[WIP] Enabling host certificate

ConfigurationSystem/Client/Helpers/RESTConf.py

@@ -48,6 +48,9 @@ def key():
 def setup():
   return gConfig.getValue( "/DIRAC/Setup" )
 
+def getValue( path ):
+  return gConfig.getValue( path )
+
 def generateCAFile():
   """
   Generate a single CA file with all the PEMs

RESTSystem/API/CS/CSHandler.py

@@ -0,0 +1,35 @@
+import types
+import os
+import shutil
+import json
+from tornado import web, gen
+from RESTDIRAC.RESTSystem.Base.RESTHandler import WErr, WOK, TmpDir, RESTHandler
+from RESTDIRAC.ConfigurationSystem.Client.Helpers import RESTConf
+
+class CSHandler( RESTHandler ):
+
+  ROUTE = "/config/(Sections|Options|Value)"
+
+  @web.asynchronous
+  def get( self, reqType ):
+    if reqType == "Sections":
+      return self.SectionsAction()
+    elif reqType == "Options":
+      return self.OptionsAction()
+    elif reqType == "Value":
+      return self.ValueAction()
+
+
+  @gen.engine
+  def ValueAction( self ):
+    args = self.request.arguments
+    try:
+      path = args[ 'ValuePath' ][0]
+    except KeyError:
+      self.send_error( 400 )
+      return
+    condDict = {}
+    if 'allOwners' not in self.request.arguments:
+      condDict[ 'Owner' ] = self.getUserName()
+    result = RESTConf.getValue( path )
+    self.finish( result )

RESTSystem/API/oa2/TokenHandler.py

@@ -75,12 +75,19 @@ def __getGroups( self, DN = False ):
         return WErr( 401, "No certificate received to issue a token" )
       DN = credDict[ 'subject' ]
       if not credDict[ 'validDN' ]:
-       return WErr( 401, "Unknown DN %s" % DN )
+        return WErr( 401, "Unknown DN %s" % DN )
     result = Registry.getGroupsForDN( DN )
     if not result[ 'OK' ]:
       return WErr( 500, result[ 'Message' ] )
     return WOK( { 'groups' : result[ 'Value' ] } )
 
+  def __getHostProperties ( self, group, DN ):
+    result = Registry.getPropertiesForEntity( group, dn = DN )
+    if not result:
+      return WErr( 500, "Can't get the Property for the host" )
+    return WOK( { 'groups' : result} )
+
+
   def groupsAction( self ):
       result = self.__getGroups()
       if not result.ok:
@@ -140,7 +147,11 @@ def __clientCredentialsRequest( self ):
     if not credDict[ 'validDN' ]:
       return WErr( 401, "Unknown DN %s" % DN )
     #Check group
-    result = self.__getGroups( DN )
+    if credDict.has_key( 'group' ):
+      if credDict['group'] == 'hosts':
+        result = self.__getHostProperties( 'hosts', DN )
+    else:
+      result = self.__getGroups( DN )
     if not result.ok:
       return result
     groups = result.data[ 'groups' ]

RESTSystem/Base/RESTHandler.py

@@ -155,6 +155,8 @@ def prepare( self ):
         self.send_error( 401 )
       else:
         data = result[ 'Value' ]
+        if data[ 'UserGroup' ] == 'TrustedHost':
+          data[ 'UserGroup' ] = 'hosts'
         self.__uData = { 'DN' : data[ 'UserDN' ],
                          'username' : data[ 'UserName' ],
                          'group' : data[ 'UserGroup' ],
@@ -166,7 +168,6 @@ def prepare( self ):
         self.log.info( "Setting DISET for %s" % cs )
     elif self.REQUIRE_ACCESS:
       raise WErr( 401, "No token provided" )
-
     self.end_prepare()
 
 

RESTSystem/DB/OATokenDB.py

@@ -71,7 +71,7 @@ def __initializeDB( self ):
                                                          'Code' : 'CHAR(28)',
                                                          'Secret' : 'CHAR(28)',
                                                          'ClientID' : 'CHAR(28)',
-                                                         'UserName': 'VARCHAR(16) NOT NULL',
+                                                         'UserName': 'VARCHAR(32) NOT NULL',
                                                          'UserDN': 'VARCHAR(128) NOT NULL',
                                                          'UserGroup': 'VARCHAR(16) NOT NULL',
                                                          'UserSetup': 'VARCHAR(32) NOT NULL',
@@ -292,7 +292,10 @@ def generateToken( self, userDN, userGroup, userSetup, scope = "", cid = False,
     if code:
       inData[ 'Code' ] = code
 
-    result = Registry.getUsernameForDN( userDN )
+    if userGroup == 'TrustedHost':
+      result = Registry.getHostnameForDN( userDN )
+    else:
+      result = Registry.getUsernameForDN( userDN )
     if not result[ 'OK' ]:
       return result
     inData[ 'UserName' ] = result[ 'Value' ]

RESTSystem/Test/CStest.py

@@ -0,0 +1,38 @@
+import requests
+import json
+import os
+
+# The REST server url
+REST_URL = 'https://0.0.0.0:9910'
+
+###########################################
+# Get the access token first
+
+# GET request parameters
+params = {'grant_type':'client_credentials',
+          'group':'TrustedHost',
+          'setup':'LHCb-Certification'}
+
+# The user certificate, password will be asked for to the user
+# before request submission
+#certificate = ('/home/cinzia/.globus/usercert.pem',
+#               '/home/cinzia/.globus/userkey.pem')
+
+
+certificate = ('/home/cinzia/devRoot/etc/grid-security/hostcert.pem','/home/cinzia/devRoot/etc/grid-security/hostkey.pem')
+proxies=('/tmp/x509up_u1000','/tmp/x509up_u1000')
+
+#result = requests.get(REST_URL+"/oauth2/token",params=params,cert=proxies, verify=False)
+result = requests.get(REST_URL+"/oauth2/token",params=params,cert=certificate,verify=False)
+
+
+# the output is returned as a json encoded string, decode it here
+resultDict = json.loads( result.text )
+access_token = resultDict['token']
+
+JobHistory = requests.get(REST_URL+'/jobs/history',params={'access_token':access_token},
+                      verify=False)
+
+PilotCommands = requests.get(REST_URL+'/config/Value',params={'access_token':access_token,'ValuePath':'/Operations/LHCb-Certification/Pilot/Commands/BOINC'}, verify=False)
+
+########################################