chore(docker-jans-images): sync assets for images (#3412)

* build: update BUILD_DATE and JANS_SOURCE_VERSION * refactor: remove duplicated process of role-based secrets creation * fix: remove process to render auiConfiguration.properties * fix: remove obsoletes scopes * fix: add missing config-api auditLog config * fix: update Policy URI and TOS URI * fix: add missing config into persistence * build: update JANS_SOURCE_VERSION * fix: change jans-config-api openapi file * fix: prepopulate role scopes from config-api-rs-protect.json * build: update jans-fido2-client version * feat: load config-api scopes from config-api-rs-protect.json (if required)
JanssenProject · Dec 28, 2022 · 4daf5d0 · 4daf5d0
1 parent ee59332
commit 4daf5d0
Show file tree

Hide file tree

Showing 20 changed files with 171 additions and 742 deletions.
diff --git a/docker-jans-auth-server/Dockerfile b/docker-jans-auth-server/Dockerfile
@@ -56,7 +56,7 @@ RUN /opt/jython/bin/pip uninstall -y pip
 # ===========
 
 ENV CN_VERSION=1.0.6-SNAPSHOT
-ENV CN_BUILD_DATE='2022-12-01 12:38'
+ENV CN_BUILD_DATE='2022-12-25 08:14'
 ENV CN_SOURCE_URL=https://jenkins.jans.io/maven/io/jans/jans-auth-server/${CN_VERSION}/jans-auth-server-${CN_VERSION}.war
 
 # Install Jans Auth
@@ -88,8 +88,8 @@ ARG CASA_CONFIG_BUILD_DATE="2022-05-26 13:56"
 RUN wget -q https://jenkins.gluu.org/maven/org/gluu/casa-config/${CASA_CONFIG_VERSION}/casa-config-${CASA_CONFIG_VERSION}.jar -P /usr/share/java/
 
 # A workaround for Fido2 integration
-ARG FIDO2_CLIENT_VERSION=1.0.1
-ARG FIDO2_CLIENT_BUILD_DATE="2022-07-06 12:49"
+ARG FIDO2_CLIENT_VERSION=1.0.6-SNAPSHOT
+ARG FIDO2_CLIENT_BUILD_DATE="2022-12-27 10:01"
 RUN wget -q https://jenkins.jans.io/maven/io/jans/jans-fido2-client/${FIDO2_CLIENT_VERSION}/jans-fido2-client-${FIDO2_CLIENT_VERSION}.jar -P /usr/share/java/
 
 # =====================
@@ -118,7 +118,7 @@ RUN mkdir -p ${JETTY_BASE}/jans-auth/agama/fl \
     ${JETTY_BASE}/jans-auth/agama/scripts
 
 # janssenproject/jans SHA commit
-ENV JANS_SOURCE_VERSION=c9d1ed9cbb5de852fcada889f8c1f6be95d66c49
+ENV JANS_SOURCE_VERSION=bd2cdf8501d60959498078bbb31650965c321c73
 
 # note that as we're pulling from a monorepo (with multiple project in it)
 # we are using partial-clone and sparse-checkout to get the agama code

diff --git a/docker-jans-config-api/Dockerfile b/docker-jans-config-api/Dockerfile
@@ -43,7 +43,7 @@ RUN wget -q https://maven.jans.io/maven/io/jans/jython-installer/${JYTHON_VERSIO
 # ==========
 
 ENV CN_VERSION=1.0.6-SNAPSHOT
-ENV CN_BUILD_DATE='2022-12-01 12:42'
+ENV CN_BUILD_DATE='2022-12-25 08:17'
 ENV CN_SOURCE_URL=https://jenkins.jans.io/maven/io/jans/jans-config-api-server/${CN_VERSION}/jans-config-api-server-${CN_VERSION}.war
 
 # Install Jans Config API
@@ -74,19 +74,19 @@ RUN wget -q https://github.com/GluuFederation/gluu-snap/raw/${PYFACTER_VERSION}/
 
 RUN mkdir -p /usr/share/java
 
-ENV SCIM_PLUGIN_BUILD_DATE='2022-12-01 12:42'
+ENV SCIM_PLUGIN_BUILD_DATE='2022-12-22 12:53'
 ENV SCIM_PLUGIN_SOURCE_URL=https://jenkins.jans.io/maven/io/jans/jans-config-api/plugins/scim-plugin/${CN_VERSION}/scim-plugin-${CN_VERSION}-distribution.jar
 RUN wget -q ${SCIM_PLUGIN_SOURCE_URL} -O /usr/share/java/scim-plugin.jar
 
-ENV ADMIN_UI_PLUGIN_BUILD_DATE='2022-12-01 12:42'
+ENV ADMIN_UI_PLUGIN_BUILD_DATE='2022-12-22 12:53'
 ENV ADMIN_UI_PLUGIN_SOURCE_URL=https://jenkins.jans.io/maven/io/jans/jans-config-api/plugins/admin-ui-plugin/${CN_VERSION}/admin-ui-plugin-${CN_VERSION}-distribution.jar
 RUN wget -q ${ADMIN_UI_PLUGIN_SOURCE_URL} -O /usr/share/java/admin-ui-plugin.jar
 
-ENV FIDO2_PLUGIN_BUILD_DATE='2022-12-01 12:42'
+ENV FIDO2_PLUGIN_BUILD_DATE='2022-12-22 12:53'
 ENV FIDO2_PLUGIN_SOURCE_URL=https://jenkins.jans.io/maven/io/jans/jans-config-api/plugins/fido2-plugin/${CN_VERSION}/fido2-plugin-${CN_VERSION}-distribution.jar
 RUN wget -q ${FIDO2_PLUGIN_SOURCE_URL} -O /usr/share/java/fido2-plugin.jar
 
-ENV USER_MGT_PLUGIN_BUILD_DATE='2022-12-01 12:42'
+ENV USER_MGT_PLUGIN_BUILD_DATE='2022-12-22 12:53'
 ENV USER_MGT_PLUGIN_SOURCE_URL=https://jenkins.jans.io/maven/io/jans/jans-config-api/plugins/user-mgt-plugin/${CN_VERSION}/user-mgt-plugin-${CN_VERSION}-distribution.jar
 RUN wget -q ${USER_MGT_PLUGIN_SOURCE_URL} -O /usr/share/java/user-mgt-plugin.jar
 
@@ -114,9 +114,9 @@ RUN mkdir -p /opt/prometheus \
 # jans-linux-setup sync
 # =====================
 
-ENV JANS_SOURCE_VERSION=c9d1ed9cbb5de852fcada889f8c1f6be95d66c49
+ENV JANS_SOURCE_VERSION=bd2cdf8501d60959498078bbb31650965c321c73
 ARG JANS_SETUP_DIR=jans-linux-setup/jans_setup
-ARG JANS_CONFIG_API_DOCS=jans-config-api/docs
+ARG JANS_CONFIG_API_RESOURCES=jans-config-api/server/src/main/resources
 
 # note that as we're pulling from a monorepo (with multiple project in it)
 # we are using partial-clone and sparse-checkout to get the jans-linux-setup code
@@ -125,7 +125,7 @@ RUN git clone --filter blob:none --no-checkout https://github.com/janssenproject
     && git sparse-checkout init --cone \
     && git checkout ${JANS_SOURCE_VERSION} \
     && git sparse-checkout add ${JANS_SETUP_DIR} \
-    && git sparse-checkout add ${JANS_CONFIG_API_DOCS}
+    && git sparse-checkout add ${JANS_CONFIG_API_RESOURCES}
 
 RUN mkdir -p /etc/jans/conf \
     /app/static/rdbm \
@@ -143,7 +143,7 @@ RUN cd /tmp/jans \
     && cp ${JANS_SETUP_DIR}/schema/opendj_types.json /app/schema/ \
     && cp ${JANS_SETUP_DIR}/templates/jans-config-api/config.ldif /app/templates/jans-config-api/ \
     && cp ${JANS_SETUP_DIR}/templates/jans-config-api/dynamic-conf.json /app/templates/jans-config-api/ \
-    && cp ${JANS_CONFIG_API_DOCS}/jans-config-api-swagger-auto.yaml /app/static/
+    && cp ${JANS_CONFIG_API_RESOURCES}/config-api-rs-protect.json /app/static/
 
 # =======
 # Cleanup

diff --git a/docker-jans-config-api/requirements.txt b/docker-jans-config-api/requirements.txt
@@ -1,5 +1,4 @@
 # pinned to py3-grpcio version to avoid failure on native extension build
 grpcio==1.41.0
 libcst<0.4
-ruamel.yaml==0.16.10
 git+https://github.com/JanssenProject/jans@62b82583a211ceba7abaaf4fef5a118d1dec9ef8#egg=jans-pycloudlib&subdirectory=jans-pycloudlib
diff --git a/docker-jans-config-api/scripts/bootstrap.py b/docker-jans-config-api/scripts/bootstrap.py
@@ -31,12 +31,12 @@
 from jans.pycloudlib.utils import generate_base64_contents
 from jans.pycloudlib.utils import get_random_chars
 from jans.pycloudlib.utils import encode_text
+from jans.pycloudlib.utils import as_boolean
 
 from settings import LOGGING_CONFIG
 from plugins import AdminUiPlugin
 from plugins import discover_plugins
-from utils import parse_config_api_swagger
-from utils import generate_hex
+from utils import get_config_api_scope_mapping
 
 logging.config.dictConfig(LOGGING_CONFIG)
 logger = logging.getLogger("entrypoint")
@@ -227,8 +227,6 @@ def configure_logging():
         f.write(tmpl.safe_substitute(config))
 
 
-
-
 def configure_admin_ui_logging():
     # default config
     config = {
@@ -410,68 +408,37 @@ def ctx(self) -> dict[str, _t.Any]:
         # finalize ctx
         return ctx
 
-    def get_scope_jans_ids(self):
-        if self.persistence_type in ("sql", "spanner"):
-            entries = self.client.search("jansScope", ["jansId"])
-            return [entry["jansId"] for entry in entries]
-
-        if self.persistence_type == "couchbase":
-            bucket = os.environ.get("CN_COUCHBASE_BUCKET_PREFIX", "jans")
-            req = self.client.exec_query(
-                f"SELECT {bucket}.jansId FROM {bucket} WHERE objectClass = 'jansScope'",
-            )
-            results = req.json()["results"]
-            return [item["jansId"] for item in results]
-
-        # likely ldap
-        entries = self.client.search("ou=scopes,o=jans", "(objectClass=jansScope)", ["jansId"])
-        return [entry.entry_attributes_as_dict["jansId"][0] for entry in entries]
-
     def generate_scopes_ldif(self):
-        # jansId to compare to
-        existing_jans_ids = self.get_scope_jans_ids()
-
-        def generate_config_api_scopes():
-            swagger = parse_config_api_swagger()
-            scopes = swagger["components"]["securitySchemes"]["oauth2"]["flows"]["clientCredentials"]["scopes"]
-
-            generated_scopes = []
-            for jans_id, desc in scopes.items():
-                if jans_id in existing_jans_ids:
-                    continue
-
-                inum = f"1800.{generate_hex()}-{generate_hex()}"
-                attrs = {
-                    "creatorAttrs": [json.dumps({})],
-                    "description": [desc],
-                    "displayName": [f"Config API scope {jans_id}"],
-                    "inum": [inum],
-                    "jansAttrs": [json.dumps({"spontaneousClientScopes": None, "showInConfigurationEndpoint": True})],
-                    "jansId": [jans_id],
-                    "jansScopeTyp": ["oauth"],
-                    "objectClass": ["top", "jansScope"],
-                    "jansDefScope": ["false"],
-                }
-                generated_scopes.append(attrs)
-            return generated_scopes
-
         # prepare required scopes (if any)
         scopes = []
 
-        config_api_scopes = generate_config_api_scopes()
-        scopes += config_api_scopes
+        scope_mapping = get_config_api_scope_mapping()
+        for inum, meta in scope_mapping.items():
+            attrs = {
+                "creatorAttrs": [json.dumps({})],
+                "description": [f"Config API {meta['level']} {meta['name']}"],
+                "displayName": [f"Config API {meta['name']}"],
+                "inum": [inum],
+                "jansAttrs": [json.dumps({"spontaneousClientScopes": None, "showInConfigurationEndpoint": True})],
+                "jansId": [meta["name"]],
+                "jansScopeTyp": ["oauth"],
+                "objectClass": ["top", "jansScope"],
+                "jansDefScope": ["false"],
+            }
+            scopes.append(attrs)
 
         with open("/app/templates/jans-config-api/scopes.ldif", "wb") as fd:
             writer = LDIFWriter(fd, cols=1000)
             for scope in scopes:
                 writer.unparse(f"inum={scope['inum'][0]},ou=scopes,o=jans", scope)
 
     def import_ldif_files(self) -> None:
-        # temporarily disable dynamic scopes creation
-        # see https://github.com/JanssenProject/jans/issues/2869
-        # self.generate_scopes_ldif()
+        # create missing scopes, saved as scopes.ldif (if enabled)
+        if as_boolean(os.environ.get("CN_CONFIG_API_CREATE_SCOPES")):
+            logger.info("Missing scopes creation is enabled!")
+            self.generate_scopes_ldif()
 
-        files = ["config.ldif", "scopes.ldif", "clients.ldif"]
+        files = ["config.ldif", "scopes.ldif", "clients.ldif", "scim-scopes.ldif"]
         ldif_files = [f"/app/templates/jans-config-api/{file_}" for file_ in files]
 
         for file_ in ldif_files:

diff --git a/docker-jans-config-api/scripts/plugins.py b/docker-jans-config-api/scripts/plugins.py
@@ -1,7 +1,6 @@
 import logging.config
 import os
 import shutil
-import sys
 
 from jans.pycloudlib.utils import cert_to_truststore
 
@@ -52,21 +51,8 @@ class AdminUiPlugin:
     def __init__(self, manager):
         self.manager = manager
 
-    def render_config(self):
-        prop_key = "plugins_admin_ui_properties"
-
-        if not self.manager.secret.get(prop_key):
-            logger.error(f"Unable to find {prop_key} from secret")
-            sys.exit(1)
-
-        self.manager.secret.to_file(
-            prop_key,
-            "/opt/jans/jetty/jans-config-api/custom/config/auiConfiguration.properties",
-        )
-
     def setup(self):
         logger.info("Configuring admin-ui plugin")
-        self.render_config()
         self.import_token_server_cert()
 
     def import_token_server_cert(self):

diff --git a/docker-jans-config-api/scripts/upgrade.py b/docker-jans-config-api/scripts/upgrade.py
@@ -4,8 +4,6 @@
 import os
 from collections import namedtuple
 
-from ldif import LDIFWriter
-
 from jans.pycloudlib import get_manager
 from jans.pycloudlib.persistence import CouchbaseClient
 from jans.pycloudlib.persistence import LdapClient
@@ -14,10 +12,10 @@
 from jans.pycloudlib.persistence import PersistenceMapper
 from jans.pycloudlib.persistence import doc_id_from_dn
 from jans.pycloudlib.persistence import id_from_dn
+from jans.pycloudlib.utils import as_boolean
 
 from settings import LOGGING_CONFIG
-from utils import parse_config_api_swagger
-from utils import generate_hex
+from utils import get_config_api_scope_mapping
 
 logging.config.dictConfig(LOGGING_CONFIG)
 logger = logging.getLogger("entrypoint")
@@ -54,6 +52,13 @@ def _transform_api_dynamic_config(conf):
             ],
         }
         should_update = True
+
+    if "auditLogConf" not in conf:
+        conf["auditLogConf"] = {
+            "enabled": True,
+            "headerAttributes": ["User-inum"],
+        }
+        should_update = True
     return conf, should_update
 
 
@@ -245,9 +250,10 @@ def invoke(self):
         logger.info("Running upgrade process (if required)")
         self.update_client_redirect_uri()
         self.update_api_dynamic_config()
-        # temporarily disable client updates
-        # see https://github.com/JanssenProject/jans/issues/2869
-        # self.update_client_scopes()
+
+        # add missing scopes into internal config-api client (if enabled)
+        if as_boolean(os.environ.get("CN_CONFIG_API_CREATE_SCOPES")):
+            self.update_client_scopes()
 
     def update_client_redirect_uri(self):
         kwargs = {}
@@ -310,58 +316,6 @@ def update_api_dynamic_config(self):
             entry.attrs["jansRevision"] += 1
             self.backend.modify_entry(entry.id, entry.attrs, **kwargs)
 
-    def get_all_scopes(self):
-        if self.backend.type in ("sql", "spanner"):
-            kwargs = {"table_name": "jansScope"}
-            entries = self.backend.search_entries(None, **kwargs)
-        elif self.backend.type == "couchbase":
-            kwargs = {"bucket": os.environ.get("CN_COUCHBASE_BUCKET_PREFIX", "jans")}
-            entries = self.backend.search_entries(
-                None, filter_="WHERE objectClass = 'jansScope'", **kwargs
-            )
-        else:
-            # likely ldap
-            entries = self.backend.search_entries(
-                "ou=scopes,o=jans", filter_="(objectClass=jansScope)"
-            )
-
-        return {
-            entry.attrs["jansId"]: entry.attrs.get("dn") or entry.id
-            for entry in entries
-        }
-
-    def generate_scim_plugin_scopes(self):
-        all_scopes = self.get_all_scopes()
-        plugin_scopes = {
-            "https://jans.io/scim/users.read": "Query user resources",
-            "https://jans.io/scim/users.write": "Manage user resources",
-        }
-        generated_scopes = []
-
-        for jans_id, desc in plugin_scopes.items():
-            if jans_id in all_scopes:
-                continue
-
-            inum = f"1200.{generate_hex()}-{generate_hex()}"
-            attrs = {
-                "description": [desc],
-                "displayName": [f"SCIM scope {jans_id}"],
-                "inum": [inum],
-                "jansAttrs": [json.dumps({"spontaneousClientScopes": None, "showInConfigurationEndpoint": True})],
-                "jansId": [jans_id],
-                "jansScopeTyp": ["oauth"],
-                "objectClass": ["top", "jansScope"],
-                "jansDefScope": ["false"],
-            }
-            generated_scopes.append(attrs)
-
-        with open("/app/templates/jans-config-api/scim-scopes.ldif", "wb") as fd:
-            writer = LDIFWriter(fd)
-
-            for scope in generated_scopes:
-                writer.unparse(f"inum={scope['inum'][0]},ou=scopes,o=jans", scope)
-        self.backend.client.create_from_ldif("/app/templates/jans-config-api/scim-scopes.ldif", {})
-
     def update_client_scopes(self):
         kwargs = {}
         client_id = self.manager.config.get("jca_client_id")
@@ -387,31 +341,9 @@ def update_client_scopes(self):
         if not isinstance(client_scopes, list):
             client_scopes = [client_scopes]
 
-        # prepare scim plugin scopes
-        self.generate_scim_plugin_scopes()
-
-        # all scopes mapping from persistence
-        all_scopes = self.get_all_scopes()
-
-        # all potential scopes for client
-        new_client_scopes = []
-
-        # extract config_api scopes within range of jansId defined in swagger
-        swagger = parse_config_api_swagger()
-        config_api_jans_ids = list(swagger["components"]["securitySchemes"]["oauth2"]["flows"]["clientCredentials"]["scopes"].keys())
-        config_api_scopes = list({
-            dn for jid, dn in all_scopes.items()
-            if jid in config_api_jans_ids
-        })
-        new_client_scopes += config_api_scopes
-
-        # extract scim scopes within range of jansId defined in swagger
-        scim_jans_ids = ["https://jans.io/scim/users.read", "https://jans.io/scim/users.write"]
-        scim_scopes = list({
-            dn for jid, dn in all_scopes.items()
-            if jid in scim_jans_ids
-        })
-        new_client_scopes += scim_scopes
+        # all potential new scopes for client
+        scope_mapping = get_config_api_scope_mapping()
+        new_client_scopes = [f"inum={inum},ou=scopes,o=jans" for inum in scope_mapping.keys()]
 
         # find missing scopes from the client
         diff = list(set(new_client_scopes).difference(client_scopes))