forked from rucio/rucio
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Tests: add test transfer with tokens
Add required clients and scopes to indigoiam. I didn't try to make it work with keycloak yet. Configure xrootd to accept webdav requests, but I doubt it actually performs any authentication/authorisation of the tokens which are passed to it. Add a test which submits a transfer and verifies that the 'oauth2' authentication was actually used by fts.
- Loading branch information
Radu Carpa
committed
Jan 15, 2024
1 parent
2f0cdf3
commit b382bb9
Showing
12 changed files
with
302 additions
and
14 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,45 @@ | ||
| #!/bin/bash | ||
| # -*- coding: utf-8 -*- | ||
| # Copyright European Organization for Nuclear Research (CERN) since 2012 | ||
| # | ||
| # Licensed under the Apache License, Version 2.0 (the "License"); | ||
| # you may not use this file except in compliance with the License. | ||
| # You may obtain a copy of the License at | ||
| # | ||
| # http://www.apache.org/licenses/LICENSE-2.0 | ||
| # | ||
| # Unless required by applicable law or agreed to in writing, software | ||
| # distributed under the License is distributed on an "AS IS" BASIS, | ||
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| # See the License for the specific language governing permissions and | ||
| # limitations under the License. | ||
|
|
||
| # wait for MySQL readiness | ||
| /usr/local/bin/wait-for-it.sh -h ftsdb -p 3306 -t 3600 | ||
|
|
||
| # TODO: remove following code once FTS fixes the schema on their side | ||
| rm -f /usr/share/fts-mysql/fts-schema-9.0.0.sql /usr/share/fts-mysql/fts-diff-9.0.0.sql | ||
| cp /tmp/fts-diff-9.0.0.sql /usr/share/fts-mysql/ | ||
|
|
||
| # initialise / upgrade the database | ||
| /usr/share/fts/fts-database-upgrade.py -y | ||
|
|
||
| # Configure the OIDC provider and the mapping and the mapping between the OIDC client id to the VO | ||
| # Note: 6fe2a9f5e8876772 is the "automatically generated" vo for the rucios test certificate. It will change if we re-generate the cert. | ||
| echo \ | ||
| "insert into t_token_provider (name,issuer,client_id,client_secret) values('indigoiam', 'https://indigoiam/', 'd6dad80f-11f7-4cf4-a4ef-fbd081ec7f98', 'AJWL5JZtM6I2iaj7XHYq98kPGo6-8Wde2ScSHJhHNvCLeKppTj9fBmeq2xGWi3RCFlj6cPJFjz-BxXIBva4kDYo');" \ | ||
| "insert into t_gridmap (dn,vo) values ('85e6f7a5-580b-4a1c-a6d2-39055143063d', '6fe2a9f5e8876772');" \ | ||
| | mysql -h ftsdb -u fts --password=fts fts | ||
|
|
||
| # fix Apache configuration | ||
| /usr/bin/sed -i 's/Listen 80/#Listen 80/g' /etc/httpd/conf/httpd.conf | ||
| cp /opt/rh/httpd24/root/usr/lib64/httpd/modules/mod_rh-python36-wsgi.so /lib64/httpd/modules | ||
| cp /opt/rh/httpd24/root/etc/httpd/conf.modules.d/10-rh-python36-wsgi.conf /etc/httpd/conf.modules.d | ||
|
|
||
| # Regenerate CA bundle in case new CAs where mounted into /etc/pki/ca-trust/source/anchors/ | ||
| update-ca-trust | ||
|
|
||
| # startup the FTS services | ||
| /usr/sbin/fts_server # main FTS server daemonizes | ||
| /usr/sbin/fts_msg_bulk # daemon to send messages to activemq | ||
| /usr/sbin/httpd -DFOREGROUND # FTS REST frontend & FTSMON |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,41 @@ | ||
| -- | ||
| -- FTS3 Schema 9.0.0 | ||
| -- [FTS-1928] REST API should accept and validate FTS submission token | ||
| -- | ||
|
|
||
| CREATE TABLE `t_token_provider` ( | ||
| `name` varchar(255) NOT NULL, | ||
| `issuer` varchar(1024) NOT NULL, | ||
| `client_id` varchar(255) NOT NULL, | ||
| `client_secret` varchar(255) NOT NULL, | ||
| PRIMARY KEY (`issuer`) | ||
| ) ENGINE=InnoDB DEFAULT CHARSET=latin1; | ||
|
|
||
| CREATE TABLE `t_token` ( | ||
| `token_id` char(16) NOT NULL, | ||
| `access_token` longtext NOT NULL, | ||
| `refresh_token` longtext, | ||
| `issuer` varchar(1024) NOT NULL, | ||
| `scope` varchar(1024) NOT NULL, | ||
| `audience` varchar(1024) NOT NULL, | ||
| `retry_timestamp` timestamp NULL DEFAULT NULL, | ||
| `retry_delay_m` int unsigned NULL DEFAULT 0, | ||
| `attempts` int unsigned NULL DEFAULT 0, | ||
| PRIMARY KEY (`token_id`), | ||
| CONSTRAINT `fk_token_issuer` FOREIGN KEY (`issuer`) REFERENCES `t_token_provider` (`issuer`) ON DELETE RESTRICT ON UPDATE RESTRICT | ||
| ) ENGINE=InnoDB DEFAULT CHARSET=latin1; | ||
|
|
||
| ALTER TABLE `t_file` | ||
| ADD COLUMN `src_token_id` char(16) DEFAULT NULL, | ||
| ADD COLUMN `dst_token_id` char(16) DEFAULT NULL, | ||
| MODIFY COLUMN `file_state` enum('STAGING','ARCHIVING','QOS_TRANSITION','QOS_REQUEST_SUBMITTED','STARTED','SUBMITTED','READY','ACTIVE','FINISHED','FAILED','CANCELED','NOT_USED','ON_HOLD','ON_HOLD_STAGING','FORCE_START','TOKEN_PREP') NOT NULL, | ||
| ADD CONSTRAINT `src_token_id` FOREIGN KEY (`src_token_id`) REFERENCES `t_token` (`token_id`) ON DELETE RESTRICT ON UPDATE RESTRICT, | ||
| ADD CONSTRAINT `dst_token_id` FOREIGN KEY (`dst_token_id`) REFERENCES `t_token` (`token_id`) ON DELETE RESTRICT ON UPDATE RESTRICT; | ||
|
|
||
| ALTER TABLE `t_file_backup` | ||
| ADD COLUMN `src_token_id` char(16) DEFAULT NULL, | ||
| ADD COLUMN `dst_token_id` char(16) DEFAULT NULL, | ||
| MODIFY COLUMN `file_state` enum('STAGING','ARCHIVING','QOS_TRANSITION','QOS_REQUEST_SUBMITTED','STARTED','SUBMITTED','READY','ACTIVE','FINISHED','FAILED','CANCELED','NOT_USED','ON_HOLD','ON_HOLD_STAGING','FORCE_START','TOKEN_PREP') NOT NULL; | ||
|
|
||
| INSERT INTO t_schema_vers (major, minor, patch, message) | ||
| VALUES (9, 0, 0, 'FTS-1925: Full OAuth2 capabilities in FTS for submission, transfers and tape operations'); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,80 @@ | ||
| SiteName=DOCKER | ||
|
|
||
| AuthorizedVO=* | ||
|
|
||
| DbType=mysql | ||
| DbUserName=fts | ||
| DbPassword=fts | ||
| DbConnectString=ftsdb/fts | ||
|
|
||
| #OpenID parameters | ||
| ValidateAccessTokenOffline=True | ||
| JWKCacheSeconds=86400 | ||
| TokenRefreshDaemonIntervalInSeconds=600 | ||
|
|
||
| #The alias used for the FTS endpoint, will be published as such in the dashboard transfers UI http://dashb-wlcg-transfers.cern.ch/ui/ | ||
| Alias=rucio/fts | ||
|
|
||
| MonitoringMessaging=false | ||
|
|
||
| [sqlalchemy] | ||
| pool_timeout=10 | ||
| pool_size=10 | ||
|
|
||
| [providers] | ||
| provider1 = https://indigoiam/ | ||
| provider1_ClientId = d6dad80f-11f7-4cf4-a4ef-fbd081ec7f98 | ||
| provider1_ClientSecret = AJWL5JZtM6I2iaj7XHYq98kPGo6-8Wde2ScSHJhHNvCLeKppTj9fBmeq2xGWi3RCFlj6cPJFjz-BxXIBva4kDYo | ||
|
|
||
| [roles] | ||
| Public = vo:transfer;all:datamanagement | ||
| lcgadmin = all:config | ||
|
|
||
| # Logging configuration | ||
| [loggers] | ||
| keys = root, routes, fts3rest, sqlalchemy | ||
|
|
||
| [handlers] | ||
| keys = console, log_file | ||
|
|
||
| [formatters] | ||
| keys = generic | ||
|
|
||
| [logger_root] | ||
| level = INFO | ||
| handlers = log_file | ||
|
|
||
| [logger_routes] | ||
| level = INFO | ||
| handlers = | ||
| qualname = routes.middleware | ||
| # "level = DEBUG" logs the route matched and routing variables. | ||
|
|
||
| [logger_fts3rest] | ||
| level = INFO | ||
| handlers = | ||
| qualname = fts3rest | ||
|
|
||
| [logger_sqlalchemy] | ||
| level = WARN | ||
| handlers = | ||
| qualname = sqlalchemy.engine | ||
| # "level = INFO" logs SQL queries. | ||
| # "level = DEBUG" logs SQL queries and results. | ||
| # "level = WARN" logs neither. (Recommended for production systems.) | ||
|
|
||
| [handler_console] | ||
| class = StreamHandler | ||
| args = (sys.stderr,) | ||
| level = NOTSET | ||
| formatter = generic | ||
|
|
||
| [handler_log_file] | ||
| class = logging.FileHandler | ||
| args = ('/var/log/fts3rest/fts3rest.log', 'a') | ||
| level = NOTSET | ||
| formatter = generic | ||
|
|
||
| [formatter_generic] | ||
| format = %(asctime)s,%(msecs)03d %(levelname)-5.5s [%(module)s] %(message)s | ||
| datefmt = %H:%M:%S |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,36 @@ | ||
| ErrorLog /proc/self/fd/2 | ||
| <VirtualHost *:443> | ||
| ServerName localhost | ||
| DocumentRoot /var/www/webdav/data/ | ||
| AllowEncodedSlashes on | ||
|
|
||
| CustomLog /proc/self/fd/1 combined | ||
|
|
||
| SSLEngine on | ||
| SSLCertificateFile /etc/grid-security/hostcert.pem | ||
| SSLCertificateKeyFile /etc/grid-security/hostkey.pem | ||
| SSLCACertificatePath /etc/grid-security/certificates/ | ||
| SSLVerifyClient optional | ||
| SSLVerifyDepth 10 | ||
| SSLOptions +StdEnvVars | ||
| SSLProtocol TLSv1.2 | ||
| SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS | ||
|
|
||
| OAuth2TokenVerify jwks_uri https://indigoiam/jwk jwks_uri.ssl_verify=false | ||
|
|
||
| <Location /> | ||
| Dav On | ||
| Options Indexes FollowSymLinks | ||
|
|
||
| <If "%{HTTP:Authorization} =~ m#^Bearer#i"> | ||
| AuthType oauth2 | ||
| Require oauth2_claim aud:web2 | ||
| </If> | ||
| <ElseIf "%{SSL_CLIENT_VERIFY} == 'SUCCESS'"> | ||
| Require all granted | ||
| </ElseIf> | ||
| <Else> | ||
| Require all denied | ||
| </Else> | ||
| </Location> | ||
| </VirtualHost> |
File renamed without changes.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.