def getVOMSProxy( self, userDN, userGroup, requiredLifeTime = False, requestedVOMSAttr = False ): """ Get proxy string from the Proxy Repository for use with userDN in the userGroup and VOMS attr """ retVal = self.__getVOMSAttribute( userGroup, requestedVOMSAttr ) if not retVal[ 'OK' ]: return retVal vomsAttr = retVal[ 'Value' ][ 'attribute' ] vomsVO = retVal[ 'Value' ][ 'VOMSVO' ] #Look in the cache retVal = self.__getPemAndTimeLeft( userDN, userGroup, vomsAttr ) if retVal[ 'OK' ]: pemData = retVal[ 'Value' ][0] vomsTime = retVal[ 'Value' ][1] chain = X509Chain() retVal = chain.loadProxyFromString( pemData ) if retVal[ 'OK' ]: retVal = chain.getRemainingSecs() if retVal[ 'OK' ]: remainingSecs = retVal[ 'Value' ] if requiredLifeTime and requiredLifeTime <= vomsTime and requiredLifeTime <= remainingSecs: return S_OK( ( chain, min( vomsTime, remainingSecs ) ) ) retVal = self.getProxy( userDN, userGroup, requiredLifeTime ) if not retVal[ 'OK' ]: return retVal chain, secsLeft = retVal[ 'Value' ] if requiredLifeTime and requiredLifeTime > secsLeft: return S_ERROR( "Stored proxy is not long lived enough" ) vomsMgr = VOMS() retVal = vomsMgr.getVOMSAttributes( chain ) if retVal[ 'OK' ]: attrs = retVal[ 'Value' ] if len( attrs ) > 0: if attrs[0] != vomsAttr: return S_ERROR( "Stored proxy has already a different VOMS attribute %s than requested %s" % ( vomsAttr, attrs[0] ) ) else: result = self.__storeVOMSProxy( userDN, userGroup, vomsAttr, chain ) if not result[ 'OK' ]: return result secsLeft = result[ 'Value' ] if requiredLifeTime and requiredLifeTime <= secsLeft: return S_OK( ( chain, secsLeft ) ) return S_ERROR( "Stored proxy has already a different VOMS attribute and is not long lived enough" ) retVal = vomsMgr.setVOMSAttributes( chain , vomsAttr, vo = vomsVO ) if not retVal[ 'OK' ]: return S_ERROR( "Cannot append voms extension: %s" % retVal[ 'Message' ] ) chain = retVal[ 'Value' ] result = self.__storeVOMSProxy( userDN, userGroup, vomsAttr, chain ) if not result[ 'OK' ]: return result secsLeft = result[ 'Value' ] return S_OK( ( chain, secsLeft ) )
def getVOMSAttributes(self, chain): """ Get the voms attributes for a chain :param X509Chain chain: proxy as a chain :return: S_OK(str)/S_ERROR() """ return VOMS().getVOMSAttributes(chain)
def __storeVOMSProxy(self, userDN, userGroup, vomsAttr, chain): retVal = self._getConnection() if not retVal['OK']: return retVal connObj = retVal['Value'] retVal1 = VOMS().getVOMSProxyInfo(chain, 'actimeleft') retVal2 = VOMS().getVOMSProxyInfo(chain, 'timeleft') if not retVal1['OK']: return retVal1 if not retVal2['OK']: return retVal2 try: vomsSecsLeft1 = int(retVal1['Value'].strip()) vomsSecsLeft2 = int(retVal2['Value'].strip()) vomsSecsLeft = min(vomsSecsLeft1, vomsSecsLeft2) except Exception, e: return S_ERROR("Can't parse VOMS time left: %s" % str(e))
def getProxyInfo(proxy=False, disableVOMS=False): """ :Returns: a dict with all the proxy info: * values that will be there always * 'chain' : chain object containing the proxy * 'subject' : subject of the proxy * 'issuer' : issuer of the proxy * 'isProxy' : bool * 'isLimitedProxy' : bool * 'validDN' : Valid DN in DIRAC * 'validGroup' : Valid Group in DIRAC * 'secondsLeft' : Seconds left * values that can be there * 'path' : path to the file, * 'group' : DIRAC group * 'groupProperties' : Properties that apply to the DIRAC Group * 'username' : DIRAC username * 'identity' : DN that generated the proxy * 'hostname' : DIRAC host nickname * 'VOMS' """ # Discover proxy location proxyLocation = False if isinstance(proxy, X509Chain): chain = proxy else: if not proxy: proxyLocation = Locations.getProxyLocation() elif isinstance(proxy, basestring): proxyLocation = proxy if not proxyLocation: return S_ERROR(DErrno.EPROXYFIND) chain = X509Chain() retVal = chain.loadProxyFromFile(proxyLocation) if not retVal['OK']: return S_ERROR(DErrno.EPROXYREAD, "%s: %s " % (proxyLocation, retVal['Message'])) retVal = chain.getCredentials() if not retVal['OK']: return retVal infoDict = retVal['Value'] infoDict['chain'] = chain if proxyLocation: infoDict['path'] = proxyLocation if not disableVOMS and chain.isVOMS()['Value']: infoDict['hasVOMS'] = True retVal = VOMS().getVOMSAttributes(chain) if retVal['OK']: infoDict['VOMS'] = retVal['Value'] else: infoDict['VOMSError'] = retVal['Message'].strip() return S_OK(infoDict)
def getProxyInfo(proxy=False, disableVOMS=False): """ Returns a dict with all the proxy info * values that will be there always 'chain' : chain object containing the proxy 'subject' : subject of the proxy 'issuer' : issuer of the proxy 'isProxy' : bool 'isLimitedProxy' : bool 'validDN' : Valid DN in DIRAC 'validGroup' : Valid Group in DIRAC 'secondsLeft' : Seconds left * values that can be there 'path' : path to the file, 'group' : DIRAC group 'groupProperties' : Properties that apply to the DIRAC Group 'username' : DIRAC username 'identity' : DN that generated the proxy 'hostname' : DIRAC host nickname 'VOMS' """ #Discover proxy location proxyLocation = False if type(proxy) == g_X509ChainType: chain = proxy else: if not proxy: proxyLocation = Locations.getProxyLocation() elif type(proxy) in (types.StringType, types.UnicodeType): proxyLocation = proxy if not proxyLocation: return S_ERROR("Can't find a valid proxy") chain = X509Chain() retVal = chain.loadProxyFromFile(proxyLocation) if not retVal['OK']: return S_ERROR("Can't load %s: %s " % (proxyLocation, retVal['Message'])) retVal = chain.getCredentials() if not retVal['OK']: return retVal infoDict = retVal['Value'] infoDict['chain'] = chain if proxyLocation: infoDict['path'] = proxyLocation if not disableVOMS and chain.isVOMS()['Value']: infoDict['hasVOMS'] = True retVal = VOMS().getVOMSAttributes(chain) if retVal['OK']: infoDict['VOMS'] = retVal['Value'] else: infoDict['VOMSError'] = retVal['Message'].strip() return S_OK(infoDict)
def __storeVOMSProxy(self, userDN, userGroup, vomsAttr, chain): retVal = self._getConnection() if not retVal['OK']: return retVal connObj = retVal['Value'] cmd = "DELETE FROM `ProxyDB_VOMSProxies` WHERE UserDN='%s' AND UserGroup='%s' AND VOMSAttr='%s'" % ( userDN, userGroup, vomsAttr) retVal = self._update(cmd, conn=connObj) if not retVal['OK']: return retVal retVal1 = VOMS().getVOMSProxyInfo(chain, 'actimeleft') retVal2 = VOMS().getVOMSProxyInfo(chain, 'timeleft') if not retVal1['OK']: return retVal1 if not retVal2['OK']: return retVal2 try: vomsSecsLeft1 = int(retVal1['Value'].strip()) vomsSecsLeft2 = int(retVal2['Value'].strip()) vomsSecsLeft = min(vomsSecsLeft1, vomsSecsLeft2) except Exception, e: return S_ERROR("Can't parse VOMS time left: %s" % str(e))
def __checkVOMSisAlignedWithGroup( self, userGroup, chain ): #HACK: We deny proxies with VOMS extensions result = chain.isVOMS() if result[ 'OK' ] and result[ 'Value' ]: return S_ERROR( "Proxies with VOMS extensions are not allowed to be uploaded" ) #END HACK voms = VOMS() if not voms.vomsInfoAvailable(): if self.__vomsRequired: return S_ERROR( "VOMS is required, but it's not available" ) self.log.warn( "voms-proxy-info is not available" ) return S_OK() retVal = voms.getVOMSAttributes( chain ) if not retVal[ 'OK' ]: return retVal attr = retVal[ 'Value' ] validVOMSAttr = Registry.getVOMSAttributeForGroup( userGroup ) if len( attr ) == 0 or attr[0] == validVOMSAttr: return S_OK( 'OK' ) msg = "VOMS attributes are not aligned with dirac group" msg += "Attributes are %s and allowed is %s for group %s" % ( attr, validVOMSAttr, userGroup ) return S_ERROR( msg )
def __storeVOMSProxy(self, userDN, userGroup, vomsAttr, chain): retVal = self._getConnection() if not retVal['OK']: return retVal connObj = retVal['Value'] retVal1 = VOMS().getVOMSProxyInfo(chain, 'actimeleft') retVal2 = VOMS().getVOMSProxyInfo(chain, 'timeleft') if not retVal1['OK']: return retVal1 if not retVal2['OK']: return retVal2 try: vomsSecsLeft1 = int(retVal1['Value'].strip()) vomsSecsLeft2 = int(retVal2['Value'].strip()) vomsSecsLeft = min(vomsSecsLeft1, vomsSecsLeft2) except Exception as e: return S_ERROR("Can't parse VOMS time left: %s" % str(e)) secsLeft = min(vomsSecsLeft, chain.getRemainingSecs()['Value']) pemData = chain.dumpAllToString()['Value'] result = Registry.getUsernameForDN(userDN) if not result['OK']: userName = "" else: userName = result['Value'] try: sUserName = self._escapeString(userName)['Value'] sUserDN = self._escapeString(userDN)['Value'] sUserGroup = self._escapeString(userGroup)['Value'] sVomsAttr = self._escapeString(vomsAttr)['Value'] sPemData = self._escapeString(pemData)['Value'] except KeyError: return S_ERROR("Could not escape some data") cmd = "REPLACE INTO `ProxyDB_VOMSProxies` ( UserName, UserDN, UserGroup, VOMSAttr, Pem, ExpirationTime ) VALUES " cmd += "( %s, %s, %s, %s, %s, TIMESTAMPADD( SECOND, %d, UTC_TIMESTAMP() ) )" % ( sUserName, sUserDN, sUserGroup, sVomsAttr, sPemData, secsLeft) result = self._update(cmd, conn=connObj) if not result['OK']: return result return S_OK(secsLeft)
def __checkVOMSisAlignedWithGroup(self, userGroup, chain): #HACK: We deny proxies with VOMS extensions result = chain.isVOMS() if result['OK'] and result['Value']: return S_ERROR( "Proxies with VOMS extensions are not allowed to be uploaded") #END HACK voms = VOMS() if not voms.vomsInfoAvailable(): if self.__vomsRequired: return S_ERROR("VOMS is required, but it's not available") self.log.warn("voms-proxy-info is not available") return S_OK() retVal = voms.getVOMSAttributes(chain) if not retVal['OK']: return retVal attr = retVal['Value'] validVOMSAttr = CS.getVOMSAttributeForGroup(userGroup) if len(attr) == 0 or attr[0] == validVOMSAttr: return S_OK('OK') msg = "VOMS attributes are not aligned with dirac group" msg += "Attributes are %s and allowed is %s for group %s" % ( attr, validVOMSAttr, userGroup) return S_ERROR(msg)
def hash(self): if not self.__loadedChain: return S_ERROR("No chain loaded") if self.__hash: return S_OK(self.__hash) sha1 = hashlib.sha1() for cert in self.__certList: sha1.update(cert.get_subject().one_line()) sha1.update(str(self.getRemainingSecs()['Value'] / 3600)) sha1.update(self.getDIRACGroup()['Value']) if self.isVOMS(): sha1.update("VOMS") from DIRAC.Core.Security.VOMS import VOMS result = VOMS().getVOMSAttributes(self) if result['OK']: sha1.update(str(result['Value'])) self.__hash = sha1.hexdigest() return S_OK(self.__hash)
def hash(self): """ Get a hash of the chain In practice, this is only used to index the chain in a DictCache :returns: S_OK(string hash) """ if self.__hash: return S_OK(self.__hash) sha1 = hashlib.sha1() for cert in self._certList: sha1.update(str(cert.getSubjectNameObject())) sha1.update(str(self.getRemainingSecs()['Value'] / 3600)) sha1.update(self.getDIRACGroup()['Value']) if self.isVOMS(): sha1.update("VOMS") from DIRAC.Core.Security.VOMS import VOMS result = VOMS().getVOMSAttributes(self) if result['OK']: sha1.update(str(result['Value'])) self.__hash = sha1.hexdigest() return S_OK(self.__hash)
def renewProxy(self, proxyToBeRenewed=None, minLifeTime=3600, newProxyLifeTime=43200, proxyToConnect=None): """ Renew a proxy using the ProxyManager :param X509Chain proxyToBeRenewed: proxy to renew :param int minLifeTime: if proxy life time is less than this, renew. Skip otherwise :param int newProxyLifeTime: life time of new proxy :param X509Chain proxyToConnect: proxy to use for connecting to the service :return: S_OK(X509Chain)/S_ERROR() """ retVal = multiProxyArgument(proxyToBeRenewed) if not retVal['Value']: return retVal proxyToRenewDict = retVal['Value'] secs = proxyToRenewDict['chain'].getRemainingSecs()['Value'] if secs > minLifeTime: deleteMultiProxy(proxyToRenewDict) return S_OK() if not proxyToConnect: proxyToConnectDict = {'chain': False, 'tempFile': False} else: retVal = multiProxyArgument(proxyToConnect) if not retVal['Value']: deleteMultiProxy(proxyToRenewDict) return retVal proxyToConnectDict = retVal['Value'] userDN = proxyToRenewDict['chain'].getIssuerCert()['Value'].getSubjectDN()['Value'] retVal = proxyToRenewDict['chain'].getDIRACGroup() if not retVal['OK']: deleteMultiProxy(proxyToRenewDict) deleteMultiProxy(proxyToConnectDict) return retVal userGroup = retVal['Value'] limited = proxyToRenewDict['chain'].isLimitedProxy()['Value'] voms = VOMS() retVal = voms.getVOMSAttributes(proxyToRenewDict['chain']) if not retVal['OK']: deleteMultiProxy(proxyToRenewDict) deleteMultiProxy(proxyToConnectDict) return retVal vomsAttrs = retVal['Value'] if vomsAttrs: retVal = self.downloadVOMSProxy(userDN, userGroup, limited=limited, requiredTimeLeft=newProxyLifeTime, requiredVOMSAttribute=vomsAttrs[0], proxyToConnect=proxyToConnectDict['chain']) else: retVal = self.downloadProxy(userDN, userGroup, limited=limited, requiredTimeLeft=newProxyLifeTime, proxyToConnect=proxyToConnectDict['chain']) deleteMultiProxy(proxyToRenewDict) deleteMultiProxy(proxyToConnectDict) if not retVal['OK']: return retVal chain = retVal['Value'] if not proxyToRenewDict['tempFile']: return chain.dumpAllToFile(proxyToRenewDict['file']) return S_OK(chain)
def getVOMSAttributes(self, chain): """ Get the voms attributes for a chain """ return VOMS().getVOMSAttributes(chain)
def _monitorProxy(self, payloadProxy=None): """Base class for the monitor and update of the payload proxy, to be used in derived classes for the basic renewal of the proxy, if further actions are necessary they should be implemented there :param str payloadProxy: location of the payload proxy file :returns: S_OK(filename)/S_ERROR """ if not payloadProxy: return S_ERROR("No payload proxy") # This will get the pilot proxy ret = getProxyInfo() if not ret["OK"]: pilotProxy = None else: pilotProxy = ret["Value"]["path"] self.log.notice("Pilot Proxy:", pilotProxy) retVal = getProxyInfo(payloadProxy) if not retVal["OK"]: self.log.error("Could not get payload proxy info", retVal) return retVal self.log.verbose("Payload Proxy information:\n%s" % formatProxyInfoAsString(retVal["Value"])) payloadProxyDict = retVal["Value"] payloadSecs = payloadProxyDict["chain"].getRemainingSecs()["Value"] if payloadSecs > self.minProxyTime: self.log.verbose("No need to renew payload Proxy") return S_OK() # if there is no pilot proxy, assume there is a certificate and try a renewal if not pilotProxy: self.log.info( "Using default credentials to get a new payload Proxy") return gProxyManager.renewProxy( proxyToBeRenewed=payloadProxy, minLifeTime=self.minProxyTime, newProxyLifeTime=self.defaultProxyTime, proxyToConnect=pilotProxy, ) # if there is pilot proxy retVal = getProxyInfo(pilotProxy) if not retVal["OK"]: return retVal pilotProxyDict = retVal["Value"] if "groupProperties" not in pilotProxyDict: self.log.error("Invalid Pilot Proxy", "Group has no properties defined") return S_ERROR("Proxy has no group properties defined") pilotProps = pilotProxyDict["groupProperties"] # if running with a pilot proxy, use it to renew the proxy of the payload if Properties.PILOT in pilotProps or Properties.GENERIC_PILOT in pilotProps: self.log.info("Using Pilot credentials to get a new payload Proxy") return gProxyManager.renewProxy( proxyToBeRenewed=payloadProxy, minLifeTime=self.minProxyTime, newProxyLifeTime=self.defaultProxyTime, proxyToConnect=pilotProxy, ) # if we are running with other type of proxy check if they are for the same user and group # and copy the pilot proxy if necessary self.log.info("Trying to copy pilot Proxy to get a new payload Proxy") pilotProxySecs = pilotProxyDict["chain"].getRemainingSecs()["Value"] if pilotProxySecs <= payloadSecs: errorStr = "Pilot Proxy is not longer than payload Proxy" self.log.error(errorStr) return S_ERROR("Can not renew by copy: %s" % errorStr) # check if both proxies belong to the same user and group pilotDN = pilotProxyDict["chain"].getIssuerCert( )["Value"].getSubjectDN()["Value"] retVal = pilotProxyDict["chain"].getDIRACGroup() if not retVal["OK"]: return retVal pilotGroup = retVal["Value"] payloadDN = payloadProxyDict["chain"].getIssuerCert( )["Value"].getSubjectDN()["Value"] retVal = payloadProxyDict["chain"].getDIRACGroup() if not retVal["OK"]: return retVal payloadGroup = retVal["Value"] if pilotDN != payloadDN or pilotGroup != payloadGroup: errorStr = "Pilot Proxy and payload Proxy do not have same DN and Group" self.log.error(errorStr) return S_ERROR("Can not renew by copy: %s" % errorStr) if pilotProxyDict.get("hasVOMS", False): return pilotProxyDict["chain"].dumpAllToFile(payloadProxy) attribute = Registry.getVOMSAttributeForGroup(payloadGroup) vo = Registry.getVOMSVOForGroup(payloadGroup) retVal = VOMS().setVOMSAttributes(pilotProxyDict["chain"], attribute=attribute, vo=vo) if not retVal["OK"]: return retVal chain = retVal["Value"] return chain.dumpAllToFile(payloadProxy)
def renewProxy( self, proxyToBeRenewed = False, minLifeTime = 3600, newProxyLifeTime = 43200, proxyToConnect = False ): """ Renew a proxy using the ProxyManager Arguments: proxyToBeRenewed : proxy to renew minLifeTime : if proxy life time is less than this, renew. Skip otherwise newProxyLifeTime : life time of new proxy proxyToConnect : proxy to use for connecting to the service """ retVal = multiProxyArgument( proxyToBeRenewed ) if not retVal[ 'Value' ]: return retVal proxyToRenewDict = retVal[ 'Value' ] secs = proxyToRenewDict[ 'chain' ].getRemainingSecs()[ 'Value' ] if secs > minLifeTime: deleteMultiProxy( proxyToRenewDict ) return S_OK() if not proxyToConnect: proxyToConnectDict = { 'chain': False, 'tempFile': False } else: retVal = multiProxyArgument( proxyToConnect ) if not retVal[ 'Value' ]: deleteMultiProxy( proxyToRenewDict ) return retVal proxyToConnectDict = retVal[ 'Value' ] userDN = proxyToRenewDict[ 'chain' ].getIssuerCert()[ 'Value' ].getSubjectDN()[ 'Value' ] retVal = proxyToRenewDict[ 'chain' ].getDIRACGroup() if not retVal[ 'OK' ]: deleteMultiProxy( proxyToRenewDict ) deleteMultiProxy( proxyToConnectDict ) return retVal userGroup = retVal[ 'Value' ] limited = proxyToRenewDict[ 'chain' ].isLimitedProxy()[ 'Value' ] voms = VOMS() retVal = voms.getVOMSAttributes( proxyToRenewDict[ 'chain' ] ) if not retVal[ 'OK' ]: deleteMultiProxy( proxyToRenewDict ) deleteMultiProxy( proxyToConnectDict ) return retVal vomsAttrs = retVal[ 'Value' ] if vomsAttrs: retVal = self.downloadVOMSProxy( userDN, userGroup, limited = limited, requiredTimeLeft = newProxyLifeTime, requiredVOMSAttribute = vomsAttrs[0], proxyToConnect = proxyToConnectDict[ 'chain' ] ) else: retVal = self.downloadProxy( userDN, userGroup, limited = limited, requiredTimeLeft = newProxyLifeTime, proxyToConnect = proxyToConnectDict[ 'chain' ] ) deleteMultiProxy( proxyToRenewDict ) deleteMultiProxy( proxyToConnectDict ) if not retVal[ 'OK' ]: return retVal chain = retVal['Value'] if not proxyToRenewDict[ 'tempFile' ]: return chain.dumpAllToFile( proxyToRenewDict[ 'file' ] ) return S_OK( chain )
if not success and cliParams.strict: sys.exit( 1 ) cliParams.setDIRACGroup( proxyInfo[ 'group' ] ) if myProxyFlag: uploadProxyToMyProxy( cliParams, False ) success = uploadProxyToDIRACProxyManager( cliParams ) if not success and cliParams.strict: sys.exit( 1 ) finalChain = proxyInfo[ 'chain' ] vomsMapping = CS.getVOMSAttributeForGroup( proxyInfo[ 'group' ] ) vo = CS.getVOMSVOForGroup( proxyInfo[ 'group' ] ) if vomsMapping: voms = VOMS() retVal = voms.setVOMSAttributes( finalChain, vomsMapping, vo ) if not retVal[ 'OK' ]: #print "Cannot add voms attribute %s to proxy %s: %s" % ( attr, proxyInfo[ 'path' ], retVal[ 'Message' ] ) msg = "Warning : Cannot add voms attribute %s to proxy\n" % ( vomsMapping ) msg += " Accessing data in the grid storage from the user interface will not be possible.\n" msg += " The grid jobs will not be affected." if cliParams.strict: gLogger.error( msg ) sys.exit( 1 ) gLogger.warn( msg ) else: finalChain = retVal[ 'Value' ] retVal = finalChain.dumpAllToFile( proxyInfo[ 'path' ] ) if not retVal[ 'OK' ]:
def getVOMSProxy(self, userDN, userGroup, requiredLifeTime=False, requestedVOMSAttr=False): """ Get proxy string from the Proxy Repository for use with userDN in the userGroup and VOMS attr """ retVal = self.__getVOMSAttribute(userGroup, requestedVOMSAttr) if not retVal['OK']: return retVal vomsAttr = retVal['Value']['attribute'] vomsVO = retVal['Value']['VOMSVO'] #Look in the cache retVal = self.__getPemAndTimeLeft(userDN, userGroup, vomsAttr) if retVal['OK']: pemData = retVal['Value'][0] vomsTime = retVal['Value'][1] chain = X509Chain() retVal = chain.loadProxyFromString(pemData) if retVal['OK']: retVal = chain.getRemainingSecs() if retVal['OK']: remainingSecs = retVal['Value'] if requiredLifeTime and requiredLifeTime <= vomsTime and requiredLifeTime <= remainingSecs: return S_OK((chain, min(vomsTime, remainingSecs))) retVal = self.getProxy(userDN, userGroup, requiredLifeTime) if not retVal['OK']: return retVal chain, secsLeft = retVal['Value'] if requiredLifeTime and requiredLifeTime > secsLeft: return S_ERROR("Stored proxy is not long lived enough") vomsMgr = VOMS() retVal = vomsMgr.getVOMSAttributes(chain) if retVal['OK']: attrs = retVal['Value'] if len(attrs) > 0: if attrs[0] != vomsAttr: return S_ERROR( "Stored proxy has already a different VOMS attribute %s than requested %s" % (vomsAttr, attrs[0])) else: result = self.__storeVOMSProxy(userDN, userGroup, vomsAttr, chain) if not result['OK']: return result secsLeft = result['Value'] if requiredLifeTime and requiredLifeTime <= secsLeft: return S_OK((chain, secsLeft)) return S_ERROR( "Stored proxy has already a different VOMS attribute and is not long lived enough" ) retVal = vomsMgr.setVOMSAttributes(chain, vomsAttr, vo=vomsVO) if not retVal['OK']: return S_ERROR("Cannot append voms extension: %s" % retVal['Message']) chain = retVal['Value'] result = self.__storeVOMSProxy(userDN, userGroup, vomsAttr, chain) if not result['OK']: return result secsLeft = result['Value'] return S_OK((chain, secsLeft))
# Create local proxy with group self.outputFile = self.outputFile or getDefaultProxyLocation() parameters = (self.outputFile, int(self.lifetime or 12) * 3600, self.group) # Add a VOMS extension if the group requires it if (result := chain.generateProxyToFile(*parameters))["OK"] and (result := self.__enableCS())["OK"]: if not self.group and (result := findDefaultGroupForDN(credentials["DN"]))["OK"]: self.group = result["Value"] # Use default group if user don't set it # based on the configuration we decide whether to add VOMS extensions if getGroupOption(self.group, "AutoAddVOMS", False): if not (vomsAttr := getVOMSAttributeForGroup(self.group)): print(HTML(f"<yellow>No VOMS attribute foud for {self.group}</yellow>")) else: vo = getVOMSVOForGroup(self.group) if not (result := VOMS().setVOMSAttributes(self.outputFile, attribute=vomsAttr, vo=vo))["OK"]: return S_ERROR(f"Failed adding VOMS attribute: {result['Message']}") chain = result["Value"] result = chain.generateProxyToFile(*parameters) if not result["OK"]: return S_ERROR(f"Couldn't generate proxy: {result['Message']}") if self.enableCS: # After creating the proxy, we can try to connect to the server if not (result := self.__enableCS())["OK"]: return result # Step 2: Upload proxy to DIRAC server result = gProxyManager.getUploadedProxyLifeTime(credentials["subject"]) if not result["OK"]: return result
def _monitorProxy(self, pilotProxy, payloadProxy): """Base class for the monitor and update of the payload proxy, to be used in derived classes for the basic renewal of the proxy, if further actions are necessary they should be implemented there """ retVal = getProxyInfo(payloadProxy) if not retVal['OK']: self.log.error('Could not get payload proxy info', retVal) return retVal self.log.verbose('Payload Proxy information:\n%s' % formatProxyInfoAsString(retVal['Value'])) payloadProxyDict = retVal['Value'] payloadSecs = payloadProxyDict['chain'].getRemainingSecs()['Value'] if payloadSecs > self.minProxyTime: self.log.verbose('No need to renew payload Proxy') return S_OK() # if there is no pilot proxy, assume there is a certificate and try a renewal if not pilotProxy: self.log.info( 'Using default credentials to get a new payload Proxy') return gProxyManager.renewProxy( proxyToBeRenewed=payloadProxy, minLifeTime=self.minProxyTime, newProxyLifeTime=self.defaultProxyTime, proxyToConnect=pilotProxy) # if there is pilot proxy retVal = getProxyInfo(pilotProxy) if not retVal['OK']: return retVal pilotProxyDict = retVal['Value'] if not 'groupProperties' in pilotProxyDict: self.log.error('Invalid Pilot Proxy', 'Group has no properties defined') return S_ERROR('Proxy has no group properties defined') pilotProps = pilotProxyDict['groupProperties'] # if running with a pilot proxy, use it to renew the proxy of the payload if Properties.PILOT in pilotProps or Properties.GENERIC_PILOT in pilotProps: self.log.info('Using Pilot credentials to get a new payload Proxy') return gProxyManager.renewProxy( proxyToBeRenewed=payloadProxy, minLifeTime=self.minProxyTime, newProxyLifeTime=self.defaultProxyTime, proxyToConnect=pilotProxy) # if we are running with other type of proxy check if they are for the same user and group # and copy the pilot proxy if necessary self.log.info('Trying to copy pilot Proxy to get a new payload Proxy') pilotProxySecs = pilotProxyDict['chain'].getRemainingSecs()['Value'] if pilotProxySecs <= payloadSecs: errorStr = 'Pilot Proxy is not longer than payload Proxy' self.log.error(errorStr) return S_ERROR('Can not renew by copy: %s' % errorStr) # check if both proxies belong to the same user and group pilotDN = pilotProxyDict['chain'].getIssuerCert( )['Value'].getSubjectDN()['Value'] retVal = pilotProxyDict['chain'].getDIRACGroup() if not retVal['OK']: return retVal pilotGroup = retVal['Value'] payloadDN = payloadProxyDict['chain'].getIssuerCert( )['Value'].getSubjectDN()['Value'] retVal = payloadProxyDict['chain'].getDIRACGroup() if not retVal['OK']: return retVal payloadGroup = retVal['Value'] if pilotDN != payloadDN or pilotGroup != payloadGroup: errorStr = 'Pilot Proxy and payload Proxy do not have same DN and Group' self.log.error(errorStr) return S_ERROR('Can not renew by copy: %s' % errorStr) if pilotProxyDict.get('hasVOMS', False): return pilotProxyDict['chain'].dumpAllToFile(payloadProxy) attribute = CS.getVOMSAttributeForGroup(payloadGroup) vo = CS.getVOMSVOForGroup(payloadGroup) retVal = VOMS().setVOMSAttributes(pilotProxyDict['chain'], attribute=attribute, vo=vo) if not retVal['OK']: return retVal chain = retVal['Value'] return chain.dumpAllToFile(payloadProxy)
#uploadProxyToMyProxy( cliParams, True ) success = uploadProxyToDIRACProxyManager(cliParams) if not success and cliParams.strict: sys.exit(1) cliParams.setDIRACGroup(proxyInfo['group']) #uploadProxyToMyProxy( cliParams, False ) success = uploadProxyToDIRACProxyManager(cliParams) if not success and cliParams.strict: sys.exit(1) finalChain = proxyInfo['chain'] vomsMapping = CS.getVOMSAttributeForGroup(proxyInfo['group']) if vomsMapping: voms = VOMS() retVal = voms.setVOMSAttributes(finalChain, vomsMapping, 'vo.cta.in2p3.fr') if not retVal['OK']: #print "Cannot add voms attribute %s to proxy %s: %s" % ( attr, proxyInfo[ 'path' ], retVal[ 'Message' ] ) print "Warning : Cannot add voms attribute %s to proxy" % (vomsMapping) print " Accessing data in the grid storage from the user interface will not be possible." print " The grid jobs will not be affected." if cliParams.strict: sys.exit(1) else: finalChain = retVal['Value'] retVal = finalChain.dumpAllToFile(proxyInfo['path']) if not retVal['OK']: print "Cannot write proxy to file %s" % proxyInfo['path'] sys.exit(1)