DIRAC 9.0.0a42__py3-none-any.whl → 9.0.7__py3-none-any.whl

DIRAC/Core/Security/Locations.py

@@ -1,6 +1,7 @@
 """ Collection of utilities for locating certs, proxy, CAs
 """
 import os
+
 import DIRAC
 from DIRAC import gConfig
 
@@ -24,12 +25,6 @@ def getProxyLocation():
     if os.path.isfile(f"/tmp/{proxyName}"):
         return f"/tmp/{proxyName}"
 
-    # No gridproxy found
-    return False
-
-
-# Retrieve CA's location
-
 
 def getCAsLocation():
     """Retrieve the CA's files location"""
@@ -63,22 +58,36 @@ def getCAsLocationNoConfig():
     casPath = "/etc/grid-security/certificates"
     if os.path.isdir(casPath):
         return casPath
-    # No CA's location found
-    return False
-
-
-# Retrieve CA's location
-
-
-def getCAsDefaultLocation():
-    """Retrievethe CAs Location inside DIRAC etc directory"""
     # rootPath./etc/grid-security/certificates
     casPath = f"{DIRAC.rootPath}/etc/grid-security/certificates"
-    return casPath
+    if os.path.isdir(casPath):
+        return casPath
 
 
-# TODO: Static depending on files specified on CS
-# Retrieve certificate
+def getVOMSLocation():
+    """Retrieve the CA's files location"""
+    # Grid-Security
+    retVal = gConfig.getOption(f"{g_SecurityConfPath}/Grid-Security")
+    if retVal["OK"]:
+        vomsPath = f"{retVal['Value']}/vomsdir"
+        if os.path.isdir(vomsPath):
+            return vomsPath
+    # Look up the X509_VOMS_DIR environment variable
+    if "X509_VOMS_DIR" in os.environ:
+        vomsPath = os.environ["X509_VOMS_DIR"]
+        return vomsPath
+    # rootPath./etc/grid-security/vomsdir
+    vomsPath = f"{DIRAC.rootPath}/etc/grid-security/vomsdir"
+    if os.path.isdir(vomsPath):
+        return vomsPath
+    # /etc/grid-security/vomsdir
+    vomsPath = "/etc/grid-security/vomsdir"
+    if os.path.isdir(vomsPath):
+        return vomsPath
+    # rootPath./etc/grid-security/vomsdir
+    vomsPath = f"{DIRAC.rootPath}/etc/grid-security/vomsdir"
+    if os.path.isdir(vomsPath):
+        return vomsPath
 
 
 def getHostCertificateAndKeyLocation(specificLocation=None):

DIRAC/Core/Security/ProxyInfo.py

@@ -1,10 +1,13 @@
 """
- Set of utilities to retrieve Information from proxy
+Set of utilities to retrieve Information from proxy
 """
+
 import base64
 
 from DIRAC import S_ERROR, S_OK, gLogger
 from DIRAC.ConfigurationSystem.Client.Helpers import Registry
+from DIRAC.ConfigurationSystem.Client.Helpers.CSGlobals import getVO
+
 from DIRAC.Core.Security import Locations
 from DIRAC.Core.Security.DiracX import diracxTokenFromPEM
 from DIRAC.Core.Security.VOMS import VOMS
@@ -207,10 +210,11 @@ def getVOfromProxyGroup():
     """
     Return the VO associated to the group in the proxy
     """
-    voName = Registry.getVOForGroup("NoneExistingGroup")
+
     ret = getProxyInfo(disableVOMS=True)
-    if not ret["OK"]:
-        return S_OK(voName)
-    if "group" in ret["Value"]:
+    if not ret["OK"] or "group" not in ret["Value"]:
+        voName = getVO()
+    else:
         voName = Registry.getVOForGroup(ret["Value"]["group"])
+
     return S_OK(voName)

DIRAC/Core/Security/VOMSService.py

@@ -64,8 +64,6 @@ class VOMSService:
         if not self.urls:
             return S_ERROR(DErrno.ENOAUTH, "No VOMS server defined")
 
-        userProxy = getProxyLocation()
-        caPath = getCAsLocation()
         rawUserList = []
         result = None
         for url in self.urls:
@@ -79,8 +77,8 @@ class VOMSService:
                     result = requests.get(
                         url,
                         headers={"X-VOMS-CSRF-GUARD": "y"},
-                        cert=userProxy,
-                        verify=caPath,
+                        cert=getProxyLocation(),
+                        verify=getCAsLocation(),
                         params={"startIndex": str(startIndex), "pageSize": "100"},
                     )
                 except requests.ConnectionError as exc:

DIRAC/Core/Security/m2crypto/X509Certificate.py

@@ -99,13 +99,11 @@ class X509Certificate:
         proxySubject = M2Crypto.X509.X509_Name()
 
         issuerSubjectObj = x509Issuer.__certObj.get_subject()
-        # pylint: disable=no-member
-        issuerSubjectParts = issuerSubjectObj.as_text(flags=M2Crypto.m2.XN_FLAG_RFC2253).split(",")
 
-        # XN_FLAG_RFC2253 prints in reverse order but DIRAC has historically used the standard order
-        for isPart in issuerSubjectParts[::-1]:
-            nid, val = isPart.split("=", 1)
-            proxySubject.add_entry_by_txt(field=nid, type=M2Crypto.ASN1.MBSTRING_ASC, entry=val, len=-1, loc=-1, set=0)
+        # Copy the X509 entry components into the new name
+        for entry in issuerSubjectObj:
+            # pylint: disable=no-member
+            M2Crypto.m2.x509_name_add_entry(proxySubject.x509_name, entry.x509_name_entry, -1, 0)
 
         # Finally we add a random Common Name  component. And we might as well use the serial.. :)
         proxySubject.add_entry_by_txt(

DIRAC/Core/Security/m2crypto/asn1_utils.py

@@ -14,6 +14,8 @@ This is now pure python, but it might be interesting to wrap the existing
 C library (https://github.com/italiangrid/voms) instead...
 
 """
+from functools import lru_cache
+
 from pyasn1.codec.der.decoder import decode as der_decode
 from pyasn1.error import PyAsn1Error
 from pyasn1.type import namedtype, univ, char as asn1char
@@ -93,6 +95,11 @@ def decodeDIRACGroup(m2cert):
     """
 
     diracGroupOctetString = retrieveExtension(m2cert, DIRAC_GROUP_OID)
+    return _decodeDIRACGroup(diracGroupOctetString)
+
+
+@lru_cache
+def _decodeDIRACGroup(diracGroupOctetString):
     diracGroupUTF8Str, _rest = der_decode(diracGroupOctetString, asn1Spec=asn1char.IA5String())
 
     return diracGroupUTF8Str.asOctets().decode()
@@ -336,11 +343,7 @@ def retrieveExtension(m2Cert, extensionOID):
 
     :raises: LookupError if it does not have the extension
     """
-
-    # Decode the certificate as a RFC2459 Certificate object.It is compatible
-    # with the RFC proxy definition
-    cert, _rest = der_decode(m2Cert.as_der(), asn1Spec=rfc2459.Certificate())
-    extensions = cert["tbsCertificate"]["extensions"]
+    extensions = _extensionsFromCertDER(m2Cert.as_der())
 
     # Construct an OID object for comparison purpose
     extensionOIDObj = univ.ObjectIdentifier(extensionOID)
@@ -354,3 +357,12 @@ def retrieveExtension(m2Cert, extensionOID):
 
     # If we are here, it means that we could not find the expected extension.
     raise LookupError(f"Could not find extension with OID {extensionOID}")
+
+
+@lru_cache(maxsize=1024)
+def _extensionsFromCertDER(der):
+    # Decode the certificate as a RFC2459 Certificate object.It is compatible
+    # with the RFC proxy definition
+    cert, _rest = der_decode(der, asn1Spec=rfc2459.Certificate())
+    extensions = cert["tbsCertificate"]["extensions"]
+    return extensions

DIRAC/Core/Security/test/test_diracx_token_from_pem.py

@@ -0,0 +1,161 @@
+import base64
+import json
+import pytest
+import tempfile
+from pathlib import Path
+from unittest.mock import patch, mock_open
+
+from DIRAC.Core.Security.DiracX import diracxTokenFromPEM, PEM_BEGIN, PEM_END, RE_DIRACX_PEM
+
+
+class TestDiracxTokenFromPEM:
+    """Test cases for diracxTokenFromPEM function"""
+
+    def create_valid_token_data(self):
+        """Create valid token data for testing"""
+        return {
+            "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.test",
+            "refresh_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.refresh",
+            "expires_in": 3600,
+            "token_type": "Bearer",
+        }
+
+    def create_pem_content(self, token_data=None, include_other_content=True):
+        """Create PEM content with embedded DiracX token"""
+        if token_data is None:
+            token_data = self.create_valid_token_data()
+
+        # Encode token data
+        token_json = json.dumps(token_data)
+        encoded_token = base64.b64encode(token_json.encode("utf-8")).decode()
+
+        # Create PEM content
+        pem_content = ""
+        if include_other_content:
+            pem_content += "-----BEGIN CERTIFICATE-----\n"
+            pem_content += "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...\n"
+            pem_content += "-----END CERTIFICATE-----\n"
+
+        pem_content += f"{PEM_BEGIN}\n"
+        pem_content += encoded_token + "\n"
+        pem_content += f"{PEM_END}\n"
+
+        return pem_content
+
+    def test_valid_token_extraction(self):
+        """Test successful extraction of valid token from PEM file"""
+        token_data = self.create_valid_token_data()
+        pem_content = self.create_pem_content(token_data)
+
+        with tempfile.NamedTemporaryFile(mode="w", delete=False, suffix=".pem") as f:
+            f.write(pem_content)
+            temp_path = f.name
+
+        try:
+            result = diracxTokenFromPEM(temp_path)
+            assert result == token_data
+        finally:
+            Path(temp_path).unlink()
+
+    def test_no_token_in_pem(self):
+        """Test behavior when no DiracX token is present in PEM file"""
+        pem_content = """-----BEGIN CERTIFICATE-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...
+-----END CERTIFICATE-----"""
+
+        with tempfile.NamedTemporaryFile(mode="w", delete=False, suffix=".pem") as f:
+            f.write(pem_content)
+            temp_path = f.name
+
+        try:
+            result = diracxTokenFromPEM(temp_path)
+            assert result is None
+        finally:
+            Path(temp_path).unlink()
+
+    def test_multiple_tokens_error(self):
+        """Test that multiple tokens raise ValueError"""
+        token_data = self.create_valid_token_data()
+
+        # Create PEM with two tokens
+        pem_content = self.create_pem_content(token_data)
+        pem_content += "\n" + self.create_pem_content(token_data, include_other_content=False)
+
+        with tempfile.NamedTemporaryFile(mode="w", delete=False, suffix=".pem") as f:
+            f.write(pem_content)
+            temp_path = f.name
+
+        try:
+            with pytest.raises(ValueError, match="Found multiple DiracX tokens"):
+                diracxTokenFromPEM(temp_path)
+        finally:
+            Path(temp_path).unlink()
+
+    def test_malformed_base64(self):
+        """Test behavior with malformed base64 data"""
+        pem_content = f"""{PEM_BEGIN}
+invalid_base64_data_that_will_cause_error!
+{PEM_END}"""
+
+        with tempfile.NamedTemporaryFile(mode="w", delete=False, suffix=".pem") as f:
+            f.write(pem_content)
+            temp_path = f.name
+
+        try:
+            with pytest.raises(Exception):  # base64.b64decode will raise an exception
+                diracxTokenFromPEM(temp_path)
+        finally:
+            Path(temp_path).unlink()
+
+    def test_invalid_json_in_token(self):
+        """Test behavior with invalid JSON in token data"""
+        invalid_json = "this is not valid json"
+        encoded_invalid = base64.b64encode(invalid_json.encode("utf-8")).decode()
+
+        pem_content = f"""{PEM_BEGIN}
+{encoded_invalid}
+{PEM_END}"""
+
+        with tempfile.NamedTemporaryFile(mode="w", delete=False, suffix=".pem") as f:
+            f.write(pem_content)
+            temp_path = f.name
+
+        try:
+            with pytest.raises(json.JSONDecodeError):
+                diracxTokenFromPEM(temp_path)
+        finally:
+            Path(temp_path).unlink()
+
+    def test_token_with_unicode_characters(self):
+        """Test token with unicode characters"""
+        unicode_token = {
+            "access_token": "token_with_unicode_ñ_é_ü",
+            "refresh_token": "refresh_with_emoji_🚀_🎉",
+            "expires_in": 3600,
+            "token_type": "Bearer",
+        }
+
+        pem_content = self.create_pem_content(unicode_token)
+
+        with tempfile.NamedTemporaryFile(mode="w", delete=False, suffix=".pem") as f:
+            f.write(pem_content)
+            temp_path = f.name
+
+        try:
+            result = diracxTokenFromPEM(temp_path)
+            assert result == unicode_token
+        finally:
+            Path(temp_path).unlink()
+
+    def test_regex_pattern_validation(self):
+        """Test that the regex pattern correctly identifies DiracX tokens"""
+        # Test that the regex matches the expected pattern
+        token_data = self.create_valid_token_data()
+        token_json = json.dumps(token_data)
+        encoded_token = base64.b64encode(token_json.encode("utf-8")).decode()
+
+        test_content = f"{PEM_BEGIN}\n{encoded_token}\n{PEM_END}"
+        matches = RE_DIRACX_PEM.findall(test_content)
+
+        assert len(matches) == 1
+        assert matches[0] == encoded_token

DIRAC/Core/Tornado/Client/ClientSelector.py

@@ -17,7 +17,6 @@ from DIRAC.Core.DISET.RPCClient import RPCClient
 from DIRAC.Core.DISET.TransferClient import TransferClient
 from DIRAC.Core.Tornado.Client.TornadoClient import TornadoClient
 
-
 sLog = gLogger.getSubLogger(__name__)
 
 
@@ -82,6 +81,10 @@ def ClientSelector(disetClient, *args, **kwargs):  # We use same interface as RP
             rpc = tornadoClient(*args, **kwargs)
         else:
             rpc = disetClient(*args, **kwargs)
+    except NotImplementedError as e:
+        # We catch explicitly NotImplementedError to avoid just printing "there's an error"
+        # If we mis-configured the CS for legacy adapted services, we MUST have an error.
+        raise e
     except Exception as e:  # pylint: disable=broad-except
         # If anything went wrong in the resolution, we return default RPCClient
         # So the behaviour is exactly the same as before implementation of Tornado

DIRAC/Core/Tornado/Server/TornadoService.py

@@ -73,7 +73,7 @@ class TornadoService(BaseRequestHandler):  # pylint: disable=abstract-method
     :py:class:`BaseRequestHandler <DIRAC.Core.Tornado.Server.private.BaseRequestHandler.BaseRequestHandler>` for more details.
 
     In order to pass information around and keep some states, we use instance attributes.
-    These are initialized in the :py:meth:`.initialize` method.
+    These are initialized in the ``initialize`` methods.
 
     The handler only define the ``post`` verb. Please refer to :py:meth:`.post` for the details.