Ejemplo n.º 1
0
def main():
    persistence_type = os.environ.get("GLUU_PERSISTENCE_TYPE", "ldap")

    render_salt(manager, "/app/templates/salt.tmpl", "/etc/gluu/conf/salt")
    render_gluu_properties("/app/templates/gluu.properties.tmpl", "/etc/gluu/conf/gluu.properties")

    if persistence_type in ("ldap", "hybrid"):
        render_ldap_properties(
            manager,
            "/app/templates/gluu-ldap.properties.tmpl",
            "/etc/gluu/conf/gluu-ldap.properties",
        )
        sync_ldap_truststore(manager)

    if persistence_type in ("couchbase", "hybrid"):
        render_couchbase_properties(
            manager,
            "/app/templates/gluu-couchbase.properties.tmpl",
            "/etc/gluu/conf/gluu-couchbase.properties",
        )
        sync_couchbase_truststore(manager)

    if persistence_type == "hybrid":
        render_hybrid_properties("/etc/gluu/conf/gluu-hybrid.properties")

    if not os.path.isfile("/etc/certs/gluu_https.crt"):
        if as_boolean(os.environ.get("GLUU_SSL_CERT_FROM_SECRETS", False)):
            manager.secret.to_file("ssl_cert", "/etc/certs/gluu_https.crt")
        else:
            get_server_certificate(manager.config.get("hostname"), 443, "/etc/certs/gluu_https.crt")

    cert_to_truststore(
        "gluu_https",
        "/etc/certs/gluu_https.crt",
        "/usr/lib/jvm/default-jvm/jre/lib/security/cacerts",
        "changeit",
    )

    get_oxd_cert()
    cert_to_truststore(
        "gluu_oxd",
        "/etc/certs/oxd.crt",
        "/usr/lib/jvm/default-jvm/jre/lib/security/cacerts",
        "changeit",
    )
    modify_jetty_xml()
    modify_webdefault_xml()

    manager.secret.to_file("passport_rp_jks_base64", "/etc/certs/passport-rp.jks",
                           decode=True, binary_mode=True)

    config = CasaConfig(manager)
    config.setup()
def test_get_server_certificate(tmpdir, httpsserver):
    from pygluu.containerlib.utils import get_server_certificate

    host, port = httpsserver.server_address
    filepath = tmpdir.mkdir("pygluu").join("gluu.crt")

    cert = get_server_certificate(host, port, str(filepath))
    assert cert == filepath.read()
Ejemplo n.º 3
0
    if persistence_type in ("couchbase", "hybrid"):
        render_couchbase_properties(
            manager,
            "/app/templates/gluu-couchbase.properties.tmpl",
            "/etc/gluu/conf/gluu-couchbase.properties",
        )
        sync_couchbase_truststore(manager)

    if persistence_type == "hybrid":
        render_hybrid_properties("/etc/gluu/conf/gluu-hybrid.properties")

    if not os.path.isfile("/etc/certs/gluu_https.crt"):
        if as_boolean(os.environ.get("GLUU_SSL_CERT_FROM_SECRETS", False)):
            manager.secret.to_file("ssl_cert", "/etc/certs/gluu_https.crt")
        else:
            get_server_certificate(manager.config.get("hostname"), 443,
                                   "/etc/certs/gluu_https.crt")

    cert_to_truststore(
        "gluu_https",
        "/etc/certs/gluu_https.crt",
        "/usr/lib/jvm/default-jvm/jre/lib/security/cacerts",
        "changeit",
    )

    if not os.path.isfile("/etc/certs/shibIDP.crt"):
        manager.secret.to_file("shibIDP_cert",
                               "/etc/certs/shibIDP.crt",
                               decode=True)

    if not os.path.isfile("/etc/certs/shibIDP.key"):
        manager.secret.to_file("shibIDP_key",
Ejemplo n.º 4
0
def main():
    persistence_type = os.environ.get("GLUU_PERSISTENCE_TYPE", "ldap")

    render_salt(manager, "/app/templates/salt.tmpl", "/etc/gluu/conf/salt")
    render_gluu_properties("/app/templates/gluu.properties.tmpl",
                           "/etc/gluu/conf/gluu.properties")

    if persistence_type in ("ldap", "hybrid"):
        render_ldap_properties(
            manager,
            "/app/templates/gluu-ldap.properties.tmpl",
            "/etc/gluu/conf/gluu-ldap.properties",
        )
        sync_ldap_truststore(manager)

    if persistence_type in ("couchbase", "hybrid"):
        render_couchbase_properties(
            manager,
            "/app/templates/gluu-couchbase.properties.tmpl",
            "/etc/gluu/conf/gluu-couchbase.properties",
        )
        # need to resolve whether we're using default or user-defined couchbase cert
        sync_couchbase_cert(manager)
        sync_couchbase_truststore(manager)

    if persistence_type == "hybrid":
        render_hybrid_properties("/etc/gluu/conf/gluu-hybrid.properties")

    if not os.path.isfile("/etc/certs/gluu_https.crt"):
        get_server_certificate(manager.config.get("hostname"), 443,
                               "/etc/certs/gluu_https.crt")

    cert_to_truststore(
        "gluu_https",
        "/etc/certs/gluu_https.crt",
        "/usr/lib/jvm/default-jvm/jre/lib/security/cacerts",
        "changeit",
    )

    if not os.path.isfile("/etc/certs/idp-signing.crt"):
        manager.secret.to_file("idp3SigningCertificateText",
                               "/etc/certs/idp-signing.crt")

    manager.secret.to_file("passport_rp_jks_base64",
                           "/etc/certs/passport-rp.jks",
                           decode=True,
                           binary_mode=True)

    manager.secret.to_file("api_rp_jks_base64",
                           "/etc/certs/api-rp.jks",
                           decode=True,
                           binary_mode=True)
    with open(manager.config.get("api_rp_client_jwks_fn"), "w") as f:
        f.write(
            base64.b64decode(manager.secret.get("api_rp_client_base64_jwks")))

    manager.secret.to_file("api_rs_jks_base64",
                           "/etc/certs/api-rs.jks",
                           decode=True,
                           binary_mode=True)
    with open(manager.config.get("api_rs_client_jwks_fn"), "w") as f:
        f.write(
            base64.b64decode(manager.secret.get("api_rs_client_base64_jwks")))

    manager.secret.to_file("scim_rs_jks_base64",
                           "/etc/certs/scim-rs.jks",
                           decode=True,
                           binary_mode=True)
    with open(manager.config.get("scim_rs_client_jwks_fn"), "w") as f:
        f.write(
            base64.b64decode(manager.secret.get("scim_rs_client_base64_jwks")))

    manager.secret.to_file("scim_rp_jks_base64",
                           "/etc/certs/scim-rp.jks",
                           decode=True,
                           binary_mode=True)
    with open(manager.config.get("scim_rp_client_jwks_fn"), "w") as f:
        f.write(
            base64.b64decode(manager.secret.get("scim_rp_client_base64_jwks")))

    modify_jetty_xml()
    modify_webdefault_xml()
Ejemplo n.º 5
0
def get_oxd_cert():
    oxd_url = os.environ.get("GLUU_OXD_SERVER_URL", "localhost:8443")
    _, host, port = resolve_oxd_url(oxd_url)

    if not os.path.isfile("/etc/certs/oxd.crt"):
        get_server_certificate(host, port, "/etc/certs/oxd.crt")
    def nginx_ctx(self):
        ssl_cert = "/etc/certs/gluu_https.crt"
        ssl_key = "/etc/certs/gluu_https.key"
        self._set_secret("ssl_cert_pass", get_random_chars())

        # get cert and key (if available) with priorities below:
        #
        # 1. from mounted files
        # 2. from fronted (key file is an empty file)
        # 3. self-generate files

        ssl_cert_exists = os.path.isfile(ssl_cert)
        ssl_key_exists = os.path.isfile(ssl_key)

        logger.info(f"Resolving {ssl_cert} and {ssl_key}")

        # check from mounted files
        if not (ssl_cert_exists and ssl_key_exists):
            # no mounted files, hence download from frontend
            addr = os.environ.get(
                "GLUU_INGRESS_ADDRESS") or self.ctx["config"]["hostname"]
            servername = os.environ.get("GLUU_INGRESS_SERVERNAME") or addr

            logger.warning(
                f"Unable to find mounted {ssl_cert} and {ssl_key}; "
                f"trying to download from {addr}:443 (servername {servername})"
            )
            try:
                # cert will be downloaded into `ssl_cert` path
                get_server_certificate(addr, 443, ssl_cert, servername)
                if not ssl_key_exists:
                    # since cert is downloaded, key must mounted
                    # or generate empty file
                    with open(ssl_key, "w") as f:
                        f.write("")
            except (socket.gaierror, socket.timeout, ConnectionRefusedError,
                    TimeoutError, ConnectionResetError) as exc:
                # address not resolved or timed out
                logger.warning(f"Unable to download cert; reason={exc}")
            finally:
                ssl_cert_exists = os.path.isfile(ssl_cert)
                ssl_key_exists = os.path.isfile(ssl_key)

        # no mounted nor downloaded files, hence we need to create self-generated files
        if not (ssl_cert_exists and ssl_key_exists):
            logger.info(f"Creating self-generated {ssl_cert} and {ssl_key}")
            generate_ssl_certkey(
                "gluu_https",
                self.ctx["secret"]["ssl_cert_pass"],
                self.ctx["config"]["admin_email"],
                self.ctx["config"]["hostname"],
                self.ctx["config"]["orgName"],
                self.ctx["config"]["country_code"],
                self.ctx["config"]["state"],
                self.ctx["config"]["city"],
            )

        with open(ssl_cert) as f:
            self._set_secret("ssl_cert", f.read())

        with open(ssl_key) as f:
            self._set_secret("ssl_key", f.read())
Ejemplo n.º 7
0
def main():
    persistence_type = os.environ.get("GLUU_PERSISTENCE_TYPE", "ldap")

    render_salt(manager, "/app/templates/salt.tmpl", "/etc/gluu/conf/salt")
    render_gluu_properties("/app/templates/gluu.properties.tmpl",
                           "/etc/gluu/conf/gluu.properties")

    if persistence_type in ("ldap", "hybrid"):
        render_ldap_properties(
            manager,
            "/app/templates/gluu-ldap.properties.tmpl",
            "/etc/gluu/conf/gluu-ldap.properties",
        )
        sync_ldap_truststore(manager)

    if persistence_type in ("couchbase", "hybrid"):
        render_couchbase_properties(
            manager,
            "/app/templates/gluu-couchbase.properties.tmpl",
            "/etc/gluu/conf/gluu-couchbase.properties",
        )
        # need to resolve whether we're using default or user-defined couchbase cert
        # sync_couchbase_cert(manager)
        sync_couchbase_truststore(manager)

    if persistence_type == "hybrid":
        render_hybrid_properties("/etc/gluu/conf/gluu-hybrid.properties")

    if not os.path.isfile("/etc/certs/gluu_https.crt"):
        if as_boolean(os.environ.get("GLUU_SSL_CERT_FROM_SECRETS", False)):
            manager.secret.to_file("ssl_cert", "/etc/certs/gluu_https.crt")
        else:
            get_server_certificate(manager.config.get("hostname"), 443,
                                   "/etc/certs/gluu_https.crt")

    cert_to_truststore(
        "gluu_https",
        "/etc/certs/gluu_https.crt",
        "/usr/lib/jvm/default-jvm/jre/lib/security/cacerts",
        "changeit",
    )

    if not os.path.isfile("/etc/certs/idp-signing.crt"):
        manager.secret.to_file("idp3SigningCertificateText",
                               "/etc/certs/idp-signing.crt")

    manager.secret.to_file("passport_rp_jks_base64",
                           "/etc/certs/passport-rp.jks",
                           decode=True,
                           binary_mode=True)

    manager.secret.to_file("api_rp_jks_base64",
                           "/etc/certs/api-rp.jks",
                           decode=True,
                           binary_mode=True)
    with open(manager.config.get("api_rp_client_jwks_fn"), "w") as f:
        f.write(
            base64.b64decode(
                manager.secret.get("api_rp_client_base64_jwks")).decode())

    manager.secret.to_file("api_rs_jks_base64",
                           "/etc/certs/api-rs.jks",
                           decode=True,
                           binary_mode=True)
    with open(manager.config.get("api_rs_client_jwks_fn"), "w") as f:
        f.write(
            base64.b64decode(
                manager.secret.get("api_rs_client_base64_jwks")).decode())

    # manager.secret.to_file("scim_rs_jks_base64", "/etc/certs/scim-rs.jks",
    #                        decode=True, binary_mode=True)
    # with open(manager.config.get("scim_rs_client_jwks_fn"), "w") as f:
    #     f.write(
    #         base64.b64decode(manager.secret.get("scim_rs_client_base64_jwks")).decode()
    #     )

    # manager.secret.to_file("scim_rp_jks_base64", "/etc/certs/scim-rp.jks",
    #                        decode=True, binary_mode=True)
    # with open(manager.config.get("scim_rp_client_jwks_fn"), "w") as f:
    #     f.write(
    #         base64.b64decode(manager.secret.get("scim_rp_client_base64_jwks")).decode()
    #     )

    modify_jetty_xml()
    modify_webdefault_xml()

    sync_enabled = as_boolean(os.environ.get("GLUU_SYNC_JKS_ENABLED", False))
    if not sync_enabled:
        manager.secret.to_file(
            "oxauth_jks_base64",
            "/etc/certs/oxauth-keys.jks",
            decode=True,
            binary_mode=True,
        )
        with open("/etc/certs/oxauth-keys.json", "w") as f:
            f.write(
                base64.b64decode(
                    manager.secret.get("oxauth_openid_key_base64")).decode())

    certs_from_webdav()