config/settings/container/playground.py

+# Settings for a playground GraceDB instance (for user testing) running
+# in a container on AWS. These settings inherent from base.py) 
+# and overrides or adds to them.
+from .base import *
+
+TIER = "playground"
+CONFIG_NAME = "USER TESTING"
+
+# Debug settings
+DEBUG = False
+
+# Override EMBB email address
+# TP (8 Aug 2017): not sure why?
+EMBB_MAIL_ADDRESS = 'gracedb@{fqdn}'.format(fqdn=SERVER_FQDN)
+
+# Enforce that phone and email alerts are off XXX: Set by deployment variables!
+#SEND_PHONE_ALERTS = False
+#SEND_EMAIL_ALERTS = False
+
+# Enable Mattermost alerts
+SEND_MATTERMOST_ALERTS = True
+
+# Add testserver to ALLOWED_HOSTS
+ALLOWED_HOSTS += ['testserver']
+
+# Set up Sentry for error logging
+sentry_dsn = get_from_env('DJANGO_SENTRY_DSN', fail_if_not_found=False)
+if sentry_dsn is not None:
+    USE_SENTRY = True
+
+    # Set up Sentry
+    import sentry_sdk
+    from sentry_sdk.integrations.django import DjangoIntegration
+    sentry_sdk.init(
+        environment='playground',
+        dsn=sentry_dsn,
+        integrations=[DjangoIntegration()],
+        before_send=before_send,
+    )
+
+    # Turn off default admin error emails
+    LOGGING['loggers']['django.request']['handlers'] = []
+
+# Home page stuff
+INSTANCE_TITLE = 'GraceDB Playground'
+
+# Add sub-bullet with igwn-alert group:
+group_sub_bullet = """<ul>
+<li> Messages are sent to group: <span class="text-monospace"> {0}  </span></li>
+</ul>""".format(LVALERT_OVERSEER_INSTANCES[0]['igwn_alert_group'])
+INSTANCE_LIST = INSTANCE_LIST + group_sub_bullet
+
+INSTANCE_INFO = """
+<h5>Playground instance</h5>
+<hr>
+<p>
+This GraceDB instance is designed for users to develop and test their own
+applications. It mimics the production instance in all but the following ways:
+</p>
+<ul>
+{}
+<li>Only LIGO logins are provided (no login via InCommon or Google).</li>
+<li>Events and associated data will <b>not</b> be preserved indefinitely.
+A nightly cron job removes events older than 21 days.</li>
+</ul>
+""".format(INSTANCE_LIST)
+
+# Safety check on debug mode for playground
+if (DEBUG == True):
+    raise RuntimeError("Turn off debug mode for playground")

config/settings/container/production.py

+# Settings for a production GraceDB instance running in a container
+from .base import *
+
+TIER = "production"
+
+DEBUG = False
+
+# Turn on alerts: XXX: Set by deployment variables!
+#SEND_PHONE_ALERTS = True
+#SEND_EMAIL_ALERTS = True
+#SEND_MATTERMOST_ALERTS = True
+
+# TP, March 2019: for now, it looks infeasible to use multiple databases
+# since there are many operations which normal LVC users can do that
+# do a write and then a read very soon after.  And we can't rely on
+# the read replica being updated quickly enough for that to work.
+# So there are several workflows that need to be redone in order for
+# this to be possible, but it's not obvious that they even can be
+# reworked properly.  I.e. this is a much bigger project than expected
+# so we're going to have to revisit it at some point.  We'll leave the
+# config here for now.
+# if not PRIORITY_SERVER:
+#    # If not a priority server, we use the read-only replica database
+#    # for reads and master for writes.
+#    # The username, password, and database name are all replicated
+#    # from the production database
+#
+#    # Set up dict and add to DATABASES setting
+#    read_replica = {
+#        'NAME': DATABASES['default']['NAME'],
+#        'ENGINE': 'django.db.backends.mysql',
+#        'USER': DATABASES['default']['USER'],
+#        'PASSWORD': DATABASES['default']['PASSWORD'],
+#        'HOST': os.environ.get('DJANGO_REPLICA_DB_HOST', ''),
+#        'PORT': os.environ.get('DJANGO_REPLICA_DB_PORT', ''),
+#        'OPTIONS': {
+#            'init_command': 'SET storage_engine=MyISAM',
+#        },
+#    }
+#    DATABASES['read_replica'] = read_replica
+#
+#    # Set up database router
+#    DATABASE_ROUTERS = ['core.db.routers.NonPriorityRouter',]
+
+# Set up Sentry for error logging
+sentry_dsn = get_from_env('DJANGO_SENTRY_DSN', fail_if_not_found=False)
+if sentry_dsn is not None:
+    USE_SENTRY = True
+
+    # Set up Sentry
+    import sentry_sdk
+    from sentry_sdk.integrations.django import DjangoIntegration
+    sentry_sdk.init(
+        environment='production',
+        dsn=sentry_dsn,
+        integrations=[DjangoIntegration()],
+        before_send=before_send,
+    )
+
+    # Turn off default admin error emails
+    LOGGING['loggers']['django.request']['handlers'] = []
+
+# Home page stuff
+INSTANCE_TITLE = 'GraceDB'
+
+# Add sub-bullet with igwn-alert group:
+group_sub_bullet = """<ul>
+<li> Messages are sent to group: <span class="text-monospace"> {0}  </span></li>
+</ul>""".format(LVALERT_OVERSEER_INSTANCES[0]['igwn_alert_group'])
+INSTANCE_LIST = INSTANCE_LIST + group_sub_bullet
+
+INSTANCE_INFO = """
+<h5>GraceDB Notifications</h5>
+<hr>
+<p>
+GraceDB notifies registered users of Gravitational-Wave candidate detections 
+in real-time during LIGO/Virgo/KAGRA observation periods. Current notifications 
+mechanisms are:
+</p>
+<ul>
+{}
+</ul>
+""".format(INSTANCE_LIST)
+
+# Safety check on debug mode for production
+if (DEBUG == True):
+    raise RuntimeError("Turn off debug mode for production")
+
+# Hardcode pipelines not approved for production:
+UNAPPROVED_PIPELINES += ['aframe', 'GWAK']

config/settings/container/test.py

+# Settings for a test/dev GraceDB instance running in a container
+from .base import *
+
+TIER = "test"
+CONFIG_NAME = "TEST"
+
+# Debug settings
+DEBUG = True
+
+# Override EMBB email address
+# TP (8 Aug 2017): not sure why?
+EMBB_MAIL_ADDRESS = 'gracedb@{fqdn}'.format(fqdn=SERVER_FQDN)
+
+# Add middleware
+debug_middleware = 'debug_toolbar.middleware.DebugToolbarMiddleware'
+MIDDLEWARE += [
+    debug_middleware,
+    #'silk.middleware.SilkyMiddleware',
+    #'core.middleware.profiling.ProfileMiddleware',
+    #'core.middleware.admin.AdminsOnlyMiddleware',
+]
+
+# Add to installed apps
+INSTALLED_APPS += [
+    'debug_toolbar',
+    #'silk'
+]
+
+# Add testserver to ALLOWED_HOSTS
+ALLOWED_HOSTS += ['testserver']
+
+# Settings for django-silk profiler
+SILKY_AUTHENTICATION = True
+SILKY_AUTHORISATION = True
+if 'silk' in INSTALLED_APPS:
+    # Needed to prevent RequestDataTooBig for files > 2.5 MB
+    # when silk is being used. This setting is typically used to
+    # prevent DOS attacks, so should not be changed in production.
+    DATA_UPLOAD_MAX_MEMORY_SIZE = 20*(1024**2)
+
+# Tuple of IPs which are marked as internal, useful for debugging.
+# Tanner (5 Dec. 2017): DON'T CHANGE THIS! Django Debug Toolbar exposes
+# some headers which we want to keep hidden.  So to be safe, we only allow
+# it to be used through this server.  You need to configure a SOCKS proxy
+# on your local machine to use DJDT (see admin docs).
+INTERNAL_IPS = [
+    INTERNAL_IP_ADDRESS,
+]
+
+# Enforce that phone and email alerts are off XXX: Set by deployment variables!
+#SEND_PHONE_ALERTS = False
+#SEND_EMAIL_ALERTS = False
+#SEND_MATTERMOST_ALERTS = True
+
+# Set up Sentry for error logging
+sentry_dsn = get_from_env('DJANGO_SENTRY_DSN', fail_if_not_found=False)
+if sentry_dsn is not None:
+    USE_SENTRY = True
+
+    # Set up Sentry
+    import sentry_sdk
+    from sentry_sdk.integrations.django import DjangoIntegration
+    sentry_sdk.init(
+        environment='test',
+        dsn=sentry_dsn,
+        integrations=[DjangoIntegration()],
+        before_send=before_send,
+    )
+
+    # Turn off default admin error emails
+    LOGGING['loggers']['django.request']['handlers'] = []
+
+# Home page stuff
+INSTANCE_TITLE = 'GraceDB Testing Server'
+
+# Add sub-bullet with igwn-alert group:
+group_sub_bullet = """<ul>
+<li> Messages are sent to group: <span class="text-monospace"> {0}  </span></li>
+</ul>""".format(LVALERT_OVERSEER_INSTANCES[0]['igwn_alert_group'])
+INSTANCE_LIST = INSTANCE_LIST + group_sub_bullet
+
+INSTANCE_INFO = """
+<h5>Testing Instance</h5>
+<hr>
+<p>
+This GraceDB instance is designed for Quality Assurance (QA) testing and
+validation for GraceDB and electromagnetic follow-up (EMFollow) developers.
+Software should meet QA milestones on the test instance before being moved 
+to Playground or Production. Note, on this GraceDB instance:
+</p>
+<ul>
+{}
+<li>Only LIGO logins are provided (no login via InCommon or Google).</li>
+</ul>
+""".format(INSTANCE_LIST)

config/settings/vm/base.py

+# For running a VM that is provisioned by Puppet with a secret.py file
+# for secret settings
+from ..base import *
+# Get secret settings:
+# DB_PASSWORD, SECRET_KEY, TWILIO_ACCOUNT_SID, TWILIO_AUTH_TOKEN
+from ..secret import *
+import socket
+
+# Nested dict of settings for all databases
+DATABASES = {
+    'default' : {
+        'NAME': 'gracedb',
+        'ENGINE': 'django.db.backends.postgresql_psycopg2',
+        'USER': 'gracedb',
+        'PASSWORD': DB_PASSWORD,
+        'HOST':'127.0.0.1',
+        'PORT':'5432',
+        'CONN_MAX_AGE': 3600,
+    },
+}
+
+# Set up allowed hosts
+SERVER_FQDN = socket.getfqdn()
+SERVER_HOSTNAME = INTERNAL_HOSTNAME
+LIGO_FQDN = '{hostname}.ligo.org'.format(hostname=SERVER_HOSTNAME)
+ALLOWED_HOSTS += [SERVER_FQDN, LIGO_FQDN]
+
+# Email settings - dependent on server hostname and FQDN ----------------------
+EMAIL_HOST = 'localhost'
+SERVER_EMAIL = 'GraceDB <gracedb@{fqdn}>'.format(fqdn=SERVER_FQDN)
+ALERT_EMAIL_FROM = SERVER_EMAIL
+ALERT_EMAIL_TO = []
+ALERT_EMAIL_BCC = []
+ALERT_TEST_EMAIL_FROM = SERVER_EMAIL
+ALERT_TEST_EMAIL_TO = []
+# EMBB email settings
+EMBB_MAIL_ADDRESS = 'embb@{fqdn}.ligo.org'.format(fqdn=SERVER_FQDN)
+EMBB_SMTP_SERVER = 'localhost'
+EMBB_MAIL_ADMINS = [admin[1] for admin in ADMINS]
+EMBB_IGNORE_ADDRESSES = ['Mailer-Daemon@{fqdn}'.format(fqdn=SERVER_FQDN)]
+
+# Load modified caching middleware:
+# https://docs.djangoproject.com/en/2.2/ref/middleware/#middleware-ordering
+MIDDLEWARE = [
+    'django.middleware.cache.UpdateCacheMiddleware',
+    'django.middleware.gzip.GZipMiddleware',
+    'events.middleware.PerformanceMiddleware',
+    'core.middleware.accept.AcceptMiddleware',
+    'core.middleware.api.ClientVersionMiddleware',
+    'core.middleware.api.CliExceptionMiddleware',
+    'core.middleware.proxy.XForwardedForMiddleware',
+    'django.contrib.sessions.middleware.SessionMiddleware',
+    'user_sessions.middleware.SessionMiddleware',
+    'django.middleware.common.CommonMiddleware',
+    'django.contrib.auth.middleware.AuthenticationMiddleware',
+    'core.middleware.maintenance.MaintenanceModeMiddleware',
+    'django.contrib.messages.middleware.MessageMiddleware',
+    'ligoauth.middleware.ShibbolethWebAuthMiddleware',
+    'ligoauth.middleware.ControlRoomMiddleware',
+    'django.middleware.cache.FetchFromCacheMiddleware',
+]
+
+# Set caches:
+CACHE_MIDDLEWARE_SECONDS = 5
+CACHES = {
+    'default': {
+        'BACKEND': 'django.core.cache.backends.memcached.PyMemcacheCache',
+        'LOCATION': 'localhost:11211',
+        'TIMEOUT': 60,
+        'KEY_PREFIX': 'NULL',
+        'OPTIONS': {
+            'ignore_exc': True,
+            }
+    },
+    # For API throttles
+    'throttles': {
+        'BACKEND': 'django.core.cache.backends.db.DatabaseCache',
+        'LOCATION': 'api_throttle_cache', # Table name
+    },    
+}
+
+# FIXME: hardwire this for now in the VMs for testing
+ENABLE_REDIS_QUEUE = True
+
+if ENABLE_REDIS_QUEUE:
+    # For async alert follow-up:
+    CACHES.update({"async_followup": {
+        "BACKEND": "django_redis.cache.RedisCache",
+        "LOCATION": f"redis://{REDIS_QUEUE_ADDRESS}:{REDIS_QUEUE_PORT}/{REDIS_QUEUE_DATABASE}",
+        "OPTIONS": {
+            "CLIENT_CLASS": "django_redis.client.DefaultClient",
+        }
+    }})
+
+
+    # Set queue backend for async django tasks:
+    # example django-redis connection
+    Q_CLUSTER = {
+        'name': Q_CLUSTER_NAME,
+        'label': Q_CLUSTER_LABEL,
+        'retry': REDIS_QUEUE_RETRY,
+        'timeout': REDIS_QUEUE_TIMEOUT,
+        'workers': REDIS_QUEUE_WORKERS,
+        'recycle': REDIS_QUEUE_RECYCLE,
+        'django_redis': 'async_followup'
+    }
+
+# DB "cool-down" factor for when a db conflict is detected. This
+# factor scales a random number of seconds between zero and one.
+DB_SLEEP_FACTOR = get_from_env(
+        'DJANGO_DB_SLEEP_FACTOR',
+        default_value=1.0,
+        fail_if_not_found=False
+)
+# Fix the factor (str to float)
+try:
+    DB_SLEEP_FACTOR = float(DB_SLEEP_FACTOR)
+except:
+    DB_SLEEP_FACTOR = 1.0
+
+BETA_REPORTS_LINK = True
+
+## EGAD (External GraceDB Alert Dispatcher) configuration
+ENABLE_EGAD_EMAIL = parse_envvar_bool(
+    get_from_env('ENABLE_EGAD_EMAIL',
+                 fail_if_not_found=False, default_value="false")
+)
+ENABLE_EGAD_KAFKA = parse_envvar_bool(
+    get_from_env('ENABLE_EGAD_KAFKA',
+                 fail_if_not_found=False, default_value="false")
+)
+ENABLE_EGAD_MATTERMOST = parse_envvar_bool(
+    get_from_env('ENABLE_EGAD_MATTERMOST',
+                 fail_if_not_found=False, default_value="false")
+)
+ENABLE_EGAD_PHONE = parse_envvar_bool(
+    get_from_env('ENABLE_EGAD_PHONE',
+                 fail_if_not_found=False, default_value="false")
+)
+
+ENABLE_EGAD = (
+    ENABLE_EGAD_EMAIL or ENABLE_EGAD_KAFKA
+    or ENABLE_EGAD_MATTERMOST or ENABLE_EGAD_PHONE
+)
+
+
+# Pull in remaining (phone/email) alert variables from
+# the environment. Default to false.
+SEND_PHONE_ALERTS = parse_envvar_bool(get_from_env(
+    'SEND_PHONE_ALERTS',
+    default_value='False',
+    fail_if_not_found=False
+    ))
+
+SEND_EMAIL_ALERTS = parse_envvar_bool(get_from_env(
+    'SEND_EMAIL_ALERTS',
+    default_value='False',
+    fail_if_not_found=False
+    ))
+
+SEND_MATTERMOST_ALERTS = parse_envvar_bool(get_from_env(
+    'SEND_MATTERMOST_ALERTS',
+    default_value='False',
+    fail_if_not_found=False
+    ))
+
+INSTANCE_STUB = """
+<li>Phone alerts (calls/SMS) are {0}</li>
+<li>Email alerts are {1}</li>
+<li><span class="text-monospace">igwn-alert</span> messages to <span class="text-monospace">{2}</span> are {3}</li>
+"""
+
+INSTANCE_LIST = INSTANCE_STUB.format(ENABLED[SEND_PHONE_ALERTS],
+                                ENABLED[SEND_EMAIL_ALERTS],
+                                LVALERT_OVERSEER_INSTANCES[0]['lvalert_server'],
+                                ENABLED[SEND_XMPP_ALERTS])
+
+if (len(LVALERT_OVERSEER_INSTANCES) == 2):
+    IGWN_STUB = '<li><span class="text-monospace">igwn-alert</span> messages to <span class="text-monospace">{0}</span> are {1}</li>'
+    IGWN_LIST = IGWN_STUB.format(LVALERT_OVERSEER_INSTANCES[1]['lvalert_server'],
+                                ENABLED[SEND_XMPP_ALERTS])
+    INSTANCE_LIST = INSTANCE_LIST + IGWN_LIST
+
+# Set SciToken accepted audience to server FQDN
+SCITOKEN_AUDIENCE = ["https://" + SERVER_FQDN, "https://" + LIGO_FQDN]

config/settings/vm/dev.py

+# Settings for a test/dev GraceDB instance running on a VM with Puppet
+# provisioning. Starts with vm.py settings (which inherits from base.py
+# settings) and overrides or adds to them.
+import socket
+from .base import *
+
+TIER = "dev"
+CONFIG_NAME = "DEV"
+
+# Debug settings
+DEBUG = True
+SEND_XMPP_ALERTS=True
+SEND_MATTERMOST_ALERTS=True
+
+# Override EMBB email address
+# TP (8 Aug 2017): not sure why?
+EMBB_MAIL_ADDRESS = 'gracedb@{fqdn}'.format(fqdn=SERVER_FQDN)
+
+# Add middleware
+debug_middleware = 'debug_toolbar.middleware.DebugToolbarMiddleware'
+MIDDLEWARE += [
+    debug_middleware,
+    #'silk.middleware.SilkyMiddleware',
+    #'core.middleware.profiling.ProfileMiddleware',
+    #'core.middleware.admin.AdminsOnlyMiddleware',
+]
+
+# Add to installed apps
+INSTALLED_APPS += [
+    'debug_toolbar',
+]
+
+# Add testserver to ALLOWED_HOSTS
+ALLOWED_HOSTS += ['testserver']
+
+# Settings for django-silk profiler
+SILKY_AUTHENTICATION = True
+SILKY_AUTHORISATION = True
+if 'silk' in INSTALLED_APPS:
+    # Needed to prevent RequestDataTooBig for files > 2.5 MB
+    # when silk is being used. This setting is typically used to
+    # prevent DOS attacks, so should not be changed in production.
+    DATA_UPLOAD_MAX_MEMORY_SIZE = 20*(1024**2)
+
+# Tuple of IPs which are marked as internal, useful for debugging.
+# Tanner (5 Dec. 2017): DON'T CHANGE THIS! Django Debug Toolbar exposes
+# some headers which we want to keep hidden.  So to be safe, we only allow
+# it to be used through this server.  You need to configure a SOCKS proxy
+# on your local machine to use DJDT (see admin docs).
+INTERNAL_IPS = [
+    INTERNAL_IP_ADDRESS,
+]
+INSTANCE_TITLE = 'GraceDB Development VM'
+
+# Add sub-bullet with igwn-alert group:
+if (len(LVALERT_OVERSEER_INSTANCES) == 2):
+    igwn_alert_group = os.environ.get('IGWN_ALERT_GROUP', 'lvalert-dev')
+    group_sub_bullet = """<ul>
+    <li> Messages are sent to group: <span class="text-monospace"> {0}  </span></li>
+    </ul>""".format(igwn_alert_group)
+    INSTANCE_LIST = INSTANCE_LIST + group_sub_bullet
+
+INSTANCE_INFO = """
+<h5>Development Instance</h5>
+<hr>
+<p>
+This GraceDB instance is designed for GraceDB maintainers to develop and
+test in the AWS cloud architecture. There is <b>no guarantee</b> that the
+behavior of this instance will mimic the production system at any time.
+Events and associated data may change or be removed at any time.
+</p>
+<ul>
+{}
+<li>Only LIGO logins are provided (no login via InCommon or Google).</li>
+</ul>
+""".format(INSTANCE_LIST)
+
+# Turn off public page caching for development and testing:
+PUBLIC_PAGE_CACHING = 0
+
+# Hardcode pipelines not approved for production (for vm testing)
+# UNAPPROVED_PIPELINES += ['aframe', 'GWAK']

config/settings/vm/playground.py

+# Settings for a playground GraceDB instance (for user testing) running
+# on a VM with Puppet provisioning. Starts with vm.py settings (which inherits
+# from base.py settings) and overrides or adds to them.
+from .base import *
+
+TIER = "playground"
+CONFIG_NAME = "USER TESTING"
+
+# Debug settings
+DEBUG = False
+
+# Override EMBB email address
+# TP (8 Aug 2017): not sure why?
+EMBB_MAIL_ADDRESS = 'gracedb@{fqdn}'.format(fqdn=SERVER_FQDN)
+
+# Turn on XMPP alerts
+SEND_XMPP_ALERTS = True
+
+# Turn on Mattermost alerts
+SEND_MATTERMOST_ALERTS = True
+
+# Enforce that phone and email alerts are off
+SEND_PHONE_ALERTS = False
+SEND_EMAIL_ALERTS = False
+
+# Define correct LVAlert settings
+LVALERT_OVERSEER_INSTANCES = [
+    {
+        "lvalert_server": "lvalert-playground.cgca.uwm.edu",
+        "listen_port": 8001,
+    },
+]
+
+# Add testserver to ALLOWED_HOSTS
+ALLOWED_HOSTS += ['testserver']
+
+# Home page stuff
+INSTANCE_TITLE = 'GraceDB Playground'
+INSTANCE_INFO = """
+<h3>Playground instance</h3>
+<p>
+This GraceDB instance is designed for users to develop and test their own
+applications. It mimics the production instance in all but the following ways:
+</p>
+<ul>
+<li>Phone and e-mail alerts are turned off.</li>
+<li>Only LIGO logins are provided (no login via InCommon or Google).</li>
+<li>LVAlert messages are sent to lvalert-playground.cgca.uwm.edu.</li>
+<li>Events and associated data will <b>not</b> be preserved indefinitely.
+A nightly cron job removes events older than 21 days.</li>
+</ul>
+"""
+
+# Safety check on debug mode for playground
+if (DEBUG == True):
+    raise RuntimeError("Turn off debug mode for playground")

config/settings/vm/production.py

+# Settings for a production GraceDB instance running on a VM with Puppet
+# provisioning. Starts with vm.py settings (which inherits from base.py
+# settings) and overrides or adds to them.
+from .base import *
+
+TIER = "production"
+
+DEBUG = False
+
+# LVAlert Overseer settings
+LVALERT_OVERSEER_INSTANCES = [
+    {
+        "lvalert_server": "lvalert.cgca.uwm.edu",
+        "listen_port": 8000,
+    },
+]
+
+# Turn on alerts
+SEND_XMPP_ALERTS = True
+SEND_PHONE_ALERTS = True
+SEND_EMAIL_ALERTS = True
+SEND_MATTERMOST_ALERTS = True
+
+# Safety check on debug mode for production
+if (DEBUG == True):
+    raise RuntimeError("Turn off debug mode for production")

config/urls.py

+from django.conf import settings
+
+from django.urls import re_path, include
+
+from django.contrib import admin
+from django.contrib.auth.views import LogoutView
+from django.views.generic import TemplateView
+
+# Import feeds
+import core.views
+from events.feeds import EventFeed, feedview
+import events.reports
+import events.views
+from ligoauth.views import (
+    manage_password, ShibLoginView, ShibPostLoginView
+)
+import search.views
+
+# Django admin auto-discover
+admin.autodiscover()
+
+feeds = {
+    'latest' : EventFeed
+}
+
+
+urlpatterns = [
+    re_path(r'^$', events.views.index, name="home"),
+    re_path(r'^navbar_only$', TemplateView.as_view(
+        template_name='navbar_only.html'), name="navbar-only"),
+    re_path(r'^SPInfo', TemplateView.as_view(template_name='gracedb/spinfo.html'),
+         name="spinfo"),
+    re_path(r'^SPPrivacy', TemplateView.as_view(
+        template_name='gracedb/spprivacy.html'), name="spprivacy"),
+    re_path(r'^DiscoveryService', TemplateView.as_view(
+        template_name='discovery.html'), name="discovery"),
+    re_path(r'^events/', include('events.urls')),
+    re_path(r'^superevents/', include('superevents.urls')),
+    re_path(r'^alerts/', include('alerts.urls')),
+    re_path(r'^feeds/(?P<url>.*)/$', EventFeed()),
+    re_path(r'^feeds/$', feedview, name="feeds"),
+
+    re_path(r'^other/$', TemplateView.as_view(template_name='other.html'),
+        name='other'),
+    re_path(r'^performance/$', events.views.performance, name="performance"),
+    re_path(r'^reports/$', events.reports.reports_page_context, name="reports"),
+    re_path(r'^latest/$', search.views.latest, name="latest"),
+    #(r'^reports/(?P<path>.+)$', 'django.views.static.serve',
+    #        {'document_root': settings.LATENCY_REPORT_DEST_DIR}),
+    re_path(r'^search/$', search.views.search, name="mainsearch"),
+
+    # Authentication
+    re_path(r'^login/$', ShibLoginView.as_view(), name='login'),
+    re_path(r'^post-login/$', ShibPostLoginView.as_view(), name='post-login'),
+    re_path(r'^logout/$', LogoutView.as_view(), name='logout'),
+
+    # Password management
+    re_path('^manage-password/$', manage_password, name='manage-password'),
+
+    # API URLs
+    re_path(r'^api/', include('api.urls')),
+    # Legacy API URLs - must be maintained!
+    re_path(r'^apibasic/', include('api.urls', namespace='legacy_apibasic')),
+    re_path(r'^apiweb/', include('api.urls', namespace='legacy_apiweb')),
+
+    # Heartbeat URL
+    re_path(r'^heartbeat/$', core.views.heartbeat, name='heartbeat'),
+
+    # Uncomment the admin/doc line below and add 'django.contrib.admindocs'
+    # to INSTALLED_APPS to enable admin documentation:
+    # (r'^admin/doc/', include('django.contrib.admindocs.urls')),
+    re_path(r'^admin/', admin.site.urls),
+
+    # Sessions
+    re_path(r'^', include('user_sessions.urls', 'user_sessions')),
+
+]
+
+# We don't require settings.DEBUG for django-silk since running unit tests
+# by default setings settings.DEBUG to False, unless you use the
+# --debug-mode flag
+if ('silk' in settings.INSTALLED_APPS):
+    # Add django-silk
+    urlpatterns = [
+        re_path(r'^silk/', include('silk.urls', namespace='silk'))
+    ] + urlpatterns
+
+# Add django-debug-toolbar
+if settings.DEBUG and 'debug_toolbar' in settings.INSTALLED_APPS:
+    import debug_toolbar
+    urlpatterns = [
+        re_path(r'^__debug__/', include(debug_toolbar.urls)),
+    ] + urlpatterns

config/wsgi.py

+import os
+import sys
+from os.path import abspath, dirname, join
+
+# Parameters
+DEFAULT_SETTINGS_MODULE = 'config.settings.vm.dev'
+PROJECT_ROOT_NAME = 'gracedb'
+
+# Set up base dir of repository
+BASE_DIR = abspath(join(dirname(__file__), ".."))
+
+# Add the source code directory and project root
+sys.path.append(BASE_DIR)
+sys.path.append(join(BASE_DIR, PROJECT_ROOT_NAME))
+
+# Set DJANGO_SETTINGS_MODULE environment variable if it's not already set
+os.environ.setdefault('DJANGO_SETTINGS_MODULE', DEFAULT_SETTINGS_MODULE)
+
+# Matplotlib config directory
+os.environ['MPLCONFIGDIR'] = '/tmp/'
+
+from django.core.wsgi import get_wsgi_application
+application = get_wsgi_application()

django-dev.wsgi

-import os
-import sys
-
-# XXX The WSGI files should be unified.
-# Would be easy if settings.py were unified, which isn't hard.
-
-os.environ['DJANGO_SETTINGS_MODULE'] = 'gracedb.settings_dev'
-
-sys.path.append('/home/bmoe/sandbox/lib/python2.6/site-packages')
-sys.path.append('/home/bmoe/sandbox/lib/python2.6')
-
-import django.core.handlers.wsgi
-application = django.core.handlers.wsgi.WSGIHandler()
-
-

django.wsgi

-import os
-import sys
-
-# XXX The WSGI files should be unified.
-# Would be easy if settings.py were unified, which isn't hard.
-
-os.environ['DJANGO_SETTINGS_MODULE'] = 'gracedb.settings'
-
-import django.core.handlers.wsgi
-application = django.core.handlers.wsgi.WSGIHandler()
-

docker/apache-config

+ServerName ${DJANGO_PRIMARY_FQDN}
+
+<VirtualHost *:80>
+  ServerName https://${DJANGO_PRIMARY_FQDN}:443
+  UseCanonicalName On
+  ServerSignature On
+  ErrorLog /dev/stderr
+  Transferlog /dev/stdout
+
+  ServerAdmin cgca-admins@uwm.edu
+
+  ## Log format
+  LogFormat "APACHE | %a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""
+
+  ## Vhost docroot
+  DocumentRoot "/var/www/html"
+
+  ## Directories, there should at least be a declaration for /var/www/html
+
+  <Directory "/var/www/html">
+    Options Indexes FollowSymLinks MultiViews
+    AllowOverride None
+    Require all granted
+  </Directory>
+
+  # Improve proxy behavior with gunicorn:
+  # https://serverfault.com/questions/206738/intermittent-error-when-using-mod-proxy-to-do-reverse-proxy-to-soap-service#comment1327184_209006
+  # https://github.com/benoitc/gunicorn/issues/207
+
+  SetEnv force-proxy-request-1.0 1
+  SetEnv proxy-nokeepalive 1
+
+  ## Custom fragment
+  # gUnicorn edits
+  Alias /shibboleth-ds/idpselect_config.js /etc/shibboleth-ds/idpselect_config.js
+  Alias /shibboleth-ds/idpselect.js /etc/shibboleth-ds/idpselect.js
+  Alias /shibboleth-ds/idpselect.css /etc/shibboleth-ds/idpselect.css
+  Alias /static/ "/app/gracedb_project/static_root/"
+  # Aliases for docs and admin_docs
+  Alias /documentation/ "/app/gracedb_project/docs/user_docs/build/"
+  Alias /admin_docs/ "/app/gracedb_project/docs/admin_docs/build/"
+  ProxyPreserveHost on
+  ProxyAddHeaders off
+  ProxyPass "/robots.txt" "!"
+  ProxyPass "/shibboleth-ds" "!"
+  ProxyPass "/Shibboleth.sso" "!"
+  ProxyPass "/static" "!"
+  ProxyPass "/documentation" "!"
+  ProxyPass "/admin_docs" "!"
+  ProxyPass "/" "http://localhost:8080/" timeout=120
+  ProxyPassReverse "/" "http://localhost:8080/"
+
+  # This section is for apache2 timeout and keepalive tuning parameters. 
+  # https://ioflood.com/blog/2020/02/21/what-is-apache-keepalive-timeout-how-to-optimize-this-critical-setting/
+  
+  # KeepAlive will... keep a connection alive for subsequent requests. 
+  # Turn this on.
+  KeepAlive On
+
+  # The maximum number of requests served to a client before terminating the connection.
+  # This can be large, possibly safely unlimited. (0 = unlimited)
+  MaxKeepAliveRequests 0
+
+  # The number of seconds Apache will wait for a subsequent request before closing the 
+  # connection. Once a request has been received, the timeout value specified by the 
+  # Timeout directive applies. Setting KeepAliveTimeout to a high value may cause 
+  # performance problems in heavily loaded servers. The higher the timeout, the more 
+  # server processes will be kept occupied waiting on connections with idle clients
+  KeepAliveTimeout 5
+
+  # Amount of time the server will wait for certain events before failing a 
+  # request. The TimeOut directive defines the length of time Apache will wait for
+  # I/O (e.g., when reading data from the client, when writing data to the client, etc.) 
+  # Default: 300s. Try setting this lower, then do a test like a long query with the API
+  # and in the browser and see what happens. 
+  Timeout 60
+
+  # Unset certain headers to help prevent spoofing
+  RequestHeader unset REMOTE_USER
+  RequestHeader unset ISMEMBEROF
+  RequestHeader unset X_FORWARDED_FOR
+  RequestHeader unset REMOTE_ADDR
+  RequestHeader unset SSL_CLIENT_S_DN
+  RequestHeader unset SSL_CLIENT_I_DN
+  RequestHeader unset X_FORWARDED_PROTO
+
+  # Get a few of them from the environment
+  RequestHeader set X_FORWARDED_FOR "%{X_FORWARDED_FOR}e" env=X_FORWARDED_FOR
+  RequestHeader set REMOTE_ADDR "%{REMOTE_ADDR}e" env=REMOTE_ADDR
+
+  # Set X_FORWARDED_PROTO to https
+  RequestHeader set X_FORWARDED_PROTO "https"
+
+  # Increase the max allowable header size:
+  LimitRequestFieldSize 16384
+
+  # Set up mod_xsendfile for serving static event files as directed by Django
+  XSendFile On
+  XSendFilePath /app/db_data/
+
+  Alias /shibboleth-ds/idpselect_config.js /etc/shibboleth-ds/idpselect_config.js
+  Alias /shibboleth-ds/idpselect.js /etc/shibboleth-ds/idpselect.js
+  Alias /shibboleth-ds/idpselect.css /etc/shibboleth-ds/idpselect.css
+
+  <Directory /etc/shibboleth-ds>
+    Require all granted
+  </Directory>
+
+  # Deny access to the DocumentRoot. This makes it possible to upload
+  # large files. See notes.
+  <Directory "/var/www/">
+    Require all denied
+  </Directory>
+
+  <Directory "/app/gracedb_project/static_root/">
+    AllowOverride None
+    Options None
+    Require all granted
+  </Directory>
+
+  Alias /robots.txt /app/gracedb_project/static_root/robots.txt
+
+  <Location /Shibboleth.sso>
+    SetHandler shib
+    Require all granted
+  </Location>
+
+  <Location /shibboleth-sp>
+    Require all granted
+  </Location>
+
+  <Location "/post-login/">
+    AuthType Shibboleth
+    Require shibboleth
+    ShibRequestSetting requireSession true
+    ShibUseHeaders On
+
+    # use funky method to get REMOTE_USER variable
+    RewriteEngine On
+    RewriteCond %{LA-U:REMOTE_USER} (.+)
+    RewriteRule . - [E=RU:%1]
+    RequestHeader set REMOTE_USER %{RU}e
+
+    # this way only works with SSLEngine On because REMOTE_USER is secure variable
+    #RequestHeader set REMOTE_USER %{REMOTE_USER}s
+    RequestHeader set ISMEMBEROF "%{ISMEMBEROF}e" env=ISMEMBEROF
+  </Location>
+
+  <Directory "/app/gracedb_project/docs/user_docs/build/">
+    Require all granted
+  </Directory>
+
+  # Restrict access to admin documentation
+  <Location "/admin_docs/">
+    AuthType Shibboleth
+    ShibRequestSetting requireSession true
+    ShibUseHeaders On
+    Require shib-user duncan.meacher@ligo.org alexander.pace@ligo.org daniel.wysocki@ligo.org patrick.brady@ligo.org
+  </Location>
+
+</VirtualHost>

docker/backports.pref

+Explanation: shibboleth 3.0 dependencies
+Package: init-system-helpers libxerces-c3.2
+Pin: release a=stretch-backports
+Pin-Priority: 500

docker/check_shibboleth_status

+#!/usr/bin/python3
+
+'''
+Pulls Shibboleth status.sso page, checks for:
+  1. Presence of <OK/> tags under Status and SessionCache,
+  2. Presence of required metadata feeds (see metadata_feeds).
+Run ./check_shibboleth_status -h for help.
+'''
+
+# Imports
+import argparse
+import sys
+import xml.etree.ElementTree as ET
+try:
+    from urllib.request import urlopen
+    from urllib.error import URLError
+except ImportError:  # python < 3
+    from urllib2 import (urlopen, URLError)
+
+# Parameters - may need to be modified in the future
+# if Shibboleth status pages change or new metadata
+# providers are added.
+tags_to_check = ["Status", "SessionCache"] # XML tags to check for "OK" status.
+# Metadata feeds.
+default_metadata_feeds = ["ligo-approved-idp-none", "incommon", "cirrus"]
+
+# Default arguments
+default_host = "localhost"
+default_urlpath = "Shibboleth.sso/Status"
+default_timeout = 10
+
+# Process arguments.
+parser = argparse.ArgumentParser(formatter_class=
+                                 argparse.ArgumentDefaultsHelpFormatter)
+parser.add_argument("-H", "--host", type=str,
+                    help="Hostname of gracedb server",
+                    default=default_host)
+parser.add_argument("-U", "--urlpath", type=str,
+                    help="Path to gracedb server Shibboleth status page",
+                    default=default_urlpath)
+parser.add_argument("-T", "--timeout", type=int,
+                    help="Maximum time (in sec.) to allow connecting to server",
+                    default=default_timeout)
+parser.add_argument("-F", "--feeds", type=str,
+                    help=("Comma-separated list of metadata feeds to check"
+                    "for the presence of"), default=",".join(
+                    default_metadata_feeds))
+args = parser.parse_args()
+host = "http://" + args.host
+urlpath = args.urlpath
+timeout = args.timeout
+metadata_feeds = args.feeds.split(",")
+
+# Get XML data from URL.
+host_url = host + "/" + urlpath
+try:
+    response = urlopen(host_url, timeout=timeout)
+except URLError:
+    print("Error opening Shibboleth status page (" + host_url + ").")
+    sys.exit(2)
+except:
+    print("Unknown error opening Shibboleth status page (" + host_url + ").")
+    sys.exit(3)
+
+# Convert from string to ElementTree
+try:
+    status_tree = ET.fromstring(response.read())
+except ET.ParseError:
+    # Error parsing response.
+    print("Error parsing response from server - not in XML format.")
+    sys.exit(2)
+except:
+    # Error that is not ParseError.
+    print("Unknown error occurred when parsing response from server.")
+    sys.exit(3)
+response.close()
+
+# Process XML. ----------------------------
+# Check 1: find <Status> and <SessionCache> tags, make sure
+# they both contain an <OK/> child.
+for tag in tags_to_check:
+    status_tag = status_tree.find(tag)
+    if (status_tag is None):
+        print("Error: tag \'" +  tag + "\' not found.")
+        sys.exit(2)
+    else:
+        status_OK = status_tag.find('OK')
+        if (status_OK is None):
+            print("Error: tag \'" + tag + "\' is not OK.")
+            sys.exit(2)
+
+# Check 2: make sure metadata feeds that we expect
+# are actually there.
+metaprov_tags = status_tree.findall("MetadataProvider")
+srcs = [element.attrib['source'] for element in metaprov_tags]
+for feed in metadata_feeds:
+    feed_found = [src.lower().find(feed) >= 0 for src in srcs]
+    if (sum(feed_found) < 1):
+        print("MetadataProvider " + feed + " not found.")
+        sys.exit(2)
+    elif (sum(feed_found) < 1):
+        print("MetadataProvider " + feed + "found in multiple elements.")
+        sys.exit(2)
+
+# If we make it to this point, everything is OK.
+print("All MetadataProviders found. Status and SessionCache are OK.")
+sys.exit(0)

docker/cleanup

+#!/bin/sh
+
+python3 /app/gracedb_project/manage.py update_user_accounts_from_ligo_ldap kagra
+python3 /app/gracedb_project/manage.py update_user_accounts_from_ligo_ldap ligo
+python3 /app/gracedb_project/manage.py update_user_accounts_from_ligo_ldap robots
+python3 /app/gracedb_project/manage.py update_catalog_managers_group
+python3 /app/gracedb_project/manage.py remove_inactive_alerts
+python3 /app/gracedb_project/manage.py clearsessions 2>&1 | grep -v segment
+python3 /app/gracedb_project/manage.py remove_old_mdc_public_perms
+PGPASSWORD=$DJANGO_DB_PASSWORD psql -h $DJANGO_DB_HOST -U $DJANGO_DB_USER -c "VACUUM VERBOSE ANALYZE;" $DJANGO_DB_NAME

docker/entrypoint

+#!/bin/bash
+
+export LVALERT_OVERSEER_RESOURCE=${LVALERT_USER}_overseer_$(python3  -c 'import uuid; print(uuid.uuid4().hex)')
+
+# Change the file permissions and ownership on /app/db_data:
+chown gracedb:www-data /app/db_data
+chmod 755 /app/db_data
+
+## PGA: 2019-10-15: use certs from secrets for Shibboleth SP
+SHIB_SP_CERT=/run/secrets/saml_certificate
+SHIB_SP_KEY=/run/secrets/saml_private_key
+if [[ -f $SHIB_SP_CERT && -f $SHIB_SP_KEY ]]
+then
+        echo "Using Shibboleth Cert from docker secrets over the image one"
+        cp -f $SHIB_SP_CERT /etc/shibboleth/sp-cert.pem
+        cp -f $SHIB_SP_KEY /etc/shibboleth/sp-key.pem
+        chown _shibd:_shibd /etc/shibboleth/sp-{cert,key}.pem
+        chmod 0600 /etc/shibboleth/sp-key.pem
+fi
+
+## PGA 2019-10-16: use secrets for sensitive environment variables
+LIST="aws_ses_access_key_id
+  aws_ses_secret_access_key
+  django_db_password
+  django_secret_key
+  django_twilio_account_sid
+  django_twilio_auth_token
+  lvalert_password
+  igwn_alert_password
+  gracedb_ldap_keytab
+  egad_url
+  egad_api_key
+  django_sentry_dsn"
+
+for SECRET in $LIST
+do
+        VARNAME=$( tr [:lower:] [:upper:] <<<$SECRET)
+        [  -f /run/secrets/$SECRET ] && export $VARNAME="$(< /run/secrets/$SECRET)"
+done
+
+# get x509 cert for ldap access from environment variable. 
+echo "${GRACEDB_LDAP_KEYTAB}" | base64 -d | install -m 0600 /dev/stdin keytab
+kinit ldap/gracedb.ligo.org@LIGO.ORG -k -t keytab
+
+exec "$@"
+

docker/inc-md-cert.pem

+-----BEGIN CERTIFICATE-----
+MIIDgTCCAmmgAwIBAgIJAJRJzvdpkmNaMA0GCSqGSIb3DQEBCwUAMFcxCzAJBgNV
+BAYTAlVTMRUwEwYDVQQKDAxJbkNvbW1vbiBMTEMxMTAvBgNVBAMMKEluQ29tbW9u
+IEZlZGVyYXRpb24gTWV0YWRhdGEgU2lnbmluZyBLZXkwHhcNMTMxMjE2MTkzNDU1
+WhcNMzcxMjE4MTkzNDU1WjBXMQswCQYDVQQGEwJVUzEVMBMGA1UECgwMSW5Db21t
+b24gTExDMTEwLwYDVQQDDChJbkNvbW1vbiBGZWRlcmF0aW9uIE1ldGFkYXRhIFNp
+Z25pbmcgS2V5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0Chdkrn+
+dG5Zj5L3UIw+xeWgNzm8ajw7/FyqRQ1SjD4Lfg2WCdlfjOrYGNnVZMCTfItoXTSp
+g4rXxHQsykeNiYRu2+02uMS+1pnBqWjzdPJE0od+q8EbdvE6ShimjyNn0yQfGyQK
+CNdYuc+75MIHsaIOAEtDZUST9Sd4oeU1zRjV2sGvUd+JFHveUAhRc0b+JEZfIEuq
+/LIU9qxm/+gFaawlmojZPyOWZ1JlswbrrJYYyn10qgnJvjh9gZWXKjmPxqvHKJcA
+TPhAh2gWGabWTXBJCckMe1hrHCl/vbDLCmz0/oYuoaSDzP6zE9YSA/xCplaHA0mo
+C1Vs2H5MOQGlewIDAQABo1AwTjAdBgNVHQ4EFgQU5ij9YLU5zQ6K75kPgVpyQ2N/
+lPswHwYDVR0jBBgwFoAU5ij9YLU5zQ6K75kPgVpyQ2N/lPswDAYDVR0TBAUwAwEB
+/zANBgkqhkiG9w0BAQsFAAOCAQEAaQkEx9xvaLUt0PNLvHMtxXQPedCPw5xQBd2V
+WOsWPYspRAOSNbU1VloY+xUkUKorYTogKUY1q+uh2gDIEazW0uZZaQvWPp8xdxWq
+Dh96n5US06lszEc+Lj3dqdxWkXRRqEbjhBFh/utXaeyeSOtaX65GwD5svDHnJBcl
+AGkzeRIXqxmYG+I2zMm/JYGzEnbwToyC7yF6Q8cQxOr37hEpqz+WN/x3qM2qyBLE
+CQFjmlJrvRLkSL15PCZiu+xFNFd/zx6btDun5DBlfDS9DG+SHCNH6Nq+NfP+ZQ8C
+GzP/3TaZPzMlKPDCjp0XOQfyQqFIXdwjPFTWjEusDBlm4qJAlQ==
+-----END CERTIFICATE-----

docker/login.ligo.org.cert.LIGOCA.pem

+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 40 (0x28)
+        Signature Algorithm: sha1WithRSAEncryption
+        Issuer: DC=org, DC=ligo, O=LIGO, OU=Certificate Authorities, OU=Web Services, CN=LIGO CA 1
+        Validity
+            Not Before: Dec 20 19:42:07 2010 GMT
+            Not After : Dec 19 19:42:07 2020 GMT
+        Subject: DC=org, DC=ligo, O=LIGO, OU=Web Services, CN=login.ligo.org
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+            RSA Public Key: (2048 bit)
+                Modulus (2048 bit):
+                    00:dc:4c:a7:a0:cd:c3:7e:af:94:57:cc:c6:e7:fe:
+                    3d:0b:e2:28:f2:b6:39:fd:0e:46:d8:a9:4a:39:8e:
+                    bb:f3:47:e1:3b:0d:4b:a4:9c:72:a8:16:29:d9:ba:
+                    ef:75:71:8d:4b:36:b2:68:0e:94:b8:20:dc:b1:d3:
+                    3c:f4:a5:c5:f4:76:1c:f1:59:34:7d:5a:cc:14:41:
+                    89:7a:e3:27:8e:4f:7c:d1:e8:a2:52:d0:4e:a0:97:
+                    6d:46:bf:7b:44:99:40:1a:5f:3d:40:1b:54:a7:27:
+                    f4:38:cb:f0:e4:b7:9d:d2:28:b6:3b:b3:ce:f5:ba:
+                    fb:e8:3e:16:62:0f:c3:de:da:f5:a7:b3:29:85:7a:
+                    de:74:00:4d:37:76:71:d5:6c:ed:fb:15:5f:ad:50:
+                    da:25:28:d8:cf:f1:b0:5a:9b:e2:82:72:32:42:fe:
+                    36:84:b4:de:7f:67:14:45:c1:7e:e3:2b:5c:0c:ae:
+                    bb:36:1f:b3:01:03:df:8a:8c:10:36:ea:2a:2c:54:
+                    f0:fd:6b:13:20:f7:20:aa:35:c8:bf:6b:5b:7a:ca:
+                    31:be:b1:5f:1d:13:c5:5c:7d:ab:1b:e7:c3:a1:9b:
+                    1b:74:75:8e:cf:ec:61:c3:95:84:2f:23:0e:35:76:
+                    ef:ef:bc:d6:ab:30:3d:c2:de:1d:21:ec:f1:43:2c:
+                    24:c5
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: critical
+                CA:FALSE
+            X509v3 Key Usage: critical
+                Digital Signature, Key Encipherment, Data Encipherment
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication, TLS Web Client Authentication
+            X509v3 Certificate Policies: 
+                Policy: 1.3.6.1.4.1.32070.2.1.2.1
+
+            X509v3 CRL Distribution Points: 
+                URI:http://ca.ligo.org/541404c3/541404c3.crl
+
+            X509v3 Authority Key Identifier: 
+                keyid:52:6E:DD:7B:AA:6F:85:5C:08:22:D3:97:9F:AD:7F:23:56:1E:6A:D1
+
+            X509v3 Subject Alternative Name: 
+                DNS:login.ligo.org:scott.koranda@ligo.org
+    Signature Algorithm: sha1WithRSAEncryption
+        1e:4b:cb:44:4c:35:7e:0b:19:85:07:b2:82:10:50:04:84:80:
+        c2:84:8d:ab:0d:5c:fb:b8:68:c6:0d:b9:83:a4:02:be:8e:0a:
+        4b:e6:da:45:f2:19:d0:69:da:d0:c5:e7:30:46:03:05:43:e1:
+        84:94:92:f9:03:d0:dd:31:ec:18:ad:c9:77:3a:14:8e:12:9f:
+        2a:ab:1a:5f:8a:eb:3d:ac:9d:c8:ce:74:e2:72:0c:de:1c:6d:
+        54:67:2d:b9:c9:ac:4d:c1:96:1c:00:92:ac:89:d9:81:c8:83:
+        9a:73:75:14:91:cf:9b:4f:bf:a3:41:2e:36:42:e6:ec:11:bc:
+        5c:07:0c:43:ad:bb:9e:fa:b4:1d:0f:d5:f9:00:70:78:e4:be:
+        dc:3d:84:fe:fa:17:43:c1:d6:01:7e:8f:0b:b7:9a:08:ff:0c:
+        be:cf:d0:cd:a4:1e:77:b9:86:80:e2:b1:e2:1c:9a:68:97:a3:
+        96:06:06:59:19:ad:ca:17:8f:50:f1:44:fa:69:bf:04:06:9b:
+        f3:2c:24:75:c4:79:69:9a:dc:be:3e:25:8e:83:a6:b8:75:91:
+        9b:86:5f:85:9b:ae:d9:1d:07:97:ec:b1:08:51:93:53:7a:f1:
+        64:e3:5d:a1:73:e1:95:42:e2:b2:38:7b:d5:56:f4:f2:15:84:
+        d9:e8:72:98
+-----BEGIN CERTIFICATE-----
+MIIEVzCCAz+gAwIBAgIBKDANBgkqhkiG9w0BAQUFADCBhzETMBEGCgmSJomT8ixk
+ARkWA29yZzEUMBIGCgmSJomT8ixkARkWBGxpZ28xDTALBgNVBAoTBExJR08xIDAe
+BgNVBAsTF0NlcnRpZmljYXRlIEF1dGhvcml0aWVzMRUwEwYDVQQLEwxXZWIgU2Vy
+dmljZXMxEjAQBgNVBAMTCUxJR08gQ0EgMTAeFw0xMDEyMjAxOTQyMDdaFw0yMDEy
+MTkxOTQyMDdaMGoxEzARBgoJkiaJk/IsZAEZFgNvcmcxFDASBgoJkiaJk/IsZAEZ
+FgRsaWdvMQ0wCwYDVQQKEwRMSUdPMRUwEwYDVQQLEwxXZWIgU2VydmljZXMxFzAV
+BgNVBAMTDmxvZ2luLmxpZ28ub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEA3EynoM3Dfq+UV8zG5/49C+Io8rY5/Q5G2KlKOY6780fhOw1LpJxyqBYp
+2brvdXGNSzayaA6UuCDcsdM89KXF9HYc8Vk0fVrMFEGJeuMnjk980eiiUtBOoJdt
+Rr97RJlAGl89QBtUpyf0OMvw5Led0ii2O7PO9br76D4WYg/D3tr1p7MphXredABN
+N3Zx1Wzt+xVfrVDaJSjYz/GwWpvignIyQv42hLTef2cURcF+4ytcDK67Nh+zAQPf
+iowQNuoqLFTw/WsTIPcgqjXIv2tbesoxvrFfHRPFXH2rG+fDoZsbdHWOz+xhw5WE
+LyMONXbv77zWqzA9wt4dIezxQywkxQIDAQABo4HpMIHmMAwGA1UdEwEB/wQCMAAw
+DgYDVR0PAQH/BAQDAgSwMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAZ
+BgNVHSAEEjAQMA4GDCsGAQQBgfpGAgECATA5BgNVHR8EMjAwMC6gLKAqhihodHRw
+Oi8vY2EubGlnby5vcmcvNTQxNDA0YzMvNTQxNDA0YzMuY3JsMB8GA1UdIwQYMBaA
+FFJu3Xuqb4VcCCLTl5+tfyNWHmrRMDAGA1UdEQQpMCeCJWxvZ2luLmxpZ28ub3Jn
+OnNjb3R0LmtvcmFuZGFAbGlnby5vcmcwDQYJKoZIhvcNAQEFBQADggEBAB5Ly0RM
+NX4LGYUHsoIQUASEgMKEjasNXPu4aMYNuYOkAr6OCkvm2kXyGdBp2tDF5zBGAwVD
+4YSUkvkD0N0x7BityXc6FI4SnyqrGl+K6z2sncjOdOJyDN4cbVRnLbnJrE3BlhwA
+kqyJ2YHIg5pzdRSRz5tPv6NBLjZC5uwRvFwHDEOtu576tB0P1fkAcHjkvtw9hP76
+F0PB1gF+jwu3mgj/DL7P0M2kHne5hoDiseIcmmiXo5YGBlkZrcoXj1DxRPppvwQG
+m/MsJHXEeWma3L4+JY6Dprh1kZuGX4WbrtkdB5fssQhRk1N68WTjXaFz4ZVC4rI4
+e9VW9PIVhNnocpg=
+-----END CERTIFICATE-----