def to_file(self,
key: str,
dest: str,
decode: bool = False,
binary_mode: bool = False) -> AnyStr:
"""Pull secret and write to a file.
Example:
.. code-block:: python
# assuming there is secret with key ``server_cert`` that stores
# server cert needed to be fetched as ``/etc/certs/server.crt``
# file.
SecretManager().to_file("server_cert", "/etc/certs/server.crt")
# assuming there is secret with key ``server_jks`` that stores
# server keystore needed to be fetched as ``/etc/certs/server.jks``
# file.
SecretManager().to_file(
"server_jks",
"/etc/certs/server.jks",
decode=True,
binary_mode=True,
)
:params key: Key name in secret backend.
:params dest: Absolute path to file to write the secret to.
:params decode: Decode the content of the secret.
:params binary_mode: Write the file as binary.
"""
mode = "w"
if binary_mode:
mode = "wb"
# always decodes the bytes
decode = True
value = self.adapter.get(key)
if decode:
salt = self.adapter.get("encoded_salt")
try:
value = decode_text(value, salt).decode()
except UnicodeDecodeError:
# likely bytes from a binary
value = decode_text(value, salt).decode("ISO-8859-1")
with open(dest, mode) as f:
if binary_mode:
# convert to bytes
value = value.encode("ISO-8859-1")
f.write(value)
def __init__(self, manager, persistence_type, ldap_mapping="default"):
if persistence_type in ("ldap", "couchbase"):
backend_type = persistence_type
else:
# persistence_type is hybrid
if ldap_mapping == "default":
backend_type = "ldap"
else:
backend_type = "couchbase"
# resolve backend
if backend_type == "ldap":
host = os.environ.get("GLUU_LDAP_URL", "localhost:1636")
user = manager.config.get("ldap_binddn")
password = decode_text(
manager.secret.get("encoded_ox_ldap_pw"),
manager.secret.get("encoded_salt"),
)
backend_cls = LDAPBackend
else:
host = os.environ.get("GLUU_COUCHBASE_URL", "localhost")
user = get_couchbase_user(manager)
password = get_couchbase_password(manager)
backend_cls = CouchbaseBackend
self.backend = backend_cls(host, user, password)
self.manager = manager
def __init__(self, manager):
url = os.environ.get("GLUU_LDAP_URL", "localhost:1636")
user = manager.config.get("ldap_binddn")
passwd = decode_text(
manager.secret.get("encoded_ox_ldap_pw"),
manager.secret.get("encoded_salt"),
)
server = Server(url, port=1636, use_ssl=True)
self.conn = Connection(server, user, passwd)
self.manager = manager
def __init__(self, manager):
host = GLUU_LDAP_URL
user = manager.config.get("ldap_binddn")
password = decode_text(
manager.secret.get("encoded_ox_ldap_pw"),
manager.secret.get("encoded_salt"),
)
server = Server(host, port=1636, use_ssl=True)
self.conn = Connection(server, user, password)
self.manager = manager
def wait_for_ldap(manager, **kwargs):
"""Wait for readiness/availability of LDAP server based on existing entry.
:param manager: An instance of :class:`~pygluu.containerlib.manager._Manager`.
"""
host = os.environ.get("GLUU_LDAP_URL", "localhost:1636")
user = manager.config.get("ldap_binddn")
password = decode_text(
manager.secret.get("encoded_ox_ldap_pw"), manager.secret.get("encoded_salt")
)
persistence_type = os.environ.get("GLUU_PERSISTENCE_TYPE", "ldap")
ldap_mapping = os.environ.get("GLUU_PERSISTENCE_LDAP_MAPPING", "default")
ldap_server = ldap3.Server(host, 1636, use_ssl=True)
# a minimum service stack is having oxTrust, hence check whether entry
# for oxTrust exists in LDAP
default_search = (
"ou=oxtrust,ou=configuration,o=gluu",
"(objectClass=oxTrustConfiguration)",
)
if persistence_type == "hybrid":
# `cache` and `token` mapping only have base entries
search_mapping = {
"default": default_search,
"user": ("inum=60B7,ou=groups,o=gluu", "(objectClass=gluuGroup)"),
"site": ("ou=cache-refresh,o=site", "(ou=cache-refresh)"),
"cache": ("ou=cache,o=gluu", "(ou=cache)"),
"token": ("ou=tokens,o=gluu", "(ou=tokens)"),
"session": ("ou=sessions,o=gluu", "(ou=sessions)"),
}
search = search_mapping[ldap_mapping]
else:
search = default_search
with ldap3.Connection(ldap_server, user, password) as conn:
conn.search(
search_base=search[0],
search_filter=search[1],
search_scope=ldap3.SUBTREE,
attributes=["objectClass"],
size_limit=1,
)
if not conn.entries:
raise WaitError("LDAP is not fully initialized")
def __init__(self,
manager,
persistence_type,
ldap_mapping="default",
rotation_interval=48):
if persistence_type in ("ldap", "couchbase"):
backend_type = persistence_type
else:
# persistence_type is hybrid
if ldap_mapping == "default":
backend_type = "ldap"
else:
backend_type = "couchbase"
# resolve backend
if backend_type == "ldap":
host = os.environ.get("GLUU_LDAP_URL", "localhost:1636")
user = manager.config.get("ldap_binddn")
password = decode_text(
manager.secret.get("encoded_ox_ldap_pw"),
manager.secret.get("encoded_salt"),
)
backend_cls = LDAPBackend
else:
host = os.environ.get("GLUU_COUCHBASE_URL", "localhost")
user = get_couchbase_user(manager)
password = get_couchbase_password(manager)
backend_cls = CouchbaseBackend
self.backend = backend_cls(host, user, password)
self.manager = manager
self.rotation_interval = rotation_interval
metadata = os.environ.get("GLUU_CONTAINER_METADATA", "docker")
if metadata == "kubernetes":
self.meta_client = KubernetesClient()
else:
self.meta_client = DockerClient()
def wait_for_ldap_conn(manager, **kwargs):
"""Wait for readiness/availability of LDAP server based on connection status.
:param manager: An instance of :class:`~pygluu.containerlib.manager._Manager`.
"""
host = os.environ.get("GLUU_LDAP_URL", "localhost:1636")
user = manager.config.get("ldap_binddn")
password = decode_text(
manager.secret.get("encoded_ox_ldap_pw"), manager.secret.get("encoded_salt")
)
ldap_server = ldap3.Server(host, 1636, use_ssl=True)
search = ("", "(objectClass=*)")
with ldap3.Connection(ldap_server, user, password) as conn:
conn.search(
search_base=search[0],
search_filter=search[1],
search_scope=ldap3.BASE,
attributes=["1.1"],
size_limit=1,
)
if not conn.entries:
raise WaitError("LDAP is unreachable")
def test_decode_text(encoded_text, key, expected):
from pygluu.containerlib.utils import decode_text
assert decode_text(encoded_text, key) == expected