DIRACCAProxyProvider

ProxyProvider implementation for proxy generation using local (DIRAC) CA credentials

This class is a simple, limited CA. Its main purpose is to generate, on the fly, a simple proxy for DIRAC users who do not have any registered certificate.

Required parameters in the DIRAC configuration for its implementation:

/Resources/ProxyProviders section
  MY_DIRACCA
  {

    # Main option, to show which proxy provider type you want to register.
    ProviderType = DIRACCA

    # The path to the CA certificate. This option is required.
    CertFile = /opt/dirac/etc/grid-security/DIRACCA-EOSH/cert.pem

    # The path to the CA key. This option is required.
    KeyFile = /opt/dirac/etc/grid-security/DIRACCA-EOSH/key.pem

    # The distinguished name fields that must contain exactly the same contents as that field in the CA's
    # DN. If this parameter is not specified, the default value is an empty list.
    Match = O, OU

    # The list of distinguished name fields that must be present. If this parameter is not specified, the
    # default value is "CN".
    Supplied = C, CN

    # The list of distinguished name fields that are allowed, but not required. If this parameter is not
    # specified, the default value is "C, O, OU, emailAddress".
    Optional = emailAddress

    # Order of the distinguished name fields in a created user certificate. If this parameter is not
    # specified, the default value is "C, O, OU, CN, emailAddress".
    DNOrder = C, O, OU, emailAddress, CN

    # To set default value for distinguished name field.
    C = FR
    O = DIRAC
    OU = DIRAC TEST

    # The path to the openssl configuration file. This is optional and not recommended.
    # If you choose to use this option, it is recommended to use a relatively simple configuration.
    # All required parameters will be taken from the configuration file, except "DNOrder".
    CAConfigFile = /opt/dirac/pro/etc/openssl_config_ca.cnf
  }

Also, as an additional feature, this class can read its properties from a simple openssl CA configuration file. To do this, set the path to an existing configuration file as the CAConfigFile parameter. In this case, the order of the distinguished name fields in the created proxy will be the same as in the policy section of the configuration file.
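To make the Match / Supplied / Optional / DNOrder semantics of the configuration above concrete, here is an added example (not DIRAC's own code) that applies such a policy to a user description and yields the DN the CA would issue, rejecting requests that violate it. The CA DN, the policy dictionary and the FullName/Email aliases are constructed assumptions mirroring the MY_DIRACCA section.

```python
# Added example, not DIRAC's own implementation: enforce a Match / Supplied /
# Optional / DNOrder policy on a user description and build the resulting DN.
# CA_DN and POLICY are constructed sample values mirroring the config above.

CA_DN = {"C": "FR", "O": "DIRAC", "OU": "DIRAC TEST", "CN": "DIRAC CA"}

POLICY = {
    "Match": ["O", "OU"],              # must equal the CA's own value
    "Supplied": ["C", "CN"],           # must be present in the request
    "Optional": ["emailAddress"],      # allowed, not required
    "DNOrder": ["C", "O", "OU", "emailAddress", "CN"],
    "Defaults": {"C": "FR", "O": "DIRAC", "OU": "DIRAC TEST"},
}

# Assumed aliases, as in the generateDN kwargs described on this page.
ALIASES = {"FullName": "CN", "Email": "emailAddress"}


def generate_dn(policy, ca_dn, **fields):
    """Return (True, dn) on success or (False, reason) if the policy rejects it."""
    # Normalise aliases, then fill in configured defaults for missing fields.
    req = {ALIASES.get(k, k): v for k, v in fields.items()}
    for key, value in policy["Defaults"].items():
        req.setdefault(key, value)

    # Any field the policy does not list is refused: an unexpected subject
    # attribute must not be allowed to carry identity claims the CA never vetted.
    allowed = set(policy["Match"]) | set(policy["Supplied"]) | set(policy["Optional"])
    extra = set(req) - allowed
    if extra:
        return False, f"fields not allowed by policy: {', '.join(sorted(extra))}"

    for key in policy["Match"]:
        if req.get(key) != ca_dn.get(key):
            return False, f"{key} must match the CA value {ca_dn.get(key)!r}"

    for key in policy["Supplied"]:
        if not req.get(key):
            return False, f"required field {key} is missing"

    # Emit the DN in the configured order, skipping optional fields not given.
    parts = [f"{key}={req[key]}" for key in policy["DNOrder"] if key in req]
    return True, "/" + "/".join(parts)
```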

The Proxy provider supports the following distinguished names (https://www.cryptosys.net/pki/manpki/pki_distnames.html):

SN(surname)
GN(givenName)
C(countryName)
CN(commonName)
L(localityName)
Email(emailAddress)
O(organizationName)
OU(organizationalUnitName)
SP,ST(stateOrProvinceName)
SERIALNUMBER(serialNumber)

class DIRAC.Resources.ProxyProvider.DIRACCAProxyProvider.DIRACCAProxyProvider(parameters=None)

Bases: ProxyProvider

__init__(parameters=None)

Constructor

checkStatus(userDN)

Check whether the proxy provider is ready to work

Parameters:

userDN (str) – user DN

Returns:

S_OK()/S_ERROR()

generateDN(**kwargs)

Get DN of the user certificate that will be created

Parameters:

kwargs (dict) – user description dictionary with possible fields:

- FullName or CN
- Email or emailAddress

Returns:

S_OK(str)/S_ERROR() – contains the DN

getProxy(userDN)

Generate user proxy

Parameters:

userDN (str) – user DN

Returns:

S_OK(str)/S_ERROR() – contains a proxy string

setParameters(parameters)

Set new parameters

Parameters:

parameters (dict) – provider parameters

Returns:

S_OK()/S_ERROR()