Merge pull request #2465 from htcondor/V23_8-HTCONDOR-2153_issue_cred…

…entials_for-branch (HTCONDOR-2153) issue_credentials()
htcondor · May 20, 2024 · b7bdce9 · b7bdce9
2 parents 7158b9a + 0164336
commit b7bdce9
Show file tree

Hide file tree

Showing 7 changed files with 184 additions and 17 deletions.
diff --git a/bindings/python/htcondor2/_submit.py b/bindings/python/htcondor2/_submit.py
@@ -26,6 +26,7 @@
     _display_dag_options,
     _submit_set_submit_method,
     _submit_get_submit_method,
+    _submit_issue_credentials,
     _submit_itemdata,
 )
 
@@ -336,6 +337,17 @@ def from_dag(filename : str, options : Dict[str, Union[int, bool, str]] = {}) ->
         return Submit(subfile_text)
 
 
+    def issue_credentials(self) -> Union[str, None]:
+        '''
+        Issue credentials for this job description.
+
+        :return:  A string containing a URL that the submitter must visit
+                  in order to complete an OAuth2 flow, or :py:obj:`None`
+                  if no such visit is necessary.
+        '''
+        return _submit_issue_credentials(self._handle)
+
+
     @staticmethod
     def from_dag_options():
         """

diff --git a/nmi_tools/glue/build/make-tarball-from-rpms b/nmi_tools/glue/build/make-tarball-from-rpms
@@ -40,8 +40,11 @@ for file in $rpmdir/*.rpm; do
     elif [[ $file == */python2-* ]]; then
         # Skip Python 2 bindings
         echo Skipping $file
-    elif [[ $file == *-credmon-* ]]; then
-        # Skip any credmon
+    elif [[ $file == *-credmon-ouath* ]]; then
+        # We only want sbin/condor_credmon_ouath for tests, for now,
+        # but that's in the credmon-local package for some reaosn.
+        echo Skipping $file
+    elif [[ $file == *-credmon-vault* ]]; then
         echo Skipping $file
     else
         eval $(perl -e "(\$package, \$version, \$release, \$dist, \$arch) = '$file' =~ m:^.*/(.*)-([0-9][0-9.]*)-([0-9][0-9.]*)\.([^.]+)\.([^.]+)\.rpm$:; print \"package=\$package version=\$version release=\$release dist=\$dist arch=\$arch\";")

diff --git a/nmi_tools/nmi-build-platforms b/nmi_tools/nmi-build-platforms
@@ -1,24 +1,24 @@
 # One platform per line. Comments (starting with #) and blank lines are ignored.
 
 # Officially supported platforms
-docker://htcondor/nmi-build:aarch64_AlmaLinux8-23070101
-docker://htcondor/nmi-build:aarch64_AlmaLinux9-23070101
-docker://htcondor/nmi-build:ppc64le_AlmaLinux8-23070101
-docker://htcondor/nmi-build:ppc64le_Ubuntu20-23070101
-docker://htcondor/nmi-build:x86_64_AlmaLinux8-23070101
-docker://htcondor/nmi-build:x86_64_AlmaLinux9-23070101
-docker://htcondor/nmi-build:x86_64_AmazonLinux2023-23070101
-docker://htcondor/nmi-build:x86_64_CentOS7-23070101
-docker://htcondor/nmi-build:x86_64_Debian11-23070101
-docker://htcondor/nmi-build:x86_64_Debian12-23070101
-docker://htcondor/nmi-build:x86_64_openSUSE15-23070101
-docker://htcondor/nmi-build:x86_64_Ubuntu20-23070101
-docker://htcondor/nmi-build:x86_64_Ubuntu22-23070101
-docker://htcondor/nmi-build:x86_64_Ubuntu24-23070101
+docker://htcondor/nmi-build:aarch64_AlmaLinux8-23070200
+docker://htcondor/nmi-build:aarch64_AlmaLinux9-23070200
+docker://htcondor/nmi-build:ppc64le_AlmaLinux8-23070200
+docker://htcondor/nmi-build:ppc64le_Ubuntu20-23070200
+docker://htcondor/nmi-build:x86_64_AlmaLinux8-23070200
+docker://htcondor/nmi-build:x86_64_AlmaLinux9-23070200
+docker://htcondor/nmi-build:x86_64_AmazonLinux2023-23070200
+docker://htcondor/nmi-build:x86_64_CentOS7-23070100
+docker://htcondor/nmi-build:x86_64_Debian11-23070200
+docker://htcondor/nmi-build:x86_64_Debian12-23070200
+docker://htcondor/nmi-build:x86_64_openSUSE15-23070200
+docker://htcondor/nmi-build:x86_64_Ubuntu20-23070200
+docker://htcondor/nmi-build:x86_64_Ubuntu22-23070200
+docker://htcondor/nmi-build:x86_64_Ubuntu24-23070200
 x86_64_macOS13
 # Windows 9 is really Windows 10 in disquise
 x86_64_Windows9
 x86_64_Windows10
 
 # We want to build on Fedora because it is our "warning check" platform
-docker://htcondor/nmi-build:x86_64_Fedora40-23070101
+docker://htcondor/nmi-build:x86_64_Fedora40-23070200
diff --git a/src/condor_tests/CMakeLists.txt b/src/condor_tests/CMakeLists.txt
@@ -342,6 +342,14 @@ endif ()
 				condor_pl_test(test_job_token_transfer "Test secure token transfer from shadow to starter" "quick;ctest" CTEST DEPENDS "src/condor_tests/ornithology;src/condor_tests/conftest.py;src/condor_scripts/condor_credmon_oauth_dummy")
 			endif()
 
+			# This test requires the Python scitokens library, which
+			# has unresolvable depedencies on CentOS 7.
+			if (NOT ${SYSTEM_NAME} MATCHES "centos7")
+				if (NOT ${SYSTEM_NAME} MATCHES "Ubuntu.*20")
+					condor_pl_test(test_issue_credentials "Test issue_credentials()" "quick;ctest" CTEST DEPENDS "src/condor_tests/ornithology;src/condor_tests/conftest.py")
+				endif()
+			endif()
+
 			# The AES test depends on strace'ing the condor_shadow binary.  Strace isn't supported under 
 			# qemu, which is where we run our ppc and arm tests. 
 			# And strace is only available on linux.

diff --git a/src/condor_tests/test_issue_credentials.py b/src/condor_tests/test_issue_credentials.py
@@ -0,0 +1,109 @@
+#!/usr/bin/env pytest
+
+from pathlib import Path
+from getpass import getuser
+
+from ornithology import (
+    config,
+    standup,
+    action,
+    Condor,
+)
+
+import htcondor2
+htcondor2.enable_debug()
+
+import logging
+
+
+logger = logging.getLogger(__name__)
+logger.setLevel(logging.DEBUG)
+
+
+TEST_CASES = {
+    "local_issuer": {
+        "config": {
+            "SEC_CREDENTIAL_DIRECTORY_OAUTH":       "$(LOCAL_DIR)/oauth_credentials",
+            "CREDMON_OAUTH_LOG":                    "$(LOG)/CredMonOAuthLog",
+            "DAEMON_LIST":                          "$(DAEMON_LIST),CREDMON_OAUTH",
+            "AUTO_INCLUDE_CREDD_IN_DAEMON_LIST":    "True",
+            "TRUST_CREDENTIAL_DIRECTORY":           "True",
+            "LOCAL_CREDMON_PROVIDER_NAME":          "scitokens",
+            "LOCAL_CREDMON_TOKEN_AUDIENCE":         "https://localhost",
+            "CREDD_PORT":                           "-1",
+            "ALLOW_DAEMON":                         "*",
+            "LOCAL_CREDMON_PRIVATE_KEY":            "$(LOCAL_DIR)/trust_domain_ca_privkey.pem",
+            "CREDD_DEBUG":                          "D_FULLDEBUG",
+        },
+        "the_directory":    "{local_dir}/oauth_credentials",
+        "the_filename":     "scitokens.top",
+    },
+}
+
+
+@action(params={name: name for name in TEST_CASES})
+def the_test_tuple(request):
+    return (request.param, TEST_CASES[request.param])
+
+
+@action
+def the_test_name(the_test_tuple):
+    return the_test_tuple[0]
+
+
+@action
+def the_test_case(the_test_tuple):
+    return the_test_tuple[1]
+
+
+@action
+def the_local_dir(the_test_name, test_dir):
+    return Path(str(test_dir)) / the_test_name
+
+
+@action
+def the_directory(the_test_case, the_local_dir):
+    return the_test_case['the_directory'].format(local_dir=the_local_dir)
+
+
+@action
+def the_username():
+    # Seems like we should have a way to get this from HTCondor.
+    return getuser()
+
+
+@action
+def the_filename(the_test_case):
+    return the_test_case['the_filename']
+
+
+@action
+def the_condor(the_test_case, the_local_dir):
+    with Condor(
+        local_dir=the_local_dir,
+        config=the_test_case['config']
+    ) as the_condor:
+       yield the_condor
+
+
+class TestIssueCredentials:
+
+    def test_top_file_created(self, the_test_name, the_condor, the_directory, the_username, the_filename):
+        # Strictly speaking, this would be a set-up error.
+        assert not (Path(the_directory) / the_username / the_filename).exists()
+
+        # Strictly speaking, this should be an @action.
+        submit = htcondor2.Submit(
+                f"""
+                executable = /bin/sleep
+                transfer_executable = false
+                arguments = 5
+
+                log = {the_test_name}.log
+                """
+        )
+        with the_condor.use_config():
+            submit.issue_credentials()
+
+        # Check for a .use file as well?
+        assert (Path(the_directory) / the_username / the_filename).exists()
diff --git a/src/python-bindings/htcondor2/submit.cpp b/src/python-bindings/htcondor2/submit.cpp
@@ -72,6 +72,10 @@ struct SubmitBlob {
         void reset_itemdata_state() { m_ms_inline.rewind_to( 0, 0 ); }
         void insert_macro( const char * name, const std::string & value );
 
+        int process_job_credentials( std::string & URL, std::string & error_string ) {
+            return ::process_job_credentials( m_hash, 0, URL, error_string );
+        }
+
     private:
         SubmitHash m_hash;
         MACRO_SOURCE m_src_pystring;
@@ -685,3 +689,33 @@ _submit_itemdata( PyObject *, PyObject * args ) {
     sb->reset_itemdata_state();
     return PyUnicode_FromString(value.c_str());
 }
+
+
+static PyObject *
+_submit_issue_credentials( PyObject *, PyObject * args ) {
+    // _submit_issue_credentials(self.handle_t)
+
+    PyObject_Handle * handle = NULL;
+
+    if(! PyArg_ParseTuple( args, "O", (PyObject **)& handle )) {
+        // PyArg_ParseTuple() has already set an exception for us.
+        return NULL;
+    }
+
+    SubmitBlob * sb = (SubmitBlob *)handle->t;
+
+    std::string URL;
+    std::string error_string;
+    int rv = sb->process_job_credentials( URL, error_string );
+
+    if(rv != 0) {
+        PyErr_SetString( PyExc_RuntimeError, error_string.c_str() );
+        return NULL;
+    }
+
+    if(! URL.empty()) {
+        return PyUnicode_FromString(URL.c_str());
+    }
+
+    Py_RETURN_NONE;
+}
diff --git a/src/python-bindings/htcondor2_impl.cpp b/src/python-bindings/htcondor2_impl.cpp
@@ -156,6 +156,7 @@ static PyMethodDef htcondor2_impl_methods[] = {
 	{"_display_dag_options", &_display_dag_options, METH_VARARGS, NULL},
 	{"_submit_set_submit_method", &_submit_set_submit_method, METH_VARARGS, NULL},
 	{"_submit_get_submit_method", &_submit_get_submit_method, METH_VARARGS, NULL},
+	{"_submit_issue_credentials", &_submit_issue_credentials, METH_VARARGS, NULL},
 	{"_submit_itemdata", &_submit_itemdata, METH_VARARGS, NULL},