Exemplo n.º 1
0
    def passport_sp_ctx(self):
        encoded_salt = self.get_secret("encoded_salt")
        # passportSpKeyPass = self.set_secret("passportSpKeyPass", get_random_chars())  # noqa: N806
        _ = self.set_secret("passportSpKeyPass",
                            get_random_chars)  # noqa: N806
        self.set_config("passportSpTLSCACert", '/etc/certs/passport-sp.pem')
        passportSpTLSCert = self.set_config(
            "passportSpTLSCert", '/etc/certs/passport-sp.crt')  # noqa: N806
        passportSpTLSKey = self.set_config(
            "passportSpTLSKey", '/etc/certs/passport-sp.key')  # noqa: N806
        self.set_secret("passportSpJksPass", get_random_chars)
        self.set_config("passportSpJksFn", '/etc/certs/passport-sp.jks')

        generate_ssl_certkey(
            "passport-sp",
            self.get_config("admin_email"),
            self.get_config("hostname"),
            self.get_config("orgName"),
            self.get_config("country_code"),
            self.get_config("state"),
            self.get_config("city"),
        )
        with open(passportSpTLSCert) as f:
            self.set_secret(
                "passport_sp_cert_base64",
                partial(encode_text, f.read(), encoded_salt),
            )

        with open(passportSpTLSKey) as f:
            self.set_secret(
                "passport_sp_key_base64",
                partial(encode_text, f.read(), encoded_salt),
            )
    def sync_x509(self):
        cert = self.manager.secret.get(f"client_api_{self.type}_cert")
        key = self.manager.secret.get(f"client_api_{self.type}_key")

        if cert and key:
            self.manager.secret.to_file(f"client_api_{self.type}_cert",
                                        self.cert_file)
            self.manager.secret.to_file(f"client_api_{self.type}_key",
                                        self.key_file)
        else:
            generate_ssl_certkey(
                f"client_api_{self.type}",
                self.manager.config.get("admin_email"),
                self.manager.config.get("hostname"),
                self.manager.config.get("orgName"),
                self.manager.config.get("country_code"),
                self.manager.config.get("state"),
                self.manager.config.get("city"),
                extra_dns=[self.cert_cn],
            )
            # save cert and key to secrets for later use
            self.manager.secret.from_file(f"client_api_{self.type}_cert",
                                          self.cert_file)
            self.manager.secret.from_file(f"client_api_{self.type}_key",
                                          self.key_file)
Exemplo n.º 3
0
    def _patch_cert_key(self, prefix, extra_dns=None):
        cert_fn = f"/etc/certs/{prefix}.crt"
        key_fn = f"/etc/certs/{prefix}.key"

        logger.info(f"Generating new {cert_fn} and {key_fn} files")
        generate_ssl_certkey(
            prefix,
            self.manager.config.get("admin_email"),
            self.manager.config.get("hostname"),
            self.manager.config.get("orgName"),
            self.manager.config.get("country_code"),
            self.manager.config.get("state"),
            self.manager.config.get("city"),
            extra_dns=extra_dns,
        )
        return cert_fn, key_fn
Exemplo n.º 4
0
def regenerate_ldap_certs(extra_dns=None):
    suffix = "opendj"
    country_code = manager.config.get("country_code")
    state = manager.config.get("state")
    city = manager.config.get("city")
    org_name = manager.config.get("orgName")
    domain = manager.config.get("hostname")
    email = manager.config.get("admin_email")

    cert, key = generate_ssl_certkey(
        suffix,
        email,
        domain,
        org_name,
        country_code,
        state,
        city,
        extra_dns=extra_dns,
    )

    with open(f"/etc/certs/{suffix}.pem", "w") as fw:
        with open(cert) as fr:
            ldap_ssl_cert = fr.read()

        with open(key) as fr:
            ldap_ssl_key = fr.read()

        ldap_ssl_cacert = "".join([ldap_ssl_cert, ldap_ssl_key])
        fw.write(ldap_ssl_cacert)
Exemplo n.º 5
0
def test_generate_ssl_certkey(tmpdir):
    from jans.pycloudlib.utils import generate_ssl_certkey

    base_dir = tmpdir.mkdir("certs")
    generate_ssl_certkey(
        "my-suffix",
        "*****@*****.**",
        "my.org.local",
        "org",
        "US",
        "TX",
        "Austin",
        base_dir=str(base_dir),
        extra_dns=["custom.org.local"],
        extra_ips=["127.0.0.1"],
    )
    assert os.path.isfile(str(base_dir.join("my-suffix.crt")))
    assert os.path.isfile(str(base_dir.join("my-suffix.key")))
Exemplo n.º 6
0
    def oxshibboleth_ctx(self):
        encoded_salt = self.get_secret("encoded_salt")
        hostname = self.get_config("hostname")
        admin_email = self.get_config("admin_email")
        orgName = self.get_config("orgName")  # noqa: N806
        country_code = self.get_config("country_code")
        state = self.get_config("state")
        city = self.get_config("city")
        self.set_config("idp_client_id", lambda: f"1101.{uuid4()}")
        self.set_secret(
            "idpClient_encoded_pw",
            partial(encode_text, get_random_chars(), encoded_salt),
        )
        shibJksFn = self.set_config("shibJksFn",
                                    "/etc/certs/shibIDP.jks")  # noqa: N806
        shibJksPass = self.set_secret("shibJksPass",
                                      get_random_chars)  # noqa: N806
        self.set_secret(
            "encoded_shib_jks_pw",
            partial(encode_text, shibJksPass, encoded_salt),
        )

        generate_ssl_certkey(
            "shibIDP",
            admin_email,
            hostname,
            orgName,
            country_code,
            state,
            city,
        )

        generate_keystore("shibIDP", hostname, shibJksPass)

        with open("/etc/certs/shibIDP.crt") as f:
            self.set_secret(
                "shibIDP_cert",
                partial(encode_text, f.read(), encoded_salt),
            )

        with open("/etc/certs/shibIDP.key") as f:
            self.set_secret(
                "shibIDP_key",
                partial(encode_text, f.read(), encoded_salt),
            )

        with open(shibJksFn, "rb") as f:
            self.set_secret(
                "shibIDP_jks_base64",
                partial(encode_text, f.read(), encoded_salt),
            )

        self.set_config("shibboleth_version", "v3")
        self.set_config("idp3Folder", "/opt/shibboleth-idp")

        idp3_signing_cert = "/etc/certs/idp-signing.crt"
        idp3_signing_key = "/etc/certs/idp-signing.key"

        generate_ssl_certkey(
            "idp-signing",
            admin_email,
            hostname,
            orgName,
            country_code,
            state,
            city,
        )

        with open(idp3_signing_cert) as f:
            self.set_secret("idp3SigningCertificateText", f.read)

        with open(idp3_signing_key) as f:
            self.set_secret("idp3SigningKeyText", f.read)

        idp3_encryption_cert = "/etc/certs/idp-encryption.crt"
        idp3_encryption_key = "/etc/certs/idp-encryption.key"

        generate_ssl_certkey(
            "idp-encryption",
            admin_email,
            hostname,
            orgName,
            country_code,
            state,
            city,
        )

        with open(idp3_encryption_cert) as f:
            self.set_secret("idp3EncryptionCertificateText", f.read)

        with open(idp3_encryption_key) as f:
            self.set_secret("idp3EncryptionKeyText", f.read)

        _, err, code = gen_idp3_key(shibJksPass)
        if code != 0:
            logger.warninging(
                f"Unable to generate Shibboleth sealer; reason={err}")
            raise click.Abort()

        with open("/etc/certs/sealer.jks", "rb") as f:
            self.set_secret(
                "sealer_jks_base64",
                partial(encode_text, f.read(), encoded_salt),
            )

        with open("/etc/certs/sealer.kver") as f:
            self.set_secret(
                "sealer_kver_base64",
                partial(encode_text, f.read(), encoded_salt),
            )
Exemplo n.º 7
0
    def ldap_ctx(self):
        encoded_salt = self.get_secret("encoded_salt")

        # self.set_secret("encoded_ldap_pw", ldap_encode(self.params["admin_pw"]))
        self.set_secret(
            "encoded_ox_ldap_pw",
            partial(encode_text, self.params["ldap_pw"], encoded_salt),
        )
        self.set_config("ldap_init_host", "localhost")
        self.set_config("ldap_init_port", 1636)
        self.set_config("ldap_port", 1389)
        self.set_config("ldaps_port", 1636)
        self.set_config("ldap_binddn", "cn=directory manager")
        self.set_config("ldap_site_binddn", "cn=directory manager")
        ldap_truststore_pass = self.set_secret("ldap_truststore_pass",
                                               get_random_chars)
        self.set_config("ldapTrustStoreFn", "/etc/certs/opendj.pkcs12")
        hostname = self.get_config("hostname")

        generate_ssl_certkey(
            "opendj",
            self.get_config("admin_email"),
            hostname,
            self.get_config("orgName"),
            self.get_config("country_code"),
            self.get_config("state"),
            self.get_config("city"),
            extra_dns=["ldap"],
        )
        with open("/etc/certs/opendj.pem", "w") as fw:
            with open("/etc/certs/opendj.crt") as fr:
                ldap_ssl_cert = fr.read()
                self.set_secret(
                    "ldap_ssl_cert",
                    partial(encode_text, ldap_ssl_cert, encoded_salt),
                )

            with open("/etc/certs/opendj.key") as fr:
                ldap_ssl_key = fr.read()
                self.set_secret(
                    "ldap_ssl_key",
                    partial(encode_text, ldap_ssl_key, encoded_salt),
                )

            ldap_ssl_cacert = "".join([ldap_ssl_cert, ldap_ssl_key])
            fw.write(ldap_ssl_cacert)
            self.set_secret(
                "ldap_ssl_cacert",
                partial(encode_text, ldap_ssl_cacert, encoded_salt),
            )

        generate_pkcs12("opendj", ldap_truststore_pass, hostname)

        with open(self.get_config("ldapTrustStoreFn"), "rb") as fr:
            self.set_secret(
                "ldap_pkcs12_base64",
                partial(encode_text, fr.read(), encoded_salt),
            )

        self.set_secret(
            "encoded_ldapTrustStorePass",
            partial(encode_text, ldap_truststore_pass, encoded_salt),
        )