def generate_keystore(suffix, hostname, keypasswd):
# converts key to pkcs12
cmd = " ".join([
"openssl",
"pkcs12",
"-export",
"-inkey /etc/certs/{}.key".format(suffix),
"-in /etc/certs/{}.crt".format(suffix),
"-out /etc/certs/{}.pkcs12".format(suffix),
"-name {}".format(hostname),
"-passout pass:'******'".format(keypasswd),
])
_, err, retcode = exec_cmd(cmd)
assert retcode == 0, "Failed to generate PKCS12 keystore; reason={}".format(
err)
# imports p12 to keystore
cmd = " ".join([
"keytool",
"-importkeystore",
"-srckeystore /etc/certs/{}.pkcs12".format(suffix),
"-srcstorepass {}".format(keypasswd),
"-srcstoretype PKCS12",
"-destkeystore /etc/certs/{}.jks".format(suffix),
"-deststorepass {}".format(keypasswd),
"-deststoretype JKS",
"-keyalg RSA",
"-noprompt",
])
_, err, retcode = exec_cmd(cmd)
assert retcode == 0, "Failed to generate JKS keystore; reason={}".format(
err)
def generate_ssl_certkey(suffix, passwd, email, hostname, org_name,
country_code, state, city):
# create key with password
_, err, retcode = exec_cmd(" ".join([
"openssl",
"genrsa -des3",
"-out /etc/certs/{}.key.orig".format(suffix),
"-passout pass:'******' 2048".format(passwd),
]))
assert retcode == 0, "Failed to generate SSL key with password; reason={}".format(
err)
# create .key
_, err, retcode = exec_cmd(" ".join([
"openssl",
"rsa",
"-in /etc/certs/{}.key.orig".format(suffix),
"-passin pass:'******'".format(passwd),
"-out /etc/certs/{}.key".format(suffix),
]))
assert retcode == 0, "Failed to generate SSL key; reason={}".format(err)
# create .csr
_, err, retcode = exec_cmd(" ".join([
"openssl",
"req",
"-new",
"-key /etc/certs/{}.key".format(suffix),
"-out /etc/certs/{}.csr".format(suffix),
"""-subj /C="{}"/ST="{}"/L="{}"/O="{}"/CN="{}"/emailAddress='{}'""".
format(country_code, state, city, org_name, hostname, email),
]))
assert retcode == 0, "Failed to generate SSL CSR; reason={}".format(err)
# create .crt
_, err, retcode = exec_cmd(" ".join([
"openssl",
"x509",
"-req",
"-days 365",
"-in /etc/certs/{}.csr".format(suffix),
"-signkey /etc/certs/{}.key".format(suffix),
"-out /etc/certs/{}.crt".format(suffix),
]))
assert retcode == 0, "Failed to generate SSL cert; reason={}".format(err)
# return the paths
return "/etc/certs/{}.crt".format(suffix), \
"/etc/certs/{}.key".format(suffix)
def test_exec_cmd(cmd):
from pygluu.containerlib.utils import exec_cmd
out, err, code = exec_cmd(cmd)
assert out == b"foobar"
assert err == b""
assert code == 0
def generate_openid_keys(passwd,
jks_path,
jwks_path,
dn,
exp=365,
sig_keys=DEFAULT_SIG_KEYS,
enc_keys=DEFAULT_ENC_KEYS):
cmd = " ".join([
"java",
"-Dlog4j.defaultInitOverride=true",
"-jar",
"/app/javalibs/oxauth-client.jar",
"-enc_keys",
enc_keys,
"-sig_keys",
sig_keys,
"-dnname",
"{!r}".format(dn),
"-expiration",
"{}".format(exp),
"-keystore",
jks_path,
"-keypasswd",
passwd,
])
out, err, retcode = exec_cmd(cmd)
if retcode == 0:
with open(jwks_path, "w") as f:
f.write(out.decode())
return out, err, retcode
def gen_idp3_key(storepass):
cmd = " ".join([
"java",
"-classpath '/app/javalibs/*'",
"net.shibboleth.utilities.java.support.security.BasicKeystoreKeyStrategyTool",
"--storefile /etc/certs/sealer.jks",
"--versionfile /etc/certs/sealer.kver",
"--alias secret",
"--storepass {}".format(storepass),
])
return exec_cmd(cmd)
def modify_admin_password():
logger.info("Modifying credentials for webdav access.")
cmd = (
"java -cp .:/opt/gluu/jetty/jackrabbit/webapps/jackrabbit/WEB-INF/lib/* "
"/app/scripts/Main.java"
)
out, err, code = exec_cmd(cmd)
if code != 0:
err = err or out
logger.warn(f"Unable to modify credentials; reason={err}")
else:
logger.info("Credentials for webdav access has been modified.")
def export_openid_keys(keystore, keypasswd, alias, export_file):
cmd = " ".join([
"java",
"-Dlog4j.defaultInitOverride=true",
"-cp /app/javalibs/oxauth-client.jar",
"org.gluu.oxauth.util.KeyExporter",
"-keystore {}".format(keystore),
"-keypasswd {}".format(keypasswd),
"-alias {}".format(alias),
"-exportfile {}".format(export_file),
])
return exec_cmd(cmd)
def ls(self, path: str) -> bytes:
"""List paths at remote.
:params path: Remote path.
:returns: List of paths.
"""
cmd = f"rclone ls jackrabbit:{path}"
out, err, code = exec_cmd(cmd)
if code != 0:
errors = err.decode().splitlines()
logger.debug(f"Unable to list remote directory {path}; reason={errors}")
return out
def copy_to(self, remote: str, local: str) -> None:
""" Copy path from local to remote.
:params remote: Remote path.
:params local: Local path.
"""
cmd = f"rclone copy {local} jackrabbit:{remote} --create-empty-src-dirs --ignore-size"
_, err, code = exec_cmd(cmd)
if code != 0:
errors = err.decode().splitlines()
logger.debug(f"Unable to sync files to remote directories; reason={errors}")
def configure(self) -> None:
"""Configure connection to Jackrabbit WebDAV.
"""
conf_file = os.path.expanduser("~/.config/rclone/rclone.conf")
if os.path.isfile(conf_file):
return
cmd = f"rclone config create jackrabbit webdav vendor other pass '{self.password}' user '{self.username}' url {self.url}"
_, err, code = exec_cmd(cmd)
if code != 0:
errors = err.decode().splitlines()
logger.warning(f"Unable to create webdav config; reason={errors}")
def ready(self, path: str = "/") -> bool:
"""Check whether remote WebDAV is ready.
:params path: Root path of remote.
:returns: A ``bool`` to mark remote readiness.
"""
cmd = f"rclone lsd jackrabbit:{path}"
_, err, code = exec_cmd(cmd)
if code != 0:
errors = err.decode().splitlines()
logger.debug(f"Unable to list remote directory {path}; reason={errors}")
return False
return True
def generate_pkcs12(suffix, passwd, hostname):
# Convert key to pkcs12
cmd = " ".join([
"openssl",
"pkcs12",
"-export",
"-inkey /etc/certs/{}.key".format(suffix),
"-in /etc/certs/{}.crt".format(suffix),
"-out /etc/certs/{}.pkcs12".format(suffix),
"-name {}".format(hostname),
"-passout pass:{}".format(passwd),
])
_, err, retcode = exec_cmd(cmd)
assert retcode == 0, "Failed to generate PKCS12 file; reason={}".format(
err)
def generate_openid_keys(passwd, jks_path, dn, exp=365):
if os.path.isfile(jks_path):
os.unlink(jks_path)
cmd = " ".join([
"java",
"-Dlog4j.defaultInitOverride=true",
"-jar",
"/app/javalibs/oxauth-client.jar",
"-enc_keys",
ENC_KEYS,
"-sig_keys",
SIG_KEYS,
"-dnname",
"{!r}".format(dn),
"-expiration_hours",
"{}".format(exp),
"-keystore",
jks_path,
"-keypasswd",
passwd,
])
return exec_cmd(cmd)
