Merged
178 commits
ee7b62e
add identity providers
TaykYoku May 19, 2021
8eb3455
add authorization server
TaykYoku May 19, 2021
a0946bb
fix tests
TaykYoku May 19, 2021
c6e5bb8
Update src/DIRAC/ConfigurationSystem/Client/Utilities.py
TaykYoku May 20, 2021
0d10464
Update src/DIRAC/Core/Security/TokenFile.py
TaykYoku May 20, 2021
3d07ee5
add new packages to setup.cfg
TaykYoku May 20, 2021
547d949
fix new packages, add scripts to setup
TaykYoku May 20, 2021
121a3c0
add test
TaykYoku May 20, 2021
1e89d96
add AuthDB to cfg
TaykYoku May 20, 2021
86895db
small fixes
TaykYoku May 20, 2021
0ed89fd
Update src/DIRAC/ConfigurationSystem/Client/Helpers/Resources.py
TaykYoku May 21, 2021
3bccdf1
Update src/DIRAC/Core/Security/TokenFile.py
TaykYoku May 21, 2021
8366600
fix discoverCredentialsToUse
TaykYoku May 21, 2021
2cfb5f5
fix bugs, issues
TaykYoku May 21, 2021
ef4219a
fix conf method
TaykYoku May 24, 2021
9ce128d
verify token on client
TaykYoku May 24, 2021
99e5357
add refresh jwks, fix bugs
TaykYoku May 24, 2021
0313f37
fix bugs
TaykYoku May 24, 2021
285a779
fix AuthDB
TaykYoku May 24, 2021
214e449
move getClient to Client object
TaykYoku May 24, 2021
27a479d
fix idps
TaykYoku May 24, 2021
30aea4b
remove comment in cs
TaykYoku May 24, 2021
a1ca351
add dirac AS clients
TaykYoku May 24, 2021
9958908
fix package versions
TaykYoku May 24, 2021
5cff7a9
fix tests
TaykYoku May 24, 2021
c892f6d
fix issues
TaykYoku May 26, 2021
df5f4d2
whitespace
TaykYoku May 26, 2021
66b0189
fix bugs
TaykYoku May 27, 2021
5592c44
remove tornado_start_AS
TaykYoku May 27, 2021
19a033b
add fetch tokens to base client
TaykYoku Jun 1, 2021
c9a5900
change authz with tokens, more docs
TaykYoku Jun 1, 2021
4ae8cd2
add refresh token encryption
TaykYoku Jun 1, 2021
4e94c02
align with changes
TaykYoku Jun 1, 2021
fd0fe19
remove DIRAC tokens
TaykYoku Jun 1, 2021
af05628
update clients, token class
TaykYoku Jun 1, 2021
ca09fa0
update dirac-login, add dirac-logout
TaykYoku Jun 1, 2021
d0c1141
align with changes
TaykYoku Jun 1, 2021
a5568fd
fix checkin
TaykYoku Jun 2, 2021
bdaf818
fix tests
TaykYoku Jun 2, 2021
dccbaf1
fix Token scope
TaykYoku Jun 2, 2021
533f142
fix datetime
TaykYoku Jun 2, 2021
dd9cc3f
fix
TaykYoku Jun 2, 2021
4cf71d6
fix setup
TaykYoku Jun 2, 2021
c86f520
update authz method
TaykYoku Jun 4, 2021
f250f24
add env description
TaykYoku Jun 4, 2021
292c9dd
provide methods to wrap userID as DN
TaykYoku Jun 16, 2021
7e84753
move Authorization conf section to DIRAC/Security
TaykYoku Jun 16, 2021
7215564
move BaseRequestHandler to private, update TornadoService and Tornado…
TaykYoku Jun 16, 2021
deb9922
add DErrno errors
TaykYoku Jun 16, 2021
cd7cb62
add TokenManager
TaykYoku Jun 16, 2021
5df72c4
update DIRAC AS client description
TaykYoku Jun 16, 2021
ce92f35
fix
TaykYoku Jun 16, 2021
0c4d372
optimize DeviceFlow
TaykYoku Jun 16, 2021
054d9ef
fix Token class
TaykYoku Jun 16, 2021
f565be7
fix dirac-login
TaykYoku Jun 16, 2021
b67a701
add refresh token reuse protection, fixes
TaykYoku Jun 16, 2021
ff2792f
add DIRAC_USE_ACCESS_TOKEN description
TaykYoku Jun 16, 2021
a06b035
fix
TaykYoku Jun 16, 2021
dd1a921
fix issues
TaykYoku Jun 17, 2021
634658d
fix bug
TaykYoku Jun 17, 2021
61fe0f0
fix white space
TaykYoku Jun 17, 2021
fdfa654
fix rebase
TaykYoku Jun 17, 2021
017e186
delete DIRACCLIIdProvider DIRACWebIdProvider
TaykYoku Jun 17, 2021
ff08c15
fix py3 things
TaykYoku Jun 22, 2021
002f224
fix py3 things
TaykYoku Jun 22, 2021
559c092
update authlib to authlib >=1.0.0.a2
TaykYoku Jun 22, 2021
2026596
update authlib
TaykYoku Jun 22, 2021
959ec69
update authlib
TaykYoku Jun 22, 2021
07d4e80
update authlib
TaykYoku Jun 22, 2021
6598034
update authlib
TaykYoku Jun 23, 2021
99391b2
Update src/DIRAC/ConfigurationSystem/Client/Helpers/Registry.py
TaykYoku Jun 23, 2021
7de26b0
Update docs/source/AdministratorGuide/ServerInstallations/environment…
TaykYoku Jun 23, 2021
e693ca6
Update docs/source/AdministratorGuide/ServerInstallations/environment…
TaykYoku Jun 23, 2021
ed3796e
remove TokenManager service from local CS
TaykYoku Jun 23, 2021
0876f00
fix TornadoBaseClient
TaykYoku Jun 23, 2021
019ace4
move TornadoConfigurationHandler fixes to separate PR
TaykYoku Jun 23, 2021
d6d990c
fix issues
TaykYoku Jun 23, 2021
db70752
fix bug
TaykYoku Jun 23, 2021
232b470
fix env py2
TaykYoku Jun 23, 2021
80fe3ae
fix pylint
TaykYoku Jun 23, 2021
fab2dc9
add TokenManager to ignore services
TaykYoku Jun 23, 2021
b2dc34c
add commands to docs
TaykYoku Jun 23, 2021
d91f8a0
optimize
TaykYoku Jun 23, 2021
e7dfd22
fix docs
TaykYoku Jun 23, 2021
75d2a60
fix
TaykYoku Jun 23, 2021
8fc0e00
add tests
TaykYoku Jun 23, 2021
a9978da
use pytest
TaykYoku Jun 23, 2021
0cc5cd4
fix
TaykYoku Jun 23, 2021
af78dc3
fix bugs
TaykYoku Jun 23, 2021
49280cd
fix
TaykYoku Jun 23, 2021
d55a66d
add pytest-mock to extras_require testing
TaykYoku Jun 23, 2021
c2dcd37
fix tests
TaykYoku Jun 24, 2021
7ea2d36
fix tests
TaykYoku Jun 24, 2021
413af23
fix tests
TaykYoku Jun 24, 2021
ae99399
compatibility with py2
TaykYoku Jun 28, 2021
b0918d5
compatibility with py2
TaykYoku Jun 28, 2021
85aad1f
add mocker, fix authzSSL
TaykYoku Jun 29, 2021
820fcfb
add mock for testing
TaykYoku Jun 29, 2021
73d5c6b
take into account the lack of packages in DIRACOS
TaykYoku Jun 29, 2021
add96f2
disable token authentication for python 2
TaykYoku Jun 29, 2021
b46b034
fix tests
TaykYoku Jun 29, 2021
06a1ebc
fix tests
TaykYoku Jun 29, 2021
b275358
fix tests
TaykYoku Jun 29, 2021
88ad7fe
add TornadoResponse
TaykYoku Jul 4, 2021
0717bd0
fix rebase
TaykYoku Jul 5, 2021
6e4c90b
fix bugs
TaykYoku Jul 5, 2021
72e09c5
fix log
TaykYoku Jul 5, 2021
3b69097
fix refresher with asyncio issue
TaykYoku Jul 6, 2021
509d74c
fix BaseRequestHandler for WebApp case
TaykYoku Jul 6, 2021
dd1494c
comment sslDebug
TaykYoku Jul 6, 2021
97d9b48
add utilities, change LOCATION
TaykYoku Jul 6, 2021
c167bf5
fix pylint
TaykYoku Jul 6, 2021
e9e89bc
fix
TaykYoku Jul 7, 2021
d6eefb4
fix bugs
TaykYoku Jul 12, 2021
dee1157
update getAuthorizationServerMetadata to ignore CS errors
TaykYoku Jul 15, 2021
9f1c5fc
fixes
TaykYoku Jul 15, 2021
64910e5
add bytes decoding to JEncode
TaykYoku Jul 15, 2021
7d2150d
add tokens to dirac_configure
TaykYoku Jul 15, 2021
8825d86
add additional info to well-known
TaykYoku Jul 15, 2021
67ff227
other fixes
TaykYoku Jul 15, 2021
3c3858c
other fixes
TaykYoku Jul 15, 2021
c481d4e
fix bug
TaykYoku Jul 19, 2021
9b31c33
optimize
TaykYoku Jul 19, 2021
69b3b08
optimize
TaykYoku Jul 19, 2021
e222588
add getUserInfo
TaykYoku Jul 19, 2021
99c88f4
add properties to OAuth2Request
TaykYoku Jul 19, 2021
1cdae99
fix bug
TaykYoku Jul 19, 2021
94442d7
fix DIRAC_USE_ACCESS_TOKEN
TaykYoku Jul 19, 2021
8b6a8f7
modify getGroupScopes
TaykYoku Jul 19, 2021
2bb50b2
fix pylint
TaykYoku Jul 20, 2021
ca4f497
remove unused
TaykYoku Jul 29, 2021
8d2394d
fix rebase
TaykYoku Jul 29, 2021
8afdbde
fix rebase
TaykYoku Jul 29, 2021
ec406a4
fix rebase
TaykYoku Jul 29, 2021
5d18b5b
pass args_kwargs to target method
TaykYoku Aug 1, 2021
aa04255
fix rebase
TaykYoku Aug 7, 2021
bb5e65d
fix target method args
TaykYoku Aug 8, 2021
55206c4
fix target method args
TaykYoku Aug 8, 2021
e38b5bb
fix target method args
TaykYoku Aug 8, 2021
0a4ca00
fix bug
TaykYoku Aug 11, 2021
2aa6a7c
fix tests
TaykYoku Aug 11, 2021
43ab502
fix pylint
TaykYoku Aug 11, 2021
7ed460c
fix pylint
TaykYoku Aug 12, 2021
b6ee4e4
fix decode
TaykYoku Aug 12, 2021
5461b7a
make https bundle delivery
TaykYoku Aug 15, 2021
a96772e
add info in dirac-info
TaykYoku Aug 15, 2021
66d8feb
set issuer if present
TaykYoku Aug 15, 2021
4db9fe6
fix
TaykYoku Aug 15, 2021
f69eafa
add information about user auth
TaykYoku Aug 15, 2021
1150ffe
add notification
TaykYoku Aug 15, 2021
9f83748
fix BundleDelivery
TaykYoku Aug 15, 2021
708632b
add BundleDelivery to template
TaykYoku Aug 15, 2021
d73b499
fix pylint
TaykYoku Aug 15, 2021
ccbc606
fix
TaykYoku Aug 17, 2021
3aceaeb
fix rebase
TaykYoku Aug 18, 2021
cbad237
add UI
TaykYoku Aug 19, 2021
cce156a
fix pylint
TaykYoku Aug 19, 2021
ffa1a2f
unquote args
TaykYoku Aug 21, 2021
aa99c8d
quote args
TaykYoku Aug 21, 2021
08696f3
optimize
TaykYoku Aug 21, 2021
fe292b0
fix dirac-login
TaykYoku Aug 22, 2021
abb751b
handle 404 error
TaykYoku Aug 22, 2021
a2dc51c
add status code to TornadoResponse
TaykYoku Aug 22, 2021
69350fb
optimize, catch errors
TaykYoku Aug 22, 2021
5aead5f
fix tests
TaykYoku Aug 22, 2021
68ea649
fix docs
TaykYoku Aug 22, 2021
f4d3ee7
remove unused
TaykYoku Aug 23, 2021
60ce206
fix py3
TaykYoku Aug 25, 2021
f3dffab
fix
TaykYoku Aug 25, 2021
4b6ace7
fix initialize
TaykYoku Aug 25, 2021
dfbb532
fix int to str
TaykYoku Aug 26, 2021
5fe2e1b
fix JobManagerHandler
TaykYoku Aug 28, 2021
3801f89
fix issues
TaykYoku Sep 2, 2021
d2a1941
after rebase fix
TaykYoku Sep 2, 2021
38e6132
fix
TaykYoku Sep 2, 2021
42e4f6d
getDN --> getUserDN
TaykYoku Sep 3, 2021
9876263
after rebase
TaykYoku Sep 4, 2021
1dc322d
after rebase
TaykYoku Sep 4, 2021
20 changes: 20 additions & 0 deletions dirac.cfg
@@ -57,6 +57,9 @@ Registry
# Real VOMS VO name, if this VO is associated with VOMS VO
VOMSName = lhcb

# Registered identity provider associated with VO
IdP = CheckIn

# Section to describe all the VOMS servers that can be used with the given VOMS VO
VOMSServers
{
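Review bot: the comment on `IdP = CheckIn` should state that the value must match a subsection name under `/Resources/IdProviders` (the `CheckIn` block added further down in this file); as written an administrator cannot tell whether `CheckIn` is a free-form label or a lookup key. Suggest `# Name of a subsection in /Resources/IdProviders`.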
@@ -99,6 +102,9 @@ Registry

# Role of the users in the VO
VOMSRole = /lhcb

# Scope associated with a role of the user in the VO
IdPRole = some_special_scope

# Virtual organization associated with the group
VOMSVO = lhcb
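Review bot: `IdPRole = some_special_scope` is documented as a scope but the option is named a role and sits next to `VOMSRole`; the comment should say how DIRAC interprets it, since the mapping from token scopes to DIRAC groups is an authorization decision and should not be left implicit. A placeholder that reads as a real value is also easy to copy into production unchanged; `IdPRole = <scope_required_for_this_group>` would be clearer.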
@@ -418,6 +424,20 @@ Systems
}
Resources
{
IdProviders
{
CheckIn
{
# What supported type of provider does it belong to
ProviderType = OAuth2
# Description of the client parameters registered on the identity provider side.
# Look here for information about client parameters description https://tools.ietf.org/html/rfc8414#section-2
issuer = https://aai-dev.egi.eu/oidc
client_id = type_client_id_here_receved_after_client_registration
client_secret = type_client_secret_here_receved_after_client_registration
scope = openid, profile, offline_access, eduperson_entitlement, cert_entitlement
}
}

# Section for proxy providers, subsections is the names of the proxy providers
# https://dirac.readthedocs.org/en/latest/AdministratorGuide/Resources/proxyprovider.html
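Review bot: `client_secret` is placed in the `/Resources/IdProviders/CheckIn` section of the sample configuration, and the placeholders carry a typo (`receved`, should be `received`). Since this `dirac.cfg` is a template that administrators copy, the comment should say whether a real `client_secret` may live in the shared configuration or must stay in server-side local configuration, so the secret is not distributed with the rest of `/Resources`. Also `scope = openid, profile, ...` is comma-separated while an OAuth2 scope parameter is space-delimited on the wire; document that DIRAC splits the CS list and joins it with spaces, otherwise a reader will not know whether the value is sent as a single scope string.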
3 changes: 3 additions & 0 deletions docs/source/AdministratorGuide/CommandReference/index.rst
@@ -155,6 +155,9 @@ Other commands:
.. toctree::
:maxdepth: 2

dirac-login
dirac-logout

dirac-admin-accounting-cli

dirac-admin-sysadmin-cli
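Review bot: `dirac-login` and `dirac-logout` are inserted ahead of `dirac-admin-accounting-cli` in the "Other commands" toctree while the existing entries are grouped by prefix; either keep the ordering the section already uses or add a comment on why login/logout come first. The two entries also require `dirac-login.rst` and `dirac-logout.rst` to exist beside this index, otherwise Sphinx warns and the command pages are missing.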
@@ -65,3 +65,12 @@ DIRAC_X509_HOST_KEY

X509_VOMSES
Must be set to point to a folder containing VOMSES information. See :ref:`multi_vo_dirac`

BEARER_TOKEN
If the environment variable is set, then the value is taken to be the token contents (https://doi.org/10.5281/zenodo.3937438).

BEARER_TOKEN_FILE
If the environment variable is set, then its value is interpreted as a filename. The content of the specified file is used as token string (https://doi.org/10.5281/zenodo.3937438).

DIRAC_USE_ACCESS_TOKEN
If this environment is set to ``true`` or ``yes``, the concurrent.futures.ThreadPoolExecutor will be used (default=false)
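Review bot: the `DIRAC_USE_ACCESS_TOKEN` description ("the concurrent.futures.ThreadPoolExecutor will be used") looks copied from another variable and does not describe this flag; given the variable name and the PR's token-authentication commits ("add DIRAC_USE_ACCESS_TOKEN description", "change authz with tokens") it should say that, when set to `true`/`yes`, the client authenticates with an access token instead of a proxy. "If this environment is set" should also read "If this environment variable is set". For `BEARER_TOKEN` and `BEARER_TOKEN_FILE`, state the precedence when both are set: the cited WLCG Bearer Token Discovery document checks `BEARER_TOKEN` first and `BEARER_TOKEN_FILE` second, and a reader should not have to follow the DOI to learn that.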
4 changes: 4 additions & 0 deletions environment-py3.yml
@@ -89,6 +89,10 @@ dependencies:
- typing >=3.6.6
- pyyaml
- pip:
# Prerelease of the required package for integration of OAuth2
- Authlib>=1.0.0.a2
- dominate
- pyjwt
# This is a fork of tornado with a patch to allow for configurable iostream
# It should eventually be part of DIRACGrid
- git+https://github.com/DIRACGrid/tornado.git@iostreamConfigurable
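Review bot: `Authlib>=1.0.0.a2` pins only a lower bound on a pre-release, so the resolver is free to pick any later alpha or beta with a different API; for the library that validates tokens an exact or compatible-release pin (`Authlib==1.0.0a2`, or `>=1.0.0a2,<1.1`) is safer, and the canonical PEP 440 spelling is `1.0.0a2` (the `.a2` form is normalised but reads like a typo). Consider also whether `pyjwt` is still needed next to Authlib's own JOSE implementation, so there is a single JWT code path to audit.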
4 changes: 4 additions & 0 deletions environment.yml
@@ -74,6 +74,10 @@ dependencies:
- selectors2
- pip:
- diraccfg
# OAuth2
- dominate
- authlib
- pyjwt
# This is a fork of tornado with a patch to allow for configurable iostream
- git+https://github.com/DIRACGrid/tornado.git@iostreamConfigurable
# This is an extension of Tornado to use M2Crypto
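Review bot: `- authlib` is added here without a version while `environment-py3.yml` and `setup.cfg` require `>=1.0.0.a2`; pip does not select a pre-release unless the specifier names one, so this environment resolves to the latest stable Authlib and the two environments end up on different major versions of the library the token code is written against. Either pin the same version here or, if the commit "disable token authentication for python 2" means Authlib is unused on py2, drop it from this file with a comment saying so.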
6 changes: 6 additions & 0 deletions setup.cfg
@@ -55,6 +55,9 @@ install_requires =
six
sqlalchemy
subprocess32
Authlib >=1.0.0.a2
pyjwt
dominate
zip_safe = False
include_package_data = True

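Review bot: `Authlib >=1.0.0.a2`, `pyjwt` and `dominate` are added to `install_requires` unconditionally, although commits in this PR disable token authentication for Python 2 and note the lack of packages in DIRACOS; if these imports are only exercised on py3, guard them with an environment marker (`Authlib >=1.0.0a2; python_version >= "3"`) so py2 installs do not pull a dependency they cannot use, and keep the specifier identical to the one in the two environment files.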
@@ -92,6 +95,7 @@ testing =
parameterized
pytest
pytest-cov
pytest-mock
pycodestyle

[options.entry_points]
@@ -158,6 +162,8 @@ console_scripts =
dirac-dms-user-lfns = DIRAC.DataManagementSystem.scripts.dirac_dms_user_lfns:main
dirac-dms-user-quota = DIRAC.DataManagementSystem.scripts.dirac_dms_user_quota:main
# FrameworkSystem
dirac-login = DIRAC.FrameworkSystem.scripts.dirac_login:main
dirac-logout = DIRAC.FrameworkSystem.scripts.dirac_logout:main
dirac-admin-get-CAs = DIRAC.FrameworkSystem.scripts.dirac_admin_get_CAs:main [server]
dirac-admin-get-proxy = DIRAC.FrameworkSystem.scripts.dirac_admin_get_proxy:main [admin]
dirac-admin-proxy-upload = DIRAC.FrameworkSystem.scripts.dirac_admin_proxy_upload:main [admin]
34 changes: 34 additions & 0 deletions src/DIRAC/ConfigurationSystem/Client/Helpers/Registry.py
@@ -13,6 +13,8 @@

__RCSID__ = "$Id$"

ID_DN_PREFIX = "/O=DIRAC/CN="

# pylint: disable=missing-docstring

gBaseRegistrySection = "/Registry"
@@ -428,6 +430,16 @@ def getVOForGroup(group):
return getVO() or gConfig.getValue("%s/Groups/%s/VO" % (gBaseRegistrySection, group), "")


def getIdPForGroup(group):
""" Get identity provider for group VO

:param str group: group name

:return: str
"""
return getVOOption(getVOForGroup(group), 'IdP')


def getDefaultVOMSAttribute():
""" Get default VOMS attribute

@@ -697,3 +709,25 @@ def getEmailsForGroup(groupName):
email = getUserOption(username, 'Email', [])
emails.append(email)
return emails


def wrapIDAsDN(userID):
""" Wrap user ID as user DN

:param str userID: user ID

:return: str
"""
return '/O=DIRAC/CN=' + userID


def getIDFromDN(userDN):
""" Parse user ID from user DN

:param str userDN: user DN

:return: S_OK(str)/S_ERROR()
"""
if not userDN.startswith(ID_DN_PREFIX):
return S_ERROR("%s DN does not contain user ID." % userDN)
return S_OK(userDN[len(ID_DN_PREFIX):])
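Review bot: `wrapIDAsDN` hard-codes `'/O=DIRAC/CN='` while `getIDFromDN` checks `ID_DN_PREFIX`; use the constant in both so the two cannot drift (a drift would make `getIDFromDN` reject every DN that `wrapIDAsDN` produces). The pair is also asymmetric: `wrapIDAsDN` returns a bare string but `getIDFromDN` returns `S_OK`/`S_ERROR`, which callers must remember. Because these synthetic DNs share the namespace used for certificate subjects, document that `/O=DIRAC/CN=` is reserved for token-derived identities and must never be issued by a trusted CA; otherwise a certificate whose subject starts with that prefix would be parsed by `getIDFromDN` as a user ID. `getIDFromDN` should also reject an empty remainder: `userDN == ID_DN_PREFIX` currently returns `S_OK('')`.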
11 changes: 11 additions & 0 deletions src/DIRAC/ConfigurationSystem/Client/PathFinder.py
@@ -95,6 +95,17 @@ def getComponentSection(system, component=False, setup=False, componentCategory=
)


def getAPISection(system, endpointName=False, setup=False):
""" Get API section in a system

:param str system: system name
:param str endpointName: endpoint name

:return: str
"""
return getComponentSection(system, component=endpointName, setup=setup, componentCategory="APIs")


def getServiceSection(system, serviceName=False, setup=False):
""" Get service section in a system

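Review bot: the docstring of `getAPISection` omits the `setup` parameter that the signature takes and forwards to `getComponentSection`; add `:param str setup: setup name` (matching the neighbouring `getServiceSection`) so the documented interface matches the code.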
59 changes: 49 additions & 10 deletions src/DIRAC/ConfigurationSystem/Client/Utilities.py
@@ -20,6 +20,7 @@
from DIRAC.ConfigurationSystem.Client.PathFinder import getDatabaseSection
from DIRAC.Core.Utilities.Glue2 import getGlue2CEInfo
from DIRAC.Core.Utilities.SiteSEMapping import getSEHosts
from DIRAC.ConfigurationSystem.Client.PathFinder import getSystemInstance
from DIRAC.DataManagementSystem.Utilities.DMSHelpers import DMSHelpers


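Review bot: `getSystemInstance` is imported in a second `from DIRAC.ConfigurationSystem.Client.PathFinder import ...` statement three lines below the existing one for `getDatabaseSection`; merge them into one import (`from DIRAC.ConfigurationSystem.Client.PathFinder import getDatabaseSection, getSystemInstance`) and keep the import block sorted.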
@@ -536,16 +537,6 @@ def getElasticDBParameters(fullname):
return S_OK(parameters)


def getOAuthAPI(instance='Production'):
""" Get OAuth API url

:param str instance: instance

:return: str
"""
return gConfig.getValue("/Systems/Framework/%s/URLs/OAuthAPI" % instance)


def getDIRACGOCDictionary():
"""
Create a dictionary containing DIRAC site names and GOCDB site names
@@ -578,3 +569,51 @@ def getDIRACGOCDictionary():

log.debug('End function.')
return S_OK(dictionary)


def getAuthAPI():
""" Get Auth REST API url

:return: str
"""
return gConfig.getValue("/Systems/Framework/%s/URLs/AuthAPI" % getSystemInstance("Framework"))


def getAuthorizationServerMetadata(issuer=None, ignoreErrors=False):
""" Get authorization server metadata

:param str issuer: issuer
:param bool ignoreErrors: igrnore configuration errors

:return: S_OK(dict)/S_ERROR()
"""
data = {}
try:
result = gConfig.getOptionsDictRecursively('/DIRAC/Security/Authorization')
if not result['OK']:
return S_OK({'issuer': issuer}) if issuer else result
data = result['Value']
except Exception as e:
if ignoreErrors:
gLogger.warn(repr(e))
else:
raise e

# Search DIRAC Authorization Server issuer
data['issuer'] = data.get('issuer', issuer)
if not data['issuer']:
try:
data['issuer'] = getAuthAPI()
except Exception as e:
return S_ERROR('No issuer found in DIRAC authorization server: %s' % repr(e))

return S_OK(data) if data['issuer'] else S_ERROR('Cannot find DIRAC Authorization Server issuer.')


def isDownloadablePersonalProxy():
""" Get downloadablePersonalProxy flag

:return: S_OK(bool)/S_ERROR()
"""
cs_path = '/Systems/Framework/%s/APIs/Auth' % getSystemInstance("Framework")
return gConfig.getValue(cs_path + '/downloadablePersonalProxy', "false").lower() in ("y", "yes", "true")
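Review bot: in `getAuthorizationServerMetadata`, `raise e` inside `except Exception as e` rewrites the traceback; use a bare `raise`. The docstring has a typo (`igrnore`). The issuer fallback wraps `getAuthAPI()` in `try`/`except`, but `gConfig.getValue` returns its default (`None` here) for a missing option rather than raising, so that `except` branch is effectively dead and a missing `AuthAPI` URL falls through to the final `S_ERROR`; drop the try/except and make the error message name the missing `/Systems/Framework/<instance>/URLs/AuthAPI` option. When `ignoreErrors` is set and the CS read fails, `data` stays `{}` and the function can still return `S_OK` with only an issuer, so callers get metadata without endpoints or `jwks_uri`; log that explicitly so a misconfigured server does not look like a working one. `isDownloadablePersonalProxy` is documented as returning `S_OK(bool)/S_ERROR()` but returns a plain `bool`; align the docstring or the return. Also `gLogger` is used but no import of it is visible in this diff; confirm it is imported at module level.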
9 changes: 7 additions & 2 deletions src/DIRAC/ConfigurationSystem/private/TornadoRefresher.py
@@ -4,6 +4,7 @@

__RCSID__ = "$Id$"

from six import PY3
import time

from tornado import gen
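Review bot: `from six import PY3` is inserted ahead of `import time`; keep standard-library imports first and third-party ones (`six`, `tornado`) after, as the rest of the module does.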
@@ -76,9 +77,13 @@ def __refreshLoop(self):
yield gen.sleep(gConfigurationData.getPropagationTime())
# Publish step is blocking so we have to run it in executor
# If we are not doing it, when master try to ping we block the IOLoop
yield _IOLoop.current().run_in_executor(None, self.__AutoRefresh)

@gen.coroutine
# When switching from python 2 to python 3, the following error occurs:
# RuntimeError: There is no current event loop in thread..
# The reason seems to be that asyncio.get_event_loop() is called in some thread other than the main thread,
# asyncio only generates an event loop for the main thread.
yield _IOLoop.current().run_in_executor(None, self.__AutoRefresh if PY3 else gen.coroutine(self.__AutoRefresh))

def __AutoRefresh(self):
"""
Auto refresh the configuration
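Review bot: the new comment describes the Python 3 `RuntimeError: There is no current event loop in thread` but not what the code does about it: the `@gen.coroutine` decorator on `__AutoRefresh` is removed, and the function is wrapped with `gen.coroutine` only on Python 2 while the plain function is handed to `run_in_executor` on Python 3. Say that in the comment, i.e. that `run_in_executor` runs the callable in a worker thread where asyncio has no event loop, so on py3 it must not be a coroutine. Since the two interpreters now take different code paths in the refresh loop, add a test for each, or drop the PY2 branch once Python 2 support ends so the `six` import can go as well.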