
fermitools / htgettoken


Gets OIDC authentication tokens for High Throughput Computing via a Hashicorp vault server

License: Other

Python 67.27% Roff 20.84% Shell 11.50% Makefile 0.39%

htgettoken's People

Contributors: dbox-fnal, drdaved, duncanmmacleod, illingwo
htgettoken's Issues

htdestroytoken doesn't always force getting a new bearer token

It would be nice if htdestroytoken would force getting a new bearer token, but because vault caches the bearer token in a different plugin than the ones used to create vault tokens, that is not always the case. Since htgettoken doesn't know what the default minsecs is, it doesn't have an easy way to force getting a new bearer token when a new vault token is retrieved (unless it was via oidc authentication which also updates the refresh token). It may require a change to the protocol with the puppetlabs vault plugin.

Use new secrets API for token exchange

All the htvault-config servers have been upgraded to a version that supports the new sts API for token exchange. Use that instead of relying on my custom patch that adds support for scopes and audience to the creds API.

htgettoken crashes if --nobearertoken is given and credkey is not found or specified

If htgettoken is executed with the --nobearertoken option and a --credkey is not given or found in ~/.config then it crashes:

$ htgettoken --nobearertoken
Traceback (most recent call last):
  File "/home/duncan/opt/mambaforge/envs/py311/bin/htgettoken", line 1488, in <module>
    main()
  File "/home/duncan/opt/mambaforge/envs/py311/bin/htgettoken", line 936, in main
    fullsecretpath = secretpath.replace("%credkey", credkey)
                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
TypeError: replace() argument 2 must be str, not None

It looks like this was introduced by 48fa256.

Audience may include space

Update htgettoken documentation to mention that multiple space-separated audiences may be provided to the --audience option.

Tag/release for 1.9.1?

@DrDaveD, is there a GitHub tag/release for 1.9.1? I'm looking for the 'official' source distribution (tarball) with which to prepare a conda package.

errors with python 3.8

Running htgettoken fails under python3.8, with the following error (and a warning):

python3 ./htgettoken -i $VO -a $VAULT_SERVER
./htgettoken:961: SyntaxWarning: "is" with a literal. Did you mean "=="?
  if auth_url is "":
Attempting to get token from [VAULT_SERVER] ...Traceback (most recent call last):
  File "./htgettoken", line 1146, in <module>
    main()
  File "./htgettoken", line 841, in main
    bearertoken = getBearerToken(opener, vaultserver,
  File "./htgettoken", line 430, in getBearerToken
    body = handle.read()
  File "/usr/local/lib/python3.8/http/client.py", line 472, in read
    s = self._safe_read(self.length)
  File "/usr/local/lib/python3.8/http/client.py", line 615, in _safe_read
    raise IncompleteRead(data, amt-len(data))
http.client.IncompleteRead: IncompleteRead(1025 bytes read, 307 more expected)

I've replicated this error on SL7 with Python 3.8.12 (compiled from source), and on MacOS Big Sur 11.5.2 arm64 with Python 3.8.11 (installed from nixpkgs).

Provide Python library interface

As discussed in #40 (comment), I think it would be extremely useful to expose a Python interface to htgettoken as well as the current shell executable interface.

This ticket is an epic metaticket that aims to track what I think are the necessary steps to achieving the above.

  • #35
  • #59
  • Augment Python API to provide htgettoken.get_token() user interface

Add htdestroytoken command

Make an htdestroytoken script to remove the current user's bearer and vault tokens. In fact consider removing /tmp/vt_u$(id -u)* to delete any tokens also created by condor_vault_storer.

Add CI pipeline

In order to validate future development/changes, a Github Actions CI pipeline should be added.

I am happy to do this.

Replace fatal() Python function with exception

In htgettoken.py the fatal() function prints a message before halting execution with a non-zero exit code (via sys.exit). Is there any objection to me refactoring calls to this function to instead raise standard Python exception types?

The impact on the standard command-line execution would be that a traceback is printed (currently that is not printed).

IMO, this will greatly assist the planned Python interface by providing an interface for users to catch exceptions and handle them in a bespoke manner.
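One way to do the refactor discussed above without changing what command-line users see, as an added example that is not htgettoken's code: library functions raise a dedicated exception, and only the entry point turns it into the one-line `htgettoken: ...` message and exit status that `fatal()` produced, while Python callers catch the exception themselves. `get_secret_path` is a hypothetical stand-in for the `%credkey` substitution whose `TypeError` is reported elsewhere on this page, and the `path/%credkey` template is a placeholder, not a real vault path.

```python
import sys


class HTGetTokenError(Exception):
    """Raised by library code where fatal() used to call sys.exit()."""

    def __init__(self, message, exit_code=1):
        super().__init__(message)
        self.exit_code = exit_code


def get_secret_path(secretpath, credkey):
    """Hypothetical stand-in for the %credkey substitution.

    A missing credkey becomes a message for the user rather than a
    TypeError from str.replace().
    """
    if not credkey:
        raise HTGetTokenError(
            "no credkey given and none found in ~/.config; pass --credkey")
    return secretpath.replace("%credkey", credkey)


def run_cli(work, stderr=None):
    """Entry-point wrapper for the command-line program.

    HTGetTokenError is printed the way fatal() printed it and mapped to an
    exit status; any other exception is a genuine bug and keeps its
    traceback. Returns the exit status for sys.exit().
    """
    try:
        work()
    except HTGetTokenError as err:
        print(f"htgettoken: {err}", file=stderr or sys.stderr)
        return err.exit_code
    return 0


def as_library_call(credkey):
    """How a Python caller handles the same failure: catch it and decide."""
    try:
        return get_secret_path("path/%credkey", credkey)
    except HTGetTokenError:
        return None


if __name__ == "__main__":
    # Reproduces the --nobearertoken situation: no credkey available.
    sys.exit(run_cli(lambda: get_secret_path("path/%credkey", None)))
```

The wrapper is the only place that knows about exit codes, so adding a Python API later needs no change to the functions that used to call `fatal()`.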

kerberos workflow requires initial pass of OIDC workflow

Invoking htgettoken for the first time appears to always require an initial pass through the browser workflow, which generates the ~/.config/htgettoken/credkey-ligo-default file, even when we have a valid Kerberos ticket.

E.g.:

$ kinit albert.einstein
Password for ...
$ htgettoken -v -a vault.ligo.org -i ligo
Attempting OIDC authentication with https://vault.ligo.org:8200

Complete the authentication via web browser at:
...

After which I can skip the browser step as normal in subsequent invocations.

Is this known/expected behavior? It generated some very minor confusion earlier where a new user was expecting to skip the browser step.

htgettoken hangs if lynx is installed

The xdg-open command that htgettoken calls when authorizing an OIDC connection hangs if lynx is installed. Timeout & kill the process if it takes more than 5 or 10 seconds.
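An added example (not htgettoken's code) of running the opener so that a text-mode browser cannot block the token flow: the child gets its own session with its standard streams detached, and the whole process group is killed if it has not returned within the timeout. The command list is a parameter so the behaviour can be exercised with any command; the `__main__` block uses `xdg-open` with a placeholder URL purely as an illustration.

```python
import os
import signal
import subprocess


def run_web_open(cmd, timeout=10.0):
    """Launch a URL-opening command without letting it hang the caller.

    Returns "ok" on a clean exit, "failed" if the command is missing or
    exits non-zero, and "timeout" if it had to be killed.

    stdin/stdout/stderr are detached so a text browser such as lynx, which
    xdg-open may pick when it finds no graphical browser, cannot take over
    the terminal. start_new_session puts xdg-open and anything it spawns in
    one process group, so a timeout kills the browser too, not just the
    wrapper script.
    """
    try:
        proc = subprocess.Popen(
            cmd,
            stdin=subprocess.DEVNULL,
            stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL,
            start_new_session=True,
        )
    except OSError:
        return "failed"
    try:
        rc = proc.wait(timeout=timeout)
    except subprocess.TimeoutExpired:
        pgid = os.getpgid(proc.pid)
        os.killpg(pgid, signal.SIGTERM)
        try:
            proc.wait(timeout=2)
        except subprocess.TimeoutExpired:
            os.killpg(pgid, signal.SIGKILL)
            proc.wait()
        return "timeout"
    return "ok" if rc == 0 else "failed"


def open_url(url, timeout=10.0):
    """Try the platform opener. On anything but "ok" the caller should fall
    back to printing the URL for the user to paste, as htgettoken already
    does when no web open command is defined."""
    return run_web_open(["xdg-open", url], timeout=timeout)


if __name__ == "__main__":
    print(open_url("https://example.invalid/device"))  # placeholder URL
```

Ten seconds is generous for a graphical browser, which xdg-open normally hands off to almost immediately; the point is that the device-code prompt on the console stays usable whatever the opener does.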

Missing man pages

There should be a man page for each of the helper commands not just htgettoken.

--nobearertoken option not working with ssh authentication token renewal

We are using ssh keys to renew tokens for a service account, and when I attempt to use --nobearertoken to only renew the vault token I get the following error:

htgettoken --nobearertoken --nooidc -v -a htvault.jlab.org -i issuername -r role
Initializing kerberos client for [email protected]
Kerberos init failed: GSSError: Unspecified GSS failure. Minor code may provide more information. SPNEGO cannot find mechanisms to negotiate.
Getting ssh nonce from https://htvault.jlab.org:8200/v1/auth/ssh/nonce
Connecting to 129.57.198.176
Attempting to login with ssh key1 at https://htvault.jlab.org:8200/v1/auth/ssh/login
Logging in with ssh key1 failed: HTTPError: HTTP Error 400: Bad Request: role must be provided
htgettoken: Failure getting token from https://htvault.jlab.org:8200

httokendecode -H sometimes cannot parse htgettoken-obtained token

We're noticing with mu2e's tokens that httokendecode -H fails, but httokendecode works. The hangup seems to be that the human_dates function in httokendecode is choking on one of the scopes, but it's not clear to me why. Here are steps to reproduce:

Version of htgettoken: 1.15

$ htgettoken -a htvaultprod.fnal.gov -i mu2e
Attempting OIDC authentication with https://htvaultprod.fnal.gov:8200

Complete the authentication at:
    https://cilogon.org/device/?user_code=QLT-HKH-TJK
No web open command defined, please copy/paste the above to any web browser
Waiting for response in web browser
Storing vault token in /tmp/vt_u10610
Saving credkey to /home/sbhat/.config/htgettoken/credkey-mu2e-default
Saving refresh token ... done
Attempting to get token from https://htvaultprod.fnal.gov:8200 ... succeeded
Storing bearer token in /run/user/10610/bt_u10610
$ httokendecode
{
  "wlcg.ver": "1.0",
  "aud": "https://wlcg.cern.ch/jwt/v1/any",
  "sub": <redacted>, 
  "nbf": 1671833600,
  "scope": "storage.create:/mu2e/scratch/users/sbhat storage.read:/mu2e compute.create compute.read compute.cancel compute.modify storage.modify:/mu2e/scratch/users/sbhat",
  "iss": "https://cilogon.org/mu2e",
  "exp": 1671844405,
  "iat": 1671833605,
  "wlcg.groups": [
    "/mu2e"
  ],
  "jti": <redacted>
}
$ httokendecode -H
date: invalid date ‘@storage.read:/mu2e’
parse error: Expected separator between values at line 1, column 303
$

This issue was originally raised by @rlcee when testing jobsub_lite, and is reproducible on multiple machines.

Please let me know if you need any more information from me. Thanks!
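The two error messages above (a `date` call receiving a scope fragment, then a JSON parse error) point at the timestamps being rewritten in the serialized JSON text, where a value such as `storage.read:/mu2e` can be picked up by mistake. The following is an added example, not code from htgettoken or httokendecode, that decodes the payload and converts only the claims known to hold timestamps, keyed by claim name. The token it decodes is constructed inline from the claims shown above, with placeholder `sub` and `jti` values and an empty signature; `make_unsigned_token` exists only to build that sample.

```python
import base64
import json
from datetime import datetime, timezone

# Claims the JWT and WLCG profiles define as seconds since the Unix epoch.
TIME_CLAIMS = ("exp", "iat", "nbf", "auth_time")


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_payload(token):
    """Return the claims of a compact JWS as a dict.

    This is a decode, not a verification: like httokendecode it does not
    check the signature, so use it for inspection only.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def human_dates(claims):
    """Return a copy of claims with timestamp claims rendered as ISO 8601 UTC.

    Conversion is keyed on the claim name and applied to the parsed value,
    so string claims such as 'scope' are never mistaken for timestamps,
    whatever characters they contain.
    """
    out = dict(claims)
    for name in TIME_CLAIMS:
        value = out.get(name)
        if isinstance(value, (int, float)) and not isinstance(value, bool):
            out[name] = datetime.fromtimestamp(value, tz=timezone.utc).isoformat()
    return out


def make_unsigned_token(claims):
    """Build an alg=none token for the sample below. Test fixture only:
    never accept such a token from a real client."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


# Constructed sample reproducing the claims in the report above
# ('sub' and 'jti' are placeholders standing in for the redacted values).
SAMPLE_CLAIMS = {
    "wlcg.ver": "1.0",
    "aud": "https://wlcg.cern.ch/jwt/v1/any",
    "sub": "redacted-subject",
    "nbf": 1671833600,
    "scope": ("storage.create:/mu2e/scratch/users/sbhat storage.read:/mu2e "
              "compute.create compute.read compute.cancel compute.modify "
              "storage.modify:/mu2e/scratch/users/sbhat"),
    "iss": "https://cilogon.org/mu2e",
    "exp": 1671844405,
    "iat": 1671833605,
    "wlcg.groups": ["/mu2e"],
    "jti": "redacted-jti",
}
SAMPLE_TOKEN = make_unsigned_token(SAMPLE_CLAIMS)

if __name__ == "__main__":
    print(json.dumps(human_dates(decode_payload(SAMPLE_TOKEN)), indent=2))
```

Working on the parsed object rather than the JSON text is what makes the scope string harmless here; the same approach in a shell script would be `jq` expressions over the claim names rather than a regex over the serialized output.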

--nobearertoken not behaving fully as described

The help message for --nobearertoken says it will get a vault token, not a bearer token. It actually does get one, but in many cases it will not store the vault token as one would expect from the description.

certificate verify failed running htgettoken from laptop

When attempting to run htgettoken from a conda environment on my laptop I get this:

$ python htgettoken -a fermicloud543.fnal.gov -i ligo
Attempting OIDC authentication with https://fermicloud543.fnal.gov:8200

htgettoken: Initiating authentication to https://fermicloud543.fnal.gov:8200 failed: SSLError: certificate verify failed

This does not happen from ldas-pcdev4.ligo.caltech.edu using the same set of conda packages. Is there some sort of domain/IP whitelisting for the LIGO issuer?

Add setuptools/poetry build script

It would be great to have a setup.py (setuptools) or pyproject.toml (for poetry) to make building/installing this 'package' on different platforms much easier (I'm thinking about Windows in particular here), rather than manually copying files to the target directories.

If @DrDaveD is open to that I can write up a prototype and propose a pull request.

Add support for default issuer and vaultserver options

It would be great to be able to configure an environment with default values for the -i/--issuer and -a/--vaultserver options, so that instead of running htgettoken -a vault.ligo.org -i ligo, users can run just

htgettoken

Can support be added for HTGETTOKEN_ISSUER and HTGETTOKEN_VAULTSERVER environment variables, or similar?

Disable oidc when not on a tty

Make nooidc the default when stdout & stderr are both not a tty, to prevent people from trying to use it from a background script.

htgettoken should verify the scopes present in the returned token

Per the WLCG Profile:

If an entity is not entitled to a capability, the scope requested may be ignored by the server and the corresponding token may not have the corresponding claims; in this case, section 3.3 of RFC 6749 requires the token issuer to inform the client. A server may also return an error during the authorization request. Client software implementations should always verify the scopes present in the returned token.
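A check of the kind the profile calls for, as an added example rather than htgettoken code. It takes the requested scope and audience strings in the space-separated form that `--audience` accepts and the claims of an already decoded token (here a constructed dict copied from the mu2e token shown earlier on this page). The path-prefix rule for `storage.*` scopes follows the hierarchical reading of the path qualifier in the WLCG profile; treat that rule as an assumption to confirm against your issuer's policy.

```python
def parse_space_list(value):
    """RFC 6749 section 3.3 scope strings, and htgettoken's --audience
    option, are space-separated lists."""
    return value.split()


def scope_covers(granted, requested):
    """True if one granted scope satisfies one requested scope.

    Unqualified capabilities (compute.read) must match exactly. For a
    path-qualified scope such as storage.read:/mu2e the path is treated as
    a directory prefix, so it covers storage.read:/mu2e/scratch but neither
    storage.read:/mu2e2 nor the broader storage.read:/.
    """
    if granted == requested:
        return True
    g_cap, g_sep, g_path = granted.partition(":")
    r_cap, r_sep, r_path = requested.partition(":")
    if g_cap != r_cap or not (g_sep and r_sep):
        return False
    g_parts = [p for p in g_path.split("/") if p]
    r_parts = [p for p in r_path.split("/") if p]
    return r_parts[:len(g_parts)] == g_parts


def missing_scopes(requested, claims):
    """Requested scopes that no scope in the token's 'scope' claim covers."""
    granted = parse_space_list(claims.get("scope", ""))
    return [r for r in parse_space_list(requested)
            if not any(scope_covers(g, r) for g in granted)]


def missing_audiences(requested, claims):
    """Requested audiences absent from 'aud', which RFC 7519 allows to be
    either a single string or a list."""
    aud = claims.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    return [a for a in parse_space_list(requested) if a not in aud]


def verify_token_claims(requested_scopes, requested_audiences, claims):
    """Raise ValueError if the issuer dropped anything the client asked for;
    return True otherwise. Intended to run right after the token exchange,
    before the bearer token is stored for other tools to pick up."""
    problems = []
    lost = missing_scopes(requested_scopes, claims)
    if lost:
        problems.append("scopes not granted: " + " ".join(lost))
    lost = missing_audiences(requested_audiences, claims)
    if lost:
        problems.append("audiences not granted: " + " ".join(lost))
    if problems:
        raise ValueError("; ".join(problems))
    return True


# Constructed claims, copied from the mu2e token shown earlier on this page.
SAMPLE_CLAIMS = {
    "aud": "https://wlcg.cern.ch/jwt/v1/any",
    "scope": ("storage.create:/mu2e/scratch/users/sbhat storage.read:/mu2e "
              "compute.create compute.read compute.cancel compute.modify "
              "storage.modify:/mu2e/scratch/users/sbhat"),
    "iss": "https://cilogon.org/mu2e",
}

if __name__ == "__main__":
    # Everything requested here is covered, so this passes silently.
    verify_token_claims("storage.read:/mu2e/scratch compute.read",
                        "https://wlcg.cern.ch/jwt/v1/any", SAMPLE_CLAIMS)
    # storage.create was granted only below /mu2e/scratch/users/sbhat, so a
    # request for all of /mu2e must be reported, not silently accepted.
    try:
        verify_token_claims("storage.create:/mu2e",
                            "https://wlcg.cern.ch/jwt/v1/any", SAMPLE_CLAIMS)
    except ValueError as err:
        print(err)
```

The check deliberately fails closed when the granted path is narrower than the requested one: a job that later tries to write outside the granted subtree would otherwise fail far from the place where the token was obtained.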

Catch un-writeable areas

On a Fermilab-managed interactive server, when attempting to get a token while the user's Kerberos ticket has expired, the process fails because the user's home area is not writable without a Kerberos ticket. Suggest catching the error and exiting gracefully.

mu2egpvm01 ~ > htgettoken -i mu2e --vaultserver fermicloud543.fnal.gov
/bin/bash: /nashome/r/rlc/.bashrc: Key has expired
Attempting OIDC authentication with https://fermicloud543.fnal.gov:8200

Complete the authentication via web browser at:
https://cilogon.org/device/?user_code=NVJ-VXV-DD6
No web open command defined, please open URL manually
Waiting for response in web browser
Storing vault token in /tmp/vt_u1311
Saving credkey to /nashome/r/rlc/.config/htgettoken/credkey-mu2e-default
Traceback (most recent call last):
  File "htgettoken", line 1079, in main
  File "os.py", line 210, in makedirs
  File "os.py", line 210, in makedirs
  File "os.py", line 210, in makedirs
  File "os.py", line 220, in makedirs
OSError: [Errno 127] Key has expired: '/nashome/r'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "htgettoken", line 1135, in
  File "htgettoken", line 1081, in main
NameError: name 'configdir' is not defined
[8522] Failed to execute script 'htgettoken' due to unhandled exception!
