Пример #1
0
def token(
    oidc_client_id,
    oidc_client_secret,
    oidc_refresh_token,
    oidc_access_token,
    oidc_url,
    oidc_agent_account,
    site,
    project_id,
):
    """
    Get scoped keystone token from site and project ID
    """
    access_token = get_access_token(
        oidc_access_token,
        oidc_refresh_token,
        oidc_client_id,
        oidc_client_secret,
        oidc_url,
        oidc_agent_account,
    )
    # Getting sites from GOCDB
    # assume first one is ok
    ep = find_endpoint("org.openstack.nova", site=site).pop()
    os_auth_url = ep[2]
    scoped_token, _ = get_scoped_token(os_auth_url, access_token, project_id)
    print('export OS_TOKEN="%s"' % scoped_token)
Пример #2
0
def env(
    oidc_client_id,
    oidc_client_secret,
    oidc_refresh_token,
    oidc_access_token,
    oidc_url,
    oidc_agent_account,
    site,
    project_id,
):
    """
    Generating OS environment variables for specific project/site
    """

    access_token = get_access_token(oidc_access_token, oidc_refresh_token,
                                    oidc_client_id, oidc_client_secret,
                                    oidc_url, oidc_agent_account)
    # Get the right endpoint from GOCDB
    # assume first one is ok
    ep = find_endpoint("org.openstack.nova", site=site).pop()
    os_auth_url = ep[2]
    scoped_token, protocol = get_scoped_token(os_auth_url, access_token,
                                              project_id)
    print("# environment for %s" % site)
    print('export OS_AUTH_URL="%s"' % os_auth_url)
    print('export OS_AUTH_TYPE="v3oidcaccesstoken"')
    print('export OS_IDENTITY_PROVIDER="egi.eu"')
    print('export OS_PROTOCOL="%s"' % protocol)
    print('export OS_ACCESS_TOKEN="%s"' % access_token)
    print('export OS_PROJECT_ID="%s"' % project_id)
Пример #3
0
def projects(
    oidc_client_id,
    oidc_client_secret,
    oidc_refresh_token,
    oidc_access_token,
    oidc_url,
    oidc_agent_account,
    site,
):
    """
    List of all project from specific site/sites
    """
    access_token = get_access_token(
        oidc_access_token,
        oidc_refresh_token,
        oidc_client_id,
        oidc_client_secret,
        oidc_url,
        oidc_agent_account,
    )
    if site == "ALL_SITES":
        site = None

    project_list = get_projects_from_sites(access_token, site)
    print(tabulate(project_list, headers=["id", "Name", "enabled", "site"]))
Пример #4
0
    def wrapper(*args, **kwargs):
        from fedcloudclient.checkin import get_access_token

        access_token = get_access_token(
            kwargs.pop("oidc_access_token"),
            kwargs.pop("oidc_refresh_token"),
            kwargs.pop("oidc_client_id"),
            kwargs.pop("oidc_client_secret"),
            kwargs.pop("oidc_url"),
            kwargs.pop("oidc_agent_account"),
        )
        kwargs["access_token"] = access_token
        return func(*args, **kwargs)
Пример #5
0
def ec3(
    oidc_client_id,
    oidc_client_secret,
    oidc_refresh_token,
    oidc_access_token,
    oidc_url,
    oidc_agent_account,
    site,
    project_id,
    auth_file,
    template_dir,
    force,
):
    if os.path.exists(auth_file) and not force:
        print(
            "Auth file already exists, not replacing unless --force option is included"
        )
        raise click.Abort()

    access_token = get_access_token(oidc_access_token, oidc_refresh_token,
                                    oidc_client_id, oidc_client_secret,
                                    oidc_url, oidc_agent_account)

    # Get the right endpoint from GOCDB
    # assume first one is ok
    ep = find_endpoint("org.openstack.nova", site=site).pop()
    os_auth_url = ep[2]
    site_auth = [
        "id = %s" % site, "type = OpenStack", "username = egi.eu",
        "tenant = openid", "auth_version = 3.x_oidc_access_token",
        "host = %s" % os_auth_url,
        "domain = %s" % project_id,
        "password = '******'" % access_token
    ]
    auth_file_contents = [";".join(site_auth)]
    if os.path.exists(auth_file):
        with open(auth_file, "r") as f:
            for line in f.readlines():
                if 'OpenStack' in line:
                    continue
                auth_file_contents.append(line)
    with open(auth_file, "w+") as f:
        f.write("\n".join(auth_file_contents))
    if not os.path.exists(template_dir):
        os.mkdir(template_dir)
    with open(os.path.join(template_dir, "refresh.radl"), "w+") as f:
        v = dict(client_id=oidc_client_id,
                 client_secret=oidc_client_secret,
                 refresh_token=oidc_refresh_token)
        f.write(EC3_REFRESHTOKEN_TEMPLATE % v)
Пример #6
0
def openstack_int(
    oidc_client_id,
    oidc_client_secret,
    oidc_refresh_token,
    oidc_access_token,
    oidc_url,
    oidc_agent_account,
    openstack_auth_protocol,
    openstack_auth_type,
    openstack_auth_provider,
    site,
    vo,
):
    """
    Interactive OpenStack client on site and VO
    """

    if not check_openstack_client_installation():
        print('Error: OpenStack command-line client "openstack" not found')
        exit(1)

    access_token = get_access_token(
        oidc_access_token,
        oidc_refresh_token,
        oidc_client_id,
        oidc_client_secret,
        oidc_url,
        oidc_agent_account,
    )

    endpoint, project_id, protocol = find_endpoint_and_project_id(site, vo)
    if endpoint is None:
        raise SystemExit("Error: VO %s not found on site %s" % (vo, site))

    if protocol is None:
        protocol = openstack_auth_protocol
    my_env = os.environ.copy()
    my_env["OS_AUTH_URL"] = endpoint
    my_env["OS_AUTH_TYPE"] = openstack_auth_type
    my_env["OS_PROTOCOL"] = protocol
    my_env["OS_IDENTITY_PROVIDER"] = openstack_auth_provider
    my_env["OS_ACCESS_TOKEN"] = access_token
    my_env["OS_PROJECT_ID"] = project_id

    # Calling OpenStack client as subprocess
    # Ignore bandit warning
    subprocess.run(__OPENSTACK_CLIENT, env=my_env)  # nosec
Пример #7
0
def refresh(
    oidc_client_id,
    oidc_client_secret,
    oidc_refresh_token,
    oidc_access_token,
    oidc_url,
    oidc_agent_account,
    auth_file,
):
    # Get the right endpoint from GOCDB
    auth_file_contents = []
    with open(auth_file, "r") as f:
        for raw_line in f.readlines():
            line = raw_line.strip()
            if "OpenStack" in line:
                auth_tokens = []
                for token in line.split(";"):
                    if token.strip().startswith("password"):
                        access_token = token.split("=")[1].strip()
                        if access_token[0] in ["'", '"']:
                            access_token = access_token[1:-1]
                        # FIXME(enolfc): add verification
                        payload = jwt.decode(
                            access_token, options={"verify_signature": False})
                        now = int(time.time())
                        expires = int(payload["exp"])
                        if expires - now < 300:
                            access_token = get_access_token(
                                oidc_access_token,
                                oidc_refresh_token,
                                oidc_client_id,
                                oidc_client_secret,
                                oidc_url,
                                oidc_agent_account,
                            )
                        auth_tokens.append("password = %s" % access_token)
                    else:
                        auth_tokens.append(token.strip())
                auth_file_contents.append("; ".join(auth_tokens))
            elif line:
                auth_file_contents.append(line)
    with open(auth_file, "w+") as f:
        f.write("\n".join(auth_file_contents))
Пример #8
0
def openstack(
    oidc_client_id,
    oidc_client_secret,
    oidc_refresh_token,
    oidc_access_token,
    oidc_url,
    oidc_agent_account,
    openstack_auth_protocol,
    openstack_auth_type,
    openstack_auth_provider,
    site,
    vo,
    ignore_missing_vo,
    json_output,
    openstack_command,
):
    """
    Executing OpenStack commands on site and VO
    """

    if not check_openstack_client_installation():
        print('Error: OpenStack command-line client "openstack" not found')
        exit(1)

    access_token = get_access_token(
        oidc_access_token,
        oidc_refresh_token,
        oidc_client_id,
        oidc_client_secret,
        oidc_url,
        oidc_agent_account,
    )

    if site == "ALL_SITES":
        sites = list_sites()
    else:
        sites = [site]

    # Multi-thread execution of OpenStack commands
    with concurrent.futures.ThreadPoolExecutor(
            max_workers=__MAX_WORKER_THREAD) as executor:
        # Start OpenStack operation with each site
        results = {
            executor.submit(
                fedcloud_openstack_full,
                access_token,
                openstack_auth_protocol,
                openstack_auth_type,
                openstack_auth_provider,
                site,
                vo,
                openstack_command,
                json_output,
            ): site
            for site in sites
        }

        # Get results and print them
        first = True

        # Get the result, first come first serve
        for future in concurrent.futures.as_completed(results):
            site = results[future]
            exc_msg = None
            try:
                error_code, result = future.result()
            except Exception as exc:
                exc_msg = exc

            # Print result
            print_result(
                site,
                vo,
                openstack_command,
                exc_msg,
                error_code,
                result,
                json_output,
                ignore_missing_vo,
                first,
            )
            first = False

        # Print list enclosing ']' for JSON
        if json_output:
            print("]")
Пример #9
0
def init(
    oidc_client_id,
    oidc_client_secret,
    oidc_refresh_token,
    oidc_access_token,
    oidc_url,
    oidc_agent_account,
    site,
    vo,
    auth_file,
    template_dir,
    force,
):
    if os.path.exists(auth_file) and not force:
        print(
            "Auth file already exists, not replacing unless --force option is included"
        )
        raise click.Abort()

    access_token = get_access_token(
        oidc_access_token,
        oidc_refresh_token,
        oidc_client_id,
        oidc_client_secret,
        oidc_url,
        oidc_agent_account,
    )

    if site == "ALL_SITES":
        print("ec3 command cannot be used with ALL_SITES")
        raise click.Abort()

    endpoint, project_id, protocol = find_endpoint_and_project_id(site, vo)
    site_auth = [
        "id = %s" % site,
        "type = OpenStack",
        "username = egi.eu",
        "tenant = %s" % protocol,
        "auth_version = 3.x_oidc_access_token",
        "host = %s" % endpoint,
        "domain = %s" % project_id,
        "password = '******'" % access_token,
    ]
    auth_file_contents = [";".join(site_auth)]
    if os.path.exists(auth_file):
        with open(auth_file, "r") as f:
            for line in f.readlines():
                if "OpenStack" in line:
                    continue
                auth_file_contents.append(line)
    with open(auth_file, "w+") as f:
        f.write("\n".join(auth_file_contents))
    if not os.path.exists(template_dir):
        os.mkdir(template_dir)
    # FIXME: this should not be used at all!
    with open(os.path.join(template_dir, "refresh.radl"), "w+") as f:
        v = dict(
            client_id=oidc_client_id,
            client_secret=oidc_client_secret,
            refresh_token=oidc_refresh_token,
        )
        f.write(EC3_REFRESHTOKEN_TEMPLATE % v)