def main(): manager = get_manager() addr = guess_serf_addr() host = addr.split(":")[0] admin_port = os.environ.get("CN_LDAP_ADVERTISE_ADMIN_PORT", "4444") deregister_serf_peer(manager, addr) with admin_password_bound(manager) as password_file: cmd = " ".join([ "/opt/opendj/bin/dsreplication", "disable", "--disableAll", f"--port {admin_port}", f"--hostname {host}", "--adminUID admin", f"--adminPasswordFile {password_file}", "-X", "-n", "-Q", ]) out, err, code = exec_cmd(cmd) if code: err = err or out logger.warning( f"Unable to disable replication for current server; reason={err.decode()}" )
def main(): # check how many member in ldap cluster, peers_num = len(peers_from_serf_membership()) if peers_num == 0: sys.exit(1) elif peers_num == 1: # if there's only 1 alive member, mark the server as ready to allow # data injection to persistence sys.exit(0) else: # if there are more than 1 instances, determine the server readiness by # checking entries in persistence manager = get_manager() host = "localhost:1636" user = manager.config.get("ldap_binddn") password = decode_text( manager.secret.get("encoded_ox_ldap_pw"), manager.secret.get("encoded_salt"), ) result = get_ldap_entries(host, user, password) if result: sys.exit(0) else: sys.exit(1)
def main(): manager = get_manager() if not os.path.isfile("/etc/certs/web_https.crt"): # pull SSL cert to a file manager.secret.to_file("ssl_cert", "/etc/certs/web_https.crt") if not os.path.isfile("/etc/certs/web_https.key"): # pull SSL key to a file manager.secret.to_file("ssl_key", "/etc/certs/web_https.key")
def main(): persistence_type = os.environ.get("CN_PERSISTENCE_TYPE", "ldap") validate_persistence_type(persistence_type) ldap_mapping = os.environ.get("CN_PERSISTENCE_LDAP_MAPPING", "default") validate_persistence_ldap_mapping(persistence_type, ldap_mapping) manager = get_manager() deps = ["config", "secret"] wait_for(manager, deps)
def __init__(self, manager=None): manager = manager or get_manager() dialect = os.environ.get("CN_SQL_DB_DIALECT", "mysql") if dialect in ("pgsql", "postgresql"): self.adapter = PostgresqlClient(manager) elif dialect == "mysql": self.adapter = MysqlClient(manager) self._adapter_methods = [ method for method in dir(self.adapter) if method in self._allowed_adapter_methods ]
def prune(service, dry_run, opts): """Cleanup expired crypto keys for the targeted service. """ manager = get_manager() if dry_run: logger.warning("Dry-run mode is enabled!") logger.info(f"Processing updates for service {service}") parsed_opts = _parse_opts(opts) callback_cls = PRUNE_SERVICE_MAP[service] callback_cls(manager, dry_run, **parsed_opts).prune()
def patch(service, dry_run, opts): """Patch cert and/or crypto keys for the targeted service. """ manager = get_manager() if dry_run: logger.warning("Dry-run mode is enabled!") logger.info(f"Processing updates for service {service}") parsed_opts = _parse_opts(opts) callback_cls = PATCH_SERVICE_MAP[service] callback_cls(manager, dry_run, **parsed_opts).patch()
def main(): config_adapter = os.environ.get("CN_CONFIG_ADAPTER", "consul") if config_adapter != "consul": logger.error("This container only supports Consul as config backend") sys.exit(1) secret_adapter = os.environ.get("CN_SECRET_ADAPTER", "vault") if secret_adapter != "vault": logger.error("This container only supports Vault as secret backend") sys.exit(1) manager = get_manager() deps = ["config", "secret"] wait_for(manager, deps)
def main(): persistence_type = os.environ.get("CN_PERSISTENCE_TYPE", "ldap") validate_persistence_type(persistence_type) ldap_mapping = os.environ.get("CN_PERSISTENCE_LDAP_MAPPING", "default") validate_persistence_ldap_mapping(persistence_type, ldap_mapping) if persistence_type == "sql": sql_dialect = os.environ.get("CN_SQL_DB_DIALECT", "mysql") validate_persistence_sql_dialect(sql_dialect) manager = get_manager() deps = ["config", "secret"] if persistence_type == "hybrid": deps += ["ldap", "couchbase"] else: deps.append(persistence_type) wait_for(manager, deps)
def prune(service, dry_run, opts): """Cleanup expired crypto keys for the targeted service. """ manager = get_manager() if dry_run: logger.warning("Dry-run mode is enabled!") logger.info(f"Processing updates for service {service}") _opts = {} for opt in opts: try: k, v = opt.split(":", 1) _opts[k] = v except ValueError: k = opt v = "" callback_cls = PRUNE_SERVICE_MAP[service] callback_cls(manager, dry_run, **_opts).prune()
def main(): manager = get_manager() for addr in peers_from_file(): register_serf_peer(manager, addr) addr = guess_serf_addr() register_serf_peer(manager, addr) mcast = as_boolean(os.environ.get("CN_SERF_MULTICAST_DISCOVER", False)) if mcast: # join Serf cluster using multicast (no extra code needed) return # join Serf cluster manually peers = " ".join(get_serf_peers(manager)) out, err, code = exec_cmd(f"serf join {peers}") err = err or out if code != 0: logger.warning(f"Unable to join Serf cluster; reason={err}")
def decode_string(text, salt_file, salt_literal): salt = "" if salt_literal: salt = salt_literal elif salt_file: with click.open_file(salt_file, "r") as f: salt = f.read().split(" = ")[-1].strip() else: manager = get_manager() try: salt = manager.secret.get("encoded_salt") except Exception as exc: # noqa: B902 click.echo(f"Unable to get salt from secrets; reason={exc}") if not salt: raise click.Abort() try: txt = decode_text(text, salt) click.echo(txt) except ValueError as exc: raise click.ClickException(f"Unable to decode given string; reason={exc}")
def main(): manager = get_manager() backend_classes = { "ldap": LDAPBackend, "couchbase": CouchbaseBackend, "hybrid": HybridBackend, "sql": SQLBackend, "spanner": SpannerBackend, } # initialize the backend persistence_type = os.environ.get("CN_PERSISTENCE_TYPE", "ldap") backend_cls = backend_classes.get(persistence_type) if not backend_cls: raise ValueError("Unsupported persistence backend") backend = backend_cls(manager) backend.initialize() # run upgrade if needed upgrade = Upgrade(manager) upgrade.invoke()
def get_injected_urls(): manager = get_manager() persistence_type = os.environ.get("CN_PERSISTENCE_TYPE", "ldap") ldap_mapping = os.environ.get("CN_PERSISTENCE_LDAP_MAPPING", "default") if persistence_type in ("ldap", "couchbase", "sql", "spanner"): backend_type = persistence_type else: # maybe hybrid if ldap_mapping == "default": backend_type = "ldap" else: backend_type = "couchbase" # resolve backend backend = _backend_classes[backend_type](manager) auth_config = backend.get_auth_config() try: auth_config = json.loads(auth_config) except TypeError: pass endpoints = [ "issuer", "openIdConfigurationEndpoint", "introspectionEndpoint", "tokenEndpoint", "tokenRevocationEndpoint", ] transformed_urls = { attr: transform_url(auth_config[attr]) for attr in endpoints } return transformed_urls
from jans.pycloudlib.utils import generate_keystore from parameter import params_from_file from settings import LOGGING_CONFIG DEFAULT_SIG_KEYS = "RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512" DEFAULT_ENC_KEYS = "RSA1_5 RSA-OAEP" DEFAULT_CONFIG_FILE = "/app/db/config.json" DEFAULT_SECRET_FILE = "/app/db/secret.json" DEFAULT_GENERATE_FILE = "/app/db/generate.json" logging.config.dictConfig(LOGGING_CONFIG) logger = logging.getLogger("configurator") manager = get_manager() def encode_template(fn, ctx, base_dir="/app/templates"): path = os.path.join(base_dir, fn) # ctx is nested which has `config` and `secret` keys data = {} for _, v in ctx.items(): data.update(v) with open(path) as f: return generate_base64_contents(safe_render(f.read(), data)) def generate_openid_keys(passwd, jks_path, jwks_path,
def main(): manager = get_manager() persistence_type = os.environ.get("CN_PERSISTENCE_TYPE", "ldap") render_salt(manager, "/app/templates/salt.tmpl", "/etc/jans/conf/salt") render_base_properties("/app/templates/jans.properties.tmpl", "/etc/jans/conf/jans.properties") if persistence_type in ("ldap", "hybrid"): render_ldap_properties( manager, "/app/templates/jans-ldap.properties.tmpl", "/etc/jans/conf/jans-ldap.properties", ) sync_ldap_truststore(manager) if persistence_type in ("couchbase", "hybrid"): render_couchbase_properties( manager, "/app/templates/jans-couchbase.properties.tmpl", "/etc/jans/conf/jans-couchbase.properties", ) # need to resolve whether we're using default or user-defined couchbase cert sync_couchbase_truststore(manager) if persistence_type == "hybrid": render_hybrid_properties("/etc/jans/conf/jans-hybrid.properties") if persistence_type == "sql": render_sql_properties( manager, "/app/templates/jans-sql.properties.tmpl", "/etc/jans/conf/jans-sql.properties", ) if persistence_type == "spanner": render_spanner_properties( manager, "/app/templates/jans-spanner.properties.tmpl", "/etc/jans/conf/jans-spanner.properties", ) if not all([ os.path.isfile("/etc/certs/web_https.crt"), os.path.isfile("/etc/certs/web_https.key"), ]): manager.secret.to_file("ssl_cert", "/etc/certs/web_https.crt") manager.secret.to_file("ssl_key", "/etc/certs/web_https.key") cert_to_truststore( "web_https", "/etc/certs/web_https.crt", "/usr/lib/jvm/default-jvm/jre/lib/security/cacerts", "changeit", ) modify_jetty_xml() modify_webdefault_xml() modify_server_ini() configure_logging() plugins = discover_plugins() modify_config_api_xml(plugins) if "admin-ui" in plugins: admin_ui_plugin = AdminUiPlugin(manager) admin_ui_plugin.setup()