find_x509_credentials

igwn_auth_utils.find_x509_credentials(timeleft=600, on_error='warn')

Locate X509 certificate and (optionally) private key files.

Warning

Support for identity-based X.509 credentials for LIGO.ORG is being dropped. Calls to this utility will stop working on/around 20 May 2025.

For details on this change please see

https://computing.docs.ligo.org/guide/compsoft/roadmap/LVK/x509_retirement/

If you have questions about this message, or its implications, please consider opening an IGWN Computing Help Desk ticket:

https://git.ligo.org/computing/helpdesk/-/issues/new

This function checks the following paths in order:

• ${X509_USER_CERT} and ${X509_USER_KEY}

• ${X509_USER_PROXY}

• /tmp/x509up_u${UID}

• ~/.globus/usercert.pem and ~/.globus/userkey.pem

Any located X.509 credential is validated using find_x509_credentials(), with validation failures handled according to on_error.

Parameters:

• timeleft (int) – The minimum required time (in seconds) remaining until expiry for a certificate to be considered ‘valid’

• on_error (str) –

  How to handle errors reading/validating an X.509 certificate file. One of:

  • "ignore" - do nothing and move on to the next candidate

  • "warn" - emit a warning and move on to the next candidate

  • "raise" - raise the exception immediately

Returns:

• cert (str) – the path of the certificate file that also contains the private key, OR

• cert, key (str) – the paths of the separate cert and private key files

Raises:

IgwnAuthError – if not certificate files can be found, or if the files found on disk cannot be validtted.

See also

find_x509_credentials

For details of the certificate validation.

Examples

If no environment variables are set, but a short-lived certificate has been generated in the default location:

>>> find_credentials()
'/tmp/x509up_u1000'

If a long-lived (grid) certificate has been downloaded:

>>> find_credentials()
('/home/me/.globus/usercert.pem', '/home/me/.globus/userkey.pem')