CMSCompOps / WmAgentScripts

CMS Workflow Team Scripts

Use auth-get-sso-cookie package for requesting SSO cookies #1203

Closed ggonzr closed 8 months ago

ggonzr commented 1 year ago

Use the “auth-get-sso-cookie” CLI package instead of “cern-get-sso-cookie” for requesting an SSO cookie to authenticate to McM. This update is related to CERN’s SSO migration [1]. Please be sure this new CLI package is available in your runtime environment. If you need more details about how to install it or how the new package works, please see the documentation available in [2].

References

[1] CERN SSO migration: https://cern.service-now.com/service-portal?id=outage&n=OTG0072195

[2] Command line tools – CERN Authentication team docs: https://auth.docs.cern.ch/applications/command-line-tools/

Fixes #1202

Status

not-tested

Description

Update McM client

Is it backward compatible (if not, which system it affects?)

YES

External dependencies / deployment changes

External packages: auth-get-sso-cookie. For more details, please see: https://auth.docs.cern.ch/applications/command-line-tools/

Mention people to look at PRs

@z4027163

haozturk commented 11 months ago

Hi @ggonzr thanks for the PR. Currently, we cannot get the cookie for McM with this tool. Are we going to be able to get it when you enable it tomorrow?

We can get it for JIRA for instance, so I don't think we have a problem on our side.

[cmsunified@vocms0272 install]$ auth-get-sso-cookie -u https://its.cern.ch/jira/loginCern.jsp  -o jira_cookie.txt 
[cmsunified@vocms0272 install]$ 
[cmsunified@vocms0272 install]$ auth-get-sso-cookie -u https://cms-pdmv.cern.ch/mcm/ -o mcm_cookie.txt 
ERROR: An error occurred while trying to log in and save cookies.
ERROR: HTTPSConnectionPool(host='cms-pdmv.cern.ch', port=443): Max retries exceeded with url: /mcm/ (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:877)'),))
[cmsunified@vocms0272 install]$

ggonzr commented 11 months ago

Hi @haozturk, thanks for the feedback. I forgot something: McM is currently exposed by a vocms VM, so it is required to provide the CERN CA bundle to properly verify this VM’s certificate. I have included a new commit to solve this. Please can you test the following script and tell me if it works?

Thanks

Best regards

Geovanny

Script:

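#!/bin/bash

# Page to request the SSO cookie for, and the file to write the cookie to
export URL='https://cms-pdmv.cern.ch/mcm/'
export OUTPUT="$(pwd)/cookie.txt"
# Point Requests at the VM CA bundle, which includes the CERN CA certificates
export REQUESTS_CA_BUNDLE='/etc/pki/tls/certs/ca-bundle.trust.crt'
auth-get-sso-cookie -u "$URL" -o "$OUTPUT" -vv

haozturk commented 11 months ago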

Thanks @ggonzr we didn't have to do this before and it was working fine. What has changed now so that we have to do this extra step?

ggonzr commented 11 months ago

Hi @haozturk, thanks for the answer. There are no changes on the PdmV side. I am not completely sure, but there is an issue related to the auth-get-sso-cookie package (built using the Requests library) and the runtime environment for the client (e.g. vocms0272 on your side and pdmvserv@lxplus.cern.ch, another example which also raises the same problem). As shared in the last comment, it is required to provide the “CERN Grid Certificate Authority” certificate to properly validate the upstream connection to McM. By default, Requests uses the CA certificates reachable from a package called “certifi” to validate a connection to an HTTPS service, so if the CERN CA certificates are not reachable from it, it is going to fail. One option to include them is to use the VM CA bundle that includes the CERN CA certs via the REQUESTS_CA_BUNDLE environment variable.

The reason why the example you shared works is that the JIRA page certificate is issued by Sectigo and not by CERN, so it is not required to use the CERN CA certificate to verify it. To conclude, I am including some stack traces that describe this issue.

Thanks

Best regards

Geovanny

[pdmvserv@lxplus792 ~]$ auth-get-sso-cookie -u 'https://cms-pdmv.cern.ch/mcm/' -o cookie.txt
ERROR: An error occurred while trying to log in and save cookies.
ERROR: HTTPSConnectionPool(host='cms-pdmv.cern.ch', port=443): Max retries exceeded with url: /mcm/ (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:877)'),))
[pdmvserv@lxplus792 ~]$ export REQUESTS_CA_BUNDLE='/etc/pki/tls/certs/ca-bundle.trust.crt'
[pdmvserv@lxplus792 ~]$ auth-get-sso-cookie -u 'https://cms-pdmv.cern.ch/mcm/' -o cookie.txt
[pdmvserv@lxplus792 ~]$ curl --cookie cookie.txt 'https://cms-pdmv.cern.ch/mcm/'
<!DOCTYPE html>
<html lang="eng" ng-app="testApp" xmlns:ng="http://angularjs.org" id="ng-app">

<head>
  <title>McM</title>
  <base href="/mcm/">
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
.....
<Output cut: It displays McM Home Page>
.....
[pdmvserv@lxplus792 ~]$

# Other runtime environments don't expose this behaviour, for instance:
[geovanny@lxplus901 ~]$ auth-get-sso-cookie -u 'https://cms-pdmv.cern.ch/mcm/' -o cookie.txt
[geovanny@lxplus901 ~]$
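
The CA lookup described in the comment above, as an added example (not part of the thread and not code from auth-get-sso-cookie): it reproduces the order in which Requests chooses its CA file when `verify` is left at its default, and checks whether a given bundle alone can verify a host. The `"cern"` search string and the sample certificate dictionaries are constructed assumptions.

```python
import os
import socket
import ssl
import sys

# Constructed sample in the shape SSLContext.get_ca_certs() returns (not real CA data).
SAMPLE_CERTIFI = [{"subject": ((("organizationName", "Example Public CA"),),)}]
SAMPLE_SYSTEM = SAMPLE_CERTIFI + [{"subject": (
    (("domainComponent", "cern"),), (("commonName", "Example CERN CA"),))}]


def effective_ca_bundle(env, certifi_path):
    """CA file Requests uses by default: REQUESTS_CA_BUNDLE, CURL_CA_BUNDLE, certifi."""
    return env.get("REQUESTS_CA_BUNDLE") or env.get("CURL_CA_BUNDLE") or certifi_path


def bundle_has_ca(ca_certs, needle):
    """True if any subject attribute of any CA certificate contains needle."""
    needle = needle.lower()
    return any(needle in value.lower()
               for cert in ca_certs
               for rdn in cert.get("subject", ())
               for _key, value in rdn)


def handshake_ok(host, cafile, port=443, timeout=10):
    """Verify host's chain against cafile only; return (ok, reason)."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.load_verify_locations(cafile=cafile)
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True, ""
    except (ssl.SSLError, OSError) as exc:  # includes a missing bundle file
        return False, str(exc)


if __name__ == "__main__":
    import certifi  # the package Requests takes its default bundle from
    bundles = {"certifi": certifi.where(),
               "effective": effective_ca_bundle(os.environ, certifi.where())}
    for label, path in bundles.items():
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.load_verify_locations(cafile=path)
        print(label, path, "CERN CA present:", bundle_has_ca(ctx.get_ca_certs(), "cern"))
        if len(sys.argv) > 1:  # network check only when a host is given
            print("  handshake:", handshake_ok(sys.argv[1], path))
```

Run without arguments it only inspects the bundles on disk; pass a hostname to also attempt a verified handshake against each bundle.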