From 7ae7754243b9b51510563f96c461763ee81d1064 Mon Sep 17 00:00:00 2001 From: micafer Date: Wed, 27 Jan 2021 09:03:43 +0100 Subject: [PATCH 01/10] Implements #1111 --- IM/InfrastructureManager.py | 5 +++-- IM/connectors/OpenNebula.py | 3 ++- IM/openid/OpenIDClient.py | 10 ++++------ IM/tts/onetts.py | 4 ++-- 4 files changed, 11 insertions(+), 11 deletions(-) diff --git a/IM/InfrastructureManager.py b/IM/InfrastructureManager.py index 0626eab9b..3ce56a2a7 100644 --- a/IM/InfrastructureManager.py +++ b/IM/InfrastructureManager.py @@ -1334,7 +1334,8 @@ def check_oidc_token(im_auth): if Config.OIDC_SCOPES and Config.OIDC_CLIENT_ID and Config.OIDC_CLIENT_SECRET: success, res = OpenIDClient.get_token_introspection(token, Config.OIDC_CLIENT_ID, - Config.OIDC_CLIENT_SECRET) + Config.OIDC_CLIENT_SECRET, + Config.VERIFI_SSL) if not success: raise InvaliddUserException("Invalid InfrastructureManager credentials. " "Invalid token or Client credentials.") @@ -1357,7 +1358,7 @@ def check_oidc_token(im_auth): try: # Now try to get user info - success, userinfo = OpenIDClient.get_user_info_request(token) + success, userinfo = OpenIDClient.get_user_info_request(token, Config.VERIFI_SSL) if success: # convert to username to use it in the rest of the IM im_auth['username'] = IM.InfrastructureInfo.InfrastructureInfo.OPENID_USER_PREFIX diff --git a/IM/connectors/OpenNebula.py b/IM/connectors/OpenNebula.py index 00531d135..ed9df18be 100644 --- a/IM/connectors/OpenNebula.py +++ b/IM/connectors/OpenNebula.py @@ -237,7 +237,8 @@ def getSessionID(self, auth_data): return auth['username'] + ":" + passwd elif 'token' in auth: username, passwd = ONETTSClient.get_auth_from_tts(ConfigOpenNebula.TTS_URL, - self.cloud.server, auth['token']) + self.cloud.server, auth['token'], + Config.VERIFI_SSL) if not username or not passwd: raise Exception("Error getting ONE credentials using TTS.") auth["username"] = username 
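Review bot: The new `Config.VERIFI_SSL` argument to `get_token_introspection` decides whether the issuer's certificate is checked on a request that carries `OIDC_CLIENT_SECRET` as HTTP Basic auth (and, in the `@@ -1357` hunk, the user's bearer token), so whenever that setting is false the IM's client credentials travel to a server whose identity was never validated. The same flag is threaded into the TTS call in the OpenNebula hunk and the whole change is re-applied unchanged in PATCH 09/10, so the same review applies there. The default of `Config.VERIFI_SSL` is not visible here; if it is false, deployments run unverified unless an operator opts in, and a comment at the call site such as `# VERIFI_SSL=False disables certificate checks for the OIDC issuer and TTS; test deployments only` would make that trade-off explicit. check_oidc_token starts before the hunk and continues after it.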
diff --git a/IM/openid/OpenIDClient.py b/IM/openid/OpenIDClient.py index 547717963..8449f534e 100644 --- a/IM/openid/OpenIDClient.py +++ b/IM/openid/OpenIDClient.py @@ -24,10 +24,8 @@ class OpenIDClient(object): - VERIFY_SSL = False - @staticmethod - def get_user_info_request(token): + def get_user_info_request(token, verify_ssl=False): """ Get a the user info from a token """ @@ -35,7 +33,7 @@ def get_user_info_request(token): decoded_token = JWT().get_info(token) headers = {'Authorization': 'Bearer %s' % token} url = "%s%s" % (decoded_token['iss'], "/userinfo") - resp = requests.request("GET", url, verify=OpenIDClient.VERIFY_SSL, headers=headers) + resp = requests.request("GET", url, verify=verify_ssl, headers=headers) if resp.status_code != 200: return False, "Code: %d. Message: %s." % (resp.status_code, resp.text) return True, json.loads(resp.text) @@ -43,14 +41,14 @@ def get_user_info_request(token): return False, str(ex) @staticmethod - def get_token_introspection(token, client_id, client_secret): + def get_token_introspection(token, client_id, client_secret, verify_ssl=False): """ Get token introspection """ try: decoded_token = JWT().get_info(token) url = "%s%s" % (decoded_token['iss'], "/introspect?token=%s&token_type_hint=access_token" % token) - resp = requests.request("GET", url, verify=OpenIDClient.VERIFY_SSL, + resp = requests.request("GET", url, verify=verify_ssl, auth=requests.auth.HTTPBasicAuth(client_id, client_secret)) if resp.status_code != 200: return False, "Code: %d. Message: %s." % (resp.status_code, resp.text) diff --git a/IM/tts/onetts.py b/IM/tts/onetts.py index d5d64d4f1..3142d865e 100644 --- a/IM/tts/onetts.py +++ b/IM/tts/onetts.py @@ -17,7 +17,7 @@ class ONETTSClient(): """ @staticmethod - def get_auth_from_tts(tts_url, one_server, token): + def get_auth_from_tts(tts_url, one_server, token, verify_ssl=False): """ Get username and password from the TTS service """ 
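Review bot: Defaulting `verify_ssl=False` in `get_user_info_request` and `get_token_introspection` means every caller that is not updated keeps contacting the issuer with certificate verification off, and dropping the `VERIFY_SSL` class attribute silently turns any external `OpenIDClient.VERIFY_SSL = True` override into a no-op instead of an error. Since `requests` already verifies by default, `def get_user_info_request(token, verify_ssl=True):` and `def get_token_introspection(token, client_id, client_secret, verify_ssl=True):` would keep the opt-out available through the new parameter while failing safe for unchanged callers. The introspection context line still sends the access token in a GET query string (`/introspect?token=...`), where it ends up in server and proxy logs; RFC 7662 specifies a POST with the token in the form body, which is worth a follow-up even though this commit does not touch that line. The same three hunks reappear verbatim in PATCH 09/10.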
@@ -30,7 +30,7 @@ def get_auth_from_tts(tts_url, one_server, token): host = parts[0] port = int(parts[1]) - ttsc = TTSClient(token, host, port, scheme) + ttsc = TTSClient(token, host, port, scheme, verify_ssl) success, svc = ttsc.find_service(one_server) if not success: From 8e1ebefa9552cd0719ecb65a2ad4f65f117d9850 Mon Sep 17 00:00:00 2001 From: micafer Date: Wed, 27 Jan 2021 09:08:08 +0100 Subject: [PATCH 02/10] Update docs --- doc/source/gstarted.rst | 2 ++ doc/source/radl.rst | 2 ++ 2 files changed, 4 insertions(+) diff --git a/doc/source/gstarted.rst b/doc/source/gstarted.rst index 646236235..b97a4a808 100644 --- a/doc/source/gstarted.rst +++ b/doc/source/gstarted.rst @@ -77,6 +77,8 @@ Cloud providers: * **appdb:///?**, for FedCloud OCCI connector using AppDB info (from ver. 1.6.0). * **docker://**, for Docker images. * **fbw:///**, for FogBow images. + * **lin://linode/**, for Linode images. + * **ora:///**, for Orange Flexible Engine images. See full information about RADL language at :ref:`radl`. More RADL examples are available at the IM GitHub repo `examples folder `_. diff --git a/doc/source/radl.rst b/doc/source/radl.rst index ef4fd56bf..3fc518725 100644 --- a/doc/source/radl.rst +++ b/doc/source/radl.rst @@ -313,6 +313,8 @@ machine. The supported features are: * ``appdb:///?``, for FedCloud OCCI or OpenStack connector using AppDB info (from vers. 1.6.0 and 1.8.6). * ``docker://``, for Docker images. * ``fbw:///``, for FogBow images. + * ``lin://linode/``, for Linode images. + * ``ora:///``, for Orange Flexible Engine images. In case of using a list of URLs, the IM will select the final image based on the credentials provided by the user. From 05c02f7396fd052b95703d1276fc10e1c4dac662 Mon Sep 17 00:00:00 2001 From: micafer Date: Wed, 27 Jan 2021 13:29:12 +0100 Subject: [PATCH 03/10] Fix ubuntu 20 ctxt issue --- contextualization/conf-ansible.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
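Review bot: `ttsc = TTSClient(token, host, port, scheme, verify_ssl)` passes the new flag as the fifth positional argument, so whether it actually reaches the TLS-verification setting depends on TTSClient's constructor order, which is not visible in this hunk; if the constructor names that parameter, passing it by keyword would make the intent checkable at the call site. `get_auth_from_tts` also defaults `verify_ssl=False`, so any caller other than the updated OpenNebula connector keeps unverified TTS connections. The function starts before this hunk and continues after it, and the same two hunks recur in PATCH 09/10.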
diff --git a/contextualization/conf-ansible.yml b/contextualization/conf-ansible.yml index f456c9f53..d8e75955d 100644 --- a/contextualization/conf-ansible.yml +++ b/contextualization/conf-ansible.yml @@ -77,7 +77,7 @@ when: ansible_os_family == "Debian" and not (ansible_distribution == "Ubuntu" and ansible_distribution_major_version|int >= 20) - name: Install pip in in Ubuntu 20+ - shell: wget https://bootstrap.pypa.io/get-pip.py && python2 get-pip.py warn=false creates=/usr/local/bin/pip2 chdir=/tmp + shell: wget https://bootstrap.pypa.io/2.7/get-pip.py && python2 get-pip.py warn=false creates=/usr/local/bin/pip2 chdir=/tmp when: ansible_distribution == "Ubuntu" and ansible_distribution_major_version|int >= 20 - name: Ubuntu 14 extra packages needed From f8e96ffad7dc00e7f50690185e70ad1cbf8614c0 Mon Sep 17 00:00:00 2001 From: micafer Date: Wed, 27 Jan 2021 13:45:03 +0100 Subject: [PATCH 04/10] Fix ubuntu 16 ctxt issue --- contextualization/conf-ansible.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/contextualization/conf-ansible.yml b/contextualization/conf-ansible.yml index d8e75955d..b3f962edc 100644 --- a/contextualization/conf-ansible.yml +++ b/contextualization/conf-ansible.yml @@ -136,8 +136,11 @@ ######################################### Use pip to enable to set the version ############################################# + # Version over 21 raises error in older S.O. as ubuntu 16 - name: Upgrade pip - pip: name=pip version=9.0.3 + pip: + name: pip>=9.0.3,<21.0 + executable: pip3 - name: Upgrade setuptools with Pip pip: name=setuptools state=latest From cff0113a8497737f30d110e8fbb8990d19b1244c Mon Sep 17 00:00:00 2001 From: micafer Date: Wed, 27 Jan 2021 15:32:34 +0100 Subject: [PATCH 05/10] Fix ubuntu 16 ctxt issue --- contextualization/conf-ansible.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/contextualization/conf-ansible.yml b/contextualization/conf-ansible.yml index b3f962edc..cd6f75571 100644 
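Review bot: The Ubuntu 20+ task still downloads `get-pip.py` and executes it under the privileged play user with no integrity check, so the only guarantee on the code being run is wget's TLS validation; moving the URL to the `2.7/` path does not change that. Splitting the step into a `get_url` download with a pinned `checksum:` followed by a `command` that runs the downloaded file makes the install verifiable and reproducible, and keeps the existing `creates` guard. The task name also has a doubled word, `Install pip in in Ubuntu 20+`.
```yaml
  - name: Download get-pip.py for Ubuntu 20+
    get_url:
      url: https://bootstrap.pypa.io/2.7/get-pip.py
      dest: /tmp/get-pip.py
      checksum: "sha256:<EXPECTED_SHA256_PLACEHOLDER>"
    when: ansible_distribution == "Ubuntu" and ansible_distribution_major_version|int >= 20

  - name: Install pip in Ubuntu 20+
    command: python2 /tmp/get-pip.py
    args:
      creates: /usr/local/bin/pip2
    when: ansible_distribution == "Ubuntu" and ansible_distribution_major_version|int >= 20
```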
--- a/contextualization/conf-ansible.yml +++ b/contextualization/conf-ansible.yml @@ -140,7 +140,6 @@ - name: Upgrade pip pip: name: pip>=9.0.3,<21.0 - executable: pip3 - name: Upgrade setuptools with Pip pip: name=setuptools state=latest From 89a77afa800c584a1709a4d4de098e4870d10934 Mon Sep 17 00:00:00 2001 From: micafer Date: Mon, 1 Feb 2021 12:05:57 +0100 Subject: [PATCH 06/10] Fix ctxt error in ubuntu 14 --- contextualization/conf-ansible.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/contextualization/conf-ansible.yml b/contextualization/conf-ansible.yml index cd6f75571..806daeb06 100644 --- a/contextualization/conf-ansible.yml +++ b/contextualization/conf-ansible.yml @@ -145,10 +145,6 @@ pip: name=setuptools state=latest when: ansible_os_family != "RedHat" or ansible_distribution_major_version|int > 6 - - name: Install pyOpenSSL - pip: name=pyOpenSSL state=latest - when: ansible_os_family != "RedHat" or ansible_distribution_major_version|int > 6 - - name: Ubuntu 14 extra pip packages needed to avoid https issues pip: name=urllib3,ndg-httpsclient,pyasn1 when: ansible_distribution == "Ubuntu" and ansible_distribution_major_version|int <= 14 @@ -157,6 +153,10 @@ pip: name=cryptography version=2.9.2 when: ansible_distribution == "Ubuntu" and ansible_distribution_major_version|int <= 14 + - name: Install pyOpenSSL + pip: name=pyOpenSSL state=latest + when: ansible_os_family != "RedHat" or ansible_distribution_major_version|int > 6 + - name: Install pkgs with Pip in RH6 pip: name="{{ item.name }}" version="{{ item.version }}" when: ansible_os_family == "RedHat" and ansible_distribution_major_version|int <= 6 From 40b7ec4c12cde4e6c100347e0ba3ea319c1a1457 Mon Sep 17 00:00:00 2001 From: micafer Date: Mon, 1 Feb 2021 12:22:45 +0100 Subject: [PATCH 07/10] Fix ctxt error in ubuntu 14 --- contextualization/conf-ansible.yml | 6 ++++++ 1 file changed, 6 insertions(+) 
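Review bot: `pip: name=pyOpenSSL state=latest` in the relocated task installs whatever pyOpenSSL is newest at run time with no version bound, so a future release that requires a cryptography newer than the `2.9.2` pinned just above it will break the Ubuntu 14 path this reorder is meant to protect, and the contextualization is not reproducible between runs. Pinning it the way the pip task does, e.g. `pip: name="pyOpenSSL<UPPER_BOUND_PLACEHOLDER"` with the bound taken from the version tested against cryptography 2.9.2, keeps the ordering fix from being undone upstream. The neighbouring `setuptools state=latest` task in the context lines has the same unpinned pattern.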
diff --git a/contextualization/conf-ansible.yml b/contextualization/conf-ansible.yml index 806daeb06..54c3cb61f 100644 --- a/contextualization/conf-ansible.yml +++ b/contextualization/conf-ansible.yml @@ -140,6 +140,12 @@ - name: Upgrade pip pip: name: pip>=9.0.3,<21.0 + when: not (ansible_distribution == "Ubuntu" and ansible_distribution_major_version|int <= 14) + + - name: Upgrade pip + pip: + name: pip>=9.0.3,<21.0 + when: ansible_distribution == "Ubuntu" and ansible_distribution_major_version|int <= 14 - name: Upgrade setuptools with Pip pip: name=setuptools state=latest From 79c049cf1a17099e08c84e6c258b326b264ce885 Mon Sep 17 00:00:00 2001 From: Miguel Caballer Date: Tue, 2 Feb 2021 08:27:08 +0100 Subject: [PATCH 08/10] Fix ctxt error in ubuntu 14 --- contextualization/conf-ansible.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/contextualization/conf-ansible.yml b/contextualization/conf-ansible.yml index 54c3cb61f..e226f1ef8 100644 --- a/contextualization/conf-ansible.yml +++ b/contextualization/conf-ansible.yml @@ -144,7 +144,7 @@ - name: Upgrade pip pip: - name: pip>=9.0.3,<21.0 + name: pip==9.0.3 when: ansible_distribution == "Ubuntu" and ansible_distribution_major_version|int <= 14 - name: Upgrade setuptools with Pip From f11b9a6d39a7d00aad14b848642452de284ca0e3 Mon Sep 17 00:00:00 2001 From: Miguel Caballer Date: Mon, 1 Mar 2021 10:39:03 +0100 Subject: [PATCH 09/10] Add fix to #1111 --- IM/InfrastructureManager.py | 5 +++-- IM/connectors/OpenNebula.py | 3 ++- IM/openid/OpenIDClient.py | 10 ++++------ IM/tts/onetts.py | 4 ++-- 4 files changed, 11 insertions(+), 11 deletions(-) diff --git a/IM/InfrastructureManager.py b/IM/InfrastructureManager.py index 06f1f6d85..eef047233 100644 --- a/IM/InfrastructureManager.py +++ b/IM/InfrastructureManager.py 
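Review bot: Both `Upgrade pip` tasks carry the same name and, within this commit, the same `pip>=9.0.3,<21.0` spec, so play output cannot show which branch ran and the `when:` split reads as a no-op until a later change differentiates the spec. Naming the added task for its condition, `- name: Upgrade pip (Ubuntu 14 and older)`, and putting a one-line comment above it on why Ubuntu 14 needs separate handling would make the intent readable on its own. The surrounding task list continues outside the hunk.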
@@ -1326,7 +1326,8 @@ def check_oidc_token(im_auth): if Config.OIDC_SCOPES and Config.OIDC_CLIENT_ID and Config.OIDC_CLIENT_SECRET: success, res = OpenIDClient.get_token_introspection(token, Config.OIDC_CLIENT_ID, - Config.OIDC_CLIENT_SECRET) + Config.OIDC_CLIENT_SECRET, + Config.VERIFI_SSL) if not success: raise InvaliddUserException("Invalid InfrastructureManager credentials. " "Invalid token or Client credentials.") @@ -1349,7 +1350,7 @@ def check_oidc_token(im_auth): try: # Now try to get user info - success, userinfo = OpenIDClient.get_user_info_request(token) + success, userinfo = OpenIDClient.get_user_info_request(token, Config.VERIFI_SSL) if success: # convert to username to use it in the rest of the IM im_auth['username'] = IM.InfrastructureInfo.InfrastructureInfo.OPENID_USER_PREFIX diff --git a/IM/connectors/OpenNebula.py b/IM/connectors/OpenNebula.py index a325ee006..489920727 100644 --- a/IM/connectors/OpenNebula.py +++ b/IM/connectors/OpenNebula.py @@ -288,7 +288,8 @@ def getSessionID(self, auth_data): return auth['username'] + ":" + passwd elif 'token' in auth: username, passwd = ONETTSClient.get_auth_from_tts(ConfigOpenNebula.TTS_URL, - self.cloud.server, auth['token']) + self.cloud.server, auth['token'], + Config.VERIFI_SSL) if not username or not passwd: raise Exception("Error getting ONE credentials using TTS.") auth["username"] = username diff --git a/IM/openid/OpenIDClient.py b/IM/openid/OpenIDClient.py index 547717963..8449f534e 100644 --- a/IM/openid/OpenIDClient.py +++ b/IM/openid/OpenIDClient.py @@ -24,10 +24,8 @@ class OpenIDClient(object): - VERIFY_SSL = False - @staticmethod - def get_user_info_request(token): + def get_user_info_request(token, verify_ssl=False): """ Get a the user info from a token """ 
@@ -35,7 +33,7 @@ def get_user_info_request(token): decoded_token = JWT().get_info(token) headers = {'Authorization': 'Bearer %s' % token} url = "%s%s" % (decoded_token['iss'], "/userinfo") - resp = requests.request("GET", url, verify=OpenIDClient.VERIFY_SSL, headers=headers) + resp = requests.request("GET", url, verify=verify_ssl, headers=headers) if resp.status_code != 200: return False, "Code: %d. Message: %s." % (resp.status_code, resp.text) return True, json.loads(resp.text) @@ -43,14 +41,14 @@ def get_user_info_request(token): return False, str(ex) @staticmethod - def get_token_introspection(token, client_id, client_secret): + def get_token_introspection(token, client_id, client_secret, verify_ssl=False): """ Get token introspection """ try: decoded_token = JWT().get_info(token) url = "%s%s" % (decoded_token['iss'], "/introspect?token=%s&token_type_hint=access_token" % token) - resp = requests.request("GET", url, verify=OpenIDClient.VERIFY_SSL, + resp = requests.request("GET", url, verify=verify_ssl, auth=requests.auth.HTTPBasicAuth(client_id, client_secret)) if resp.status_code != 200: return False, "Code: %d. Message: %s." % (resp.status_code, resp.text) diff --git a/IM/tts/onetts.py b/IM/tts/onetts.py index d5d64d4f1..3142d865e 100644 --- a/IM/tts/onetts.py +++ b/IM/tts/onetts.py @@ -17,7 +17,7 @@ class ONETTSClient(): """ @staticmethod - def get_auth_from_tts(tts_url, one_server, token): + def get_auth_from_tts(tts_url, one_server, token, verify_ssl=False): """ Get username and password from the TTS service """ @@ -30,7 +30,7 @@ def get_auth_from_tts(tts_url, one_server, token): host = parts[0] port = int(parts[1]) - ttsc = TTSClient(token, host, port, scheme) + ttsc = TTSClient(token, host, port, scheme, verify_ssl) success, svc = ttsc.find_service(one_server) if not success: From de04afc57ac3f9a7dea9f97a15844a09fa0b2b88 Mon Sep 17 00:00:00 2001 
From: Miguel Caballer Date: Mon, 1 Mar 2021 10:45:13 +0100 Subject: [PATCH 10/10] Merge 1_10_master --- contextualization/conf-ansible.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/contextualization/conf-ansible.yml b/contextualization/conf-ansible.yml index c9e66a6b2..ec8b67d67 100644 --- a/contextualization/conf-ansible.yml +++ b/contextualization/conf-ansible.yml @@ -174,10 +174,6 @@ pip: name=cryptography version=2.9.2 executable=pip3 when: ansible_distribution == "Ubuntu" and ansible_distribution_major_version|int <= 14 - - name: Install pyOpenSSL - pip: name=pyOpenSSL state=latest - when: ansible_os_family != "RedHat" or ansible_distribution_major_version|int > 6 - - name: Install pkgs with Pip in RH6 pip: name="{{ item.name }}" version="{{ item.version }}" executable=pip3 when: ansible_os_family == "RedHat" and ansible_distribution_major_version|int <= 6