From 167e4944dd0ed7e64ff8e343ca286d9c63b39be5 Mon Sep 17 00:00:00 2001 From: tmaeno Date: Tue, 16 Jul 2024 09:15:20 +0200 Subject: [PATCH 1/2] added get_access_token --- pandaserver/jobdispatcher/JobDispatcher.py | 21 +++++++++++---------- pandaserver/server/panda.py | 1 + pandaserver/srvcore/allowed_methods.py | 1 + pandaserver/srvcore/panda_request.py | 7 ++++++- 4 files changed, 19 insertions(+), 11 deletions(-) diff --git a/pandaserver/jobdispatcher/JobDispatcher.py b/pandaserver/jobdispatcher/JobDispatcher.py index 0d9d81fad..d14723168 100755 --- a/pandaserver/jobdispatcher/JobDispatcher.py +++ b/pandaserver/jobdispatcher/JobDispatcher.py @@ -819,7 +819,7 @@ def getResourceTypes(self, timeout, accept_json): return response.encode(accept_json) # get proxy - def get_proxy(self, real_distinguished_name, role, target_distinguished_name, tokenized, token_key) -> str | dict: + def get_proxy(self, real_distinguished_name: str, role: str | None, target_distinguished_name: str | None, tokenized: bool, token_key: str | None) -> dict: """ Get proxy for a user with a role @@ -830,7 +830,7 @@ def get_proxy(self, real_distinguished_name, role, target_distinguished_name, to :param tokenized: whether the response should contain a token instead of a proxy :param token_key: key to get the token from the token cache - :return: response in URL encoded string or dictionary + :return: response in dictionary """ if target_distinguished_name is None: target_distinguished_name = real_distinguished_name 
@@ -1666,18 +1666,19 @@ def getKeyPair(req, publicKeyName, privateKeyName): # get proxy -def getProxy(req, role=None, dn=None, tokenized=None, token_key=None): +def getProxy(req, role=None, dn=None): # get DN realDN = _getDN(req) if role == "": role = None - if isinstance(tokenized, bool): - pass - elif tokenized == "True": - tokenized = True - else: - tokenized = False - return jobDispatcher.get_proxy(realDN, role, dn, tokenized, token_key) + return jobDispatcher.get_proxy(realDN, role, dn, False, None) + + +# get access token +def get_access_token(req, client_name, token_key=None): + # get DN + real_dn = _getDN(req) + return jobDispatcher.get_proxy(real_dn, None, client_name, True, token_key) # get a token key diff --git a/pandaserver/server/panda.py b/pandaserver/server/panda.py index 9e739d860..337ad7da1 100755 --- a/pandaserver/server/panda.py +++ b/pandaserver/server/panda.py @@ -31,6 +31,7 @@ checkEventsAvailability, checkJobStatus, genPilotToken, + get_access_token, get_events_status, get_max_worker_id, get_token_key, diff --git a/pandaserver/srvcore/allowed_methods.py b/pandaserver/srvcore/allowed_methods.py index 9d3351252..7b8b4b1ae 100644 --- a/pandaserver/srvcore/allowed_methods.py +++ b/pandaserver/srvcore/allowed_methods.py @@ -32,6 +32,7 @@ "updateEventRanges", "getDNsForS3", "getProxy", + "get_access_token", "get_token_key", "getCommands", "ackCommands", diff --git a/pandaserver/srvcore/panda_request.py b/pandaserver/srvcore/panda_request.py index fae149e3f..a20c0c388 100644 --- a/pandaserver/srvcore/panda_request.py +++ b/pandaserver/srvcore/panda_request.py 
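Review bot: `get_access_token` passes whatever `_getDN(req)` returned, plus a `token_key` that defaults to `None`, straight into `jobDispatcher.get_proxy(real_dn, None, client_name, True, token_key)`, so every check on who may obtain a token for `client_name` has to happen inside `get_proxy`, which this hunk does not show. The same patch lists the method in `allowed_methods.py`, which presumably exposes it to remote callers, so I would state that reliance in a docstring, e.g. `"""Return an access token for client_name; the caller DN and token_key are expected to be validated in JobDispatcher.get_proxy."""`, and confirm that an empty DN or a `None` key is rejected there. Separately, `getProxy` no longer accepts `tokenized` and `token_key`; if request parameters are passed through as keyword arguments (not visible here), clients that still send them will start failing, which is worth a release note.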
@@ -62,7 +62,12 @@ def __init__(self, env, tmp_log): else: # robot if vo_role in panda_config.auth_vo_dict and "robot_ids" in panda_config.auth_vo_dict[vo_role]: - robot_ids = [i for i in panda_config.auth_vo_dict[vo_role].get("robot_ids").split(",") if i] + robot_ids = panda_config.auth_vo_dict[vo_role].get("robot_ids") + if isinstance(robot_ids, str): + robot_ids = robot_ids.split(",") + if not robot_ids: + robot_ids = [] + robot_ids = [i for i in robot_ids if i] if token["sub"] in robot_ids: if "groups" not in token: if role: From f6614120e26cd2b74cb6e2fb9a649ddb907944fb Mon Sep 17 00:00:00 2001 From: tmaeno Date: Tue, 16 Jul 2024 10:57:11 +0200 Subject: [PATCH 2/2] added get_access_token --- pandaserver/jobdispatcher/JobDispatcher.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pandaserver/jobdispatcher/JobDispatcher.py b/pandaserver/jobdispatcher/JobDispatcher.py index d14723168..8d12f63cf 100755 --- a/pandaserver/jobdispatcher/JobDispatcher.py +++ b/pandaserver/jobdispatcher/JobDispatcher.py @@ -869,7 +869,7 @@ def get_proxy(self, real_distinguished_name: str, role: str | None, target_disti # invalid token key tmp_msg += f"failed since token key is invalid for {target_distinguished_name}" tmp_log.debug(tmp_msg) - response = Protocol.Response(Protocol.SC_Perms, tmp_msg) + response = Protocol.Response(Protocol.SC_Invalid, tmp_msg) else: # get proxy response = Protocol.Response(Protocol.SC_Success, "")
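Review bot: The rebuilt `robot_ids` list is an authorization allowlist checked against `token["sub"]`, but its entries are used exactly as configured. A string such as `"id1, id2"` keeps the leading space on the second entry, so that robot never matches, and a value that is neither a string nor a sequence passes `if not robot_ids:` and then raises in the comprehension. Both fail closed, but I would normalise explicitly: replace the emptiness test with `if not isinstance(robot_ids, (list, tuple)): robot_ids = []` and the last line with `robot_ids = [i.strip() for i in robot_ids if isinstance(i, str) and i.strip()]`. A short comment saying the setting may be a comma-separated string or a list would also help. The enclosing `__init__` starts and ends outside the hunk.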
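Review bot: In the branch this hunk touches, a rejected token key is recorded only with `tmp_log.debug(tmp_msg)`, so repeated failures against the token endpoint would not appear at normal log levels and cannot feed alerting. I would raise it to `tmp_log.warning(tmp_msg)` (assuming the log wrapper exposes that level) and check that `tmp_msg` carries the caller's DN as well as `target_distinguished_name`; how the message is built is outside the hunk. Moving from `Protocol.SC_Perms` to `Protocol.SC_Invalid` also changes what clients and any monitoring keyed on the status code will see, so a comment on the line explaining why an invalid key is not treated as a permission failure would help the next reader. The body of `get_proxy` continues outside the hunk.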