERE5435 for more info)
sd=sdconfig.get_security_dir()
if not os.path.isdir(sd):
os.makedirs(sd)
# currently, we set bootstrap option everytime
#
# TODO: change this to set only the first time (i.e. if .esg/certificates is empty)
#
bootstrap=True
# currently, we set trustroots option everytime
updateTrustRoots=True
authnGetTrustRootsCall=False
# TODO: maybe add option in 'synda certificate' to use specify another path for cadir (for debugging purpose)
#ROOT_TRUSTROOT_DIR = '/etc/grid-security/certificates'
#USER_TRUSTROOT_DIR = '~/.globus/certificates'
# set env.
os.environ['ESGF_CREDENTIAL']=sdconfig.esgf_x509_proxy
os.environ['ESGF_CERT_DIR']=sdconfig.esgf_x509_cert_dir
os.environ['X509_CERT_DIR']=sdconfig.esgf_x509_cert_dir
if 'X509_USER_PROXY' in os.environ:
del os.environ['X509_USER_PROXY']
#if 'GLOBUS_LOCATION' in os.environ:
# del os.environ['GLOBUS_LOCATION']
# main
myproxy_clnt = MyProxyClient(hostname=host,
port=port,
caCertDir=sdconfig.esgf_x509_cert_dir,
proxyCertLifetime=43200) # 12 hours
# credname=credname
creds=myproxy_clnt.logon(username, password,
bootstrap=bootstrap,
updateTrustRoots=updateTrustRoots,
authnGetTrustRootsCall=authnGetTrustRootsCall)
# store cert on disk
fout = open(sdconfig.esgf_x509_proxy, 'w')
for cred in creds:
fout.write(cred)
fout.close()
def renew_certificate(host, port, username, password):
sdlog.info("SDMYPROX-002", "Renew certificate..")
# we need a mkdir here to prevent 'No such file or directory' myproxyclient error (see TAGFERE5435 for more info)
sd = sdconfig.get_security_dir()
if not os.path.isdir(sd):
os.makedirs(sd)
# currently, we set bootstrap option everytime
#
# TODO: change this to set only the first time (i.e. if .esg/certificates is empty)
#
bootstrap = True
# currently, we set trustroots option everytime
updateTrustRoots = True
authnGetTrustRootsCall = False
# TODO: maybe add option in 'synda certificate' to use specify another path for cadir (for debugging purpose)
#ROOT_TRUSTROOT_DIR = '/etc/grid-security/certificates'
#USER_TRUSTROOT_DIR = '~/.globus/certificates'
# set env.
os.environ['ESGF_CREDENTIAL'] = sdconfig.esgf_x509_proxy
os.environ['ESGF_CERT_DIR'] = sdconfig.esgf_x509_cert_dir
os.environ['X509_CERT_DIR'] = sdconfig.esgf_x509_cert_dir
if 'X509_USER_PROXY' in os.environ:
del os.environ['X509_USER_PROXY']
#if 'GLOBUS_LOCATION' in os.environ:
# del os.environ['GLOBUS_LOCATION']
# main
myproxy_clnt = MyProxyClient(hostname=host,
port=port,
caCertDir=sdconfig.esgf_x509_cert_dir,
proxyCertLifetime=43200) # 12 hours
# credname=credname
creds = myproxy_clnt.logon(username,
password,
bootstrap=bootstrap,
updateTrustRoots=updateTrustRoots,
authnGetTrustRootsCall=authnGetTrustRootsCall)
# store cert on disk
fout = open(sdconfig.esgf_x509_proxy, 'w')
for cred in creds:
fout.write(cred)
fout.close()
def logon(config,
myproxy_username=None,
myproxy_password=None,
myproxy_hostname=None):
"""
Use MyProxyClient to generate a certificate for publication.
Generate appropriate directories if not exists
:param config config: Configuration instance, e.g. from getConfig()
:param str myproxy_username: Myproxy username
:param str myproxy_password: Myproxy password
:param str myproxy_hostname: Myproxy hostname
"""
from myproxy.client import MyProxyClient
myproxy_cert_location = config.get('DEFAULT', 'hessian_service_certfile')
# try to get the myproxy info from ini file if not specified
if not myproxy_hostname:
myproxy_hostname = get_myproxy_value_from_config(config, 'hostname')
if not myproxy_username:
myproxy_username = get_myproxy_value_from_config(config, 'username')
if not myproxy_password:
myproxy_password = get_myproxy_value_from_config(config, 'password')
myproxy_dir = os.path.dirname(myproxy_cert_location)
myproxy_certs_dir = os.path.join(myproxy_dir, 'certificates')
if not os.path.isdir(myproxy_dir):
os.mkdir(myproxy_dir)
if not os.path.isdir(myproxy_certs_dir):
os.mkdir(myproxy_certs_dir)
if myproxy_hostname is None:
print '\nEnter myproxy hostname:',
myproxy_hostname = raw_input()
if myproxy_username is None:
print 'Enter myproxy username:'******'Enter password for %s: ' %
myproxy_username)
myproxy = MyProxyClient(hostname=myproxy_hostname,
caCertDir=myproxy_certs_dir)
credentials = myproxy.logon(myproxy_username,
myproxy_password,
bootstrap=True,
lifetime=259200)
myproxy.writeProxyFile(credentials[0],
credentials[1],
credentials[2],
filePath=myproxy_cert_location)
def login_mpc(request):
try:
common.authentication_required(request)
form = forms.MPCForm(request.POST)
data = common.validate_form(form, ('username', 'password'))
logger.info('Authenticating MyProxyClient for {}'.format(
data['username']))
services = openid.services(request.user.auth.openid_url, (URN_MPC, ))
g = re.match('socket://(.*):(.*)', services[0].server_url)
if g is None or len(g.groups()) != 2:
raise MPCEndpointParseError()
host, port = g.groups()
from OpenSSL import SSL
MyProxyClient.SSL_METHOD = SSL.TLSv1_2_METHOD
try:
m = MyProxyClient(hostname=host, caCertDir=settings.WPS_CA_PATH)
c = m.logon(data['username'], data['password'], bootstrap=True)
except Exception as e:
raise common.AuthenticationError(user=data['username'])
logger.info(
'Authenticated with MyProxyClient backend for user {}'.format(
data['username']))
request.user.auth.update('myproxyclient', c)
except WPSError as e:
logger.exception('Error authenticating MyProxyClient')
return common.failed(str(e))
else:
metrics.track_login(metrics.WPS_MPC_LOGIN_SUCCESS,
request.user.auth.openid_url)
return common.success({
'type': request.user.auth.type,
'api_key': request.user.auth.api_key
})
finally:
if not request.user.is_anonymous:
metrics.track_login(metrics.WPS_MPC_LOGIN,
request.user.auth.openid_url)
class MyProxyController(object):
def __init__(self, port, hostname, serverDN, proxyCertMaxLifetime=None, proxyCertLifetime=None):
self._client = MyProxyClient()
self._client.port = port
self._client.hostname = hostname
self._client.serverDN = serverDN
if proxyCertMaxLifetime:
self._client.proxyCertMaxLifetime = proxyCertMaxLifetime
if proxyCertLifetime:
self._client.proxyCertLifetime = proxyCertLifetime
def login(self, username, password, certPath, vdtLocation=None):
proxyFileName = self.formProxyFileName(username, certPath)
if not username or len(username) == 0:
raise ValueError("invalid username")
if not password or len(password) == 0:
raise ValueError("invalid username")
else:
logger.info("myproxy logon with username: %s", username)
if vdtLocation:
context = {
"username": username,
"serverDN": self._client.serverDN,
"hostname": self._client.hostname,
"password": password,
"proxyFileName": proxyFileName,
"certPath": certPath,
"vdtLocation": vdtLocation,
}
command = """
. ${vdtLocation}/setup.sh && \
echo ${password} | \
MYPROXY_SERVER_DN='${serverDN}' \
myproxy-get-delegation \
--pshost ${hostname} \
--username ${username} \
--stdin_pass \
--out ${proxyFileName} >> ${certPath}/../logs/myproxy.log 2>&1 """
os.system(Template(command).substitute(context))
else:
proxy = self._client.logon(username=username, passphrase=password)
logger.info(
"writing proxy certificate retrieved from myproxy for user [%s] at [%s]", username, certPath
)
if not os.path.exists(certPath):
os.makedirs(certPath)
GraysonUtil.writeFile(outputPath=proxyFileName, data=proxy[0])
def formProxyFileName(self, username, certPath):
return os.path.join(certPath, "x509_proxy_%s" % username)
def logon(self,
username=None,
password=None,
hostname=None,
bootstrap=False,
update_trustroots=True,
interactive=True):
"""
Obtain ESGF credentials from the specified MyProxy service.
If ``interactive == True`` then any missing parameters of ``password``,
``username`` or ``hostname`` will be prompted for at the terminal.
:param interactive: Whether to ask for input at the terminal for
any missing information. I.e. username, password or hostname.
:param bootstrap: Whether to bootstrap the trustroots for this
MyProxy service.
:param update_trustroots: Whether to update the trustroots for this
MyProxy service.
"""
if interactive:
if hostname is None:
print 'Enter myproxy hostname:',
hostname = raw_input()
if username is None:
print 'Enter myproxy username:'******'Enter password for %s: ' % username)
if None in (hostname, username, password):
raise OpenidResolutionError('Full logon details not available')
c = MyProxyClient(hostname=hostname, caCertDir=self.esgf_certs_dir)
creds = c.logon(username,
password,
bootstrap=bootstrap,
updateTrustRoots=update_trustroots)
with open(self.esgf_credentials, 'w') as fh:
for cred in creds:
fh.write(cred)
def logon(config, myproxy_username=None, myproxy_password=None, myproxy_hostname=None):
"""
Use MyProxyClient to generate a certificate for publication.
Generate appropriate directories if not exists
:param config config: Configuration instance, e.g. from getConfig()
:param str myproxy_username: Myproxy username
:param str myproxy_password: Myproxy password
:param str myproxy_hostname: Myproxy hostname
"""
from myproxy.client import MyProxyClient
myproxy_cert_location = config.get('DEFAULT', 'hessian_service_certfile')
# try to get the myproxy info from ini file if not specified
if not myproxy_hostname:
myproxy_hostname = get_myproxy_value_from_config(config, 'hostname')
if not myproxy_username:
myproxy_username = get_myproxy_value_from_config(config, 'username')
if not myproxy_password:
myproxy_password = get_myproxy_value_from_config(config, 'password')
myproxy_dir = os.path.dirname(myproxy_cert_location)
myproxy_certs_dir = os.path.join(myproxy_dir, 'certificates')
if not os.path.isdir(myproxy_dir):
os.mkdir(myproxy_dir)
if not os.path.isdir(myproxy_certs_dir):
os.mkdir(myproxy_certs_dir)
if myproxy_hostname is None:
print '\nEnter myproxy hostname:',
myproxy_hostname = raw_input()
if myproxy_username is None:
print 'Enter myproxy username:'******'Enter password for %s: ' % myproxy_username)
myproxy = MyProxyClient(hostname=myproxy_hostname, caCertDir=myproxy_certs_dir)
credentials = myproxy.logon(myproxy_username, myproxy_password, bootstrap=True, lifetime=259200)
myproxy.writeProxyFile(credentials[0], credentials[1], credentials[2], filePath=myproxy_cert_location)
def logon(self, username=None, password=None, hostname=None,
bootstrap=False, update_trustroots=True,
interactive=True):
"""
Obtain ESGF credentials from the specified MyProxy service.
If ``interactive == True`` then any missing parameters of ``password``,
``username`` or ``hostname`` will be prompted for at the terminal.
:param interactive: Whether to ask for input at the terminal for
any missing information. I.e. username, password or hostname.
:param bootstrap: Whether to bootstrap the trustroots for this
MyProxy service.
:param update_trustroots: Whether to update the trustroots for this
MyProxy service.
"""
if interactive:
if hostname is None:
print('Enter myproxy hostname:'),
hostname = input()
if username is None:
print('Enter myproxy username:'******'Enter password for %s: ' % username)
if None in (hostname, username, password):
raise OpenidResolutionError('Full logon details not available')
c = MyProxyClient(hostname=hostname, caCertDir=self.esgf_certs_dir)
creds = c.logon(username, password,
bootstrap=bootstrap,
updateTrustRoots=update_trustroots)
with open(self.esgf_credentials, 'wb') as fh:
for cred in creds:
fh.write(cred)
class MyProxyUtils(object):
def __init__(self):
self.config = config.read_config()
self.cacertdir = os.path.expanduser("~/.esg/certificates")
self.credsfile = os.path.expanduser("~/.esg/credentials.pem")
self.myproxy = MyProxyClient(hostname=self.config['nodes']['idp_node'])
self.myproxy._setCACertDir(self.cacertdir)
def get_trustroots(self):
# Get trust roots
self.trustRoots = self.myproxy.getTrustRoots(self.config['account']['username'],
self.config['account']['password'],
writeToCACertDir=True,
bootstrap=True)
def get_credentials(self):
# Get credentials (and trustroots)
self.credentials = self.myproxy.logon(self.config['account']['username'],
self.config['account']['password'])
# Write Credentials
with open(self.credsfile, 'w') as f:
f.write(self.credentials[0]+self.credentials[1])
os.chmod(self.credsfile, self.myproxy.PROXY_FILE_PERMISSIONS)
def delete_credentials(self):
# Delete credentials file
if os.path.exists(self.credsfile):
os.remove(self.credsfile)
def delete_trustroots(self):
# Delete trustroots and cacert directory
if os.path.exists(self.cacertdir):
shutil.rmtree(self.cacertdir)
class MyProxyProvisionedSessionMiddleware(SSLCtxSessionMiddleware):
"""Provisions a session object with PKI credentials from a MyProxy server.
Call MyProxy logon to populate a session based SSL context object with
client PKI credentials to make SSL calls to other services.
@cvar DEFAULT_CERT_EXPIRY_OFFSET: default time offset prior to certificate
expiry used to trigger certificate renewal. e.g. if the offset is 1 day
and the certificate will expiry within one day then certificate renewal
is invoked with a fresh MyProxy logon call.
@type DEFAULT_CERT_EXPIRY_OFFSET: timedelta
"""
__slots__ = (
'__myProxyClient',
'__certExpiryOffset',
'__myProxyClientSSLCertFile',
'__myProxyClientSSLKeyFile',
'__myProxyClientSSLKeyFilePassphrase'
)
PARAM_NAMES = tuple([i[2:] for i in __slots__])
del i
DEFAULT_ENVIRON_SESSION_KEYNAME = "ndg.security.session"
DEFAULT_PARAM_PREFIX = 'myproxy_provision_session.'
MYPROXY_CLIENT_PARAM_PREFIX = 'myproxy_client.'
DEFAULT_CERT_EXPIRY_OFFSET = timedelta(days=1)
def __init__(self, app):
super(MyProxyProvisionedSessionMiddleware, self).__init__(app)
self.__myProxyClient = MyProxyClient()
self.__certExpiryOffset = self.__class__.DEFAULT_CERT_EXPIRY_OFFSET
self.__myProxyClientSSLCertFile = None
self.__myProxyClientSSLKeyFile = None
self.__myProxyClientSSLKeyFilePassphrase = None
@property
def myProxyClient(self):
'''MyProxy client used to make calls to MyProxy server to retrieve
credentials for user
'''
return self.__myProxyClient
@myProxyClient.setter
def myProxyClient(self, val):
'''MyProxy client used to make calls to MyProxy server to retrieve
credentials for user
'''
if not isinstance(val, MyProxyClient):
raise TypeError('Expecting %r type for "myProxyClient", got %r' %
(MyProxyClient, type(val)))
self.__myProxyClient = val
@property
def certExpiryOffset(self):
'''Certificate expiry offset measured in seconds before current time
'''
return self.__certExpiryOffset
@certExpiryOffset.setter
def certExpiryOffset(self, val):
'''Certificate expiry offset measured in seconds before current time
'''
if isinstance(val, basestring):
self.__certExpiryOffset = timedelta(seconds=float(val))
elif isinstance(val, (float, int, long)):
self.__certExpiryOffset = timedelta(seconds=val)
elif isinstance(val, timedelta):
self.__certExpiryOffset = val
else:
raise TypeError('Expecting string, int, long, float or timedelta '
'type for "certExpiryOffset", got %r' % type(val))
@property
def myProxyClientSSLCertFile(self):
return self.__myProxyClientSSLCertFile
@myProxyClientSSLCertFile.setter
def myProxyClientSSLCertFile(self, val):
if not isinstance(val, basestring):
raise TypeError('Expecting string type for '
'"myProxyClientSSLCertFile"; got %r' % type(val))
if not os.access(val, os.R_OK):
raise IOError('Error accessing "myProxyClientSSLCertFile" file %r' %
val)
self.__myProxyClientSSLCertFile = val
@property
def myProxyClientSSLKeyFile(self):
return self.__myProxyClientSSLKeyFile
@myProxyClientSSLKeyFile.setter
def myProxyClientSSLKeyFile(self, val):
if not isinstance(val, basestring):
raise TypeError('Expecting string type for '
'myProxyClientSSLKeyFile"; got %r' % type(val))
if not os.access(val, os.R_OK):
raise IOError('Error accessing "myProxyClientSSLKeyFile" file %r' %
val)
self.__myProxyClientSSLKeyFile = val
@property
def myProxyClientSSLKeyFilePassphrase(self):
return self.__myProxyClientSSLKeyFilePassphrase
@myProxyClientSSLKeyFilePassphrase.setter
def myProxyClientSSLKeyFilePassphrase(self, val):
if not isinstance(val, basestring):
raise TypeError('Expecting string type for '
'myProxyClientSSLKeyFilePassphrase"; got %r' %
type(val))
self.__myProxyClientSSLKeyFilePassphrase = val
def initialise(self, app_conf,
prefix=DEFAULT_PARAM_PREFIX,
myProxyClientPrefix=MYPROXY_CLIENT_PARAM_PREFIX,
**local_conf):
"""Parse dictionary of configuration items updating the relevant
attributes of this instance
@type prefix: basestring
@param prefix: prefix for configuration items
@type myProxyClientPrefix: basestring
@param myProxyClientPrefix: explicit prefix for MyProxyClient class
specific configuration items
@type app_conf: dict
@param app_conf: PasteDeploy application specific configuration
dictionary
"""
super(MyProxyProvisionedSessionMiddleware, self).initialise(app_conf,
prefix=prefix,
**local_conf)
# Sanity check
if not isinstance(prefix, basestring):
prefix = ''
# Get MyProxyClient initialisation parameters
myProxyClientFullPrefix = prefix + myProxyClientPrefix
myProxyClientKw = dict([(k.replace(myProxyClientFullPrefix, ''), v)
for k,v in app_conf.items()
if k.startswith(myProxyClientFullPrefix)])
self.myProxyClient = MyProxyClient(**myProxyClientKw)
for k in local_conf:
paramName = k.replace(prefix, '', 1)
if paramName in self.__class__.PARAM_NAMES:
setattr(self, paramName, local_conf[k])
@classmethod
def filter_app_factory(cls, app, app_conf, **kw):
"""Configure filter and associated SSL Context session middleware
"""
_app = cls(app)
_app.initialise(app_conf, **kw)
# Set SSL Context middleware upstream from this app
_app = SSLCtxSessionMiddleware.filter_app_factory(_app, app_conf, **kw)
return _app
@wsgify
def __call__(self, request):
'''
@param request: WSGI request object
@type request: WebOb.Request
@return: WSGI response
@rtype: iterable
'''
resp = super(MyProxyProvisionedSessionMiddleware, self).__call__(
request)
session = self.getSession(request)
# if not certificate has been set or if it is present but expired,
# renew
if (not self.__class__._is_cert_set(session) or
self._is_cert_expired(session)):
self._refresh_credentials(request)
return resp
def _getMyProxyLogonCallCreds(self, request):
"""Get credentials for MyProxy logon. Override to give custom behaviour
@param request: WSGI request object
@type request: WebOb.Request
@rtype: tuple
@return: two element tuple containing username and password to use with
logon call to MyProxy. None is set by default for the case where the
client authenticates over SSL with a client certificate.
"""
return (request.environ.get('REMOTE_USER'), None)
def _refresh_credentials(self, request):
"""Refresh credentials by making a MyProxy server logon request"""
username, password = self._getMyProxyLogonCallCreds(request)
try:
credentials = self.__myProxyClient.logon(username, password,
sslCertFile=self.myProxyClientSSLCertFile,
sslKeyFile=self.myProxyClientSSLKeyFile)
except MyProxyClientError, e:
raise httpexceptions.HTTPUnauthorized(str(e))
except socket.error, e:
raise MyProxyRetrievalSocketError("Socket error with MyProxy "
"server %r: %s" %
(self.__myProxyClient.hostname,e))
myproxyserver = None
myproxyuser = None
myproxypass = None
with open(auth_file) as fa:
lines = fa.readlines()
for line in lines:
if len(line) > 0 and not line.startswith("#"):
line = line.strip()
if line.find("myproxyserver = ") != -1:
proxy_found = True
tokens = line.split(";")
for token in tokens:
key_value = token.split(" = ")
value = key_value[1].strip().replace("\\n","\n")
key = key_value[0].strip()
if key == "myproxyserver":
myproxyserver = value
elif key == "myproxyuser":
myproxyuser = value
elif key == "myproxypass":
myproxypass = value
if myproxyserver and myproxyuser and myproxypass:
from myproxy.client import MyProxyClient
myproxy = MyProxyClient(hostname=myproxyserver, caCertDir=cadir)
credentials = myproxy.logon(myproxyuser, myproxypass)
with open(proxy_file, "w") as fp:
for cred in credentials:
fp.write(cred)
def get_user_proxy(self, myproxy_server, userDN, force_remote=False):
"""Retrieve user proxy for the correct activity from myproxy and save it in memcache
:param myproxy_server: myproxy server hostname
:type myproxy_server: str
:param userDN: user DN
:type userDN: str
:param force_remote: force retrieving from myproxy, defaults to False
:param force_remote: bool, optional
:return: user proxy
:rtype: tuple
"""
cert = self.hostcert
ckey = self.hostkey
# Generate myproxy key
key = sha1(userDN + "_" + self.cmsweb_endpoint).hexdigest()
result_cache = REGION_SHORT.get(key)
validity_h = 2
if isinstance(result_cache, NoValue) or force_remote:
logging.info("Refresh user certificates for %s", userDN)
else:
logging.info(
"User certificates from memcache. Checking validity...")
try:
certfile = tempfile.NamedTemporaryFile(delete=True)
for crt in result_cache:
certfile.write(crt)
command = 'grid-proxy-info -f %s -e -h %s' % (certfile.name,
validity_h)
logging.debug('grid-proxy-info -f %s -e -h %s', certfile.name,
validity_h)
subprocess.check_call(command, shell=True)
certfile.close()
except subprocess.CalledProcessError as ex:
certfile.close()
if ex.returncode == 1:
logging.warn("Credential timeleft < %sh", validity_h)
else:
logging.exception("Credential validity check failed")
else:
return result_cache
logging.info(
"myproxy_client = MyProxyClient(hostname='myproxy.cern.ch'")
logging.info(
"myproxy_client.logon('%s', None, sslCertFile='%s', sslKeyFile='%s')",
key, cert, ckey)
# Retrieve proxy
myproxy_client = MyProxyClient(hostname=myproxy_server)
try:
cert = myproxy_client.logon(key,
None,
sslCertFile=cert,
sslKeyFile=ckey)
except MyProxyClientGetError:
logging.error("MyProxy client exception during GET proxy")
raise
except MyProxyClientRetrieveError:
logging.error("MyProxy client exception retrieving proxy")
raise
except gaierror:
logging.error("Invalid myproxy url")
raise
except TypeError:
logging.error("Invalid arguments provided for myproxy client")
raise
REGION_SHORT.set(key, cert)
return cert
myproxyserver = None
myproxyuser = None
myproxypass = None
with open(auth_file) as fa:
lines = fa.readlines()
for line in lines:
if len(line) > 0 and not line.startswith("#"):
line = line.strip()
if line.find("myproxyserver = ") != -1:
proxy_found = True
tokens = line.split(";")
for token in tokens:
key_value = token.split(" = ")
value = key_value[1].strip().replace("\\n", "\n")
key = key_value[0].strip()
if key == "myproxyserver":
myproxyserver = value
elif key == "myproxyuser":
myproxyuser = value
elif key == "myproxypass":
myproxypass = value
if myproxyserver and myproxyuser and myproxypass:
from myproxy.client import MyProxyClient
myproxy = MyProxyClient(hostname=myproxyserver, caCertDir=cadir)
credentials = myproxy.logon(myproxyuser, myproxypass)
with open(proxy_file, "w") as fp:
for cred in credentials:
fp.write(cred)
def renew_certificate_NG(force,quiet=True):
"""Renew ESGF certificate."""
from myproxy.client import MyProxyClient
myproxy_clnt = MyProxyClient(hostname="myproxy.somewhere.ac.uk")
cert, private_key = myproxy_clnt.logon(username, password, bootstrap=True)
class MyProxyProvisionedSessionMiddleware(SSLCtxSessionMiddleware):
"""Provisions a session object with PKI credentials from a MyProxy server.
Call MyProxy logon to populate a session based SSL context object with
client PKI credentials to make SSL calls to other services.
@cvar DEFAULT_CERT_EXPIRY_OFFSET: default time offset prior to certificate
expiry used to trigger certificate renewal. e.g. if the offset is 1 day
and the certificate will expiry within one day then certificate renewal
is invoked with a fresh MyProxy logon call.
@type DEFAULT_CERT_EXPIRY_OFFSET: timedelta
"""
__slots__ = (
'__myProxyClient',
'__certExpiryOffset',
'__myProxyClientSSLCertFile',
'__myProxyClientSSLKeyFile',
'__myProxyClientSSLKeyFilePassphrase'
)
PARAM_NAMES = tuple([i[2:] for i in __slots__])
del i
DEFAULT_ENVIRON_SESSION_KEYNAME = "ndg.security.session"
DEFAULT_PARAM_PREFIX = 'myproxy_provision_session.'
MYPROXY_CLIENT_PARAM_PREFIX = 'myproxy_client.'
DEFAULT_CERT_EXPIRY_OFFSET = timedelta(days=1)
def __init__(self, app):
super(MyProxyProvisionedSessionMiddleware, self).__init__(app)
self.__myProxyClient = MyProxyClient()
self.__certExpiryOffset = self.__class__.DEFAULT_CERT_EXPIRY_OFFSET
self.__myProxyClientSSLCertFile = None
self.__myProxyClientSSLKeyFile = None
self.__myProxyClientSSLKeyFilePassphrase = None
@property
def myProxyClient(self):
'''MyProxy client used to make calls to MyProxy server to retrieve
credentials for user
'''
return self.__myProxyClient
@myProxyClient.setter
def myProxyClient(self, val):
'''MyProxy client used to make calls to MyProxy server to retrieve
credentials for user
'''
if not isinstance(val, MyProxyClient):
raise TypeError('Expecting %r type for "myProxyClient", got %r' %
(MyProxyClient, type(val)))
self.__myProxyClient = val
@property
def certExpiryOffset(self):
'''Certificate expiry offset measured in seconds before current time
'''
return self.__certExpiryOffset
@certExpiryOffset.setter
def certExpiryOffset(self, val):
'''Certificate expiry offset measured in seconds before current time
'''
if isinstance(val, basestring):
self.__certExpiryOffset = timedelta(seconds=float(val))
elif isinstance(val, (float, int, long)):
self.__certExpiryOffset = timedelta(seconds=val)
elif isinstance(val, timedelta):
self.__certExpiryOffset = val
else:
raise TypeError('Expecting string, int, long, float or timedelta '
'type for "certExpiryOffset", got %r' % type(val))
@property
def myProxyClientSSLCertFile(self):
return self.__myProxyClientSSLCertFile
@myProxyClientSSLCertFile.setter
def myProxyClientSSLCertFile(self, val):
if not isinstance(val, basestring):
raise TypeError('Expecting string type for '
'"myProxyClientSSLCertFile"; got %r' % type(val))
if not os.access(val, os.R_OK):
raise IOError('Error accessing "myProxyClientSSLCertFile" file %r' %
val)
self.__myProxyClientSSLCertFile = val
@property
def myProxyClientSSLKeyFile(self):
return self.__myProxyClientSSLKeyFile
@myProxyClientSSLKeyFile.setter
def myProxyClientSSLKeyFile(self, val):
if not isinstance(val, basestring):
raise TypeError('Expecting string type for '
'myProxyClientSSLKeyFile"; got %r' % type(val))
if not os.access(val, os.R_OK):
raise IOError('Error accessing "myProxyClientSSLKeyFile" file %r' %
val)
self.__myProxyClientSSLKeyFile = val
@property
def myProxyClientSSLKeyFilePassphrase(self):
return self.__myProxyClientSSLKeyFilePassphrase
@myProxyClientSSLKeyFilePassphrase.setter
def myProxyClientSSLKeyFilePassphrase(self, val):
if not isinstance(val, basestring):
raise TypeError('Expecting string type for '
'myProxyClientSSLKeyFilePassphrase"; got %r' %
type(val))
self.__myProxyClientSSLKeyFilePassphrase = val
def initialise(self, app_conf,
prefix=DEFAULT_PARAM_PREFIX,
myProxyClientPrefix=MYPROXY_CLIENT_PARAM_PREFIX,
**local_conf):
"""Parse dictionary of configuration items updating the relevant
attributes of this instance
@type prefix: basestring
@param prefix: prefix for configuration items
@type myProxyClientPrefix: basestring
@param myProxyClientPrefix: explicit prefix for MyProxyClient class
specific configuration items
@type app_conf: dict
@param app_conf: PasteDeploy application specific configuration
dictionary
"""
super(MyProxyProvisionedSessionMiddleware, self).initialise(app_conf,
prefix=prefix,
**local_conf)
# Sanity check
if not isinstance(prefix, basestring):
prefix = ''
# Get MyProxyClient initialisation parameters
myProxyClientFullPrefix = prefix + myProxyClientPrefix
myProxyClientKw = dict([(k.replace(myProxyClientFullPrefix, ''), v)
for k,v in app_conf.items()
if k.startswith(myProxyClientFullPrefix)])
self.myProxyClient = MyProxyClient(**myProxyClientKw)
for k in local_conf:
paramName = k.replace(prefix, '', 1)
if paramName in self.__class__.PARAM_NAMES:
setattr(self, paramName, local_conf[k])
@classmethod
def filter_app_factory(cls, app, app_conf, **kw):
"""Configure filter and associated SSL Context session middleware
"""
_app = cls(app)
_app.initialise(app_conf, **kw)
# Set SSL Context middleware upstream from this app
_app = SSLCtxSessionMiddleware.filter_app_factory(_app, app_conf, **kw)
return _app
@wsgify
def __call__(self, request):
'''
@param request: WSGI request object
@type request: WebOb.Request
@return: WSGI response
@rtype: iterable
'''
resp = super(MyProxyProvisionedSessionMiddleware, self).__call__(
request)
session = self.getSession(request)
# if not certificate has been set or if it is present but expired,
# renew
if (not self.__class__._is_cert_set(session) or
self._is_cert_expired(session)):
self._refresh_credentials(request)
return resp
def _getMyProxyLogonCallCreds(self, request):
"""Get credentials for MyProxy logon. Override to give custom behaviour
@param request: WSGI request object
@type request: WebOb.Request
@rtype: tuple
@return: two element tuple containing username and password to use with
logon call to MyProxy. None is set by default for the case where the
client authenticates over SSL with a client certificate.
"""
return (request.environ.get('REMOTE_USER'), None)
def _refresh_credentials(self, request):
"""Refresh credentials by making a MyProxy server logon request"""
username, password = self._getMyProxyLogonCallCreds(request)
try:
credentials = self.__myProxyClient.logon(username, password,
sslCertFile=self.myProxyClientSSLCertFile,
sslKeyFile=self.myProxyClientSSLKeyFile)
except MyProxyClientError, e:
raise httpexceptions.HTTPUnauthorized(str(e))
except socket.error, e:
raise MyProxyRetrievalSocketError("Socket error with MyProxy "
"server %r: %s" %
(self.__myProxyClient.hostname,e))
