Example #1
0
    def generate_configuration(self):
        self.logIt("Generating {} configuration".format(self.service_name))
        yml_str = self.readFile(os.path.join(self.source_files[1][0]))
        yml_str = yml_str.replace('\t', ' ')
        cfg_yml = ruamel.yaml.load(yml_str, ruamel.yaml.RoundTripLoader)
        config_scopes = cfg_yml['components']['securitySchemes']['scim_oauth'][
            'flows']['clientCredentials']['scopes']

        scope_ldif_fd = open(self.ldif_scopes_fn, 'wb')
        ldif_scopes_writer = LDIFWriter(scope_ldif_fd, cols=1000)

        scopes_dn = self.create_user_scopes()
        for scope in config_scopes:
            if scope in ('https://jans.io/scim/users.read',
                         'https://jans.io/scim/users.write'):
                continue
            inum = '1200.' + os.urandom(3).hex().upper()
            scope_dn = 'inum={},ou=scopes,o=jans'.format(inum)
            scopes_dn.append(scope_dn)
            display_name = 'Scim {}'.format(os.path.basename(scope))
            ldif_scopes_writer.unparse(
                scope_dn, {
                    'objectclass': ['top', 'jansScope'],
                    'description': [config_scopes[scope]],
                    'displayName': [display_name],
                    'inum': [inum],
                    'jansId': [scope],
                    'jansScopeTyp': ['oauth'],
                })

        scope_ldif_fd.close()

        client_ldif_fd = open(self.ldif_clients_fn, 'wb')
        client_scopes_writer = LDIFWriter(client_ldif_fd, cols=1000)

        self.check_clients([('scim_client_id', '1201.')])

        if not Config.get('scim_client_pw'):
            Config.scim_client_pw = self.getPW()
            Config.scim_client_encoded_pw = self.obscure(Config.scim_client_pw)

        scim_client_dn = 'inum={},ou=clients,o=jans'.format(
            Config.scim_client_id)
        client_scopes_writer.unparse(
            scim_client_dn, {
                'objectClass': ['top', 'jansClnt'],
                'displayName': ['SCIM client'],
                'jansAccessTknSigAlg': ['RS256'],
                'jansAppTyp': ['native'],
                'jansAttrs': ['{}'],
                'jansGrantTyp': ['client_credentials'],
                'jansScope': scopes_dn,
                'jansSubjectTyp': ['pairwise'],
                'jansTknEndpointAuthMethod': ['client_secret_basic'],
                'inum': [Config.scim_client_id],
                'jansClntSecret': [Config.scim_client_encoded_pw]
            })

        client_ldif_fd.close()
Example #2
0
    def create_scope(self, scope, inum_base='0001.'):
        result = self.check_scope(scope['jansId'][0])
        if result:
            return result

        if not os.path.exists(self.output_folder):
            os.makedirs(self.output_folder)

        scope['inum'] = [inum_base + '.' + os.urandom(3).hex().upper()]
        ldif_scope_fn = os.path.join(self.output_folder,
                                     '{}.ldif'.format(scope['inum'][0]))
        scope_ldif_fd = open(ldif_scope_fn, 'wb')
        scope_dn = 'inum={},ou=scopes,o=jans'.format(scope['inum'][0])
        ldif_scopes_writer = LDIFWriter(scope_ldif_fd, cols=1000)
        ldif_scopes_writer.unparse(scope_dn, scope)
        scope_ldif_fd.close()
        self.dbUtils.import_ldif([ldif_scope_fn])
        return scope_dn
Example #3
0
import sys
import os
import json
from collections import OrderedDict
from setup_app.pylib.ldif4.ldif import LDIFWriter

with open(sys.argv[1]) as f:
    data = json.load(f, object_pairs_hook=OrderedDict)

stdout = os.fdopen(sys.stdout.fileno(), "wb", closefd=False)

ldif_writer = LDIFWriter(stdout, cols=10000)
for entry in data:
    dn = entry.pop('dn')
    for e in entry:

        if isinstance(entry[e], dict):
            ne = []
            for v in entry[e]['v']:
                ne.append(v)
            entry[e] = ne
        else:
            entry[e] = [str(entry[e])]
    entry['objectClass'].insert(0, 'top')
    ldif_writer.unparse(dn, entry)

stdout.flush()
Example #4
0
    def generate_configuration(self):

        try:
            config_api_swagger_yaml_fn = os.path.join(
                Config.install_dir,
                'setup_app/data/jans-config-api-swagger.yaml')
            yml_str = self.readFile(config_api_swagger_yaml_fn)
            yml_str = yml_str.replace('\t', ' ')
            cfg_yml = ruamel.yaml.load(yml_str, ruamel.yaml.RoundTripLoader)
            scopes_def = cfg_yml['components']['securitySchemes']['jans-auth'][
                'flows']['clientCredentials']['scopes']
            scope_type = cfg_yml['components']['securitySchemes']['jans-auth'][
                'type']
        except:
            scopes_def = {}
            scope_type = 'oauth2'

        self.check_clients([('jca_client_id', '1801.')])

        if not Config.get('jca_client_pw'):
            Config.jca_client_pw = self.getPW()
            Config.jca_client_encoded_pw = self.obscure(Config.jca_client_pw)

        scopes = ''
        scope_ldif_fd = open(self.scope_ldif_fn, 'wb')
        ldif_scopes_writer = LDIFWriter(scope_ldif_fd, cols=1000)
        scopes = {}
        jansUmaScopes_all = []

        for scope in scopes_def:

            jansUmaScopes = []

            if Config.installed_instance and self.dbUtils.search(
                    'ou=scopes,o=jans',
                    search_filter='(&(jansId={})(objectClass=jansScope))'.
                    format(scope)):
                continue

            if not scope in scopes:
                inum = '1800.' + os.urandom(3).hex().upper()
                scope_dn = 'inum={},ou=scopes,o=jans'.format(inum)
                scopes[scope] = {'dn': scope_dn}
                display_name = 'Config API scope {}'.format(scope)
                ldif_scopes_writer.unparse(
                    scope_dn, {
                        'objectclass': ['top', 'jansScope'],
                        'description': [scopes_def[scope]],
                        'displayName': [display_name],
                        'inum': [inum],
                        'jansDefScope': ['false'],
                        'jansId': [scope],
                        'jansScopeTyp': [scope_type],
                        'jansAttrs': [
                            json.dumps({
                                "spontaneousClientId": None,
                                "spontaneousClientScopes": [],
                                "showInConfigurationEndpoint": False
                            })
                        ],
                    })

                jansUmaScopes.append(scopes[scope]['dn'])
                jansUmaScopes_all.append(scopes[scope]['dn'])

        scope_ldif_fd.close()

        createClient = True
        config_api_dn = 'inum={},ou=clients,o=jans'.format(
            Config.jca_client_id)
        if Config.installed_instance and self.dbUtils.search(
                'ou=clients,o=jans',
                search_filter='(&(inum={})(objectClass=jansClnt))'.format(
                    Config.jca_client_id)):
            createClient = False

        if createClient:
            clients_ldif_fd = open(self.clients_ldif_fn, 'wb')
            ldif_clients_writer = LDIFWriter(clients_ldif_fd, cols=1000)
            ldif_clients_writer.unparse(
                config_api_dn, {
                    'objectClass': ['top', 'jansClnt'],
                    'del': ['false'],
                    'displayName': ['Jans Config Api Client'],
                    'inum': [Config.jca_client_id],
                    'jansAccessTknAsJwt': ['false'],
                    'jansAccessTknSigAlg': ['RS256'],
                    'jansAppTyp': ['web'],
                    'jansAttrs': [
                        '{"tlsClientAuthSubjectDn":"","runIntrospectionScriptBeforeAccessTokenAsJwtCreationAndIncludeClaims":false,"keepClientAuthorizationAfterExpiration":false,"allowSpontaneousScopes":false,"spontaneousScopes":[],"spontaneousScopeScriptDns":[],"backchannelLogoutUri":[],"backchannelLogoutSessionRequired":false,"additionalAudience":[],"postAuthnScripts":[],"consentGatheringScripts":[],"introspectionScripts":[],"rptClaimsScripts":[]}'
                    ],
                    'jansClntSecret': [Config.jca_client_encoded_pw],
                    'jansDisabled': ['false'],
                    'jansGrantTyp': [
                        'authorization_code', 'refresh_token',
                        'client_credentials'
                    ],
                    'jansIdTknSignedRespAlg': ['RS256'],
                    'jansInclClaimsInIdTkn': ['false'],
                    'jansLogoutSessRequired': ['false'],
                    'jansPersistClntAuthzs': ['true'],
                    'jansRequireAuthTime': ['false'],
                    'jansRespTyp': ['code'],
                    'jansRptAsJwt': ['false'],
                    'jansScope':
                    jansUmaScopes_all,
                    'jansSubjectTyp': ['pairwise'],
                    'jansTknEndpointAuthMethod': ['client_secret_basic'],
                    'jansTrustedClnt': ['false'],
                    'jansRedirectURI': [
                        'https://{}/admin-ui'.format(Config.hostname),
                        'http://localhost:4100'
                    ]
                })

            clients_ldif_fd.close()
            self.load_ldif_files.append(self.clients_ldif_fn)
Example #5
0
    def load_test_data(self):
        self.logIt("Re-binding database")
        self.dbUtils.bind(force=True)

        self.logIt("Checking Internet conncetion")
        socket.setdefaulttimeout(3)
        try:
            socket.socket(socket.AF_INET, socket.SOCK_STREAM).connect(
                ("8.8.8.8", 443))
        except:
            self.logIt("Failed to connect 8.8.8.8:443.", True)
            print("Test data loader needs internet connection. Giving up ...")
            return

        if not base.current_app.ScimInstaller.installed():
            self.logIt("Scim was not installed. Installing")
            Config.installScimServer = True
            base.current_app.ScimInstaller.start_installation()

        self.encode_test_passwords()

        self.logIt("Rendering test templates")

        if Config.rdbm_type == 'spanner':
            Config.rdbm_password_enc = ''

        Config.templateRenderingDict[
            'config_oxauth_test_ldap'] = '# Not available'
        Config.templateRenderingDict[
            'config_oxauth_test_couchbase'] = '# Not available'

        config_oxauth_test_properties = self.fomatWithDict(
            'server.name=%(hostname)s\nconfig.oxauth.issuer=http://localhost:80\nconfig.oxauth.contextPath=http://localhost:80\nconfig.oxauth.salt=%(encode_salt)s\nconfig.persistence.type=%(persistence_type)s\n\n',
            self.merge_dicts(Config.__dict__, Config.templateRenderingDict))

        if self.getMappingType('ldap'):
            template_text = self.readFile(
                os.path.join(
                    self.template_base,
                    'jans-auth/server/config-oxauth-test-ldap.properties.nrnd')
            )
            rendered_text = self.fomatWithDict(
                template_text,
                self.merge_dicts(Config.__dict__,
                                 Config.templateRenderingDict))
            config_oxauth_test_properties += '#ldap\n' + rendered_text

        if self.getMappingType('couchbase'):
            couchbaseDict = base.current_app.CouchbaseInstaller.couchbaseDict()
            template_text = self.readFile(
                os.path.join(
                    self.template_base,
                    'jans-auth/server/config-oxauth-test-couchbase.properties.nrnd'
                ))
            rendered_text = self.fomatWithDict(
                template_text,
                self.merge_dicts(Config.__dict__, Config.templateRenderingDict,
                                 couchbaseDict))
            config_oxauth_test_properties += '\n#couchbase\n' + rendered_text

        if self.getMappingType('rdbm'):
            base.current_app.RDBMInstaller.server_time_zone()
            template_text = self.readFile(
                os.path.join(
                    self.template_base,
                    'jans-auth/server/config-oxauth-test-sql.properties.nrnd'))
            rendered_text = self.fomatWithDict(
                template_text,
                self.merge_dicts(Config.__dict__,
                                 Config.templateRenderingDict))
            config_oxauth_test_properties += '\n#sql\n' + rendered_text

            self.logIt("Adding custom attributs and indexes")

            schema2json(
                os.path.join(Config.templateFolder,
                             'test/jans-auth/schema/102-oxauth_test.ldif'),
                os.path.join(Config.outputFolder, 'test/jans-auth/schema/'))
            schema2json(
                os.path.join(Config.templateFolder,
                             'test/scim-client/schema/103-scim_test.ldif'),
                os.path.join(Config.outputFolder, 'test/scim-client/schema/'),
            )

            oxauth_json_schema_fn = os.path.join(
                Config.outputFolder,
                'test/jans-auth/schema/102-oxauth_test.json')
            scim_json_schema_fn = os.path.join(
                Config.outputFolder,
                'test/scim-client/schema/103-scim_test.json')
            jans_schema_json_files = [
                oxauth_json_schema_fn, scim_json_schema_fn
            ]

            scim_schema = base.readJsonFile(scim_json_schema_fn)
            may_list = []

            for attribute in scim_schema['attributeTypes']:
                may_list += attribute['names']

            jansPerson = {
                'kind': 'STRUCTURAL',
                'may': may_list,
                'must': ['objectclass'],
                'names': ['jansPerson'],
                'oid': 'jansObjClass',
                'sup': ['top'],
                'x_origin': 'Jans created objectclass'
            }
            scim_schema['objectClasses'].append(jansPerson)

            with open(scim_json_schema_fn, 'w') as w:
                json.dump(scim_schema, w, indent=2)

            self.dbUtils.read_jans_schema(others=jans_schema_json_files)

            base.current_app.RDBMInstaller.create_tables(
                jans_schema_json_files)
            if Config.rdbm_type != 'spanner':
                self.dbUtils.rdm_automapper()

        self.writeFile(
            os.path.join(
                Config.outputFolder,
                'test/jans-auth/server/config-oxauth-test.properties'),
            config_oxauth_test_properties)

        self.render_templates_folder(self.template_base)

        self.logIt("Loading test ldif files")

        ox_auth_test_ldif = os.path.join(
            Config.outputFolder, 'test/jans-auth/data/oxauth-test-data.ldif')
        ox_auth_test_user_ldif = os.path.join(
            Config.outputFolder,
            'test/jans-auth/data/oxauth-test-data-user.ldif')

        scim_test_ldif = os.path.join(
            Config.outputFolder, 'test/scim-client/data/scim-test-data.ldif')
        scim_test_user_ldif = os.path.join(
            Config.outputFolder,
            'test/scim-client/data/scim-test-data-user.ldif')

        ldif_files = (ox_auth_test_ldif, scim_test_ldif,
                      ox_auth_test_user_ldif, scim_test_user_ldif)
        self.dbUtils.import_ldif(ldif_files)

        apache_user = '******' if base.clone_type == 'deb' else 'apache'

        # Client keys deployment
        base.download(
            'https://raw.githubusercontent.com/JanssenProject/jans-auth-server/master/client/src/test/resources/jans_test_client_keys.zip',
            '/var/www/html/jans_test_client_keys.zip')
        self.run([
            paths.cmd_unzip, '-o', '/var/www/html/jans_test_client_keys.zip',
            '-d', '/var/www/html/'
        ])
        self.run([paths.cmd_rm, '-rf', 'jans_test_client_keys.zip'])
        self.run([
            paths.cmd_chown, '-R', 'root:' + apache_user,
            '/var/www/html/jans-auth-client'
        ])

        oxAuthConfDynamic_changes = {
            'dynamicRegistrationCustomObjectClass':
            'jansClntCustomAttributes',
            'dynamicRegistrationCustomAttributes': [
                "jansTrustedClnt", "myCustomAttr1", "myCustomAttr2",
                "jansInclClaimsInIdTkn"
            ],
            'dynamicRegistrationExpirationTime':
            86400,
            'dynamicGrantTypeDefault': [
                "authorization_code", "implicit", "password",
                "client_credentials", "refresh_token",
                "urn:ietf:params:oauth:grant-type:uma-ticket",
                "urn:openid:params:grant-type:ciba",
                "urn:ietf:params:oauth:grant-type:device_code"
            ],
            'legacyIdTokenClaims':
            True,
            'authenticationFiltersEnabled':
            True,
            'clientAuthenticationFiltersEnabled':
            True,
            'keyRegenerationEnabled':
            True,
            'openidScopeBackwardCompatibility':
            False,
            'forceOfflineAccessScopeToEnableRefreshToken':
            False,
            'dynamicRegistrationPasswordGrantTypeEnabled':
            True,
            'cibaEnabled':
            True,
            'backchannelAuthenticationRequestSigningAlgValuesSupported': [
                "RS256", "RS384", "RS512", "ES256", "ES384", "ES512", "PS256",
                "PS384", "PS512"
            ],
            'backchannelClientId':
            '123-123-123',
            'backchannelUserCodeParameterSupported':
            True,
            'tokenEndpointAuthSigningAlgValuesSupported': [
                'HS256', 'HS384', 'HS512', 'RS256', 'RS384', 'RS512', 'ES256',
                'ES384', 'ES512', 'PS256', 'PS384', 'PS512'
            ],
            'userInfoSigningAlgValuesSupported': [
                'none', 'HS256', 'HS384', 'HS512', 'RS256', 'RS384', 'RS512',
                'ES256', 'ES384', 'ES512', 'PS256', 'PS384', 'PS512'
            ],
            'consentGatheringScriptBackwardCompatibility':
            False,
            'claimsParameterSupported':
            True,
            'grantTypesSupported': [
                'urn:openid:params:grant-type:ciba', 'authorization_code',
                'urn:ietf:params:oauth:grant-type:uma-ticket',
                'urn:ietf:params:oauth:grant-type:device_code',
                'client_credentials', 'implicit', 'refresh_token', 'password'
            ],
            'idTokenSigningAlgValuesSupported': [
                'none', 'HS256', 'HS384', 'HS512', 'RS256', 'RS384', 'RS512',
                'ES256', 'ES384', 'ES512', 'PS256', 'PS384', 'PS512'
            ],
            'requestObjectSigningAlgValuesSupported': [
                'none', 'HS256', 'HS384', 'HS512', 'RS256', 'RS384', 'RS512',
                'ES256', 'ES384', 'ES512', 'PS256', 'PS384', 'PS512'
            ],
            'softwareStatementValidationClaimName':
            'jwks_uri',
            'softwareStatementValidationType':
            'jwks_uri',
            'umaGrantAccessIfNoPolicies':
            True,
            'rejectJwtWithNoneAlg':
            False,
            'removeRefreshTokensForClientOnLogout':
            True,
            'fapiCompatibility':
            False,
            'forceIdTokenHintPrecense':
            False,
            'introspectionScriptBackwardCompatibility':
            False,
            'spontaneousScopeLifetime':
            0,
            'tokenEndpointAuthMethodsSupported': [
                'client_secret_basic', 'client_secret_post',
                'client_secret_jwt', 'private_key_jwt', 'tls_client_auth',
                'self_signed_tls_client_auth', 'none'
            ],
            'sessionIdRequestParameterEnabled':
            True,
            'skipRefreshTokenDuringRefreshing':
            False,
            'enabledComponents': [
                'unknown', 'health_check', 'userinfo', 'clientinfo',
                'id_generation', 'registration', 'introspection',
                'revoke_token', 'revoke_session', 'end_session',
                'status_session', 'jans_configuration', 'ciba', 'uma', 'u2f',
                'device_authz', 'stat'
            ]
        }

        if Config.get('config_patch_creds'):
            data = None
            datajs = None
            patch_url = 'https://ox.gluu.org/protected/jans-auth/jans-auth-test-config-patch.json'
            req = urllib.request.Request(patch_url)
            credentials = Config.get('config_patch_creds')
            encoded_credentials = base64.b64encode(credentials.encode('ascii'))
            req.add_header('Authorization',
                           'Basic %s' % encoded_credentials.decode("ascii"))
            self.logIt("Retreiving auto test ciba patch from " + patch_url)

            try:
                resp = urllib.request.urlopen(req)
                data = resp.read()
                self.logIt("Auto test ciba patch retreived")
            except:
                self.logIt("Can't retreive auto test ciba patch", True)

            if data:
                try:
                    datajs = json.loads(data.decode())
                except:
                    self.logIt("Can't decode json for auto test ciba patch",
                               True)

            if datajs:
                oxAuthConfDynamic_changes.update(datajs)
                self.logIt(
                    "oxAuthConfDynamic was updated with auto test ciba patch")

        custom_scripts = ('2DAF-F995', '2DAF-F996', '4BBE-C6A8', 'A51E-76DA')

        self.dbUtils.set_oxAuthConfDynamic(oxAuthConfDynamic_changes)

        # Enable custom scripts
        for inum in custom_scripts:
            self.dbUtils.enable_script(inum)

        if self.dbUtils.moddb == static.BackendTypes.LDAP:
            # Update LDAP schema
            openDjSchemaFolder = os.path.join(Config.ldapBaseFolder,
                                              'config/schema/')
            self.copyFile(
                os.path.join(Config.outputFolder,
                             'test/jans-auth/schema/102-oxauth_test.ldif'),
                openDjSchemaFolder)
            self.copyFile(
                os.path.join(Config.outputFolder,
                             'test/scim-client/schema/103-scim_test.ldif'),
                openDjSchemaFolder)

            schema_fn = os.path.join(openDjSchemaFolder,
                                     '77-customAttributes.ldif')

            obcl_parser = myLdifParser(schema_fn)
            obcl_parser.parse()

            for i, o in enumerate(obcl_parser.entries[0][1]['objectClasses']):
                objcl = ObjectClass(o)
                if 'jansCustomPerson' in objcl.tokens['NAME']:
                    may_list = list(objcl.tokens['MAY'])
                    for a in ('scimCustomFirst', 'scimCustomSecond',
                              'scimCustomThird'):
                        if not a in may_list:
                            may_list.append(a)

                    objcl.tokens['MAY'] = tuple(may_list)
                    obcl_parser.entries[0][1]['objectClasses'][
                        i] = objcl.getstr()

            tmp_fn = '/tmp/77-customAttributes.ldif'
            with open(tmp_fn, 'wb') as w:
                ldif_writer = LDIFWriter(w)
                for dn, entry in obcl_parser.entries:
                    ldif_writer.unparse(dn, entry)

            self.copyFile(tmp_fn, openDjSchemaFolder)

            self.logIt("Making opndj listen all interfaces")
            ldap_operation_result = self.dbUtils.ldap_conn.modify(
                'cn=LDAPS Connection Handler,cn=Connection Handlers,cn=config',
                {'ds-cfg-listen-address': [ldap3.MODIFY_REPLACE, '0.0.0.0']})

            if not ldap_operation_result:
                self.logIt("Ldap modify operation failed {}".format(
                    str(self.ldap_conn.result)))
                self.logIt(
                    "Ldap modify operation failed {}".format(
                        str(self.ldap_conn.result)), True)

            self.dbUtils.ldap_conn.unbind()

            self.logIt("Re-starting opendj")
            self.restart('opendj')

            self.logIt("Re-binding opendj")
            # try 5 times to re-bind opendj
            for i in range(5):
                time.sleep(5)
                self.logIt("Try binding {} ...".format(i + 1))
                bind_result = self.dbUtils.ldap_conn.bind()
                if bind_result:
                    self.logIt("Binding to opendj was successful")
                    break
                self.logIt("Re-try in 5 seconds")
            else:
                self.logIt("Re-binding opendj FAILED")
                sys.exit("Re-binding opendj FAILED")

            for atr in ('myCustomAttr1', 'myCustomAttr2'):

                dn = 'ds-cfg-attribute={},cn=Index,ds-cfg-backend-id={},cn=Backends,cn=config'.format(
                    atr, 'userRoot')
                entry = {
                    'objectClass': ['top', 'ds-cfg-backend-index'],
                    'ds-cfg-attribute': [atr],
                    'ds-cfg-index-type': ['equality'],
                    'ds-cfg-index-entry-limit': ['4000']
                }
                self.logIt("Creating Index {}".format(dn))
                ldap_operation_result = self.dbUtils.ldap_conn.add(
                    dn, attributes=entry)
                if not ldap_operation_result:
                    self.logIt("Ldap modify operation failed {}".format(
                        str(self.dbUtils.ldap_conn.result)))
                    self.logIt(
                        "Ldap modify operation failed {}".format(
                            str(self.dbUtils.ldap_conn.result)), True)

        elif self.dbUtils.moddb in (static.BackendTypes.MYSQL,
                                    static.BackendTypes.PGSQL):
            pass

        elif self.dbUtils.moddb == static.BackendTypes.COUCHBASE:
            self.dbUtils.cbm.exec_query(
                'CREATE INDEX def_{0}_myCustomAttr1 ON `{0}`(myCustomAttr1) USING GSI WITH {{"defer_build":true}}'
                .format(Config.couchbase_bucket_prefix))
            self.dbUtils.cbm.exec_query(
                'CREATE INDEX def_{0}_myCustomAttr2 ON `{0}`(myCustomAttr2) USING GSI WITH {{"defer_build":true}}'
                .format(Config.couchbase_bucket_prefix))
            self.dbUtils.cbm.exec_query(
                'BUILD INDEX ON `{0}` (def_{0}_myCustomAttr1, def_{0}_myCustomAttr2)'
                .format(Config.couchbase_bucket_prefix))

        if self.dbUtils.moddb == static.BackendTypes.LDAP:
            self.dbUtils.ldap_conn.bind()

            result = self.dbUtils.search(
                'ou=configuration,o=jans',
                search_filter='(&(jansDbAuth=*)(objectClass=jansAppConf))',
                search_scope=ldap3.BASE)
            oxIDPAuthentication = json.loads(result['jansDbAuth'])
            oxIDPAuthentication['config']['servers'] = [
                '{0}:{1}'.format(Config.hostname, Config.ldaps_port)
            ]
            oxIDPAuthentication_js = json.dumps(oxIDPAuthentication, indent=2)
            self.dbUtils.set_configuration('jansDbAuth',
                                           oxIDPAuthentication_js)

        self.create_test_client_keystore()

        # Disable token binding module
        if base.os_name in ('ubuntu18', 'ubuntu20'):
            self.run(['a2dismod', 'mod_token_binding'])
            self.restart('apache2')

        self.restart('jans-auth')

        if Config.installEleven:
            eleven_tokens_package = os.path.join(
                Config.staticFolder, 'eleven/jans-eleven-tokens.tar.gz')
            target_dir = '/var/lib/softhsm/tokens/'
            if not os.path.exists(target_dir):
                os.makedirs(target_dir)
            self.run([
                paths.cmd_tar, '-zxf', eleven_tokens_package, '-C', target_dir
            ])
Example #6
0
    def load_test_data(self):

        if not self.scimInstaller.installed():
            self.logIt("Scim was not installed. Installing")
            Config.installScimServer = True
            self.scimInstaller.start_installation()

        self.encode_test_passwords()

        self.logIt("Rendering test templates")

        Config.templateRenderingDict[
            'config_oxauth_test_ldap'] = '# Not available'
        Config.templateRenderingDict[
            'config_oxauth_test_couchbase'] = '# Not available'

        if self.getMappingType('ldap'):
            template_text = self.readFile(
                os.path.join(
                    self.template_base,
                    'oxauth/server/config-oxauth-test-ldap.properties.nrnd'))
            rendered_text = self.fomatWithDict(
                template_text,
                self.merge_dicts(Config.__dict__,
                                 Config.templateRenderingDict))
            Config.templateRenderingDict[
                'config_oxauth_test_ldap'] = rendered_text

        if self.getMappingType('couchbase'):
            template_text = self.readFile(
                os.path.join(
                    self.template_base,
                    'oxauth/server/config-oxauth-test-couchbase.properties.nrnd'
                ))
            rendered_text = self.fomatWithDict(
                template_text,
                self.merge_dicts(Config.__dict__,
                                 Config.templateRenderingDict))
            Config.templateRenderingDict[
                'config_oxauth_test_couchbase'] = rendered_text

        self.render_templates_folder(self.template_base)

        self.logIt("Loading test ldif files")

        if not self.passportInstaller.installed():
            self.passportInstaller.generate_configuration()

        ox_auth_test_ldif = os.path.join(
            Config.outputFolder, 'test/oxauth/data/oxauth-test-data.ldif')
        ox_auth_test_user_ldif = os.path.join(
            Config.outputFolder, 'test/oxauth/data/oxauth-test-data-user.ldif')

        scim_test_ldif = os.path.join(
            Config.outputFolder, 'test/scim-client/data/scim-test-data.ldif')
        scim_test_user_ldif = os.path.join(
            Config.outputFolder,
            'test/scim-client/data/scim-test-data-user.ldif')

        ldif_files = (ox_auth_test_ldif, scim_test_ldif,
                      ox_auth_test_user_ldif, scim_test_user_ldif)
        self.dbUtils.import_ldif(ldif_files)

        apache_user = '******' if base.clone_type == 'deb' else 'apache'

        # Client keys deployment
        base.download(
            'https://raw.githubusercontent.com/GluuFederation/oxAuth/master/Client/src/test/resources/oxauth_test_client_keys.zip',
            '/var/www/html/oxauth_test_client_keys.zip')
        self.run([
            paths.cmd_unzip, '-o', '/var/www/html/oxauth_test_client_keys.zip',
            '-d', '/var/www/html/'
        ])
        self.run([paths.cmd_rm, '-rf', 'oxauth_test_client_keys.zip'])
        self.run([
            paths.cmd_chown, '-R', 'root:' + apache_user,
            '/var/www/html/oxauth-client'
        ])

        oxAuthConfDynamic_changes = {
            'dynamicRegistrationCustomObjectClass':
            'oxAuthClientCustomAttributes',
            'dynamicRegistrationCustomAttributes': [
                "oxAuthTrustedClient", "myCustomAttr1", "myCustomAttr2",
                "oxIncludeClaimsInIdToken"
            ],
            'dynamicRegistrationExpirationTime':
            86400,
            'dynamicGrantTypeDefault': [
                "authorization_code", "implicit", "password",
                "client_credentials", "refresh_token",
                "urn:ietf:params:oauth:grant-type:uma-ticket"
            ],
            'legacyIdTokenClaims':
            True,
            'authenticationFiltersEnabled':
            True,
            'clientAuthenticationFiltersEnabled':
            True,
            'keyRegenerationEnabled':
            True,
            'openidScopeBackwardCompatibility':
            False,
        }

        custom_scripts = ('2DAF-F995', '2DAF-F996', '4BBE-C6A8')

        self.dbUtils.set_oxAuthConfDynamic(oxAuthConfDynamic_changes)

        # Enable custom scripts
        for inum in custom_scripts:
            self.dbUtils.enable_script(inum)

        if self.dbUtils.moddb == static.BackendTypes.LDAP:
            # Update LDAP schema
            openDjSchemaFolder = os.path.join(Config.ldapBaseFolder,
                                              'config/schema/')
            self.copyFile(
                os.path.join(Config.outputFolder,
                             'test/oxauth/schema/102-oxauth_test.ldif'),
                openDjSchemaFolder)
            self.copyFile(
                os.path.join(Config.outputFolder,
                             'test/scim-client/schema/103-scim_test.ldif'),
                openDjSchemaFolder)

            schema_fn = os.path.join(openDjSchemaFolder,
                                     '77-customAttributes.ldif')

            obcl_parser = myLdifParser(schema_fn)
            obcl_parser.parse()

            for i, o in enumerate(obcl_parser.entries[0][1]['objectClasses']):
                objcl = ObjectClass(o)
                if 'gluuCustomPerson' in objcl.tokens['NAME']:
                    may_list = list(objcl.tokens['MAY'])
                    for a in ('scimCustomFirst', 'scimCustomSecond',
                              'scimCustomThird'):
                        if not a in may_list:
                            may_list.append(a)

                    objcl.tokens['MAY'] = tuple(may_list)
                    obcl_parser.entries[0][1]['objectClasses'][
                        i] = objcl.getstr()

            tmp_fn = '/tmp/77-customAttributes.ldif'
            with open(tmp_fn, 'wb') as w:
                ldif_writer = LDIFWriter(w)
                for dn, entry in obcl_parser.entries:
                    ldif_writer.unparse(dn, entry)

            self.copyFile(tmp_fn, openDjSchemaFolder)
            cwd = os.path.join(Config.ldapBaseFolder, 'bin')
            dsconfigCmd = (
                '{} --trustAll --no-prompt --hostname {} --port {} '
                '--bindDN "{}" --bindPasswordFile /home/ldap/.pw set-connection-handler-prop '
                '--handler-name "LDAPS Connection Handler" --set listen-address:0.0.0.0'
            ).format(os.path.join(Config.ldapBaseFolder,
                                  'bin/dsconfig'), Config.ldap_hostname,
                     Config.ldap_admin_port, Config.ldap_binddn)

            self.run(['/bin/su', 'ldap', '-c', dsconfigCmd], cwd=cwd)

            self.dbUtils.ldap_conn.unbind()

            self.restart('opendj')
            #wait 10 seconds to start opendj
            time.sleep(10)

            for atr in ('myCustomAttr1', 'myCustomAttr2'):
                cmd = (
                    'create-backend-index --backend-name userRoot --type generic '
                    '--index-name {} --set index-type:equality --set index-entry-limit:4000 '
                    '--hostName {} --port {} --bindDN "{}" -j /home/ldap/.pw '
                    '--trustAll --noPropertiesFile --no-prompt').format(
                        atr, Config.ldap_hostname, Config.ldap_admin_port,
                        Config.ldap_binddn)

                dsconfigCmd = '{1} {2}'.format(Config.ldapBaseFolder,
                                               os.path.join(cwd, 'dsconfig'),
                                               cmd)
                self.run(['/bin/su', 'ldap', '-c', dsconfigCmd], cwd=cwd)

        else:
            self.dbUtils.cbm.exec_query(
                'CREATE INDEX def_gluu_myCustomAttr1 ON `gluu`(myCustomAttr1) USING GSI WITH {"defer_build":true}'
            )
            self.dbUtils.cbm.exec_query(
                'CREATE INDEX def_gluu_myCustomAttr2 ON `gluu`(myCustomAttr2) USING GSI WITH {"defer_build":true}'
            )
            self.dbUtils.cbm.exec_query(
                'BUILD INDEX ON `gluu` (def_gluu_myCustomAttr1, def_gluu_myCustomAttr2)'
            )

        self.dbUtils.ldap_conn.bind()

        result = self.dbUtils.search('ou=configuration,o=gluu',
                                     search_filter='(oxIDPAuthentication=*)',
                                     search_scope=ldap3.BASE)

        oxIDPAuthentication = json.loads(result['oxIDPAuthentication'])
        oxIDPAuthentication['config']['servers'] = [
            '{0}:{1}'.format(Config.hostname, Config.ldaps_port)
        ]
        oxIDPAuthentication_js = json.dumps(oxIDPAuthentication, indent=2)
        self.dbUtils.set_configuration('oxIDPAuthentication',
                                       oxIDPAuthentication_js)

        self.create_test_client_keystore()

        # Disable token binding module
        if base.os_name in ('ubuntu18', 'ubuntu20'):
            self.run(['a2dismod', 'mod_token_binding'])
            self.restart('apache2')

        self.restart('oxauth')
    def load_test_data(self):

        if not self.scimInstaller.installed():
            self.logIt("Scim was not installed. Installing")
            Config.installScimServer = True
            self.scimInstaller.start_installation()

        self.encode_test_passwords()

        self.logIt("Rendering test templates")

        Config.templateRenderingDict[
            'config_oxauth_test_ldap'] = '# Not available'
        Config.templateRenderingDict[
            'config_oxauth_test_couchbase'] = '# Not available'

        config_oxauth_test_properties = self.fomatWithDict(
            'server.name=%(hostname)s\nconfig.oxauth.issuer=http://localhost:80\nconfig.oxauth.contextPath=http://localhost:80\nconfig.oxauth.salt=%(encode_salt)s\nconfig.persistence.type=%(persistence_type)s\n\n',
            self.merge_dicts(Config.__dict__, Config.templateRenderingDict))

        if self.getMappingType('ldap'):
            template_text = self.readFile(
                os.path.join(
                    self.template_base,
                    'oxauth/server/config-oxauth-test-ldap.properties.nrnd'))
            rendered_text = self.fomatWithDict(
                template_text,
                self.merge_dicts(Config.__dict__,
                                 Config.templateRenderingDict))
            config_oxauth_test_properties += '#ldap\n' + rendered_text

        if self.getMappingType('couchbase'):
            template_text = self.readFile(
                os.path.join(
                    self.template_base,
                    'oxauth/server/config-oxauth-test-couchbase.properties.nrnd'
                ))
            rendered_text = self.fomatWithDict(
                template_text,
                self.merge_dicts(Config.__dict__,
                                 Config.templateRenderingDict))
            config_oxauth_test_properties += '\n#couchbase\n' + rendered_text

        self.writeFile(
            os.path.join(Config.outputFolder,
                         'test/oxauth/server/config-oxauth-test.properties'),
            config_oxauth_test_properties)

        self.render_templates_folder(self.template_base)

        self.logIt("Loading test ldif files")

        ox_auth_test_ldif = os.path.join(
            Config.outputFolder, 'test/oxauth/data/oxauth-test-data.ldif')
        ox_auth_test_user_ldif = os.path.join(
            Config.outputFolder, 'test/oxauth/data/oxauth-test-data-user.ldif')

        scim_test_ldif = os.path.join(
            Config.outputFolder, 'test/scim-client/data/scim-test-data.ldif')
        scim_test_user_ldif = os.path.join(
            Config.outputFolder,
            'test/scim-client/data/scim-test-data-user.ldif')

        ldif_files = (ox_auth_test_ldif, scim_test_ldif,
                      ox_auth_test_user_ldif, scim_test_user_ldif)
        self.dbUtils.import_ldif(ldif_files)

        apache_user = '******' if base.clone_type == 'deb' else 'apache'

        # Client keys deployment
        base.download(
            'https://raw.githubusercontent.com/JanssenProject/jans-auth-server/master/client/src/test/resources/oxauth_test_client_keys.zip',
            '/var/www/html/oxauth_test_client_keys.zip')
        self.run([
            paths.cmd_unzip, '-o', '/var/www/html/oxauth_test_client_keys.zip',
            '-d', '/var/www/html/'
        ])
        self.run([paths.cmd_rm, '-rf', 'oxauth_test_client_keys.zip'])
        self.run([
            paths.cmd_chown, '-R', 'root:' + apache_user,
            '/var/www/html/oxauth-client'
        ])

        oxAuthConfDynamic_changes = {
            'dynamicRegistrationCustomObjectClass':
            'oxAuthClientCustomAttributes',
            'dynamicRegistrationCustomAttributes': [
                "oxAuthTrustedClient", "myCustomAttr1", "myCustomAttr2",
                "oxIncludeClaimsInIdToken"
            ],
            'dynamicRegistrationExpirationTime':
            86400,
            'dynamicGrantTypeDefault': [
                "authorization_code", "implicit", "password",
                "client_credentials", "refresh_token",
                "urn:ietf:params:oauth:grant-type:uma-ticket"
            ],
            'legacyIdTokenClaims':
            True,
            'authenticationFiltersEnabled':
            True,
            'clientAuthenticationFiltersEnabled':
            True,
            'keyRegenerationEnabled':
            True,
            'openidScopeBackwardCompatibility':
            False,
        }

        custom_scripts = ('2DAF-F995', '2DAF-F996', '4BBE-C6A8')

        self.dbUtils.set_oxAuthConfDynamic(oxAuthConfDynamic_changes)

        # Enable custom scripts
        for inum in custom_scripts:
            self.dbUtils.enable_script(inum)

        if self.dbUtils.moddb == static.BackendTypes.LDAP:
            # Update LDAP schema
            openDjSchemaFolder = os.path.join(Config.ldapBaseFolder,
                                              'config/schema/')
            self.copyFile(
                os.path.join(Config.outputFolder,
                             'test/oxauth/schema/102-oxauth_test.ldif'),
                openDjSchemaFolder)
            self.copyFile(
                os.path.join(Config.outputFolder,
                             'test/scim-client/schema/103-scim_test.ldif'),
                openDjSchemaFolder)

            schema_fn = os.path.join(openDjSchemaFolder,
                                     '77-customAttributes.ldif')

            obcl_parser = myLdifParser(schema_fn)
            obcl_parser.parse()

            for i, o in enumerate(obcl_parser.entries[0][1]['objectClasses']):
                objcl = ObjectClass(o)
                if 'gluuCustomPerson' in objcl.tokens['NAME']:
                    may_list = list(objcl.tokens['MAY'])
                    for a in ('scimCustomFirst', 'scimCustomSecond',
                              'scimCustomThird'):
                        if not a in may_list:
                            may_list.append(a)

                    objcl.tokens['MAY'] = tuple(may_list)
                    obcl_parser.entries[0][1]['objectClasses'][
                        i] = objcl.getstr()

            tmp_fn = '/tmp/77-customAttributes.ldif'
            with open(tmp_fn, 'wb') as w:
                ldif_writer = LDIFWriter(w)
                for dn, entry in obcl_parser.entries:
                    ldif_writer.unparse(dn, entry)

            self.copyFile(tmp_fn, openDjSchemaFolder)

            self.logIt("Making opndj listen all interfaces")
            ldap_operation_result = self.dbUtils.ldap_conn.modify(
                'cn=LDAPS Connection Handler,cn=Connection Handlers,cn=config',
                {'ds-cfg-listen-address': [ldap3.MODIFY_REPLACE, '0.0.0.0']})

            if not ldap_operation_result:
                self.logIt("Ldap modify operation failed {}".format(
                    str(self.ldap_conn.result)))
                self.logIt(
                    "Ldap modify operation failed {}".format(
                        str(self.ldap_conn.result)), True)

            self.dbUtils.ldap_conn.unbind()

            self.logIt("Re-starting opendj")
            self.restart('opendj')

            self.logIt("Re-binding opendj")
            # try 5 times to re-bind opendj
            for i in range(5):
                time.sleep(5)
                self.logIt("Try binding {} ...".format(i + 1))
                bind_result = self.dbUtils.ldap_conn.bind()
                if bind_result:
                    self.logIt("Binding to opendj was successful")
                    break
                self.logIt("Re-try in 5 seconds")
            else:
                self.logIt("Re-binding opendj FAILED")
                sys.exit("Re-binding opendj FAILED")

            for atr in ('myCustomAttr1', 'myCustomAttr2'):

                dn = 'ds-cfg-attribute={},cn=Index,ds-cfg-backend-id={},cn=Backends,cn=config'.format(
                    atr, 'userRoot')
                entry = {
                    'objectClass': ['top', 'ds-cfg-backend-index'],
                    'ds-cfg-attribute': [atr],
                    'ds-cfg-index-type': ['equality'],
                    'ds-cfg-index-entry-limit': ['4000']
                }
                self.logIt("Creating Index {}".format(dn))
                ldap_operation_result = self.dbUtils.ldap_conn.add(
                    dn, attributes=entry)
                if not ldap_operation_result:
                    self.logIt("Ldap modify operation failed {}".format(
                        str(self.dbUtils.ldap_conn.result)))
                    self.logIt(
                        "Ldap modify operation failed {}".format(
                            str(self.dbUtils.ldap_conn.result)), True)

        else:
            self.dbUtils.cbm.exec_query(
                'CREATE INDEX def_gluu_myCustomAttr1 ON `gluu`(myCustomAttr1) USING GSI WITH {"defer_build":true}'
            )
            self.dbUtils.cbm.exec_query(
                'CREATE INDEX def_gluu_myCustomAttr2 ON `gluu`(myCustomAttr2) USING GSI WITH {"defer_build":true}'
            )
            self.dbUtils.cbm.exec_query(
                'BUILD INDEX ON `gluu` (def_gluu_myCustomAttr1, def_gluu_myCustomAttr2)'
            )

        self.dbUtils.ldap_conn.bind()

        result = self.dbUtils.search('ou=configuration,o=jans',
                                     search_filter='(jansIDPAuthn=*)',
                                     search_scope=ldap3.BASE)

        oxIDPAuthentication = json.loads(result['jansIDPAuthn'])
        oxIDPAuthentication['config']['servers'] = [
            '{0}:{1}'.format(Config.hostname, Config.ldaps_port)
        ]
        oxIDPAuthentication_js = json.dumps(oxIDPAuthentication, indent=2)
        self.dbUtils.set_configuration('jansIDPAuthn', oxIDPAuthentication_js)

        self.create_test_client_keystore()

        # Disable token binding module
        if base.os_name in ('ubuntu18', 'ubuntu20'):
            self.run(['a2dismod', 'mod_token_binding'])
            self.restart('apache2')

        self.restart('jans-auth')
Example #8
0
    def generate_configuration(self):

        self.check_clients([('admin_ui_client_id', '1901.')])

        if not Config.get('admin_ui_client_pw'):
            Config.admin_ui_client_pw = self.getPW(32)
            Config.admin_ui_client_encoded_pw = self.obscure(
                Config.admin_ui_client_pw)

        createClient = True
        config_api_dn = 'inum={},ou=clients,o=jans'.format(
            Config.admin_ui_client_id)
        if Config.installed_instance and self.dbUtils.search(
                'ou=clients,o=jans',
                search_filter='(&(inum={})(objectClass=jansClnt))'.format(
                    Config.admin_ui_client_id)):
            createClient = False

        if createClient:
            clients_ldif_fd = open(self.clients_ldif_fn, 'wb')
            ldif_clients_writer = LDIFWriter(clients_ldif_fd, cols=1000)
            ldif_clients_writer.unparse(
                config_api_dn, {
                    'objectClass': ['top', 'jansClnt'],
                    'del': ['false'],
                    'displayName': ['Jans Admin UI Client'],
                    'inum': [Config.admin_ui_client_id],
                    'jansAccessTknAsJwt': ['false'],
                    'jansAccessTknSigAlg': ['RS256'],
                    'jansAppTyp': ['web'],
                    'jansAttrs': [
                        '{"tlsClientAuthSubjectDn":"","runIntrospectionScriptBeforeAccessTokenAsJwtCreationAndIncludeClaims":false,"keepClientAuthorizationAfterExpiration":false,"allowSpontaneousScopes":false,"spontaneousScopes":[],"spontaneousScopeScriptDns":[],"backchannelLogoutUri":[],"backchannelLogoutSessionRequired":false,"additionalAudience":[],"postAuthnScripts":[],"consentGatheringScripts":[],"introspectionScripts":[],"rptClaimsScripts":[]}'
                    ],
                    'jansClntSecret': [Config.admin_ui_client_encoded_pw],
                    'jansDefAcrValues': ['simple_password_auth'],
                    'jansDisabled': ['false'],
                    'jansGrantTyp': [
                        'authorization_code', 'refresh_token',
                        'client_credentials'
                    ],
                    'jansIdTknSignedRespAlg': ['RS256'],
                    'jansInclClaimsInIdTkn': ['false'],
                    'jansLogoutSessRequired': ['false'],
                    'jansPersistClntAuthzs': ['true'],
                    'jansRequireAuthTime': ['false'],
                    'jansRespTyp': ['code'],
                    'jansRptAsJwt': ['false'],
                    'jansPostLogoutRedirectURI': ['http://localhost:4100'],
                    'jansRedirectURI': ['http://localhost:4100'],
                    'jansLogoutURI': ['http://localhost:4100/logout'],
                    'jansScope': [
                        'inum=43F1,ou=scopes,o=jans',
                        'inum=6D90,ou=scopes,o=jans',
                        'inum=FOC4,ou=scopes,o=jans'
                    ],
                    'jansSubjectTyp': ['pairwise'],
                    'jansTknEndpointAuthMethod': ['client_secret_basic'],
                    'jansTrustedClnt': ['false'],
                })

            clients_ldif_fd.close()
            self.load_ldif_files.append(self.clients_ldif_fn)

        admin_dn = 'inum={},ou=people,o=jans'.format(Config.admin_inum)
        backend_location = self.dbUtils.get_backend_location_for_dn(admin_dn)

        result = self.dbUtils.dn_exists(admin_dn)
        if result and not 'jansAdminUIRole' in result:
            if backend_location == BackendTypes.LDAP:
                ldap_operation_result = self.dbUtils.ldap_conn.modify(
                    admin_dn,
                    {'jansAdminUIRole': [ldap3.MODIFY_ADD, 'api-admin']})
                self.dbUtils.log_ldap_result(ldap_operation_result)
Example #9
0
            if dnc[0] == dne[0] and dnc[1] == dne[1]:
                new_val[1] = dnc[2]

        new_dn_list.append('='.join(new_val))

    new_dn = ','.join(new_dn_list)

    if 'Gluu' in new_entry.get('description', [''])[0]:
        new_entry['description'][0] = new_entry['description'][0].replace(
            'Gluu', 'Janssen')

    if 'gluu' in new_entry.get('displayName', [''])[0]:
        new_entry['displayName'][0] = new_entry['displayName'][0].replace(
            'gluu', 'janssen')

    ldif_writer.unparse(new_dn, new_entry)

out_ldif.close()

#de-escape base64 encoded fields
w = open(out_file, 'w')
for l in open(b64_escaped_out_file):
    n = l.find(':')
    if n > -1:
        a = l[:n]
        v = l[n + 1:].strip()
        if v.startswith(b64_encoded_field_descriptor):
            l = a + '::' + v[len(b64_encoded_field_descriptor):] + '\n'
            if 'person_authentication_supergluuexternalauthenticator' in l:
                l = l.replace(
                    'person_authentication_supergluuexternalauthenticator',