schrodinger.job.cert module

Provide an interface for generating user certificates for the job server. Wraps ‘$SCHRODINGER/jsc cert’ commands to create a single entrypoint. The $SCHRODINGER environment variable is assumed to be an unescaped path.

Authentication can occur in two ways:

  1. Using LDAP. In this case, the ‘jsc ldap-get’ command communicates the username and password to the job server using a gRPC method and saves the user certificate. The LDAP password can be submitted to the command either through an interactive commandline prompt or through piped stdin.

  2. Using a Unix socket. In this case, the user must be on the server host to get a user certificate. The flow is as follows:

    1. The ‘jsc get-auth-socket-path’ command gets the path of the Unix socket from the server using a gRPC method.

    2. We then ssh to the server host and send a request over that Unix socket to retrieve a user certificate. (If the user is already on the server host, we can skip ssh.)

    3. That certificate is communicated back to the client machine over ssh, where a separate jsc command saves it.

class schrodinger.job.cert.CertInfo(address: str, cert: str)

Bases: object

CertInfo holds the address of the job server together with the user certificate used to interact with it. The certificate contains the sensitive private key, so handle and store it securely.

address: str
cert: str
__init__(address: str, cert: str) → None
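
Added example (not part of the schrodinger package): one way to keep the private key in CertInfo.cert out of logs and to store it in an owner-only file on a POSIX system. The CertInfo dataclass below is a local stand-in for the documented fields, and save_cert_private, is_private and the file naming are hypothetical helpers, not the location or format jsc itself uses.

```python
import os
import stat
from dataclasses import dataclass, field


@dataclass(frozen=True)
class CertInfo:
    """Local stand-in mirroring the documented fields (assumption)."""
    address: str
    cert: str = field(repr=False)  # keep the private key out of repr() and logs


def save_cert_private(info: CertInfo, directory: str) -> str:
    """Write info.cert to a new owner-only file and return its path."""
    # Hypothetical naming scheme; path separators are replaced so the
    # address cannot escape the target directory.
    name = info.address.replace(":", "_").replace("/", "_") + ".json"
    path = os.path.join(directory, name)
    # O_EXCL refuses to reuse an existing file or symlink, and mode 0o600 is
    # applied at creation, so the key is never readable by group or others.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL
    fd = os.open(path, flags, 0o600)
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write(info.cert)
            fh.flush()
            os.fsync(fh.fileno())
    except BaseException:
        os.unlink(path)  # do not leave a partial key file behind
        raise
    return path


def is_private(path: str) -> bool:
    """True if path is a regular file we own with no group/other access."""
    st = os.lstat(path)  # lstat: do not follow a symlink planted at path
    return (stat.S_ISREG(st.st_mode)
            and st.st_uid == os.getuid()
            and stat.S_IMODE(st.st_mode) & 0o077 == 0)
```
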
exception schrodinger.job.cert.AuthenticationException

Bases: Exception

__init__(*args, **kwargs)
args
with_traceback()

Exception.with_traceback(tb) – set self.__traceback__ to tb and return self.

exception schrodinger.job.cert.SocketAuthenticationException

Bases: schrodinger.job.cert.AuthenticationException

__init__(*args, **kwargs)
args
with_traceback()

Exception.with_traceback(tb) – set self.__traceback__ to tb and return self.

exception schrodinger.job.cert.LDAPAuthenticationException

Bases: schrodinger.job.cert.AuthenticationException

__init__(*args, **kwargs)
args
with_traceback()

Exception.with_traceback(tb) – set self.__traceback__ to tb and return self.

exception schrodinger.job.cert.BadLDAPInputException

Bases: Exception

__init__(*args, **kwargs)
args
with_traceback()

Exception.with_traceback(tb) – set self.__traceback__ to tb and return self.

schrodinger.job.cert.get_cert_with_ldap(schrodinger, address, user, ldap_password=None)

Generates a user certificate for the job server at the given address. Wraps ‘$SCHRODINGER/jsc cert ldap-get --user [user] [address]’

Parameters
  • schrodinger (str) – $SCHRODINGER environment variable for the current system

  • address (str) – Server Address of the job server to authenticate with

  • user (str) – Username to authenticate as. This must be the same as the username that will be used to submit jobs to the job server.

  • ldap_password (str) – LDAP password for the given username. If None, the command is assumed to be in interactive mode.

Returns

user-certificate as JSON string if authentication succeeds, or raises an exception otherwise.

Return type

string

Raises

BadLDAPInputException if ldap_password is None and sys.stdin is not a tty

Raises

LDAPAuthenticationException if the authentication fails

schrodinger.job.cert.get_cert_with_socket_auth(schrodinger: str, hostname: str, user: str, socket_path: str, server_schrodinger: str, ssh_password: Optional[str] = None, prompt_for_password: Optional[bool] = True)

Generate a user certificate for job server using socket authentication through SSH.

Parameters
  • schrodinger – $SCHRODINGER environment variable, path to schrodinger suite

  • hostname – job server’s hostname

  • user – user for which to generate certificate, used as remote user for ssh if required.

  • socket_path – the path on the server where the auth socket is located

  • server_schrodinger – for remote job servers, a path to the SCHRODINGER installation containing a “jsc” executable to communicate with the socket.

  • ssh_password – the SSH password for the given user. If None, the SSH password will be requested via a terminal prompt unless passwordless SSH is configured.

  • prompt_for_password – whether to prompt for the SSH password for the given user (the parameter will only be in effect if stdin is attached to a terminal).

Returns

user-certificate as JSON string, otherwise an appropriate error.

Return type

string

Raises

RuntimeError for any other failure

schrodinger.job.cert.get_cert(hostname: str, port: Union[int, str], user: str, *, schrodinger: Optional[str] = None, ssh_password: Optional[str] = None, ldap_password: Optional[str] = None, server_schrodinger: Optional[str] = None, prompt_for_password: Optional[bool] = True) → schrodinger.job.cert.CertInfo

Entrypoint to generate a user certificate for the requested server.

A server can have one or both of unix socket authentication and LDAP authentication.

Attempts unix socket authentication if enabled, otherwise falls back to LDAP authentication.

Parameters
  • hostname – hostname for the job server to authenticate with

  • port – port for the job server to authenticate with

  • user – user for which to generate certificate, used as remote user for ssh if required.

  • schrodinger – $SCHRODINGER environment variable, path to schrodinger suite. If None, the current system’s $SCHRODINGER environment variable will be used.

  • ssh_password – the SSH password for the given user. If None, the SSH password will be requested via a terminal prompt unless passwordless SSH is configured.

  • ldap_password – LDAP password for the given username. If left blank, the LDAP password will be requested in a terminal prompt.

  • server_schrodinger – the server SCHRODINGER installation for socket authentication. If blank, this will be derived from available sources.

  • prompt_for_password – whether to prompt for the SSH password when attempting socket authentication.

Returns

CertInfo containing the address of the registered job server and the user-certificate as a JSON string.

Raises

BadLDAPInputException if ldap_password is left blank and sys.stdin is not a tty

Raises

AuthenticationException if the authentication fails

Raises

RuntimeError for any other failure

schrodinger.job.cert.validate_server_for_auth(server_info: schrodinger.job.server.ServerInfo) → bool

Validates that it is possible to authenticate with the server. Otherwise, raises an error.

Returns

bool indicating if the server’s certificate hostname is known.

Raises

RuntimeError, AuthenticationException

schrodinger.job.cert.has_cert_for_server(address, schrodinger=None)

Check if the current user already has an existing cert for the given job server.

Parameters

address (str) – Address of the Job Server

Returns

True if cert exists, False if not

Return type

bool

schrodinger.job.cert.verify_cert(address: str, schrodinger: Optional[str] = None)

Verify that an rpc can be made using a TLS gRPC connection to the jobserver at the given address.

schrodinger.job.cert.remove_cert(address: str, schrodinger: Optional[str] = None)

Removes the certificate from the user’s collection. Wraps $SCHRODINGER/jsc cert add.

Parameters
  • address (str) – The host:port of the server to remove.

  • schrodinger (str) – $SCHRODINGER environment variable for the current system

Raises

RuntimeError if the executed command fails

schrodinger.job.cert.configured_servers() → Set[str]

Check to see if the SCHRODINGER install has default job servers configured.

Returns

a set of server addresses

Return type

set of str

schrodinger.job.cert.servers_without_registration() → Set[str]

Check to see if the current user is missing registration for default job servers.

Returns

a set of server addresses that are lacking registration.

schrodinger.job.cert.hostname_and_port(addr)

Get the hostname and port of the provided address. If no port is provided, return the default.

Returns

a tuple of address and port

Return type

(str, int)

schrodinger.job.cert.join_host_port(hostname: str, port: Union[str, int]) → str

Join a hostname and port into a network address. Taken from the Go implementation of net.JoinHostPort.
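
Added example (a sketch, not the module's own source): the Go net.JoinHostPort rule brackets any host containing a colon, which keeps IPv6 literals unambiguous when the joined address is later used to look up or remove a certificate. The strict inverse parser and DEFAULT_PORT below are assumptions; the page does not state the real default port or how hostname_and_port treats malformed input.

```python
from typing import Tuple, Union

DEFAULT_PORT = 8443  # placeholder: the page does not state the real default


def join_host_port(hostname: str, port: Union[str, int]) -> str:
    """Same rule as Go's net.JoinHostPort: bracket hosts containing ':'."""
    if ":" in hostname:
        return f"[{hostname}]:{port}"
    return f"{hostname}:{port}"


def hostname_and_port(addr: str) -> Tuple[str, int]:
    """Split 'host', 'host:port', '[v6]' or '[v6]:port' into (host, port)."""
    if addr.startswith("["):
        end = addr.find("]")
        if end == -1:
            raise ValueError(f"missing ']' in address: {addr!r}")
        host, rest = addr[1:end], addr[end + 1:]
        if rest == "":
            port = str(DEFAULT_PORT)
        elif rest.startswith(":"):
            port = rest[1:]
        else:
            raise ValueError(f"unexpected text after ']': {addr!r}")
    elif addr.count(":") == 1:
        host, port = addr.split(":")
    elif ":" in addr:
        # '::1:9000' could be a bare IPv6 literal or host plus port: reject it
        raise ValueError(f"IPv6 literal must be bracketed: {addr!r}")
    else:
        host, port = addr, str(DEFAULT_PORT)
    if not host:
        raise ValueError(f"empty hostname in address: {addr!r}")
    if not (port.isascii() and port.isdigit() and 0 < int(port) <= 65535):
        raise ValueError(f"invalid port in address: {addr!r}")
    return host, int(port)
```
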