def main():
    """Bootstrap this container: render the Gluu config files, then place the
    certificates and keystores the Java services expect under ``/etc/certs``.

    ``GLUU_PERSISTENCE_TYPE`` (default ``"ldap"``) selects which persistence
    property files and truststores are generated; ``"hybrid"`` produces both
    the LDAP and Couchbase sets plus a hybrid properties file.  The HTTPS and
    oxd certificates are imported into the JVM system truststore, the
    passport keystore is pulled from the secrets backend, and finally the
    Casa configuration is applied.
    """
    backend = os.environ.get("GLUU_PERSISTENCE_TYPE", "ldap")
    use_ldap = backend in ("ldap", "hybrid")
    use_couchbase = backend in ("couchbase", "hybrid")

    # JVM system truststore; "changeit" is the stock cacerts password.
    jvm_cacerts = "/usr/lib/jvm/default-jvm/jre/lib/security/cacerts"
    jvm_cacerts_password = "changeit"
    https_cert = "/etc/certs/gluu_https.crt"

    render_salt(manager, "/app/templates/salt.tmpl", "/etc/gluu/conf/salt")
    render_gluu_properties("/app/templates/gluu.properties.tmpl", "/etc/gluu/conf/gluu.properties")

    if use_ldap:
        render_ldap_properties(
            manager,
            "/app/templates/gluu-ldap.properties.tmpl",
            "/etc/gluu/conf/gluu-ldap.properties",
        )
        sync_ldap_truststore(manager)

    if use_couchbase:
        render_couchbase_properties(
            manager,
            "/app/templates/gluu-couchbase.properties.tmpl",
            "/etc/gluu/conf/gluu-couchbase.properties",
        )
        sync_couchbase_truststore(manager)

    if backend == "hybrid":
        render_hybrid_properties("/etc/gluu/conf/gluu-hybrid.properties")

    # The HTTPS cert is only materialised once; an already-present file
    # (e.g. from a mounted volume) is left untouched.
    if not os.path.isfile(https_cert):
        from_secrets = as_boolean(os.environ.get("GLUU_SSL_CERT_FROM_SECRETS", False))
        if from_secrets:
            manager.secret.to_file("ssl_cert", https_cert)
        else:
            # NOTE(review): this path retrieves whatever certificate the
            # configured hostname serves on :443 and the import below pins it
            # into the JVM truststore (trust-on-first-use).  If DNS or the
            # network can be tampered with during bootstrap, prefer
            # GLUU_SSL_CERT_FROM_SECRETS so the cert comes from the secrets
            # backend instead.
            get_server_certificate(manager.config.get("hostname"), 443, https_cert)

    # NOTE(review): cert_to_truststore returns a (out, err, code) tuple (see
    # its test); the exit code is not checked here, so a failed import would
    # only surface later as TLS errors in the Java services.
    cert_to_truststore("gluu_https", https_cert, jvm_cacerts, jvm_cacerts_password)

    get_oxd_cert()
    cert_to_truststore("gluu_oxd", "/etc/certs/oxd.crt", jvm_cacerts, jvm_cacerts_password)

    modify_jetty_xml()
    modify_webdefault_xml()

    # The keystore is stored base64-encoded in the secrets backend; decode it
    # and write the raw binary JKS.  It carries private key material -- the
    # file mode applied by to_file is not visible here; confirm it is not
    # world-readable.
    manager.secret.to_file(
        "passport_rp_jks_base64",
        "/etc/certs/passport-rp.jks",
        decode=True,
        binary_mode=True,
    )

    casa = CasaConfig(manager)
    casa.setup()
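def sync_couchbase_truststore(manager, dest: str = "") -> tuple:
    """Import the Couchbase server certificate into a Java truststore.

    The PEM certificate is read from the path given by the
    ``GLUU_COUCHBASE_CERT_FILE`` environment variable (default
    ``/etc/certs/couchbase.crt``) and imported under the alias
    ``gluu_couchbase`` into ``dest``, protected by the module-level
    ``GLUU_COUCHBASE_TRUSTSTORE_PASSWORD``.

    :param manager: An instance of :class:`~pygluu.containerlib.manager._Manager`.
    :param dest: Absolute path of the truststore to write.  When empty, the
        ``couchbaseTrustStoreFn`` config value is used instead.
    :returns: The 3-tuple returned by :func:`cert_to_truststore`; its last
        element is the import exit code (``0`` on success).  Callers that
        previously ignored the ``None`` result are unaffected, but can now
        detect a failed import instead of discovering it later as a TLS
        error against Couchbase.
    """
    cert_file = os.environ.get("GLUU_COUCHBASE_CERT_FILE",
                               "/etc/certs/couchbase.crt")
    # An explicit destination wins; otherwise fall back to the configured path.
    dest = dest or manager.config.get("couchbaseTrustStoreFn")
    return cert_to_truststore(
        "gluu_couchbase",
        cert_file,
        dest,
        GLUU_COUCHBASE_TRUSTSTORE_PASSWORD,
    )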
def test_cert_to_truststore(tmpdir):
    """Importing a throw-away certificate into a fresh JKS must exit with 0.

    The PEM below is a test fixture only: it carries no private key and is
    used purely to drive the keytool import path.  NOTE(review): its
    validity window (readable from the DER) ended in May 2021; the import
    currently tolerates that, but if ``cert_to_truststore`` ever starts
    validating expiry this test will need a fresh fixture.
    """
    from pygluu.containerlib.utils import cert_to_truststore

    workdir = tmpdir.mkdir("pygluu")
    truststore = workdir.join("gluu.jks")
    pem = workdir.join("gluu.crt")

    dummy_cert = """-----BEGIN CERTIFICATE-----
MIIEGDCCAgCgAwIBAgIRANslKJCe/whYi01rkUOAxh0wDQYJKoZIhvcNAQELBQAw
DTELMAkGA1UEAxMCQ0EwHhcNMTkxMTI1MDQwOTQ4WhcNMjEwNTI1MDQwOTE4WjAP
MQ0wCwYDVQQDEwRnbHV1MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
05TqppxdpSP9vzQP42YFPM79K3TdOFmsCJLMnKRkeR994MGra6JQ75/+vYmKXJaU
Bo3/VieU2pGaAsXI7MqNfXQcKSwAoGU03xqoBUS8INIYX+Cr7q8jFp1q2VLqpNlt
zWZQsee2TUIsa7MzJ5UK7QnaqK4uadl9XHlkRdXC5APecJoRJK4K1UZ59TyiMisz
Dqf+DrmCaJpIPph4Ro9TZMdoE9CX2mFz6Q+ItaSXvyNqUabip7iIwFf3Mu1pal98
AogsfKcfvu+ki93slrJ6jiDIi5B+D0gbA4E03ncgdfQ8Vs55BZbI0N5uEypfI0ky
LQ6201p4bRRXX4LKooObCwIDAQABo3EwbzAOBgNVHQ8BAf8EBAMCA7gwHQYDVR0l
BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBROCOakMthTjAwM7MTP
RnkvLRHMOjAfBgNVHSMEGDAWgBTeSnpdqVZhjCRnCKJFfwiGwnVCvTANBgkqhkiG
9w0BAQsFAAOCAgEAjBOt4xgsiW3BN/ZZ6DehrdmRZRrezwhBWwUrnY9ajmwv0Trs
4sd8EP7RuJsGS5gdUy/qzogSEhUyMz4+iRy/OW9bdzOFe+WDU6Xh9Be/C2Dv9osa
5dsG+Q9/EM9Z2LqKB5/uJJi5xgXdYwRXATDsBdNI8LxQQz0RdCZIJlpqsDEd1qbH
8YX/4cnknuL/7NsqLvn5iZvQcYFA/mfsN8zN52StuRONf1RKdQ3rwT7KehGi7aUa
IWwLEnzLmeZFLUWBl6h2uUMOUe1J8Di176K3SP5pCeb8+gQd5b2ra/IutN7lpISD
7YSStLNCCT33sjbximvX0ur/VipQQO1B/dz9Ua1kPPKV/blTXCiKNf+PpepaFBIp
jIb/dBIq9pLPBWtGz4tCNQIORDBpQjfPpSNH3lEjTyWUOttJYkss6LHAnnQ8COyk
IsbroXkmDKy86qHKlUc7L4REBykLDL7Olm4yQC8Zg46PaG5ymfYVuHd+tC7IZj8H
FRnpMhUJ4+bn+h0kxS4agwb2uCSO4Ge7edViq6ZFZnnfOG6zsz3VJRV71Zw2CQAL
0MxrbeozSHyNrbT2uAGyV85pNJmwZVlBfyKywMWsG3HcoKAhxg//IqNv0pi48Ey9
2xLnWTK3GxoBMh3mpjub+jf6OYDwmh0eBxm+PRMVAe3QB1eG/GGKgEwaTrc=
-----END CERTIFICATE-----"""
    pem.write(dummy_cert)

    # cert_to_truststore reports (stdout, stderr, exit code); only the exit
    # code matters for this test.
    stdout, stderr, retcode = cert_to_truststore(
        "gluu_https",
        str(pem),
        str(truststore),
        "secret",
    )
    assert retcode == 0
        )
        sync_couchbase_truststore(manager)

    if persistence_type == "hybrid":
        render_hybrid_properties("/etc/gluu/conf/gluu-hybrid.properties")

    if not os.path.isfile("/etc/certs/gluu_https.crt"):
        if as_boolean(os.environ.get("GLUU_SSL_CERT_FROM_SECRETS", False)):
            manager.secret.to_file("ssl_cert", "/etc/certs/gluu_https.crt")
        else:
            get_server_certificate(manager.config.get("hostname"), 443,
                                   "/etc/certs/gluu_https.crt")

    cert_to_truststore(
        "gluu_https",
        "/etc/certs/gluu_https.crt",
        "/usr/lib/jvm/default-jvm/jre/lib/security/cacerts",
        "changeit",
    )

    if not os.path.isfile("/etc/certs/shibIDP.crt"):
        manager.secret.to_file("shibIDP_cert",
                               "/etc/certs/shibIDP.crt",
                               decode=True)

    if not os.path.isfile("/etc/certs/shibIDP.key"):
        manager.secret.to_file("shibIDP_key",
                               "/etc/certs/shibIDP.key",
                               decode=True)

    if not os.path.isfile("/etc/certs/idp-signing.crt"):
        manager.secret.to_file("idp3SigningCertificateText",
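def _write_decoded_jwks(manager, secret_name, dest):
    """Base64-decode the secret ``secret_name`` and write it to ``dest`` as text.

    The client JWKS documents live base64-encoded in the secrets backend.
    ``base64.b64decode`` yields ``bytes`` while ``dest`` is opened in text
    mode, so the payload is decoded to ``str`` first -- writing the raw
    ``bytes`` to a text-mode file raises ``TypeError`` on Python 3, which is
    the bug this helper fixes.

    :param manager: An instance of :class:`~pygluu.containerlib.manager._Manager`.
    :param secret_name: Key of the base64-encoded JWKS in the secrets backend.
    :param dest: Path of the JWKS file to write.
    """
    payload = base64.b64decode(manager.secret.get(secret_name)).decode()
    with open(dest, "w") as f:
        f.write(payload)


def main():
    """Bootstrap this container: render the Gluu config files, then place the
    certificates, keystores and JWKS documents the Java services expect.

    ``GLUU_PERSISTENCE_TYPE`` (default ``"ldap"``) selects which persistence
    property files and truststores are generated; ``"hybrid"`` produces both
    the LDAP and Couchbase sets plus a hybrid properties file.  The HTTPS
    certificate is imported into the JVM system truststore, the IDP signing
    certificate and the passport/API/SCIM keystores are pulled from the
    secrets backend, and the Jetty descriptors are patched last.
    """
    persistence_type = os.environ.get("GLUU_PERSISTENCE_TYPE", "ldap")

    render_salt(manager, "/app/templates/salt.tmpl", "/etc/gluu/conf/salt")
    render_gluu_properties("/app/templates/gluu.properties.tmpl",
                           "/etc/gluu/conf/gluu.properties")

    if persistence_type in ("ldap", "hybrid"):
        render_ldap_properties(
            manager,
            "/app/templates/gluu-ldap.properties.tmpl",
            "/etc/gluu/conf/gluu-ldap.properties",
        )
        sync_ldap_truststore(manager)

    if persistence_type in ("couchbase", "hybrid"):
        render_couchbase_properties(
            manager,
            "/app/templates/gluu-couchbase.properties.tmpl",
            "/etc/gluu/conf/gluu-couchbase.properties",
        )
        # need to resolve whether we're using default or user-defined couchbase cert
        sync_couchbase_cert(manager)
        sync_couchbase_truststore(manager)

    if persistence_type == "hybrid":
        render_hybrid_properties("/etc/gluu/conf/gluu-hybrid.properties")

    # The HTTPS cert is only fetched once; an already-present file is kept.
    if not os.path.isfile("/etc/certs/gluu_https.crt"):
        # NOTE(review): this retrieves whatever certificate <hostname>:443
        # serves and the import below pins it into the JVM truststore
        # (trust-on-first-use).  A spoofed host during bootstrap would become
        # trusted by every Java service in this container; unlike the sibling
        # containers there is no GLUU_SSL_CERT_FROM_SECRETS path here to
        # source the cert from the secrets backend instead.
        get_server_certificate(manager.config.get("hostname"), 443,
                               "/etc/certs/gluu_https.crt")

    # "changeit" is the stock password of the JVM cacerts file.  The exit code
    # of the import is not checked; a failure would only surface later as
    # TLS errors in the Java services.
    cert_to_truststore(
        "gluu_https",
        "/etc/certs/gluu_https.crt",
        "/usr/lib/jvm/default-jvm/jre/lib/security/cacerts",
        "changeit",
    )

    if not os.path.isfile("/etc/certs/idp-signing.crt"):
        manager.secret.to_file("idp3SigningCertificateText",
                               "/etc/certs/idp-signing.crt")

    # Keystores are stored base64-encoded; decode and write the raw binary JKS.
    # They hold private key material -- the file mode to_file applies is not
    # visible here; confirm the resulting files are not world-readable.
    manager.secret.to_file("passport_rp_jks_base64",
                           "/etc/certs/passport-rp.jks",
                           decode=True,
                           binary_mode=True)

    # (keystore secret, keystore path, JWKS secret, config key of the JWKS path),
    # written in the same order as before.
    client_keys = (
        ("api_rp_jks_base64", "/etc/certs/api-rp.jks",
         "api_rp_client_base64_jwks", "api_rp_client_jwks_fn"),
        ("api_rs_jks_base64", "/etc/certs/api-rs.jks",
         "api_rs_client_base64_jwks", "api_rs_client_jwks_fn"),
        ("scim_rs_jks_base64", "/etc/certs/scim-rs.jks",
         "scim_rs_client_base64_jwks", "scim_rs_client_jwks_fn"),
        ("scim_rp_jks_base64", "/etc/certs/scim-rp.jks",
         "scim_rp_client_base64_jwks", "scim_rp_client_jwks_fn"),
    )
    for jks_secret, jks_path, jwks_secret, jwks_fn_key in client_keys:
        manager.secret.to_file(jks_secret, jks_path,
                               decode=True, binary_mode=True)
        _write_decoded_jwks(manager, jwks_secret,
                            manager.config.get(jwks_fn_key))

    modify_jetty_xml()
    modify_webdefault_xml()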
def main():
    """Bootstrap this container: render the Gluu config files, then place the
    certificates, keystores and JWKS documents the Java services expect.

    ``GLUU_PERSISTENCE_TYPE`` (default ``"ldap"``) selects which persistence
    property files and truststores are generated; ``"hybrid"`` produces both
    the LDAP and Couchbase sets plus a hybrid properties file.  The HTTPS
    certificate is imported into the JVM system truststore; the IDP signing
    certificate, the passport/API keystores and their JWKS documents are
    pulled from the secrets backend.  The oxAuth signing keystore is only
    written when ``GLUU_SYNC_JKS_ENABLED`` is off, and certificates are
    finally synced from WebDAV.
    """
    backend = os.environ.get("GLUU_PERSISTENCE_TYPE", "ldap")
    use_ldap = backend in ("ldap", "hybrid")
    use_couchbase = backend in ("couchbase", "hybrid")

    # JVM system truststore; "changeit" is the stock cacerts password.
    jvm_cacerts = "/usr/lib/jvm/default-jvm/jre/lib/security/cacerts"
    jvm_cacerts_password = "changeit"
    https_cert = "/etc/certs/gluu_https.crt"

    def pull_keystore(secret_name, dest):
        # Keystores are base64-encoded in the secrets backend; write the raw
        # binary JKS.  They hold private keys -- to_file's file mode is not
        # visible here; confirm the result is not world-readable.
        manager.secret.to_file(secret_name, dest, decode=True, binary_mode=True)

    def pull_json_document(secret_name, dest):
        # Base64-encoded JSON (JWKS) -> text file; decode to str before writing.
        document = base64.b64decode(manager.secret.get(secret_name)).decode()
        with open(dest, "w") as fh:
            fh.write(document)

    render_salt(manager, "/app/templates/salt.tmpl", "/etc/gluu/conf/salt")
    render_gluu_properties("/app/templates/gluu.properties.tmpl",
                           "/etc/gluu/conf/gluu.properties")

    if use_ldap:
        render_ldap_properties(
            manager,
            "/app/templates/gluu-ldap.properties.tmpl",
            "/etc/gluu/conf/gluu-ldap.properties",
        )
        sync_ldap_truststore(manager)

    if use_couchbase:
        render_couchbase_properties(
            manager,
            "/app/templates/gluu-couchbase.properties.tmpl",
            "/etc/gluu/conf/gluu-couchbase.properties",
        )
        # need to resolve whether we're using default or user-defined couchbase cert
        # sync_couchbase_cert(manager)
        sync_couchbase_truststore(manager)

    if backend == "hybrid":
        render_hybrid_properties("/etc/gluu/conf/gluu-hybrid.properties")

    # The HTTPS cert is only materialised once; an existing file is kept.
    if not os.path.isfile(https_cert):
        from_secrets = as_boolean(os.environ.get("GLUU_SSL_CERT_FROM_SECRETS", False))
        if from_secrets:
            manager.secret.to_file("ssl_cert", https_cert)
        else:
            # NOTE(review): this retrieves whatever certificate <hostname>:443
            # serves and the import below pins it into the JVM truststore
            # (trust-on-first-use).  If DNS or the network can be tampered
            # with during bootstrap, prefer GLUU_SSL_CERT_FROM_SECRETS.
            get_server_certificate(manager.config.get("hostname"), 443,
                                   https_cert)

    # The import's exit code is not checked; a failure would only surface
    # later as TLS errors in the Java services.
    cert_to_truststore("gluu_https", https_cert, jvm_cacerts, jvm_cacerts_password)

    if not os.path.isfile("/etc/certs/idp-signing.crt"):
        manager.secret.to_file("idp3SigningCertificateText",
                               "/etc/certs/idp-signing.crt")

    pull_keystore("passport_rp_jks_base64", "/etc/certs/passport-rp.jks")

    pull_keystore("api_rp_jks_base64", "/etc/certs/api-rp.jks")
    pull_json_document("api_rp_client_base64_jwks",
                       manager.config.get("api_rp_client_jwks_fn"))

    pull_keystore("api_rs_jks_base64", "/etc/certs/api-rs.jks")
    pull_json_document("api_rs_client_base64_jwks",
                       manager.config.get("api_rs_client_jwks_fn"))

    # manager.secret.to_file("scim_rs_jks_base64", "/etc/certs/scim-rs.jks",
    #                        decode=True, binary_mode=True)
    # with open(manager.config.get("scim_rs_client_jwks_fn"), "w") as f:
    #     f.write(
    #         base64.b64decode(manager.secret.get("scim_rs_client_base64_jwks")).decode()
    #     )

    # manager.secret.to_file("scim_rp_jks_base64", "/etc/certs/scim-rp.jks",
    #                        decode=True, binary_mode=True)
    # with open(manager.config.get("scim_rp_client_jwks_fn"), "w") as f:
    #     f.write(
    #         base64.b64decode(manager.secret.get("scim_rp_client_base64_jwks")).decode()
    #     )

    modify_jetty_xml()
    modify_webdefault_xml()

    # When JKS syncing is enabled elsewhere, the oxAuth signing keys are not
    # written from the secrets backend here.
    sync_enabled = as_boolean(os.environ.get("GLUU_SYNC_JKS_ENABLED", False))
    if not sync_enabled:
        pull_keystore("oxauth_jks_base64", "/etc/certs/oxauth-keys.jks")
        pull_json_document("oxauth_openid_key_base64",
                           "/etc/certs/oxauth-keys.json")

    certs_from_webdav()