update setup_fnal_security for tokens

scripts/setup_fnal_security

@@ -8,20 +8,20 @@
 
 usage () {
     echo "" >&2
-    echo "Setup the tickets, certificates, and proxies required to use FNAL computing" >&2
+    echo "Setup the tickets and tokens required to use FNAL computing" >&2
     echo "">&2
     echo "usage: setup_fnal_security [options]" >&2
     echo "options:" >&2
     echo "     -h/--help:       Prints this usage message.                    " >&2
-    echo "     -f/--force:      Force a new proxy to be generated." >&2
-    echo "     -c/--check:      Just check the proxy, don't get a new one." >&2
+    echo "     -f/--force:      Force a new token to be generated." >&2
+    echo "     -c/--check:      Just check the token, don't get a new one." >&2
     echo "     -b/--batch:      Do not ask for user input." >&2
     echo "     -k/--kerberos:   Also check kerberos ticket." >&2
     echo "     -q/--quiet:      Suppress regular output, errors still shown" >&2
     echo "     -p/--production: Get a Production role proxy instead" >&2
     echo "                      shown. Can only be used in batch mode." >&2
     echo "                                                                 " >&2
-    exit 1 
+    exit 1
 }
 
 
@@ -108,82 +108,55 @@ do_kinit ()
 }
 
 
-###################################################################################
-# Get a certificate
-###################################################################################
-
-do_getcert ()
-{
-    # Check the CI certificate
-    RETRY=0
-    #while ! cigetcert -ns fifebatch.fnal.gov; do
-    while ! kx509; do
-        let RETRY=RETRY+1
-        if [ $RETRY -gt 3 ]; then
-            echo "Failed 3 times. Aborting."
-            exit 1
-        fi
-
-        echo "Failed to get a certificate."
-        do_kinit
-    done
-}
-
 
 ###################################################################################
 # Main body for this script
 ###################################################################################
 
 main () {
-        
-    # Check the proxy location
-    default_proxy=/tmp/x509up_u$(id -u)
-    if [[ ! -z $X509_USER_PROXY ]]; then
-        if [[ $X509_USER_PROXY != $default_proxy ]]; then
+
+    # Check token location
+    default_token=/tmp/bt_token_dune_${ROLE}_$(id -u)
+    if [[ ! -z $BEARER_TOKEN_FILE ]]; then
+        if [[ $BEARER_TOKEN_FILE != $default_token ]]; then
             echo "##########"
             echo "WARNING:"
-            echo "Warning: The X509_USER_PROXY environment variable is set to a non-standard location: $X509_USER_PROXY."
+            echo "The BEARER_TOKEN_FILE environment variable is set to a non-standard location: $BEARER_TOKEN_FILE."
             echo "If authentication is not working, try reverting to the default value:"
-            echo "export X509_USER_PROXY=$default_proxy"
+            echo "export BEARER_TOKEN_FILE=$default_token"
             echo "##########"
             echo ""
         fi
+    else
+        export BEARER_TOKEN_FILE=$default_token
     fi
 
-    # If the -f/--force option is given force a new proxy to be made
-    if [[ ! -z $FORCE ]]; then
-        echo "Forcing regeneration of proxy by removing existing one from X509_USER_PROXY=$X509_USER_PROXY"
-        if [[ -z $X509_USER_PROXY ]]; then
-            echo "X509_USER_PROXY is not set, so remove from default location $default_proxy"
-            X509_USER_PROXY=$default_proxy
+
+    # If the -f/--force option is given, remove existing token
+    if [[ -f $BEARER_TOKEN_FILE ]]; then
+        if [[ -z $FORCE ]]; then
+            echo "Existing token found at BEARER_TOKEN_FILE=$BEARER_TOKEN_FILE"
+        else
+            echo "Forcing regeneration of token by removing existing one from BEARER_TOKEN_FILE=$BEARER_TOKEN_FILE"
+            echo "rm $BEARER_TOKEN_FILE"
+            rm $BEARER_TOKEN_FILE
         fi
-        echo "rm $X509_USER_PROXY"
-        rm $X509_USER_PROXY
+    else
+        echo "Generating a token at BEARER_TOKEN_FILE=$BEARER_TOKEN_FILE"
     fi
-
-
+
+    # get a new token if there is no existing one
+    if [[ ! -f $BEARER_TOKEN_FILE ]]; then
+        htgettoken -a htvaultprod.fnal.gov -i nova
+    fi
+
     # Check Kerberos Ticket
     if [[ ! -z $KERBEROS ]]; then
         if ! klist -5 -s && ! klist -s; then
             do_kinit
         fi
     fi
-
-    do_getcert
-
-    # Check the VOMS proxy
-    if [ -z "`voms-proxy-info -all|grep "^attribute.*$ROLE"`" ]; then
-        if [ -z "`voms-proxy-info -all|grep "^attribute"`" ]; then
-            echo "No valid VOMS proxy found, getting one"
-        else
-            echo "Proxy with the wrong role found, replacing it."
-            rm $X509_USER_PROXY
-            do_getcert
-        fi
-        voms-proxy-init -rfc -noregen -voms=dune:/dune/Role=$ROLE -valid 120:00 
-    fi
-
-
+
 }
 
 
@@ -192,19 +165,20 @@ main () {
 ###################################################################################
 
 check () {
-
-    # Check the proxy location
-    default_proxy=/tmp/x509up_u$(id -u)
-    if [[ ! -z $X509_USER_PROXY ]]; then
-        if [[ $X509_USER_PROXY != $default_proxy ]]; then
-            echo "##########"
-            echo "WARNING:"
-            echo "Warning: The X509_USER_PROXY environment variable is set to a non-standard location: $X509_USER_PROXY."
-            echo "If authentication is not working, try reverting to the default value:"
-            echo "export X509_USER_PROXY=$default_proxy"
-            echo "##########"
-            echo ""
-        fi
+
+    # Check token location
+    default_token=/tmp/bt_token_dune_${ROLE}_$(id -u)
+    if [[ ! -z $BEARER_TOKEN_FILE ]]; then
+        echo "BEARER_TOKEN_FILE is set to a non-standard location: $BEARER_TOKEN_FILE"
+    else
+        export BEARER_TOKEN_FILE=$default_token
+        echo "BEARER_TOKEN_FILE is set to the standard location: $BEARER_TOKEN_FILE"
+    fi
+    if [[ ! -f $BEARER_TOKEN_FILE ]]; then
+        echo "No token found."
+        exit 1
+    else
+        echo "Existing token found."
     fi
 
     # Check Kerberos Ticket
@@ -214,17 +188,6 @@ check () {
             exit 1
         fi
     fi
-
-    # Check the VOMS proxy
-    if [ -z "`voms-proxy-info -all|grep "^attribute.*$ROLE"`" ]; then
-        if [ -z "`voms-proxy-info -all|grep "^attribute"`" ]; then
-            echo "No valid VOMS proxy found"
-            exit 1
-        else
-            echo "VOMS proxy found with the wrong role."
-            exit 1
-        fi
-    fi
 
 }