def main():
manager = get_manager()
addr = guess_serf_addr()
host = addr.split(":")[0]
admin_port = os.environ.get("CN_LDAP_ADVERTISE_ADMIN_PORT", "4444")
deregister_serf_peer(manager, addr)
with admin_password_bound(manager) as password_file:
cmd = " ".join([
"/opt/opendj/bin/dsreplication",
"disable",
"--disableAll",
f"--port {admin_port}",
f"--hostname {host}",
"--adminUID admin",
f"--adminPasswordFile {password_file}",
"-X",
"-n",
"-Q",
])
out, err, code = exec_cmd(cmd)
if code:
err = err or out
logger.warning(
f"Unable to disable replication for current server; reason={err.decode()}"
)
def main():
# check how many member in ldap cluster,
peers_num = len(peers_from_serf_membership())
if peers_num == 0:
sys.exit(1)
elif peers_num == 1:
# if there's only 1 alive member, mark the server as ready to allow
# data injection to persistence
sys.exit(0)
else:
# if there are more than 1 instances, determine the server readiness by
# checking entries in persistence
manager = get_manager()
host = "localhost:1636"
user = manager.config.get("ldap_binddn")
password = decode_text(
manager.secret.get("encoded_ox_ldap_pw"),
manager.secret.get("encoded_salt"),
)
result = get_ldap_entries(host, user, password)
if result:
sys.exit(0)
else:
sys.exit(1)
def main():
manager = get_manager()
if not os.path.isfile("/etc/certs/web_https.crt"):
# pull SSL cert to a file
manager.secret.to_file("ssl_cert", "/etc/certs/web_https.crt")
if not os.path.isfile("/etc/certs/web_https.key"):
# pull SSL key to a file
manager.secret.to_file("ssl_key", "/etc/certs/web_https.key")
def main():
persistence_type = os.environ.get("CN_PERSISTENCE_TYPE", "ldap")
validate_persistence_type(persistence_type)
ldap_mapping = os.environ.get("CN_PERSISTENCE_LDAP_MAPPING", "default")
validate_persistence_ldap_mapping(persistence_type, ldap_mapping)
manager = get_manager()
deps = ["config", "secret"]
wait_for(manager, deps)
def __init__(self, manager=None):
manager = manager or get_manager()
dialect = os.environ.get("CN_SQL_DB_DIALECT", "mysql")
if dialect in ("pgsql", "postgresql"):
self.adapter = PostgresqlClient(manager)
elif dialect == "mysql":
self.adapter = MysqlClient(manager)
self._adapter_methods = [
method for method in dir(self.adapter)
if method in self._allowed_adapter_methods
]
def prune(service, dry_run, opts):
"""Cleanup expired crypto keys for the targeted service.
"""
manager = get_manager()
if dry_run:
logger.warning("Dry-run mode is enabled!")
logger.info(f"Processing updates for service {service}")
parsed_opts = _parse_opts(opts)
callback_cls = PRUNE_SERVICE_MAP[service]
callback_cls(manager, dry_run, **parsed_opts).prune()
def patch(service, dry_run, opts):
"""Patch cert and/or crypto keys for the targeted service.
"""
manager = get_manager()
if dry_run:
logger.warning("Dry-run mode is enabled!")
logger.info(f"Processing updates for service {service}")
parsed_opts = _parse_opts(opts)
callback_cls = PATCH_SERVICE_MAP[service]
callback_cls(manager, dry_run, **parsed_opts).patch()
def main():
config_adapter = os.environ.get("CN_CONFIG_ADAPTER", "consul")
if config_adapter != "consul":
logger.error("This container only supports Consul as config backend")
sys.exit(1)
secret_adapter = os.environ.get("CN_SECRET_ADAPTER", "vault")
if secret_adapter != "vault":
logger.error("This container only supports Vault as secret backend")
sys.exit(1)
manager = get_manager()
deps = ["config", "secret"]
wait_for(manager, deps)
def main():
persistence_type = os.environ.get("CN_PERSISTENCE_TYPE", "ldap")
validate_persistence_type(persistence_type)
ldap_mapping = os.environ.get("CN_PERSISTENCE_LDAP_MAPPING", "default")
validate_persistence_ldap_mapping(persistence_type, ldap_mapping)
if persistence_type == "sql":
sql_dialect = os.environ.get("CN_SQL_DB_DIALECT", "mysql")
validate_persistence_sql_dialect(sql_dialect)
manager = get_manager()
deps = ["config", "secret"]
if persistence_type == "hybrid":
deps += ["ldap", "couchbase"]
else:
deps.append(persistence_type)
wait_for(manager, deps)
def prune(service, dry_run, opts):
"""Cleanup expired crypto keys for the targeted service.
"""
manager = get_manager()
if dry_run:
logger.warning("Dry-run mode is enabled!")
logger.info(f"Processing updates for service {service}")
_opts = {}
for opt in opts:
try:
k, v = opt.split(":", 1)
_opts[k] = v
except ValueError:
k = opt
v = ""
callback_cls = PRUNE_SERVICE_MAP[service]
callback_cls(manager, dry_run, **_opts).prune()
def main():
manager = get_manager()
for addr in peers_from_file():
register_serf_peer(manager, addr)
addr = guess_serf_addr()
register_serf_peer(manager, addr)
mcast = as_boolean(os.environ.get("CN_SERF_MULTICAST_DISCOVER", False))
if mcast:
# join Serf cluster using multicast (no extra code needed)
return
# join Serf cluster manually
peers = " ".join(get_serf_peers(manager))
out, err, code = exec_cmd(f"serf join {peers}")
err = err or out
if code != 0:
logger.warning(f"Unable to join Serf cluster; reason={err}")
def decode_string(text, salt_file, salt_literal):
salt = ""
if salt_literal:
salt = salt_literal
elif salt_file:
with click.open_file(salt_file, "r") as f:
salt = f.read().split(" = ")[-1].strip()
else:
manager = get_manager()
try:
salt = manager.secret.get("encoded_salt")
except Exception as exc: # noqa: B902
click.echo(f"Unable to get salt from secrets; reason={exc}")
if not salt:
raise click.Abort()
try:
txt = decode_text(text, salt)
click.echo(txt)
except ValueError as exc:
raise click.ClickException(f"Unable to decode given string; reason={exc}")
def main():
manager = get_manager()
backend_classes = {
"ldap": LDAPBackend,
"couchbase": CouchbaseBackend,
"hybrid": HybridBackend,
"sql": SQLBackend,
"spanner": SpannerBackend,
}
# initialize the backend
persistence_type = os.environ.get("CN_PERSISTENCE_TYPE", "ldap")
backend_cls = backend_classes.get(persistence_type)
if not backend_cls:
raise ValueError("Unsupported persistence backend")
backend = backend_cls(manager)
backend.initialize()
# run upgrade if needed
upgrade = Upgrade(manager)
upgrade.invoke()
def get_injected_urls():
manager = get_manager()
persistence_type = os.environ.get("CN_PERSISTENCE_TYPE", "ldap")
ldap_mapping = os.environ.get("CN_PERSISTENCE_LDAP_MAPPING", "default")
if persistence_type in ("ldap", "couchbase", "sql", "spanner"):
backend_type = persistence_type
else:
# maybe hybrid
if ldap_mapping == "default":
backend_type = "ldap"
else:
backend_type = "couchbase"
# resolve backend
backend = _backend_classes[backend_type](manager)
auth_config = backend.get_auth_config()
try:
auth_config = json.loads(auth_config)
except TypeError:
pass
endpoints = [
"issuer",
"openIdConfigurationEndpoint",
"introspectionEndpoint",
"tokenEndpoint",
"tokenRevocationEndpoint",
]
transformed_urls = {
attr: transform_url(auth_config[attr])
for attr in endpoints
}
return transformed_urls
from jans.pycloudlib.utils import generate_keystore
from parameter import params_from_file
from settings import LOGGING_CONFIG
DEFAULT_SIG_KEYS = "RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512"
DEFAULT_ENC_KEYS = "RSA1_5 RSA-OAEP"
DEFAULT_CONFIG_FILE = "/app/db/config.json"
DEFAULT_SECRET_FILE = "/app/db/secret.json"
DEFAULT_GENERATE_FILE = "/app/db/generate.json"
logging.config.dictConfig(LOGGING_CONFIG)
logger = logging.getLogger("configurator")
manager = get_manager()
def encode_template(fn, ctx, base_dir="/app/templates"):
path = os.path.join(base_dir, fn)
# ctx is nested which has `config` and `secret` keys
data = {}
for _, v in ctx.items():
data.update(v)
with open(path) as f:
return generate_base64_contents(safe_render(f.read(), data))
def generate_openid_keys(passwd,
jks_path,
jwks_path,
def main():
manager = get_manager()
persistence_type = os.environ.get("CN_PERSISTENCE_TYPE", "ldap")
render_salt(manager, "/app/templates/salt.tmpl", "/etc/jans/conf/salt")
render_base_properties("/app/templates/jans.properties.tmpl",
"/etc/jans/conf/jans.properties")
if persistence_type in ("ldap", "hybrid"):
render_ldap_properties(
manager,
"/app/templates/jans-ldap.properties.tmpl",
"/etc/jans/conf/jans-ldap.properties",
)
sync_ldap_truststore(manager)
if persistence_type in ("couchbase", "hybrid"):
render_couchbase_properties(
manager,
"/app/templates/jans-couchbase.properties.tmpl",
"/etc/jans/conf/jans-couchbase.properties",
)
# need to resolve whether we're using default or user-defined couchbase cert
sync_couchbase_truststore(manager)
if persistence_type == "hybrid":
render_hybrid_properties("/etc/jans/conf/jans-hybrid.properties")
if persistence_type == "sql":
render_sql_properties(
manager,
"/app/templates/jans-sql.properties.tmpl",
"/etc/jans/conf/jans-sql.properties",
)
if persistence_type == "spanner":
render_spanner_properties(
manager,
"/app/templates/jans-spanner.properties.tmpl",
"/etc/jans/conf/jans-spanner.properties",
)
if not all([
os.path.isfile("/etc/certs/web_https.crt"),
os.path.isfile("/etc/certs/web_https.key"),
]):
manager.secret.to_file("ssl_cert", "/etc/certs/web_https.crt")
manager.secret.to_file("ssl_key", "/etc/certs/web_https.key")
cert_to_truststore(
"web_https",
"/etc/certs/web_https.crt",
"/usr/lib/jvm/default-jvm/jre/lib/security/cacerts",
"changeit",
)
modify_jetty_xml()
modify_webdefault_xml()
modify_server_ini()
configure_logging()
plugins = discover_plugins()
modify_config_api_xml(plugins)
if "admin-ui" in plugins:
admin_ui_plugin = AdminUiPlugin(manager)
admin_ui_plugin.setup()
