Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: Jans linux setup refactor #1328

Merged
merged 3 commits into from
May 12, 2022
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 8 additions & 8 deletions jans-linux-setup/jans_setup/setup_app/installers/jans_auth.py
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,7 @@
import uuid
import shutil
import json
import tempfile

from urllib.parse import urlparse

Expand Down Expand Up @@ -159,17 +160,16 @@ def import_openbanking_certificate(self):
jwksUri = oxauth_config_json['jwksUri']
o = urlparse(jwksUri)
jwks_addr = o.netloc
ssl_cmd = shutil.which('openssl')
random_crt_fn = os.path.join(self.output_folder, '{}.crt'.format(os.urandom(3).hex()))
cmd = "echo -n | {} s_client -connect {}:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > {}".format(ssl_cmd, jwks_addr, random_crt_fn)
self.run(cmd, shell=True)
open_banking_cert = self.get_server_certificate(jwks_addr)
alias = jwks_addr.replace('.', '_')

self.run([Config.cmd_keytool, '-import', '-trustcacerts', '-keystore',
Config.defaultTrustStoreFN, '-storepass', 'changeit',
'-noprompt', '-alias', alias, '-file', random_crt_fn])
with tempfile.TemporaryDirectory() as tmp_dir:
tmp_fn = os.path.join(tmp_dir, jwks_addr+'.crt')
self.writeFile(tmp_fn, open_banking_cert)
self.run([Config.cmd_keytool, '-import', '-trustcacerts', '-keystore',
Config.defaultTrustStoreFN, '-storepass', 'changeit',
'-noprompt', '-alias', alias, '-file', tmp_fn])

#os.remove(random_crt_fn)

def import_openbanking_key(self):
if os.path.isfile(Config.ob_key_fn) and os.path.isfile(Config.ob_cert_fn):
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -196,10 +196,10 @@ def collect(self):

ssl_subj = self.get_ssl_subject('/etc/certs/httpd.crt')

Config.countryCode = ssl_subj['C']
Config.state = ssl_subj['ST']
Config.city = ssl_subj['L']
Config.city = ssl_subj['L']
Config.countryCode = ssl_subj.get('countryName', '')
Config.state = ssl_subj.get('stateOrProvinceName', '')
Config.city = ssl_subj.get('localityName', '')
Config.admin_email = ssl_subj.get('emailAddress', '')

#this is not good, but there is no way to retreive password from ldap
if not Config.get('admin_password'):
Expand All @@ -209,11 +209,7 @@ def collect(self):
Config.admin_password = Config.cb_password

if not Config.get('orgName'):
Config.orgName = ssl_subj['O']

#for service in jetty_services:
# setup_prop[jetty_services[service][0]] = os.path.exists('/opt/jans/jetty/{0}/webapps/{0}.war'.format(service))

Config.orgName = ssl_subj.get('organizationName', '')

for s in ['jansScimEnabled']:
setattr(Config, s, oxConfiguration.get(s, False))
Expand Down Expand Up @@ -252,13 +248,6 @@ def collect(self):
Config.installEleven = os.path.exists(os.path.join(Config.jetty_base, 'jans-eleven/start.ini'))
Config.install_config_api = os.path.exists(os.path.join(Config.jansOptFolder, 'jans-config-api'))

result = dbUtils.search('ou=people,o=jans', search_filter='(&(uid=admin)(objectClass=jansPerson))')
if result:
Config.admin_inum = result['inum']
if 'mail' in result:
Config.admin_email = result['mail']


def save(self):
if os.path.exists(Config.setup_properties_fn):
self.backupFile(Config.setup_properties_fn)
Expand Down
21 changes: 13 additions & 8 deletions jans-linux-setup/jans_setup/setup_app/utils/crypto64.py
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,8 @@
import re
import base64
import json
import socket
import ssl

from collections import OrderedDict
from pathlib import Path
Expand All @@ -15,15 +17,10 @@
class Crypto64:

def get_ssl_subject(self, ssl_fn):
cert_info = ssl._ssl._test_decode_cert(ssl_fn)
retDict = {}
cmd = paths.cmd_openssl + ' x509 -noout -subject -nameopt RFC2253 -in {}'.format(ssl_fn)
s = self.run(cmd, shell=True)
s = s.strip() + ','

for k in ('emailAddress', 'CN', 'O', 'L', 'ST', 'C'):
rex = re.search('{}=(.*?),'.format(k), s)
retDict[k] = rex.groups()[0] if rex else ''

for subj in cert_info["subject"]:
retDict[subj[0][0]] = subj[0][1]
return retDict

def obscure(self, data=""):
Expand Down Expand Up @@ -327,3 +324,11 @@ def encode_test_passwords(self):
Config.templateRenderingDict['oxauthClient_4_encoded_pw'] = self.obscure(Config.templateRenderingDict['oxauthClient_4_pw'])
except:
self.logIt("Error encoding test passwords", True)

def get_server_certificate(self, host):
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
context = ssl.SSLContext()
ssl_sock = context.wrap_socket(sock, server_hostname=host)
ssl_sock.connect((host, 443))
cert_der = ssl_sock.getpeercert(True)
return ssl.DER_cert_to_PEM_cert(cert_der)
Original file line number Diff line number Diff line change
Expand Up @@ -455,7 +455,7 @@ def check_oxd_ssl_cert(self, oxd_hostname, oxd_port):
self.writeFile(oxd_crt_fn, oxd_cert)
ssl_subjects = self.get_ssl_subject(oxd_crt_fn)

if ssl_subjects['CN'] != oxd_hostname:
if ssl_subjects.get('commonName') != oxd_hostname:
return ssl_subjects


Expand Down