feat: Jans linux setup refactor (#1328)

* refactor: jans-linux-setup use python libs to get ssl certificate

* refactor: jans-linux-setup use python libs to decode cert

* refactor: jans-linux-setup collecting properties

jans-linux-setup/jans_setup/setup_app/installers/jans_auth.py

@@ -5,6 +5,7 @@
 import uuid
 import shutil
 import json
+import tempfile
 
 from urllib.parse import urlparse
 
@@ -159,17 +160,16 @@ def import_openbanking_certificate(self):
         jwksUri = oxauth_config_json['jwksUri']
         o = urlparse(jwksUri)
         jwks_addr = o.netloc
-        ssl_cmd = shutil.which('openssl')
-        random_crt_fn = os.path.join(self.output_folder, '{}.crt'.format(os.urandom(3).hex()))
-        cmd = "echo -n | {} s_client -connect {}:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > {}".format(ssl_cmd, jwks_addr, random_crt_fn)
-        self.run(cmd, shell=True)
+        open_banking_cert = self.get_server_certificate(jwks_addr)
         alias = jwks_addr.replace('.', '_')
 
-        self.run([Config.cmd_keytool, '-import', '-trustcacerts', '-keystore', 
-                            Config.defaultTrustStoreFN, '-storepass', 'changeit', 
-                            '-noprompt', '-alias', alias, '-file', random_crt_fn])
+        with tempfile.TemporaryDirectory() as tmp_dir:
+            tmp_fn = os.path.join(tmp_dir, jwks_addr+'.crt')
+            self.writeFile(tmp_fn, open_banking_cert)
+            self.run([Config.cmd_keytool, '-import', '-trustcacerts', '-keystore', 
+                      Config.defaultTrustStoreFN, '-storepass', 'changeit', 
+                      '-noprompt', '-alias', alias, '-file', tmp_fn])
 
-        #os.remove(random_crt_fn)
 
     def import_openbanking_key(self):
         if os.path.isfile(Config.ob_key_fn) and os.path.isfile(Config.ob_cert_fn):

jans-linux-setup/jans_setup/setup_app/utils/collect_properties.py

@@ -196,10 +196,10 @@ def collect(self):
 
         ssl_subj = self.get_ssl_subject('/etc/certs/httpd.crt')
 
-        Config.countryCode = ssl_subj['C']
-        Config.state = ssl_subj['ST']
-        Config.city = ssl_subj['L']
-        Config.city = ssl_subj['L']
+        Config.countryCode = ssl_subj.get('countryName', '')
+        Config.state = ssl_subj.get('stateOrProvinceName', '')
+        Config.city = ssl_subj.get('localityName', '')
+        Config.admin_email = ssl_subj.get('emailAddress', '')
 
          #this is not good, but there is no way to retreive password from ldap
         if not Config.get('admin_password'):
@@ -209,11 +209,7 @@ def collect(self):
                 Config.admin_password = Config.cb_password
 
         if not Config.get('orgName'):
-            Config.orgName = ssl_subj['O']
-
-        #for service in jetty_services:
-        #    setup_prop[jetty_services[service][0]] = os.path.exists('/opt/jans/jetty/{0}/webapps/{0}.war'.format(service))
-
+            Config.orgName = ssl_subj.get('organizationName', '')
 
         for s in ['jansScimEnabled']:
             setattr(Config, s, oxConfiguration.get(s, False))
@@ -252,13 +248,6 @@ def collect(self):
         Config.installEleven = os.path.exists(os.path.join(Config.jetty_base, 'jans-eleven/start.ini'))
         Config.install_config_api = os.path.exists(os.path.join(Config.jansOptFolder, 'jans-config-api'))
 
-        result = dbUtils.search('ou=people,o=jans', search_filter='(&(uid=admin)(objectClass=jansPerson))')
-        if result:
-            Config.admin_inum = result['inum']
-            if 'mail' in result:
-                Config.admin_email = result['mail']
-
-
     def save(self):
         if os.path.exists(Config.setup_properties_fn):
             self.backupFile(Config.setup_properties_fn)

jans-linux-setup/jans_setup/setup_app/utils/crypto64.py

@@ -2,6 +2,8 @@
 import re
 import base64
 import json
+import socket
+import ssl
 
 from collections import OrderedDict
 from pathlib import Path
@@ -15,15 +17,10 @@
 class Crypto64:
 
     def get_ssl_subject(self, ssl_fn):
+        cert_info = ssl._ssl._test_decode_cert(ssl_fn)    
         retDict = {}
-        cmd = paths.cmd_openssl + ' x509  -noout -subject -nameopt RFC2253 -in {}'.format(ssl_fn)
-        s = self.run(cmd, shell=True)
-        s = s.strip() + ','
-
-        for k in ('emailAddress', 'CN', 'O', 'L', 'ST', 'C'):
-            rex = re.search('{}=(.*?),'.format(k), s)
-            retDict[k] = rex.groups()[0] if rex else ''
-
+        for subj in cert_info["subject"]:
+            retDict[subj[0][0]] = subj[0][1]
         return retDict
 
     def obscure(self, data=""):
@@ -327,3 +324,11 @@ def encode_test_passwords(self):
             Config.templateRenderingDict['oxauthClient_4_encoded_pw'] = self.obscure(Config.templateRenderingDict['oxauthClient_4_pw'])
         except:
             self.logIt("Error encoding test passwords", True)
+
+    def get_server_certificate(self, host):
+        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+        context = ssl.SSLContext()
+        ssl_sock = context.wrap_socket(sock, server_hostname=host)
+        ssl_sock.connect((host, 443))
+        cert_der = ssl_sock.getpeercert(True)
+        return ssl.DER_cert_to_PEM_cert(cert_der)

jans-linux-setup/jans_setup/setup_app/utils/properties_utils.py

@@ -455,7 +455,7 @@ def check_oxd_ssl_cert(self, oxd_hostname, oxd_port):
         self.writeFile(oxd_crt_fn, oxd_cert)
         ssl_subjects = self.get_ssl_subject(oxd_crt_fn)
 
-        if ssl_subjects['CN'] != oxd_hostname:
+        if ssl_subjects.get('commonName') != oxd_hostname:
             return ssl_subjects