From 503fefc4a671dfae7eb648db2a09e2a2865b73aa Mon Sep 17 00:00:00 2001 From: Christophe Haen Date: Wed, 27 Sep 2023 16:52:52 +0200 Subject: [PATCH] feat (ProxyManager): query DiracX for a token --- src/DIRAC/Core/scripts/dirac_configure.py | 10 +++ .../Service/ProxyManagerHandler.py | 61 +++++++++---------- tests/CI/docker-compose.yml | 2 + tests/Jenkins/dirac_ci.sh | 2 +- 4 files changed, 41 insertions(+), 34 deletions(-) diff --git a/src/DIRAC/Core/scripts/dirac_configure.py b/src/DIRAC/Core/scripts/dirac_configure.py index d54a5a207aa..dbc8c0dde6d 100755 --- a/src/DIRAC/Core/scripts/dirac_configure.py +++ b/src/DIRAC/Core/scripts/dirac_configure.py @@ -76,6 +76,7 @@ def __init__(self): self.outputFile = "" self.skipVOMSDownload = False self.extensions = "" + self.legacyExchangeApiKey = "" def setGateway(self, optionValue): self.gatewayServer = optionValue @@ -174,6 +175,12 @@ def setIssuer(self, optionValue): DIRAC.gConfig.setOptionValue("/DIRAC/Security/Authorization/issuer", self.issuer) return DIRAC.S_OK() + def setLegacyExchangeApiKey(self, optionValue): + self.legacyExchangeApiKey = optionValue + Script.localCfg.addDefaultEntry("/DiracX/LegacyExchangeApiKey", self.legacyExchangeApiKey) + DIRAC.gConfig.setOptionValue(cfgInstallPath("LegacyExchangeApiKey"), self.vo) + return DIRAC.S_OK() + def _runConfigurationWizard(setups, defaultSetup): """The implementation of the configuration wizard""" @@ -361,6 +368,9 @@ def runDiracConfigure(params): Script.registerSwitch("n:", "SiteName=", "Set as DIRAC Site Name", params.setSiteName) Script.registerSwitch("N:", "CEName=", "Set as Computing Element name", params.setCEName) Script.registerSwitch("V:", "VO=", "Set the VO name", params.setVO) + Script.registerSwitch( + "K:", "LegacyExchangeApiKey=", "Set the Api Key to talk to DiracX", params.setLegacyExchangeApiKey + ) Script.registerSwitch("W:", "gateway=", "Configure as DIRAC Gateway for the site", params.setGateway) diff --git a/src/DIRAC/FrameworkSystem/Service/ProxyManagerHandler.py b/src/DIRAC/FrameworkSystem/Service/ProxyManagerHandler.py index 35847445dcd..0294d4bba21 100644 --- a/src/DIRAC/FrameworkSystem/Service/ProxyManagerHandler.py +++ b/src/DIRAC/FrameworkSystem/Service/ProxyManagerHandler.py @@ -7,7 +7,9 @@ :caption: ProxyManager options """ -from DIRAC import gLogger, S_OK, S_ERROR +import os +import requests +from DIRAC import gLogger, S_OK, S_ERROR, gConfig from DIRAC.Core.DISET.RequestHandler import RequestHandler, getServiceOption from DIRAC.Core.Security import Properties from DIRAC.Core.Utilities.ObjectLoader import ObjectLoader @@ -411,39 +413,32 @@ def export_getVOMSProxyWithToken(self, userDN, userGroup, requestPem, requiredLi def export_exchangeProxyForToken(self): """Exchange a proxy for an equivalent token to be used with diracx""" - try: - from diracx.routers.auth import ( # pylint: disable=import-error - AuthSettings, - create_token, - TokenResponse, - ) # pylint: disable=import-error - - authSettings = AuthSettings() - - from uuid import uuid4 - - credDict = self.getRemoteCredentials() - vo = Registry.getVOForGroup(credDict["group"]) - payload = { - "sub": f"{vo}:{credDict['username']}", - "vo": vo, - "aud": authSettings.token_audience, - "iss": authSettings.token_issuer, - "dirac_properties": list( - set(credDict.get("groupProperties", [])) | set(credDict.get("properties", [])) - ), - "jti": str(uuid4()), + + from diracx.core.preferences import get_diracx_preferences + + apiKey = gConfig.getValue("/DiracX/LegacyExchangeApiKey") + if not apiKey: + return S_ERROR("Missing mandatory /DiracX/LegacyExchangeApiKey configuration") + + diracxUrl = get_diracx_preferences().url + + credDict = self.getRemoteCredentials() + vo = Registry.getVOForGroup(credDict["group"]) + dirac_properties = list(set(credDict.get("groupProperties", [])) | set(credDict.get("properties", []))) + group = credDict["group"] + scopes = [f"vo:{vo}", f"group:{group}", [f"property:{prop}" for prop in dirac_properties]] + + r = requests.get( + f"{diracxUrl}/auth/legacy-exchange", + params={ "preferred_username": credDict["username"], - "dirac_group": credDict["group"], - } - return S_OK( - TokenResponse( - access_token=create_token(payload, authSettings), - expires_in=authSettings.access_token_expire_minutes * 60, - ).dict() - ) - except Exception as e: - return S_ERROR(f"Could not get token: {e!r}") + "scopes": " ".join(scopes), + }, + headers={"Authorization": f"Bearer {apiKey}"}, + ) + + r.raise_for_status() + return S_OK(r.json()) class ProxyManagerHandler(ProxyManagerHandlerMixin, RequestHandler): diff --git a/tests/CI/docker-compose.yml b/tests/CI/docker-compose.yml index 24273150ea4..35a5a7d31f3 100644 --- a/tests/CI/docker-compose.yml +++ b/tests/CI/docker-compose.yml @@ -152,6 +152,8 @@ services: - DIRACX_DB_URL_JOBDB=mysql+aiomysql://Dirac:Dirac@mysql/JobDB - DIRACX_SERVICE_AUTH_TOKEN_KEY=file:///signing-key/rs256.key - DIRACX_SERVICE_AUTH_ALLOWED_REDIRECTS=["http://diracx:8000/docs/oauth2-redirect"] + # Obtained with echo 'InsecureChangeMe' | base64 -d | openssl sha512 + - DIRACX_LEGACY_EXCHANGE_HASHED_API_KEY=07cddf6948d316ac9d186544dc3120c4c6697d8f994619665985c0a5bf76265a ports: - 8000:8000 depends_on: diff --git a/tests/Jenkins/dirac_ci.sh b/tests/Jenkins/dirac_ci.sh index 46d15d06f48..d4518e4aeee 100644 --- a/tests/Jenkins/dirac_ci.sh +++ b/tests/Jenkins/dirac_ci.sh @@ -135,7 +135,7 @@ installSite() { echo "==> Done installing, now configuring" source "${SERVERINSTALLDIR}/bashrc" - if ! dirac-configure --cfg "${SERVERINSTALLDIR}/install.cfg" "${DEBUG}"; then + if ! dirac-configure --cfg "${SERVERINSTALLDIR}/install.cfg" --LegacyExchangeApiKey='InsecureChangeMe' "${DEBUG}"; then echo "ERROR: dirac-configure failed" >&2 exit 1 fi