schrodinger.job.cert module

Provide an interface for generating user certificates for job server. Wraps ‘$SCHRODINGER/jsc cert’ commands to create a single entrypoint. The $SCHRODINGER environment variable is assumed to be an unescaped path.

Authentication can occur in two ways:

1. Using LDAP. In this case, the ‘jsc ldap-get’ command communicates the username and password to the job server using a gRPC method and saves the user certificate. The LDAP password can be submitted to the command either through an interactive commandline prompt or through piped stdin.

2. Using a Unix socket. In this case, the user must be on the server host to get a user certificate. The flow is as follows:

   1. The ‘jsc get-auth-socket-path’ command gets the path of the Unix socket from the server using a gRPC method.

   2. We then ssh to the server host and send a request over that Unix socket to retrieve a user certificate. (If the user is already on the same server host, we can skip ssh).

   3. That certificate is communicated back to the client machine over ssh, where a separate jsc command saves it.

exception schrodinger.job.cert.AuthenticationException

Bases: Exception

__init__(*args, **kwargs)

args

with_traceback()

Exception.with_traceback(tb) – set self.__traceback__ to tb and return self.

exception schrodinger.job.cert.SocketAuthenticationException

Bases: schrodinger.job.cert.AuthenticationException

__init__(*args, **kwargs)

args

with_traceback()

Exception.with_traceback(tb) – set self.__traceback__ to tb and return self.

exception schrodinger.job.cert.LDAPAuthenticationException

Bases: schrodinger.job.cert.AuthenticationException

__init__(*args, **kwargs)

args

with_traceback()

Exception.with_traceback(tb) – set self.__traceback__ to tb and return self.

exception schrodinger.job.cert.BadLDAPInputException

Bases: Exception

__init__(*args, **kwargs)

args

with_traceback()

Exception.with_traceback(tb) – set self.__traceback__ to tb and return self.

schrodinger.job.cert.get_cert_with_ldap(schrodinger, address, user, ldap_password=None)

Generates a user certificate job server at the given address. Wraps ‘$SCHRODINGER/jsc cert ldap-get –user [user] [address]’

Parameters

• schrodinger (str) – $SCHRODINGER environment variable for the current system

• address (str) – Server Address of the job server to authenticate with

• user (str) – Username to authenticate as. This must be the same as the username that will be used to submit jobs to the job server.

• ldap_password (str) – LDAP password for the given username. If None, the command is assumed to be in interactive mode.

Returns

True if authentication succeeds. False if authentication fails, or raises an exception if not in interactive mode.

Return type

bool

Raises

BADLDAPInputException if ldap_password is None and sys.stdin is not a tty

Raises

LDAPAuthenticationException if the authentication fails

schrodinger.job.cert.get_cert_with_socket_auth(schrodinger: str, hostname: str, user: str, socket_path: str, server_schrodinger: str, ssh_password: Optional[str] = None)

Generate a user certificate for job server using socket authentication through SSH.

Parameters

• schrodinger – $SCHRODINGER environment variable, path to schrodinger suite

• hostname – job server’s hostname

• user – user for which to generate certificate, used as remote user for ssh if required.

• socket_path – the path on the server where the auth socket is located

• ssh_password – the SSH password for the given user. If None, the SSH password will be requested via a terminal prompt unless passwordless SSH is configured.

• server_schrodinger – for remote job servers, a path to the SCHRODINGER installation containing a “jsc” executable to communicate with the socket.

Returns

True if a certificate is generated, otherwise an appropriate error.

Return type

bool

Raises

RuntimeError for any other failure

schrodinger.job.cert.get_cert(hostname: str, port: Union[int, str], user: str, *, schrodinger: Optional[str] = None, ssh_password: Optional[str] = None, ldap_password: Optional[str] = None, server_schrodinger: Optional[str] = None)

Entrypoint to generate a user certificate for the requested server.

A server can have one or both of unix socket authentication and LDAP authentication.

Attempts unix socket authentication if enabled, otherwise falls back to LDAP authentication.

Parameters

• hostname – hostname for the job server to authenticate wtih

• port – port for the job server to authenticate with

• user – user for which to generate certificate, used as remote user for ssh if required.

• schrodinger – $SCHRODINGER environment variable, path to schrodinger suite. If None, the current system’s $SCHRODINGER environment variable will be used.

• ssh_password – the SSH password for the given user. If None, the SSH password will be requested via a terminal prompt unless passwordless SSH is configured.

• ldap_password – LDAP password for the given username. If left blank, the LDAP password will be requested in a terminal prompt.

• server_schrodinger – the server SCHRODINGER installation for socket authentication. If blank, this will be derived from available sources.

Returns

hostname of the registered job server upon success

Raises

BADLDAPInputException if ldap_password is left blank and sys.stdin is not a tty

Raises

AuthenticationException if the authentication fails

Raises

RuntimeError for any other failure

schrodinger.job.cert.validate_server_for_auth(server_info: schrodinger.job.server.ServerInfo) → bool

Validates that it is possible to authenticate with the server. Otherwise, raises an error

Returns

bool indicating if the server’s certificate hostname is known.

Raises

RuntimeError, AuthenticationException

schrodinger.job.cert.has_cert_for_server(address, schrodinger=None)

Check if the current user already has an existing cert for the given job server.

Parameters

address (str) – Address of the Job Server

Returns

True if cert exists, False if not

Return type

bool

schrodinger.job.cert.verify_cert(address: str, schrodinger: Optional[str] = None)

Verify that an rpc can be made using a TLS gRPC connection to the jobserver at the given address.

schrodinger.job.cert.remove_cert(address: str, schrodinger: Optional[str] = None)

Removes the certificate to the user’s collection. Wraps $SCHRODINGER/jsc cert add.

Parameters

• address (str) – The host:port of the server to remove.

• schrodinger (str) – $SCHRODINGER environment variable for the current system

Raises

RuntimeError if the executed command fails

schrodinger.job.cert.configured_servers() → Set[str]

Check to see if the SCHRODINGER install has default job servers configured.

Returns

a set of server addresses

Return type

set of str

schrodinger.job.cert.servers_without_registration() → Set[str]

Check to see if the current user is missing registration for default job servers.

Returns

a set of server address that are lacking registration.

schrodinger.job.cert.hostname_and_port(addr)

Get the hostname and port of the provided address. If no port is provided, return the default.

Returns

a tuple of address and port

Return type

(str, int)

schrodinger.job.cert.join_host_port(hostname: str, port: Union[str, int]) → str

Join a hostname and port into a network address. Taken from the Go implementation of net.JoinHostPort.