From fa53c390da02d506088390efa9452de14fd210b8 Mon Sep 17 00:00:00 2001
From: Maciej Szymanski <maciej.szymanski@cern.ch>
Date: Fri, 4 Feb 2022 14:57:36 +0100
Subject: [PATCH] use keytab to authenticate the job running the test

---
 lb/nightly/functions/common.py | 20 +++++++++++++++-----
 lb/nightly/functions/rpc.py    |  2 +-
 2 files changed, 16 insertions(+), 6 deletions(-)

diff --git a/lb/nightly/functions/common.py b/lb/nightly/functions/common.py
index 512f66ea..16ef04d1 100644
--- a/lb/nightly/functions/common.py
+++ b/lb/nightly/functions/common.py
@@ -186,7 +186,9 @@ def get_build_method(project=None):
 def safe_dict(mydict):
     """Helper to return the dictionary without sensitive data
     To be used e.g. to remove secret environment variables.
-    >>> d={"PASSWORD": "my_secret_pass", "PASS": "asd", "USER": "me", "KEY": "asd", "TOKEN": "asd", "PRIVATE": "Asd", "HOME": "Asd", "SHA": "asd"}
+    >>> d={"PASSWORD": "my_secret_pass", "PASS": "asd", "USER": "me",\
+    "KEY": "asd", "TOKEN": "asd", "PRIVATE": "Asd", "HOME": "Asd",\
+    "SHA": "asd", "KRB5CCNAME": "FILE:/tmp/user_123"}
     >>> safe_dict(d)
     {}
     """
@@ -203,6 +205,7 @@ def safe_dict(mydict):
                 "PRIVATE",
                 "HOME",
                 "SHA",
+                "KRB5",
             ]
         )
     }
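Review bot: The `"KRB5"` entry added here is exercised only by the doctest in the previous hunk, whose input holds nothing but filtered names and expects `{}`, so an implementation that dropped every key would still pass. Adding one harmless entry to that doctest, for example `"LANG": "C"` with expected output `{'LANG': 'C'}`, would pin that benign variables survive. The matching expression and the start of the list are outside the hunk, so whether matching is by substring or case-sensitive is inferred from the doctest alone.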
@@ -242,8 +245,15 @@ def singularity_run(
 
         try:
             run(
-                ["kinit", "-c", krb_token.name, krb_auth[0]],
-                input=krb_auth[1].encode(),
+                [
+                    "kinit",
+                    "-c",
+                    krb_token.name,
+                    "-k",
+                    "-t",
+                    krb_auth[1],
+                    krb_auth[0],
+                ],
                 check=True,
             )
         except (CalledProcessError, IndexError):
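Review bot: The keytab path in `krb_auth[1]` goes straight to `kinit -k -t` with no check that it is a regular file readable only by its owner, although a keytab is a long-lived, password-equivalent credential. A guard ahead of the `run(...)` call such as `if os.stat(krb_auth[1]).st_mode & 0o077:` followed by a refusal would reject a group- or world-readable file; whether `os` is imported in this module, and how such an error should be handled, is not visible here. Since `input=` is no longer passed, adding `stdin=subprocess.DEVNULL` to the same call would keep kinit from reading the job's inherited stdin. The `try` sits inside `singularity_run` and the `except` body is outside the hunk.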
@@ -283,7 +293,7 @@ def singularity_run(
         }
         log_body.update(
             {
-                "log": f"Running command: {cmd} with env: {s_env}",
+                "log": f"Running command: {cmd} with env: {safe_dict(s_env)}",
                 "timestamp": datetime.now(timezone.utc),
             }
         )
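Review bot: `safe_dict(s_env)` filters on variable names only, and `cmd` is still interpolated unfiltered into the `"log"` message, so a secret passed as a command argument or stored under a name the filter does not know would still be written out; the same applies to the `logfile.write` call in the next hunk. If `cmd` can carry credentials (not visible here), it needs its own redaction. Computing `safe_env = safe_dict(s_env)` once and using it in both messages would also keep the two log lines consistent in what they hide. Both statements are inside `singularity_run`, whose body extends beyond these hunks.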
@@ -296,7 +306,7 @@ def singularity_run(
         with open(env.get("TASK_LOGFILE"), "a") as logfile:
             logfile.write(
                 f"{datetime.now(timezone.utc).strftime('%Y-%m-%d %H:%M:%S')}: "
-                f"Running command: {cmd} with {s_env}\n"
+                f"Running command: {cmd} with {safe_dict(s_env)}\n"
             )
 
     # to collect the build messages we communicate through the UNIX socket
diff --git a/lb/nightly/functions/rpc.py b/lb/nightly/functions/rpc.py
index 35d225b1..63ebd1d9 100644
--- a/lb/nightly/functions/rpc.py
+++ b/lb/nightly/functions/rpc.py
@@ -337,7 +337,7 @@ def test(
     try:
         krb_auth = (
             lbnightly_settings()["kerberos"]["user"],
-            lbnightly_settings()["kerberos"]["password"],
+            lbnightly_settings()["kerberos"]["keytab"],
         )
     except KeyError:
         krb_auth = None
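Review bot: A deployment whose settings still define only `kerberos.password` now raises `KeyError` on the `"keytab"` lookup and falls into `krb_auth = None` with no message, so the test job may run without Kerberos credentials and fail later in a less obvious place. A warning logged in the `except KeyError` branch naming the missing `keytab` setting would make the migration error visible. A comment on the tuple, `# (principal, keytab path) - consumed by singularity_run`, would also record that the second element is no longer a password. The body of `test` continues outside the hunk.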
-- 
GitLab