rucio 35.7.0__py3-none-any.whl → 37.0.0__py3-none-any.whl

rucio/core/oidc.py

@@ -36,9 +36,8 @@ from oic.utils.authn.client import CLIENT_AUTHN_METHOD
 from sqlalchemy import delete, select, update
 from sqlalchemy.sql.expression import true
 
-from rucio.common import types
-from rucio.common.cache import make_region_memcached
-from rucio.common.config import config_get, config_get_int
+from rucio.common.cache import MemcacheRegion
+from rucio.common.config import config_get, config_get_bool, config_get_int
 from rucio.common.exception import CannotAuthenticate, CannotAuthorize, RucioException
 from rucio.common.stopwatch import Stopwatch
 from rucio.common.utils import all_oidc_req_claims_present, build_url, val_to_space_sep_str
@@ -52,12 +51,14 @@ from rucio.db.sqla.session import read_session, transactional_session
 if TYPE_CHECKING:
     from sqlalchemy.orm import Session
 
+    from rucio.common.types import InternalAccount
+
 # The WLCG Common JWT Profile dictates that the lifetime of access and ID tokens
 # should range from five minutes to six hours.
 TOKEN_MIN_LIFETIME: Final = config_get_int('oidc', 'token_min_lifetime', default=300)
 TOKEN_MAX_LIFETIME: Final = config_get_int('oidc', 'token_max_lifetime', default=21600)
 
-REGION: Final = make_region_memcached(expiration_time=TOKEN_MAX_LIFETIME)
+REGION: Final = MemcacheRegion(expiration_time=TOKEN_MAX_LIFETIME)
 METRICS = MetricManager(module=__name__)
 
 # worokaround for a bug in pyoidc (as of Dec 2019)
@@ -218,11 +219,11 @@ def __initialize_oidc_clients() -> None:
     """
 
     try:
-        ALL_OIDC_CLIENTS = __get_rucio_oidc_clients()
+        all_oidc_clients = __get_rucio_oidc_clients()
         global OIDC_CLIENTS
         global OIDC_ADMIN_CLIENTS
-        OIDC_CLIENTS = ALL_OIDC_CLIENTS[0]
-        OIDC_ADMIN_CLIENTS = ALL_OIDC_CLIENTS[1]
+        OIDC_CLIENTS = all_oidc_clients[0]
+        OIDC_ADMIN_CLIENTS = all_oidc_clients[1]
     except Exception as error:
         logging.debug("OIDC clients not properly loaded: %s", error)
         pass
@@ -297,7 +298,8 @@ def __get_init_oidc_client(token_object: models.Token = None, token_type: str =
                      "state": kwargs.get('state', rndstr()),
                      "nonce": kwargs.get('nonce', rndstr())}
         auth_args["scope"] = token_object.oidc_scope if token_object else kwargs.get('scope', " ")
-        auth_args["audience"] = token_object.audience if token_object else kwargs.get('audience', " ")
+        if config_get_bool('oidc', 'supports_audience', raise_exception=False, default=True):
+            auth_args["audience"] = token_object.audience if token_object else kwargs.get('audience', " ")
 
         if token_object:
             issuer = token_object.identity.split(", ")[1].split("=")[1]
@@ -643,7 +645,7 @@ def get_token_oidc(
 
 
 @transactional_session
-def __get_admin_token_oidc(account: types.InternalAccount, req_scope, req_audience, issuer, *, session: "Session"):
+def __get_admin_token_oidc(account: 'InternalAccount', req_scope, req_audience, issuer, *, session: "Session"):
     """
     Get a token for Rucio application to act on behalf of itself.
     client_credential flow is used for this purpose.

rucio/core/permission/__init__.py

@@ -13,12 +13,15 @@
 # limitations under the License.
 
 import importlib
+import logging
 from configparser import NoOptionError, NoSectionError
 from os import environ
 from typing import TYPE_CHECKING, Any
 
+import rucio.core.permission.generic
 from rucio.common import config, exception
-from rucio.common.utils import check_policy_package_version
+from rucio.common.plugins import check_policy_package_version
+from rucio.common.policy import get_policy
 
 if TYPE_CHECKING:
     from typing import Optional
@@ -27,6 +30,8 @@ if TYPE_CHECKING:
 
     from rucio.common.types import InternalAccount
 
+LOGGER = logging.getLogger('policy')
+
 # dictionary of permission modules for each VO
 permission_modules = {}
 
@@ -37,83 +42,120 @@ except (NoOptionError, NoSectionError):
 
 # in multi-vo mode packages are loaded on demand when needed
 if not multivo:
-    GENERIC_FALLBACK = 'generic'
+    generic_fallback = 'generic'
 
-    if config.config_has_section('permission'):
-        try:
-            FALLBACK_POLICY = config.config_get('permission', 'policy')
-        except (NoOptionError, NoSectionError):
-            FALLBACK_POLICY = GENERIC_FALLBACK
-    elif config.config_has_section('policy'):
-        try:
-            FALLBACK_POLICY = config.config_get('policy', 'permission')
-        except (NoOptionError, NoSectionError):
-            FALLBACK_POLICY = GENERIC_FALLBACK
-    else:
-        FALLBACK_POLICY = GENERIC_FALLBACK
+    fallback_policy = get_policy()
+    if fallback_policy == 'def':
+        fallback_policy = generic_fallback
 
     if config.config_has_section('policy'):
         try:
             if 'RUCIO_POLICY_PACKAGE' in environ:
-                POLICY = environ['RUCIO_POLICY_PACKAGE']
+                policy = environ['RUCIO_POLICY_PACKAGE']
             else:
-                POLICY = config.config_get('policy', 'package', check_config_table=False)
-            check_policy_package_version(POLICY)
-            POLICY = POLICY + ".permission"
+                policy = config.config_get('policy', 'package', check_config_table=False)
+            check_policy_package_version(policy)
+            policy = policy + ".permission"
         except (NoOptionError, NoSectionError):
             # fall back to old system for now
-            POLICY = 'rucio.core.permission.' + FALLBACK_POLICY.lower()
+            policy = 'rucio.core.permission.' + fallback_policy.lower()
     else:
-        POLICY = 'rucio.core.permission.' + GENERIC_FALLBACK.lower()
+        policy = 'rucio.core.permission.' + generic_fallback.lower()
 
     try:
-        module = importlib.import_module(POLICY)
+        module = importlib.import_module(policy)
     except ModuleNotFoundError:
-        raise exception.PolicyPackageNotFound(POLICY)
+        # if policy package does not contain permission module, load fallback module instead
+        # this allows a policy package to omit modules that do not need customisation
+        try:
+            LOGGER.warning('Unable to load permission module %s from policy package, falling back to %s'
+                           % (policy, fallback_policy))
+            policy = 'rucio.core.permission.' + fallback_policy.lower()
+            module = importlib.import_module(policy)
+        except ModuleNotFoundError:
+            raise exception.PolicyPackageNotFound(policy)
+        except ImportError:
+            raise exception.ErrorLoadingPolicyPackage(policy)
     except ImportError:
-        raise exception.ErrorLoadingPolicyPackage(POLICY)
+        raise exception.ErrorLoadingPolicyPackage(policy)
 
     permission_modules["def"] = module
 
 
 def load_permission_for_vo(vo: str) -> None:
-    GENERIC_FALLBACK = 'generic_multi_vo'
+    generic_fallback = 'generic_multi_vo'
     if config.config_has_section('policy'):
         try:
             env_name = 'RUCIO_POLICY_PACKAGE_' + vo.upper()
             if env_name in environ:
-                POLICY = environ[env_name]
+                policy = environ[env_name]
             else:
-                POLICY = config.config_get('policy', 'package-' + vo)
-            check_policy_package_version(POLICY)
-            POLICY = POLICY + ".permission"
+                policy = config.config_get('policy', 'package-' + vo)
+            check_policy_package_version(policy)
+            policy = policy + ".permission"
         except (NoOptionError, NoSectionError):
             # fall back to old system for now
             try:
-                POLICY = config.config_get('policy', 'permission')
+                policy = config.config_get('policy', 'permission')
             except (NoOptionError, NoSectionError):
-                POLICY = GENERIC_FALLBACK
-            POLICY = 'rucio.core.permission.' + POLICY.lower()
+                policy = generic_fallback
+            policy = 'rucio.core.permission.' + policy.lower()
     else:
-        POLICY = 'rucio.core.permission.' + GENERIC_FALLBACK.lower()
+        policy = 'rucio.core.permission.' + generic_fallback.lower()
 
     try:
-        module = importlib.import_module(POLICY)
+        module = importlib.import_module(policy)
     except ModuleNotFoundError:
-        raise exception.PolicyPackageNotFound(POLICY)
+        # if policy package does not contain permission module, load fallback module instead
+        # this allows a policy package to omit modules that do not need customisation
+        try:
+            LOGGER.warning('Unable to load permission module %s from policy package, falling back to %s'
+                           % (policy, generic_fallback))
+            policy = 'rucio.core.permission.' + generic_fallback.lower()
+            module = importlib.import_module(policy)
+        except ModuleNotFoundError:
+            raise exception.PolicyPackageNotFound(policy)
+        except ImportError:
+            raise exception.ErrorLoadingPolicyPackage(policy)
+        raise exception.PolicyPackageNotFound(policy)
     except ImportError:
-        raise exception.ErrorLoadingPolicyPackage(POLICY)
+        raise exception.ErrorLoadingPolicyPackage(policy)
 
     permission_modules[vo] = module
 
 
+class PermissionResult:
+    """
+    Represents the result of a permission check, allowing an optional message to be
+    included to give the user more information.
+    """
+    def __init__(self, allowed: bool, message: "Optional[str]" = "") -> None:
+        self.allowed = allowed
+        self.message = message
+
+    # allow this to be tested as a bool for backwards compatibility
+    def __bool__(self) -> bool:
+        return self.allowed
+
+
 def has_permission(
         issuer: "InternalAccount",
         action: str,
         kwargs: dict[str, Any],
         *,
         session: "Optional[Session]" = None
-) -> bool:
+) -> PermissionResult:
     if issuer.vo not in permission_modules:
         load_permission_for_vo(issuer.vo)
-    return permission_modules[issuer.vo].has_permission(issuer, action, kwargs, session=session)
+    try:
+        result = permission_modules[issuer.vo].has_permission(issuer, action, kwargs, session=session)
+    except TypeError:
+        # will be thrown if policy package is missing the action in its perm dictionary
+        result = None
+    # if this permission is missing from the policy package, fallback to generic
+    if result is None:
+        result = rucio.core.permission.generic.has_permission(issuer, action, kwargs, session=session)
+    # continue to support policy packages that just return a boolean and no message
+    if isinstance(result, bool):
+        result = PermissionResult(result)
+    return result

rucio/core/permission/generic.py

@@ -410,13 +410,7 @@ def perm_add_dids(issuer: "InternalAccount", kwargs: dict[str, Any], *, session:
     :returns: True if account is allowed, otherwise False
     """
     # Check the accounts of the issued rules
-    if not _is_root(issuer) and not has_account_attribute(account=issuer, key='admin', session=session):
-        for did in kwargs['dids']:
-            for rule in did.get('rules', []):
-                if rule['account'] != issuer:
-                    return False
-
-    return _is_root(issuer) or has_account_attribute(account=issuer, key='admin', session=session)
+    return all(perm_add_did(issuer, kwargs=did, session=session) for did in kwargs['dids'])
 
 
 def perm_attach_dids(issuer: "InternalAccount", kwargs: dict[str, Any], *, session: "Optional[Session]" = None) -> bool:

rucio/core/permission/generic_multi_vo.py

@@ -412,13 +412,7 @@ def perm_add_dids(issuer, kwargs, *, session: "Optional[Session]" = None):
     :returns: True if account is allowed, otherwise False
     """
     # Check the accounts of the issued rules
-    if not _is_root(issuer) and not has_account_attribute(account=issuer, key='admin', session=session):
-        for did in kwargs['dids']:
-            for rule in did.get('rules', []):
-                if rule['account'] != issuer:
-                    return False
-
-    return _is_root(issuer) or has_account_attribute(account=issuer, key='admin', session=session)
+    return all(perm_add_did(issuer, kwargs=did, session=session) for did in kwargs['dids'])
 
 
 def perm_attach_dids(issuer, kwargs, *, session: "Optional[Session]" = None):

rucio/core/quarantined_replica.py

@@ -13,7 +13,6 @@
 # limitations under the License.
 
 import datetime
-from collections.abc import Iterable
 from typing import TYPE_CHECKING, Any, Optional
 
 from sqlalchemy import and_, delete, or_, select
@@ -24,6 +23,8 @@ from rucio.db.sqla import filter_thread_work, models
 from rucio.db.sqla.session import read_session, transactional_session
 
 if TYPE_CHECKING:
+    from collections.abc import Iterable
+
     from sqlalchemy.orm import Session
 
 
@@ -88,7 +89,7 @@ def add_quarantined_replicas(rse_id: str, replicas: list[dict[str, Any]], *, ses
 
 
 @transactional_session
-def delete_quarantined_replicas(rse_id: str, replicas: Iterable[dict[str, Any]], *, session: "Session") -> None:
+def delete_quarantined_replicas(rse_id: str, replicas: "Iterable[dict[str, Any]]", *, session: "Session") -> None:
     """
     Delete file replicas.
 
@@ -158,7 +159,7 @@ def list_quarantined_replicas(rse_id: str, limit: int, worker_number: Optional[i
         limit
     )
     for path, bytes_, scope, name, created_at in session.execute(stmt).all():
-        if not (scope, name) in quarantined_replicas:
+        if (scope, name) not in quarantined_replicas:
             quarantined_replicas[(scope, name)] = []
             replicas_clause.append(and_(models.RSEFileAssociation.scope == scope,
                                         models.RSEFileAssociation.name == name))