def get_keystore_password(self):
password = manager.secret.get(
f"client_api_{self.type}_keystore_password")
if not password:
password = get_random_chars()
manager.secret.set(f"client_api_{self.type}_keystore_password",
password)
return password
def radius_ctx(self):
encoded_salt = self.get_secret("encoded_salt")
self.set_config("jans_radius_client_id", f'1701.{uuid4()}')
self.set_secret(
"jans_ro_encoded_pw",
partial(encode_text, get_random_chars(), encoded_salt),
)
radius_jwt_pass = self.set_secret(
"radius_jwt_pass",
partial(encode_text, get_random_chars(), encoded_salt),
)
out, err, code = generate_openid_keys(
radius_jwt_pass,
"/etc/certs/jans-radius.jks",
"/etc/certs/jans-radius.keys",
self.get_config("default_openid_jks_dn_name"),
)
if code != 0:
logger.error(f"Unable to generate Radius keys; reason={err}")
raise click.Abort()
for key in json.loads(out)["keys"]:
if key["alg"] == "RS512":
self.set_config("radius_jwt_keyId", key["kid"])
break
with open("/etc/certs/jans-radius.jks", "rb") as fr:
self.set_secret(
"radius_jks_base64",
partial(encode_text, fr.read(), encoded_salt),
)
basedir, fn = os.path.split("/etc/certs/jans-radius.keys")
self.set_secret(
"jans_ro_client_base64_jwks",
partial(encode_template, fn, self.ctx, basedir),
)
def auth_server_client():
if not self.manager.config.get("admin_ui_client_id"):
self.manager.config.set("admin_ui_client_id",
f"1901.{uuid4()}")
client_pw = self.manager.secret.get("admin_ui_client_pw")
if not client_pw:
client_pw = get_random_chars()
self.manager.secret.set("admin_ui_client_pw", client_pw)
if not self.manager.secret.get("admin_ui_client_encoded_pw"):
self.manager.secret.set(
"admin_ui_client_encoded_pw",
encode_text(client_pw,
self.manager.secret.get("encoded_salt")),
)
def merge_casa_ctx(manager, ctx):
# Casa client
ctx["casa_client_id"] = manager.config.get("casa_client_id")
if not ctx["casa_client_id"]:
ctx["casa_client_id"] = f"1902.{uuid4()}"
manager.config.set("casa_client_id", ctx["casa_client_id"])
ctx["casa_client_pw"] = manager.secret.get("casa_client_pw")
if not ctx["casa_client_pw"]:
ctx["casa_client_pw"] = get_random_chars()
manager.secret.set("casa_client_pw", ctx["casa_client_pw"])
ctx["casa_client_encoded_pw"] = manager.secret.get(
"casa_client_encoded_pw")
if not ctx["casa_client_encoded_pw"]:
ctx["casa_client_encoded_pw"] = encode_text(
ctx["casa_client_pw"],
manager.secret.get("encoded_salt"),
).decode()
manager.secret.set("casa_client_encoded_pw",
ctx["casa_client_encoded_pw"])
return ctx
def get_base_ctx(manager):
redis_pw = manager.secret.get("redis_pw") or ""
redis_pw_encoded = ""
if redis_pw:
redis_pw_encoded = encode_text(
redis_pw,
manager.secret.get("encoded_salt"),
).decode()
doc_store_type = os.environ.get("CN_DOCUMENT_STORE_TYPE", "LOCAL")
jca_user, jca_pw = get_jackrabbit_creds()
jca_pw_encoded = encode_text(
jca_pw,
manager.secret.get("encoded_salt"),
).decode()
cache_type = os.environ.get("CN_CACHE_TYPE", "NATIVE_PERSISTENCE")
redis_url = os.environ.get('CN_REDIS_URL', 'localhost:6379')
redis_type = os.environ.get('CN_REDIS_TYPE', 'STANDALONE')
redis_use_ssl = os.environ.get("CN_REDIS_USE_SSL", False)
redis_ssl_truststore = os.environ.get("CN_REDIS_SSL_TRUSTSTORE", "")
redis_sentinel_group = os.environ.get("CN_REDIS_SENTINEL_GROUP", "")
memcached_url = os.environ.get('CN_MEMCACHED_URL', 'localhost:11211')
oxtrust_config_generation = os.environ.get("CN_OXTRUST_CONFIG_GENERATION",
True)
passport_enabled = os.environ.get("CN_PASSPORT_ENABLED", False)
radius_enabled = os.environ.get("CN_RADIUS_ENABLED", False)
casa_enabled = os.environ.get("CN_CASA_ENABLED", False)
saml_enabled = os.environ.get("CN_SAML_ENABLED", False)
scim_enabled = os.environ.get("CN_SCIM_ENABLED", False)
ctx = {
'cache_provider_type':
cache_type,
'redis_url':
redis_url,
'redis_type':
redis_type,
'redis_pw':
redis_pw,
'redis_pw_encoded':
redis_pw_encoded,
"redis_use_ssl":
"{}".format(as_boolean(redis_use_ssl)).lower(),
"redis_ssl_truststore":
redis_ssl_truststore,
"redis_sentinel_group":
redis_sentinel_group,
'memcached_url':
memcached_url,
"document_store_type":
doc_store_type,
"jca_server_url":
get_jackrabbit_rmi_url(),
"jca_username":
jca_user,
"jca_pw":
jca_pw,
"jca_pw_encoded":
jca_pw_encoded,
'ldap_hostname':
manager.config.get('ldap_init_host'),
'ldaps_port':
manager.config.get('ldap_init_port'),
'ldap_binddn':
manager.config.get('ldap_binddn'),
"ldap_use_ssl":
str(as_boolean(os.environ.get("CN_LDAP_USE_SSL", True))).lower(),
'encoded_ox_ldap_pw':
manager.secret.get('encoded_ox_ldap_pw'),
'jetty_base':
manager.config.get('jetty_base'),
'orgName':
manager.config.get('orgName'),
'hostname':
manager.config.get('hostname'),
'idp_client_id':
manager.config.get('idp_client_id'),
'idpClient_encoded_pw':
manager.secret.get('idpClient_encoded_pw'),
'auth_openid_key_base64':
manager.secret.get('auth_openid_key_base64'),
# 'passport_rs_client_id': manager.config.get('passport_rs_client_id'),
# 'passport_rs_client_base64_jwks': manager.secret.get('passport_rs_client_base64_jwks'),
# 'passport_rs_client_cert_alias': manager.config.get('passport_rs_client_cert_alias'),
# 'passport_rp_client_id': manager.config.get('passport_rp_client_id'),
# 'passport_rp_client_base64_jwks': manager.secret.get('passport_rp_client_base64_jwks'),
# "passport_rp_client_jks_fn": manager.config.get("passport_rp_client_jks_fn"),
# "passport_rp_client_jks_pass": manager.secret.get("passport_rp_client_jks_pass"),
# "encoded_ldap_pw": manager.secret.get('encoded_ldap_pw'),
"encoded_admin_password":
manager.secret.get('encoded_admin_password'),
# 'passport_rp_ii_client_id': manager.config.get("passport_rp_ii_client_id"),
'admin_email':
manager.config.get('admin_email'),
'shibJksFn':
manager.config.get('shibJksFn'),
'shibJksPass':
manager.secret.get('shibJksPass'),
'oxTrustConfigGeneration':
str(as_boolean(oxtrust_config_generation)).lower(),
'encoded_shib_jks_pw':
manager.secret.get('encoded_shib_jks_pw'),
'passport_rs_client_jks_fn':
manager.config.get('passport_rs_client_jks_fn'),
'passport_rs_client_jks_pass_encoded':
manager.secret.get('passport_rs_client_jks_pass_encoded'),
'shibboleth_version':
manager.config.get('shibboleth_version'),
'idp3Folder':
manager.config.get('idp3Folder'),
'ldap_site_binddn':
manager.config.get('ldap_site_binddn'),
"passport_resource_id":
manager.config.get("passport_resource_id"),
"gluu_radius_client_id":
manager.config.get("gluu_radius_client_id"),
"gluu_ro_encoded_pw":
manager.secret.get("gluu_ro_encoded_pw"),
# "super_gluu_ro_session_script": manager.config.get("super_gluu_ro_session_script"),
# "super_gluu_ro_script": manager.config.get("super_gluu_ro_script"),
# "enableRadiusScripts": "false", # @TODO: enable it?
# "gluu_ro_client_base64_jwks": manager.secret.get("gluu_ro_client_base64_jwks"),
"jansPassportEnabled":
str(as_boolean(passport_enabled)).lower(),
"jansRadiusEnabled":
str(as_boolean(radius_enabled)).lower(),
"jansSamlEnabled":
str(as_boolean(saml_enabled)).lower(),
"jansScimEnabled":
str(as_boolean(scim_enabled)).lower(),
"pairwiseCalculationKey":
manager.secret.get("pairwiseCalculationKey"),
"pairwiseCalculationSalt":
manager.secret.get("pairwiseCalculationSalt"),
"default_openid_jks_dn_name":
manager.config.get("default_openid_jks_dn_name"),
"auth_openid_jks_pass":
manager.secret.get("auth_openid_jks_pass"),
"auth_legacyIdTokenClaims":
manager.config.get("auth_legacyIdTokenClaims"),
"passportSpTLSCert":
manager.config.get("passportSpTLSCert"),
"passportSpTLSKey":
manager.config.get("passportSpTLSKey"),
"auth_openidScopeBackwardCompatibility":
manager.config.get("auth_openidScopeBackwardCompatibility"),
"fido2ConfigFolder":
manager.config.get("fido2ConfigFolder"),
"admin_inum":
manager.config.get("admin_inum"),
"enable_scim_access_policy":
str(as_boolean(scim_enabled) or as_boolean(passport_enabled)).lower(),
"scim_client_id":
manager.config.get("scim_client_id"),
"scim_client_encoded_pw":
manager.secret.get("scim_client_encoded_pw"),
"casa_enable_script":
str(as_boolean(casa_enabled)).lower(),
# "oxd_hostname": "localhost",
# "oxd_port": "8443",
"jca_client_id":
manager.config.get("jca_client_id"),
"jca_client_encoded_pw":
manager.secret.get("jca_client_encoded_pw"),
}
# JWKS URI
jwks_uri = f"https://{ctx['hostname']}/jans-auth/restv1/jwks"
auth_openid_jks_fn = manager.config.get("auth_openid_jks_fn")
ext_jwks_uri = os.environ.get("CN_OB_EXT_SIGNING_JWKS_URI", "")
if ext_jwks_uri:
jwks_uri = ext_jwks_uri
auth_openid_jks_fn = "/etc/certs/ob-ext-signing.jks"
ctx["jwks_uri"] = jwks_uri
ctx["auth_openid_jks_fn"] = auth_openid_jks_fn
# static kid
ctx["staticKid"] = os.environ.get("CN_OB_STATIC_KID", "")
# admin-ui plugins
ctx["admin_ui_client_id"] = manager.config.get("admin_ui_client_id")
if not ctx["admin_ui_client_id"]:
ctx["admin_ui_client_id"] = f"1901.{uuid4()}"
manager.config.set("admin_ui_client_id", ctx["admin_ui_client_id"])
ctx["admin_ui_client_pw"] = manager.secret.get("admin_ui_client_pw")
if not ctx["admin_ui_client_pw"]:
ctx["admin_ui_client_pw"] = get_random_chars()
manager.secret.set("admin_ui_client_pw", ctx["admin_ui_client_pw"])
ctx["admin_ui_client_encoded_pw"] = manager.secret.get(
"admin_ui_client_encoded_pw")
if not ctx["admin_ui_client_encoded_pw"]:
ctx["admin_ui_client_encoded_pw"] = encode_text(
ctx["admin_ui_client_pw"],
manager.secret.get("encoded_salt")).decode()
manager.secret.set(
"admin_ui_client_encoded_pw",
ctx["admin_ui_client_encoded_pw"],
)
# token server client
ctx["token_server_admin_ui_client_id"] = manager.config.get(
"token_server_admin_ui_client_id")
if not ctx["token_server_admin_ui_client_id"]:
ctx["token_server_admin_ui_client_id"] = f"1901.{uuid4()}"
manager.config.set("token_server_admin_ui_client_id",
ctx["token_server_admin_ui_client_id"])
ctx["token_server_admin_ui_client_pw"] = manager.secret.get(
"token_server_admin_ui_client_pw")
if not ctx["token_server_admin_ui_client_pw"]:
ctx["token_server_admin_ui_client_pw"] = get_random_chars()
manager.secret.set("token_server_admin_ui_client_pw",
ctx["token_server_admin_ui_client_pw"])
ctx["token_server_admin_ui_client_encoded_pw"] = manager.secret.get(
"token_server_admin_ui_client_encoded_pw")
if not ctx["token_server_admin_ui_client_encoded_pw"]:
ctx["token_server_admin_ui_client_encoded_pw"] = encode_text(
ctx["token_server_admin_ui_client_pw"],
manager.secret.get("encoded_salt"),
).decode()
manager.secret.set(
"token_server_admin_ui_client_encoded_pw",
ctx["token_server_admin_ui_client_encoded_pw"],
)
# finalize ctx
return ctx
def test_get_random_chars(size):
from jans.pycloudlib.utils import get_random_chars
assert len(get_random_chars(size)) == size
def oxshibboleth_ctx(self):
encoded_salt = self.get_secret("encoded_salt")
hostname = self.get_config("hostname")
admin_email = self.get_config("admin_email")
orgName = self.get_config("orgName") # noqa: N806
country_code = self.get_config("country_code")
state = self.get_config("state")
city = self.get_config("city")
self.set_config("idp_client_id", lambda: f"1101.{uuid4()}")
self.set_secret(
"idpClient_encoded_pw",
partial(encode_text, get_random_chars(), encoded_salt),
)
shibJksFn = self.set_config("shibJksFn",
"/etc/certs/shibIDP.jks") # noqa: N806
shibJksPass = self.set_secret("shibJksPass",
get_random_chars) # noqa: N806
self.set_secret(
"encoded_shib_jks_pw",
partial(encode_text, shibJksPass, encoded_salt),
)
generate_ssl_certkey(
"shibIDP",
admin_email,
hostname,
orgName,
country_code,
state,
city,
)
generate_keystore("shibIDP", hostname, shibJksPass)
with open("/etc/certs/shibIDP.crt") as f:
self.set_secret(
"shibIDP_cert",
partial(encode_text, f.read(), encoded_salt),
)
with open("/etc/certs/shibIDP.key") as f:
self.set_secret(
"shibIDP_key",
partial(encode_text, f.read(), encoded_salt),
)
with open(shibJksFn, "rb") as f:
self.set_secret(
"shibIDP_jks_base64",
partial(encode_text, f.read(), encoded_salt),
)
self.set_config("shibboleth_version", "v3")
self.set_config("idp3Folder", "/opt/shibboleth-idp")
idp3_signing_cert = "/etc/certs/idp-signing.crt"
idp3_signing_key = "/etc/certs/idp-signing.key"
generate_ssl_certkey(
"idp-signing",
admin_email,
hostname,
orgName,
country_code,
state,
city,
)
with open(idp3_signing_cert) as f:
self.set_secret("idp3SigningCertificateText", f.read)
with open(idp3_signing_key) as f:
self.set_secret("idp3SigningKeyText", f.read)
idp3_encryption_cert = "/etc/certs/idp-encryption.crt"
idp3_encryption_key = "/etc/certs/idp-encryption.key"
generate_ssl_certkey(
"idp-encryption",
admin_email,
hostname,
orgName,
country_code,
state,
city,
)
with open(idp3_encryption_cert) as f:
self.set_secret("idp3EncryptionCertificateText", f.read)
with open(idp3_encryption_key) as f:
self.set_secret("idp3EncryptionKeyText", f.read)
_, err, code = gen_idp3_key(shibJksPass)
if code != 0:
logger.warninging(
f"Unable to generate Shibboleth sealer; reason={err}")
raise click.Abort()
with open("/etc/certs/sealer.jks", "rb") as f:
self.set_secret(
"sealer_jks_base64",
partial(encode_text, f.read(), encoded_salt),
)
with open("/etc/certs/sealer.kver") as f:
self.set_secret(
"sealer_kver_base64",
partial(encode_text, f.read(), encoded_salt),
)