def passport_sp_ctx(self):
encoded_salt = self.get_secret("encoded_salt")
# passportSpKeyPass = self.set_secret("passportSpKeyPass", get_random_chars()) # noqa: N806
_ = self.set_secret("passportSpKeyPass",
get_random_chars) # noqa: N806
self.set_config("passportSpTLSCACert", '/etc/certs/passport-sp.pem')
passportSpTLSCert = self.set_config(
"passportSpTLSCert", '/etc/certs/passport-sp.crt') # noqa: N806
passportSpTLSKey = self.set_config(
"passportSpTLSKey", '/etc/certs/passport-sp.key') # noqa: N806
self.set_secret("passportSpJksPass", get_random_chars)
self.set_config("passportSpJksFn", '/etc/certs/passport-sp.jks')
generate_ssl_certkey(
"passport-sp",
self.get_config("admin_email"),
self.get_config("hostname"),
self.get_config("orgName"),
self.get_config("country_code"),
self.get_config("state"),
self.get_config("city"),
)
with open(passportSpTLSCert) as f:
self.set_secret(
"passport_sp_cert_base64",
partial(encode_text, f.read(), encoded_salt),
)
with open(passportSpTLSKey) as f:
self.set_secret(
"passport_sp_key_base64",
partial(encode_text, f.read(), encoded_salt),
)
def sync_x509(self):
cert = self.manager.secret.get(f"client_api_{self.type}_cert")
key = self.manager.secret.get(f"client_api_{self.type}_key")
if cert and key:
self.manager.secret.to_file(f"client_api_{self.type}_cert",
self.cert_file)
self.manager.secret.to_file(f"client_api_{self.type}_key",
self.key_file)
else:
generate_ssl_certkey(
f"client_api_{self.type}",
self.manager.config.get("admin_email"),
self.manager.config.get("hostname"),
self.manager.config.get("orgName"),
self.manager.config.get("country_code"),
self.manager.config.get("state"),
self.manager.config.get("city"),
extra_dns=[self.cert_cn],
)
# save cert and key to secrets for later use
self.manager.secret.from_file(f"client_api_{self.type}_cert",
self.cert_file)
self.manager.secret.from_file(f"client_api_{self.type}_key",
self.key_file)
def _patch_cert_key(self, prefix, extra_dns=None):
cert_fn = f"/etc/certs/{prefix}.crt"
key_fn = f"/etc/certs/{prefix}.key"
logger.info(f"Generating new {cert_fn} and {key_fn} files")
generate_ssl_certkey(
prefix,
self.manager.config.get("admin_email"),
self.manager.config.get("hostname"),
self.manager.config.get("orgName"),
self.manager.config.get("country_code"),
self.manager.config.get("state"),
self.manager.config.get("city"),
extra_dns=extra_dns,
)
return cert_fn, key_fn
def regenerate_ldap_certs(extra_dns=None):
suffix = "opendj"
country_code = manager.config.get("country_code")
state = manager.config.get("state")
city = manager.config.get("city")
org_name = manager.config.get("orgName")
domain = manager.config.get("hostname")
email = manager.config.get("admin_email")
cert, key = generate_ssl_certkey(
suffix,
email,
domain,
org_name,
country_code,
state,
city,
extra_dns=extra_dns,
)
with open(f"/etc/certs/{suffix}.pem", "w") as fw:
with open(cert) as fr:
ldap_ssl_cert = fr.read()
with open(key) as fr:
ldap_ssl_key = fr.read()
ldap_ssl_cacert = "".join([ldap_ssl_cert, ldap_ssl_key])
fw.write(ldap_ssl_cacert)
def test_generate_ssl_certkey(tmpdir):
from jans.pycloudlib.utils import generate_ssl_certkey
base_dir = tmpdir.mkdir("certs")
generate_ssl_certkey(
"my-suffix",
"*****@*****.**",
"my.org.local",
"org",
"US",
"TX",
"Austin",
base_dir=str(base_dir),
extra_dns=["custom.org.local"],
extra_ips=["127.0.0.1"],
)
assert os.path.isfile(str(base_dir.join("my-suffix.crt")))
assert os.path.isfile(str(base_dir.join("my-suffix.key")))
def oxshibboleth_ctx(self):
encoded_salt = self.get_secret("encoded_salt")
hostname = self.get_config("hostname")
admin_email = self.get_config("admin_email")
orgName = self.get_config("orgName") # noqa: N806
country_code = self.get_config("country_code")
state = self.get_config("state")
city = self.get_config("city")
self.set_config("idp_client_id", lambda: f"1101.{uuid4()}")
self.set_secret(
"idpClient_encoded_pw",
partial(encode_text, get_random_chars(), encoded_salt),
)
shibJksFn = self.set_config("shibJksFn",
"/etc/certs/shibIDP.jks") # noqa: N806
shibJksPass = self.set_secret("shibJksPass",
get_random_chars) # noqa: N806
self.set_secret(
"encoded_shib_jks_pw",
partial(encode_text, shibJksPass, encoded_salt),
)
generate_ssl_certkey(
"shibIDP",
admin_email,
hostname,
orgName,
country_code,
state,
city,
)
generate_keystore("shibIDP", hostname, shibJksPass)
with open("/etc/certs/shibIDP.crt") as f:
self.set_secret(
"shibIDP_cert",
partial(encode_text, f.read(), encoded_salt),
)
with open("/etc/certs/shibIDP.key") as f:
self.set_secret(
"shibIDP_key",
partial(encode_text, f.read(), encoded_salt),
)
with open(shibJksFn, "rb") as f:
self.set_secret(
"shibIDP_jks_base64",
partial(encode_text, f.read(), encoded_salt),
)
self.set_config("shibboleth_version", "v3")
self.set_config("idp3Folder", "/opt/shibboleth-idp")
idp3_signing_cert = "/etc/certs/idp-signing.crt"
idp3_signing_key = "/etc/certs/idp-signing.key"
generate_ssl_certkey(
"idp-signing",
admin_email,
hostname,
orgName,
country_code,
state,
city,
)
with open(idp3_signing_cert) as f:
self.set_secret("idp3SigningCertificateText", f.read)
with open(idp3_signing_key) as f:
self.set_secret("idp3SigningKeyText", f.read)
idp3_encryption_cert = "/etc/certs/idp-encryption.crt"
idp3_encryption_key = "/etc/certs/idp-encryption.key"
generate_ssl_certkey(
"idp-encryption",
admin_email,
hostname,
orgName,
country_code,
state,
city,
)
with open(idp3_encryption_cert) as f:
self.set_secret("idp3EncryptionCertificateText", f.read)
with open(idp3_encryption_key) as f:
self.set_secret("idp3EncryptionKeyText", f.read)
_, err, code = gen_idp3_key(shibJksPass)
if code != 0:
logger.warninging(
f"Unable to generate Shibboleth sealer; reason={err}")
raise click.Abort()
with open("/etc/certs/sealer.jks", "rb") as f:
self.set_secret(
"sealer_jks_base64",
partial(encode_text, f.read(), encoded_salt),
)
with open("/etc/certs/sealer.kver") as f:
self.set_secret(
"sealer_kver_base64",
partial(encode_text, f.read(), encoded_salt),
)
def ldap_ctx(self):
encoded_salt = self.get_secret("encoded_salt")
# self.set_secret("encoded_ldap_pw", ldap_encode(self.params["admin_pw"]))
self.set_secret(
"encoded_ox_ldap_pw",
partial(encode_text, self.params["ldap_pw"], encoded_salt),
)
self.set_config("ldap_init_host", "localhost")
self.set_config("ldap_init_port", 1636)
self.set_config("ldap_port", 1389)
self.set_config("ldaps_port", 1636)
self.set_config("ldap_binddn", "cn=directory manager")
self.set_config("ldap_site_binddn", "cn=directory manager")
ldap_truststore_pass = self.set_secret("ldap_truststore_pass",
get_random_chars)
self.set_config("ldapTrustStoreFn", "/etc/certs/opendj.pkcs12")
hostname = self.get_config("hostname")
generate_ssl_certkey(
"opendj",
self.get_config("admin_email"),
hostname,
self.get_config("orgName"),
self.get_config("country_code"),
self.get_config("state"),
self.get_config("city"),
extra_dns=["ldap"],
)
with open("/etc/certs/opendj.pem", "w") as fw:
with open("/etc/certs/opendj.crt") as fr:
ldap_ssl_cert = fr.read()
self.set_secret(
"ldap_ssl_cert",
partial(encode_text, ldap_ssl_cert, encoded_salt),
)
with open("/etc/certs/opendj.key") as fr:
ldap_ssl_key = fr.read()
self.set_secret(
"ldap_ssl_key",
partial(encode_text, ldap_ssl_key, encoded_salt),
)
ldap_ssl_cacert = "".join([ldap_ssl_cert, ldap_ssl_key])
fw.write(ldap_ssl_cacert)
self.set_secret(
"ldap_ssl_cacert",
partial(encode_text, ldap_ssl_cacert, encoded_salt),
)
generate_pkcs12("opendj", ldap_truststore_pass, hostname)
with open(self.get_config("ldapTrustStoreFn"), "rb") as fr:
self.set_secret(
"ldap_pkcs12_base64",
partial(encode_text, fr.read(), encoded_salt),
)
self.set_secret(
"encoded_ldapTrustStorePass",
partial(encode_text, ldap_truststore_pass, encoded_salt),
)