PyPI - DIRAC - Versions diffs - 9.0.0a42__py3-none-any.whl → 9.0.7__py3-none-any.whl - Mend

DIRAC 9.0.0a42py3-none-any.whl → 9.0.7py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (236) hide show

DIRAC/ConfigurationSystem/Client/PathFinder.py CHANGED Viewed

@@ -1,7 +1,12 @@
 """ Collection of utilities for finding paths in the CS
 """
+import re
+from copy import deepcopy
+from collections.abc import Iterable
 from urllib import parse
+from cachetools import cached, TTLCache
 from DIRAC.Core.Utilities import List
 from DIRAC.ConfigurationSystem.Client.ConfigurationData import gConfigurationData
 from DIRAC.ConfigurationSystem.Client.Helpers import Path
@@ -151,6 +156,43 @@ def getSystemURLs(system, failover=False):
     return urlDict
+def groupURLsByPriority(urls: Iterable[str]) -> list[set[str]]:
+    """Group URLs by priority.
+    :param Iterable[str] preferredURLPatterns: patterns to check in ranked order
+    :param set[str] urls: URLs to check
+    :return: list[set[str]] -- list of URL groups, ordered by priority
+    """
+    return deepcopy(_groupURLsByPriority(frozenset(urls)))
+@cached(cache=TTLCache(maxsize=1024, ttl=300))
+def _groupURLsByPriority(urls: frozenset[str]) -> list[set[str]]:
+    preferredURLPatterns = []
+    if patterns := gConfigurationData.extractOptionFromCFG("/DIRAC/PreferredURLPatterns"):
+        preferredURLPatterns = [re.compile(pattern) for pattern in List.fromChar(patterns)]
+    urlGroups = [set() for _ in range(len(preferredURLPatterns) + 1)]
+    for url in urls:
+        urlGroups[findURLPriority(preferredURLPatterns, url)].add(url)
+    return urlGroups
+def findURLPriority(preferredURLPatterns: list[re.Pattern[str]], url: str) -> int:
+    """Find which preferred URL pattern the URL matches.
+    :param str preferredURLPatterns: patterns to check in ranked order
+    :param str url: URL to check
+    :return: int -- index of the pattern that matched, smallest is the most preferred
+    """
+    for i, pattern in enumerate(preferredURLPatterns):
+        if re.match(pattern, url):
+            return i
+    return len(preferredURLPatterns)
 def getServiceURLs(system, service=None, failover=False):
     """Generate url.
@@ -168,8 +210,8 @@ def getServiceURLs(system, service=None, failover=False):
     # Add failover URLs at the end of the list
     failover = "Failover" if failover else ""
     for fURLs in ["", "Failover"] if failover else [""]:
-        urlList = []
         urls = List.fromChar(gConfigurationData.extractOptionFromCFG(f"{systemSection}/{fURLs}URLs/{service}"))
+        urlList = set()
         # Be sure that urls not None
         for url in urls or []:
@@ -186,16 +228,13 @@ def getServiceURLs(system, service=None, failover=False):
                 for srv in mainServers:
                     _url = checkComponentURL(url.replace("$MAINSERVERS$", srv), system, service, pathMandatory=True)
-                    if _url not in urlList:
-                        urlList.append(_url)
+                    urlList.add(_url)
                 continue
-            _url = checkComponentURL(url, system, service, pathMandatory=True)
-            if _url not in urlList:
-                urlList.append(_url)
+            urlList.add(checkComponentURL(url, system, service, pathMandatory=True))
-        # Randomize list if needed
-        resList.extend(List.randomize(urlList))
+        for urlGroup in groupURLsByPriority(urlList):
+            resList.extend(List.randomize(urlGroup))
     return resList

DIRAC/ConfigurationSystem/Client/SyncPlugins/CERNLDAPSyncPlugin.py CHANGED Viewed

@@ -32,6 +32,9 @@ class CERNLDAPSyncPlugin:
         else:
             userDict["PrimaryCERNAccount"] = self._findOwnerAccountName(username, attributes)
+        if userDict["CERNAccountType"] in ["Primary", "Secondary"]:
+            userDict["CERNPersonId"] = attributes.get("employeeId", [None])[0]
     def _findOwnerAccountName(self, username, attributes):
         """Find the owner account from a CERN LDAP entry.
@@ -64,7 +67,7 @@ class CERNLDAPSyncPlugin:
         status, result, response, _ = self._connection.search(
             "OU=Users,OU=Organic Units,DC=cern,DC=ch",
             f"(CN={commonName})",
-            attributes=["cernAccountOwner", "cernAccountType"],
+            attributes=["cernAccountOwner", "cernAccountType", "employeeId"],
         )
         if not status:
             raise ValueError(f"Bad status from LDAP search: {result}")

DIRAC/ConfigurationSystem/Client/VOMS2CSSynchronizer.py CHANGED Viewed

@@ -5,22 +5,23 @@
 from collections import defaultdict
 from diraccfg import CFG
-from DIRAC import S_OK, S_ERROR, gLogger, gConfig
-from DIRAC.Core.Utilities.ReturnValues import returnValueOrRaise, convertToReturnValue
-from DIRAC.Core.Security.IAMService import IAMService
-from DIRAC.Core.Security.VOMSService import VOMSService
-from DIRAC.Core.Utilities.List import fromChar
-from DIRAC.Core.Utilities.ObjectLoader import ObjectLoader
-from DIRAC.Core.Utilities.PrettyPrint import printTable
+from DIRAC import S_ERROR, S_OK, gConfig, gLogger
 from DIRAC.ConfigurationSystem.Client.CSAPI import CSAPI
 from DIRAC.ConfigurationSystem.Client.Helpers.Registry import (
-    getVOOption,
-    getVOMSRoleGroupMapping,
-    getUsersInVO,
     getAllUsers,
-    getUserOption,
     getGroupsForUser,
+    getUserOption,
+    getUsersInVO,
+    getVOMSRoleGroupMapping,
+    getVOOption,
 )
+from DIRAC.Core.Security.IAMService import IAMService
+from DIRAC.Core.Security.VOMSService import VOMSService
+from DIRAC.Core.Utilities.List import fromChar
+from DIRAC.Core.Utilities.ObjectLoader import ObjectLoader
+from DIRAC.Core.Utilities.PrettyPrint import printTable
+from DIRAC.Core.Utilities.ReturnValues import convertToReturnValue, returnValueOrRaise
 def _getUserNameFromMail(mail):
@@ -86,8 +87,15 @@ def _getUserNameFromDN(dn, vo):
                     return nname
                 else:
                     robot = False
+                    # only pop if the remains are sufficient (i.e. not just digits)
                     if names[0].lower().startswith("robot"):
-                        names.pop(0)
+                        nameok = False
+                        if len(names) > 1:
+                            for name in names[1:]:
+                                if not name.isdigit():
+                                    nameok = True
+                        if nameok:
+                            names.pop(0)
                         robot = True
                     for name in list(names):
                         if name[0].isdigit() or "@" in name:
@@ -345,11 +353,6 @@ class VOMS2CSSynchronizer:
                 # We have a real new user
                 if not diracName:
-                    # Do not consider users with Suspended status in VOMS
-                    if self.vomsUserDict[dn]["suspended"] or self.vomsUserDict[dn]["certSuspended"]:
-                        resultDict["SuspendedUsers"].append(newDiracName)
-                        continue
                     # if we have a nickname, we use the nickname no
                     # matter what so we can have users from different
                     # VOs with the same nickname / username
@@ -366,6 +369,11 @@ class VOMS2CSSynchronizer:
                             newDiracName = "%s_%d" % (trialName, ind)
                             ind += 1
+                    # Do not consider users with Suspended status in VOMS
+                    if self.vomsUserDict[dn]["suspended"] or self.vomsUserDict[dn]["certSuspended"]:
+                        resultDict["SuspendedUsers"].append(newDiracName)
+                        continue
                     # We now have everything to add the new user
                     userDict = {"DN": dn, "CA": self.vomsUserDict[dn]["CA"], "Email": self.vomsUserDict[dn]["mail"]}
                     groupsWithRole = []
@@ -396,11 +404,16 @@ class VOMS2CSSynchronizer:
                         self.log.info(f"Adding new user {newDiracName}: {str(userDict)}")
                         result = self.csapi.modifyUser(newDiracName, userDict, createIfNonExistant=True)
                         if not result["OK"]:
-                            self.log.warn(f"Failed adding new user {newDiracName}")
+                            self.log.warn(f"Failed adding new user {newDiracName}", result["Message"])
                         resultDict["NewUsers"].append(newDiracName)
                         newAddedUserDict[newDiracName] = userDict
                     continue
+            # If we have a new user with multiple DN,
+            # it's a bit tricky, so first create it with a single one
+            # and at the next iteration add more DNs
+            if diracName in newAddedUserDict:
+                continue
             # We have an already existing user
             modified = False
             suspendedInVOMS = self.vomsUserDict[dn]["suspended"] or self.vomsUserDict[dn]["certSuspended"]
@@ -581,7 +594,7 @@ class VOMS2CSSynchronizer:
         # Try to fill in the DiracX section
         if self.useIAM:
-            iam_subs = self.iamSrv.getUsersSub()
+            iam_subs = self.iamSrv.getUsersSub(self.vo)
             diracx_vo_config = {"DiracX": {"CsSync": {"VOs": {self.vo: {"UserSubjects": iam_subs}}}}}
             iam_sub_cfg = CFG()
             iam_sub_cfg.loadFromDict(diracx_vo_config)

DIRAC/ConfigurationSystem/Client/test/Test_PathFinder.py CHANGED Viewed

@@ -11,9 +11,26 @@ from DIRAC.ConfigurationSystem.private.ConfigurationData import ConfigurationDat
 localCFGData = ConfigurationData(False)
 mergedCFG = CFG()
 mergedCFG.loadFromBuffer(
-    """
+    r"""
+DIRAC
+{
+  PreferredURLPatterns = dips://.*\.site:.*
+  PreferredURLPatterns += dips://.*\.other:.*
+}
 Systems
 {
+  Configuration
+  {
+    URLs
+    {
+      Server = dips://server1.site:1234/Configuration/Server
+      Server += dips://server2.site:1234/Configuration/Server
+      Server += dips://server3.site:1234/Configuration/Server
+      Server += dips://server4.site:1234/Configuration/Server
+      Server += dips://server.other:1234/Configuration/Server
+      Server += dips://server.external:1234/Configuration/Server
+    }
+  }
   WorkloadManagement
   {
     URLs
@@ -181,6 +198,29 @@ def test_getServiceURLs(pathFinder, serviceName, service, failover, result):
     assert set(pathFinder.getServiceURLs(serviceName, service=service, failover=failover)) == result
+def test_getServiceURLsOrdering(pathFinder):
+    """Ensure the PreferredURLPattern option is respected"""
+    all_results = set()
+    for _ in range(10_000):
+        urls = pathFinder.getServiceURLs("Configuration", service="Server")
+        assert set(urls) == {
+            "dips://server1.site:1234/Configuration/Server",
+            "dips://server2.site:1234/Configuration/Server",
+            "dips://server3.site:1234/Configuration/Server",
+            "dips://server4.site:1234/Configuration/Server",
+            "dips://server.other:1234/Configuration/Server",
+            "dips://server.external:1234/Configuration/Server",
+        }
+        # The second to last URL should always be "other"
+        assert urls[-2] == "dips://server.other:1234/Configuration/Server"
+        # The last URL should always be the one which isn't preferred
+        assert urls[-1] == "dips://server.external:1234/Configuration/Server"
+        all_results.add(tuple(urls))
+    # There are 4! = 24 possible orderings of the preferred URLs, we should have seen all
+    # of them at least once in 10_000 iterations
+    assert len(all_results) >= 24
 @pytest.mark.parametrize(
     "system, failover, result",
     [

DIRAC/ConfigurationSystem/private/RefresherBase.py CHANGED Viewed

@@ -1,7 +1,7 @@
 import time
 from DIRAC.ConfigurationSystem.Client.ConfigurationData import gConfigurationData
-from DIRAC.ConfigurationSystem.Client.PathFinder import getGatewayURLs
+from DIRAC.ConfigurationSystem.Client.PathFinder import getGatewayURLs, groupURLsByPriority
 from DIRAC.Core.Utilities import List
 from DIRAC.Core.Utilities.EventDispatcher import gEventDispatcher
 from DIRAC.Core.Utilities.ReturnValues import S_ERROR, S_OK
@@ -138,7 +138,9 @@ class RefresherBase:
         if not initialServerList:
             return S_OK()
-        randomServerList = List.randomize(initialServerList)
+        randomServerList = []
+        for urlGroup in groupURLsByPriority(initialServerList):
+            randomServerList.extend(List.randomize(urlGroup))
         gLogger.debug(f"Randomized server list is {', '.join(randomServerList)}")
         for sServer in randomServerList:

DIRAC/Core/Base/API.py CHANGED Viewed

@@ -3,13 +3,11 @@
 import pprint
 import sys
-from DIRAC import gLogger, gConfig, S_OK, S_ERROR
-from DIRAC.Core.Security.ProxyInfo import getProxyInfo, formatProxyInfoAsString
-from DIRAC.Core.Utilities.Version import getCurrentVersion
+from DIRAC import S_ERROR, S_OK, gLogger
 from DIRAC.ConfigurationSystem.Client.Helpers.Registry import getDNForUsername
 from DIRAC.ConfigurationSystem.Client.Helpers.Resources import getSites
-COMPONENT_NAME = "API"
+from DIRAC.Core.Security.ProxyInfo import formatProxyInfoAsString, getProxyInfo
+from DIRAC.Core.Utilities.Version import getCurrentVersion
 def _printFormattedDictList(dictList, fields, uniqueField, orderBy):
@@ -60,8 +58,7 @@ class API:
     def __init__(self):
         """c'tor"""
         self._printFormattedDictList = _printFormattedDictList
-        self.log = gLogger.getSubLogger(COMPONENT_NAME)
-        self.section = COMPONENT_NAME
+        self.log = gLogger.getSubLogger(self.__class__.__name__)
         self.pPrint = pprint.PrettyPrinter()
         # Global error dictionary
         self.errorDict = {}

DIRAC/Core/Base/SQLAlchemyDB.py CHANGED Viewed

@@ -3,6 +3,7 @@
     Uses sqlalchemy
 """
 import datetime
 from urllib import parse as urlparse
 from sqlalchemy import create_engine, desc, exc

DIRAC/Core/DISET/ServiceReactor.py CHANGED Viewed

@@ -200,6 +200,7 @@ class ServiceReactor:
                                   services at the same time
         """
         sel = self.__getListeningSelector(svcName)
+        throttleExpires = None
         while self.__alive:
             clientTransport = None
             try:
@@ -223,12 +224,19 @@ class ServiceReactor:
                 gLogger.warn(f"Client connected from banned ip {clientIP}")
                 clientTransport.close()
                 continue
+            # Handle throttling
+            if self.__services[svcName].wantsThrottle and throttleExpires is None:
+                throttleExpires = time.time() + THROTTLE_SERVICE_SLEEP_SECONDS
+            if throttleExpires:
+                if time.time() > throttleExpires:
+                    throttleExpires = None
+                else:
+                    gLogger.warn("Rejecting client due to throttling", str(clientTransport.getRemoteAddress()))
+                    clientTransport.close()
+                    continue
             # Handle connection
             self.__stats.connectionStablished()
             self.__services[svcName].handleConnection(clientTransport)
-            while self.__services[svcName].wantsThrottle:
-                gLogger.warn("Sleeping as service requested throttling", svcName)
-                time.sleep(THROTTLE_SERVICE_SLEEP_SECONDS)
             # Renew context?
             now = time.time()
             renewed = False

DIRAC/Core/DISET/private/BaseClient.py CHANGED Viewed

@@ -323,7 +323,7 @@ class BaseClient:
             pass
         # We randomize the list, and add at the end the failover URLs (System/FailoverURLs/Component)
-        urlsList = List.randomize(List.fromChar(urls, ",")) + failoverUrls
+        urlsList = List.fromChar(urls, ",") + failoverUrls
         self.__nbOfUrls = len(urlsList)
         self.__nbOfRetry = (
             2 if self.__nbOfUrls > 2 else 3
@@ -445,7 +445,6 @@ and this is thread {cThID}
             return self.__initStatus
         if self.__enableThreadCheck:
             self.__checkThreadID()
         gLogger.debug(f"Trying to connect to: {self.serviceURL}")
         try:
             # Calls the transport method of the apropriate protocol.

DIRAC/Core/DISET/private/Transports/M2SSLTransport.py CHANGED Viewed

@@ -110,19 +110,18 @@ class SSLTransport(BaseTransport):
         if self.serverMode():
             raise RuntimeError("SSLTransport is in server mode.")
-        error = None
+        errors = []
         host, port = self.stServerAddress
         # The following piece of code was inspired by the python socket documentation
         # as well as the implementation of M2Crypto.httpslib.HTTPSConnection
-        # We ignore the returned sockaddr because SSL.Connection.connect needs
-        # a host name.
+        # Get all available addresses (IPv6 and IPv4) and try them in order
         try:
             addrInfoList = socket.getaddrinfo(host, port, socket.AF_UNSPEC, socket.SOCK_STREAM)
         except OSError as e:
             return S_ERROR(f"DNS lookup failed {e!r}")
-        for family, _socketType, _proto, _canonname, _socketAddress in addrInfoList:
+        for family, _socketType, _proto, _canonname, socketAddress in addrInfoList:
             try:
                 self.oSocket = SSL.Connection(self.__ctx, family=family)
@@ -138,7 +137,10 @@ class SSLTransport(BaseTransport):
                 # set SNI server name since we know it at this point
                 self.oSocket.set_tlsext_host_name(host)
-                self.oSocket.connect((host, port))
+                # tell the connection which host we are connecting to so we can
+                # use the address we obtained from DNS
+                self.oSocket.set1_host(host)
+                self.oSocket.connect(socketAddress)
                 # Once the connection is established, we can use the timeout
                 # asked for RPC
@@ -151,12 +153,12 @@ class SSLTransport(BaseTransport):
             # They should be propagated upwards and caught by the BaseClient
             # not to enter the retry loop
             except OSError as e:
-                error = f"{e}:{repr(e)}"
+                errors.append(f"{socketAddress} {e}:{repr(e)}")
                 if self.oSocket is not None:
                     self.close()
-        return S_ERROR(error)
+        return S_ERROR("; ".join(errors))
     def initAsServer(self):
         """Prepare this server socket for use."""

DIRAC/Core/DISET/private/Transports/SSL/M2Utils.py CHANGED Viewed

@@ -116,7 +116,9 @@ def getM2SSLContext(ctx=None, **kwargs):
     # CHRIS: I think clientMode was just an internal of pyGSI implementation
     # if kwargs.get('clientMode', False) and not kwargs.get('useCertificates', False):
     # if not kwargs.get('useCertificates', False):
-    if kwargs.get("bServerMode", False) or kwargs.get("useCertificates", False):
+    if kwargs.get("bServerMode", False) or (
+        kwargs.get("useCertificates", False) and not kwargs.get("proxyLocation", False)
+    ):
         # Server mode always uses hostcert
         __loadM2SSLCTXHostcert(ctx)

DIRAC/Core/LCG/GOCDBClient.py CHANGED Viewed

@@ -210,11 +210,11 @@ class GOCDBClient:
         if ongoing:
             params += "&ongoing_only=yes"
-        caPath = getCAsLocation()
         try:
             response = requests.get(
-                "https://goc.egi.eu/gocdbpi/public/?method=get_downtime&topentity=" + params, verify=caPath, timeout=20
+                "https://goc.egi.eu/gocdbpi/public/?method=get_downtime&topentity=" + params,
+                verify=getCAsLocation(),
+                timeout=20,
             )
             response.raise_for_status()
         except requests.exceptions.RequestException as e:
@@ -269,8 +269,7 @@ class GOCDBClient:
                 gocdb_ep = gocdb_ep + "&topentity=" + entity
         gocdb_ep = gocdb_ep + when + gocdbpi_startDate + "&scope="
-        caPath = getCAsLocation()
-        dtPage = requests.get(gocdb_ep, verify=caPath, timeout=20)
+        dtPage = requests.get(gocdb_ep, verify=getCAsLocation(), timeout=20)
         dt = dtPage.text
@@ -294,8 +293,7 @@ class GOCDBClient:
         # GOCDB-PI query
         gocdb_ep = "https://goc.egi.eu/gocdbpi/public/?method=get_service_endpoint&" + granularity + "=" + entity
-        caPath = getCAsLocation()
-        service_endpoint_page = requests.get(gocdb_ep, verify=caPath, timeout=20)
+        service_endpoint_page = requests.get(gocdb_ep, verify=getCAsLocation(), timeout=20)
         return service_endpoint_page.text

DIRAC/Core/Security/DiracX.py CHANGED Viewed

@@ -10,21 +10,28 @@ __all__ = (
 import base64
 import functools
+import hashlib
 import importlib
 import json
 import re
 import textwrap
+from collections.abc import Iterator
 from contextlib import contextmanager
 from pathlib import Path
-from tempfile import NamedTemporaryFile
+from tempfile import NamedTemporaryFile, gettempdir
 from typing import Any
-from diracx.client import DiracClient as _DiracClient
+try:
+    from diracx.client.sync import SyncDiracClient
+except ImportError:
+    # TODO: Remove this once diracx is tagged
+    from diracx.client import DiracClient as SyncDiracClient
 from diracx.core.models import TokenResponse
 from diracx.core.preferences import DiracxPreferences
 from diracx.core.utils import serialize_credentials
 from DIRAC import gConfig, gLogger
+from DIRAC.Core.Utilities.File import secureOpenForWrite
 from DIRAC.ConfigurationSystem.Client.Helpers import Registry
 from DIRAC.Core.Security.Locations import getDefaultProxyLocation
@@ -33,14 +40,14 @@ from DIRAC.Core.Utilities.ReturnValues import convertToReturnValue, returnValueO
 PEM_BEGIN = "-----BEGIN DIRACX-----"
 PEM_END = "-----END DIRACX-----"
-RE_DIRACX_PEM = re.compile(rf"{PEM_BEGIN}\n(.*)\n{PEM_END}", re.MULTILINE | re.DOTALL)
+RE_DIRACX_PEM = re.compile(rf"{PEM_BEGIN}\n(.*?)\n{PEM_END}", re.DOTALL)
 @convertToReturnValue
 def addTokenToPEM(pemPath, group):
     from DIRAC.Core.Base.Client import Client
-    vo = Registry.getVOMSVOForGroup(group)
+    vo = Registry.getVOForGroup(group)
     if not vo:
         gLogger.error(f"ERROR: Could not find VO for group {group}, DiracX will not work!")
     disabledVOs = gConfig.getValue("/DiracX/DisabledVOs", [])
@@ -55,21 +62,26 @@ def addTokenToPEM(pemPath, group):
             token_type=token_content.get("token_type"),
             refresh_token=token_content.get("refresh_token"),
         )
         token_pem = f"{PEM_BEGIN}\n"
         data = base64.b64encode(serialize_credentials(token).encode("utf-8")).decode()
         token_pem += textwrap.fill(data, width=64)
         token_pem += f"\n{PEM_END}\n"
-        with open(pemPath, "a") as f:
-            f.write(token_pem)
+        pem = Path(pemPath).read_text()
+        # Remove any existing DiracX token there would be
+        new_pem = re.sub(RE_DIRACX_PEM, "", pem)
+        new_pem += token_pem
+        Path(pemPath).write_text(new_pem)
 def diracxTokenFromPEM(pemPath) -> dict[str, Any] | None:
     """Extract the DiracX token from the proxy PEM file"""
     pem = Path(pemPath).read_text()
-    if match := RE_DIRACX_PEM.search(pem):
-        match = match.group(1)
+    if match := RE_DIRACX_PEM.findall(pem):
+        if len(match) > 1:
+            raise ValueError("Found multiple DiracX tokens, this should never happen")
+        match = match[0]
         return json.loads(base64.b64decode(match).decode("utf-8"))
@@ -82,7 +94,7 @@ class FutureClient:
 @contextmanager
-def DiracXClient() -> _DiracClient:
+def DiracXClient() -> Iterator[SyncDiracClient]:
     """Get a DiracX client instance with the current user's credentials"""
     diracxUrl = gConfig.getValue("/DiracX/URL")
     if not diracxUrl:
@@ -93,14 +105,16 @@ def DiracXClient() -> _DiracClient:
     if not diracxToken:
         raise ValueError(f"No diracx token in the proxy file {proxyLocation}")
-    with NamedTemporaryFile(mode="wt") as token_file:
-        token_file.write(json.dumps(diracxToken))
-        token_file.flush()
-        token_file.seek(0)
+    hash = hashlib.sha256(diracxToken["refresh_token"].split(".")[1].encode())
+    token_file = Path(gettempdir()) / f"dx_{hash.hexdigest()}"
+    if not token_file.exists():
+        token_file.parent.mkdir(parents=True, exist_ok=True)
+        with secureOpenForWrite(token_file) as (fd, _):
+            fd.write(json.dumps(diracxToken))
-        pref = DiracxPreferences(url=diracxUrl, credentials_path=token_file.name)
-        with _DiracClient(diracx_preferences=pref) as api:
-            yield api
+    pref = DiracxPreferences(url=diracxUrl, credentials_path=token_file)
+    with SyncDiracClient(diracx_preferences=pref) as api:
+        yield api
 def addRPCStub(meth):

DIRAC/Core/Security/IAMService.py CHANGED Viewed

@@ -3,11 +3,7 @@
 import requests
-from DIRAC import gConfig, gLogger, S_OK, S_ERROR
-from DIRAC.Core.Utilities import DErrno
-from DIRAC.Core.Security.Locations import getProxyLocation, getCAsLocation
-from DIRAC.Core.Utilities.Decorators import deprecated
-from DIRAC.ConfigurationSystem.Client.Helpers.Registry import getVOOption
+from DIRAC import S_OK, gConfig, gLogger
 from DIRAC.ConfigurationSystem.Client.Helpers.CSGlobals import getVO
@@ -148,15 +144,15 @@ class IAMService:
         result = S_OK({"Users": users, "Errors": errors})
         return result
-    def getUsersSub(self) -> dict[str, str]:
+    def getUsersSub(self, vo=None) -> dict[str, str]:
         """
         Return the mapping based on IAM sub:
         {nickname : sub}
         """
         iam_users_raw = self._getIamUserDump()
         diracx_user_section = {}
         for user_info in iam_users_raw:
+            userGroups = [grp["display"] for grp in user_info.get("groups", [])]
             # The nickname is available in the list of attributes
             # (if configured so)
             # in the form {'name': 'nickname', 'value': 'chaen'}
@@ -170,9 +166,8 @@ class IAMService:
             except (KeyError, IndexError):
                 nickname = user_info["userName"]
             sub = user_info["id"]
-            diracx_user_section[nickname] = sub
+            if not vo or vo in userGroups:
+                diracx_user_section[nickname] = sub
         # reorder it
         diracx_user_section = dict(sorted(diracx_user_section.items()))

DIRAC 9.0.0a42__py3-none-any.whl → 9.0.7__py3-none-any.whl

DIRAC 9.0.0a42py3-none-any.whl → 9.0.7py3-none-any.whl