Merge pull request PanDAWMS#450 from PanDAWMS/oidc

Fixes for OIDC-x509 co-existence
tmaeno · Nov 7, 2024 · 02abe5d · 02abe5d
2 parents e27e97c + 733d333
commit 02abe5d
Showing 1 changed file with 21 additions and 11 deletions.
diff --git a/pandaserver/userinterface/Client.py b/pandaserver/userinterface/Client.py
@@ -9,7 +9,6 @@
 import socket
 import sys
 import tempfile
-from cgi import logfile
 
 import requests
 from pandacommon.pandautils.net_utils import replace_hostname_in_url_randomly
@@ -18,6 +17,8 @@
 baseURL = os.environ.get("PANDA_URL", "http://pandaserver.cern.ch:25080/server/panda")
 baseURLSSL = os.environ.get("PANDA_URL_SSL", "https://pandaserver.cern.ch:25443/server/panda")
 
+DEFAULT_CERT_PATH = "/etc/grid-security/certificates"
+
 # exit code
 EC_Failed = 255
 
@@ -62,9 +63,10 @@ def __init__(self):
         self.id_token = os.getenv("PANDA_AUTH_ID_TOKEN") if self.oidc else None
 
     def _x509(self):
-        # retrieve the X509_USER_PROXY from the environment variables
+        # retrieve the X509_USER_PROXY from the environment variables and check if it is readable
         try:
-            return os.environ["X509_USER_PROXY"]
+            if "X509_USER_PROXY" in os.environ and os.access(os.environ["X509_USER_PROXY"], os.R_OK):
+                return os.environ["X509_USER_PROXY"]
         except Exception:
             pass
 
@@ -80,7 +82,10 @@ def _x509(self):
     def _prepare_url(self, url):
         """Modify URL with HTTPS check and hostname replacement."""
         use_https = is_https(url)
-        modified_url = replace_hostname_in_url_randomly(url)
+        if "PANDA_BEHIND_REAL_LB" in os.environ:
+            modified_url = url
+        else:
+            modified_url = replace_hostname_in_url_randomly(url)
         return modified_url, use_https
 
     def _prepare_headers(self):
@@ -98,17 +103,23 @@ def _prepare_headers(self):
 
     def _prepare_ssl(self, use_https):
         """Prepare SSL configuration based on HTTPS usage and verification settings."""
-        cert = None
-        verify = True
+        cert = None  # no certificate by default when no HTTS or using oidc headers
+        verify = True  # validate against default system CA certificates
+
         if use_https:
-            cert = (self.ssl_certificate, self.ssl_key)
+            # oidc tokens are added to the headers, we don't need to provide a certificate
+            if not self.oidc:
+                cert = (self.ssl_certificate, self.ssl_key)
 
+            # the host verification has been disabled in the configuration
             if not self.verifyHost:
                 verify = False
-            elif "X509_CERT_DIR" in os.environ:
+            # there is a path to the CA certificate folder and it exists
+            elif "X509_CERT_DIR" in os.environ and os.path.exists(os.environ["X509_CERT_DIR"]):
                 verify = os.environ["X509_CERT_DIR"]
-            elif os.path.exists("/etc/grid-security/certificates"):
-                verify = "/etc/grid-security/certificates"
+            # the CA certificate folder is available in the standard location
+            elif os.path.exists(DEFAULT_CERT_PATH):
+                verify = DEFAULT_CERT_PATH
 
         return cert, verify
 
@@ -150,7 +161,6 @@ def post_files(self, url, data):
                 else:
                     # we got a file to upload which specifies the destination name
                     files[key] = (data[key][0], open(data[key][1], "rb"))
-            print(f"cert: {cert}, verify: {verify}")
             response = requests.post(url, headers=headers, files=files, timeout=600, cert=cert, verify=verify)
             response.raise_for_status()
             return 0, response.text