Merge pull request #23 from jouvin/add_option_insecure

Add option --insecure + documentation improvements
indigo-iam · Dec 4, 2024 · 04a70b6 · 04a70b6
2 parents c955a93 + 1bb8f4e
commit 04a70b6
Show file tree

Hide file tree

Showing 2 changed files with 52 additions and 6 deletions.
diff --git a/README.md b/README.md
@@ -15,15 +15,43 @@ To run the `vomsimporter` script, you first need to obtain an admin
 VOMS proxy with `voms-proxy-init` and an admin access token with
 `oidc-token`.
 
+### Installing the importer
+
+**`vomsimporter` requires a Python 2.7 environment as some of its dependencies are available
+only for Python 2.** The following Python modules are required and can be installed from
+EL7 RPMs:
+
+- ldap (from OS repository)
+- voms-admin-client
+- python2-zsi (from UMD-4 repository)
+
+In addition it is necessary to build the executable `dn_converter` from
+`docker/rfc2253/rfc2253.cpp` and move it to the path (or add its path to `PATH`
+environment variable). The command to build the executable (see also the source file) is:
+
+```
+g++ -std=c++11 rfc2253.cpp -lcrypto -o dn_converter
+```
+
+You also need to have access to the `grid-proxy-init` command. Alternatively, you can use this command on another server where it is available and copy the proxy file in `/tmp` on the machine where you run `vomsimporter`.
+
 ### Running the importer
 
 This is an example to import users from the `test.vo` hosted in [meteora](https://meteora.cloud.cnaf.infn.it:8443), into [iam-dev](https://iam-dev.cloud.cnaf.infn.it).
 
 Pre-requisites
-* being an admin of [meteora](https://meteora.cloud.cnaf.infn.it:8443)
-* being an admin of [iam-dev](https://iam-dev.cloud.cnaf.infn.it)
+* be an admin of [meteora](https://meteora.cloud.cnaf.infn.it:8443)
+* be an admin of [iam-dev](https://iam-dev.cloud.cnaf.infn.it)
 * the X.509 certificate linked to the VOMS admin has to be the same as for the IAM admin
-* having a local oidc-configuration (generated with Centos7) whith at least the following scopes allowed: `openid iam:admin.read iam:admin.write scim:read scim:write proxy:generate`
+* have a local oidc-configuration (generated with Centos7) whith at least the following scopes allowed: `openid iam:admin.read iam:admin.write scim:read scim:write proxy:generate`
+* Load a proxy certificate into INDIGO IAM with a lifetime long enough to complete the VOMS
+migration (or you will have to refresh it once it is expired). This is done by
+clicking on button `Add managed proxy certificate` and pasting the contents of your grid proxy.
+To get a 1 week grid proxy, use the following command: 
+
+```
+grid-proxy-init -valid 240:0
+```
 
 Define the following environment variables:
 
@@ -43,8 +71,22 @@ Initialize your admin credentials with
 $ ./docker/init-credentials.sh
 ```
 
+This will initialize a proxy from the certificate loaded in INDIGO IAM and create a token.
+
 Run the importer with
 
 ```
 python vomsimporter.py --vo ${VOMS_VO} --voms-host ${VOMS_HOST} --iam-host ${IAM_HOST} --skip-duplicate-accounts-checks --username-attr nickname --debug --voms-port 8443
-```
+```
+
+If you have SSL errors running this command, you can use `curl` to validate that everything
+is ok in your configuration. After obtaining a proxy with the command `grid-proxy-init`
+(the proxy build by `init-credentials` does not work with `curl`), enter the following
+command (`/path/to/user/certificate` is the certificate used to generate the proxy in
+PEM format):
+
+```
+curl --cert /tmp/x509up_u1000  --cacert /path/to/user/certificate --capath /etc/grid-security/certificates/  https://meteora.cloud.cnaf.infn.it/voms/test.vo
+```
+
+Once you have fixed the problems with the `curl` command, try again to run `vomsimporter`. If it still fails, try to add the option `--insecure` which disables SSL certificate verification.
diff --git a/vomsimporter.py b/vomsimporter.py
@@ -57,11 +57,12 @@ class VomsError(Exception):
 
 
 class VomsService:
-    def __init__(self, host, port, vo, protocol="https"):
+    def __init__(self, host, port, vo, protocol="https", insecure=False):
         self._host = host
         self._port = port
         self._protocol = protocol
         self._vo = vo
+        self._insecure = insecure
         self._load_x509_credentials()
         self._init_voms_admin_proxy()
 
@@ -114,6 +115,7 @@ def get_voms_users(self, start=None, pagesize=None):
 
         r = self._session.get(
             url, params={'startIndex': start, 'pageSize': pagesize},
+            verify = False if ( self._insecure ) else True,
             headers= {'X-VOMS-CSRF-GUARD': "y"})
         r.raise_for_status()
         return r.json()
@@ -866,7 +868,7 @@ def __init__(self, args):
         self._args = args
 
         self._voms_service = VomsService(
-            host=args.voms_host, port=args.voms_port, vo=args.vo)
+            host=args.voms_host, port=args.voms_port, vo=args.vo, insecure=args.insecure)
 
         voms_groups = None
         voms_roles = None
@@ -1074,6 +1076,8 @@ def init_argparse():
                         help="Start from this index when syncing users", dest="start_index", default=0)
     parser.add_argument('--count', required=False, type=int,
                         help="Import at most 'count' user records", dest="count", default=-1)
+    parser.add_argument('--insecure', required=False, default=False, action='store_true',
+                        help="Disable SSL certificate verification when interacting with VOMS server")
     parser.add_argument('--username-attr', required=False, type=str,
                         help="Uses the VOMS GA passed as argument for building the username", dest="username_attr", default=None)
     parser.add_argument('--link-cern-sso', required=False,