diff --git a/integration_tests.py b/integration_tests.py
index 2bc115d4117..e04d4ffb723 100755
--- a/integration_tests.py
+++ b/integration_tests.py
@@ -358,7 +358,7 @@ def install_server():
 # This runs a continuous loop that exports the config in yaml
 # for the diracx container to use
 typer.secho("Starting configuration export loop for diracx", fg=c.GREEN)
- base_cmd = _build_docker_cmd("server", tty=False, daemon=True)
+ base_cmd = _build_docker_cmd("server", tty=False, daemon=True, use_root=True)
 subprocess.run(
 base_cmd + ["bash", "/home/dirac/LocalRepo/ALTERNATIVE_MODULES/DIRAC/tests/CI/exportCSLoop.sh"],
 check=True,
diff --git a/src/DIRAC/FrameworkSystem/Service/ProxyManagerHandler.py b/src/DIRAC/FrameworkSystem/Service/ProxyManagerHandler.py
index 0294d4bba21..4b2177b87a5 100644
--- a/src/DIRAC/FrameworkSystem/Service/ProxyManagerHandler.py
+++ b/src/DIRAC/FrameworkSystem/Service/ProxyManagerHandler.py
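Review bot: `use_root=True` on the `_build_docker_cmd("server", ...)` call makes the export loop, and everything `exportCSLoop.sh` launches, run as root inside the server container, and the hunk gives no reason for the elevation. If root is only needed so the loop can write to one path, fixing the ownership of that path and keeping the unprivileged user would be the narrower change. Otherwise add a comment above the call, for example `# runs as root because <reason, placeholder to fill in>`. `install_server` starts and ends outside the hunk, so how the other container commands are built is not visible here.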
@@ -426,18 +426,23 @@ def export_exchangeProxyForToken(self):
 vo = Registry.getVOForGroup(credDict["group"])
 dirac_properties = list(set(credDict.get("groupProperties", [])) | set(credDict.get("properties", [])))
 group = credDict["group"]
- scopes = [f"vo:{vo}", f"group:{group}", [f"property:{prop}" for prop in dirac_properties]]
-
- r = requests.get(
- f"{diracxUrl}/auth/legacy-exchange",
- params={
- "preferred_username": credDict["username"],
- "scopes": " ".join(scopes),
- },
- headers={"Authorization": f"Bearer {apiKey}"},
- )
+ scopes = [f"vo:{vo}", f"group:{group}"] + [f"property:{prop}" for prop in dirac_properties]
+
+ try:
+ r = requests.get(
+ f"{diracxUrl}/auth/legacy-exchange",
+ params={
+ "preferred_username": credDict["username"],
+ "scope": " ".join(scopes),
+ },
+ headers={"Authorization": f"Bearer {apiKey}"},
+ )
+ except requests.exceptions.RequestException as exc:
+ return S_ERROR(f"Failed to contact DiracX: {exc}")
+ else:
+ if not r.ok:
+ return S_ERROR(f"Failed to contact DiracX: {r.status_code} {r.text}")
-
- r.raise_for_status()
 return S_OK(r.json())
diff --git a/tests/CI/docker-compose.yml b/tests/CI/docker-compose.yml
index 35a5a7d31f3..4841ff07afd 100644
--- a/tests/CI/docker-compose.yml
+++ b/tests/CI/docker-compose.yml
@@ -65,7 +65,6 @@ services: pull_policy: always diracx-wait-for-db: - image: ${MYSQL_VER} container_name: diracx-wait-for-db depends_on:
@@ -74,7 +73,6 @@ services: command: /home/dirac/LocalRepo/ALTERNATIVE_MODULES/DIRAC/tests/CI/check_db_initialized.sh pull_policy: always - dirac-server: image: ${CI_REGISTRY_IMAGE}/${HOST_OS}-dirac container_name: server
@@ -91,7 +89,7 @@ services: iam-login-service: condition: service_started diracx-init-key: - condition: service_completed_successfully # Let the init container create the cs + condition: service_completed_successfully # Let the init container create the singing key diracx-init-cs: condition: service_completed_successfully # Let the init container create the cs ulimits:
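Review bot: The `requests.get(...)` call inside the new `try` has no `timeout=`, so a DiracX endpoint that accepts the connection and then stalls blocks this handler indefinitely and the new `except requests.exceptions.RequestException` branch never fires; pass an explicit value, e.g. `headers={"Authorization": f"Bearer {apiKey}"}, timeout=<seconds>,`. The `not r.ok` branch puts `r.text` verbatim into the `S_ERROR` message, which presumably travels back to the RPC caller; logging the body on the server and returning only `r.status_code` would keep upstream detail out of the client-facing error. `r.json()` on the last line can still raise on a 2xx response with a non-JSON body. The function body starts above the hunk, so how `diracxUrl` and `apiKey` are obtained, and whether the URL is required to be HTTPS before the bearer key is sent, is not visible here.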
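Review bot: The rewritten comment on the `diracx-init-key` dependency in the `@@ -91,7 +89,7 @@` hunk reads `create the singing key`; it should be `# Let the init container create the signing key`. The enclosing `depends_on` block starts outside the hunk.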
@@ -115,8 +113,6 @@ services: nofile: 8192 pull_policy: always - - diracx-init-key: image: ghcr.io/diracgrid/diracx/server container_name: diracx-init-key
@@ -143,13 +139,27 @@ services: /dockerMicroMambaEntrypoint.sh dirac internal generate-cs /cs_store/initialRepo --vo=diracAdmin --user-group=admin --idp-url=http://dsdsd.csds/a/b pull_policy: always + diracx-init-db: + image: ghcr.io/diracgrid/diracx/server + container_name: diracx-init-db + depends_on: + mysql: + condition: service_healthy + environment: + - DIRACX_DB_URL_AUTHDB=mysql+aiomysql://Dirac:Dirac@mysql/AuthDB + entrypoint: | + /dockerMicroMambaEntrypoint.sh bash -xc 'micromamba install -c conda-forge mysql-client && mysql -h mysql -u root --password=password -e "CREATE DATABASE `DiracXAuthDB`" && mysql -h mysql -u root --password=password -e "GRANT SELECT,INSERT,LOCK TABLES,UPDATE,DELETE,CREATE,DROP,ALTER,REFERENCES,CREATE VIEW,SHOW VIEW,INDEX,TRIGGER,ALTER ROUTINE,CREATE ROUTINE ON `DiracXAuthDB`.* TO '"'"'Dirac'"'"'@'"'"'%'"'"'" && python -m diracx.db init-sql' + pull_policy: always + diracx: image: ghcr.io/diracgrid/diracx/server container_name: diracx environment: - DIRACX_CONFIG_BACKEND_URL=git+file:///cs_store/initialRepo - - "DIRACX_DB_URL_AUTHDB=sqlite+aiosqlite:///:memory:" + - DIRACX_DB_URL_AUTHDB=mysql+aiomysql://Dirac:Dirac@mysql/AuthDB - DIRACX_DB_URL_JOBDB=mysql+aiomysql://Dirac:Dirac@mysql/JobDB + - DIRACX_DB_URL_JOBLOGGINGDB=mysql+aiomysql://Dirac:Dirac@mysql/JobLoggingDB + - DIRACX_DB_URL_SANDBOXMETADATADB=mysql+aiomysql://Dirac:Dirac@mysql/SandboxMetadataDB - DIRACX_SERVICE_AUTH_TOKEN_KEY=file:///signing-key/rs256.key - DIRACX_SERVICE_AUTH_ALLOWED_REDIRECTS=["http://diracx:8000/docs/oauth2-redirect"] # Obtained with echo 'InsecureChangeMe' | base64 -d | openssl sha512
@@ -157,6 +167,8 @@ services: ports: - 8000:8000 depends_on: + diracx-init-db: + condition: service_completed_successfully diracx-wait-for-db: condition: service_completed_successfully volumes:
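Review bot: In the new `diracx-init-db` service the entrypoint creates and grants on `DiracXAuthDB`, while `DIRACX_DB_URL_AUTHDB` (here and in `diracx`) points at `mysql/AuthDB`, so `python -m diracx.db init-sql` appears to target a different database than the one just created. Either the URL path should name `DiracXAuthDB` or the `CREATE DATABASE`/`GRANT` statements should name `AuthDB`. The backticks around the database name sit inside double quotes within the `bash -xc` script, where bash treats them as command substitution, so the identifier may be emptied before `mysql` sees it; dropping or escaping the backticks would avoid that. `bash -x` also echoes the root `--password=password` into the CI log and `micromamba install -c conda-forge mysql-client` pulls an unpinned package on every start, which is tolerable for a throwaway fixture but deserves a comment such as `# CI-only credentials, never reuse outside the test stack`.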
diff --git a/tests/CI/exportCSLoop.sh b/tests/CI/exportCSLoop.sh
index c5eb5132ad8..88710288d9e 100755
--- a/tests/CI/exportCSLoop.sh
+++ b/tests/CI/exportCSLoop.sh
@@ -9,6 +9,6 @@ git config --global user.email "dirac-server-ci@invalid"
 while true; do
 curl -L https://gitlab.cern.ch/chaen/chris-hackaton-cs/-/raw/master/convert-from-legacy.py |DIRAC_COMPAT_ENABLE_CS_CONVERSION=True ~/ServerInstallDIR/diracos/bin/python - ~/ServerInstallDIR/etc/Production.cfg /cs_store/initialRepo/
- git -C /cs_store/initialRepo/ commit -am "export $(date)"
+ git --git-dir=.git -C /cs_store/initialRepo/ commit -am "export $(date)"
 sleep 5;
 done
diff --git a/tests/Jenkins/dirac_ci.sh b/tests/Jenkins/dirac_ci.sh
index d4518e4aeee..8d827f83f0e 100644
--- a/tests/Jenkins/dirac_ci.sh
+++ b/tests/Jenkins/dirac_ci.sh
@@ -135,7 +135,7 @@ installSite() {
 echo "==> Done installing, now configuring"
 source "${SERVERINSTALLDIR}/bashrc"
- if ! dirac-configure --cfg "${SERVERINSTALLDIR}/install.cfg" --LegacyExchangeApiKey='InsecureChangeMe' "${DEBUG}"; then
+ if ! dirac-configure --cfg "${SERVERINSTALLDIR}/install.cfg" --LegacyExchangeApiKey='diracx:legacy:InsecureChangeMe' "${DEBUG}"; then
 echo "ERROR: dirac-configure failed" >&2
 exit 1
 fi
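Review bot: `--git-dir=.git` is added to the `git ... commit` line in `exportCSLoop.sh` without a comment, and the likely reason (the repository under `/cs_store/initialRepo/` being owned by a different user than the one running the loop) can only be guessed. Add a comment such as `# explicit --git-dir: <reason, placeholder to fill in>`, or, if this is about git's repository-ownership check, configure `safe.directory` for that one path so the intent is explicit. The unchanged `curl -L .../raw/master/convert-from-legacy.py | ... python -` line above it fetches a script from a mutable branch and executes it on every iteration. If the loop runs with elevated privileges, pinning the URL to a commit (`/-/raw/<commit-sha>/convert-from-legacy.py`) limits what a change to that branch can do inside the CI container. The script's preamble before the `while` loop is outside the hunk.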