
Commit 6847532

Merge pull request #8503 from fstagni/fix_unsetXCD
fix: getCAs and CRLs unsetting X509_CERT_DIR
2 parents 6e00e38 + 0a798a5 commit 6847532

5 files changed

Lines changed: 59 additions & 24 deletions


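--- a/src/DIRAC/FrameworkSystem/Client/BundleDeliveryClient.py
+++ b/src/DIRAC/FrameworkSystem/Client/BundleDeliveryClient.py
@@ -1,5 +1,5 @@
-""" Client for interacting with Framework/BundleDelivery service
-"""
+"""Client for interacting with Framework/BundleDelivery service"""
+
 import getpass
 import os
 import tarfile
@@ -143,9 +143,10 @@ def syncCAs(self):
 if "X509_CERT_DIR" in os.environ:
 X509_CERT_DIR = os.environ["X509_CERT_DIR"]
 del os.environ["X509_CERT_DIR"]
+result = self.syncDir("CAs", Locations.getCAsLocation())
 if X509_CERT_DIR:
 os.environ["X509_CERT_DIR"] = X509_CERT_DIR
-return self.syncDir("CAs", Locations.getCAsLocation())
+return result
 
 def syncCRLs(self):
 """Synchronize CRLs
@@ -156,9 +157,10 @@ def syncCRLs(self):
 if "X509_CERT_DIR" in os.environ:
 X509_CERT_DIR = os.environ["X509_CERT_DIR"]
 del os.environ["X509_CERT_DIR"]
+result = self.syncDir("CRLs", Locations.getCAsLocation())
 if X509_CERT_DIR:
 os.environ["X509_CERT_DIR"] = X509_CERT_DIR
-return self.syncDir("CRLs", Locations.getCAsLocation())
+return result
 
 def getCAs(self):
 """This method can be used to create the CAs. If the file can not be created,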

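--- a/src/DIRAC/FrameworkSystem/Service/BundleDeliveryHandler.py
+++ b/src/DIRAC/FrameworkSystem/Service/BundleDeliveryHandler.py
@@ -1,9 +1,9 @@
-""" Handler for CAs + CRLs bundles
-"""
+"""Handler for CAs + CRLs bundles"""
 
 import io
 import os
 import tarfile
+from pathlib import Path
 
 from DIRAC import S_ERROR, S_OK, gConfig, gLogger
 from DIRAC.Core.DISET.RequestHandler import RequestHandler
@@ -66,12 +66,15 @@ def updateBundles(self):
 buffer_ = io.BytesIO()
 filesToBundle = sorted(File.getGlobbedFiles(bundlePaths))
 if filesToBundle:
-commonPath = os.path.commonprefix(filesToBundle)
-commonEnd = len(commonPath)
-gLogger.info(f"Bundle will have {len(filesToBundle)} files with common path {commonPath}")
+paths = [Path(f) for f in filesToBundle]
+# Path.parents is path-component-aware, unlike os.path.commonprefix
+commonParent = (
+Path(os.path.commonpath(paths)).parent if len(paths) == 1 else Path(os.path.commonpath(paths))
+)
+gLogger.info(f"Bundle will have {len(filesToBundle)} files with common path {commonParent}")
 with tarfile.open("dummy", "w:gz", buffer_) as tarBuffer:
-for filePath in filesToBundle:
-tarBuffer.add(filePath, filePath[commonEnd:])
+for p in paths:
+tarBuffer.add(str(p), str(p.relative_to(commonParent)))
 zippedData = buffer_.getvalue()
 buffer_.close()
 hash_ = File.getMD5ForFiles(filesToBundle)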
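Review bot: The comment `# Path.parents is path-component-aware, unlike os.path.commonprefix` names an API the code beneath it never calls; the component-aware call actually used is `os.path.commonpath`, so the comment should read `# os.path.commonpath is path-component-aware, unlike os.path.commonprefix`. The conditional expression that follows also evaluates `os.path.commonpath(paths)` twice; `commonParent = Path(os.path.commonpath(paths))` followed by `if len(paths) == 1: commonParent = commonParent.parent` computes it once and reads more plainly. Unlike `commonprefix`, `os.path.commonpath` raises `ValueError` when the globbed paths mix absolute and relative forms (or, on Windows, drives), so if `bundlePaths` can be configured that way the caller now needs to expect the exception rather than a silently odd prefix. `updateBundles` begins before the hunk.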

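--- a/tests/CI/docker-compose.yml
+++ b/tests/CI/docker-compose.yml
@@ -1,6 +1,8 @@
 volumes:
 # Volume used to store the certificates of dirac
 certs_data:
+# Volume used to store the crls of dirac
+crls_data:
 # Volume used to store the config of diracx
 diracx-cs-store:
 # Volume used to store the pair of keys to sign the tokens
@@ -18,7 +20,13 @@ services:
 ports:
 - 3306:3306
 healthcheck:
-test: ["CMD", "sh", "-c", "${MYSQL_ADMIN_COMMAND} ping -h localhost > /tmp/health.log 2>&1;"]
+test:
+[
+"CMD",
+"sh",
+"-c",
+"${MYSQL_ADMIN_COMMAND} ping -h localhost > /tmp/health.log 2>&1;",
+]
 timeout: 20s
 retries: 10
 start_period: 60s
@@ -33,7 +41,8 @@ services:
 - 9200:9200
 env_file: "${ES_VER}.env"
 healthcheck:
-test: ["CMD", "curl", "-f", "-u", "elastic:changeme", "http://localhost:9200"]
+test:
+["CMD", "curl", "-f", "-u", "elastic:changeme", "http://localhost:9200"]
 interval: 5s
 timeout: 2s
 retries: 15
@@ -53,7 +62,13 @@ services:
 depends_on:
 - iam-init-keystore
 healthcheck:
-test: ["CMD", "curl", "-f", "http://localhost:8080/.well-known/openid-configuration"]
+test:
+[
+"CMD",
+"curl",
+"-f",
+"http://localhost:8080/.well-known/openid-configuration",
+]
 interval: 5s
 timeout: 2s
 retries: 15
@@ -116,6 +131,7 @@ services:
 container_name: dirac-init-certificates
 volumes:
 - certs_data:/ca/certs/
+- crls_data:/ca/crl/
 entrypoint: |
 /entrypoint.sh
 pull_policy: always
@@ -146,6 +162,7 @@ services:
 nofile: 8192
 volumes:
 - certs_data:/ca/certs
+- crls_data:/ca/crl/
 - diracx-cs-store:/cs_store
 - diracx-key-store:/keystore
 environment:
@@ -154,7 +171,6 @@ services:
 command: ["sleep", "infinity"] # This is necessary because of the issue described in https://github.com/moby/moby/issues/42275. What is added here is a hack/workaround.
 pull_policy: always
 
-
 dirac-client:
 platform: linux/amd64
 image: ${CI_REGISTRY_IMAGE}/${HOST_OS}-dirac
@@ -165,6 +181,7 @@ services:
 - dirac-server
 volumes:
 - certs_data:/ca/certs
+- crls_data:/ca/crl/
 ulimits:
 nofile: 8192
 command: ["sleep", "infinity"] # This is necessary because of the issue described in https://github.com/moby/moby/issues/42275. What is added here is a hack/workaround.
@@ -180,6 +197,7 @@ services:
 - dirac-server
 volumes:
 - certs_data:/ca/certs
+- crls_data:/ca/crl/
 - type: bind
 source: ${CVMFS_DIR}
 target: /cvmfs
@@ -195,7 +213,6 @@ services:
 start_period: 60s
 command: ["sleep", "infinity"] # This is necessary because of the issue described in https://github.com/moby/moby/issues/42275. What is added here is a hack/workaround.
 
-
 diracx-chmod:
 platform: linux/amd64
 image: ghcr.io/diracgrid/diracx/secret-generation:latest
@@ -210,7 +227,6 @@ services:
 bash -xc 'chmod -R o=u /keystore && chmod -R o=u /cs_store'
 pull_policy: always
 
-
 diracx-init-keystore:
 platform: linux/amd64
 image: ghcr.io/diracgrid/diracx/services:dev
@@ -308,7 +324,14 @@ services:
 /entrypoint.sh bash -xc 'uvicorn --factory diracx.routers:create_app --host=0.0.0.0'
 
 healthcheck:
-test: ["CMD", "/entrypoint.sh", "python", "-c", "import requests; requests.get('http://localhost:8000/.well-known/openid-configuration').raise_for_status()"]
+test:
+[
+"CMD",
+"/entrypoint.sh",
+"python",
+"-c",
+"import requests; requests.get('http://localhost:8000/.well-known/openid-configuration').raise_for_status()",
+]
 interval: 5s
 timeout: 2s
 retries: 15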
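Review bot: The new `crls_data` volume is mounted at `/ca/crl/` in `dirac-init-certificates` and in every other service that mounts `certs_data`, yet the scripts changed in this same commit read the CRL from `/ca/certs/ca.crl.pem`, i.e. from the existing `certs_data` volume. Unless the init container also writes the CRL under `/ca/crl/` for some consumer not visible here, the new mount is unused and one of the two locations should go; a comment on the volume declaration such as `# Volume used to store the crls of dirac; written by dirac-init-certificates, mounted read-only at /ca/crl/` would at least state which side is authoritative. The mount spelling also alternates between `certs_data:/ca/certs/` and `certs_data:/ca/certs`; Docker treats both alike, but the new `crls_data:/ca/crl/` lines could follow one form for consistency. The remaining hunks only reflow healthcheck lists and drop blank lines.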

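--- a/tests/CI/run_pilot.sh
+++ b/tests/CI/run_pilot.sh
@@ -23,22 +23,27 @@ mkdir -p /home/dirac/etc/grid-security/vomsdir
 mkdir -p /home/dirac/etc/grid-security/vomses
 
 cp /ca/certs/ca.cert.pem /home/dirac/etc/grid-security/certificates
+cp /ca/certs/ca.crl.pem /home/dirac/etc/grid-security/certificates
 touch /home/dirac/etc/grid-security/vomsdir/vomsdir
 touch /home/dirac/etc/grid-security/vomses/vomses
+# Generate the hash link file required by openSSL to index CA certificates
+caHash=$(openssl x509 -in /home/dirac/etc/grid-security/certificates/ca.cert.pem -noout -hash)
+ln -s ca.cert.pem "/home/dirac/etc/grid-security/certificates/$caHash.0"
+tar --create --file "/home/dirac/etc/grid-security/certificates/$caHash.r0" --gzip /home/dirac/etc/grid-security/certificates/ca.crl.pem
 
 # Copy over the pilot proxy
 cp /ca/certs/pilot_proxy /tmp/x509up_u$UID
 
 eval "${PILOT_DOWNLOAD_COMMAND}"
 
-echo "${PILOT_JSON}" > pilot.json
-jq < pilot.json
+echo "${PILOT_JSON}" >pilot.json
+jq <pilot.json
 
-if command -v python &> /dev/null; then
+if command -v python &>/dev/null; then
 py='python'
-elif command -v python3 &> /dev/null; then
+elif command -v python3 &>/dev/null; then
 py='python3'
-elif command -v python2 &> /dev/null; then
+elif command -v python2 &>/dev/null; then
 py='python2'
 fi
 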
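--- a/tests/Jenkins/dirac_ci.sh
+++ b/tests/Jenkins/dirac_ci.sh
@@ -115,8 +115,9 @@ installSite() {
 
 echo "==> CAs and certificates"
 
-# Copy the CA to the list of trusted CA
+# Copy the CA and CRL to the list of trusted CA
 cp "/ca/certs/ca.cert.pem" "${SERVERINSTALLDIR}/diracos/etc/grid-security/certificates/"
+cp "/ca/certs/ca.crl.pem" "${SERVERINSTALLDIR}/diracos/etc/grid-security/certificates/"
 
 # Copy the cert and host key to the certificates directory
 cp /ca/certs/hostcert.pem "${SERVERINSTALLDIR}/diracos/etc/grid-security/"
@@ -128,6 +129,7 @@ installSite() {
 # because otherwise the BundleDeliveryClient will send the full path, which
 # will be wrong on the client
 ln -s "ca.cert.pem" "${SERVERINSTALLDIR}/diracos/etc/grid-security/certificates/$caHash.0"
+tar --create --file "${SERVERINSTALLDIR}/diracos/etc/grid-security/certificates/$caHash.r0" --gzip "${SERVERINSTALLDIR}/diracos/etc/grid-security/certificates/ca.crl.pem"
 
 rm -rf "${SERVERINSTALLDIR}/etc"
 ln -s "${SERVERINSTALLDIR}/diracos/etc" "${SERVERINSTALLDIR}/etc"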
