{"id":19309931,
"url":"https://github.com/cedadev/online_ca_client",
"last_synced_at":"2025-04-22T13:33:44.329Z",
"repository":{"id":551510,"uuid":"27442145","full_name":"cedadev/online_ca_client","owner":"cedadev","description":null,"archived":false,"fork":false,"pushed_at":"2022-09-09T15:08:11.000Z","size":231,"stargazers_count":1,"open_issues_count":7,"forks_count":1,"subscribers_count":8,"default_branch":"master","last_synced_at":"2025-04-13T09:46:22.273Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cedadev.png",
"metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},
"created_at":"2014-12-02T16:42:09.000Z","updated_at":"2022-03-07T14:42:18.000Z","dependencies_parsed_at":"2022-08-08T22:46:29.196Z","dependency_job_id":null,"html_url":"https://github.com/cedadev/online_ca_client","commit_stats":null,"previous_names":[],"tags_count":7,"template":false,"template_full_name":null,
"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cedadev%2Fonline_ca_client","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cedadev%2Fonline_ca_client/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cedadev%2Fonline_ca_client/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cedadev%2Fonline_ca_client/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cedadev","download_url":"https://codeload.github.com/cedadev/online_ca_client/tar.gz/refs/heads/master",
"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":250249038,"owners_count":21399382,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},
"keywords":[],
"created_at":"2024-11-10T00:21:49.331Z",
"updated_at":"2025-04-22T13:33:44.043Z",
"avatar_url":"https://github.com/cedadev.png",
"language":"Python",
"funding_links":[],
"categories":[],
"sub_categories":[],
"readme":"Online CA Client\n================\nProvides the client interface for an online Certificate Authority web-service.\nThis package works with ``ContrailOnlineCAService``, the server-side\nimplementation also available from PyPI.\n\nWeb service calls can be made to request a certificate.  The web service\ninterface is RESTful using GET and POST operations.  To request a certificate,\na Certificate Signing Request is sent as a field with an HTTP POST call.  The\nservice should be hosted over HTTPS.  The client authenticates using HTTP Basic\nAuth or SSL client authentication.  In the first case, username and password\nare sent.  For the latter, at least a username should be set as this is needed to\nconfigure the subject name of the certificate requested.  If authentication\nsucceeds, an X.509 certificate is returned.\n\nAs well as a Python client, an implementation is included as shell scripts.\nThese require only openssl and wget or curl, which are typically available on\nLinux/UNIX based systems.\n\nThe code was originally developed for the EU Framework 7 programme Contrail\nProject.\n\nPrerequisites\n-------------\nThis has been developed and tested for Python 2.7 and 3.6.\n\nInstallation\n------------\nInstallation can be performed using pip:\n```\n$ pip install ContrailOnlineCAClient\n```\n\nConfiguration\n-------------\nExamples are contained in ``onlineca.client.test``.\n\nExample Clients\n---------------\nThere is a shell script client as well as a Python command line client and API. It is *strongly* recommended to use the Python command line or API rather than the shell script client because the latter may be deprecated in the future.\n\n### Shell script client ###\nBootstrap trust, saving CA trust root certificates in the ``./ca-trustroots`` directory:\n```\n$ ./onlineca-get-trustroots.sh -U https://<hostname>/onlineca/trustroots/ -c ./ca-trustroots -b\nBootstrapping Short-Lived Credential Service root of trust.\nTrust roots have been installed in ./ca-trustroots.\n```\nObtain a certificate:\n```\n$ ./onlineca-get-cert.sh -U https://<hostname>/onlineca/certificate/ -l <username> -c ./ca-trustroots\nEnter Short-Lived Credential phrase:\n-----BEGIN CERTIFICATE-----\n...\n```\n\n### Python command line client ###\nBootstrap trust, saving CA trust root certificates in the ``./ca-trustroots`` directory:\n```\n$ online-ca-client get_trustroots -s https://<hostname>/onlineca/trustroots -b -c ./ca-trustroots\n```\n#### Obtain a certificate using username and password ####\n```\n$ online-ca-client get_cert -s https://slcs.somewhere.ac.uk/onlineca/certificate/ -l <username> -c ./ca-trustroots/ -o ./credentials.pem\n```\n\n#### Delegated certificate retrieval using OAuth 2.0 ####\nThis method can be used for scenarios where credentials are needed for unattended applications that require user authentication with certificates, such as scripts or long-running jobs, for example large file transfers using GridFTP.\n\nTo obtain a delegated certificate, the identity provider must support an OAuth 2.0 interface. This enables delegated clients to obtain certificates on behalf of a user. In summary, the process is: i) the client registers with the OAuth service, obtaining an id and secret; ii) the client calls the OAuth service to obtain an access token; iii) the client calls the OnlineCA SLCS service to obtain a new certificate, authenticating using the access token instead of username and password as in the more conventional case.\n\nIn more detail:\n 1. Configure OAuth client credentials. The client application seeking to obtain delegated credentials on behalf of the user needs to register a client ID and secret with the identity provider. This will need to be done out of band of the client as it is dependent on the identity provider concerned and their policies.\n 2. Set identity provider configuration file. Once obtained, the details need to be entered into this configuration file:\n```\n# Client credentials\nclient_id: \"<client id>\"\nclient_secret: \"<client secret>\"\n\n# Configuration details for interacting with the Authorisation Server\nauthorization_base_url: 'https://<identity provider OAuth service host name>/oauth/authorize'\ntoken_url: 'https://<identity provider OAuth service host name>/oauth/token/'\nscope: \"https://<SLCS Service host name>/certificate/\"\n\n# Start location for user to invoke\nstart_url: \"http://localhost:5000/\"\n\n# Location on the client that the Authorisation Server is configured to redirect to\nredirect_url: \"http://localhost:5000/callback\"\n```\nAll other host name details between `<>` need to be filled out. Save this file in the location `~/.onlinecaclient_idp.yaml` or explicitly set a path in the command line options (see later step).\n\n 3. Obtain OAuth access token. This preliminary step is required in order to obtain a delegated authentication certificate. *Note that this command will launch a web browser link and display a page for the identity provider. Follow the steps to sign in with the identity provider and to authorise the client application to obtain delegated credentials. The specific steps may vary depending on the implementation of the identity provider.*\n```\n# online-ca-client get_token -f <identity provider configuration file location>\n```\nNote that the `-f` option can be omitted, in which case the default identity provider file location will be used (`~/.onlinecaclient_idp.yaml`). If successful, the access token obtained is written out to the file `~/.onlinecaclient_token.json`.\n\n 4. Obtain certificate using OAuth access token. This call is of a similar form to the method with username and password listed above, except that the username and password settings are replaced with the `-t` token switch:\n```\n# online-ca-client get_cert -s https://slcs.jasmin.ac.uk/certificate/ -t - -c ./ca-trustroots/ -o credentials.pem\n```\nThe setting `-` for the token option (`-t`) indicates to use the default location for the access token as obtained in the previous step, i.e. `~/.onlinecaclient_token.json`.\n\n 5. Obtain an updated access token using a Refresh token. In some cases, it may be necessary to renew an access token as it is due to expire. A fresh access token can be obtained using the steps above or, alternatively, a new token can be issued if the OAuth Service supports _Refresh tokens_. In this case, when the initial `get_token` call is made a refresh token should have been included in the response from the OAuth Service and written out to the token file (default location: `~/.onlinecaclient_token.json`). This can be checked by listing this file and looking for the key name `\"refresh_token\"`. If this is present then the refresh token call can be made:\n```\n# online-ca-client refresh_token -f <identity provider configuration file location>\n```\nAs with the `get_token` command, the `-f` option can be omitted in order to use the default location. If successful, a new token file will be written out containing a new access token.\n\n### Python API ###\nInitialise, setting the directory to store CA certificate trust roots:\n```\n>>> from contrail.security.onlineca.client import OnlineCaClient\n>>> onlineca_client = OnlineCaClient()\n>>> onlineca_client.ca_cert_dir = \"./ca-trustroots\"\n```\nBootstrap trust, saving CA trust root certificates in the ``./ca-trustroots`` directory:\n```\n>>> trustroots = onlineca_client.get_trustroots(\"https://slcs.somewhere.ac.uk/onlineca/trustroots/\", bootstrap=True, write_to_ca_cert_dir=True)\n```\nGet a certificate; the key and certificate(s) may optionally be written to a file:\n```\n>>> key_pair, certs = onlineca_client.get_certificate(username, password, 'https://slcs.somewhere.ac.uk/onlineca/certificate/', pem_out_filepath=\"./credentials.pem\")\n```\n",
"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcedadev%2Fonline_ca_client",
"html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcedadev%2Fonline_ca_client",
"lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcedadev%2Fonline_ca_client/lists"}