From 5a17157c6d4c84e3500f64050afcdc519ea9f4be Mon Sep 17 00:00:00 2001 From: iromli Date: Wed, 16 Mar 2022 03:25:56 +0700 Subject: [PATCH 1/6] chore: update persistence-loader image - updated image LABELs - removed initial jansDefAcrValues value - enabled basic ext script - added redirect regex support --- docker-jans-persistence-loader/Dockerfile | 6 +- .../scripts/upgrade.py | 104 +++++++----------- .../templates/gluu-casa/clients.ldif | 1 - .../jans-config-api/admin-ui-clients.ldif | 2 - 4 files changed, 42 insertions(+), 71 deletions(-) diff --git a/docker-jans-persistence-loader/Dockerfile b/docker-jans-persistence-loader/Dockerfile index d24eac27c82..00052cf3826 100644 --- a/docker-jans-persistence-loader/Dockerfile +++ b/docker-jans-persistence-loader/Dockerfile @@ -169,11 +169,11 @@ ENV CN_CACHE_TYPE=NATIVE_PERSISTENCE \ # misc # ==== -LABEL name="Persistence" \ - maintainer="Janssen " \ +LABEL name="janssenproject/persistence-loader" \ + maintainer="Janssen Project " \ vendor="Janssen Project" \ version="1.0.0" \ - release="beta.15" \ + release="beta.16" \ summary="Janssen Authorization Server Persistence loader" \ description="Generate initial data for persistence layer" diff --git a/docker-jans-persistence-loader/scripts/upgrade.py b/docker-jans-persistence-loader/scripts/upgrade.py index 17bf5d4e9da..2cd1c32d720 100644 --- a/docker-jans-persistence-loader/scripts/upgrade.py +++ b/docker-jans-persistence-loader/scripts/upgrade.py @@ -60,6 +60,9 @@ def __init__(self): #: SCIM script DN JANS_SCIM_SCRIPT_DN = "inum=2DAF-F9A5,ou=scripts,o=jans" +#: Basic script DN +JANS_BASIC_SCRIPT_DN = "inum=A51E-76DA,ou=scripts,o=jans" + def _transform_auth_dynamic_config(conf): should_update = False 
@@ -111,6 +114,10 @@ def _transform_auth_dynamic_config(conf): )) should_update = True + if "redirectUrisRegexEnabled" not in conf: + conf["redirectUrisRegexEnabled"] = False + should_update = True + # return the conf and flag to determine whether it needs update or not return conf, should_update @@ -322,22 +329,6 @@ def update_attributes_entries(self): entry.attrs["jansClaimName"] = claim_name self.modify_entry(entry.id, entry.attrs, **kwargs) - def feature_flags(self): - kwargs = {} - entry = self.get_entry(JANS_SCIM_SCRIPT_DN, **kwargs) - - if not entry: - return - - env_enabled = as_boolean(os.environ.get("CN_SCIM_ENABLED", False)) - script_enabled = as_boolean(entry.attrs["jansEnabled"]) - - if script_enabled == env_enabled: - return - - entry.attrs["jansEnabled"] = env_enabled - self.modify_entry(entry.id, entry.attrs, **kwargs) - class SQLBackend(BaseBackend): def __init__(self, manager): @@ -491,22 +482,6 @@ def update_attributes_entries(self): entry.attrs["jansClaimName"] = claim_name self.modify_entry(entry.id, entry.attrs, **kwargs) - def feature_flags(self): - kwargs = {"table_name": "jansCustomScr"} - entry = self.get_entry(doc_id_from_dn(JANS_SCIM_SCRIPT_DN), **kwargs) - - if not entry: - return - - env_enabled = as_boolean(os.environ.get("CN_SCIM_ENABLED", False)) - script_enabled = as_boolean(entry.attrs["jansEnabled"]) - - if script_enabled == env_enabled: - return - - entry.attrs["jansEnabled"] = env_enabled - self.modify_entry(entry.id, entry.attrs, **kwargs) - class CouchbaseBackend(BaseBackend): def __init__(self, manager): 
@@ -721,22 +696,6 @@ def update_attributes_entries(self): entry.attrs["jansClaimName"] = claim_name self.modify_entry(entry.id, entry.attrs, **kwargs) - def feature_flags(self): - kwargs = {"bucket": os.environ.get("CN_COUCHBASE_BUCKET_PREFIX", "jans")} - entry = self.get_entry(id_from_dn(JANS_SCIM_SCRIPT_DN), **kwargs) - - if not entry: - return - - env_enabled = as_boolean(os.environ.get("CN_SCIM_ENABLED", False)) - script_enabled = as_boolean(entry.attrs["jansEnabled"]) - - if script_enabled == env_enabled: - return - - entry.attrs["jansEnabled"] = env_enabled - self.modify_entry(entry.id, entry.attrs, **kwargs) - class SpannerBackend(BaseBackend): def __init__(self, manager): @@ -890,22 +849,6 @@ def update_attributes_entries(self): entry.attrs["jansClaimName"] = claim_name self.modify_entry(entry.id, entry.attrs, **kwargs) - def feature_flags(self): - kwargs = {"table_name": "jansCustomScr"} - entry = self.get_entry(doc_id_from_dn(JANS_SCIM_SCRIPT_DN), **kwargs) - - if not entry: - return - - env_enabled = as_boolean(os.environ.get("CN_SCIM_ENABLED", False)) - script_enabled = as_boolean(entry.attrs["jansEnabled"]) - - if script_enabled == env_enabled: - return - - entry.attrs["jansEnabled"] = env_enabled - self.modify_entry(entry.id, entry.attrs, **kwargs) - class Upgrade: def __init__(self, manager): 
@@ -935,4 +878,35 @@ def invoke(self): self.backend.update_auth_dynamic_config() self.backend.update_attributes_entries() - self.backend.feature_flags() + self.update_scripts_entries() + + def update_scripts_entries(self): + # default to ldap persistence + kwargs = {} + scim_id = JANS_SCIM_SCRIPT_DN + basic_id = JANS_BASIC_SCRIPT_DN + + if self.backend.type in ("sql", "spanner"): + kwargs = {"table_name": "jansCustomScr"} + scim_id = doc_id_from_dn(scim_id) + basic_id = doc_id_from_dn(basic_id) + + if self.backend.type == "couchbase": + kwargs = {"bucket": os.environ.get("CN_COUCHBASE_BUCKET_PREFIX", "jans")} + scim_id = id_from_dn(scim_id) + basic_id = id_from_dn(basic_id) + + # toggle scim script + scim_entry = self.backend.get_entry(scim_id, **kwargs) + scim_enabled = as_boolean(os.environ.get("CN_SCIM_ENABLED", False)) + + if scim_entry and scim_entry.attrs["jansEnabled"] != scim_enabled: + scim_entry.attrs["jansEnabled"] = scim_enabled + self.backend.modify_entry(scim_entry.id, scim_entry.attrs, **kwargs) + + # always enable basic script + basic_entry = self.backend.get_entry(basic_id, **kwargs) + + if basic_entry and not as_boolean(basic_entry.attrs["jansEnabled"]): + basic_entry.attrs["jansEnabled"] = True + self.backend.modify_entry(basic_entry.id, basic_entry.attrs, **kwargs) diff --git a/docker-jans-persistence-loader/templates/gluu-casa/clients.ldif b/docker-jans-persistence-loader/templates/gluu-casa/clients.ldif index 1d373ba3197..172ed500d8c 100644 --- a/docker-jans-persistence-loader/templates/gluu-casa/clients.ldif +++ b/docker-jans-persistence-loader/templates/gluu-casa/clients.ldif 
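Review bot: The SCIM toggle compares the stored attribute directly, `scim_entry.attrs["jansEnabled"] != scim_enabled`, while the basic-script branch a few lines below normalizes with `as_boolean(...)`, as the four removed `feature_flags` methods did; on a backend that returns the attribute as a string the comparison never matches and the entry is rewritten on every upgrade run. Use `if scim_entry and as_boolean(scim_entry.attrs["jansEnabled"]) != scim_enabled:` so both branches apply the same normalization. Both branches also index `attrs["jansEnabled"]` directly, as the removed code did; if the attribute can be absent, `attrs.get("jansEnabled", False)` keeps a missing value from aborting the whole upgrade with a KeyError. `self.backend.type` is not defined anywhere in this hunk, so I assume each backend class sets it.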
@@ -10,7 +10,6 @@ jansAppTyp: web jansAttrs: {} # jansAttrs: {"tlsClientAuthSubjectDn":"","runIntrospectionScriptBeforeAccessTokenAsJwtCreationAndIncludeClaims":false,"keepClientAuthorizationAfterExpiration":false,"allowSpontaneousScopes":false,"spontaneousScopes":[],"spontaneousScopeScriptDns":[],"backchannelLogoutUri":[],"backchannelLogoutSessionRequired":false,"additionalAudience":[],"postAuthnScripts":[],"consentGatheringScripts":[],"introspectionScripts":[],"rptClaimsScripts":[],"parLifetime":600,"requirePar":false,"jansAuthSignedRespAlg":"RS256","jansAuthEncRespAlg":null,"jansAuthEncRespEnc":null} jansClntSecret: %(casa_client_encoded_pw)s -jansDefAcrValues: simple_password_auth jansDisabled: false jansGrantTyp: authorization_code jansGrantTyp: refresh_token diff --git a/docker-jans-persistence-loader/templates/jans-config-api/admin-ui-clients.ldif b/docker-jans-persistence-loader/templates/jans-config-api/admin-ui-clients.ldif index c13ad2d1f0d..f735c432970 100644 --- a/docker-jans-persistence-loader/templates/jans-config-api/admin-ui-clients.ldif +++ b/docker-jans-persistence-loader/templates/jans-config-api/admin-ui-clients.ldif @@ -9,7 +9,6 @@ jansAccessTknSigAlg: RS256 jansAppTyp: web jansAttrs: {"tlsClientAuthSubjectDn":"","runIntrospectionScriptBeforeAccessTokenAsJwtCreationAndIncludeClaims":false,"keepClientAuthorizationAfterExpiration":false,"allowSpontaneousScopes":false,"spontaneousScopes":[],"spontaneousScopeScriptDns":[],"backchannelLogoutUri":[],"backchannelLogoutSessionRequired":false,"additionalAudience":[],"postAuthnScripts":[],"consentGatheringScripts":[],"introspectionScripts":[],"rptClaimsScripts":[],"parLifetime":600,"requirePar":false,"jansAuthSignedRespAlg":"RS256","jansAuthEncRespAlg":null,"jansAuthEncRespEnc":null} jansClntSecret: %(admin_ui_client_encoded_pw)s -jansDefAcrValues: simple_password_auth jansDisabled: false jansGrantTyp: authorization_code jansGrantTyp: refresh_token 
@@ -44,7 +43,6 @@ jansAccessTknSigAlg: RS256 jansAttrs: {"tlsClientAuthSubjectDn":"","runIntrospectionScriptBeforeAccessTokenAsJwtCreationAndIncludeClaims":true,"keepClientAuthorizationAfterExpiration":false,"allowSpontaneousScopes":false,"spontaneousScopes":[],"spontaneousScopeScriptDns":[],"backchannelLogoutUri":[],"backchannelLogoutSessionRequired":false,"additionalAudience":[],"postAuthnScripts":[],"consentGatheringScripts":[],"introspectionScripts":["inum=A44E-4F3D,ou=scripts,o=jans"],"rptClaimsScripts":[],"parLifetime":600,"requirePar":false,"jansAuthSignedRespAlg":"RS256","jansAuthEncRespAlg":null,"jansAuthEncRespEnc":null} jansAppTyp: web jansClntSecret: %(token_server_admin_ui_client_encoded_pw)s -jansDefAcrValues: simple_password_auth jansDisabled: false jansGrantTyp: authorization_code jansGrantTyp: client_credentials From 8914477cfbe2df6d4eb52c74b35b71b29f9e124c Mon Sep 17 00:00:00 2001 From: iromli Date: Wed, 16 Mar 2022 03:54:08 +0700 Subject: [PATCH 2/6] chore: update persistence-loader image - set default redirectUrisRegexEnabled to true - refactor update_auth_dynamic_config --- .../scripts/upgrade.py | 84 ++++++++----------- .../templates/jans-auth/jans-auth-config.json | 2 +- .../jans-auth/jans-auth-config.ob.json | 2 +- 3 files changed, 36 insertions(+), 52 deletions(-) diff --git a/docker-jans-persistence-loader/scripts/upgrade.py b/docker-jans-persistence-loader/scripts/upgrade.py index 2cd1c32d720..ddfe870182f 100644 --- a/docker-jans-persistence-loader/scripts/upgrade.py +++ b/docker-jans-persistence-loader/scripts/upgrade.py @@ -52,7 +52,7 @@ def __init__(self): JANS_MANAGER_GROUP = "inum=60B7,ou=groups,o=jans" #: ID of jans-auth config -JANS_AUTH_CONFIG_ID = "ou=jans-auth,ou=configuration,o=jans" +JANS_AUTH_CONFIG_DN = "ou=jans-auth,ou=configuration,o=jans" #: View profile scope JANS_PROFILE_SCOPE_DN = "inum=43F1,ou=scopes,o=jans" 
@@ -115,7 +115,7 @@ def _transform_auth_dynamic_config(conf): should_update = True if "redirectUrisRegexEnabled" not in conf: - conf["redirectUrisRegexEnabled"] = False + conf["redirectUrisRegexEnabled"] = True should_update = True # return the conf and flag to determine whether it needs update or not @@ -304,17 +304,6 @@ def update_base_entries(self): entry.attrs["jansManagerGrp"] = JANS_MANAGER_GROUP self.modify_entry(JANS_BASE_ID, entry.attrs) - def update_auth_dynamic_config(self): - entry = self.get_entry(JANS_AUTH_CONFIG_ID) - if not entry: - return - - conf, should_update = _transform_auth_dynamic_config(json.loads(entry.attrs["jansConfDyn"])) - if should_update: - entry.attrs["jansConfDyn"] = json.dumps(conf) - entry.attrs["jansRevision"] += 1 - self.modify_entry(entry.id, entry.attrs) - def update_attributes_entries(self): kwargs = {} rows = collect_claim_names() @@ -456,18 +445,6 @@ def update_base_entries(self): entry.attrs["jansManagerGrp"] = JANS_MANAGER_GROUP self.modify_entry(id_, entry.attrs, **kwargs) - def update_auth_dynamic_config(self): - kwargs = {"table_name": "jansAppConf"} - entry = self.get_entry(doc_id_from_dn(JANS_AUTH_CONFIG_ID), **kwargs) - if not entry: - return - - conf, should_update = _transform_auth_dynamic_config(json.loads(entry.attrs["jansConfDyn"])) - if should_update: - entry.attrs["jansConfDyn"] = json.dumps(conf) - entry.attrs["jansRevision"] += 1 - self.modify_entry(entry.id, entry.attrs, **kwargs) - def update_attributes_entries(self): kwargs = {"table_name": "jansAttr"} rows = collect_claim_names() 
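Review bot: Flipping the backfill to `conf["redirectUrisRegexEnabled"] = True` changes behaviour for every existing deployment whose stored config lacks the key, not only for new installs, because this branch runs from the upgrade path. From the name I assume the flag switches redirect-URI checking from exact comparison to regex matching, which is the looser of the two, so silently enabling it on upgrade deserves at least a comment here such as `# NOTE: upgrades of older configs enable regex redirect-URI matching; keep in sync with the jans-auth-config templates` and a mention in the commit message. The same default is set in jans-auth-config.json and jans-auth-config.ob.json later in this patch.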
@@ -670,18 +647,6 @@ def update_base_entries(self): entry.attrs["jansManagerGrp"] = JANS_MANAGER_GROUP self.modify_entry(id_, entry.attrs, **kwargs) - def update_auth_dynamic_config(self): - kwargs = {"bucket": os.environ.get("CN_COUCHBASE_BUCKET_PREFIX", "jans")} - entry = self.get_entry(id_from_dn(JANS_AUTH_CONFIG_ID), **kwargs) - if not entry: - return - - conf, should_update = _transform_auth_dynamic_config(entry.attrs["jansConfDyn"]) - if should_update: - entry.attrs["jansConfDyn"] = conf - entry.attrs["jansRevision"] += 1 - self.modify_entry(entry.id, entry.attrs, **kwargs) - def update_attributes_entries(self): kwargs = {"bucket": os.environ.get("CN_COUCHBASE_BUCKET_PREFIX", "jans")} rows = collect_claim_names() @@ -823,18 +788,6 @@ def update_base_entries(self): entry.attrs["jansManagerGrp"] = JANS_MANAGER_GROUP self.modify_entry(id_, entry.attrs, **kwargs) - def update_auth_dynamic_config(self): - kwargs = {"table_name": "jansAppConf"} - entry = self.get_entry(doc_id_from_dn(JANS_AUTH_CONFIG_ID), **kwargs) - if not entry: - return - - conf, should_update = _transform_auth_dynamic_config(json.loads(entry.attrs["jansConfDyn"])) - if should_update: - entry.attrs["jansConfDyn"] = json.dumps(conf) - entry.attrs["jansRevision"] += 1 - self.modify_entry(entry.id, entry.attrs, **kwargs) - def update_attributes_entries(self): kwargs = {"table_name": "jansAttr"} rows = collect_claim_names() @@ -866,6 +819,7 @@ def __init__(self, manager): self.backend = backend_cls(manager) def invoke(self): + # TODO: refactor all self.backend.update_ to this class method logger.info("Running upgrade process (if required)") self.backend.update_people_entries() self.backend.update_scopes_entries() @@ -876,7 +830,7 @@ def invoke(self): if hasattr(self.backend, "update_misc"): self.backend.update_misc() - self.backend.update_auth_dynamic_config() + self.update_auth_dynamic_config() self.backend.update_attributes_entries() self.update_scripts_entries() 
@@ -910,3 +864,33 @@ def update_scripts_entries(self): if basic_entry and not as_boolean(basic_entry.attrs["jansEnabled"]): basic_entry.attrs["jansEnabled"] = True self.backend.modify_entry(basic_entry.id, basic_entry.attrs, **kwargs) + + def update_auth_dynamic_config(self): + # default to ldap persistence + kwargs = {} + id_ = JANS_AUTH_CONFIG_DN + + if self.backend.type in ("sql", "spanner"): + kwargs = {"table_name": "jansAppConf"} + id_ = doc_id_from_dn(id_) + + if self.backend.type == "couchbase": + kwargs = {"bucket": os.environ.get("CN_COUCHBASE_BUCKET_PREFIX", "jans")} + id_ = id_from_dn(id_) + + entry = self.backend.get_entry(id_, **kwargs) + + if not entry: + return + + if self.backend.type != "couchbase": + entry.attrs["jansConfDyn"] = json.loads(entry.attrs["jansConfDyn"]) + + conf, should_update = _transform_auth_dynamic_config(entry.attrs["jansConfDyn"]) + + if should_update: + if self.backend.type != "couchbase": + entry.attrs["jansConfDyn"] = json.dumps(conf) + + entry.attrs["jansRevision"] += 1 + self.backend.modify_entry(entry.id, entry.attrs, **kwargs) diff --git a/docker-jans-persistence-loader/templates/jans-auth/jans-auth-config.json b/docker-jans-persistence-loader/templates/jans-auth/jans-auth-config.json index 74eaa9c066b..7be5e935cf2 100644 --- a/docker-jans-persistence-loader/templates/jans-auth/jans-auth-config.json +++ b/docker-jans-persistence-loader/templates/jans-auth/jans-auth-config.json @@ -436,5 +436,5 @@ "deviceAuthzRequestExpiresIn": 1800, "deviceAuthzTokenPollInterval": 5, "deviceAuthzResponseTypeToProcessAuthz": "code", - "redirectUrisRegexEnabled": false + "redirectUrisRegexEnabled": true } diff --git a/docker-jans-persistence-loader/templates/jans-auth/jans-auth-config.ob.json b/docker-jans-persistence-loader/templates/jans-auth/jans-auth-config.ob.json index 8ebd000b25a..05559f2ecb5 100644 --- a/docker-jans-persistence-loader/templates/jans-auth/jans-auth-config.ob.json 
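Review bot: `entry.attrs["jansConfDyn"]` is overwritten in place with the parsed dict before `_transform_auth_dynamic_config` runs and is only serialized back when `should_update` is true, so on the no-update path `attrs` is left holding a dict where the backend stored a string, and the couchbase special case has to be repeated twice. Keeping the parsed config in a local and deciding serialization once, as below, reads more clearly and keeps the entry untouched until it is actually written. `entry.attrs["jansRevision"] += 1` is carried over from the removed per-backend methods and assumes the stored revision is already numeric.
```python
        entry = self.backend.get_entry(id_, **kwargs)

        if not entry:
            return

        # the couchbase entry already holds a parsed mapping; the other
        # backends store jansConfDyn as a JSON string
        is_couchbase = self.backend.type == "couchbase"
        raw_conf = entry.attrs["jansConfDyn"]
        conf, should_update = _transform_auth_dynamic_config(
            raw_conf if is_couchbase else json.loads(raw_conf)
        )

        if should_update:
            entry.attrs["jansConfDyn"] = conf if is_couchbase else json.dumps(conf)
            entry.attrs["jansRevision"] += 1
            self.backend.modify_entry(entry.id, entry.attrs, **kwargs)
```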
+++ b/docker-jans-persistence-loader/templates/jans-auth/jans-auth-config.ob.json @@ -360,5 +360,5 @@ "deviceAuthzResponseTypeToProcessAuthz": "code", "staticKid": "%(staticKid)s", "forceOfflineAccessScopeToEnableRefreshToken" : false, - "redirectUrisRegexEnabled": false + "redirectUrisRegexEnabled": true } From 4fc47b38ee6950d8aea9c98e080a82a5de0701fb Mon Sep 17 00:00:00 2001 From: iromli Date: Wed, 16 Mar 2022 05:49:40 +0700 Subject: [PATCH 3/6] chore: update images - removed deploy directory - updated image LABELs - updated upstream source --- docker-jans-auth-server/Dockerfile | 6 +++--- docker-jans-certmanager/Dockerfile | 6 +++--- docker-jans-client-api/Dockerfile | 12 +++++------- docker-jans-client-api/scripts/entrypoint.sh | 6 +----- docker-jans-config-api/Dockerfile | 8 ++++---- docker-jans-configurator/Dockerfile | 10 +++++----- docker-jans-fido2/Dockerfile | 8 ++++---- docker-jans-scim/Dockerfile | 6 +++--- 8 files changed, 28 insertions(+), 34 deletions(-) diff --git a/docker-jans-auth-server/Dockerfile b/docker-jans-auth-server/Dockerfile index 469e8e66e83..f8f32916226 100644 --- a/docker-jans-auth-server/Dockerfile +++ b/docker-jans-auth-server/Dockerfile @@ -52,7 +52,7 @@ RUN wget -q https://github.com/fabioz/PyDev.Debugger/archive/refs/tags/pydev_deb # =========== ENV CN_VERSION=1.0.0-SNAPSHOT -ENV CN_BUILD_DATE='2022-03-10 11:31' +ENV CN_BUILD_DATE='2022-03-15 17:19' ENV CN_SOURCE_URL=https://jenkins.jans.io/maven/io/jans/jans-auth-server/${CN_VERSION}/jans-auth-server-${CN_VERSION}.war # Install Jans Auth @@ -210,11 +210,11 @@ ENV CN_MAX_RAM_PERCENTAGE=75.0 \ # misc stuff # ========== -LABEL name="Janssen Authorization Server" \ +LABEL name="janssenproject/auth-server" \ maintainer="Janssen Project " \ vendor="Janssen Project" \ version="1.0.0" \ - release="beta.15" \ + release="beta.16" \ summary="Janssen Authorization Server" \ description="OAuth 2.0 server and client; OpenID Connect Provider (OP) & UMA Authorization Server (AS)" 
diff --git a/docker-jans-certmanager/Dockerfile b/docker-jans-certmanager/Dockerfile index 692576b512e..41494d2f63c 100644 --- a/docker-jans-certmanager/Dockerfile +++ b/docker-jans-certmanager/Dockerfile @@ -17,7 +17,7 @@ RUN apk update \ # JAR files required to generate OpenID Connect keys ENV CN_VERSION=1.0.0-SNAPSHOT -ENV CN_BUILD_DATE='2022-03-07 16:25' +ENV CN_BUILD_DATE='2022-03-15 17:18' ENV CN_SOURCE_URL=https://jenkins.jans.io/maven/io/jans/jans-auth-client/${CN_VERSION}/jans-auth-client-${CN_VERSION}-jar-with-dependencies.jar RUN wget -q ${CN_SOURCE_URL} -P /app/javalibs/ @@ -133,11 +133,11 @@ ENV CN_WAIT_MAX_TIME=300 \ # misc # ==== -LABEL name="Certmanager" \ +LABEL name="janssenproject/certmanager" \ maintainer="Janssen Project " \ vendor="Janssen Project" \ version="1.0.0" \ - release="b12" \ + release="beta.16" \ summary="Janssen Certmanager" \ description="Manage certs and crypto keys for Janssen Server" diff --git a/docker-jans-client-api/Dockerfile b/docker-jans-client-api/Dockerfile index 8491d17f5a7..fa9e317f981 100644 --- a/docker-jans-client-api/Dockerfile +++ b/docker-jans-client-api/Dockerfile @@ -16,7 +16,7 @@ RUN apk update \ # ========== ENV CN_VERSION=1.0.0-SNAPSHOT -ENV CN_BUILD_DATE='2022-03-10 17:03' +ENV CN_BUILD_DATE='2022-03-15 08:49' ENV CN_SOURCE_URL=https://jenkins.jans.io/maven/io/jans/jans-client-api-server/${CN_VERSION}/jans-client-api-server-${CN_VERSION}-distribution.zip RUN wget -q ${CN_SOURCE_URL} -O /tmp/client-api.zip \ 
@@ -134,15 +134,15 @@ ENV CN_MAX_RAM_PERCENTAGE=75.0 \ # misc # ==== -LABEL name="Client API" \ +LABEL name="janssenproject/client-api" \ maintainer="Janssen Project " \ - vendor="Janssen" \ + vendor="Janssen Project" \ version="1.0.0" \ - release="b12" \ + release="beta.16" \ summary="Janssen Client API" \ description="Client software to secure apps with OAuth 2.0, OpenID Connect, and UMA" -RUN mkdir -p /etc/certs /app/templates/ /deploy /etc/jans/conf /opt/client-api/logs +RUN mkdir -p /etc/certs /app/templates/ /etc/jans/conf /opt/client-api/logs COPY scripts /app/scripts COPY templates/*.tmpl /app/templates/ RUN chmod +x /app/scripts/entrypoint.sh @@ -153,11 +153,9 @@ RUN adduser -s /bin/sh -D -G root -u 1000 1000 # adjust ownership RUN chown -R 1000:1000 /app/templates \ && chown -R 1000:1000 /etc/jans \ - && chown -R 1000:1000 /deploy \ && chown -R 1000:1000 /tmp \ && chown -R 1000:1000 /opt/client-api \ && chgrp -R 0 /tmp && chmod -R g=u /tmp \ - && chgrp -R 0 /deploy && chmod -R g=u /deploy \ && chgrp -R 0 /etc/certs && chmod -R g=u /etc/certs \ && chgrp -R 0 /etc/jans && chmod -R g=u /etc/jans \ && chgrp -R 0 /opt/client-api && chmod -R g=u /opt/client-api \ diff --git a/docker-jans-client-api/scripts/entrypoint.sh b/docker-jans-client-api/scripts/entrypoint.sh index ceabae56bda..fae269d0acb 100644 --- a/docker-jans-client-api/scripts/entrypoint.sh +++ b/docker-jans-client-api/scripts/entrypoint.sh @@ -3,11 +3,7 @@ set -e python3 /app/scripts/wait.py - -if [ ! -f /deploy/touched ]; then - python3 /app/scripts/bootstrap.py - touch /deploy/touched -fi +python3 /app/scripts/bootstrap.py # run the server # customized `/opt/client-api/bin/client-api-start.sh` diff --git a/docker-jans-config-api/Dockerfile b/docker-jans-config-api/Dockerfile index 3d40637fee8..19b2e958cd9 100644 --- a/docker-jans-config-api/Dockerfile +++ b/docker-jans-config-api/Dockerfile 
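Review bot: Dropping the `/deploy/touched` guard in entrypoint.sh makes `python3 /app/scripts/bootstrap.py` run on every container start, including restarts of the same container, where it previously ran once per deploy directory. That is only safe if bootstrap.py is idempotent, which this patch does not show, so I cannot confirm it; if it regenerates keys, certificates or rendered templates, a restart would overwrite state the running server depends on. A one-line comment above the call, `# bootstrap runs on every start and must stay idempotent`, would record the new contract for the next change to that script.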
@@ -32,7 +32,7 @@ RUN wget -q https://repo1.maven.org/maven2/org/eclipse/jetty/jetty-home/${JETTY_ # ========== ENV CN_VERSION=1.0.0-SNAPSHOT -ENV CN_BUILD_DATE='2022-03-10 11:34' +ENV CN_BUILD_DATE='2022-03-15 20:31' ENV CN_SOURCE_URL=https://jenkins.jans.io/maven/io/jans/jans-config-api-server/${CN_VERSION}/jans-config-api-server-${CN_VERSION}.war # Install Jans Config API @@ -175,11 +175,11 @@ ENV CN_MAX_RAM_PERCENTAGE=75.0 \ # misc # ==== -LABEL name="Config API" \ +LABEL name="janssenproject/config-api" \ maintainer="Janssen Project " \ - vendor="Janssen" \ + vendor="Janssen Project" \ version="1.0.0" \ - release="beta.15" \ + release="beta.16" \ summary="Janssen Config API" \ description="" diff --git a/docker-jans-configurator/Dockerfile b/docker-jans-configurator/Dockerfile index 6d53fec3e0a..f20bdad2f8f 100644 --- a/docker-jans-configurator/Dockerfile +++ b/docker-jans-configurator/Dockerfile @@ -17,7 +17,7 @@ RUN apk update \ # JAR files required to generate OpenID Connect keys ENV CN_VERSION=1.0.0-SNAPSHOT -ENV CN_BUILD_DATE='2022-03-07 16:25' +ENV CN_BUILD_DATE='2022-03-15 17:18' ENV CN_SOURCE_URL=https://jenkins.jans.io/maven/io/jans/jans-auth-client/${CN_VERSION}/jans-auth-client-${CN_VERSION}-jar-with-dependencies.jar RUN wget -q ${CN_SOURCE_URL} -P /app/javalibs/ @@ -110,11 +110,11 @@ ENV CN_WAIT_MAX_TIME=300 \ # misc # ==== -LABEL name="configurator" \ - maintainer="Janssen " \ - vendor="Janssen" \ +LABEL name="janssenproject/configurator" \ + maintainer="Janssen Project " \ + vendor="Janssen Project" \ version="1.0.0" \ - release="b12" \ + release="beta.16" \ summary="Janssen Configuration Manager" \ description="Manage config and secret" diff --git a/docker-jans-fido2/Dockerfile b/docker-jans-fido2/Dockerfile index e4a032a26f6..e139167150d 100644 --- a/docker-jans-fido2/Dockerfile +++ b/docker-jans-fido2/Dockerfile 
@@ -35,7 +35,7 @@ EXPOSE 8080 # ===== ENV CN_VERSION=1.0.0-SNAPSHOT -ENV CN_BUILD_DATE='2022-03-10 08:13' +ENV CN_BUILD_DATE='2022-03-15 17:18' ENV CN_SOURCE_URL=https://jenkins.jans.io/maven/io/jans/jans-fido2-server/${CN_VERSION}/jans-fido2-server-${CN_VERSION}.war # Install FIDO2 @@ -149,11 +149,11 @@ ENV CN_MAX_RAM_PERCENTAGE=75.0 \ # misc stuff # ========== -LABEL name="FIDO2" \ - maintainer="Janssen io " \ +LABEL name="janssenproject/fido2" \ + maintainer="Janssen Project " \ vendor="Janssen Project" \ version="1.0.0" \ - release="beta.15" \ + release="beta.16" \ summary="Janssen FIDO2" \ description="FIDO2 server" diff --git a/docker-jans-scim/Dockerfile b/docker-jans-scim/Dockerfile index 2b43b6683c8..d7e108f0f5e 100644 --- a/docker-jans-scim/Dockerfile +++ b/docker-jans-scim/Dockerfile @@ -45,7 +45,7 @@ RUN wget -q https://ox.gluu.org/maven/org/gluufederation/jython-installer/${JYTH # ==== ENV CN_VERSION=1.0.0-SNAPSHOT -ENV CN_BUILD_DATE='2022-03-10 11:32' +ENV CN_BUILD_DATE='2022-03-15 20:30' ENV CN_SOURCE_URL=https://jenkins.jans.io/maven/io/jans/jans-scim-server/${CN_VERSION}/jans-scim-server-${CN_VERSION}.war # Install SCIM @@ -158,11 +158,11 @@ ENV CN_MAX_RAM_PERCENTAGE=75.0 \ # misc stuff # ========== -LABEL name="SCIM" \ +LABEL name="janssenproject/scim" \ maintainer="Janssen Project " \ vendor="Janssen Project" \ version="1.0.0" \ - release="beta.15" \ + release="beta.16" \ summary="Janssen SCIM" \ description="SCIM server" From 1bf5a303f7b1189b7eb95529e7220b3a9832bbdc Mon Sep 17 00:00:00 2001 From: iromli Date: Wed, 16 Mar 2022 23:45:45 +0700 Subject: [PATCH 4/6] refactor: unify backend class methods as upgrader methods --- .../scripts/upgrade.py | 428 ++++++------------ 1 file changed, 145 insertions(+), 283 deletions(-) diff --git a/docker-jans-persistence-loader/scripts/upgrade.py b/docker-jans-persistence-loader/scripts/upgrade.py index ddfe870182f..d980ac9ecba 100644 --- a/docker-jans-persistence-loader/scripts/upgrade.py 
+++ b/docker-jans-persistence-loader/scripts/upgrade.py @@ -46,7 +46,7 @@ def __init__(self): #: ID of base entry -JANS_BASE_ID = "o=jans" +JANS_BASE_DN = "o=jans" #: ID of manager group JANS_MANAGER_GROUP = "inum=60B7,ou=groups,o=jans" @@ -63,6 +63,14 @@ def __init__(self): #: Basic script DN JANS_BASIC_SCRIPT_DN = "inum=A51E-76DA,ou=scripts,o=jans" +#: SCIM users.read scope +JANS_SCIM_USERS_READ_SCOPE_DN = "inum=1200.2B7428,ou=scopes,o=jans" + +#: SCIM users.write scope +JANS_SCIM_USERS_WRITE_SCOPE_DN = "inum=1200.0A0198,ou=scopes,o=jans" + +DEFAULT_JANS_ATTRS = '{"spontaneousClientId":null,"spontaneousClientScopes":null,"showInConfigurationEndpoint":true}' + def _transform_auth_dynamic_config(conf): should_update = False @@ -213,31 +221,6 @@ def modify_entry(self, key, attrs=None, **kwargs): attrs[k] = [(mod, v)] return self.client.modify(key, attrs) - def update_people_entries(self): - # add jansAdminUIRole to default admin user - admin_inum = self.manager.config.get("admin_inum") - id_ = f"inum={admin_inum},ou=people,o=jans" - kwargs = {} - - entry = self.get_entry(id_, **kwargs) - if not entry: - return - - if "jansAdminUIRole" not in entry.attrs: - entry.attrs["jansAdminUIRole"] = ["api-admin"] - self.modify_entry(id_, entry.attrs, **kwargs) - - def update_scopes_entries(self): - # add jansAdminUIRole claim to profile scope - kwargs = {} - entry = self.get_entry(JANS_PROFILE_SCOPE_DN, **kwargs) - if not entry: - return - - attrs, should_update = _transform_profile_scope(entry.attrs) - if should_update: - self.modify_entry(entry.id, attrs, **kwargs) - def update_clients_entries(self): # modify redirect UI of config-api client def _update_jca_client(): 
@@ -279,45 +262,6 @@ def _update_token_server_client(): _update_jca_client() _update_token_server_client() - def update_scim_scopes_entries(self): - # add jansAttrs to SCIM users.read and users.write scopes - ids = self.jans_scim_scopes - kwargs = {} - - for id_ in ids: - entry = self.get_entry(id_, **kwargs) - if not entry: - continue - - if "jansAttrs" not in entry.attrs: - entry.attrs[ - "jansAttrs"] = self.jans_attrs - self.modify_entry(id_, entry.attrs, **kwargs) - - def update_base_entries(self): - # add jansManagerGrp to base entry - entry = self.get_entry(JANS_BASE_ID) - if not entry: - return - - if not entry.attrs.get("jansManagerGrp"): - entry.attrs["jansManagerGrp"] = JANS_MANAGER_GROUP - self.modify_entry(JANS_BASE_ID, entry.attrs) - - def update_attributes_entries(self): - kwargs = {} - rows = collect_claim_names() - - for dn, claim_name in rows.items(): - entry = self.get_entry(dn, **kwargs) - - # jansClaimName already set - if "jansClaimName" in entry.attrs and entry.attrs["jansClaimName"]: - continue - - entry.attrs["jansClaimName"] = claim_name - self.modify_entry(entry.id, entry.attrs, **kwargs) - class SQLBackend(BaseBackend): def __init__(self, manager): 
@@ -339,33 +283,6 @@ def modify_entry(self, key, attrs=None, **kwargs): table_name = kwargs.get("table_name") return self.client.update(table_name, key, attrs), "" - def update_people_entries(self): - # add jansAdminUIRole to default admin user - admin_inum = self.manager.config.get("admin_inum") - id_ = doc_id_from_dn(f"inum={admin_inum},ou=people,o=jans") - kwargs = {"table_name": "jansPerson"} - - entry = self.get_entry(id_, **kwargs) - if not entry: - return - - # sql entry may have empty jansAdminUIRole hash ({"v": []}) - if not entry.attrs["jansAdminUIRole"]["v"]: - entry.attrs["jansAdminUIRole"] = {"v": ["api-admin"]} - self.modify_entry(id_, entry.attrs, **kwargs) - - def update_scopes_entries(self): - # add jansAdminUIRole claim to profile scope - kwargs = {"table_name": "jansScope"} - entry = self.get_entry(doc_id_from_dn(JANS_PROFILE_SCOPE_DN), **kwargs) - - if not entry: - return - - attrs, should_update = _transform_profile_scope(entry.attrs) - if should_update: - self.modify_entry(entry.id, attrs, **kwargs) - def update_clients_entries(self): # modify redirect UI of config-api client def _update_jca_client(): 
@@ -417,48 +334,6 @@ def _update_token_server_client(): _update_jca_client() _update_token_server_client() - def update_scim_scopes_entries(self): - # add jansAttrs to SCIM users.read and users.write scopes - ids = [doc_id_from_dn(scope) for scope in self.jans_scim_scopes] - kwargs = {"table_name": "jansScope"} - - for id_ in ids: - entry = self.get_entry(id_, **kwargs) - if not entry: - continue - - if "jansAttrs" not in entry.attrs: - entry.attrs[ - "jansAttrs"] = self.jans_attrs - self.modify_entry(id_, entry.attrs, **kwargs) - - def update_base_entries(self): - # add jansManagerGrp to base entry - id_ = doc_id_from_dn(JANS_BASE_ID) - kwargs = {"table_name": "jansOrganization"} - - entry = self.get_entry(id_, **kwargs) - if not entry: - return - - if not entry.attrs.get("jansManagerGrp"): - entry.attrs["jansManagerGrp"] = JANS_MANAGER_GROUP - self.modify_entry(id_, entry.attrs, **kwargs) - - def update_attributes_entries(self): - kwargs = {"table_name": "jansAttr"} - rows = collect_claim_names() - - for dn, claim_name in rows.items(): - entry = self.get_entry(doc_id_from_dn(dn), **kwargs) - - # jansClaimName already set - if "jansClaimName" in entry.attrs and entry.attrs["jansClaimName"]: - continue - - entry.attrs["jansClaimName"] = claim_name - self.modify_entry(entry.id, entry.attrs, **kwargs) - class CouchbaseBackend(BaseBackend): def __init__(self, manager): 
@@ -518,33 +393,6 @@ def modify_entry(self, key, attrs=None, **kwargs): message = req.text or req.reason return status, message - def update_people_entries(self): - # add jansAdminUIRole to default admin user - admin_inum = self.manager.config.get("admin_inum") - id_ = id_from_dn(f"inum={admin_inum},ou=people,o=jans") - bucket = os.environ.get("CN_COUCHBASE_BUCKET_PREFIX", "jans") - kwargs = {"bucket": f"{bucket}_user"} - - entry = self.get_entry(id_, **kwargs) - if not entry: - return - - if "jansAdminUIRole" not in entry.attrs: - entry.attrs["jansAdminUIRole"] = ["api-admin"] - self.modify_entry(id_, entry.attrs, **kwargs) - - def update_scopes_entries(self): - # add jansAdminUIRole claim to profile scope - kwargs = {"bucket": os.environ.get("CN_COUCHBASE_BUCKET_PREFIX", "jans")} - entry = self.get_entry(id_from_dn(JANS_PROFILE_SCOPE_DN), **kwargs) - - if not entry: - return - - attrs, should_update = _transform_profile_scope(entry.attrs) - if should_update: - self.modify_entry(entry.id, attrs, **kwargs) - def update_clients_entries(self): # modify redirect UI of config-api client def _update_jca_client(): @@ -596,22 +444,6 @@ def _update_token_server_client(): _update_jca_client() _update_token_server_client() - def update_scim_scopes_entries(self): - # add jansAttrs to SCIM users.read and users.write scopes - ids = map(id_from_dn, self.jans_scim_scopes) - bucket = os.environ.get("CN_COUCHBASE_BUCKET_PREFIX", "jans") - kwargs = {"bucket": bucket} - - for id_ in ids: - entry = self.get_entry(id_, **kwargs) - if not entry: - continue - - if "jansAttrs" not in entry.attrs: - entry.attrs[ - "jansAttrs"] = self.jans_attrs - self.modify_entry(id_, entry.attrs, **kwargs) - def update_misc(self): # 1 - fix objectclass for scim and config-api where it has lowecased objectclass instead of objectClass bucket = os.environ.get("CN_COUCHBASE_BUCKET_PREFIX", "jans") 
@@ -633,34 +465,6 @@ def update_misc(self):
 # drop the index
 self.client.exec_query(f'DROP INDEX `{bucket}`.`def_jans_fix_oc`')
- def update_base_entries(self):
- # add jansManagerGrp to base entry
- id_ = id_from_dn(JANS_BASE_ID)
- bucket = os.environ.get("CN_COUCHBASE_BUCKET_PREFIX", "jans")
- kwargs = {"bucket": bucket}
-
- entry = self.get_entry(id_, **kwargs)
- if not entry:
- return
-
- if not entry.attrs.get("jansManagerGrp"):
- entry.attrs["jansManagerGrp"] = JANS_MANAGER_GROUP
- self.modify_entry(id_, entry.attrs, **kwargs)
-
- def update_attributes_entries(self):
- kwargs = {"bucket": os.environ.get("CN_COUCHBASE_BUCKET_PREFIX", "jans")}
- rows = collect_claim_names()
-
- for dn, claim_name in rows.items():
- entry = self.get_entry(id_from_dn(dn), **kwargs)
-
- # jansClaimName already set
- if "jansClaimName" in entry.attrs and entry.attrs["jansClaimName"]:
- continue
-
- entry.attrs["jansClaimName"] = claim_name
- self.modify_entry(entry.id, entry.attrs, **kwargs)
-
 class SpannerBackend(BaseBackend):
 def __init__(self, manager):
@@ -682,33 +486,6 @@ def modify_entry(self, key, attrs=None, **kwargs):
 table_name = kwargs.get("table_name")
 return self.client.update(table_name, key, attrs), ""
- def update_people_entries(self):
- # add jansAdminUIRole to default admin user
- admin_inum = self.manager.config.get("admin_inum")
- id_ = doc_id_from_dn(f"inum={admin_inum},ou=people,o=jans")
- kwargs = {"table_name": "jansPerson"}
-
- entry = self.get_entry(id_, **kwargs)
- if not entry:
- return
-
- # sql entry may have empty jansAdminUIRole hash ({"v": []})
- if not entry.attrs["jansAdminUIRole"]:
- entry.attrs["jansAdminUIRole"] = ["api-admin"]
- self.modify_entry(id_, entry.attrs, **kwargs)
-
- def update_scopes_entries(self):
- # add jansAdminUIRole claim to profile scope
- kwargs = {"table_name": "jansScope"}
- entry = self.get_entry(doc_id_from_dn(JANS_PROFILE_SCOPE_DN), **kwargs)
-
- if not entry:
- return
-
- attrs, should_update = _transform_profile_scope(entry.attrs)
- if should_update:
- self.modify_entry(entry.id, attrs, **kwargs)
-
 def update_clients_entries(self):
 # modify redirect UI of config-api client
 def _update_jca_client():
@@ -760,48 +537,6 @@ def _update_token_server_client():
 _update_jca_client()
 _update_token_server_client()
- def update_scim_scopes_entries(self):
- # add jansAttrs to SCIM users.read and users.write scopes
- ids = [doc_id_from_dn(scope) for scope in self.jans_scim_scopes]
- kwargs = {"table_name": "jansScope"}
-
- for id_ in ids:
- entry = self.get_entry(id_, **kwargs)
- if not entry:
- continue
-
- if "jansAttrs" not in entry.attrs:
- entry.attrs[
- "jansAttrs"] = self.jans_attrs
- self.modify_entry(id_, entry.attrs, **kwargs)
-
- def update_base_entries(self):
- # add jansManagerGrp to base entry
- id_ = doc_id_from_dn(JANS_BASE_ID)
- kwargs = {"table_name": "jansOrganization"}
-
- entry = self.get_entry(id_, **kwargs)
- if not entry:
- return
-
- if not entry.attrs.get("jansManagerGrp"):
- entry.attrs["jansManagerGrp"] = JANS_MANAGER_GROUP
- self.modify_entry(id_, entry.attrs, **kwargs)
-
- def update_attributes_entries(self):
- kwargs = {"table_name": "jansAttr"}
- rows = collect_claim_names()
-
- for dn, claim_name in rows.items():
- entry = self.get_entry(doc_id_from_dn(dn), **kwargs)
-
- # jansClaimName already set
- if "jansClaimName" in entry.attrs and entry.attrs["jansClaimName"]:
- continue
-
- entry.attrs["jansClaimName"] = claim_name
- self.modify_entry(entry.id, entry.attrs, **kwargs)
-
 class Upgrade:
 def __init__(self, manager):
@@ -821,17 +556,19 @@ def __init__(self, manager):
 def invoke(self):
 # TODO: refactor all self.backend.update_ to this class method
 logger.info("Running upgrade process (if required)")
- self.backend.update_people_entries()
- self.backend.update_scopes_entries()
+ self.update_people_entries()
+ self.update_scopes_entries()
+
 self.backend.update_clients_entries()
- self.backend.update_scim_scopes_entries()
- self.backend.update_base_entries()
+
+ self.update_scim_scopes_entries()
+ self.update_base_entries()
 if hasattr(self.backend, "update_misc"):
 self.backend.update_misc()
 self.update_auth_dynamic_config()
- self.backend.update_attributes_entries()
+ self.update_attributes_entries()
 self.update_scripts_entries()
 def update_scripts_entries(self):
@@ -844,8 +581,7 @@ def update_scripts_entries(self):
 kwargs = {"table_name": "jansCustomScr"}
 scim_id = doc_id_from_dn(scim_id)
 basic_id = doc_id_from_dn(basic_id)
-
- if self.backend.type == "couchbase":
+ elif self.backend.type == "couchbase":
 kwargs = {"bucket": os.environ.get("CN_COUCHBASE_BUCKET_PREFIX", "jans")}
 scim_id = id_from_dn(scim_id)
 basic_id = id_from_dn(basic_id)
@@ -873,8 +609,7 @@ def update_auth_dynamic_config(self):
 if self.backend.type in ("sql", "spanner"):
 kwargs = {"table_name": "jansAppConf"}
 id_ = doc_id_from_dn(id_)
-
- if self.backend.type == "couchbase":
+ elif self.backend.type == "couchbase":
 kwargs = {"bucket": os.environ.get("CN_COUCHBASE_BUCKET_PREFIX", "jans")}
 id_ = id_from_dn(id_)
@@ -894,3 +629,130 @@ def update_auth_dynamic_config(self):
 entry.attrs["jansRevision"] += 1
 self.backend.modify_entry(entry.id, entry.attrs, **kwargs)
+
+ def update_attributes_entries(self):
+ # default to ldap persistence
+ kwargs = {}
+ rows = collect_claim_names()
+
+ for id_, claim_name in rows.items():
+ if self.backend.type in ("sql", "spanner"):
+ id_ = doc_id_from_dn(id_)
+ kwargs = {"table_name": "jansAttr"}
+ elif self.backend.type == "couchbase":
+ id_ = id_from_dn(id_)
+ kwargs = {"bucket": os.environ.get("CN_COUCHBASE_BUCKET_PREFIX", "jans")}
+
+ entry = self.backend.get_entry(id_, **kwargs)
+
+ if not entry:
+ return
+
+ # jansClaimName already set
+ if "jansClaimName" in entry.attrs and entry.attrs["jansClaimName"]:
+ continue
+
+ entry.attrs["jansClaimName"] = claim_name
+ self.backend.modify_entry(entry.id, entry.attrs, **kwargs)
+
+ def update_base_entries(self):
+ # default to ldap persistence
+ kwargs = {}
+ id_ = JANS_BASE_DN
+
+ if self.backend.type in ("sql", "spanner"):
+ kwargs = {"table_name": "jansOrganization"}
+ id_ = doc_id_from_dn(id_)
+ elif self.backend.type == "couchbase":
+ kwargs = {"bucket": os.environ.get("CN_COUCHBASE_BUCKET_PREFIX", "jans")}
+ id_ = id_from_dn(id_)
+
+ # add jansManagerGrp to base entry
+ entry = self.backend.get_entry(id_, **kwargs)
+
+ if not entry:
+ return
+
+ if not entry.attrs.get("jansManagerGrp"):
+ entry.attrs["jansManagerGrp"] = JANS_MANAGER_GROUP
+ self.backend.modify_entry(entry.id, entry.attrs, **kwargs)
+
+ def update_scim_scopes_entries(self):
+ # default to ldap persistence
+ kwargs = {}
+
+ # add jansAttrs to SCIM users.read and users.write scopes
+ for id_ in [JANS_SCIM_USERS_READ_SCOPE_DN, JANS_SCIM_USERS_WRITE_SCOPE_DN]:
+ if self.backend.type in ("sql", "spanner"):
+ kwargs = {"table_name": "jansScope"}
+ id_ = doc_id_from_dn(id_)
+ elif self.backend.type == "couchbase":
+ kwargs = {"bucket": os.environ.get("CN_COUCHBASE_BUCKET_PREFIX", "jans")}
+ id_ = id_from_dn(id_)
+
+ entry = self.backend.get_entry(id_, **kwargs)
+
+ if not entry:
+ continue
+
+ if "jansAttrs" not in entry.attrs:
+ entry.attrs["jansAttrs"] = DEFAULT_JANS_ATTRS
+ self.backend.modify_entry(entry.id, entry.attrs, **kwargs)
+
+ def update_scopes_entries(self):
+ # default to ldap persistence
+ kwargs = {}
+ id_ = JANS_PROFILE_SCOPE_DN
+
+ if self.backend.type in ("sql", "spanner"):
+ kwargs = {"table_name": "jansScope"}
+ id_ = doc_id_from_dn(id_)
+ elif self.backend.type == "couchbase":
+ kwargs = {"bucket": os.environ.get("CN_COUCHBASE_BUCKET_PREFIX", "jans")}
+ id_ = id_from_dn(id_)
+
+ entry = self.backend.get_entry(id_, **kwargs)
+
+ if not entry:
+ return
+
+ attrs, should_update = _transform_profile_scope(entry.attrs)
+ if should_update:
+ self.backend.modify_entry(entry.id, attrs, **kwargs)
+
+ def update_people_entries(self):
+ # default to ldap persistence
+ admin_inum = self.manager.config.get("admin_inum")
+
+ id_ = f"inum={admin_inum},ou=people,o=jans"
+ kwargs = {}
+
+ if self.backend.type in ("sql", "spanner"):
+ id_ = doc_id_from_dn(id_)
+ kwargs = {"table_name": "jansPerson"}
+ elif self.backend.type == "couchbase":
+ id_ = id_from_dn(id_)
+ bucket = os.environ.get("CN_COUCHBASE_BUCKET_PREFIX", "jans")
+ kwargs = {"bucket": f"{bucket}_user"}
+
+ entry = self.backend.get_entry(id_, **kwargs)
+
+ if not entry:
+ return
+
+ # add jansAdminUIRole to default admin user
+ should_update = False
+
+ if self.backend.type == "sql" and not entry.attrs["jansAdminUIRole"]["v"]:
+ entry.attrs["jansAdminUIRole"] = {"v": ["api-admin"]}
+ should_update = True
+ elif self.backend.type == "spanner" and not entry.attrs["jansAdminUIRole"]:
+ entry.attrs["jansAdminUIRole"] = ["api-admin"]
+ should_update = True
+ else: # ldap and couchbase
+ if "jansAdminUIRole" not in entry.attrs:
+ entry.attrs["jansAdminUIRole"] = ["api-admin"]
+ should_update = True
+
+ if should_update:
+ self.backend.modify_entry(entry.id, entry.attrs, **kwargs)
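Review bot: In update_attributes_entries the `if not entry: return` inside the `for id_, claim_name in rows.items()` loop abandons the whole pass at the first attribute entry the backend cannot find, so every remaining claim name is silently left without a jansClaimName; the neighbouring loop in update_scim_scopes_entries uses `continue` for the same situation, and that is what this loop needs: `if not entry: continue`. PATCH 5/6 moves this loop verbatim into `_update_claim_names` and keeps the `return`, so the fix applies there too. Separately, the sql branch of update_people_entries indexes `entry.attrs["jansAdminUIRole"]["v"]` with no default, so a row without that column raises KeyError instead of falling through; whether the SQL client always returns the key is not visible here, so `entry.attrs.get("jansAdminUIRole", {}).get("v")` would be the defensive form.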
From 8df04782532af86e219473f28ee019edf2b21a56 Mon Sep 17 00:00:00 2001
From: iromli
Date: Thu, 17 Mar 2022 00:19:06 +0700
Subject: [PATCH 5/6] chore: sync static and templates for mobile attribute (#1053)
---
 docker-jans-persistence-loader/Dockerfile | 2 +-
 .../scripts/spanner_setup.py | 1 +
 .../scripts/sql_setup.py | 1 +
 .../scripts/upgrade.py | 46 ++++++++++++++-----
 4 files changed, 38 insertions(+), 12 deletions(-)
diff --git a/docker-jans-persistence-loader/Dockerfile b/docker-jans-persistence-loader/Dockerfile
index 00052cf3826..0dc858fd140 100644
--- a/docker-jans-persistence-loader/Dockerfile
+++ b/docker-jans-persistence-loader/Dockerfile
@@ -21,7 +21,7 @@ RUN pip3 install -U pip wheel \
 # jans-linux-setup sync
 # =====================
-ENV JANS_LINUX_SETUP_VERSION=452ce0fc0132f6ac7fd3be4a20bab560b1586dea
+ENV JANS_LINUX_SETUP_VERSION=5b7fd274230c160d470ef76495d333cab1ae3b2a
 ARG JANS_SETUP_DIR=jans-linux-setup/jans_setup
 # note that as we're pulling from a monorepo (with multiple project in it)
diff --git a/docker-jans-persistence-loader/scripts/spanner_setup.py b/docker-jans-persistence-loader/scripts/spanner_setup.py
index ca076766f7c..957e52d89ef 100644
--- a/docker-jans-persistence-loader/scripts/spanner_setup.py
+++ b/docker-jans-persistence-loader/scripts/spanner_setup.py
@@ -494,6 +494,7 @@ def column_from_array(table_name, col_name):
 ("jansClnt", "jansDefAcrValues"),
 ("jansClnt", "jansLogoutURI"),
 ("jansPerson", "role"),
+ ("jansPerson", "mobile"),
 ]:
 column_to_array(mod[0], mod[1])
diff --git a/docker-jans-persistence-loader/scripts/sql_setup.py b/docker-jans-persistence-loader/scripts/sql_setup.py
index 29e73009a1c..2c967eeb07c 100644
--- a/docker-jans-persistence-loader/scripts/sql_setup.py
+++ b/docker-jans-persistence-loader/scripts/sql_setup.py
@@ -441,6 +441,7 @@ def column_from_json(table_name, col_name):
 ("jansClnt", "jansDefAcrValues"),
 ("jansClnt", "jansLogoutURI"),
 ("jansPerson", "role"),
+ ("jansPerson", "mobile"),
 ]:
 column_to_json(mod[0], mod[1])
diff --git a/docker-jans-persistence-loader/scripts/upgrade.py b/docker-jans-persistence-loader/scripts/upgrade.py
index d980ac9ecba..69e39b2109b 100644
--- a/docker-jans-persistence-loader/scripts/upgrade.py
+++ b/docker-jans-persistence-loader/scripts/upgrade.py
@@ -5,6 +5,8 @@
 import os
 from collections import namedtuple
+from ldif import LDIFParser
+
 from jans.pycloudlib.persistence.couchbase import get_couchbase_user
 from jans.pycloudlib.persistence.couchbase import get_couchbase_superuser
 from jans.pycloudlib.persistence.couchbase import get_couchbase_password
@@ -172,8 +174,6 @@ def modify_claims(claims):
 def collect_claim_names(ldif_file="/app/templates/attributes.ldif"):
- from ldif import LDIFParser
-
 rows = {}
 with open("/app/templates/attributes.ldif", "rb") as fd:
 parser = LDIFParser(fd)
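Review bot: collect_claim_names still opens the hard-coded path `"/app/templates/attributes.ldif"` and never reads its `ldif_file` parameter, so the default in the signature is misleading and a caller cannot point the function at another template; the open should be `with open(ldif_file, "rb") as fd:`. This hunk only hoists the LDIFParser import to module level, and the rest of collect_claim_names lies outside it.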
@@ -631,11 +631,35 @@ def update_auth_dynamic_config(self):
 self.backend.modify_entry(entry.id, entry.attrs, **kwargs)
 def update_attributes_entries(self):
- # default to ldap persistence
- kwargs = {}
- rows = collect_claim_names()
+ def _update_claim_names():
+ # default to ldap persistence
+ kwargs = {}
+ rows = collect_claim_names()
+
+ for id_, claim_name in rows.items():
+ if self.backend.type in ("sql", "spanner"):
+ id_ = doc_id_from_dn(id_)
+ kwargs = {"table_name": "jansAttr"}
+ elif self.backend.type == "couchbase":
+ id_ = id_from_dn(id_)
+ kwargs = {"bucket": os.environ.get("CN_COUCHBASE_BUCKET_PREFIX", "jans")}
+
+ entry = self.backend.get_entry(id_, **kwargs)
+
+ if not entry:
+ return
+
+ # jansClaimName already set
+ if "jansClaimName" in entry.attrs and entry.attrs["jansClaimName"]:
+ continue
+
+ entry.attrs["jansClaimName"] = claim_name
+ self.backend.modify_entry(entry.id, entry.attrs, **kwargs)
+
+ def _update_mobile_attr():
+ kwargs = {}
+ id_ = "inum=6DA6,ou=attributes,o=jans"
- for id_, claim_name in rows.items():
 if self.backend.type in ("sql", "spanner"):
 id_ = doc_id_from_dn(id_)
 kwargs = {"table_name": "jansAttr"}
@@ -648,12 +672,12 @@ def update_attributes_entries(self):
 if not entry:
 return
- # jansClaimName already set
- if "jansClaimName" in entry.attrs and entry.attrs["jansClaimName"]:
- continue
+ if not entry.attrs.get("jansMultivaluedAttr"):
+ entry.attrs["jansMultivaluedAttr"] = True
+ self.backend.modify_entry(entry.id, entry.attrs, **kwargs)
- entry.attrs["jansClaimName"] = claim_name
- self.backend.modify_entry(entry.id, entry.attrs, **kwargs)
+ _update_claim_names()
+ _update_mobile_attr()
 def update_base_entries(self):
 # default to ldap persistence
From feea26430f67a89b248911f39583421f2b141a17 Mon Sep 17 00:00:00 2001
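Review bot: `_update_mobile_attr` hard-codes the DN `"inum=6DA6,ou=attributes,o=jans"` inline, while the other entries this file touches are named by module-level constants (`JANS_BASE_DN`, `JANS_PROFILE_SCOPE_DN`); a constant such as `JANS_MOBILE_ATTR_DN = "inum=6DA6,ou=attributes,o=jans"` with a `#: mobile attribute DN` doc comment would keep the file consistent and make the entry easy to locate. The helper also gives no reason for flipping jansMultivaluedAttr; a comment such as `# mobile becomes an array column in sql_setup.py/spanner_setup.py in this commit, so the attribute must be flagged multi-valued` would tie it to the rest of the change. The middle of `_update_mobile_attr` (the couchbase branch and the get_entry call) lies between the two hunks and is not visible here.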
From: iromli
Date: Thu, 17 Mar 2022 01:41:54 +0700
Subject: [PATCH 6/6] refactor: move backend.update_clients_entries to upgrade class
---
 .../scripts/upgrade.py | 313 +++++-------------
 1 file changed, 86 insertions(+), 227 deletions(-)
diff --git a/docker-jans-persistence-loader/scripts/upgrade.py b/docker-jans-persistence-loader/scripts/upgrade.py
index 69e39b2109b..5ec18ba8fe4 100644
--- a/docker-jans-persistence-loader/scripts/upgrade.py
+++ b/docker-jans-persistence-loader/scripts/upgrade.py
@@ -27,31 +27,11 @@
 Entry = namedtuple("Entry", ["id", "attrs"])
-class BaseBackend:
- """Base class for backend adapters. Must be sub-classed per
- implementation details.
- """
-
- def __init__(self):
- # self.jans_admin_ui_role_id = "inum=43F1,ou=scopes,o=jans"
- # self.jans_admin_ui_claim = "inum=0A01,ou=attributes,o=jans"
- self.jans_attrs = '{"spontaneousClientId":null,"spontaneousClientScopes":null,"showInConfigurationEndpoint":true}'
- # SCIM users.read, SCIM users.write scopes that get added to config-api client
- self.jans_scim_scopes = [
- "inum=1200.2B7428,ou=scopes,o=jans", # users.read scope
- "inum=1200.0A0198,ou=scopes,o=jans", # users.write scope
- ]
- # jans_stat
- self.jans_stat_scopes = [
- "inum=C4F7,ou=scopes,o=jans", # jans_stat
- ]
-
-
 #: ID of base entry
 JANS_BASE_DN = "o=jans"
 #: ID of manager group
-JANS_MANAGER_GROUP = "inum=60B7,ou=groups,o=jans"
+JANS_MANAGER_GROUP_DN = "inum=60B7,ou=groups,o=jans"
 #: ID of jans-auth config
 JANS_AUTH_CONFIG_DN = "ou=jans-auth,ou=configuration,o=jans"
@@ -73,6 +53,9 @@ def __init__(self):
 DEFAULT_JANS_ATTRS = '{"spontaneousClientId":null,"spontaneousClientScopes":null,"showInConfigurationEndpoint":true}'
+#: jans_stat scope
+JANS_STAT_SCOPE_DN = "inum=C4F7,ou=scopes,o=jans"
+
 def _transform_auth_dynamic_config(conf):
 should_update = False
@@ -183,9 +166,8 @@ def collect_claim_names(ldif_file="/app/templates/attributes.ldif"):
 return rows
-class LDAPBackend(BaseBackend):
+class LDAPBackend:
 def __init__(self, manager):
- super().__init__()
 self.manager = manager
 self.client = LdapClient(manager)
 self.type = "ldap"
@@ -221,51 +203,9 @@ def modify_entry(self, key, attrs=None, **kwargs):
 attrs[k] = [(mod, v)]
 return self.client.modify(key, attrs)
- def update_clients_entries(self):
- # modify redirect UI of config-api client
- def _update_jca_client():
- jca_client_id = self.manager.config.get("jca_client_id")
- entry = self.get_entry(f"inum={jca_client_id},ou=clients,o=jans")
-
- if not entry:
- return
-
- should_update = False
-
- hostname = self.manager.config.get("hostname")
- if f"https://{hostname}/admin" not in entry.attrs["jansRedirectURI"]:
- entry.attrs["jansRedirectURI"].append(f"https://{hostname}/admin")
- should_update = True
-
- # add jans_stat, SCIM users.read, SCIM users.write scopes to config-api client
- for scope in (self.jans_scim_scopes + self.jans_stat_scopes):
- if scope not in entry.attrs["jansScope"]:
- entry.attrs["jansScope"].append(scope)
- should_update = True
-
- if should_update:
- self.modify_entry(entry.id, entry.attrs)
-
- # modify introspection script for token server client
- def _update_token_server_client():
- token_server_admin_ui_client_id = self.manager.config.get("token_server_admin_ui_client_id")
- entry = self.get_entry(f"inum={token_server_admin_ui_client_id},ou=clients,o=jans")
-
- if not entry:
- return
-
- attrs, should_update = _transform_token_server_client(json.loads(entry.attrs["jansAttrs"]))
- if should_update:
- entry.attrs["jansAttrs"] = json.dumps(attrs)
- self.modify_entry(entry.id, entry.attrs)
- _update_jca_client()
- _update_token_server_client()
-
-
-class SQLBackend(BaseBackend):
+class SQLBackend:
 def __init__(self, manager):
- super().__init__()
 self.manager = manager
 self.client = SQLClient()
 self.type = "sql"
@@ -283,61 +223,9 @@ def modify_entry(self, key, attrs=None, **kwargs):
 table_name = kwargs.get("table_name")
 return self.client.update(table_name, key, attrs), ""
- def update_clients_entries(self):
- # modify redirect UI of config-api client
- def _update_jca_client():
- jca_client_id = self.manager.config.get("jca_client_id")
- kwargs = {"table_name": "jansClnt"}
-
- entry = self.get_entry(
- doc_id_from_dn(f"inum={jca_client_id},ou=clients,o=jans"),
- **kwargs
- )
-
- if not entry:
- return
-
- should_update = False
-
- hostname = self.manager.config.get("hostname")
-
- if f"https://{hostname}/admin" not in entry.attrs["jansRedirectURI"]["v"]:
- entry.attrs["jansRedirectURI"]["v"].append(f"https://{hostname}/admin")
- should_update = True
-
- # add jans_stat, SCIM users.read, SCIM users.write scopes to config-api client
- for scope in (self.jans_scim_scopes + self.jans_stat_scopes):
- if scope not in entry.attrs["jansScope"]["v"]:
- entry.attrs["jansScope"]["v"].append(scope)
- should_update = True
-
- if should_update:
- self.modify_entry(entry.id, entry.attrs, **kwargs)
-
- # modify introspection script for token server client
- def _update_token_server_client():
- token_server_admin_ui_client_id = self.manager.config.get("token_server_admin_ui_client_id")
- kwargs = {"table_name": "jansClnt"}
- entry = self.get_entry(
- doc_id_from_dn(f"inum={token_server_admin_ui_client_id},ou=clients,o=jans"),
- **kwargs,
- )
-
- if not entry:
- return
-
- attrs, should_update = _transform_token_server_client(json.loads(entry.attrs["jansAttrs"]))
- if should_update:
- entry.attrs["jansAttrs"] = json.dumps(attrs)
- self.modify_entry(entry.id, entry.attrs, **kwargs)
-
- _update_jca_client()
- _update_token_server_client()
-
-class CouchbaseBackend(BaseBackend):
+class CouchbaseBackend:
 def __init__(self, manager):
- super().__init__()
 self.manager = manager
 hostname = os.environ.get("CN_COUCHBASE_URL", "localhost")
 user = get_couchbase_superuser(manager) or get_couchbase_user(manager)
@@ -393,57 +281,6 @@ def modify_entry(self, key, attrs=None, **kwargs):
 message = req.text or req.reason
 return status, message
- def update_clients_entries(self):
- # modify redirect UI of config-api client
- def _update_jca_client():
- jca_client_id = self.manager.config.get("jca_client_id")
- kwargs = {"bucket": os.environ.get("CN_COUCHBASE_BUCKET_PREFIX", "jans")}
-
- entry = self.get_entry(
- id_from_dn(f"inum={jca_client_id},ou=clients,o=jans"),
- **kwargs,
- )
- if not entry:
- return
-
- should_update = False
-
- hostname = self.manager.config.get("hostname")
-
- if f"https://{hostname}/admin" not in entry.attrs["jansRedirectURI"]:
- entry.attrs["jansRedirectURI"].append(f"https://{hostname}/admin")
- should_update = True
-
- # add jans_stat, SCIM users.read, SCIM users.write scopes to config-api client
- for scope in (self.jans_scim_scopes + self.jans_stat_scopes):
- if scope not in entry.attrs["jansScope"]:
- entry.attrs["jansScope"].append(scope)
- should_update = True
-
- if should_update:
- self.modify_entry(entry.id, entry.attrs, **kwargs)
-
- # modify introspection script for token server client
- def _update_token_server_client():
- token_server_admin_ui_client_id = self.manager.config.get("token_server_admin_ui_client_id")
- kwargs = {"bucket": os.environ.get("CN_COUCHBASE_BUCKET_PREFIX", "jans")}
-
- entry = self.get_entry(
- id_from_dn(f"inum={token_server_admin_ui_client_id},ou=clients,o=jans"),
- **kwargs,
- )
-
- if not entry:
- return
-
- attrs, should_update = _transform_token_server_client(json.loads(entry.attrs["jansAttrs"]))
- if should_update:
- entry.attrs["jansAttrs"] = json.dumps(attrs)
- self.modify_entry(entry.id, entry.attrs, **kwargs)
-
- _update_jca_client()
- _update_token_server_client()
-
 def update_misc(self):
 # 1 - fix objectclass for scim and config-api where it has lowecased objectclass instead of objectClass
 bucket = os.environ.get("CN_COUCHBASE_BUCKET_PREFIX", "jans")
@@ -466,9 +303,8 @@ def update_misc(self):
 self.client.exec_query(f'DROP INDEX `{bucket}`.`def_jans_fix_oc`')
-class SpannerBackend(BaseBackend):
+class SpannerBackend:
 def __init__(self, manager):
- super().__init__()
 self.manager = manager
 self.client = SpannerClient()
 self.type = "spanner"
@@ -486,57 +322,6 @@ def modify_entry(self, key, attrs=None, **kwargs):
 table_name = kwargs.get("table_name")
 return self.client.update(table_name, key, attrs), ""
- def update_clients_entries(self):
- # modify redirect UI of config-api client
- def _update_jca_client():
- jca_client_id = self.manager.config.get("jca_client_id")
- kwargs = {"table_name": "jansClnt"}
-
- entry = self.get_entry(
- doc_id_from_dn(f"inum={jca_client_id},ou=clients,o=jans"),
- **kwargs,
- )
-
- if not entry:
- return
-
- should_update = False
-
- hostname = self.manager.config.get("hostname")
-
- if f"https://{hostname}/admin" not in entry.attrs["jansRedirectURI"]:
- entry.attrs["jansRedirectURI"].append(f"https://{hostname}/admin")
- should_update = True
-
- # add jans_stat, SCIM users.read, SCIM users.write scopes to config-api client
- for scope in (self.jans_scim_scopes + self.jans_stat_scopes):
- if scope not in entry.attrs["jansScope"]:
- entry.attrs["jansScope"].append(scope)
- should_update = True
-
- if should_update:
- self.modify_entry(entry.id, entry.attrs, **kwargs)
-
- # modify introspection script for token server client
- def _update_token_server_client():
- token_server_admin_ui_client_id = self.manager.config.get("token_server_admin_ui_client_id")
- kwargs = {"table_name": "jansClnt"}
- entry = self.get_entry(
- doc_id_from_dn(f"inum={token_server_admin_ui_client_id},ou=clients,o=jans"),
- **kwargs,
- )
-
- if not entry:
- return
-
- attrs, should_update = _transform_token_server_client(json.loads(entry.attrs["jansAttrs"]))
- if should_update:
- entry.attrs["jansAttrs"] = json.dumps(attrs)
- self.modify_entry(entry.id, entry.attrs, **kwargs)
-
- _update_jca_client()
- _update_token_server_client()
-
 class Upgrade:
 def __init__(self, manager):
@@ -556,11 +341,10 @@ def __init__(self, manager):
 def invoke(self):
 # TODO: refactor all self.backend.update_ to this class method
 logger.info("Running upgrade process (if required)")
+
 self.update_people_entries()
 self.update_scopes_entries()
-
- self.backend.update_clients_entries()
-
+ self.update_clients_entries()
 self.update_scim_scopes_entries()
 self.update_base_entries()
@@ -698,7 +482,7 @@ def update_base_entries(self):
 return
 if not entry.attrs.get("jansManagerGrp"):
- entry.attrs["jansManagerGrp"] = JANS_MANAGER_GROUP
+ entry.attrs["jansManagerGrp"] = JANS_MANAGER_GROUP_DN
 self.backend.modify_entry(entry.id, entry.attrs, **kwargs)
 def update_scim_scopes_entries(self):
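Review bot: The `# TODO: refactor all self.backend.update_ to this class method` comment that heads invoke is left untouched although this hunk replaces the last `self.backend.update_*` call in the visible part of the method; as far as this series shows, only the `hasattr(self.backend, "update_misc")` branch further down (outside the hunk) still dispatches to a backend-specific method. The comment should be narrowed to what remains, e.g. `# TODO: fold the couchbase-only backend.update_misc into this class`, or dropped so the next reader does not go looking for work that is already done. invoke continues past the end of the hunk.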
@@ -780,3 +564,78 @@ def update_people_entries(self):
 if should_update:
 self.backend.modify_entry(entry.id, entry.attrs, **kwargs)
+
+ def update_clients_entries(self):
+ # modify redirect UI of config-api client
+ def _update_jca_client():
+ kwargs = {}
+ jca_client_id = self.manager.config.get("jca_client_id")
+ id_ = f"inum={jca_client_id},ou=clients,o=jans"
+
+ if self.backend.type in ("sql", "spanner"):
+ kwargs = {"table_name": "jansClnt"}
+ id_ = doc_id_from_dn(id_)
+ elif self.backend.type == "couchbase":
+ kwargs = {"bucket": os.environ.get("CN_COUCHBASE_BUCKET_PREFIX", "jans")}
+ id_ = id_from_dn(id_)
+
+ entry = self.backend.get_entry(id_, **kwargs)
+
+ if not entry:
+ return
+
+ should_update = False
+
+ hostname = self.manager.config.get("hostname")
+ scopes = [JANS_SCIM_USERS_READ_SCOPE_DN, JANS_SCIM_USERS_WRITE_SCOPE_DN, JANS_STAT_SCOPE_DN]
+
+ if self.backend.type == "sql":
+ if f"https://{hostname}/admin" not in entry.attrs["jansRedirectURI"]["v"]:
+ entry.attrs["jansRedirectURI"]["v"].append(f"https://{hostname}/admin")
+ should_update = True
+
+ # add jans_stat, SCIM users.read, SCIM users.write scopes to config-api client
+ for scope in scopes:
+ if scope not in entry.attrs["jansScope"]["v"]:
+ entry.attrs["jansScope"]["v"].append(scope)
+ should_update = True
+
+ else: # ldap, couchbase, and spanner
+ if f"https://{hostname}/admin" not in entry.attrs["jansRedirectURI"]:
+ entry.attrs["jansRedirectURI"].append(f"https://{hostname}/admin")
+ should_update = True
+
+ # add jans_stat, SCIM users.read, SCIM users.write scopes to config-api client
+ for scope in scopes:
+ if scope not in entry.attrs["jansScope"]:
+ entry.attrs["jansScope"].append(scope)
+ should_update = True
+
+ if should_update:
+ self.backend.modify_entry(entry.id, entry.attrs, **kwargs)
+
+ # modify introspection script for token server client
+ def _update_token_server_client():
+ kwargs = {}
+ token_server_admin_ui_client_id = self.manager.config.get("token_server_admin_ui_client_id")
+ id_ = f"inum={token_server_admin_ui_client_id},ou=clients,o=jans"
+
+ if self.backend.type in ("sql", "spanner"):
+ kwargs = {"table_name": "jansClnt"}
+ id_ = doc_id_from_dn(id_)
+ elif self.backend.type == "couchbase":
+ kwargs = {"bucket": os.environ.get("CN_COUCHBASE_BUCKET_PREFIX", "jans")}
+ id_ = id_from_dn(id_)
+
+ entry = self.backend.get_entry(id_, **kwargs)
+
+ if not entry:
+ return
+
+ attrs, should_update = _transform_token_server_client(json.loads(entry.attrs["jansAttrs"]))
+ if should_update:
+ entry.attrs["jansAttrs"] = json.dumps(attrs)
+ self.backend.modify_entry(entry.id, entry.attrs, **kwargs)
+
+ _update_jca_client()
+ _update_token_server_client()
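Review bot: `_update_jca_client` only ever appends `https://{hostname}/admin` to jansRedirectURI and the three scope DNs to jansScope and never removes anything, so if the configured hostname changes between upgrades the previous `https://<old-hostname>/admin` (placeholder) stays registered as a valid redirect URI of the config-api client — through this path the client's redirect allow-list and scope grant can only grow. That matches the per-backend methods this commit deletes, but now that the logic lives in one place it is worth either pruning `/admin` redirect entries for other hosts or at least emitting a `logger.info` next to each `should_update = True` so the upgrade's changes to an OAuth client are auditable. Also, `entry.attrs["jansRedirectURI"]` and `entry.attrs["jansScope"]` are indexed without a default in both branches, so a client entry lacking either attribute raises KeyError and aborts the whole upgrade; whether every backend guarantees those keys is not visible here, so a `.get(..., [])` guard (or the `{"v": []}` shape for sql) would be the safe form.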