def get_web_cert():
    """Ensure the web TLS certificate is on disk and registered in the JVM truststore.

    When ``/etc/certs/web_https.crt`` is missing it is written from the
    ``ssl_cert`` secret held by the module-level ``manager``; the file is
    then imported under the alias ``web_https`` into the default JVM
    ``cacerts`` store.
    """
    cert_path = "/etc/certs/web_https.crt"
    jvm_truststore = "/usr/lib/jvm/default-jvm/jre/lib/security/cacerts"

    # Only materialise the cert from the secret backend when nobody has
    # already provided one (e.g. a mounted file).
    if not os.path.isfile(cert_path):
        manager.secret.to_file("ssl_cert", cert_path)

    # "changeit" is the stock password shipped with the JVM cacerts store.
    cert_to_truststore("web_https", cert_path, jvm_truststore, "changeit")
def main():
    """Render persistence configuration, install the web TLS cert and patch Jetty.

    ``CN_PERSISTENCE_TYPE`` (default ``ldap``) selects which properties
    templates are rendered and which backend truststores are synced. The
    web certificate is then imported into the JVM ``cacerts`` store and
    the Jetty XML/ini files and logging are adjusted. Relies on the
    module-level ``manager``.
    """
    backend = os.environ.get("CN_PERSISTENCE_TYPE", "ldap")
    uses_ldap = backend in ("ldap", "hybrid")
    uses_couchbase = backend in ("couchbase", "hybrid")

    render_salt(manager, "/app/templates/salt.tmpl", "/etc/jans/conf/salt")
    render_base_properties(
        "/app/templates/jans.properties.tmpl",
        "/etc/jans/conf/jans.properties",
    )

    if uses_ldap:
        render_ldap_properties(
            manager,
            "/app/templates/jans-ldap.properties.tmpl",
            "/etc/jans/conf/jans-ldap.properties",
        )
        sync_ldap_truststore(manager)

    if uses_couchbase:
        render_couchbase_properties(
            manager,
            "/app/templates/jans-couchbase.properties.tmpl",
            "/etc/jans/conf/jans-couchbase.properties",
        )
        sync_couchbase_truststore(manager)

    # The remaining backends are mutually exclusive, so a single chain suffices.
    if backend == "hybrid":
        render_hybrid_properties("/etc/jans/conf/jans-hybrid.properties")
    elif backend == "sql":
        render_sql_properties(
            manager,
            "/app/templates/jans-sql.properties.tmpl",
            "/etc/jans/conf/jans-sql.properties",
        )
    elif backend == "spanner":
        render_spanner_properties(
            manager,
            "/app/templates/jans-spanner.properties.tmpl",
            "/etc/jans/conf/jans-spanner.properties",
        )

    web_cert = "/etc/certs/web_https.crt"
    if not os.path.isfile(web_cert):
        manager.secret.to_file("ssl_cert", web_cert)

    # "changeit" is the stock password shipped with the JVM cacerts store.
    cert_to_truststore(
        "web_https",
        web_cert,
        "/usr/lib/jvm/default-jvm/jre/lib/security/cacerts",
        "changeit",
    )

    modify_jetty_xml()
    modify_webdefault_xml()
    modify_server_ini()
    configure_logging()
def sync_couchbase_truststore(manager, dest: str = "/etc/certs/couchbase.pkcs12") -> None:
    """Import the Couchbase certificate into the Couchbase truststore file.

    The certificate is read from ``CN_COUCHBASE_CERT_FILE`` (default
    ``/etc/certs/couchbase.crt``) and imported under the alias ``couchbase``
    into the truststore at *dest*, protected by
    ``CN_COUCHBASE_TRUSTSTORE_PASSWORD``.

    :param manager: An instance of :class:`~jans.pycloudlib.manager._Manager`.
    :param dest: Absolute path of the truststore to write. Only an explicitly
        falsy value (``""``/``None``) falls back to the ``couchbaseTrustStoreFn``
        config entry, since the default is already a non-empty path.
    """
    couchbase_cert = os.environ.get("CN_COUCHBASE_CERT_FILE", "/etc/certs/couchbase.crt")
    truststore = dest if dest else manager.config.get("couchbaseTrustStoreFn")
    cert_to_truststore(
        "couchbase",
        couchbase_cert,
        truststore,
        CN_COUCHBASE_TRUSTSTORE_PASSWORD,
    )
    def import_token_server_cert(self):
        """Import the token server certificate into the default JVM ``cacerts`` store.

        The certificate path comes from ``CN_TOKEN_SERVER_CERT_FILE`` (default
        ``/etc/certs/token_server.crt``); when no such file exists it is first
        written from the ``ssl_cert`` secret via ``self.manager``.
        """
        default_path = "/etc/certs/token_server.crt"
        cert_path = os.environ.get("CN_TOKEN_SERVER_CERT_FILE", default_path)

        # Prefer a pre-provisioned file; fall back to the secret backend.
        if not os.path.isfile(cert_path):
            self.manager.secret.to_file("ssl_cert", cert_path)

        # "changeit" is the stock password shipped with the JVM cacerts store.
        jvm_truststore = "/usr/lib/jvm/default-jvm/jre/lib/security/cacerts"
        cert_to_truststore("token_server", cert_path, jvm_truststore, "changeit")
def test_cert_to_truststore(tmpdir):
    """Importing a throw-away PEM into a fresh keystore must return exit code 0."""
    from jans.pycloudlib.utils import cert_to_truststore

    workdir = tmpdir.mkdir("jans")
    keystore = workdir.join("jans.jks")
    pem_file = workdir.join("jans.crt")

    # Self-contained dummy certificate; only the import's exit status is checked.
    dummy_pem = """-----BEGIN CERTIFICATE-----
MIIEGDCCAgCgAwIBAgIRANslKJCe/whYi01rkUOAxh0wDQYJKoZIhvcNAQELBQAw
DTELMAkGA1UEAxMCQ0EwHhcNMTkxMTI1MDQwOTQ4WhcNMjEwNTI1MDQwOTE4WjAP
MQ0wCwYDVQQDEwRnbHV1MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
05TqppxdpSP9vzQP42YFPM79K3TdOFmsCJLMnKRkeR994MGra6JQ75/+vYmKXJaU
Bo3/VieU2pGaAsXI7MqNfXQcKSwAoGU03xqoBUS8INIYX+Cr7q8jFp1q2VLqpNlt
zWZQsee2TUIsa7MzJ5UK7QnaqK4uadl9XHlkRdXC5APecJoRJK4K1UZ59TyiMisz
Dqf+DrmCaJpIPph4Ro9TZMdoE9CX2mFz6Q+ItaSXvyNqUabip7iIwFf3Mu1pal98
AogsfKcfvu+ki93slrJ6jiDIi5B+D0gbA4E03ncgdfQ8Vs55BZbI0N5uEypfI0ky
LQ6201p4bRRXX4LKooObCwIDAQABo3EwbzAOBgNVHQ8BAf8EBAMCA7gwHQYDVR0l
BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBROCOakMthTjAwM7MTP
RnkvLRHMOjAfBgNVHSMEGDAWgBTeSnpdqVZhjCRnCKJFfwiGwnVCvTANBgkqhkiG
9w0BAQsFAAOCAgEAjBOt4xgsiW3BN/ZZ6DehrdmRZRrezwhBWwUrnY9ajmwv0Trs
4sd8EP7RuJsGS5gdUy/qzogSEhUyMz4+iRy/OW9bdzOFe+WDU6Xh9Be/C2Dv9osa
5dsG+Q9/EM9Z2LqKB5/uJJi5xgXdYwRXATDsBdNI8LxQQz0RdCZIJlpqsDEd1qbH
8YX/4cnknuL/7NsqLvn5iZvQcYFA/mfsN8zN52StuRONf1RKdQ3rwT7KehGi7aUa
IWwLEnzLmeZFLUWBl6h2uUMOUe1J8Di176K3SP5pCeb8+gQd5b2ra/IutN7lpISD
7YSStLNCCT33sjbximvX0ur/VipQQO1B/dz9Ua1kPPKV/blTXCiKNf+PpepaFBIp
jIb/dBIq9pLPBWtGz4tCNQIORDBpQjfPpSNH3lEjTyWUOttJYkss6LHAnnQ8COyk
IsbroXkmDKy86qHKlUc7L4REBykLDL7Olm4yQC8Zg46PaG5ymfYVuHd+tC7IZj8H
FRnpMhUJ4+bn+h0kxS4agwb2uCSO4Ge7edViq6ZFZnnfOG6zsz3VJRV71Zw2CQAL
0MxrbeozSHyNrbT2uAGyV85pNJmwZVlBfyKywMWsG3HcoKAhxg//IqNv0pi48Ey9
2xLnWTK3GxoBMh3mpjub+jf6OYDwmh0eBxm+PRMVAe3QB1eG/GGKgEwaTrc=
-----END CERTIFICATE-----"""
    pem_file.write(dummy_pem)

    _, _, retcode = cert_to_truststore(
        "jans_https",
        str(pem_file),
        str(keystore),
        "secret",
    )
    assert retcode == 0
def _read_pin_file(pin_path):
    """Return the stripped contents of *pin_path*, or ``""`` when the file is absent."""
    passphrase = ""
    # A missing pin file simply means the key is not passphrase-protected.
    with suppress(FileNotFoundError), open(pin_path) as fh:
        passphrase = fh.read().strip()
    return passphrase


def _setup_open_banking(manager, ext_jwks_uri):
    """Install the Open Banking certs/keystores and return the signing JKS path.

    The TLS certificate presented by the host named in *ext_jwks_uri* is
    fetched and imported into the JVM ``cacerts`` store together with the
    external signing certificate; the ``ob-ext-signing`` keystore is then
    generated and, when a transport certificate is present on disk, the
    ``ob-transport`` keystore as well.

    :param manager: Provides ``config.get("hostname")`` and the
        ``auth_openid_jks_pass`` secret used to protect the keystores.
    :param ext_jwks_uri: Non-empty value of ``CN_OB_EXT_SIGNING_JWKS_URI``.
    """
    jvm_truststore = "/usr/lib/jvm/default-jvm/jre/lib/security/cacerts"

    # External signing cert and key: used for the PKCS12 and JKS keystore.
    ext_cert = "/etc/certs/ob-ext-signing.crt"
    ext_key = "/etc/certs/ob-ext-signing.key"
    ext_key_pin = "/etc/certs/ob-ext-signing.pin"
    ext_alias = os.environ.get("CN_OB_EXT_SIGNING_ALIAS", "OpenBanking")

    # Transport cert and key: used for the PKCS12 file.
    transport_cert = "/etc/certs/ob-transport.crt"
    transport_key = "/etc/certs/ob-transport.key"
    transport_pin = "/etc/certs/ob-transport.pin"
    transport_alias = os.environ.get("CN_OB_AS_TRANSPORT_ALIAS",
                                     "OpenBankingAsTransport")

    parsed = urlparse(ext_jwks_uri)
    # ``hostname`` rather than ``netloc``: netloc may carry a ``host:port`` suffix.
    jwks_host = parsed.hostname
    # Explicit port from the URI, else HTTPS default.
    jwks_port = parsed.port or 443

    # NOTE(review): the certificate is taken live from the JWKS host and then
    # trusted system-wide; no independent check of that certificate is visible
    # here — confirm this trust-on-first-use behaviour is intended.
    get_server_certificate(jwks_host, jwks_port, "/etc/certs/obextjwksuri.crt")

    # "changeit" is the stock password shipped with the JVM cacerts store.
    cert_to_truststore(
        "OpenBankingJwksUri",
        "/etc/certs/obextjwksuri.crt",
        jvm_truststore,
        "changeit",
    )
    cert_to_truststore(ext_alias, ext_cert, jvm_truststore, "changeit")

    generate_keystore(
        "ob-ext-signing",
        manager.config.get("hostname"),
        manager.secret.get("auth_openid_jks_pass"),
        jks_fn="/etc/certs/ob-ext-signing.jks",
        in_key=ext_key,
        in_cert=ext_cert,
        alias=ext_alias,
        in_passwd=_read_pin_file(ext_key_pin),
    )

    if os.path.isfile(transport_cert):
        cert_to_truststore(transport_alias, transport_cert, jvm_truststore, "changeit")
        generate_keystore(
            "ob-transport",
            manager.config.get("hostname"),
            manager.secret.get("auth_openid_jks_pass"),
            jks_fn="/etc/certs/ob-transport.jks",
            in_key=transport_key,
            in_cert=transport_cert,
            alias=transport_alias,
            in_passwd=_read_pin_file(transport_pin),
        )

    return "/etc/certs/ob-ext-signing.jks"


def _install_default_auth_keys(manager):
    """Write the auth-server JKS and key JSON from secrets; return ``(jks_path, jwks_uri)``."""
    jks_path = "/etc/certs/auth-keys.jks"
    manager.secret.to_file(
        "auth_jks_base64",
        jks_path,
        decode=True,
        binary_mode=True,
    )

    # NOTE(review): ``auth_openid_key_base64`` presumably holds private key
    # material; the file is created with the process umask — confirm the
    # resulting permissions are appropriately restrictive.
    with open("/etc/certs/auth-keys.json", "w") as fh:
        fh.write(
            base64.b64decode(
                manager.secret.get("auth_openid_key_base64")).decode())

    jwks_uri = f"https://{manager.config.get('hostname')}/jans-auth/restv1/jwks"
    return jks_path, jwks_uri


def main():
    """Configure persistence, web cert, Jetty and the auth keystore.

    ``CN_PERSISTENCE_TYPE`` (default ``ldap``) selects which properties
    templates are rendered and which backend truststores are synced. After
    the web certificate is imported into the JVM ``cacerts`` store and the
    Jetty files patched, ``CN_OB_EXT_SIGNING_JWKS_URI`` decides whether the
    Open Banking keystores are generated or the default auth keys are
    written from secrets; the chosen keystore path and JWKS URI are then
    applied via ``modify_keystore_path``. Relies on the module-level
    ``manager``.
    """
    backend = os.environ.get("CN_PERSISTENCE_TYPE", "ldap")
    uses_ldap = backend in ("ldap", "hybrid")
    uses_couchbase = backend in ("couchbase", "hybrid")

    render_salt(manager, "/app/templates/salt.tmpl", "/etc/jans/conf/salt")
    render_base_properties(
        "/app/templates/jans.properties.tmpl",
        "/etc/jans/conf/jans.properties",
    )

    if uses_ldap:
        render_ldap_properties(
            manager,
            "/app/templates/jans-ldap.properties.tmpl",
            "/etc/jans/conf/jans-ldap.properties",
        )
        sync_ldap_truststore(manager)

    if uses_couchbase:
        render_couchbase_properties(
            manager,
            "/app/templates/jans-couchbase.properties.tmpl",
            "/etc/jans/conf/jans-couchbase.properties",
        )
        # TODO: resolve whether the default or a user-defined couchbase cert is in use.
        sync_couchbase_truststore(manager)

    # The remaining backends are mutually exclusive, so a single chain suffices.
    if backend == "hybrid":
        render_hybrid_properties("/etc/jans/conf/jans-hybrid.properties")
    elif backend == "sql":
        render_sql_properties(
            manager,
            "/app/templates/jans-sql.properties.tmpl",
            "/etc/jans/conf/jans-sql.properties",
        )
    elif backend == "spanner":
        render_spanner_properties(
            manager,
            "/app/templates/jans-spanner.properties.tmpl",
            "/etc/jans/conf/jans-spanner.properties",
        )

    web_cert = "/etc/certs/web_https.crt"
    if not os.path.isfile(web_cert):
        manager.secret.to_file("ssl_cert", web_cert)

    # "changeit" is the stock password shipped with the JVM cacerts store.
    cert_to_truststore(
        "web_https",
        web_cert,
        "/usr/lib/jvm/default-jvm/jre/lib/security/cacerts",
        "changeit",
    )

    modify_jetty_xml()
    modify_server_ini()
    modify_webdefault_xml()
    configure_logging()

    ext_jwks_uri = os.environ.get("CN_OB_EXT_SIGNING_JWKS_URI", "")
    if ext_jwks_uri:
        keystore_path = _setup_open_banking(manager, ext_jwks_uri)
        jwks_uri = ext_jwks_uri
    else:
        keystore_path, jwks_uri = _install_default_auth_keys(manager)

    # Point the server at the keystore and JWKS URI chosen above.
    modify_keystore_path(manager, keystore_path, jwks_uri)
def main():
    """Bootstrap the container: persistence config, web cert, Jetty files and plugins.

    Obtains a manager via ``get_manager()``, renders the properties files
    selected by ``CN_PERSISTENCE_TYPE`` (default ``ldap``), ensures the web
    TLS cert/key pair exists and imports the cert into the JVM ``cacerts``
    store, patches the Jetty files and logging, then wires up discovered
    plugins (running the admin-ui plugin setup when present).
    """
    manager = get_manager()
    backend = os.environ.get("CN_PERSISTENCE_TYPE", "ldap")
    uses_ldap = backend in ("ldap", "hybrid")
    uses_couchbase = backend in ("couchbase", "hybrid")

    render_salt(manager, "/app/templates/salt.tmpl", "/etc/jans/conf/salt")
    render_base_properties(
        "/app/templates/jans.properties.tmpl",
        "/etc/jans/conf/jans.properties",
    )

    if uses_ldap:
        render_ldap_properties(
            manager,
            "/app/templates/jans-ldap.properties.tmpl",
            "/etc/jans/conf/jans-ldap.properties",
        )
        sync_ldap_truststore(manager)

    if uses_couchbase:
        render_couchbase_properties(
            manager,
            "/app/templates/jans-couchbase.properties.tmpl",
            "/etc/jans/conf/jans-couchbase.properties",
        )
        # TODO: resolve whether the default or a user-defined couchbase cert is in use.
        sync_couchbase_truststore(manager)

    # The remaining backends are mutually exclusive, so a single chain suffices.
    if backend == "hybrid":
        render_hybrid_properties("/etc/jans/conf/jans-hybrid.properties")
    elif backend == "sql":
        render_sql_properties(
            manager,
            "/app/templates/jans-sql.properties.tmpl",
            "/etc/jans/conf/jans-sql.properties",
        )
    elif backend == "spanner":
        render_spanner_properties(
            manager,
            "/app/templates/jans-spanner.properties.tmpl",
            "/etc/jans/conf/jans-spanner.properties",
        )

    web_cert = "/etc/certs/web_https.crt"
    web_key = "/etc/certs/web_https.key"
    has_cert = os.path.isfile(web_cert)
    has_key = os.path.isfile(web_key)
    # Both files are (re)written together when either is missing, presumably
    # so the cert and private key always come from the same secret snapshot.
    if not (has_cert and has_key):
        manager.secret.to_file("ssl_cert", web_cert)
        manager.secret.to_file("ssl_key", web_key)

    # "changeit" is the stock password shipped with the JVM cacerts store.
    cert_to_truststore(
        "web_https",
        web_cert,
        "/usr/lib/jvm/default-jvm/jre/lib/security/cacerts",
        "changeit",
    )

    modify_jetty_xml()
    modify_webdefault_xml()
    modify_server_ini()
    configure_logging()

    plugins = discover_plugins()
    modify_config_api_xml(plugins)

    if "admin-ui" in plugins:
        AdminUiPlugin(manager).setup()