def encode_template(fn, ctx, base_dir="/app/templates"): path = os.path.join(base_dir, fn) # ctx is nested which has `config` and `secret` keys data = {} for _, v in ctx.items(): data.update(v) with open(path) as f: return generate_base64_contents(safe_render(f.read(), data))
def merge_passport_ctx(ctx): basedir = '/app/templates/passport' file_mappings = { 'passport_central_config_base64': 'passport-central-config.json', } for key, file_ in file_mappings.iteritems(): file_path = os.path.join(basedir, file_) with open(file_path) as fp: ctx[key] = generate_base64_contents(fp.read() % ctx) return ctx
def merge_oxidp_ctx(ctx): basedir = '/app/templates/oxidp' file_mappings = { 'oxidp_config_base64': 'oxidp-config.json', } for key, file_ in file_mappings.items(): file_path = os.path.join(basedir, file_) with open(file_path) as fp: ctx[key] = generate_base64_contents(fp.read() % ctx) return ctx
def merge_radius_ctx(ctx): basedir = "/app/static/radius" file_mappings = { "super_gluu_ro_session_script": "super_gluu_ro_session.py", "super_gluu_ro_script": "super_gluu_ro.py", } for key, file_ in file_mappings.iteritems(): fn = os.path.join(basedir, file_) with open(fn) as f: ctx[key] = generate_base64_contents(f.read()) return ctx
def merge_fido2_ctx(ctx): basedir = '/app/templates/fido2' file_mappings = { 'fido2_dynamic_conf_base64': 'fido2-dynamic-conf.json', 'fido2_static_conf_base64': 'fido2-static-conf.json', } for key, file_ in file_mappings.items(): file_path = os.path.join(basedir, file_) with open(file_path) as fp: ctx[key] = generate_base64_contents(fp.read() % ctx) return ctx
def merge_oxauth_ctx(ctx): basedir = '/app/templates/oxauth' file_mappings = { 'oxauth_config_base64': 'oxauth-config.json', 'oxauth_static_conf_base64': 'oxauth-static-conf.json', 'oxauth_error_base64': 'oxauth-errors.json', } for key, file_ in file_mappings.iteritems(): file_path = os.path.join(basedir, file_) with open(file_path) as fp: ctx[key] = generate_base64_contents(fp.read() % ctx) return ctx
def merge_oxtrust_ctx(ctx): basedir = '/app/templates/oxtrust' file_mappings = { 'oxtrust_cache_refresh_base64': 'oxtrust-cache-refresh.json', 'oxtrust_config_base64': 'oxtrust-config.json', 'oxtrust_import_person_base64': 'oxtrust-import-person.json', } for key, file_ in file_mappings.iteritems(): file_path = os.path.join(basedir, file_) with open(file_path) as fp: ctx[key] = generate_base64_contents(fp.read() % ctx) return ctx
def merge_extension_ctx(ctx): basedir = "/app/static/extension" for ext_type in os.listdir(basedir): ext_type_dir = os.path.join(basedir, ext_type) for fname in os.listdir(ext_type_dir): filepath = os.path.join(ext_type_dir, fname) ext_name = "{}_{}".format(ext_type, os.path.splitext(fname)[0].lower()) with open(filepath) as fd: ctx[ext_name] = generate_base64_contents(fd.read()) return ctx
def test_generate_base64_contents(text, num_spaces, expected): from pygluu.containerlib.utils import generate_base64_contents assert generate_base64_contents(text, num_spaces) == expected
def rotate(self): if not self.should_rotate(): # logger.info("no need to rotate keys at the moment") return config = self.backend.get_oxauth_config() if not config: # search failed due to missing entry logger.warn("unable to find oxAuth config") return jks_pass = self.manager.secret.get("oxauth_openid_jks_pass") jks_fn = "/etc/certs/oxauth-keys.jks" jwks_fn = "/etc/certs/oxauth-keys.json" jks_dn = r"{}".format( self.manager.config.get("default_openid_jks_dn_name")) ox_rev = int(config["oxRevision"]) try: conf_dynamic = json.loads(config["oxAuthConfDynamic"]) except TypeError: # not string/buffer conf_dynamic = config["oxAuthConfDynamic"] if conf_dynamic["keyRegenerationEnabled"]: logger.warn("keyRegenerationEnabled config was set to true; " "skipping proccess to avoid conflict with " "builtin key rotation feature in oxAuth") return conf_dynamic.update({ "keyRegenerationEnabled": False, # always set to False "keyRegenerationInterval": int(self.rotation_interval), "webKeysStorage": "keystore", "keyStoreSecret": jks_pass, }) # exp_hours = int(self.rotation_interval) + (conf_dynamic["idTokenLifetime"] / 3600) exp_hours = int(self.rotation_interval) # create JKS file; this needs to be pushed out to # config/secret backend and oxauth containers out, err, retcode = generate_openid_keys(jks_pass, jks_fn, jks_dn, exp=exp_hours) if retcode != 0 or err: logger.error("unable to generate keys; reason={}".format(err)) return # create JWKS file; this needs to be pushed out to # config/secret backend and oxauth containers with open(jwks_fn, "w") as f: f.write(out) oxauth_containers = self.meta_client.get_oxauth_containers() if not oxauth_containers: logger.warn("Unable to find any oxAuth container; make sure " "to deploy oxAuth and set APP_NAME=oxauth " "label on container level") return for container in oxauth_containers: name = self.meta_client.get_container_name(container) logger.info( "creating backup of {0}:/etc/certs/oxauth-keys.jks".format( name)) self.meta_client.exec_cmd( container, "cp /etc/certs/oxauth-keys.jks /etc/certs/oxauth-keys.jks.backup" ) logger.info( "creating new {0}:/etc/certs/oxauth-keys.jks".format(name)) self.meta_client.copy_to_container(container, jks_fn) logger.info( "creating backup of {0}:/etc/certs/oxauth-keys.json".format( name)) self.meta_client.exec_cmd( container, "cp /etc/certs/oxauth-keys.json /etc/certs/oxauth-keys.json.backup" ) logger.info( "creating new {0}:/etc/certs/oxauth-keys.json".format(name)) self.meta_client.copy_to_container(container, jwks_fn) try: keys = json.loads(out) # keys = merge_keys(keys, conf_webkeys) logger.info("modifying oxAuth configuration") ox_modified = self.backend.modify_oxauth_config( config["id"], ox_rev + 1, conf_dynamic, keys, ) if not ox_modified: # restore jks and jwks logger.warn("failed to modify oxAuth configuration") for container in oxauth_containers: logger.info( "restoring backup of {0}:/etc/certs/oxauth-keys.jks". format(name)) self.meta_client.exec_cmd( container, "cp /etc/certs/oxauth-keys.jks.backup /etc/certs/oxauth-keys.jks" ) logger.info( "restoring backup of {0}:/etc/certs/oxauth-keys.json". format(name)) self.meta_client.exec_cmd( container, "cp /etc/certs/oxauth-keys.json.backup /etc/certs/oxauth-keys.json" ) return # XXX: save jwks and jks to config and secret for later use? if manager.secret.set("oxauth_jks_base64", encode_jks(jks_fn)): manager.config.set("oxauth_key_rotated_at", int(time.time())) manager.secret.set("oxauth_openid_jks_pass", jks_pass) # jwks manager.secret.set( "oxauth_openid_key_base64", generate_base64_contents(json.dumps(keys)), ) logger.info("keys have been rotated") except (TypeError, ValueError) as exc: logger.warn("unable to get public keys; reason={}".format(exc))