def session(self):
"""Get an instance of ``requests.Session``.
By default, the session will not use certificate verification.
To enable certificate verification:
- set ``GLUU_COUCHBASE_VERIFY`` environment variable to ``true`` (default to ``false``)
- ensure ``GLUU_COUCHBASE_CERT_FILE`` pointed to valid Couchbase cluster
certificate (default to ``/etc/certs/couchbase.crt``)
- optionally, set ``GLUU_COUCHBASE_HOST_HEADER`` to match Common Name
or any of SubjectAltName defined in certificate (default to ``localhost``)
"""
suppress_verification_warning()
if not self._session:
self._session = requests.Session()
self._session.verify = False
verify = as_boolean(os.environ.get("GLUU_COUCHBASE_VERIFY", False))
if verify:
self._session.mount("https://", HostHeaderSSLAdapter())
self._session.verify = os.environ.get(
"GLUU_COUCHBASE_CERT_FILE") or "/etc/certs/couchbase.crt"
self._session.headers["Host"] = os.environ.get(
"GLUU_COUCHBASE_HOST_HEADER") or "localhost"
return self._session
def main():
sync_enabled = as_boolean(os.environ.get("GLUU_SYNC_JKS_ENABLED", False))
if not sync_enabled:
logger.warning("JKS sync is disabled")
return
# delay between JKS sync (in seconds)
sync_interval = os.environ.get("GLUU_SYNC_JKS_INTERVAL", 30)
try:
sync_interval = int(sync_interval)
# if value is lower than 1, use default
if sync_interval < 1:
sync_interval = 30
except ValueError:
sync_interval = 30
try:
while True:
try:
if should_sync_jks():
sync_jks()
sync_jwks()
except Exception as exc:
logger.warning(f"Got unhandled error; reason={exc}")
# sane interval
time.sleep(sync_interval)
except KeyboardInterrupt:
logger.warning("Canceled by user; exiting ...")
def initialize(self):
def is_initialized():
persistence_type = os.environ.get("GLUU_PERSISTENCE_TYPE",
"couchbase")
ldap_mapping = os.environ.get("GLUU_PERSISTENCE_LDAP_MAPPING",
"default")
bucket_prefix = os.environ.get("GLUU_COUCHBASE_BUCKET_PREFIX",
"gluu")
# only _default_ and _user_ buckets that may have initial data;
# these data also affected by LDAP mapping selection;
# by default we will choose the _default_ bucket
bucket, key = bucket_prefix, "configuration_oxtrust"
# if `hybrid` is selected and default mapping is stored in LDAP,
# the _default_ bucket won't have data, hence we check the _user_ bucket
if persistence_type == "hybrid" and ldap_mapping == "default":
bucket, key = f"{bucket_prefix}_user", "groups_60B7"
query = "SELECT objectClass FROM {0} USE KEYS '{1}'".format(
bucket, key)
req = self.client.exec_query(query)
if req.ok:
data = req.json()
return bool(data["results"])
return False
num_replica = int(os.environ.get("GLUU_COUCHBASE_INDEX_NUM_REPLICA",
0))
num_indexer_nodes = len(self.get_index_nodes())
if num_replica >= num_indexer_nodes:
raise ValueError(
f"Number of index replica ({num_replica}) must be less than available indexer nodes ({num_indexer_nodes})"
)
self.index_num_replica = num_replica
bucket_mappings = get_bucket_mappings()
time.sleep(5)
self.create_buckets(bucket_mappings)
time.sleep(5)
self.create_indexes(bucket_mappings)
time.sleep(5)
should_skip = as_boolean(
os.environ.get("GLUU_PERSISTENCE_SKIP_EXISTING", True), )
if should_skip and is_initialized():
logger.info("Couchbase backend already initialized")
return
self.import_ldif(bucket_mappings)
time.sleep(5)
self.create_couchbase_shib_user()
def client(self):
"""Lazy-loaded client to interact with Kubernetes API.
"""
if not self._client:
if as_boolean(
self.settings["GLUU_SECRET_KUBERNETES_USE_KUBE_CONFIG"]):
kubernetes.config.load_kube_config(self.kubeconfig_file)
else:
kubernetes.config.load_incluster_config()
self._client = kubernetes.client.CoreV1Api()
return self._client
def main():
persistence_type = os.environ.get("GLUU_PERSISTENCE_TYPE", "ldap")
render_salt(manager, "/app/templates/salt.tmpl", "/etc/gluu/conf/salt")
render_gluu_properties("/app/templates/gluu.properties.tmpl", "/etc/gluu/conf/gluu.properties")
if persistence_type in ("ldap", "hybrid"):
render_ldap_properties(
manager,
"/app/templates/gluu-ldap.properties.tmpl",
"/etc/gluu/conf/gluu-ldap.properties",
)
sync_ldap_truststore(manager)
if persistence_type in ("couchbase", "hybrid"):
render_couchbase_properties(
manager,
"/app/templates/gluu-couchbase.properties.tmpl",
"/etc/gluu/conf/gluu-couchbase.properties",
)
sync_couchbase_truststore(manager)
if persistence_type == "hybrid":
render_hybrid_properties("/etc/gluu/conf/gluu-hybrid.properties")
if not os.path.isfile("/etc/certs/gluu_https.crt"):
if as_boolean(os.environ.get("GLUU_SSL_CERT_FROM_SECRETS", False)):
manager.secret.to_file("ssl_cert", "/etc/certs/gluu_https.crt")
else:
get_server_certificate(manager.config.get("hostname"), 443, "/etc/certs/gluu_https.crt")
cert_to_truststore(
"gluu_https",
"/etc/certs/gluu_https.crt",
"/usr/lib/jvm/default-jvm/jre/lib/security/cacerts",
"changeit",
)
get_oxd_cert()
cert_to_truststore(
"gluu_oxd",
"/etc/certs/oxd.crt",
"/usr/lib/jvm/default-jvm/jre/lib/security/cacerts",
"changeit",
)
modify_jetty_xml()
modify_webdefault_xml()
manager.secret.to_file("passport_rp_jks_base64", "/etc/certs/passport-rp.jks",
decode=True, binary_mode=True)
config = CasaConfig(manager)
config.setup()
def wait_for_secret(manager, **kwargs):
"""Wait for readiness/availability of secret backend.
If ``conn_only`` keyword argument is set to ``True``,
this function only checks its connection status; if set
to ``False`` or omitted, this function will check config entry.
:param manager: An instance of :class:`~pygluu.containerlib.manager._Manager`.
"""
conn_only = as_boolean(kwargs.get("conn_only", False))
ssl_cert = manager.secret.get("ssl_cert")
if not conn_only and not ssl_cert:
raise WaitError("Secret 'ssl_cert' is not available")
def wait_for_config(manager, **kwargs):
"""Wait for readiness/availability of config backend.
If ``conn_only`` keyword argument is set to ``True``,
this function only checks its connection status; if set
to ``False`` or omitted, this function will check config entry.
:param manager: An instance of :class:`~pygluu.containerlib.manager._Manager`.
"""
conn_only = as_boolean(kwargs.get("conn_only", False))
hostname = manager.config.get("hostname")
if not conn_only and not hostname:
raise WaitError("Config 'hostname' is not available")
def render_repository_xml():
is_cluster = as_boolean(os.environ.get("GLUU_JACKRABBIT_CLUSTER", False))
pg_user = os.environ.get("GLUU_JACKRABBIT_POSTGRES_USER", "postgres")
pg_password_file = os.environ.get("GLUU_JACKRABBIT_POSTGRES_PASSWORD_FILE", "/etc/gluu/conf/postgres_password")
pg_password = ""
with contextlib.suppress(FileNotFoundError):
with open(pg_password_file) as f:
pg_password = f.read().strip()
pg_host = os.environ.get("GLUU_JACKRABBIT_POSTGRES_HOST", "localhost")
pg_port = os.environ.get("GLUU_JACKRABBIT_POSTGRES_PORT", "5432")
pg_database = os.environ.get("GLUU_JACKRABBIT_POSTGRES_DATABASE", "jackrabbit")
# anon_id = "anonymous"
# anon_id_file = os.environ.get("GLUU_JACKRABBIT_ANONYMOUS_ID_FILE", "/etc/gluu/conf/jackrabbit_anonymous_id")
# with contextlib.suppress(FileNotFoundError):
# with open(anon_id_file) as f:
# anon_id = f.read().strip()
# admin_id = "admin"
# admin_id_file = os.environ.get("GLUU_JACKRABBIT_ADMIN_ID_FILE", "/etc/gluu/conf/jackrabbit_admin_id")
# with contextlib.suppress(FileNotFoundError):
# with open(admin_id_file) as f:
# admin_id = f.read().strip()
admin_id = os.environ.get("GLUU_JACKRABBIT_ADMIN_ID", "admin")
ctx = {
"node_name": socket.getfqdn(),
"pg_host": pg_host,
"pg_port": pg_port,
"pg_database": pg_database,
"pg_password": base64.b64encode(pg_password.encode()).decode(),
"pg_user": pg_user,
# "jackrabbit_anonymous_id": anon_id,
"jackrabbit_anonymous_id": get_random_chars(),
"jackrabbit_admin_id": admin_id,
}
if is_cluster:
src = "/app/templates/repository.cluster.xml.tmpl"
else:
src = "/app/templates/repository.standalone.xml.tmpl"
dest = "/opt/jackrabbit/repository.xml"
with open(src) as f:
txt = f.read()
with open(dest, "w") as f:
f.write(safe_render(txt, ctx))
def _set_secret(self, key, value):
if as_boolean(os.environ.get("GLUU_OVERWRITE_ALL", False)):
logger.info("updating secret {!r}".format(key))
self.ctx["secret"][key] = value
return value
# check existing key first
if key in self.remote_secret_ctx:
logger.info("ignoring secret {!r}".format(key))
self.ctx["secret"][key] = value = self.remote_secret_ctx[key]
return value
logger.info("adding secret {!r}".format(key))
self.ctx["secret"][key] = value
return value
def initialize(self):
def is_initialized():
persistence_type = os.environ.get("GLUU_PERSISTENCE_TYPE", "ldap")
ldap_mapping = os.environ.get("GLUU_PERSISTENCE_LDAP_MAPPING",
"default")
# a minimum service stack is having oxTrust, hence check whether entry
# for oxTrust exists in LDAP
default_search = ("ou=oxtrust,ou=configuration,o=gluu",
"(objectClass=oxTrustConfiguration)")
if persistence_type == "hybrid":
# `cache` and `token` mapping only have base entries
search_mapping = {
"default":
default_search,
"user":
("inum=60B7,ou=groups,o=gluu", "(objectClass=gluuGroup)"),
"site": ("ou=cache-refresh,o=site", "(ou=people)"),
"cache": ("o=gluu", "(objectClass=gluuOrganization)"),
"token": ("ou=tokens,o=gluu", "(ou=tokens)"),
}
search = search_mapping[ldap_mapping]
else:
search = default_search
with self.conn as conn:
conn.search(
search_base=search[0],
search_filter=search[1],
search_scope=SUBTREE,
attributes=['objectClass'],
size_limit=1,
)
return bool(conn.entries)
should_skip = as_boolean(
os.environ.get("GLUU_PERSISTENCE_SKIP_EXISTING", True), )
if should_skip and is_initialized():
logger.info("LDAP backend already initialized")
return
self.import_ldif()
def initialize(self):
def is_initialized():
persistence_type = os.environ.get("GLUU_PERSISTENCE_TYPE",
"couchbase")
ldap_mapping = os.environ.get("GLUU_PERSISTENCE_LDAP_MAPPING",
"default")
# only `gluu` and `gluu_user` buckets that may have initial data;
# these data also affected by LDAP mapping selection;
# by default we will choose the `gluu` bucket
bucket, key = "gluu", "configuration_oxtrust"
# if `hybrid` is selected and default mapping is stored in LDAP,
# the `gluu` bucket won't have data, hence we check the `gluu_user` instead
if persistence_type == "hybrid" and ldap_mapping == "default":
bucket, key = "gluu_user", "groups_60B7"
query = "SELECT objectClass FROM {0} USE KEYS '{1}'".format(
bucket, key)
req = self.client.exec_query(query)
if req.ok:
data = req.json()
return bool(data["results"])
return False
should_skip = as_boolean(
os.environ.get("GLUU_PERSISTENCE_SKIP_EXISTING", True), )
if should_skip and is_initialized():
logger.info("Couchbase backend already initialized")
return
bucket_mappings = get_bucket_mappings()
time.sleep(5)
self.create_buckets(bucket_mappings)
time.sleep(5)
self.create_indexes(bucket_mappings)
time.sleep(5)
self.import_ldif(bucket_mappings)
def _verify_cert(self, scheme, verify, cacert_file, cert_file, key_file) -> Tuple[Union[None, tuple], Union[bool, str]]:
"""Verify client cert and key.
:params scheme: Scheme of Consul address.
:params verify: Mark whether client needs to verify the address.
:params cacert_file: Path to CA cert file.
:params cert_file: Path to client's cert file.
:params key_file: Path to client's key file.
:returns: A pair of cert key files (if exist) and verification.
"""
cert = None
if scheme == "https":
verify = as_boolean(verify)
# verify using CA cert (if any)
if all([verify, os.path.isfile(cacert_file)]):
verify = cacert_file
if all([os.path.isfile(cert_file), os.path.isfile(key_file)]):
cert = (cert_file, key_file)
return cert, verify
def should_rotate(self):
force_rotate = as_boolean(
os.environ.get("GLUU_KEY_ROTATION_FORCE", False))
if force_rotate:
logger.warn("key rotation is set to force mode")
return True
last_rotation = self.manager.config.get("oxauth_key_rotated_at")
# keys are not rotated yet
if not last_rotation:
return True
# when keys are supposed to be rotated
next_rotation = int(last_rotation) + (60 * 60 *
int(self.rotation_interval))
# current timestamp
now = int(time.time())
# check if current timestamp surpassed expected rotation timestamp
return now > next_rotation
def get_base_ctx(manager):
passport_oxtrust_config = '''
"passportUmaClientId":"%(passport_rs_client_id)s",
"passportUmaClientKeyId":"%(passport_rs_client_cert_alias)s",
"passportUmaResourceId":"%(passport_resource_id)s",
"passportUmaScope":"https://%(hostname)s/oxauth/restv1/uma/scopes/passport_access",
"passportUmaClientKeyStoreFile":"%(passport_rs_client_jks_fn)s",
"passportUmaClientKeyStorePassword":"******",
''' % {
"passport_rs_client_id":
manager.config.get("passport_rs_client_id"),
"passport_resource_id":
manager.config.get("passport_resource_id"),
"hostname":
manager.config.get("hostname"),
"pdp_ep":
manager.config.get("pdp_ep"),
"passport_rs_client_jks_fn":
manager.config.get("passport_rs_client_jks_fn"),
"passport_rs_client_jks_pass_encoded":
manager.secret.get("passport_rs_client_jks_pass_encoded"),
"passport_rs_client_cert_alias":
manager.config.get("passport_rs_client_cert_alias"),
}
redis_pw = manager.secret.get("redis_pw") or ""
redis_pw_encoded = ""
if redis_pw:
redis_pw_encoded = encode_text(
redis_pw,
manager.secret.get("encoded_salt"),
)
ctx = {
'cache_provider_type':
GLUU_CACHE_TYPE,
'redis_url':
GLUU_REDIS_URL,
'redis_type':
GLUU_REDIS_TYPE,
'pdp_ep':
PDP_EP,
'redis_pw':
redis_pw,
'redis_pw_encoded':
redis_pw_encoded,
"redis_use_ssl":
"{}".format(as_boolean(GLUU_REDIS_USE_SSL)).lower(),
"redis_ssl_truststore":
GLUU_REDIS_SSL_TRUSTSTORE,
"redis_sentinel_group":
GLUU_REDIS_SENTINEL_GROUP,
'memcached_url':
GLUU_MEMCACHED_URL,
'ldap_hostname':
manager.config.get('ldap_init_host', "localhost"),
'ldaps_port':
manager.config.get('ldap_init_port', 1636),
'ldap_binddn':
manager.config.get('ldap_binddn'),
'encoded_ox_ldap_pw':
manager.secret.get('encoded_ox_ldap_pw'),
'jetty_base':
manager.config.get('jetty_base'),
'orgName':
manager.config.get('orgName'),
'oxauth_client_id':
manager.config.get('oxauth_client_id'),
'oxauthClient_encoded_pw':
manager.secret.get('oxauthClient_encoded_pw'),
'hostname':
manager.config.get('hostname'),
'idp_client_id':
manager.config.get('idp_client_id'),
'idpClient_encoded_pw':
manager.secret.get('idpClient_encoded_pw'),
'oxauth_openid_key_base64':
manager.secret.get('oxauth_openid_key_base64'),
'passport_rs_client_id':
manager.config.get('passport_rs_client_id'),
'passport_rs_client_base64_jwks':
manager.secret.get('passport_rs_client_base64_jwks'),
'passport_rp_client_id':
manager.config.get('passport_rp_client_id'),
'passport_rp_client_base64_jwks':
manager.secret.get('passport_rp_client_base64_jwks'),
"passport_rp_client_jks_fn":
manager.config.get("passport_rp_client_jks_fn"),
"passport_rp_client_jks_pass":
manager.secret.get("passport_rp_client_jks_pass"),
# "encoded_ldap_pw": manager.secret.get('encoded_ldap_pw'),
"encoded_oxtrust_admin_password":
manager.secret.get('encoded_oxtrust_admin_password'),
'scim_rs_client_id':
manager.config.get('scim_rs_client_id'),
'scim_rs_client_base64_jwks':
manager.secret.get('scim_rs_client_base64_jwks'),
'scim_rs_client_cert_alias':
manager.config.get("scim_rs_client_cert_alias"),
'scim_rp_client_id':
manager.config.get('scim_rp_client_id'),
'scim_rp_client_base64_jwks':
manager.secret.get('scim_rp_client_base64_jwks'),
'scim_resource_oxid':
manager.config.get('scim_resource_oxid'),
'passport_rp_ii_client_id':
manager.config.get("passport_rp_ii_client_id"),
'api_rs_client_base64_jwks':
manager.secret.get("api_rs_client_base64_jwks"),
'api_rs_client_cert_alias':
manager.config.get("api_rs_client_cert_alias"),
'api_rp_client_base64_jwks':
manager.secret.get("api_rp_client_base64_jwks"),
'admin_email':
manager.config.get('admin_email'),
'shibJksFn':
manager.config.get('shibJksFn'),
'shibJksPass':
manager.secret.get('shibJksPass'),
'oxTrustConfigGeneration':
str(as_boolean(GLUU_OXTRUST_CONFIG_GENERATION)).lower(),
'encoded_shib_jks_pw':
manager.secret.get('encoded_shib_jks_pw'),
'scim_rs_client_jks_fn':
manager.config.get('scim_rs_client_jks_fn'),
'scim_rs_client_jks_pass_encoded':
manager.secret.get('scim_rs_client_jks_pass_encoded'),
'passport_rs_client_jks_fn':
manager.config.get('passport_rs_client_jks_fn'),
'passport_rs_client_jks_pass_encoded':
manager.secret.get('passport_rs_client_jks_pass_encoded'),
'shibboleth_version':
manager.config.get('shibboleth_version'),
'idp3Folder':
manager.config.get('idp3Folder'),
'ldap_site_binddn':
manager.config.get('ldap_site_binddn'),
'api_rs_client_jks_fn':
manager.config.get("api_rs_client_jks_fn"),
'api_rs_client_jks_pass_encoded':
manager.secret.get("api_rs_client_jks_pass_encoded"),
"oxtrust_requesting_party_client_id":
manager.config.get("oxtrust_requesting_party_client_id"),
"oxtrust_resource_server_client_id":
manager.config.get("oxtrust_resource_server_client_id"),
"oxtrust_resource_id":
manager.config.get("oxtrust_resource_id"),
"passport_resource_id":
manager.config.get("passport_resource_id"),
"passport_oxtrust_config":
passport_oxtrust_config,
"gluu_radius_client_id":
manager.config.get("gluu_radius_client_id"),
"gluu_ro_encoded_pw":
manager.secret.get("gluu_ro_encoded_pw"),
# "super_gluu_ro_session_script": manager.config.get("super_gluu_ro_session_script"),
# "super_gluu_ro_script": manager.config.get("super_gluu_ro_script"),
"enableRadiusScripts":
"false", # @TODO: enable it?
"gluu_ro_client_base64_jwks":
manager.secret.get("gluu_ro_client_base64_jwks"),
"gluuPassportEnabled":
str(as_boolean(GLUU_PASSPORT_ENABLED)).lower(),
"gluuRadiusEnabled":
str(as_boolean(GLUU_RADIUS_ENABLED)).lower(),
"gluuSamlEnabled":
str(as_boolean(GLUU_SAML_ENABLED)).lower(),
"gluuScimEnabled":
str(as_boolean(GLUU_SCIM_ENABLED)).lower(),
"pairwiseCalculationKey":
manager.secret.get("pairwiseCalculationKey"),
"pairwiseCalculationSalt":
manager.secret.get("pairwiseCalculationSalt"),
"default_openid_jks_dn_name":
manager.config.get("default_openid_jks_dn_name"),
"oxauth_openid_jks_fn":
manager.config.get("oxauth_openid_jks_fn"),
"oxauth_openid_jks_pass":
manager.secret.get("oxauth_openid_jks_pass"),
"oxauth_legacyIdTokenClaims":
manager.config.get("oxauth_legacyIdTokenClaims"),
"passportSpTLSCert":
manager.config.get("passportSpTLSCert"),
"passportSpTLSKey":
manager.config.get("passportSpTLSKey"),
"oxauth_openidScopeBackwardCompatibility":
manager.config.get("oxauth_openidScopeBackwardCompatibility"),
"fido2ConfigFolder":
manager.config.get("fido2ConfigFolder"),
"admin_inum":
manager.config.get("admin_inum"),
"enable_oxtrust_api_access_policy":
str(as_boolean(GLUU_OXTRUST_API_ENABLED)).lower(),
"oxtrust_api_test_mode":
str(as_boolean(GLUU_OXTRUST_API_TEST_MODE)).lower(),
"api_test_client_id":
manager.config.get("api_test_client_id"),
"encoded_api_test_client_secret":
encode_text(
manager.secret.get("api_test_client_secret"),
manager.secret.get("encoded_salt"),
),
"enable_scim_access_policy":
str(
as_boolean(GLUU_SCIM_ENABLED)
or as_boolean(GLUU_PASSPORT_ENABLED)).lower(),
"scimTestMode":
str(as_boolean(GLUU_SCIM_TEST_MODE)).lower(),
"scim_test_client_id":
manager.config.get("scim_test_client_id"),
"encoded_scim_test_client_secret":
encode_text(
manager.secret.get("scim_test_client_secret"),
manager.secret.get("encoded_salt"),
),
"casa_enable_script":
str(as_boolean(GLUU_CASA_ENABLED)).lower(),
}
return ctx
def main():
is_cluster = as_boolean(os.environ.get("GLUU_JACKRABBIT_CLUSTER", False))
if not is_cluster:
return
wait_for_postgres(None, **{"label": "Postgres"})
)
sync_ldap_truststore(manager)
if persistence_type in ("couchbase", "hybrid"):
render_couchbase_properties(
manager,
"/app/templates/gluu-couchbase.properties.tmpl",
"/etc/gluu/conf/gluu-couchbase.properties",
)
sync_couchbase_truststore(manager)
if persistence_type == "hybrid":
render_hybrid_properties("/etc/gluu/conf/gluu-hybrid.properties")
if not os.path.isfile("/etc/certs/gluu_https.crt"):
if as_boolean(os.environ.get("GLUU_SSL_CERT_FROM_SECRETS", False)):
manager.secret.to_file("ssl_cert", "/etc/certs/gluu_https.crt")
else:
get_server_certificate(manager.config.get("hostname"), 443,
"/etc/certs/gluu_https.crt")
cert_to_truststore(
"gluu_https",
"/etc/certs/gluu_https.crt",
"/usr/lib/jvm/default-jvm/jre/lib/security/cacerts",
"changeit",
)
if not os.path.isfile("/etc/certs/shibIDP.crt"):
manager.secret.to_file("shibIDP_cert",
"/etc/certs/shibIDP.crt",
def render_couchbase_properties(manager, src: str, dest: str) -> None:
"""Render file contains properties to connect to Couchbase server,
i.e. ``/etc/gluu/conf/gluu-couchbase.properties``.
:params manager: An instance of :class:`~pygluu.containerlib.manager._Manager`.
:params src: Absolute path to the template.
:params dest: Absolute path where generated file is located.
"""
persistence_type = os.environ.get("GLUU_PERSISTENCE_TYPE", "couchbase")
ldap_mapping = os.environ.get("GLUU_PERSISTENCE_LDAP_MAPPING", "default")
hostname = os.environ.get("GLUU_COUCHBASE_URL", "localhost")
bucket_prefix = os.environ.get("GLUU_COUCHBASE_BUCKET_PREFIX", "gluu")
_couchbase_mappings = get_couchbase_mappings(persistence_type,
ldap_mapping)
couchbase_buckets = []
couchbase_mappings = []
for _, mapping in _couchbase_mappings.items():
couchbase_buckets.append(mapping["bucket"])
if not mapping["mapping"]:
continue
couchbase_mappings.append(
f"bucket.{mapping['bucket']}.mapping: {mapping['mapping']}")
# always have _default_ bucket
if bucket_prefix not in couchbase_buckets:
couchbase_buckets.insert(0, bucket_prefix)
with open(src) as fr:
txt = fr.read()
with open(dest, "w") as fw:
rendered_txt = txt % {
"hostname":
hostname,
"couchbase_server_user":
get_couchbase_user(manager),
"encoded_couchbase_server_pw":
get_encoded_couchbase_password(manager),
"couchbase_buckets":
", ".join(couchbase_buckets),
"default_bucket":
bucket_prefix,
"couchbase_mappings":
"\n".join(couchbase_mappings),
"encryption_method":
"SSHA-256",
"ssl_enabled":
str(
as_boolean(
os.environ.get("GLUU_COUCHBASE_TRUSTSTORE_ENABLE",
True))).lower(),
"couchbaseTrustStoreFn":
manager.config.get("couchbaseTrustStoreFn"),
"encoded_couchbaseTrustStorePass":
encode_text(
GLUU_COUCHBASE_TRUSTSTORE_PASSWORD,
manager.secret.get("encoded_salt"),
).decode(),
"couchbase_conn_timeout":
get_couchbase_conn_timeout(),
"couchbase_conn_max_wait":
get_couchbase_conn_max_wait(),
"couchbase_scan_consistency":
get_couchbase_scan_consistency(),
}
fw.write(rendered_txt)
def test_as_boolean(val, expected):
from pygluu.containerlib.utils import as_boolean
assert as_boolean(val) == expected
def main():
persistence_type = os.environ.get("GLUU_PERSISTENCE_TYPE", "ldap")
render_salt(manager, "/app/templates/salt.tmpl", "/etc/gluu/conf/salt")
render_gluu_properties("/app/templates/gluu.properties.tmpl",
"/etc/gluu/conf/gluu.properties")
if persistence_type in ("ldap", "hybrid"):
render_ldap_properties(
manager,
"/app/templates/gluu-ldap.properties.tmpl",
"/etc/gluu/conf/gluu-ldap.properties",
)
sync_ldap_truststore(manager)
if persistence_type in ("couchbase", "hybrid"):
render_couchbase_properties(
manager,
"/app/templates/gluu-couchbase.properties.tmpl",
"/etc/gluu/conf/gluu-couchbase.properties",
)
sync_couchbase_truststore(manager)
if persistence_type == "hybrid":
render_hybrid_properties("/etc/gluu/conf/gluu-hybrid.properties")
if not os.path.isfile("/etc/certs/gluu_https.crt"):
if as_boolean(os.environ.get("GLUU_SSL_CERT_FROM_SECRETS", False)):
manager.secret.to_file("ssl_cert", "/etc/certs/gluu_https.crt")
else:
get_server_certificate(manager.config.get("hostname"), 443,
"/etc/certs/gluu_https.crt")
cert_to_truststore(
"gluu_https",
"/etc/certs/gluu_https.crt",
"/usr/lib/jvm/default-jvm/jre/lib/security/cacerts",
"changeit",
)
# if not os.path.isfile("/etc/certs/idp-signing.crt"):
# manager.secret.to_file("idp3SigningCertificateText", "/etc/certs/idp-signing.crt")
# manager.secret.to_file("passport_rp_jks_base64", "/etc/certs/passport-rp.jks",
# decode=True, binary_mode=True)
manager.secret.to_file("scim_rs_jks_base64",
"/etc/certs/scim-rs.jks",
decode=True,
binary_mode=True)
with open(manager.config.get("scim_rs_client_jwks_fn"), "w") as f:
f.write(
base64.b64decode(
manager.secret.get("scim_rs_client_base64_jwks")).decode())
manager.secret.to_file("scim_rp_jks_base64",
"/etc/certs/scim-rp.jks",
decode=True,
binary_mode=True)
with open(manager.config.get("scim_rp_client_jwks_fn"), "w") as f:
f.write(
base64.b64decode(
manager.secret.get("scim_rp_client_base64_jwks")).decode())
modify_jetty_xml()
modify_webdefault_xml()
def suppress_verification_warning():
import urllib3
if as_boolean(os.environ.get("GLUU_COUCHBASE_SUPPRESS_VERIFICATION",
True)):
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
