def encode_template(fn, ctx, base_dir="/app/templates"):
path = os.path.join(base_dir, fn)
# ctx is nested which has `config` and `secret` keys
data = {}
for _, v in ctx.items():
data.update(v)
with open(path) as f:
return generate_base64_contents(safe_render(f.read(), data))
def merge_passport_ctx(ctx):
basedir = '/app/templates/passport'
file_mappings = {
'passport_central_config_base64': 'passport-central-config.json',
}
for key, file_ in file_mappings.iteritems():
file_path = os.path.join(basedir, file_)
with open(file_path) as fp:
ctx[key] = generate_base64_contents(fp.read() % ctx)
return ctx
def merge_oxidp_ctx(ctx):
basedir = '/app/templates/oxidp'
file_mappings = {
'oxidp_config_base64': 'oxidp-config.json',
}
for key, file_ in file_mappings.items():
file_path = os.path.join(basedir, file_)
with open(file_path) as fp:
ctx[key] = generate_base64_contents(fp.read() % ctx)
return ctx
def merge_radius_ctx(ctx):
basedir = "/app/static/radius"
file_mappings = {
"super_gluu_ro_session_script": "super_gluu_ro_session.py",
"super_gluu_ro_script": "super_gluu_ro.py",
}
for key, file_ in file_mappings.iteritems():
fn = os.path.join(basedir, file_)
with open(fn) as f:
ctx[key] = generate_base64_contents(f.read())
return ctx
def merge_fido2_ctx(ctx):
basedir = '/app/templates/fido2'
file_mappings = {
'fido2_dynamic_conf_base64': 'fido2-dynamic-conf.json',
'fido2_static_conf_base64': 'fido2-static-conf.json',
}
for key, file_ in file_mappings.items():
file_path = os.path.join(basedir, file_)
with open(file_path) as fp:
ctx[key] = generate_base64_contents(fp.read() % ctx)
return ctx
def merge_oxauth_ctx(ctx):
basedir = '/app/templates/oxauth'
file_mappings = {
'oxauth_config_base64': 'oxauth-config.json',
'oxauth_static_conf_base64': 'oxauth-static-conf.json',
'oxauth_error_base64': 'oxauth-errors.json',
}
for key, file_ in file_mappings.iteritems():
file_path = os.path.join(basedir, file_)
with open(file_path) as fp:
ctx[key] = generate_base64_contents(fp.read() % ctx)
return ctx
def merge_oxtrust_ctx(ctx):
basedir = '/app/templates/oxtrust'
file_mappings = {
'oxtrust_cache_refresh_base64': 'oxtrust-cache-refresh.json',
'oxtrust_config_base64': 'oxtrust-config.json',
'oxtrust_import_person_base64': 'oxtrust-import-person.json',
}
for key, file_ in file_mappings.iteritems():
file_path = os.path.join(basedir, file_)
with open(file_path) as fp:
ctx[key] = generate_base64_contents(fp.read() % ctx)
return ctx
def merge_extension_ctx(ctx):
basedir = "/app/static/extension"
for ext_type in os.listdir(basedir):
ext_type_dir = os.path.join(basedir, ext_type)
for fname in os.listdir(ext_type_dir):
filepath = os.path.join(ext_type_dir, fname)
ext_name = "{}_{}".format(ext_type,
os.path.splitext(fname)[0].lower())
with open(filepath) as fd:
ctx[ext_name] = generate_base64_contents(fd.read())
return ctx
def test_generate_base64_contents(text, num_spaces, expected):
from pygluu.containerlib.utils import generate_base64_contents
assert generate_base64_contents(text, num_spaces) == expected
def rotate(self):
if not self.should_rotate():
# logger.info("no need to rotate keys at the moment")
return
config = self.backend.get_oxauth_config()
if not config:
# search failed due to missing entry
logger.warn("unable to find oxAuth config")
return
jks_pass = self.manager.secret.get("oxauth_openid_jks_pass")
jks_fn = "/etc/certs/oxauth-keys.jks"
jwks_fn = "/etc/certs/oxauth-keys.json"
jks_dn = r"{}".format(
self.manager.config.get("default_openid_jks_dn_name"))
ox_rev = int(config["oxRevision"])
try:
conf_dynamic = json.loads(config["oxAuthConfDynamic"])
except TypeError: # not string/buffer
conf_dynamic = config["oxAuthConfDynamic"]
if conf_dynamic["keyRegenerationEnabled"]:
logger.warn("keyRegenerationEnabled config was set to true; "
"skipping proccess to avoid conflict with "
"builtin key rotation feature in oxAuth")
return
conf_dynamic.update({
"keyRegenerationEnabled":
False, # always set to False
"keyRegenerationInterval":
int(self.rotation_interval),
"webKeysStorage":
"keystore",
"keyStoreSecret":
jks_pass,
})
# exp_hours = int(self.rotation_interval) + (conf_dynamic["idTokenLifetime"] / 3600)
exp_hours = int(self.rotation_interval)
# create JKS file; this needs to be pushed out to
# config/secret backend and oxauth containers
out, err, retcode = generate_openid_keys(jks_pass,
jks_fn,
jks_dn,
exp=exp_hours)
if retcode != 0 or err:
logger.error("unable to generate keys; reason={}".format(err))
return
# create JWKS file; this needs to be pushed out to
# config/secret backend and oxauth containers
with open(jwks_fn, "w") as f:
f.write(out)
oxauth_containers = self.meta_client.get_oxauth_containers()
if not oxauth_containers:
logger.warn("Unable to find any oxAuth container; make sure "
"to deploy oxAuth and set APP_NAME=oxauth "
"label on container level")
return
for container in oxauth_containers:
name = self.meta_client.get_container_name(container)
logger.info(
"creating backup of {0}:/etc/certs/oxauth-keys.jks".format(
name))
self.meta_client.exec_cmd(
container,
"cp /etc/certs/oxauth-keys.jks /etc/certs/oxauth-keys.jks.backup"
)
logger.info(
"creating new {0}:/etc/certs/oxauth-keys.jks".format(name))
self.meta_client.copy_to_container(container, jks_fn)
logger.info(
"creating backup of {0}:/etc/certs/oxauth-keys.json".format(
name))
self.meta_client.exec_cmd(
container,
"cp /etc/certs/oxauth-keys.json /etc/certs/oxauth-keys.json.backup"
)
logger.info(
"creating new {0}:/etc/certs/oxauth-keys.json".format(name))
self.meta_client.copy_to_container(container, jwks_fn)
try:
keys = json.loads(out)
# keys = merge_keys(keys, conf_webkeys)
logger.info("modifying oxAuth configuration")
ox_modified = self.backend.modify_oxauth_config(
config["id"],
ox_rev + 1,
conf_dynamic,
keys,
)
if not ox_modified:
# restore jks and jwks
logger.warn("failed to modify oxAuth configuration")
for container in oxauth_containers:
logger.info(
"restoring backup of {0}:/etc/certs/oxauth-keys.jks".
format(name))
self.meta_client.exec_cmd(
container,
"cp /etc/certs/oxauth-keys.jks.backup /etc/certs/oxauth-keys.jks"
)
logger.info(
"restoring backup of {0}:/etc/certs/oxauth-keys.json".
format(name))
self.meta_client.exec_cmd(
container,
"cp /etc/certs/oxauth-keys.json.backup /etc/certs/oxauth-keys.json"
)
return
# XXX: save jwks and jks to config and secret for later use?
if manager.secret.set("oxauth_jks_base64", encode_jks(jks_fn)):
manager.config.set("oxauth_key_rotated_at", int(time.time()))
manager.secret.set("oxauth_openid_jks_pass", jks_pass)
# jwks
manager.secret.set(
"oxauth_openid_key_base64",
generate_base64_contents(json.dumps(keys)),
)
logger.info("keys have been rotated")
except (TypeError, ValueError) as exc:
logger.warn("unable to get public keys; reason={}".format(exc))
