Merge pull request #73 from ARGOeu/devel

Version 0.1.13

Jenkinsfile

@@ -28,6 +28,11 @@ pipeline {
                         }
                         archiveArtifacts artifacts: '**/*.rpm', fingerprint: true
                     }
+                    post {
+                        always {
+                            cleanWs()
+                        }
+                    }
                 }
                 stage ('Build Centos 7') {
                     agent {
@@ -44,6 +49,11 @@ pipeline {
                         }
                         archiveArtifacts artifacts: '**/*.rpm', fingerprint: true
                     }
+                    post {
+                        always {
+                            cleanWs()
+                        }
+                    }
                 } 
             }
         }

README.md

@@ -169,3 +169,31 @@ $ authn_check.py [-h] --authn-host AUTHN_HOST --authn-port AUTHN_PORT
  --ams-host 127.0.0.1 --verify
 
  ```
+
+## Fetch token
+The probe is used to obtain an access token from a refresh token. If the token is successfully fetched, it is stored in `/etc/nagios/globus/oidc` file and success message is returned. In case there is a problem obtaining or storing token, critical error is raised.
+
+### Usage example
+
+```sh
+usage: refresh_token [-h] --client_id CLIENT_ID --client_secret CLIENT_SECRET
+                     --refresh_token REFRESH_TOKEN
+```
+
+* `--client_id`: the identifier of the client.
+* `--client_secret`: the secret value of the client.
+* `--refresh_token`: the value of the refresh token.
+* `--token_file`: the name of the file where token is going to be saved.
+* `--timeout`: request timeout.
+
+
+## Check refresh token validity
+
+The probe is used to check validity of the OIDC refresh token by checking its expiration date. If the token is about to expire in the next 30 days, warning error is raised. If the token is about to expire in less then 15 days, critical error is raised.
+
+```shell script
+usage: check-refresh-token-expiration [-h] --token TOKEN [-t TIMEOUT]
+```
+
+* `--token`: refresh token.
+* `-t`: probe timeout.

modules/refresh_token.py

@@ -0,0 +1,111 @@
+#!/usr/bin/env python
+import argparse
+import grp
+import os
+import pwd
+import sys
+
+import requests
+
+from NagiosResponse import NagiosResponse
+
+
+def main():
+    parser = argparse.ArgumentParser(
+        description="Nagios probe for fetching tokens."
+    )
+    parser.add_argument(
+        "--client_id", dest="client_id", type=str, required=True,
+        help="The identifier of the client"
+    )
+    parser.add_argument(
+        "--client_secret", dest="client_secret", type=str, required=True,
+        help="The secret value of the client"
+    )
+    parser.add_argument(
+        "--refresh_token", dest="refresh_token", type=str, required=True,
+        help="The value of the refresh token"
+    )
+    parser.add_argument(
+        "--token_file", dest="token_file", type=str,
+        default="/etc/nagios/globus/oidc",
+        help="File for storing obtained token"
+    )
+    parser.add_argument(
+        "-t", "--timeout", dest="timeout", type=int, default=60,
+        help="timeout"
+    )
+    args = parser.parse_args()
+
+    nagios = NagiosResponse("Access token fetched successfully.")
+
+    try:
+        response = requests.post(
+            "https://aai.egi.eu/oidc/token",
+            auth=(args.client_id, args.client_secret),
+            data={
+                "client_id": args.client_id,
+                "client_secret": args.client_secret,
+                "grant_type": "refresh_token",
+                "refresh_token": args.refresh_token,
+                "scope": "openid email profile"
+            },
+            timeout=args.timeout
+        )
+        response.raise_for_status()
+
+        access_token = response.json()["access_token"]
+
+        with open(args.token_file, "w") as f:
+            f.write(access_token)
+
+        try:
+            uid = pwd.getpwnam("nagios").pw_uid
+
+        except KeyError:
+            nagios.writeCriticalMessage("No user named 'nagios'")
+            nagios.setCode(nagios.CRITICAL)
+            print nagios.getMsg()
+            sys.exit(nagios.getCode())
+
+        try:
+            gid = grp.getgrnam("nagios").gr_gid
+
+        except KeyError:
+            nagios.writeCriticalMessage("No group named 'nagios'")
+            nagios.setCode(nagios.CRITICAL)
+            print nagios.getMsg()
+            sys.exit(nagios.getCode())
+
+        os.chown(args.token_file, uid, gid)
+
+        print nagios.getMsg()
+        sys.exit(nagios.getCode())
+
+    except (
+            requests.exceptions.HTTPError,
+            requests.exceptions.ConnectionError,
+            requests.exceptions.RequestException,
+            ValueError,
+            KeyError
+    ) as e:
+        nagios.writeCriticalMessage(str(e))
+        nagios.setCode(nagios.CRITICAL)
+        print nagios.getMsg()
+        sys.exit(nagios.getCode())
+
+    except IOError as e:
+        nagios.writeCriticalMessage("Error creating file: " + str(e))
+        nagios.setCode(nagios.CRITICAL)
+        print nagios.getMsg()
+        sys.exit(nagios.getCode())
+
+    except Exception as e:
+        nagios.writeCriticalMessage(str(e))
+        nagios.setCode(nagios.CRITICAL)
+        print nagios.getMsg()
+        sys.exit(nagios.getCode())
+
+
+if __name__ == "__main__":
+    main()

modules/refresh_token_expiration.py

@@ -0,0 +1,81 @@
+import argparse
+import datetime
+import signal
+import sys
+
+import jwt
+
+from NagiosResponse import NagiosResponse
+
+nagios = NagiosResponse("Refresh token valid.")
+
+
+class TimeoutError(Exception):
+    pass
+
+
+class timeout:
+    def __init__(self, seconds=1, error_message="Timeout"):
+        self.seconds = seconds
+        self.error_message = error_message
+
+    def handle_timeout(self, signum, frame):
+        raise TimeoutError(self.error_message)
+
+    def __enter__(self):
+        signal.signal(signal.SIGALRM, self.handle_timeout)
+        signal.alarm(self.seconds)
+
+    def __exit__(self, exc_type, exc_val, exc_tb):
+        signal.alarm(0)
+
+
+def validate_token(args):
+    try:
+        unix_time = jwt.decode(args.token, verify=False)["exp"]
+        expiration_time = datetime.datetime.fromtimestamp(unix_time)
+        timedelta = expiration_time - datetime.datetime.today()
+
+        if 15 < timedelta.days < 30:
+            nagios.writeWarningMessage(
+                "Refresh token expiring in %d days!" % timedelta.days
+            )
+            nagios.setCode(nagios.WARNING)
+
+        if timedelta.days < 15:
+            nagios.writeCriticalMessage(
+                "Refresh token expiring in %d days!" % timedelta.days
+            )
+            nagios.setCode(nagios.CRITICAL)
+
+        print nagios.getMsg()
+
+    except jwt.exceptions.DecodeError as e:
+        print "UNKNOWN - Token is malformed: %s" % str(e)
+
+    except Exception as e:
+        print "UNKNOWN - %s" % str(e)
+
+        nagios.setCode(nagios.UNKNOWN)
+
+    sys.exit(nagios.getCode())
+
+
+def main():
+    parser = argparse.ArgumentParser(
+        description="Nagios probe for checking refresh token expiration"
+    )
+    parser.add_argument(
+        "--token", dest="token", type=str, required=True, help="Refresh token"
+    )
+    parser.add_argument(
+        "-t", "--timeout", dest="timeout", type=int, default=5, help="timeout"
+    )
+    args = parser.parse_args()
+
+    with timeout(seconds=args.timeout):
+        validate_token(args)
+
+
+if __name__ == "__main__":
+    main()

nagios-plugins-argo.spec

@@ -4,17 +4,17 @@
 
 Name: nagios-plugins-argo
 Summary: ARGO components related probes.
-Version: 0.1.12
+Version: 0.1.13
 Release: 1%{?dist}
 License: ASL 2.0
 Source0: %{name}-%{version}.tar.gz
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
 Group: Network/Monitoring
 BuildArch: noarch
-Requires: python-requests, argo-ams-library, pyOpenSSL, python-argparse, nagios-plugins-file_age, curl
+Requires: python-requests, argo-ams-library, pyOpenSSL, python-argparse, nagios-plugins-file_age, curl, python-jwt
 
 %description
-This package includes probes for ARGO components. 
+This package includes probes for ARGO components.
 Currently it supports the following components:
  - ARGO Consumer log
  - ARGO EGI Connectors
@@ -23,7 +23,7 @@ Currently it supports the following components:
  - POEM service
 
 %prep
-%setup -q 
+%setup -q
 
 %build
 %{__python} setup.py build
@@ -44,8 +44,11 @@ rm -rf %{buildroot}
 
 
 %changelog
+* Mon Aug 31 2020 Katarina Zailac <[email protected]> - 0.1.13-1%{?dist}
+- ARGO-2442 Monitor OIDC refresh token expiration
+- ARGO-2443 Implement probe for fetching tokens
 * Wed Apr 1 2020 Daniel Vrcic <[email protected]>, Angelos Tsalapatis <[email protected]> - 0.1.12-1%{?dist}
-- ARGO-2014 Update connectors internal tests wrt poem connectors changes 
+- ARGO-2014 Update connectors internal tests wrt poem connectors changes
 - ARGO-1752 Authn nagios probe
 * Thu Nov 8 2018 Daniel Vrcic <[email protected]>, Katarina Zailac <[email protected]>, Emir Imamagic <[email protected]>, Angelos Tsalapatis <[email protected]> - 0.1.11-1%{?dist}
 - ARGO-1369 Check POEM metric configuration API
@@ -57,7 +60,7 @@ rm -rf %{buildroot}
 - added argo-nagios-ams-publisher
 * Mon Dec 4 2017 Daniel Vrcic <[email protected]> - 0.1.8-1%{?dist}
 - connectors-probe warning logic revised
-- connectors-probe updated global.conf parsing 
+- connectors-probe updated global.conf parsing
 * Tue Jun 6 2017 Daniel Vrcic <[email protected]> - 0.1.7-4%{?dist}
 - sprint release minor version bump
 * Thu May 25 2017 Daniel Vrcic <[email protected]> - 0.1.7-3%{?dist}
@@ -68,24 +71,24 @@ rm -rf %{buildroot}
 * Tue May 16 2017 Hrvoje Sute <[email protected]> - 0.1.7-1%{?dist}
 - ARGO-759 Develop a probe that checks the status of AMS
 * Wed Apr 26 2017 Daniel Vrcic <[email protected]> - 0.1.6-4%{?dist}
-- converted tab to whitespaces 
+- converted tab to whitespaces
 - check current date for the downtimes state
-- vertical line separator for multiple fail msgs 
+- vertical line separator for multiple fail msgs
 * Wed Apr 26 2017 Hrvoje Sute <[email protected]> - 0.1.6-3%{?dist}
 - More descriptive OK status
 * Tue Apr 25 2017 Hrvoje Sute <[email protected]> - 0.1.6-2%{?dist}
 - Removed debugger lefover module
 * Thu Apr 20 2017 Hrvoje Sute <[email protected]> - 0.1.6-1%{?dist}
 - ARGO-754 Nagios sensor for connectors component
 * Thu Apr 6 2017 Daniel Vrcic <[email protected]> - 0.1.5-3%{?dist}
-- ARGO-773 POEM probe should have argument for client certificate 
+- ARGO-773 POEM probe should have argument for client certificate
 * Tue Mar 21 2017 Daniel Vrcic <[email protected]>, Themis Zamani <[email protected]> - 0.1.5-2%{?dist}
-- POEM probe verify certs in all request calls to remove warning msg 
+- POEM probe verify certs in all request calls to remove warning msg
 - ARGO-756 [WEB API] - New status check to nagios internal probe
 * Thu Mar 9 2017 Daniel Vrcic <[email protected]> - 0.1.5-1%{?dist}
 - ARGO-677 POEM probe should properly check host certificate
 * Thu Mar 9 2017 Daniel Vrcic <[email protected]> - 0.1.4-1%{?dist}
-- ARGO-676 Added default --capath to POEM probe 
+- ARGO-676 Added default --capath to POEM probe
 * Thu Mar 9 2017 Emir Imamagic <[email protected]> - 0.1.3-1%{dist}
 - Added consumer log probe & deps
 * Tue Nov 1 2016 Daniel Vrcic <[email protected]> - 0.1.2-1%{?dist}

src/check-refresh-token-expiration

@@ -0,0 +1,4 @@
+#!/usr/bin/env python
+from nagios_plugins_argo import refresh_token_expiration
+
+refresh_token_expiration.main()

src/refresh-token

@@ -0,0 +1,4 @@
+#!/usr/bin/env python
+from nagios_plugins_argo import refresh_token
+
+refresh_token.main()