Merge pull request #20 from indigo-iam/issue-17

Synchronise AUP
indigo-iam · Mar 29, 2024 · acb60e5 · acb60e5
2 parents b45d4ab + 0cb181f
commit acb60e5
Show file tree

Hide file tree

Showing 4 changed files with 63 additions and 2 deletions.
diff --git a/.devcontainer/assets/vomsdir/test.vo/meteora.cloud.cnaf.infn.it.lsc b/.devcontainer/assets/vomsdir/test.vo/meteora.cloud.cnaf.infn.it.lsc
@@ -0,0 +1,2 @@
+/DC=org/DC=terena/DC=tcs/C=IT/ST=Roma/O=Istituto Nazionale di Fisica Nucleare/CN=meteora.cloud.cnaf.infn.it
+/C=NL/O=GEANT Vereniging/CN=GEANT eScience SSL CA 4
diff --git a/.devcontainer/assets/vomses b/.devcontainer/assets/vomses
@@ -1 +1 @@
-"test.vo" "vgrid02.cnaf.infn.it" "15000" "/DC=org/DC=terena/DC=tcs/C=IT/ST=Roma/O=Istituto Nazionale di Fisica Nucleare/CN=vgrid02.cnaf.infn.it" "test.vo"
+"test.vo" "meteora.cloud.cnaf.infn.it" "15002" "/DC=org/DC=terena/DC=tcs/C=IT/ST=Roma/O=Istituto Nazionale di Fisica Nucleare/CN=meteora.cloud.cnaf.infn.it" "test.vo"
diff --git a/README.md b/README.md
@@ -6,11 +6,45 @@ VO into an IAM organization.
 ## Devcontainer support
 
 For those who use VSCode, there is support for a remote Devcontainer, which
-comes preconfigured with the test VOMS at `vgrid02.cnaf.infn.it`.
+comes preconfigured with the test VOMS at `meteora.cloud.cnaf.infn.it`.
 
 Note (and beware) that `$HOME/.globus` and `$HOME/.config/oidc-agent`
 are mounted from the host.
 
 To run the `vomsimporter` script, you first need to obtain an admin
 VOMS proxy with `voms-proxy-init` and an admin access token with
 `oidc-token`.
+
+### Running the importer
+
+This is an example to import users from the `test.vo` hosted in [meteora](https://meteora.cloud.cnaf.infn.it:8443), into [iam-dev](https://iam-dev.cloud.cnaf.infn.it).
+
+Pre-requisites
+* being an admin of [meteora](https://meteora.cloud.cnaf.infn.it:8443)
+* being an admin of [iam-dev](https://iam-dev.cloud.cnaf.infn.it)
+* the X.509 certificate linked to the VOMS admin has to be the same as for the IAM admin
+* having a local oidc-configuration (generated with Centos7) whith at least the following scopes allowed: `openid iam:admin.read iam:admin.write scim:read scim:write proxy:generate`
+
+Define the following environment variables:
+
+```
+OIDC_AGENT_ALIAS=<your-client-alias>
+OIDC_AGENT_SECRET=<your-client-secret>
+IAM_ENDPOINT=iam-dev.cloud.cnaf.infn.it
+IAM_HOST=https://iam-dev.cloud.cnaf.infn.it
+VOMS_HOST=meteora.cloud.cnaf.infn.it
+VOMS_VO=test.vo
+X509_USER_PROXY=/tmp/x509up_u1000
+```
+
+Initialize your admin credentials with
+
+```
+$ ./docker/init-credentials.sh
+```
+
+Run the importer with
+
+```
+python vomsimporter.py --vo ${VOMS_VO} --voms-host ${VOMS_HOST} --iam-host ${IAM_HOST} --skip-duplicate-accounts-checks --username-attr nickname --debug --voms-port 8443
+```
diff --git a/vomsimporter.py b/vomsimporter.py
@@ -374,6 +374,29 @@ def link_certificate(self, iam_user, cert):
                 logging.error("Error linking certificate: %s to account %s: %s",
                               cert, iam_user['id'], e.response.status_code)
 
+    def synchronise_aup(self, iam_user, voms_user):
+        url = "%s/iam/aup/signature/%s" % (self._base_url(), iam_user['id'])
+        headers = self._build_authz_header()
+        headers['Content-type'] = "application/json"
+        payload = {
+            'signatureTime': self.retrieve_aup_sign_time(voms_user)
+        }
+        try:
+            r = self._s.patch(url, headers=headers, json=payload)
+            r.raise_for_status()
+        except requests.exceptions.RequestException as e:
+            if e.response is None:
+                logging.error("Failed AUP synchronisation for account %s: %s",
+                            iam_user['id'], e)
+            else:
+                logging.error("Failed AUP synchronisation for account %s with error: %s",
+                            iam_user['id'], e.response.content)
+
+    def retrieve_aup_sign_time(self, voms_user):
+        for aup in voms_user['aupAcceptanceRecords']:
+            signatureTime = aup.get('lastAcceptanceDate')
+            return signatureTime
+
     def set_user_attribute(self, iam_user, attribute):
         url = "%s/iam/account/%s/attributes" % (self._base_url(), iam_user['id'])
         r = self._s.put(url, json=attribute)
@@ -518,6 +541,8 @@ def import_voms_user(self, voms_user):
             iam_user = self.create_user_from_voms(voms_user)
             new_user = True
 
+        self.synchronise_aup(iam_user, voms_user)
+
         iam_user_str = self.iam_user_str(iam_user)
         logging.info("Syncing group/role membership for user %s",
                      iam_user_str)
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		/DC=org/DC=terena/DC=tcs/C=IT/ST=Roma/O=Istituto Nazionale di Fisica Nucleare/CN=meteora.cloud.cnaf.infn.it
		/C=NL/O=GEANT Vereniging/CN=GEANT eScience SSL CA 4
Original file line number	Diff line number	Diff line change
		@@ -1 +1 @@
		"test.vo" "vgrid02.cnaf.infn.it" "15000" "/DC=org/DC=terena/DC=tcs/C=IT/ST=Roma/O=Istituto Nazionale di Fisica Nucleare/CN=vgrid02.cnaf.infn.it" "test.vo"
		"test.vo" "meteora.cloud.cnaf.infn.it" "15002" "/DC=org/DC=terena/DC=tcs/C=IT/ST=Roma/O=Istituto Nazionale di Fisica Nucleare/CN=meteora.cloud.cnaf.infn.it" "test.vo"