def passport_sp_ctx(self):
self._set_secret("passportSpKeyPass", get_random_chars())
self._set_config("passportSpTLSCACert", '/etc/certs/passport-sp.pem')
self._set_config("passportSpTLSCert", '/etc/certs/passport-sp.crt')
self._set_config("passportSpTLSKey", '/etc/certs/passport-sp.key')
self._set_secret("passportSpJksPass", get_random_chars())
self._set_config("passportSpJksFn", '/etc/certs/passport-sp.jks')
generate_ssl_certkey(
"passport-sp",
self.ctx["secret"]["passportSpKeyPass"],
self.ctx["config"]["admin_email"],
self.ctx["config"]["hostname"],
self.ctx["config"]["orgName"],
self.ctx["config"]["country_code"],
self.ctx["config"]["state"],
self.ctx["config"]["city"],
)
with open(self.ctx["config"]["passportSpTLSCert"]) as f:
self._set_secret(
"passport_sp_cert_base64",
encode_text(f.read(), self.ctx["secret"]["encoded_salt"]))
with open(self.ctx["config"]["passportSpTLSKey"]) as f:
self._set_secret(
"passport_sp_key_base64",
encode_text(f.read(), self.ctx["secret"]["encoded_salt"]))
def oxtrust_api_rp_ctx(self):
self._set_config("api_rp_client_jks_fn", "/etc/certs/api-rp.jks")
self._set_config("api_rp_client_jwks_fn",
"/etc/certs/api-rp-keys.json")
self._set_secret("api_rp_client_jks_pass", get_random_chars())
self._set_secret(
"api_rp_client_jks_pass_encoded",
encode_text(self.ctx["secret"]["api_rp_client_jks_pass"],
self.ctx["secret"]["encoded_salt"]),
)
_, err, retcode = generate_openid_keys(
self.ctx["secret"]["api_rp_client_jks_pass"],
self.ctx["config"]["api_rp_client_jks_fn"],
self.ctx["config"]["api_rp_client_jwks_fn"],
self.ctx["config"]["default_openid_jks_dn_name"],
)
if retcode != 0:
logger.error(
"Unable to generate oxTrust API RP keys; reason={}".format(
err))
raise click.Abort()
basedir, fn = os.path.split(
self.ctx["config"]["api_rp_client_jwks_fn"])
self._set_secret("api_rp_client_base64_jwks",
encode_template(fn, self.ctx, basedir))
self._set_config("oxtrust_requesting_party_client_id",
'1402.{}'.format(uuid.uuid4()))
with open(self.ctx["config"]["api_rp_client_jks_fn"], "rb") as fr:
self._set_secret(
"api_rp_jks_base64",
encode_text(fr.read(), self.ctx["secret"]["encoded_salt"]))
def oxauth_ctx(self):
self._set_config("oxauth_client_id", "1001.{}".format(uuid.uuid4()))
self._set_secret(
"oxauthClient_encoded_pw",
encode_text(get_random_chars(),
self.ctx["secret"]["encoded_salt"]),
)
self._set_config("oxauth_openid_jks_fn", "/etc/certs/oxauth-keys.jks")
self._set_secret(
"oxauth_openid_jks_pass",
get_random_chars(),
)
self._set_config("oxauth_openid_jwks_fn",
"/etc/certs/oxauth-keys.json")
self._set_config("oxauth_legacyIdTokenClaims", "false")
self._set_config("oxauth_openidScopeBackwardCompatibility", "false")
_, err, retcode = generate_openid_keys(
self.ctx["secret"]["oxauth_openid_jks_pass"],
self.ctx["config"]["oxauth_openid_jks_fn"],
self.ctx["config"]["oxauth_openid_jwks_fn"],
self.ctx["config"]["default_openid_jks_dn_name"],
exp=2,
sig_keys="RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512",
enc_keys="RSA1_5 RSA-OAEP",
)
if retcode != 0:
logger.error(
"Unable to generate oxAuth keys; reason={}".format(err))
raise click.Abort()
basedir, fn = os.path.split(
self.ctx["config"]["oxauth_openid_jwks_fn"])
self._set_secret("oxauth_openid_key_base64",
encode_template(fn, self.ctx, basedir))
# oxAuth keys
self._set_config("oxauth_key_rotated_at", int(time.time()))
with open(self.ctx["config"]["oxauth_openid_jks_fn"], "rb") as fr:
self._set_secret(
"oxauth_jks_base64",
encode_text(fr.read(), self.ctx["secret"]["encoded_salt"]),
)
def radius_ctx(self):
self._set_config("gluu_radius_client_id",
'1701.{}'.format(uuid.uuid4()))
# self._set_config("ox_radius_client_id", '0008-{}'.format(uuid.uuid4()))
self._set_secret(
"gluu_ro_encoded_pw",
encode_text(get_random_chars(),
self.ctx["secret"]["encoded_salt"]),
)
radius_jwt_pass = get_random_chars()
self._set_secret(
"radius_jwt_pass",
encode_text(radius_jwt_pass, self.ctx["secret"]["encoded_salt"]),
)
out, err, code = generate_openid_keys(
radius_jwt_pass,
"/etc/certs/gluu-radius.jks",
"/etc/certs/gluu-radius.keys",
self.ctx["config"]["default_openid_jks_dn_name"],
)
if code != 0:
logger.error(
"Unable to generate Gluu Radius keys; reason={}".format(err))
raise click.Abort()
for key in json.loads(out)["keys"]:
if key["alg"] == "RS512":
self.ctx["config"]["radius_jwt_keyId"] = key["kid"]
break
with open("/etc/certs/gluu-radius.jks", "rb") as fr:
self._set_secret(
"radius_jks_base64",
encode_text(fr.read(), self.ctx["secret"]["encoded_salt"]))
basedir, fn = os.path.split("/etc/certs/gluu-radius.keys")
self._set_secret(
"gluu_ro_client_base64_jwks",
encode_template(fn, self.ctx, basedir),
)
def render_repository_xml():
is_cluster = as_boolean(os.environ.get("GLUU_JACKRABBIT_CLUSTER", False))
pg_user = os.environ.get("GLUU_JACKRABBIT_POSTGRES_USER", "postgres")
pg_password_file = os.environ.get("GLUU_JACKRABBIT_POSTGRES_PASSWORD_FILE", "/etc/gluu/conf/postgres_password")
pg_password = ""
with contextlib.suppress(FileNotFoundError):
with open(pg_password_file) as f:
pg_password = f.read().strip()
pg_host = os.environ.get("GLUU_JACKRABBIT_POSTGRES_HOST", "localhost")
pg_port = os.environ.get("GLUU_JACKRABBIT_POSTGRES_PORT", "5432")
pg_database = os.environ.get("GLUU_JACKRABBIT_POSTGRES_DATABASE", "jackrabbit")
# anon_id = "anonymous"
# anon_id_file = os.environ.get("GLUU_JACKRABBIT_ANONYMOUS_ID_FILE", "/etc/gluu/conf/jackrabbit_anonymous_id")
# with contextlib.suppress(FileNotFoundError):
# with open(anon_id_file) as f:
# anon_id = f.read().strip()
# admin_id = "admin"
# admin_id_file = os.environ.get("GLUU_JACKRABBIT_ADMIN_ID_FILE", "/etc/gluu/conf/jackrabbit_admin_id")
# with contextlib.suppress(FileNotFoundError):
# with open(admin_id_file) as f:
# admin_id = f.read().strip()
admin_id = os.environ.get("GLUU_JACKRABBIT_ADMIN_ID", "admin")
ctx = {
"node_name": socket.getfqdn(),
"pg_host": pg_host,
"pg_port": pg_port,
"pg_database": pg_database,
"pg_password": base64.b64encode(pg_password.encode()).decode(),
"pg_user": pg_user,
# "jackrabbit_anonymous_id": anon_id,
"jackrabbit_anonymous_id": get_random_chars(),
"jackrabbit_admin_id": admin_id,
}
if is_cluster:
src = "/app/templates/repository.cluster.xml.tmpl"
else:
src = "/app/templates/repository.standalone.xml.tmpl"
dest = "/opt/jackrabbit/repository.xml"
with open(src) as f:
txt = f.read()
with open(dest, "w") as f:
f.write(safe_render(txt, ctx))
def passport_rs_ctx(self):
self._set_config("passport_rs_client_id",
"1501.{}".format(uuid.uuid4()))
self._set_config("passport_rs_client_jks_fn",
"/etc/certs/passport-rs.jks")
self._set_config("passport_rs_client_jwks_fn",
"/etc/certs/passport-rs-keys.json")
self._set_secret("passport_rs_client_jks_pass", get_random_chars())
self._set_secret(
"passport_rs_client_jks_pass_encoded",
encode_text(self.ctx["secret"]["passport_rs_client_jks_pass"],
self.ctx["secret"]["encoded_salt"]),
)
out, err, retcode = generate_openid_keys(
self.ctx["secret"]["passport_rs_client_jks_pass"],
self.ctx["config"]["passport_rs_client_jks_fn"],
self.ctx["config"]["passport_rs_client_jwks_fn"],
self.ctx["config"]["default_openid_jks_dn_name"],
)
if retcode != 0:
logger.error(
"Unable to generate Passport RS keys; reason={}".format(err))
raise click.Abort()
self._set_config("passport_rs_client_cert_alg", "RS512")
cert_alias = ""
for key in json.loads(out)["keys"]:
if key["alg"] == self.ctx["config"]["passport_rs_client_cert_alg"]:
cert_alias = key["kid"]
break
basedir, fn = os.path.split(
self.ctx["config"]["passport_rs_client_jwks_fn"])
self._set_secret(
"passport_rs_client_base64_jwks",
encode_template(fn, self.ctx, basedir),
)
self._set_config("passport_rs_client_cert_alias", cert_alias)
with open(self.ctx["config"]["passport_rs_client_jks_fn"], "rb") as fr:
self._set_secret(
"passport_rs_jks_base64",
encode_text(fr.read(), self.ctx["secret"]["encoded_salt"]))
self._set_config("passport_resource_id",
"1504.{}".format(uuid.uuid4()))
self._set_config("passport_rs_client_cert_alias", cert_alias)
def base_ctx(self):
self._set_secret("encoded_salt", get_random_chars(24))
self._set_config("orgName", self.params["org_name"])
self._set_config("country_code", self.params["country_code"])
self._set_config("state", self.params["state"])
self._set_config("city", self.params["city"])
self._set_config("hostname", self.params["hostname"])
self._set_config("admin_email", self.params["email"])
self._set_config("default_openid_jks_dn_name",
"CN=oxAuth CA Certificates")
self._set_secret("pairwiseCalculationKey",
get_sys_random_chars(random.randint(20, 30)))
self._set_secret("pairwiseCalculationSalt",
get_sys_random_chars(random.randint(20, 30)))
self._set_config("jetty_base", "/opt/gluu/jetty")
self._set_config("fido2ConfigFolder", "/etc/gluu/conf/fido2")
self._set_config("admin_inum", "{}".format(uuid.uuid4()))
self._set_secret("encoded_oxtrust_admin_password",
ldap_encode(self.params["admin_pw"]))
def test_get_random_chars(size):
from pygluu.containerlib.utils import get_random_chars
assert len(get_random_chars(size)) == size
def couchbase_ctx(self):
self._set_config("couchbaseTrustStoreFn",
"/etc/certs/couchbase.pkcs12")
self._set_secret("couchbase_shib_user_password", get_random_chars())
def scim_client_ctx(self):
self._set_config("scim_test_client_id", "0008-{}".format(uuid.uuid4()))
self._set_secret("scim_test_client_secret", get_random_chars(24))
def oxshibboleth_ctx(self):
self._set_config("idp_client_id", "1101.{}".format(uuid.uuid4()))
self._set_secret(
"idpClient_encoded_pw",
encode_text(get_random_chars(),
self.ctx["secret"]["encoded_salt"]),
)
self._set_config("shibJksFn", "/etc/certs/shibIDP.jks")
self._set_secret("shibJksPass", get_random_chars())
self._set_secret(
"encoded_shib_jks_pw",
encode_text(self.ctx["secret"]["shibJksPass"],
self.ctx["secret"]["encoded_salt"]))
generate_ssl_certkey(
"shibIDP",
self.ctx["secret"]["shibJksPass"],
self.ctx["config"]["admin_email"],
self.ctx["config"]["hostname"],
self.ctx["config"]["orgName"],
self.ctx["config"]["country_code"],
self.ctx["config"]["state"],
self.ctx["config"]["city"],
)
generate_keystore("shibIDP", self.ctx["config"]["hostname"],
self.ctx["secret"]["shibJksPass"])
with open("/etc/certs/shibIDP.crt") as f:
self._set_secret(
"shibIDP_cert",
encode_text(f.read(), self.ctx["secret"]["encoded_salt"]))
with open("/etc/certs/shibIDP.key") as f:
self._set_secret(
"shibIDP_key",
encode_text(f.read(), self.ctx["secret"]["encoded_salt"]))
with open(self.ctx["config"]["shibJksFn"], "rb") as f:
self._set_secret(
"shibIDP_jks_base64",
encode_text(f.read(), self.ctx["secret"]["encoded_salt"]))
self._set_config("shibboleth_version", "v3")
self._set_config("idp3Folder", "/opt/shibboleth-idp")
idp3_signing_cert = "/etc/certs/idp-signing.crt"
idp3_signing_key = "/etc/certs/idp-signing.key"
generate_ssl_certkey(
"idp-signing",
self.ctx["secret"]["shibJksPass"],
self.ctx["config"]["admin_email"],
self.ctx["config"]["hostname"],
self.ctx["config"]["orgName"],
self.ctx["config"]["country_code"],
self.ctx["config"]["state"],
self.ctx["config"]["city"],
)
with open(idp3_signing_cert) as f:
self._set_secret("idp3SigningCertificateText", f.read())
with open(idp3_signing_key) as f:
self._set_secret("idp3SigningKeyText", f.read())
idp3_encryption_cert = "/etc/certs/idp-encryption.crt"
idp3_encryption_key = "/etc/certs/idp-encryption.key"
generate_ssl_certkey(
"idp-encryption",
self.ctx["secret"]["shibJksPass"],
self.ctx["config"]["admin_email"],
self.ctx["config"]["hostname"],
self.ctx["config"]["orgName"],
self.ctx["config"]["country_code"],
self.ctx["config"]["state"],
self.ctx["config"]["city"],
)
with open(idp3_encryption_cert) as f:
self._set_secret("idp3EncryptionCertificateText", f.read())
with open(idp3_encryption_key) as f:
self._set_secret("idp3EncryptionKeyText", f.read())
_, err, code = gen_idp3_key(self.ctx["secret"]["shibJksPass"])
if code != 0:
logger.warninging(
f"Unable to generate Shibboleth sealer; reason={err}")
raise click.Abort()
with open("/etc/certs/sealer.jks", "rb") as f:
self._set_secret(
"sealer_jks_base64",
encode_text(f.read(), self.ctx["secret"]["encoded_salt"]))
with open("/etc/certs/sealer.kver") as f:
self._set_secret(
"sealer_kver_base64",
encode_text(f.read(), self.ctx["secret"]["encoded_salt"]))
def nginx_ctx(self):
ssl_cert = "/etc/certs/gluu_https.crt"
ssl_key = "/etc/certs/gluu_https.key"
self._set_secret("ssl_cert_pass", get_random_chars())
# get cert and key (if available) with priorities below:
#
# 1. from mounted files
# 2. from fronted (key file is an empty file)
# 3. self-generate files
ssl_cert_exists = os.path.isfile(ssl_cert)
ssl_key_exists = os.path.isfile(ssl_key)
logger.info(f"Resolving {ssl_cert} and {ssl_key}")
# check from mounted files
if not (ssl_cert_exists and ssl_key_exists):
# no mounted files, hence download from frontend
addr = os.environ.get(
"GLUU_INGRESS_ADDRESS") or self.ctx["config"]["hostname"]
servername = os.environ.get("GLUU_INGRESS_SERVERNAME") or addr
logger.warning(
f"Unable to find mounted {ssl_cert} and {ssl_key}; "
f"trying to download from {addr}:443 (servername {servername})"
)
try:
# cert will be downloaded into `ssl_cert` path
get_server_certificate(addr, 443, ssl_cert, servername)
if not ssl_key_exists:
# since cert is downloaded, key must mounted
# or generate empty file
with open(ssl_key, "w") as f:
f.write("")
except (socket.gaierror, socket.timeout, ConnectionRefusedError,
TimeoutError, ConnectionResetError) as exc:
# address not resolved or timed out
logger.warning(f"Unable to download cert; reason={exc}")
finally:
ssl_cert_exists = os.path.isfile(ssl_cert)
ssl_key_exists = os.path.isfile(ssl_key)
# no mounted nor downloaded files, hence we need to create self-generated files
if not (ssl_cert_exists and ssl_key_exists):
logger.info(f"Creating self-generated {ssl_cert} and {ssl_key}")
generate_ssl_certkey(
"gluu_https",
self.ctx["secret"]["ssl_cert_pass"],
self.ctx["config"]["admin_email"],
self.ctx["config"]["hostname"],
self.ctx["config"]["orgName"],
self.ctx["config"]["country_code"],
self.ctx["config"]["state"],
self.ctx["config"]["city"],
)
with open(ssl_cert) as f:
self._set_secret("ssl_cert", f.read())
with open(ssl_key) as f:
self._set_secret("ssl_key", f.read())
def ldap_ctx(self):
# self._set_secret("encoded_ldap_pw", ldap_encode(self.params["admin_pw"]))
self._set_secret(
"encoded_ox_ldap_pw",
encode_text(self.params["ldap_pw"],
self.ctx["secret"]["encoded_salt"]),
)
self._set_config("ldap_init_host", "localhost")
self._set_config("ldap_init_port", 1636)
self._set_config("ldap_port", 1389)
self._set_config("ldaps_port", 1636)
self._set_config("ldap_binddn", "cn=directory manager")
self._set_config("ldap_site_binddn", "cn=directory manager")
self._set_secret("ldap_truststore_pass", get_random_chars())
self._set_config("ldapTrustStoreFn", "/etc/certs/opendj.pkcs12")
generate_ssl_certkey(
"opendj",
self.ctx["secret"]["ldap_truststore_pass"],
self.ctx["config"]["admin_email"],
self.ctx["config"]["hostname"],
self.ctx["config"]["orgName"],
self.ctx["config"]["country_code"],
self.ctx["config"]["state"],
self.ctx["config"]["city"],
)
with open("/etc/certs/opendj.pem", "w") as fw:
with open("/etc/certs/opendj.crt") as fr:
ldap_ssl_cert = fr.read()
self._set_secret(
"ldap_ssl_cert",
encode_text(ldap_ssl_cert,
self.ctx["secret"]["encoded_salt"]),
)
with open("/etc/certs/opendj.key") as fr:
ldap_ssl_key = fr.read()
self._set_secret(
"ldap_ssl_key",
encode_text(ldap_ssl_key,
self.ctx["secret"]["encoded_salt"]),
)
ldap_ssl_cacert = "".join([ldap_ssl_cert, ldap_ssl_key])
fw.write(ldap_ssl_cacert)
self._set_secret(
"ldap_ssl_cacert",
encode_text(ldap_ssl_cacert,
self.ctx["secret"]["encoded_salt"]),
)
generate_pkcs12(
"opendj",
self.ctx["secret"]["ldap_truststore_pass"],
self.ctx["config"]["hostname"],
)
with open(self.ctx["config"]["ldapTrustStoreFn"], "rb") as fr:
self._set_secret(
"ldap_pkcs12_base64",
encode_text(fr.read(), self.ctx["secret"]["encoded_salt"]),
)
self._set_secret(
"encoded_ldapTrustStorePass",
encode_text(self.ctx["secret"]["ldap_truststore_pass"],
self.ctx["secret"]["encoded_salt"]),
)
