Merge pull request #112 from indigo-dc/devel

Merge Devel

IM/ConfManager.py

@@ -773,13 +773,15 @@ def configure_master(self):
                             ssh = SSHRetry(ansible_host.getHost(),
                                            user, passwd, private_key)
                             ssh.sftp_mkdir(remote_dir)
+                            ssh.sftp_chmod(remote_dir, 448)
                             ssh.sftp_put_files(files)
                             # Copy the utils helper files
                             ssh.sftp_mkdir(remote_dir + "/" + "/utils")
                             ssh.sftp_put_dir(
                                 Config.RECIPES_DIR + "/utils", remote_dir + "/" + "/utils")
                     else:
                         ssh.sftp_mkdir(remote_dir)
+                        ssh.sftp_chmod(remote_dir, 448)
                         ssh.sftp_put_files(files)
                         # Copy the utils helper files
                         ssh.sftp_mkdir(remote_dir + "/" + "/utils")
@@ -974,13 +976,6 @@ def generate_playbooks_and_hosts(self):
                 ssh.sftp_mkdir(remote_dir)
                 ssh.sftp_put_files(recipe_files)
 
-                # Change the permissions of the conf_file because inside is the
-                # password of the sudo user
-                success = ssh.sftp_chmod(remote_dir + "/" + conf_file, 384)
-                if not success:
-                    ConfManager.logger.warn(
-                        "Inf ID: " + str(self.inf.id) + ": Error setting conf file permissions.")
-
             self.inf.set_configured(True)
         except Exception, ex:
             self.inf.set_configured(False)
@@ -1340,8 +1335,8 @@ def configure_ansible(self, ssh, tmp_dir):
                                      ": Preparing Ansible playbook to copy Ansible modules: " + str(modules))
 
             ssh.sftp_mkdir(Config.REMOTE_CONF_DIR)
-            ssh.sftp_mkdir(Config.REMOTE_CONF_DIR +
-                           "/" + str(self.inf.id) + "/")
+            ssh.sftp_mkdir(Config.REMOTE_CONF_DIR + "/" + str(self.inf.id) + "/")
+            ssh.sftp_chmod(Config.REMOTE_CONF_DIR + "/" + str(self.inf.id) + "/", 448)
 
             for galaxy_name in modules:
                 if galaxy_name:

IM/InfrastructureManager.py

@@ -1206,35 +1206,37 @@ def check_im_user(auth):
             return True
 
     @staticmethod
-    def check_iam_token(im_auth):
+    def check_oidc_token(im_auth):
         token = im_auth["token"]
         success = False
         try:
             # decode the token to get the issuer
             decoded_token = JWT().get_info(token)
-            success, userinfo = OpenIDClient.get_user_info_request(token)
-            if success:
-                # convert to username to use it in the rest of the IM
-                im_auth['username'] = str(userinfo.get("preferred_username"))
-                im_auth['password'] = str(decoded_token['iss']) + str(userinfo.get("sub"))
+            if decoded_token['iss'] in Config.OIDC_ISSUERS:
+                success, userinfo = OpenIDClient.get_user_info_request(token)
+                if success:
+                    # convert to username to use it in the rest of the IM
+                    im_auth['username'] = str(userinfo.get("preferred_username"))
+                    im_auth['password'] = str(decoded_token['iss']) + str(userinfo.get("sub"))
+            else:
+                InfrastructureManager.logger.error("Incorrect OIDC issuer: %s" % decoded_token['iss'])
+                raise InvaliddUserException("Invalid InfrastructureManager credentials. Issuer not accepted.")
         except Exception, ex:
-            InfrastructureManager.logger.exception(
-                "Error trying to validate auth token: %s" % str(ex))
-            raise Exception("Error trying to validate auth token: %s" % str(ex))
+            InfrastructureManager.logger.exception("Error trying to validate OIDC auth token: %s" % str(ex))
+            raise Exception("Error trying to validate OIDC auth token: %s" % str(ex))
 
         if not success:
-            InfrastructureManager.logger.error(
-                "Incorrect auth token: %s" % userinfo)
-            raise InvaliddUserException("Invalid InfrastructureManager credentials %s" % userinfo)
+            InfrastructureManager.logger.error("Incorrect OIDC auth token: %s" % userinfo)
+            raise InvaliddUserException("Invalid InfrastructureManager credentials. %s." % userinfo)
 
     @staticmethod
     def check_auth_data(auth):
         # First check if it is configured to check the users from a list
         im_auth = auth.getAuthInfo("InfrastructureManager")
 
-        # First check if the IAM token is included
+        # First check if an OIDC token is included
         if "token" in im_auth[0]:
-            InfrastructureManager.check_iam_token(im_auth[0])
+            InfrastructureManager.check_oidc_token(im_auth[0])
         else:
             # if not assume the basic user/password auth data
             if not InfrastructureManager.check_im_user(im_auth):

IM/config.py

@@ -95,6 +95,7 @@ class Config:
     SINGLE_SITE_TYPE = ''
     SINGLE_SITE_AUTH_HOST = ''
     SINGLE_SITE_IMAGE_URL_PREFIX = ''
+    OIDC_ISSUERS = ["https://iam-test.indigo-datacloud.eu/"]
 
 config = ConfigParser.ConfigParser()
 config.read([Config.IM_PATH + '/../im.cfg', Config.IM_PATH +

etc/im.cfg

@@ -113,6 +113,9 @@ SINGLE_SITE_AUTH_HOST = http://server.com:2633
 # Set the url prefix of the images of the single site
 SINGLE_SITE_IMAGE_URL_PREFIX = one://server.com/
 
+# List of OIDC issuers supported
+OIDC_ISSUERS = https://iam-test.indigo-datacloud.eu/
+
 [OpenNebula]
 # OpenNebula connector configuration values
 

setup.py

@@ -24,6 +24,9 @@
 if not hasattr(sys, 'version_info') or sys.version_info < (2, 6):
     raise SystemExit("IM requires Python version 2.6 or above.")
 
+if 'bdist_wheel' in sys.argv:
+    raise RuntimeError("This setup.py does not support wheels")
+
 # Add contextualization dir files
 install_path = '/usr/share/im'
 datafiles = [(os.path.join(install_path, root), [os.path.join(root, f) for f in files])

test/loadtest/load-test-infa.radl

@@ -32,14 +32,59 @@ disk.0.os.flavour='ubuntu' and
 disk.0.os.credentials.new.password = 'Tututu+01'
 )
 
+configure docker (
+@begin
+    - name: add docker apt key
+      apt_key: keyserver=hkp://pgp.mit.edu:80 id=58118E89F3A912897C070ADBF76221572C52609D state=present 
 
-configure im (
+    - name: add docker repository
+      apt_repository: repo="deb https://apt.dockerproject.org/repo ubuntu-trusty main" state=present update_cache=yes 
+      when: ansible_distribution == "Ubuntu" and ansible_distribution_major_version == "14"  
+
+    - name: add docker repository
+      apt_repository: repo="deb https://apt.dockerproject.org/repo ubuntu-xenial main" state=present update_cache=yes 
+      when: ansible_distribution == "Ubuntu" and ansible_distribution_major_version == "16"  
+
+    - name: install docker
+      apt: pkg=docker-engine,python-pip state=present update_cache=yes
+
+    - name: start docker
+      service: name=docker state=started enabled=yes
+
+    - name: Upgrade pip version
+      pip: name=pip extra_args='-I' state=latest
+
+    - name: install docker-py
+    # user 1.9 version as ansible fails in case of 1.10 or higher 
+      pip: name=docker-py version=1.9.0
+
+@end
+)
+
+configure imdocker (
 @begin
 ---
-  - tasks:
+    - include: docker.yml
+
+    - name: im container
+      docker:
+        name: im
+        image: "grycap/im"
+        state: started
+        ports:
+        - "8800:8800"
+        - "8899:8899"
+        expose:
+        - 8899
+        - 8800
+@end
+)
 
+configure iminstall (
+@begin
+---
     - name: Install Reqs
-      apt: name=git,sysstat,gcc,python-dev,python-pip,python-mysqldb,openssh-client,sshpass,libssl-dev,libffi-dev update_cache=yes cache_valid_time=3600
+      apt: name=git,gcc,python-dev,python-pip,python-mysqldb,openssh-client,sshpass,libssl-dev,libffi-dev update_cache=yes cache_valid_time=3600
 
     - name: Install backports.ssl_match_hostname with Pip
       pip: name=backports.ssl_match_hostname
@@ -52,7 +97,21 @@ configure im (
 
     - name: Start IM
       service: name=im state=started
-
+@end
+)
+
+configure im (
+@begin
+---
+  - tasks:
+# To test the im directly installed at the VM
+    - include: iminstall.yml
+# To test the im from a docker container
+#    - include: imdocker.yml
+
+    - name: Install Reqs
+      apt: name=sysstat update_cache=yes cache_valid_time=3600
+
     - name: Configure sysstat
       lineinfile: dest=/etc/default/sysstat regexp="^ENABLED=" line='ENABLED="true"'
 

test/unit/test_im_logic.py

@@ -646,7 +646,7 @@ def test_tosca_get_outputs(self):
                                                     'user': 'ubuntu'}})
 
     @patch('httplib.HTTPSConnection')
-    def test_check_iam_token(self, connection):
+    def test_check_oidc_token(self, connection):
         im_auth = {"token": ("eyJraWQiOiJyc2ExIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJkYzVkNWFiNy02ZGI5LTQwNzktOTg1Yy04MGF"
                              "jMDUwMTcwNjYiLCJpc3MiOiJodHRwczpcL1wvaWFtLXRlc3QuaW5kaWdvLWRhdGFjbG91ZC5ldVwvIiwiZXhwI"
                              "joxNDY1NDcxMzU0LCJpYXQiOjE0NjU0Njc3NTUsImp0aSI6IjA3YjlkYmE4LTc3NWMtNGI5OS1iN2QzLTk4Njg"
@@ -664,11 +664,19 @@ def test_check_iam_token(self, connection):
         resp.read.return_value = user_info
         conn.getresponse.return_value = resp
 
-        IM.check_iam_token(im_auth)
+        IM.check_oidc_token(im_auth)
 
         self.assertEqual(im_auth['username'], "micafer")
         self.assertEqual(im_auth['password'], "https://iam-test.indigo-datacloud.eu/sub")
 
+        Config.OIDC_ISSUERS = ["https://other_issuer"]
+
+        with self.assertRaises(Exception) as ex:
+            IM.check_oidc_token(im_auth)
+        self.assertEqual(str(ex.exception),
+                         ("Error trying to validate OIDC auth token: Invalid "
+                          "InfrastructureManager credentials. Issuer not accepted."))
+
     @patch('IM.InfrastructureManager.DataBase.connect')
     @patch('IM.InfrastructureManager.DataBase.table_exists')
     @patch('IM.InfrastructureManager.DataBase.select')