1 # Copyright 2014 The Chromium OS Authors. All rights reserved.
2 # Use of this source code is governed by a BSD-style license that can be
3 # found in the LICENSE file.
5 """Manage Google Low Overhead Authentication Service (LOAS) tasks.
7 This is used by scripts that run outside of the chroot and require access to
8 Google production resources.
10 If you don't know what any of this means, then you don't need this module :).
13 from __future__ import print_function
20 from chromite.lib import alerts
21 from chromite.lib import cros_build_lib
24 class LoasError(Exception):
25 """Raised when a LOAS error occurs"""
29 """Class for holding all the various LOAS cruft."""
31 def __init__(self, user, email_notify):
33 self.email_notify = email_notify
34 self.enroll_msg = 'become -t -c "prodaccess --sslenroll" %s@%s' % (
35 self.user, socket.getfqdn())
36 self.last_notification = (
37 datetime.date.today() - datetime.timedelta(weeks=10))
40 logging.debug('Checking LOAS credentials for %s', self.user)
41 cmd = ['runloas', '/usr/bin/loas_check']
43 # Error message to print when the LOAS credential check fails. This is
44 # usually because the production credentials used to access Keystore for
45 # the unwrapping private key have expired.
46 loas_error = 'loas_check for %s failed! Did you run: %s' % (
47 self.user, self.enroll_msg)
49 cros_build_lib.SudoRunCommand(cmd,
51 error_message=loas_error)
52 except cros_build_lib.RunCommandError as e:
53 raise LoasError(e.msg)
56 # Only bother checking once a day. Our certs are valid in the
57 # range of weeks, so there's no need to constantly do this.
58 if (datetime.date.today() < self.last_notification +
59 datetime.timedelta(days=1)):
62 cmd = ['prodcertstatus', '--check_loas_cert_location', 'sslenrolled']
63 result = cros_build_lib.SudoRunCommand(cmd,
68 # Figure out how many days are left. The command should display:
69 # SSL-ENROLLED CERT cert expires in about 22 days
70 m = re.search(r'cert expires in about ([0-9]+) days', result.output)
72 days_left = int(m.group(1))
76 # Send out one notification a day if there's a week or less left
77 # before our creds expire.
80 'Loas certs expiring soon!',
82 message='Please run:\n %s\n\n%s\n%s' %
83 (self.enroll_msg, result.output, result.error))
84 self.last_notification = datetime.date.today()
86 # We won't expire for a while, so stop the periodic polling.
87 self.last_notification = (
88 datetime.date.today() + datetime.timedelta(days=days_left - 8))