def passport_sp_ctx(self): self._set_secret("passportSpKeyPass", get_random_chars()) self._set_config("passportSpTLSCACert", '/etc/certs/passport-sp.pem') self._set_config("passportSpTLSCert", '/etc/certs/passport-sp.crt') self._set_config("passportSpTLSKey", '/etc/certs/passport-sp.key') self._set_secret("passportSpJksPass", get_random_chars()) self._set_config("passportSpJksFn", '/etc/certs/passport-sp.jks') generate_ssl_certkey( "passport-sp", self.ctx["secret"]["passportSpKeyPass"], self.ctx["config"]["admin_email"], self.ctx["config"]["hostname"], self.ctx["config"]["orgName"], self.ctx["config"]["country_code"], self.ctx["config"]["state"], self.ctx["config"]["city"], ) with open(self.ctx["config"]["passportSpTLSCert"]) as f: self._set_secret( "passport_sp_cert_base64", encode_text(f.read(), self.ctx["secret"]["encoded_salt"])) with open(self.ctx["config"]["passportSpTLSKey"]) as f: self._set_secret( "passport_sp_key_base64", encode_text(f.read(), self.ctx["secret"]["encoded_salt"]))
def oxtrust_api_rp_ctx(self): self._set_config("api_rp_client_jks_fn", "/etc/certs/api-rp.jks") self._set_config("api_rp_client_jwks_fn", "/etc/certs/api-rp-keys.json") self._set_secret("api_rp_client_jks_pass", get_random_chars()) self._set_secret( "api_rp_client_jks_pass_encoded", encode_text(self.ctx["secret"]["api_rp_client_jks_pass"], self.ctx["secret"]["encoded_salt"]), ) _, err, retcode = generate_openid_keys( self.ctx["secret"]["api_rp_client_jks_pass"], self.ctx["config"]["api_rp_client_jks_fn"], self.ctx["config"]["api_rp_client_jwks_fn"], self.ctx["config"]["default_openid_jks_dn_name"], ) if retcode != 0: logger.error( "Unable to generate oxTrust API RP keys; reason={}".format( err)) raise click.Abort() basedir, fn = os.path.split( self.ctx["config"]["api_rp_client_jwks_fn"]) self._set_secret("api_rp_client_base64_jwks", encode_template(fn, self.ctx, basedir)) self._set_config("oxtrust_requesting_party_client_id", '1402.{}'.format(uuid.uuid4())) with open(self.ctx["config"]["api_rp_client_jks_fn"], "rb") as fr: self._set_secret( "api_rp_jks_base64", encode_text(fr.read(), self.ctx["secret"]["encoded_salt"]))
def oxauth_ctx(self): self._set_config("oxauth_client_id", "1001.{}".format(uuid.uuid4())) self._set_secret( "oxauthClient_encoded_pw", encode_text(get_random_chars(), self.ctx["secret"]["encoded_salt"]), ) self._set_config("oxauth_openid_jks_fn", "/etc/certs/oxauth-keys.jks") self._set_secret( "oxauth_openid_jks_pass", get_random_chars(), ) self._set_config("oxauth_openid_jwks_fn", "/etc/certs/oxauth-keys.json") self._set_config("oxauth_legacyIdTokenClaims", "false") self._set_config("oxauth_openidScopeBackwardCompatibility", "false") _, err, retcode = generate_openid_keys( self.ctx["secret"]["oxauth_openid_jks_pass"], self.ctx["config"]["oxauth_openid_jks_fn"], self.ctx["config"]["oxauth_openid_jwks_fn"], self.ctx["config"]["default_openid_jks_dn_name"], exp=2, sig_keys="RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512", enc_keys="RSA1_5 RSA-OAEP", ) if retcode != 0: logger.error( "Unable to generate oxAuth keys; reason={}".format(err)) raise click.Abort() basedir, fn = os.path.split( self.ctx["config"]["oxauth_openid_jwks_fn"]) self._set_secret("oxauth_openid_key_base64", encode_template(fn, self.ctx, basedir)) # oxAuth keys self._set_config("oxauth_key_rotated_at", int(time.time())) with open(self.ctx["config"]["oxauth_openid_jks_fn"], "rb") as fr: self._set_secret( "oxauth_jks_base64", encode_text(fr.read(), self.ctx["secret"]["encoded_salt"]), )
def radius_ctx(self): self._set_config("gluu_radius_client_id", '1701.{}'.format(uuid.uuid4())) # self._set_config("ox_radius_client_id", '0008-{}'.format(uuid.uuid4())) self._set_secret( "gluu_ro_encoded_pw", encode_text(get_random_chars(), self.ctx["secret"]["encoded_salt"]), ) radius_jwt_pass = get_random_chars() self._set_secret( "radius_jwt_pass", encode_text(radius_jwt_pass, self.ctx["secret"]["encoded_salt"]), ) out, err, code = generate_openid_keys( radius_jwt_pass, "/etc/certs/gluu-radius.jks", "/etc/certs/gluu-radius.keys", self.ctx["config"]["default_openid_jks_dn_name"], ) if code != 0: logger.error( "Unable to generate Gluu Radius keys; reason={}".format(err)) raise click.Abort() for key in json.loads(out)["keys"]: if key["alg"] == "RS512": self.ctx["config"]["radius_jwt_keyId"] = key["kid"] break with open("/etc/certs/gluu-radius.jks", "rb") as fr: self._set_secret( "radius_jks_base64", encode_text(fr.read(), self.ctx["secret"]["encoded_salt"])) basedir, fn = os.path.split("/etc/certs/gluu-radius.keys") self._set_secret( "gluu_ro_client_base64_jwks", encode_template(fn, self.ctx, basedir), )
def render_repository_xml(): is_cluster = as_boolean(os.environ.get("GLUU_JACKRABBIT_CLUSTER", False)) pg_user = os.environ.get("GLUU_JACKRABBIT_POSTGRES_USER", "postgres") pg_password_file = os.environ.get("GLUU_JACKRABBIT_POSTGRES_PASSWORD_FILE", "/etc/gluu/conf/postgres_password") pg_password = "" with contextlib.suppress(FileNotFoundError): with open(pg_password_file) as f: pg_password = f.read().strip() pg_host = os.environ.get("GLUU_JACKRABBIT_POSTGRES_HOST", "localhost") pg_port = os.environ.get("GLUU_JACKRABBIT_POSTGRES_PORT", "5432") pg_database = os.environ.get("GLUU_JACKRABBIT_POSTGRES_DATABASE", "jackrabbit") # anon_id = "anonymous" # anon_id_file = os.environ.get("GLUU_JACKRABBIT_ANONYMOUS_ID_FILE", "/etc/gluu/conf/jackrabbit_anonymous_id") # with contextlib.suppress(FileNotFoundError): # with open(anon_id_file) as f: # anon_id = f.read().strip() # admin_id = "admin" # admin_id_file = os.environ.get("GLUU_JACKRABBIT_ADMIN_ID_FILE", "/etc/gluu/conf/jackrabbit_admin_id") # with contextlib.suppress(FileNotFoundError): # with open(admin_id_file) as f: # admin_id = f.read().strip() admin_id = os.environ.get("GLUU_JACKRABBIT_ADMIN_ID", "admin") ctx = { "node_name": socket.getfqdn(), "pg_host": pg_host, "pg_port": pg_port, "pg_database": pg_database, "pg_password": base64.b64encode(pg_password.encode()).decode(), "pg_user": pg_user, # "jackrabbit_anonymous_id": anon_id, "jackrabbit_anonymous_id": get_random_chars(), "jackrabbit_admin_id": admin_id, } if is_cluster: src = "/app/templates/repository.cluster.xml.tmpl" else: src = "/app/templates/repository.standalone.xml.tmpl" dest = "/opt/jackrabbit/repository.xml" with open(src) as f: txt = f.read() with open(dest, "w") as f: f.write(safe_render(txt, ctx))
def passport_rs_ctx(self): self._set_config("passport_rs_client_id", "1501.{}".format(uuid.uuid4())) self._set_config("passport_rs_client_jks_fn", "/etc/certs/passport-rs.jks") self._set_config("passport_rs_client_jwks_fn", "/etc/certs/passport-rs-keys.json") self._set_secret("passport_rs_client_jks_pass", get_random_chars()) self._set_secret( "passport_rs_client_jks_pass_encoded", encode_text(self.ctx["secret"]["passport_rs_client_jks_pass"], self.ctx["secret"]["encoded_salt"]), ) out, err, retcode = generate_openid_keys( self.ctx["secret"]["passport_rs_client_jks_pass"], self.ctx["config"]["passport_rs_client_jks_fn"], self.ctx["config"]["passport_rs_client_jwks_fn"], self.ctx["config"]["default_openid_jks_dn_name"], ) if retcode != 0: logger.error( "Unable to generate Passport RS keys; reason={}".format(err)) raise click.Abort() self._set_config("passport_rs_client_cert_alg", "RS512") cert_alias = "" for key in json.loads(out)["keys"]: if key["alg"] == self.ctx["config"]["passport_rs_client_cert_alg"]: cert_alias = key["kid"] break basedir, fn = os.path.split( self.ctx["config"]["passport_rs_client_jwks_fn"]) self._set_secret( "passport_rs_client_base64_jwks", encode_template(fn, self.ctx, basedir), ) self._set_config("passport_rs_client_cert_alias", cert_alias) with open(self.ctx["config"]["passport_rs_client_jks_fn"], "rb") as fr: self._set_secret( "passport_rs_jks_base64", encode_text(fr.read(), self.ctx["secret"]["encoded_salt"])) self._set_config("passport_resource_id", "1504.{}".format(uuid.uuid4())) self._set_config("passport_rs_client_cert_alias", cert_alias)
def base_ctx(self): self._set_secret("encoded_salt", get_random_chars(24)) self._set_config("orgName", self.params["org_name"]) self._set_config("country_code", self.params["country_code"]) self._set_config("state", self.params["state"]) self._set_config("city", self.params["city"]) self._set_config("hostname", self.params["hostname"]) self._set_config("admin_email", self.params["email"]) self._set_config("default_openid_jks_dn_name", "CN=oxAuth CA Certificates") self._set_secret("pairwiseCalculationKey", get_sys_random_chars(random.randint(20, 30))) self._set_secret("pairwiseCalculationSalt", get_sys_random_chars(random.randint(20, 30))) self._set_config("jetty_base", "/opt/gluu/jetty") self._set_config("fido2ConfigFolder", "/etc/gluu/conf/fido2") self._set_config("admin_inum", "{}".format(uuid.uuid4())) self._set_secret("encoded_oxtrust_admin_password", ldap_encode(self.params["admin_pw"]))
def test_get_random_chars(size): from pygluu.containerlib.utils import get_random_chars assert len(get_random_chars(size)) == size
def couchbase_ctx(self): self._set_config("couchbaseTrustStoreFn", "/etc/certs/couchbase.pkcs12") self._set_secret("couchbase_shib_user_password", get_random_chars())
def scim_client_ctx(self): self._set_config("scim_test_client_id", "0008-{}".format(uuid.uuid4())) self._set_secret("scim_test_client_secret", get_random_chars(24))
def oxshibboleth_ctx(self): self._set_config("idp_client_id", "1101.{}".format(uuid.uuid4())) self._set_secret( "idpClient_encoded_pw", encode_text(get_random_chars(), self.ctx["secret"]["encoded_salt"]), ) self._set_config("shibJksFn", "/etc/certs/shibIDP.jks") self._set_secret("shibJksPass", get_random_chars()) self._set_secret( "encoded_shib_jks_pw", encode_text(self.ctx["secret"]["shibJksPass"], self.ctx["secret"]["encoded_salt"])) generate_ssl_certkey( "shibIDP", self.ctx["secret"]["shibJksPass"], self.ctx["config"]["admin_email"], self.ctx["config"]["hostname"], self.ctx["config"]["orgName"], self.ctx["config"]["country_code"], self.ctx["config"]["state"], self.ctx["config"]["city"], ) generate_keystore("shibIDP", self.ctx["config"]["hostname"], self.ctx["secret"]["shibJksPass"]) with open("/etc/certs/shibIDP.crt") as f: self._set_secret( "shibIDP_cert", encode_text(f.read(), self.ctx["secret"]["encoded_salt"])) with open("/etc/certs/shibIDP.key") as f: self._set_secret( "shibIDP_key", encode_text(f.read(), self.ctx["secret"]["encoded_salt"])) with open(self.ctx["config"]["shibJksFn"], "rb") as f: self._set_secret( "shibIDP_jks_base64", encode_text(f.read(), self.ctx["secret"]["encoded_salt"])) self._set_config("shibboleth_version", "v3") self._set_config("idp3Folder", "/opt/shibboleth-idp") idp3_signing_cert = "/etc/certs/idp-signing.crt" idp3_signing_key = "/etc/certs/idp-signing.key" generate_ssl_certkey( "idp-signing", self.ctx["secret"]["shibJksPass"], self.ctx["config"]["admin_email"], self.ctx["config"]["hostname"], self.ctx["config"]["orgName"], self.ctx["config"]["country_code"], self.ctx["config"]["state"], self.ctx["config"]["city"], ) with open(idp3_signing_cert) as f: self._set_secret("idp3SigningCertificateText", f.read()) with open(idp3_signing_key) as f: self._set_secret("idp3SigningKeyText", f.read()) idp3_encryption_cert = "/etc/certs/idp-encryption.crt" idp3_encryption_key = "/etc/certs/idp-encryption.key" generate_ssl_certkey( "idp-encryption", self.ctx["secret"]["shibJksPass"], self.ctx["config"]["admin_email"], self.ctx["config"]["hostname"], self.ctx["config"]["orgName"], self.ctx["config"]["country_code"], self.ctx["config"]["state"], self.ctx["config"]["city"], ) with open(idp3_encryption_cert) as f: self._set_secret("idp3EncryptionCertificateText", f.read()) with open(idp3_encryption_key) as f: self._set_secret("idp3EncryptionKeyText", f.read()) _, err, code = gen_idp3_key(self.ctx["secret"]["shibJksPass"]) if code != 0: logger.warninging( f"Unable to generate Shibboleth sealer; reason={err}") raise click.Abort() with open("/etc/certs/sealer.jks", "rb") as f: self._set_secret( "sealer_jks_base64", encode_text(f.read(), self.ctx["secret"]["encoded_salt"])) with open("/etc/certs/sealer.kver") as f: self._set_secret( "sealer_kver_base64", encode_text(f.read(), self.ctx["secret"]["encoded_salt"]))
def nginx_ctx(self): ssl_cert = "/etc/certs/gluu_https.crt" ssl_key = "/etc/certs/gluu_https.key" self._set_secret("ssl_cert_pass", get_random_chars()) # get cert and key (if available) with priorities below: # # 1. from mounted files # 2. from fronted (key file is an empty file) # 3. self-generate files ssl_cert_exists = os.path.isfile(ssl_cert) ssl_key_exists = os.path.isfile(ssl_key) logger.info(f"Resolving {ssl_cert} and {ssl_key}") # check from mounted files if not (ssl_cert_exists and ssl_key_exists): # no mounted files, hence download from frontend addr = os.environ.get( "GLUU_INGRESS_ADDRESS") or self.ctx["config"]["hostname"] servername = os.environ.get("GLUU_INGRESS_SERVERNAME") or addr logger.warning( f"Unable to find mounted {ssl_cert} and {ssl_key}; " f"trying to download from {addr}:443 (servername {servername})" ) try: # cert will be downloaded into `ssl_cert` path get_server_certificate(addr, 443, ssl_cert, servername) if not ssl_key_exists: # since cert is downloaded, key must mounted # or generate empty file with open(ssl_key, "w") as f: f.write("") except (socket.gaierror, socket.timeout, ConnectionRefusedError, TimeoutError, ConnectionResetError) as exc: # address not resolved or timed out logger.warning(f"Unable to download cert; reason={exc}") finally: ssl_cert_exists = os.path.isfile(ssl_cert) ssl_key_exists = os.path.isfile(ssl_key) # no mounted nor downloaded files, hence we need to create self-generated files if not (ssl_cert_exists and ssl_key_exists): logger.info(f"Creating self-generated {ssl_cert} and {ssl_key}") generate_ssl_certkey( "gluu_https", self.ctx["secret"]["ssl_cert_pass"], self.ctx["config"]["admin_email"], self.ctx["config"]["hostname"], self.ctx["config"]["orgName"], self.ctx["config"]["country_code"], self.ctx["config"]["state"], self.ctx["config"]["city"], ) with open(ssl_cert) as f: self._set_secret("ssl_cert", f.read()) with open(ssl_key) as f: self._set_secret("ssl_key", f.read())
def ldap_ctx(self): # self._set_secret("encoded_ldap_pw", ldap_encode(self.params["admin_pw"])) self._set_secret( "encoded_ox_ldap_pw", encode_text(self.params["ldap_pw"], self.ctx["secret"]["encoded_salt"]), ) self._set_config("ldap_init_host", "localhost") self._set_config("ldap_init_port", 1636) self._set_config("ldap_port", 1389) self._set_config("ldaps_port", 1636) self._set_config("ldap_binddn", "cn=directory manager") self._set_config("ldap_site_binddn", "cn=directory manager") self._set_secret("ldap_truststore_pass", get_random_chars()) self._set_config("ldapTrustStoreFn", "/etc/certs/opendj.pkcs12") generate_ssl_certkey( "opendj", self.ctx["secret"]["ldap_truststore_pass"], self.ctx["config"]["admin_email"], self.ctx["config"]["hostname"], self.ctx["config"]["orgName"], self.ctx["config"]["country_code"], self.ctx["config"]["state"], self.ctx["config"]["city"], ) with open("/etc/certs/opendj.pem", "w") as fw: with open("/etc/certs/opendj.crt") as fr: ldap_ssl_cert = fr.read() self._set_secret( "ldap_ssl_cert", encode_text(ldap_ssl_cert, self.ctx["secret"]["encoded_salt"]), ) with open("/etc/certs/opendj.key") as fr: ldap_ssl_key = fr.read() self._set_secret( "ldap_ssl_key", encode_text(ldap_ssl_key, self.ctx["secret"]["encoded_salt"]), ) ldap_ssl_cacert = "".join([ldap_ssl_cert, ldap_ssl_key]) fw.write(ldap_ssl_cacert) self._set_secret( "ldap_ssl_cacert", encode_text(ldap_ssl_cacert, self.ctx["secret"]["encoded_salt"]), ) generate_pkcs12( "opendj", self.ctx["secret"]["ldap_truststore_pass"], self.ctx["config"]["hostname"], ) with open(self.ctx["config"]["ldapTrustStoreFn"], "rb") as fr: self._set_secret( "ldap_pkcs12_base64", encode_text(fr.read(), self.ctx["secret"]["encoded_salt"]), ) self._set_secret( "encoded_ldapTrustStorePass", encode_text(self.ctx["secret"]["ldap_truststore_pass"], self.ctx["secret"]["encoded_salt"]), )