Changeset 7125

Timestamp:

30/06/10 11:24:36 (11 years ago)

Author:

spascoe

Message:

Updated the myproxyclient script. This is now a mutli-command script
with one sub-command implemented: "myproxyclient logon". It is mainly
compatible with myproxy-logon. See the module docstring and
"myproxyclient --help" for details.

File:

• TI12-security/trunk/MyProxyClient/myproxy/script.py (modified) (3 diffs)

TI12-security/trunk/MyProxyClient/myproxy/script.py

@@ +1 @@
+
 """
 Lightweight command-line interface to MyProxyClient.
+
+Sub commands
+------------
+
+``myproxyclient logon`` a replacement for myproxy-logon.  It understands most of the same options and tries to behave the same with a few exceptions:
+
+  1. -C/--cadir allows you to override the CA directory
+  2. It will not write the credentials to /tmp.  You must either set
+     X509_USER_PROXY or specify the ``-o`` option.
 
 """
@@ -28 +38 @@
 
 def make_optparser():
-    usage = "usage: %prog [options] [proxyfile]"
+    usage = """\
+usage: %prog [command] [options]
+
+commands:
+  logon        Retrieve credentials from a MyProxy service
+"""
+
     op = optparse.OptionParser(usage=usage)
 
-    op.add_option('-C', '--cacertdir', dest='cacertdir', 
+    op.add_option('-o', '--out', dest='outfile',
                   action='store', type='string',
-                  help='Set location of trusted certificates')
-    op.add_option('-H', '--hostname', dest='hostname',
+                  help='''\
+Set the file to store the retrieved creentials.
+If not specified credentials will be stored in X509_USER_PROXY environment
+variable.  To write the credential tostdout use -o -.
+''')
+    op.add_option('-C', '--cadir', dest='cadir', 
+                  action='store', type='string',
+                  help='''\
+Set location of trusted certificates.  By default this is the X509_CERT_DIR 
+environment variable or ~/.globus/certificates or /etc/grid-security.
+''')
+    op.add_option('-s', '--pshost', dest='hostname',
                   action='store', type='string',
                   help='Set hostname of myproxy server')
-    op.add_option('-p', '--port', dest='port', 
+    op.add_option('-p', '--psport', dest='port', 
                   action='store', type='int',
                   help='Set port of myproxy server')
-    op.add_option('-l', '--lifetime', dest='lifetime',
-                  action='store', type='int',
+    #!NOTE: convert hours to minutes
+    def set_lifetime(opt, opt_str, val, op):
+        op.values.lifetime = val * 60
+    op.add_option('-t', '--proxy_lifetime', type='int', 
+                  action='callback', callback=set_lifetime,
                   help='Set proxy certificate Lifetime')
-    op.add_option('-m', '--maxlifetime', dest='maxlifetime',
-                  action='store', type='int',
-                  help='Set proxy certificate Lifetime')
+    op.add_option('-S', '--stdin_pass', dest='stdin_pass',
+                  action='store_true',
+                  help='Read the password directly from stdin')
+    #!TODO: What is the myproxy-logon equivilent of this option?
+    #op.add_option('-m', '--maxlifetime', dest='maxlifetime',
+    #              action='store', type='int',
+    #              help='Set proxy certificate Lifetime')
     op.add_option('-b', '--bootstrap', dest='bootstrap',
                   action='store_true',
                   help='Download trusted CA certificates')
-    op.add_option('-k', '--keyfile', dest='keyfile', 
-                  action='store', type='string', metavar='KEYFILE',
-                  help='Write the private key to KEYFILE rather than proxyfile')
-    op.add_option('-c', '--certfile', dest='certfile',
-                  action='store', type='string', metavar='CERTFILE',
-                  help='Write the proxy certificate to CERTFILE rather than proxyfile')
-    op.add_option('-O', '--openid', dest='openid',
-                  action='store', type='string', metavar='OPENID',
-                  help='Shortcut for ESG Security login.  The myproxy server is calculated as myproxy.<OPENID-hostname>')
-    op.add_option('-u', '--username', dest='username',
+    op.add_option('-T', '--trustroots', dest='trustroots',
+                  action='store_true',
+                  help='Update trustroots')
+    op.add_option('-l', '--username', dest='username',
                   action='store', type='string',
                   help='Set username')
 
 
-    op.set_defaults(cacertdir=MyProxyClient.PROPERTY_DEFAULTS['caCertDir'],
-                    hostname=MyProxyClient.PROPERTY_DEFAULTS['hostname'],
-                    port=MyProxyClient.PROPERTY_DEFAULTS['port'],
-                    lifetime=MyProxyClient.PROPERTY_DEFAULTS['proxyCertLifetime'],
-                    maxlifetime=MyProxyClient.PROPERTY_DEFAULTS['proxyCertMaxLifetime'],
-                    bootstrap=False,
-                    keyfile=None,
-                    certfile=None,
-                    openid=None,
-                    username=None,
-                    )
+    
+
+    op.set_defaults(
+        outfile=None,
+        cadir=MyProxyClient.PROPERTY_DEFAULTS['caCertDir'],
+        hostname=MyProxyClient.PROPERTY_DEFAULTS['hostname'],
+        port=MyProxyClient.PROPERTY_DEFAULTS['port'],
+        lifetime=MyProxyClient.PROPERTY_DEFAULTS['proxyCertLifetime'],
+        #maxlifetime=MyProxyClient.PROPERTY_DEFAULTS['proxyCertMaxLifetime'],
+        bootstrap=False,
+        trustroots=False,
+        openid=None,
+        username=None,
+        stdin_pass=False,
+        )
 
     return op
@@ -81 +112 @@
     op = make_optparser()
 
-    options, args = op.parse_args(argv[1:])
-    if args:
-        outfile = args[0]
+    logname = os.environ.get('LOGNAME')
+
+    command = argv[1]
+    # Catch example of just specifying --help or '-h'
+    if command in ['--help', '-h']:
+        argl = argv[1:2]
+        command = None
     else:
-        outfile = None
+        argl = argv[2:]
+    options, args = op.parse_args(argl)
 
-    if options.openid:
-        username = options.openid
-        hostname = 'myproxy.%s' % urlparse.urlparse(options.openid)[1]
+    if options.outfile is None:
+        if 'X509_USER_PROXY' in os.environ:
+            options.outfile = os.environ['X509_USER_PROXY']
+        else:
+            op.error("Credential output file must be specified or X509_USER_PROXY set")
+            
+    if options.username is None:
+        options.username = logname
+
+    if options.cadir:
+        cadir = options.cadir
+    elif 'X509_CERT_DIR' in os.environ:
+        cadir = os.environ['X509_CERT_DIR']
+    elif logname == 'root':
+        cadir = '/etc/grid-security'
     else:
-        username = options.username
-        hostname = options.hostname
+        cadir = os.path.join(os.path.expanduser('~'),'.globus/certificates')
 
-    if username is None:
-        username = os.getlogin()
 
-    client_props = dict(caCertDir=options.cacertdir,
-                        hostname=hostname,
+    client_props = dict(caCertDir=cadir,
+                        hostname=options.hostname,
                         port=options.port,
                         proxyCertLifetime=options.lifetime,
-                        proxyCertMaxLifetime=options.maxlifetime)
-    #!FIXME: caCertDir must be unset and not just None.  
-    #  This bug exists in MyProxyClient and the underlying SSL package.
-    if client_props['caCertDir'] is None:
-        del client_props['caCertDir']
+                        #proxyCertMaxLifetime=options.maxlifetime,
+                        )
 
     myproxy = MyProxyClient(**client_props)
 
-    password = getpass.getpass('Enter password for user %s on myproxy %s:'
-                               % (username, options.hostname))
+    if command == 'logon':
+        do_logon(myproxy, options)
+    else:
+        op.error('Command %s not supported' % command)
 
-    creds = myproxy.logon(username, password, bootstrap=options.bootstrap)
 
-    #!TODO: Confirm order of creds
-    cert, key = creds
 
-    if outfile:
-        fout = open(outfile, 'w')
+def do_logon(myproxy, options):
+    if options.stdin_pass:
+        #!TODO: Is this right to read just the first line of stdin?
+        password = sys.stdin.readline().rstrip()
     else:
+        password = getpass.getpass('Enter password for user %s on myproxy %s:'
+                                   % (options.username, options.hostname))
+
+    creds = myproxy.logon(options.username, password, 
+                          bootstrap=options.bootstrap,
+                          updateTrustRoots=options.trustroots)
+    
+    if options.outfile == '-':
         fout = sys.stdout
-
-    if options.certfile:
-        fh = open(options.certfile, 'w')
-        fh.write(cert)
-        fh.close()
     else:
-        fout.write(cert)
-
-    if options.keyfile:
-        fh = open(options.keyfile, 'w')
-        fh.write(key)
-        fh.close()
-    else:
-        fout.write(key)
+        fout = open(options.outfile, 'w')
+    
+    for cred in creds:
+        fout.write(cred)
+    
+    #!TODO: Would we want to close stdout?
+    fout.close()