def main():
persistence_type = os.environ.get("GLUU_PERSISTENCE_TYPE", "ldap")
render_salt(manager, "/app/templates/salt.tmpl", "/etc/gluu/conf/salt")
render_gluu_properties("/app/templates/gluu.properties.tmpl", "/etc/gluu/conf/gluu.properties")
if persistence_type in ("ldap", "hybrid"):
render_ldap_properties(
manager,
"/app/templates/gluu-ldap.properties.tmpl",
"/etc/gluu/conf/gluu-ldap.properties",
)
sync_ldap_truststore(manager)
if persistence_type in ("couchbase", "hybrid"):
render_couchbase_properties(
manager,
"/app/templates/gluu-couchbase.properties.tmpl",
"/etc/gluu/conf/gluu-couchbase.properties",
)
sync_couchbase_truststore(manager)
if persistence_type == "hybrid":
render_hybrid_properties("/etc/gluu/conf/gluu-hybrid.properties")
if not os.path.isfile("/etc/certs/gluu_https.crt"):
if as_boolean(os.environ.get("GLUU_SSL_CERT_FROM_SECRETS", False)):
manager.secret.to_file("ssl_cert", "/etc/certs/gluu_https.crt")
else:
get_server_certificate(manager.config.get("hostname"), 443, "/etc/certs/gluu_https.crt")
cert_to_truststore(
"gluu_https",
"/etc/certs/gluu_https.crt",
"/usr/lib/jvm/default-jvm/jre/lib/security/cacerts",
"changeit",
)
get_oxd_cert()
cert_to_truststore(
"gluu_oxd",
"/etc/certs/oxd.crt",
"/usr/lib/jvm/default-jvm/jre/lib/security/cacerts",
"changeit",
)
modify_jetty_xml()
modify_webdefault_xml()
manager.secret.to_file("passport_rp_jks_base64", "/etc/certs/passport-rp.jks",
decode=True, binary_mode=True)
config = CasaConfig(manager)
config.setup()
def test_get_server_certificate(tmpdir, httpsserver):
from pygluu.containerlib.utils import get_server_certificate
host, port = httpsserver.server_address
filepath = tmpdir.mkdir("pygluu").join("gluu.crt")
cert = get_server_certificate(host, port, str(filepath))
assert cert == filepath.read()
if persistence_type in ("couchbase", "hybrid"):
render_couchbase_properties(
manager,
"/app/templates/gluu-couchbase.properties.tmpl",
"/etc/gluu/conf/gluu-couchbase.properties",
)
sync_couchbase_truststore(manager)
if persistence_type == "hybrid":
render_hybrid_properties("/etc/gluu/conf/gluu-hybrid.properties")
if not os.path.isfile("/etc/certs/gluu_https.crt"):
if as_boolean(os.environ.get("GLUU_SSL_CERT_FROM_SECRETS", False)):
manager.secret.to_file("ssl_cert", "/etc/certs/gluu_https.crt")
else:
get_server_certificate(manager.config.get("hostname"), 443,
"/etc/certs/gluu_https.crt")
cert_to_truststore(
"gluu_https",
"/etc/certs/gluu_https.crt",
"/usr/lib/jvm/default-jvm/jre/lib/security/cacerts",
"changeit",
)
if not os.path.isfile("/etc/certs/shibIDP.crt"):
manager.secret.to_file("shibIDP_cert",
"/etc/certs/shibIDP.crt",
decode=True)
if not os.path.isfile("/etc/certs/shibIDP.key"):
manager.secret.to_file("shibIDP_key",
def main():
persistence_type = os.environ.get("GLUU_PERSISTENCE_TYPE", "ldap")
render_salt(manager, "/app/templates/salt.tmpl", "/etc/gluu/conf/salt")
render_gluu_properties("/app/templates/gluu.properties.tmpl",
"/etc/gluu/conf/gluu.properties")
if persistence_type in ("ldap", "hybrid"):
render_ldap_properties(
manager,
"/app/templates/gluu-ldap.properties.tmpl",
"/etc/gluu/conf/gluu-ldap.properties",
)
sync_ldap_truststore(manager)
if persistence_type in ("couchbase", "hybrid"):
render_couchbase_properties(
manager,
"/app/templates/gluu-couchbase.properties.tmpl",
"/etc/gluu/conf/gluu-couchbase.properties",
)
# need to resolve whether we're using default or user-defined couchbase cert
sync_couchbase_cert(manager)
sync_couchbase_truststore(manager)
if persistence_type == "hybrid":
render_hybrid_properties("/etc/gluu/conf/gluu-hybrid.properties")
if not os.path.isfile("/etc/certs/gluu_https.crt"):
get_server_certificate(manager.config.get("hostname"), 443,
"/etc/certs/gluu_https.crt")
cert_to_truststore(
"gluu_https",
"/etc/certs/gluu_https.crt",
"/usr/lib/jvm/default-jvm/jre/lib/security/cacerts",
"changeit",
)
if not os.path.isfile("/etc/certs/idp-signing.crt"):
manager.secret.to_file("idp3SigningCertificateText",
"/etc/certs/idp-signing.crt")
manager.secret.to_file("passport_rp_jks_base64",
"/etc/certs/passport-rp.jks",
decode=True,
binary_mode=True)
manager.secret.to_file("api_rp_jks_base64",
"/etc/certs/api-rp.jks",
decode=True,
binary_mode=True)
with open(manager.config.get("api_rp_client_jwks_fn"), "w") as f:
f.write(
base64.b64decode(manager.secret.get("api_rp_client_base64_jwks")))
manager.secret.to_file("api_rs_jks_base64",
"/etc/certs/api-rs.jks",
decode=True,
binary_mode=True)
with open(manager.config.get("api_rs_client_jwks_fn"), "w") as f:
f.write(
base64.b64decode(manager.secret.get("api_rs_client_base64_jwks")))
manager.secret.to_file("scim_rs_jks_base64",
"/etc/certs/scim-rs.jks",
decode=True,
binary_mode=True)
with open(manager.config.get("scim_rs_client_jwks_fn"), "w") as f:
f.write(
base64.b64decode(manager.secret.get("scim_rs_client_base64_jwks")))
manager.secret.to_file("scim_rp_jks_base64",
"/etc/certs/scim-rp.jks",
decode=True,
binary_mode=True)
with open(manager.config.get("scim_rp_client_jwks_fn"), "w") as f:
f.write(
base64.b64decode(manager.secret.get("scim_rp_client_base64_jwks")))
modify_jetty_xml()
modify_webdefault_xml()
def get_oxd_cert():
oxd_url = os.environ.get("GLUU_OXD_SERVER_URL", "localhost:8443")
_, host, port = resolve_oxd_url(oxd_url)
if not os.path.isfile("/etc/certs/oxd.crt"):
get_server_certificate(host, port, "/etc/certs/oxd.crt")
def nginx_ctx(self):
ssl_cert = "/etc/certs/gluu_https.crt"
ssl_key = "/etc/certs/gluu_https.key"
self._set_secret("ssl_cert_pass", get_random_chars())
# get cert and key (if available) with priorities below:
#
# 1. from mounted files
# 2. from fronted (key file is an empty file)
# 3. self-generate files
ssl_cert_exists = os.path.isfile(ssl_cert)
ssl_key_exists = os.path.isfile(ssl_key)
logger.info(f"Resolving {ssl_cert} and {ssl_key}")
# check from mounted files
if not (ssl_cert_exists and ssl_key_exists):
# no mounted files, hence download from frontend
addr = os.environ.get(
"GLUU_INGRESS_ADDRESS") or self.ctx["config"]["hostname"]
servername = os.environ.get("GLUU_INGRESS_SERVERNAME") or addr
logger.warning(
f"Unable to find mounted {ssl_cert} and {ssl_key}; "
f"trying to download from {addr}:443 (servername {servername})"
)
try:
# cert will be downloaded into `ssl_cert` path
get_server_certificate(addr, 443, ssl_cert, servername)
if not ssl_key_exists:
# since cert is downloaded, key must mounted
# or generate empty file
with open(ssl_key, "w") as f:
f.write("")
except (socket.gaierror, socket.timeout, ConnectionRefusedError,
TimeoutError, ConnectionResetError) as exc:
# address not resolved or timed out
logger.warning(f"Unable to download cert; reason={exc}")
finally:
ssl_cert_exists = os.path.isfile(ssl_cert)
ssl_key_exists = os.path.isfile(ssl_key)
# no mounted nor downloaded files, hence we need to create self-generated files
if not (ssl_cert_exists and ssl_key_exists):
logger.info(f"Creating self-generated {ssl_cert} and {ssl_key}")
generate_ssl_certkey(
"gluu_https",
self.ctx["secret"]["ssl_cert_pass"],
self.ctx["config"]["admin_email"],
self.ctx["config"]["hostname"],
self.ctx["config"]["orgName"],
self.ctx["config"]["country_code"],
self.ctx["config"]["state"],
self.ctx["config"]["city"],
)
with open(ssl_cert) as f:
self._set_secret("ssl_cert", f.read())
with open(ssl_key) as f:
self._set_secret("ssl_key", f.read())
def main():
persistence_type = os.environ.get("GLUU_PERSISTENCE_TYPE", "ldap")
render_salt(manager, "/app/templates/salt.tmpl", "/etc/gluu/conf/salt")
render_gluu_properties("/app/templates/gluu.properties.tmpl",
"/etc/gluu/conf/gluu.properties")
if persistence_type in ("ldap", "hybrid"):
render_ldap_properties(
manager,
"/app/templates/gluu-ldap.properties.tmpl",
"/etc/gluu/conf/gluu-ldap.properties",
)
sync_ldap_truststore(manager)
if persistence_type in ("couchbase", "hybrid"):
render_couchbase_properties(
manager,
"/app/templates/gluu-couchbase.properties.tmpl",
"/etc/gluu/conf/gluu-couchbase.properties",
)
# need to resolve whether we're using default or user-defined couchbase cert
# sync_couchbase_cert(manager)
sync_couchbase_truststore(manager)
if persistence_type == "hybrid":
render_hybrid_properties("/etc/gluu/conf/gluu-hybrid.properties")
if not os.path.isfile("/etc/certs/gluu_https.crt"):
if as_boolean(os.environ.get("GLUU_SSL_CERT_FROM_SECRETS", False)):
manager.secret.to_file("ssl_cert", "/etc/certs/gluu_https.crt")
else:
get_server_certificate(manager.config.get("hostname"), 443,
"/etc/certs/gluu_https.crt")
cert_to_truststore(
"gluu_https",
"/etc/certs/gluu_https.crt",
"/usr/lib/jvm/default-jvm/jre/lib/security/cacerts",
"changeit",
)
if not os.path.isfile("/etc/certs/idp-signing.crt"):
manager.secret.to_file("idp3SigningCertificateText",
"/etc/certs/idp-signing.crt")
manager.secret.to_file("passport_rp_jks_base64",
"/etc/certs/passport-rp.jks",
decode=True,
binary_mode=True)
manager.secret.to_file("api_rp_jks_base64",
"/etc/certs/api-rp.jks",
decode=True,
binary_mode=True)
with open(manager.config.get("api_rp_client_jwks_fn"), "w") as f:
f.write(
base64.b64decode(
manager.secret.get("api_rp_client_base64_jwks")).decode())
manager.secret.to_file("api_rs_jks_base64",
"/etc/certs/api-rs.jks",
decode=True,
binary_mode=True)
with open(manager.config.get("api_rs_client_jwks_fn"), "w") as f:
f.write(
base64.b64decode(
manager.secret.get("api_rs_client_base64_jwks")).decode())
# manager.secret.to_file("scim_rs_jks_base64", "/etc/certs/scim-rs.jks",
# decode=True, binary_mode=True)
# with open(manager.config.get("scim_rs_client_jwks_fn"), "w") as f:
# f.write(
# base64.b64decode(manager.secret.get("scim_rs_client_base64_jwks")).decode()
# )
# manager.secret.to_file("scim_rp_jks_base64", "/etc/certs/scim-rp.jks",
# decode=True, binary_mode=True)
# with open(manager.config.get("scim_rp_client_jwks_fn"), "w") as f:
# f.write(
# base64.b64decode(manager.secret.get("scim_rp_client_base64_jwks")).decode()
# )
modify_jetty_xml()
modify_webdefault_xml()
sync_enabled = as_boolean(os.environ.get("GLUU_SYNC_JKS_ENABLED", False))
if not sync_enabled:
manager.secret.to_file(
"oxauth_jks_base64",
"/etc/certs/oxauth-keys.jks",
decode=True,
binary_mode=True,
)
with open("/etc/certs/oxauth-keys.json", "w") as f:
f.write(
base64.b64decode(
manager.secret.get("oxauth_openid_key_base64")).decode())
certs_from_webdav()