#!/usr/bin/env python
# -*- coding: utf-8 -*-
import os
import shutil
from certgeneration import generateCert
from saml2.cert import OpenSSLWrapper
from pubkeygen import generatePublicKey
# Config snippet spliced in place of the "#CERT_GENERATION" marker of the
# example SP/IdP configs when per-request certificate generation is chosen.
# The COUNTRY_CODE / *_REPLACE tokens are substituted with the operator's
# answers later on; BASE and WORKING_DIR are resolved by the generated config.
_CERT_SNIPPET_LINES = (
    " \"only_use_keys_in_metadata\": False,",
    " \"cert_handler_extra_class\": None,",
    " \"generate_cert_info\": {",
    " \"cn\": BASE,",
    " \"country_code\": \"COUNTRY_CODE\",",
    " \"state\": \"STATE_REPLACE\",",
    " \"city\": \"CITY_REPLACE\",",
    " \"organization\": \"ORG_REPLACE\",",
    " \"organization_unit\": \"UNIT_REPLACE\"},",
    " \"tmp_key_file\": WORKING_DIR + \"sp_cert/tmp_mykey.pem\",",
    " \"tmp_cert_file\": WORKING_DIR + \"sp_cert/tmp_mycert.pem\",",
)
generate_cert_str = "".join(line + "\n" for line in _CERT_SNIPPET_LINES)

# Flipped to True by the setup flow when per-request certificates are
# requested; the root CA section at the end of the script keys off it.
generate_root_cert = False
# Subject fields of the root CA; only filled in when generate_root_cert is set.
root_cert_info_ca = None
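def write_str_to_file(file, str_data):
    """Overwrite *file* with *str_data* in text mode.

    Args:
        file: Path of the file to (re)create.
        str_data: Text written verbatim.

    Raises:
        IOError/OSError: if the file cannot be opened or written.

    The context manager closes the handle even when the write raises; the
    previous open/write/close sequence leaked the handle on error.
    """
    with open(file, "wt") as fh:
        fh.write(str_data)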
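def read_str_from_file(file):
    """Return the entire text content of *file*.

    Args:
        file: Path of the file to read.

    Returns:
        The file content as a string (empty string for an empty file).

    Raises:
        IOError/OSError: if the file cannot be opened or read.

    Uses a context manager so the handle is released even if read() raises.
    """
    with open(file) as fh:
        return fh.read()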
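# ---------------------------------------------------------------------------
# Interactive helpers. The script targets Python 2 (raw_input); print() with a
# single string argument behaves the same on 2 and 3.
# ---------------------------------------------------------------------------


def _ask_yes(prompt):
    """Return True when the operator answers Yes/Y (case-insensitive) to *prompt*.

    Any other answer, including an empty one, counts as No.
    """
    return raw_input(prompt).lower() in ("yes", "y")


def _ask_yes_or_no(prompt, note=None):
    """Repeat *prompt* until the answer is exactly "Yes" or "No"; True for "Yes".

    *note*, when given, is printed after every answer and before it is checked,
    matching the original prompts that explain what the quick setup does not
    cover.
    """
    while True:
        answer = raw_input(prompt)
        if note is not None:
            print(note)
        if answer == "Yes":
            return True
        if answer == "No":
            return False
        print("Please type Yes or No...")


def _ask_subject_fields():
    """Prompt for the X.509 subject fields shared by every certificate prompt.

    Returns:
        dict with the keys country_code, state, city, organization and
        organization_unit, in the order they were asked.
    """
    fields = {}
    fields["country_code"] = raw_input("Country code(2 letters):")
    fields["state"] = raw_input("State:")
    fields["city"] = raw_input("City:")
    fields["organization"] = raw_input("Organisation:")
    fields["organization_unit"] = raw_input("Organisation unit:")
    return fields


def _fill_cert_template(template, fields):
    """Substitute the placeholders of generate_cert_str with *fields*.

    Each placeholder maps to its own answer; the previous version wrote the
    state into the COUNTRY_CODE slot.
    """
    filled = template.replace("COUNTRY_CODE", fields["country_code"])
    filled = filled.replace("STATE_REPLACE", fields["state"])
    filled = filled.replace("CITY_REPLACE", fields["city"])
    filled = filled.replace("ORG_REPLACE", fields["organization"])
    return filled.replace("UNIT_REPLACE", fields["organization_unit"])


def _metadata_source(location):
    """Return the pysaml2 "metadata" config entry for *location*.

    A location starting with "http" is treated as a remote URL (the same test
    as before); anything else is a local file path.
    """
    if location[:4] == "http":
        # "cert": None leaves the remote metadata's signature unverified; pin
        # the metadata signing certificate here for anything beyond local tests.
        return "\"metadata\": {\"remote\": [{ \"url\":\"" + location + "\", \"cert\": None}],},"
    return "\"metadata\": {\"local\": [\"" + location + "\"],},"


# ---------------------------------------------------------------------------
# Setup flow
# ---------------------------------------------------------------------------

folders = ['httpsCert', 'idp_cert', 'opKeys', 'sp_cert', 'static']
for folder in folders:
    if not os.path.exists(folder):
        os.makedirs(folder)

raw_input("This script will help you to perform the basic configurations needed to get up and running. (Press enter)")

# The example configs are copied over any existing test_*_conf.py without
# asking, so answers from an earlier run are lost.
shutil.copy2('idp_conf.example', 'test_idp_conf.py')
shutil.copy2('sp_conf.example', 'test_sp_conf.py')
shutil.copy2('op_conf.example', 'test_op_conf.py')
shutil.copy2('server_conf.example', 'test_server_conf.py')

server_str = read_str_from_file('test_server_conf.py')
op_str = read_str_from_file('test_op_conf.py')
idp_str = read_str_from_file('test_idp_conf.py')
sp_str = read_str_from_file('test_sp_conf.py')

# --- server_conf: port, HTTPS, host ---------------------------------------
port = raw_input("Port for the server:")
try:
    port_number = int(port)
    # int() alone accepted e.g. 0 or 70000; only real TCP ports are a "port".
    if not 0 < port_number <= 65535:
        raise ValueError(port)
except ValueError:
    print("Not a port, using default value 8999.")
    port_number = 8999
server_str = server_str.replace("PORT = 8999", "PORT = " + str(port_number))

# Only the exact word "True" enables HTTPS; everything else writes HTTPS = False.
use_https = raw_input("Write True to activate HTTPS:") == "True"
server_str = server_str.replace("HTTPS = True", "HTTPS = " + str(use_https))

host = raw_input("Your host (use localhost for testing):")
if not host:
    host = "localhost"
    print("Host is set to localhost.")
server_str = server_str.replace("HOST=\"localhost\"", "HOST = \"" + str(host) + "\"")

# --- proxy / password / quick setup --------------------------------------
proxy = _ask_yes_or_no(
    "Type Yes to setup a proxy or No(default) to the OP and Idp with only password verification:")
# Without the proxy the OP and IdP keep password verification unconditionally;
# the proxy branch below asks whether to keep it.
password = True

quicksetup_cert_anonym_proxy = _ask_yes(
    "Type Yes(Y) for a quick setup of a proxy anonymizer based encrypted assertion.")
quick = quicksetup_cert_anonym_proxy

if proxy:
    password = _ask_yes_or_no(
        "Type Yes to add password verification for using the proxy, otherwise No:",
        "(The proxy also support CAS, Yubikey, LDAP etc... but the quick setup do NOT!)")

    # Uncomment the SAML authentication method in the OP and IdP configs.
    op_str = op_str.replace("# \"SAML\": {\"ACR\": \"SAML\", \"WEIGHT\": 3, \"URL\": ISSUER, \"USER_INFO\": \"SAML\"},",
                            " \"SAML\": {\"ACR\": \"SAML\", \"WEIGHT\": 3, \"URL\": ISSUER, \"USER_INFO\": \"SAML\"},")
    idp_str = idp_str.replace(" #\"SAML\": {\"ACR\": authn_context_class_ref(UNSPECIFIED), \"WEIGHT\": 3, \"URL\": BASE, \"USER_INFO\": None},",
                              " \"SAML\": {\"ACR\": authn_context_class_ref(UNSPECIFIED), \"WEIGHT\": 3, \"URL\": BASE, \"USER_INFO\": None},")

    idp_meta = raw_input("Url (must begin with http) or path to metadata file contaning all IdP's that should be behind the proxy:")
    sp_str = sp_str.replace("\"metadata\": {\"local\": [\"[..]/idp.xml\"]},", _metadata_source(idp_meta))

    discovery = _ask_yes_or_no(
        "Do you have multiple IdP's behind the proxy, answer Yes or No:",
        "The proxy supports WAYF but not the quick setup.")

    # Every Yes(Y) question below is answered Yes by the quick setup without a
    # prompt. The original reached the same result by reusing the variable that
    # still held the quick-setup answer; `or` short-circuits so nothing is asked.
    if quick or _ask_yes("Type Yes(Y) to inactivate the OP frontend:"):
        server_str = server_str.replace("OP_FRONTEND = True", "OP_FRONTEND = False")
    if quick or _ask_yes("Type Yes(Y) to inactivate the IdP frontend:"):
        server_str = server_str.replace("IDP_FRONTEND = True", "IDP_FRONTEND = False")

    if discovery:
        discovery_server = raw_input("Url to the discovery server:")
        sp_str = sp_str.replace("DISCOSRV = None", "DISCOSRV = \"" + str(discovery_server) + "\"")

    if quick or _ask_yes("Type Yes(Y) to sign authn requests (all other answers is considered no):"):
        sp_str = sp_str.replace("#\"authn_requests_signed\": \"true\",", "\"authn_requests_signed\": \"true\",")
    if quick or _ask_yes("Type Yes(Y) to demand that all SAML responses are signed:"):
        sp_str = sp_str.replace("#\"want_response_signed\": \"true\",", "\"want_response_signed\": \"true\",")
    if quick or _ask_yes("Type Yes(Y) to sign all SAML responses are signed:"):
        idp_str = idp_str.replace("#\"sign_response\": True,", "\"sign_response\": True,")
    # Answering No to the next two leaves assertion signatures and the IdP's
    # certificate unchecked; both should be Yes outside local testing.
    if quick or _ask_yes("Type Yes(Y) to verify that assertions are signed (all other answers is considered no):"):
        sp_str = sp_str.replace("#\"want_assertions_signed\": \"true\",", "\"want_assertions_signed\": \"true\",")
    if quick or _ask_yes("Type Yes(Y) to verify certificates from an IdP (all other answers is considered no):"):
        sp_str = sp_str.replace("#\"validate_certificate\": True,", "\"validate_certificate\": True,")
    if quick or _ask_yes("Type Yes(Y) to copy encryption assertion from the underlying IdP to the calling SP:"):
        sp_str = sp_str.replace("COPY_ASSERTION = False", "COPY_ASSERTION = True")
    if quick or _ask_yes("Type Yes(Y) to copy certificates from the calling SP to the underlying IdP:"):
        idp_str = idp_str.replace("COPYSPCERT = False", "COPYSPCERT = True")
    if quick or _ask_yes("Type Yes(Y) to copy encryption certificates from the calling SP to the underlying IdP:"):
        idp_str = idp_str.replace("COPYSPKEY = False", "COPYSPKEY = True")

    if quick or _ask_yes("Type Yes(Y) to generate new certificates(IdP and SP) for each authn request (all other answers is considered no):"):
        # The instructions are shown only once the subject fields are actually
        # going to be asked (they were printed regardless of the answer before).
        print("Type the information that will be included on the generated the certificates.")
        cert_snippet = _fill_cert_template(generate_cert_str, _ask_subject_fields())
        # Per-request certificates are issued from the root CA created at the
        # end of the script, so the static key/cert paths are swapped for the
        # CA's and the root CA section is switched on.
        sp_str = sp_str.replace("#CERT_GENERATION", cert_snippet)
        sp_str = sp_str.replace("sp_cert/localhost.key", "root_cert/localhost.ca.key")
        sp_str = sp_str.replace("sp_cert/localhost.crt", "root_cert/localhost.ca.crt")
        idp_str = idp_str.replace("#CERT_GENERATION", cert_snippet)
        idp_str = idp_str.replace("idp_cert/localhost.key", "root_cert/localhost.ca.key")
        idp_str = idp_str.replace("idp_cert/localhost.crt", "root_cert/localhost.ca.crt")
        generate_root_cert = True

    if not password:
        # Comment out the PASSWORD authentication method in both configs.
        op_str = op_str.replace(" \"PASSWORD\": {\"ACR\": \"PASSWORD\", \"WEIGHT\": 1, \"URL\": ISSUER, \"USER_INFO\": \"SIMPLE\"},",
                                "# \"PASSWORD\": {\"ACR\": \"PASSWORD\", \"WEIGHT\": 1, \"URL\": ISSUER, \"USER_INFO\": \"SIMPLE\"},")
        idp_str = idp_str.replace("\"PASSWORD\": {\"ACR\": authn_context_class_ref(PASSWORD), \"WEIGHT\": 1, \"URL\": BASE, \"USER_INFO\": \"SIMPLE\"},",
                                  "#\"PASSWORD\": {\"ACR\": authn_context_class_ref(PASSWORD), \"WEIGHT\": 1, \"URL\": BASE, \"USER_INFO\": \"SIMPLE\"},")

    sp_meta = raw_input("Url (must begin with http) or path to metadata file contaning all SP's that should make use of the proxy:")
    idp_str = idp_str.replace("\"metadata\": {\"local\": [\"[..]/sp.xml\"],},", _metadata_source(sp_meta))

if password:
    # test1/qwerty is the example configuration's built-in test account.
    print("Connect to the proxy with your SP or RP and login with the user test1 and password qwerty.")

# Every remaining "localhost" (URLs as well as key/cert file names such as
# sp_cert/localhost.key) is rewritten to the chosen host in all four configs.
server_str = server_str.replace("localhost", host)
op_str = op_str.replace("localhost", host)
idp_str = idp_str.replace("localhost", host)
sp_str = sp_str.replace("localhost", host)

write_str_to_file('test_server_conf.py', server_str)
write_str_to_file('test_op_conf.py', op_str)
write_str_to_file('test_idp_conf.py', idp_str)
write_str_to_file('test_sp_conf.py', sp_str)

# --- server certificates and jwks -----------------------------------------
print("Type the information for all server certificates; https, sp and idp.")
server_cert_info_ca = _ask_subject_fields()
server_cert_info_ca["cn"] = host

generate_jwks_cert = _ask_yes("Type Yes(Y) to generate new certificates for jwks:")
# sn (the serial number) is reused by the root CA section further down.
sn, jwks_cert = generateCert(server_cert_info_ca, generate_jwks_cert)
if not generate_jwks_cert:
    jwks_cert = raw_input("Enter the path to existing cert for jwks:")
generatePublicKey(jwks_cert)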
if generate_root_cert:
if not os.path.exists("root_cert"):
os.makedirs("root_cert")
print "Type the information for the root certificate."
country_code = raw_input("Country code(2 letters):")
state = raw_input("State:")
city = raw_input("City:")
org = raw_input("Organisation:")
unit = raw_input("Organisation unit:")
root_cert_info_ca = {
"cn": host,
"country_code": country_code,
"state": state,
"city": city,
"organization": org,
"organization_unit": unit
}
osw = OpenSSLWrapper()
ca_cert1, ca_key1 = osw.create_certificate(root_cert_info_ca, request=False, write_to_file=True,
cert_dir="/localhost.ca", sn=sn)