Merge pull request opensciencegrid#3216 from AndresTanasijczuk/cache_…

…authz_ligo_vo

Extend authz list with LIGO DNs for all LIGO private namespaces in cache Authfile

src/README.md

@@ -442,7 +442,7 @@ For every cache resource, add a `u <DN HASH> <PATH1> rl <PATH2> rl ...` ACL for
 The Authfile for a public cache is served at `/cache/Authfile-public?fqdn=<CACHE FQDN>`.
 
 The public Authfile is basically a giant `u *` list:
-- Explicitly deny read access to `/user/ligo` (with `-rl` permissions)
+- Explicitly deny read access to `/user/ligo` (with `-rl` permissions); this is needed, because granting access to the OSG VO `/user` path would otherwise also grant access to `/user/ligo`
 - Allow read access to the path of each namespace supported by the cache (`rl` permissions) 
 
 ### Cache authenticated Authfile generation
@@ -452,9 +452,9 @@ The Authfile for an authenticated cache is served at `/cache/Authfile?fqdn=<CACH
 - Add a `u <DN HASH> <PATH1> rl <PATH2> rl ...` for every DN listed in the Authorizations list of every namespace supported by the cache.
 - Add a `g <FQAN> <PATH1> rl <PATH2> rl ...` for every FQAN listed in the Authorizations list of every namespace supported by the cache.
 
-In addition, if the cache supports the `/user/ligo` namespace and the webapp can access LIGO's LDAP server:
+In addition, if the cache supports the LIGO VO and the webapp can access LIGO's LDAP server:
 
-- Add a `u <DN HASH> /user/ligo rl` for every DN obtained from the LIGO's LDAP server.
+- Add a `u <DN HASH> <LIGO PATH1> rl <LIGO PATH2> rl ...` for every DN obtained from the LIGO's LDAP server.
 
 
 ### Origin xrootd-scitokens config generation

src/stashcache.py

@@ -151,7 +151,7 @@ def fetch_ligo_authz_list_if_needed():
                     ligo_authz_list.append(parse_authz(f"DN:{dn}")[0])
             return ligo_authz_list
 
-        for stashcache_obj in vos_data.stashcache_by_vo_name.values():
+        for vo_name, stashcache_obj in vos_data.stashcache_by_vo_name.items():
             for path, namespace in stashcache_obj.namespaces.items():
                 if not namespace_allows_cache_resource(namespace, cache_resource):
                     continue
@@ -165,7 +165,7 @@ def fetch_ligo_authz_list_if_needed():
 
                 # Extend authz list with LIGO DNs if applicable
                 extended_authz_list = namespace.authz_list
-                if path == "/user/ligo":
+                if vo_name.lower() == "ligo":
                     if legacy:
                         extended_authz_list += fetch_ligo_authz_list_if_needed()
                     else:
@@ -323,11 +323,6 @@ def generate_cache_grid_mapfile(global_data: GlobalData,
         if not resource:
             return ""
 
-    ligo_authz_list: List[AuthMethod] = []
-    if legacy:
-        for dn in global_data.get_ligo_dn_list():
-            ligo_authz_list.append(parse_authz(f"DN:{dn}")[0])
-
     idns = _IdNamespaceData.for_cache(
         global_data=global_data,
         topology=topology,

src/tests/test_stashcache.py

@@ -50,14 +50,14 @@ def test_allowedVO_includes_ANY_for_ligo_inclusion(self, client: flask.Flask, mo
 
         stashcache.generate_cache_authfile(global_data, "osg-sunnyvale-stashcache.t2.ucsd.edu")
 
-        assert spy.call_count == 1
+        assert spy.call_count == 5
 
     def test_allowedVO_includes_LIGO_for_ligo_inclusion(self, client: flask.Flask, mocker: MockerFixture):
         spy = mocker.spy(global_data, "get_ligo_dn_list")
 
         stashcache.generate_cache_authfile(global_data, "stashcache.gwave.ics.psu.edu")
 
-        assert spy.call_count == 1
+        assert spy.call_count == 5
 
     def test_allowedVO_excludes_LIGO_and_ANY_for_ligo_inclusion(self, client: flask.Flask, mocker: MockerFixture):
         spy = mocker.spy(global_data, "get_ligo_dn_list")