DIRAC 9.0.0a54__py3-none-any.whl → 9.0.7__py3-none-any.whl

DIRAC/ConfigurationSystem/Client/PathFinder.py

@@ -1,7 +1,12 @@
 """ Collection of utilities for finding paths in the CS
 """
+import re
+from copy import deepcopy
+from collections.abc import Iterable
 from urllib import parse
 
+from cachetools import cached, TTLCache
+
 from DIRAC.Core.Utilities import List
 from DIRAC.ConfigurationSystem.Client.ConfigurationData import gConfigurationData
 from DIRAC.ConfigurationSystem.Client.Helpers import Path
@@ -151,6 +156,43 @@ def getSystemURLs(system, failover=False):
     return urlDict
 
 
+def groupURLsByPriority(urls: Iterable[str]) -> list[set[str]]:
+    """Group URLs by priority.
+
+    :param Iterable[str] preferredURLPatterns: patterns to check in ranked order
+    :param set[str] urls: URLs to check
+
+    :return: list[set[str]] -- list of URL groups, ordered by priority
+    """
+    return deepcopy(_groupURLsByPriority(frozenset(urls)))
+
+
+@cached(cache=TTLCache(maxsize=1024, ttl=300))
+def _groupURLsByPriority(urls: frozenset[str]) -> list[set[str]]:
+    preferredURLPatterns = []
+    if patterns := gConfigurationData.extractOptionFromCFG("/DIRAC/PreferredURLPatterns"):
+        preferredURLPatterns = [re.compile(pattern) for pattern in List.fromChar(patterns)]
+
+    urlGroups = [set() for _ in range(len(preferredURLPatterns) + 1)]
+    for url in urls:
+        urlGroups[findURLPriority(preferredURLPatterns, url)].add(url)
+    return urlGroups
+
+
+def findURLPriority(preferredURLPatterns: list[re.Pattern[str]], url: str) -> int:
+    """Find which preferred URL pattern the URL matches.
+
+    :param str preferredURLPatterns: patterns to check in ranked order
+    :param str url: URL to check
+
+    :return: int -- index of the pattern that matched, smallest is the most preferred
+    """
+    for i, pattern in enumerate(preferredURLPatterns):
+        if re.match(pattern, url):
+            return i
+    return len(preferredURLPatterns)
+
+
 def getServiceURLs(system, service=None, failover=False):
     """Generate url.
 
@@ -168,8 +210,8 @@ def getServiceURLs(system, service=None, failover=False):
     # Add failover URLs at the end of the list
     failover = "Failover" if failover else ""
     for fURLs in ["", "Failover"] if failover else [""]:
-        urlList = []
         urls = List.fromChar(gConfigurationData.extractOptionFromCFG(f"{systemSection}/{fURLs}URLs/{service}"))
+        urlList = set()
 
         # Be sure that urls not None
         for url in urls or []:
@@ -186,16 +228,13 @@ def getServiceURLs(system, service=None, failover=False):
 
                 for srv in mainServers:
                     _url = checkComponentURL(url.replace("$MAINSERVERS$", srv), system, service, pathMandatory=True)
-                    if _url not in urlList:
-                        urlList.append(_url)
+                    urlList.add(_url)
                 continue
 
-            _url = checkComponentURL(url, system, service, pathMandatory=True)
-            if _url not in urlList:
-                urlList.append(_url)
+            urlList.add(checkComponentURL(url, system, service, pathMandatory=True))
 
-        # Randomize list if needed
-        resList.extend(List.randomize(urlList))
+        for urlGroup in groupURLsByPriority(urlList):
+            resList.extend(List.randomize(urlGroup))
 
     return resList
 

DIRAC/ConfigurationSystem/Client/SyncPlugins/CERNLDAPSyncPlugin.py

@@ -32,6 +32,9 @@ class CERNLDAPSyncPlugin:
         else:
             userDict["PrimaryCERNAccount"] = self._findOwnerAccountName(username, attributes)
 
+        if userDict["CERNAccountType"] in ["Primary", "Secondary"]:
+            userDict["CERNPersonId"] = attributes.get("employeeId", [None])[0]
+
     def _findOwnerAccountName(self, username, attributes):
         """Find the owner account from a CERN LDAP entry.
 
@@ -64,7 +67,7 @@ class CERNLDAPSyncPlugin:
         status, result, response, _ = self._connection.search(
             "OU=Users,OU=Organic Units,DC=cern,DC=ch",
             f"(CN={commonName})",
-            attributes=["cernAccountOwner", "cernAccountType"],
+            attributes=["cernAccountOwner", "cernAccountType", "employeeId"],
         )
         if not status:
             raise ValueError(f"Bad status from LDAP search: {result}")

DIRAC/ConfigurationSystem/Client/VOMS2CSSynchronizer.py

@@ -87,8 +87,15 @@ def _getUserNameFromDN(dn, vo):
                     return nname
                 else:
                     robot = False
+                    # only pop if the remains are sufficient (i.e. not just digits)
                     if names[0].lower().startswith("robot"):
-                        names.pop(0)
+                        nameok = False
+                        if len(names) > 1:
+                            for name in names[1:]:
+                                if not name.isdigit():
+                                    nameok = True
+                        if nameok:
+                            names.pop(0)
                         robot = True
                     for name in list(names):
                         if name[0].isdigit() or "@" in name:
@@ -587,7 +594,7 @@ class VOMS2CSSynchronizer:
 
         # Try to fill in the DiracX section
         if self.useIAM:
-            iam_subs = self.iamSrv.getUsersSub()
+            iam_subs = self.iamSrv.getUsersSub(self.vo)
             diracx_vo_config = {"DiracX": {"CsSync": {"VOs": {self.vo: {"UserSubjects": iam_subs}}}}}
             iam_sub_cfg = CFG()
             iam_sub_cfg.loadFromDict(diracx_vo_config)

DIRAC/ConfigurationSystem/Client/test/Test_PathFinder.py

@@ -11,9 +11,26 @@ from DIRAC.ConfigurationSystem.private.ConfigurationData import ConfigurationDat
 localCFGData = ConfigurationData(False)
 mergedCFG = CFG()
 mergedCFG.loadFromBuffer(
-    """
+    r"""
+DIRAC
+{
+  PreferredURLPatterns = dips://.*\.site:.*
+  PreferredURLPatterns += dips://.*\.other:.*
+}
 Systems
 {
+  Configuration
+  {
+    URLs
+    {
+      Server = dips://server1.site:1234/Configuration/Server
+      Server += dips://server2.site:1234/Configuration/Server
+      Server += dips://server3.site:1234/Configuration/Server
+      Server += dips://server4.site:1234/Configuration/Server
+      Server += dips://server.other:1234/Configuration/Server
+      Server += dips://server.external:1234/Configuration/Server
+    }
+  }
   WorkloadManagement
   {
     URLs
@@ -181,6 +198,29 @@ def test_getServiceURLs(pathFinder, serviceName, service, failover, result):
     assert set(pathFinder.getServiceURLs(serviceName, service=service, failover=failover)) == result
 
 
+def test_getServiceURLsOrdering(pathFinder):
+    """Ensure the PreferredURLPattern option is respected"""
+    all_results = set()
+    for _ in range(10_000):
+        urls = pathFinder.getServiceURLs("Configuration", service="Server")
+        assert set(urls) == {
+            "dips://server1.site:1234/Configuration/Server",
+            "dips://server2.site:1234/Configuration/Server",
+            "dips://server3.site:1234/Configuration/Server",
+            "dips://server4.site:1234/Configuration/Server",
+            "dips://server.other:1234/Configuration/Server",
+            "dips://server.external:1234/Configuration/Server",
+        }
+        # The second to last URL should always be "other"
+        assert urls[-2] == "dips://server.other:1234/Configuration/Server"
+        # The last URL should always be the one which isn't preferred
+        assert urls[-1] == "dips://server.external:1234/Configuration/Server"
+        all_results.add(tuple(urls))
+    # There are 4! = 24 possible orderings of the preferred URLs, we should have seen all
+    # of them at least once in 10_000 iterations
+    assert len(all_results) >= 24
+
+
 @pytest.mark.parametrize(
     "system, failover, result",
     [

DIRAC/ConfigurationSystem/private/RefresherBase.py

@@ -1,7 +1,7 @@
 import time
 
 from DIRAC.ConfigurationSystem.Client.ConfigurationData import gConfigurationData
-from DIRAC.ConfigurationSystem.Client.PathFinder import getGatewayURLs
+from DIRAC.ConfigurationSystem.Client.PathFinder import getGatewayURLs, groupURLsByPriority
 from DIRAC.Core.Utilities import List
 from DIRAC.Core.Utilities.EventDispatcher import gEventDispatcher
 from DIRAC.Core.Utilities.ReturnValues import S_ERROR, S_OK
@@ -138,7 +138,9 @@ class RefresherBase:
         if not initialServerList:
             return S_OK()
 
-        randomServerList = List.randomize(initialServerList)
+        randomServerList = []
+        for urlGroup in groupURLsByPriority(initialServerList):
+            randomServerList.extend(List.randomize(urlGroup))
         gLogger.debug(f"Randomized server list is {', '.join(randomServerList)}")
 
         for sServer in randomServerList:

DIRAC/Core/DISET/ServiceReactor.py

@@ -200,6 +200,7 @@ class ServiceReactor:
                                   services at the same time
         """
         sel = self.__getListeningSelector(svcName)
+        throttleExpires = None
         while self.__alive:
             clientTransport = None
             try:
@@ -223,12 +224,19 @@ class ServiceReactor:
                 gLogger.warn(f"Client connected from banned ip {clientIP}")
                 clientTransport.close()
                 continue
+            # Handle throttling
+            if self.__services[svcName].wantsThrottle and throttleExpires is None:
+                throttleExpires = time.time() + THROTTLE_SERVICE_SLEEP_SECONDS
+            if throttleExpires:
+                if time.time() > throttleExpires:
+                    throttleExpires = None
+                else:
+                    gLogger.warn("Rejecting client due to throttling", str(clientTransport.getRemoteAddress()))
+                    clientTransport.close()
+                    continue
             # Handle connection
             self.__stats.connectionStablished()
             self.__services[svcName].handleConnection(clientTransport)
-            while self.__services[svcName].wantsThrottle:
-                gLogger.warn("Sleeping as service requested throttling", svcName)
-                time.sleep(THROTTLE_SERVICE_SLEEP_SECONDS)
             # Renew context?
             now = time.time()
             renewed = False

DIRAC/Core/DISET/private/BaseClient.py

@@ -323,7 +323,7 @@ class BaseClient:
             pass
 
         # We randomize the list, and add at the end the failover URLs (System/FailoverURLs/Component)
-        urlsList = List.randomize(List.fromChar(urls, ",")) + failoverUrls
+        urlsList = List.fromChar(urls, ",") + failoverUrls
         self.__nbOfUrls = len(urlsList)
         self.__nbOfRetry = (
             2 if self.__nbOfUrls > 2 else 3
@@ -445,7 +445,6 @@ and this is thread {cThID}
             return self.__initStatus
         if self.__enableThreadCheck:
             self.__checkThreadID()
-
         gLogger.debug(f"Trying to connect to: {self.serviceURL}")
         try:
             # Calls the transport method of the apropriate protocol.

DIRAC/Core/DISET/private/Transports/M2SSLTransport.py

@@ -110,19 +110,18 @@ class SSLTransport(BaseTransport):
         if self.serverMode():
             raise RuntimeError("SSLTransport is in server mode.")
 
-        error = None
+        errors = []
         host, port = self.stServerAddress
 
         # The following piece of code was inspired by the python socket documentation
         # as well as the implementation of M2Crypto.httpslib.HTTPSConnection
 
-        # We ignore the returned sockaddr because SSL.Connection.connect needs
-        # a host name.
+        # Get all available addresses (IPv6 and IPv4) and try them in order
         try:
             addrInfoList = socket.getaddrinfo(host, port, socket.AF_UNSPEC, socket.SOCK_STREAM)
         except OSError as e:
             return S_ERROR(f"DNS lookup failed {e!r}")
-        for family, _socketType, _proto, _canonname, _socketAddress in addrInfoList:
+        for family, _socketType, _proto, _canonname, socketAddress in addrInfoList:
             try:
                 self.oSocket = SSL.Connection(self.__ctx, family=family)
 
@@ -138,7 +137,10 @@ class SSLTransport(BaseTransport):
                 # set SNI server name since we know it at this point
                 self.oSocket.set_tlsext_host_name(host)
 
-                self.oSocket.connect((host, port))
+                # tell the connection which host we are connecting to so we can
+                # use the address we obtained from DNS
+                self.oSocket.set1_host(host)
+                self.oSocket.connect(socketAddress)
 
                 # Once the connection is established, we can use the timeout
                 # asked for RPC
@@ -151,12 +153,12 @@ class SSLTransport(BaseTransport):
             # They should be propagated upwards and caught by the BaseClient
             # not to enter the retry loop
             except OSError as e:
-                error = f"{e}:{repr(e)}"
+                errors.append(f"{socketAddress} {e}:{repr(e)}")
 
                 if self.oSocket is not None:
                     self.close()
 
-        return S_ERROR(error)
+        return S_ERROR("; ".join(errors))
 
     def initAsServer(self):
         """Prepare this server socket for use."""

DIRAC/Core/Security/DiracX.py

@@ -40,14 +40,14 @@ from DIRAC.Core.Utilities.ReturnValues import convertToReturnValue, returnValueO
 
 PEM_BEGIN = "-----BEGIN DIRACX-----"
 PEM_END = "-----END DIRACX-----"
-RE_DIRACX_PEM = re.compile(rf"{PEM_BEGIN}\n(.*)\n{PEM_END}", re.MULTILINE | re.DOTALL)
+RE_DIRACX_PEM = re.compile(rf"{PEM_BEGIN}\n(.*?)\n{PEM_END}", re.DOTALL)
 
 
 @convertToReturnValue
 def addTokenToPEM(pemPath, group):
     from DIRAC.Core.Base.Client import Client
 
-    vo = Registry.getVOMSVOForGroup(group)
+    vo = Registry.getVOForGroup(group)
     if not vo:
         gLogger.error(f"ERROR: Could not find VO for group {group}, DiracX will not work!")
     disabledVOs = gConfig.getValue("/DiracX/DisabledVOs", [])
@@ -62,21 +62,26 @@ def addTokenToPEM(pemPath, group):
             token_type=token_content.get("token_type"),
             refresh_token=token_content.get("refresh_token"),
         )
-
         token_pem = f"{PEM_BEGIN}\n"
         data = base64.b64encode(serialize_credentials(token).encode("utf-8")).decode()
         token_pem += textwrap.fill(data, width=64)
         token_pem += f"\n{PEM_END}\n"
 
-        with open(pemPath, "a") as f:
-            f.write(token_pem)
+        pem = Path(pemPath).read_text()
+        # Remove any existing DiracX token there would be
+        new_pem = re.sub(RE_DIRACX_PEM, "", pem)
+        new_pem += token_pem
+
+        Path(pemPath).write_text(new_pem)
 
 
 def diracxTokenFromPEM(pemPath) -> dict[str, Any] | None:
     """Extract the DiracX token from the proxy PEM file"""
     pem = Path(pemPath).read_text()
-    if match := RE_DIRACX_PEM.search(pem):
-        match = match.group(1)
+    if match := RE_DIRACX_PEM.findall(pem):
+        if len(match) > 1:
+            raise ValueError("Found multiple DiracX tokens, this should never happen")
+        match = match[0]
         return json.loads(base64.b64decode(match).decode("utf-8"))
 
 

DIRAC/Core/Security/IAMService.py

@@ -144,7 +144,7 @@ class IAMService:
         result = S_OK({"Users": users, "Errors": errors})
         return result
 
-    def getUsersSub(self) -> dict[str, str]:
+    def getUsersSub(self, vo=None) -> dict[str, str]:
         """
         Return the mapping based on IAM sub:
         {nickname : sub}
@@ -152,6 +152,7 @@ class IAMService:
         iam_users_raw = self._getIamUserDump()
         diracx_user_section = {}
         for user_info in iam_users_raw:
+            userGroups = [grp["display"] for grp in user_info.get("groups", [])]
             # The nickname is available in the list of attributes
             # (if configured so)
             # in the form {'name': 'nickname', 'value': 'chaen'}
@@ -165,8 +166,8 @@ class IAMService:
             except (KeyError, IndexError):
                 nickname = user_info["userName"]
             sub = user_info["id"]
-
-            diracx_user_section[nickname] = sub
+            if not vo or vo in userGroups:
+                diracx_user_section[nickname] = sub
         # reorder it
         diracx_user_section = dict(sorted(diracx_user_section.items()))
 

DIRAC/Core/Security/ProxyInfo.py

@@ -1,10 +1,13 @@
 """
- Set of utilities to retrieve Information from proxy
+Set of utilities to retrieve Information from proxy
 """
+
 import base64
 
 from DIRAC import S_ERROR, S_OK, gLogger
 from DIRAC.ConfigurationSystem.Client.Helpers import Registry
+from DIRAC.ConfigurationSystem.Client.Helpers.CSGlobals import getVO
+
 from DIRAC.Core.Security import Locations
 from DIRAC.Core.Security.DiracX import diracxTokenFromPEM
 from DIRAC.Core.Security.VOMS import VOMS
@@ -207,10 +210,11 @@ def getVOfromProxyGroup():
     """
     Return the VO associated to the group in the proxy
     """
-    voName = Registry.getVOForGroup("NoneExistingGroup")
+
     ret = getProxyInfo(disableVOMS=True)
-    if not ret["OK"]:
-        return S_OK(voName)
-    if "group" in ret["Value"]:
+    if not ret["OK"] or "group" not in ret["Value"]:
+        voName = getVO()
+    else:
         voName = Registry.getVOForGroup(ret["Value"]["group"])
+
     return S_OK(voName)

DIRAC/Core/Security/test/test_diracx_token_from_pem.py

@@ -0,0 +1,161 @@
+import base64
+import json
+import pytest
+import tempfile
+from pathlib import Path
+from unittest.mock import patch, mock_open
+
+from DIRAC.Core.Security.DiracX import diracxTokenFromPEM, PEM_BEGIN, PEM_END, RE_DIRACX_PEM
+
+
+class TestDiracxTokenFromPEM:
+    """Test cases for diracxTokenFromPEM function"""
+
+    def create_valid_token_data(self):
+        """Create valid token data for testing"""
+        return {
+            "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.test",
+            "refresh_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.refresh",
+            "expires_in": 3600,
+            "token_type": "Bearer",
+        }
+
+    def create_pem_content(self, token_data=None, include_other_content=True):
+        """Create PEM content with embedded DiracX token"""
+        if token_data is None:
+            token_data = self.create_valid_token_data()
+
+        # Encode token data
+        token_json = json.dumps(token_data)
+        encoded_token = base64.b64encode(token_json.encode("utf-8")).decode()
+
+        # Create PEM content
+        pem_content = ""
+        if include_other_content:
+            pem_content += "-----BEGIN CERTIFICATE-----\n"
+            pem_content += "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...\n"
+            pem_content += "-----END CERTIFICATE-----\n"
+
+        pem_content += f"{PEM_BEGIN}\n"
+        pem_content += encoded_token + "\n"
+        pem_content += f"{PEM_END}\n"
+
+        return pem_content
+
+    def test_valid_token_extraction(self):
+        """Test successful extraction of valid token from PEM file"""
+        token_data = self.create_valid_token_data()
+        pem_content = self.create_pem_content(token_data)
+
+        with tempfile.NamedTemporaryFile(mode="w", delete=False, suffix=".pem") as f:
+            f.write(pem_content)
+            temp_path = f.name
+
+        try:
+            result = diracxTokenFromPEM(temp_path)
+            assert result == token_data
+        finally:
+            Path(temp_path).unlink()
+
+    def test_no_token_in_pem(self):
+        """Test behavior when no DiracX token is present in PEM file"""
+        pem_content = """-----BEGIN CERTIFICATE-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...
+-----END CERTIFICATE-----"""
+
+        with tempfile.NamedTemporaryFile(mode="w", delete=False, suffix=".pem") as f:
+            f.write(pem_content)
+            temp_path = f.name
+
+        try:
+            result = diracxTokenFromPEM(temp_path)
+            assert result is None
+        finally:
+            Path(temp_path).unlink()
+
+    def test_multiple_tokens_error(self):
+        """Test that multiple tokens raise ValueError"""
+        token_data = self.create_valid_token_data()
+
+        # Create PEM with two tokens
+        pem_content = self.create_pem_content(token_data)
+        pem_content += "\n" + self.create_pem_content(token_data, include_other_content=False)
+
+        with tempfile.NamedTemporaryFile(mode="w", delete=False, suffix=".pem") as f:
+            f.write(pem_content)
+            temp_path = f.name
+
+        try:
+            with pytest.raises(ValueError, match="Found multiple DiracX tokens"):
+                diracxTokenFromPEM(temp_path)
+        finally:
+            Path(temp_path).unlink()
+
+    def test_malformed_base64(self):
+        """Test behavior with malformed base64 data"""
+        pem_content = f"""{PEM_BEGIN}
+invalid_base64_data_that_will_cause_error!
+{PEM_END}"""
+
+        with tempfile.NamedTemporaryFile(mode="w", delete=False, suffix=".pem") as f:
+            f.write(pem_content)
+            temp_path = f.name
+
+        try:
+            with pytest.raises(Exception):  # base64.b64decode will raise an exception
+                diracxTokenFromPEM(temp_path)
+        finally:
+            Path(temp_path).unlink()
+
+    def test_invalid_json_in_token(self):
+        """Test behavior with invalid JSON in token data"""
+        invalid_json = "this is not valid json"
+        encoded_invalid = base64.b64encode(invalid_json.encode("utf-8")).decode()
+
+        pem_content = f"""{PEM_BEGIN}
+{encoded_invalid}
+{PEM_END}"""
+
+        with tempfile.NamedTemporaryFile(mode="w", delete=False, suffix=".pem") as f:
+            f.write(pem_content)
+            temp_path = f.name
+
+        try:
+            with pytest.raises(json.JSONDecodeError):
+                diracxTokenFromPEM(temp_path)
+        finally:
+            Path(temp_path).unlink()
+
+    def test_token_with_unicode_characters(self):
+        """Test token with unicode characters"""
+        unicode_token = {
+            "access_token": "token_with_unicode_ñ_é_ü",
+            "refresh_token": "refresh_with_emoji_🚀_🎉",
+            "expires_in": 3600,
+            "token_type": "Bearer",
+        }
+
+        pem_content = self.create_pem_content(unicode_token)
+
+        with tempfile.NamedTemporaryFile(mode="w", delete=False, suffix=".pem") as f:
+            f.write(pem_content)
+            temp_path = f.name
+
+        try:
+            result = diracxTokenFromPEM(temp_path)
+            assert result == unicode_token
+        finally:
+            Path(temp_path).unlink()
+
+    def test_regex_pattern_validation(self):
+        """Test that the regex pattern correctly identifies DiracX tokens"""
+        # Test that the regex matches the expected pattern
+        token_data = self.create_valid_token_data()
+        token_json = json.dumps(token_data)
+        encoded_token = base64.b64encode(token_json.encode("utf-8")).decode()
+
+        test_content = f"{PEM_BEGIN}\n{encoded_token}\n{PEM_END}"
+        matches = RE_DIRACX_PEM.findall(test_content)
+
+        assert len(matches) == 1
+        assert matches[0] == encoded_token

DIRAC/Core/Tornado/Client/ClientSelector.py

@@ -17,7 +17,6 @@ from DIRAC.Core.DISET.RPCClient import RPCClient
 from DIRAC.Core.DISET.TransferClient import TransferClient
 from DIRAC.Core.Tornado.Client.TornadoClient import TornadoClient
 
-
 sLog = gLogger.getSubLogger(__name__)
 
 
@@ -82,6 +81,10 @@ def ClientSelector(disetClient, *args, **kwargs):  # We use same interface as RP
             rpc = tornadoClient(*args, **kwargs)
         else:
             rpc = disetClient(*args, **kwargs)
+    except NotImplementedError as e:
+        # We catch explicitly NotImplementedError to avoid just printing "there's an error"
+        # If we mis-configured the CS for legacy adapted services, we MUST have an error.
+        raise e
     except Exception as e:  # pylint: disable=broad-except
         # If anything went wrong in the resolution, we return default RPCClient
         # So the behaviour is exactly the same as before implementation of Tornado

DIRAC/Core/Tornado/Server/TornadoService.py

@@ -73,7 +73,7 @@ class TornadoService(BaseRequestHandler):  # pylint: disable=abstract-method
     :py:class:`BaseRequestHandler <DIRAC.Core.Tornado.Server.private.BaseRequestHandler.BaseRequestHandler>` for more details.
 
     In order to pass information around and keep some states, we use instance attributes.
-    These are initialized in the :py:meth:`.initialize` method.
+    These are initialized in the ``initialize`` methods.
 
     The handler only define the ``post`` verb. Please refer to :py:meth:`.post` for the details.