feat(docker-jans): add archived jwks (#6564)

JanssenProject · Nov 16, 2023 · 119d9ad · 119d9ad
1 parent 993490d
commit 119d9ad
Show file tree

Hide file tree

Showing 8 changed files with 51 additions and 76 deletions.
diff --git a/docker-jans-auth-server/Dockerfile b/docker-jans-auth-server/Dockerfile
@@ -51,7 +51,7 @@ RUN /opt/jython/bin/pip uninstall -y pip setuptools
 # ===========
 
 ENV CN_VERSION=1.0.21-SNAPSHOT
-ENV CN_BUILD_DATE='2023-10-11 10:17'
+ENV CN_BUILD_DATE='2023-11-14 10:53'
 ENV CN_SOURCE_URL=https://jenkins.jans.io/maven/io/jans/jans-auth-server/${CN_VERSION}/jans-auth-server-${CN_VERSION}.war
 
 # Install Jans Auth

diff --git a/docker-jans-casa/Dockerfile b/docker-jans-casa/Dockerfile
@@ -55,7 +55,7 @@ RUN mkdir -p ${JETTY_BASE}/jans-casa/plugins \
 # jans-linux-setup sync
 # =====================
 
-ENV JANS_SOURCE_VERSION=a3026d7957a1aaefa30269904744975352ae4642
+ENV JANS_SOURCE_VERSION=c86ae0a5a703ff96fd1e69fddcc110b5b754ad71
 ARG JANS_SETUP_DIR=jans-linux-setup/jans_setup
 ARG JANS_CASA_EXTRAS_DIR=jans-casa/extras
 

diff --git a/docker-jans-config-api/Dockerfile b/docker-jans-config-api/Dockerfile
@@ -94,7 +94,7 @@ RUN wget -q ${SCIM_PLUGIN_SOURCE_URL} -O ${JETTY_BASE}/jans-config-api/_plugins/
 # jans-linux-setup sync
 # =====================
 
-ENV JANS_SOURCE_VERSION=a3026d7957a1aaefa30269904744975352ae4642
+ENV JANS_SOURCE_VERSION=c86ae0a5a703ff96fd1e69fddcc110b5b754ad71
 ARG JANS_SETUP_DIR=jans-linux-setup/jans_setup
 ARG JANS_CONFIG_API_RESOURCES=jans-config-api/server/src/main/resources
 

diff --git a/docker-jans-fido2/Dockerfile b/docker-jans-fido2/Dockerfile
@@ -59,7 +59,7 @@ RUN mkdir -p ${JETTY_BASE}/jans-fido2/webapps \
 # jans-linux-setup sync
 # =====================
 
-ENV JANS_SOURCE_VERSION=a3026d7957a1aaefa30269904744975352ae4642
+ENV JANS_SOURCE_VERSION=c86ae0a5a703ff96fd1e69fddcc110b5b754ad71
 ARG JANS_SETUP_DIR=jans-linux-setup/jans_setup
 
 # note that as we're pulling from a monorepo (with multiple project in it)

diff --git a/docker-jans-link/Dockerfile b/docker-jans-link/Dockerfile
@@ -59,7 +59,7 @@ RUN mkdir -p ${JETTY_BASE}/jans-link/webapps \
 # jans-linux-setup sync
 # =====================
 
-ENV JANS_SOURCE_VERSION=a3026d7957a1aaefa30269904744975352ae4642
+ENV JANS_SOURCE_VERSION=c86ae0a5a703ff96fd1e69fddcc110b5b754ad71
 ARG JANS_SETUP_DIR=jans-linux-setup/jans_setup
 
 # note that as we're pulling from a monorepo (with multiple project in it)

diff --git a/docker-jans-persistence-loader/Dockerfile b/docker-jans-persistence-loader/Dockerfile
@@ -26,7 +26,7 @@ RUN python3 -m ensurepip \
 # =====================
 
 # janssenproject/jans SHA commit
-ENV JANS_SOURCE_VERSION=a3026d7957a1aaefa30269904744975352ae4642
+ENV JANS_SOURCE_VERSION=c86ae0a5a703ff96fd1e69fddcc110b5b754ad71
 ARG JANS_SETUP_DIR=jans-linux-setup/jans_setup
 ARG JANS_SCRIPT_CATALOG_DIR=docs/script-catalog
 ARG JANS_CONFIG_API_RESOURCES=jans-config-api/server/src/main/resources

diff --git a/docker-jans-persistence-loader/scripts/hooks.py b/docker-jans-persistence-loader/scripts/hooks.py
@@ -21,12 +21,10 @@ def transform_auth_dynamic_config_hook(conf, manager):
     should_update = False
     hostname = manager.config.get("hostname")
 
-    if "redirectUrisRegexEnabled" not in conf:
-        conf["redirectUrisRegexEnabled"] = True
-        should_update = True
-
-    if "accessTokenSigningAlgValuesSupported" not in conf:
-        conf["accessTokenSigningAlgValuesSupported"] = [
+    # add missing top-level keys
+    for missing_key, value in [
+        ("redirectUrisRegexEnabled", True),
+        ("accessTokenSigningAlgValuesSupported", [
             "none",
             "HS256",
             "HS384",
@@ -40,17 +38,40 @@ def transform_auth_dynamic_config_hook(conf, manager):
             "ES512",
             "PS256",
             "PS384",
-            "PS512"
-        ]
-        should_update = True
-
-    if "forceSignedRequestObject" not in conf:
-        conf["forceSignedRequestObject"] = False
-        should_update = True
-
-    if "grantTypesAndResponseTypesAutofixEnabled" not in conf:
-        conf["grantTypesAndResponseTypesAutofixEnabled"] = False
-        should_update = True
+            "PS512",
+        ]),
+        ("forceSignedRequestObject", False),
+        ("grantTypesAndResponseTypesAutofixEnabled", False),
+        ("useHighestLevelScriptIfAcrScriptNotFound", False),
+        ("requestUriBlockList", ["localhost", "127.0.0.1"]),
+        ("ssaConfiguration", {
+            "ssaEndpoint": f"https://{hostname}/jans-auth/restv1/ssa",
+            "ssaSigningAlg": "RS256",
+            "ssaExpirationInDays": 30,
+        }),
+        ("blockWebviewAuthorizationEnabled", False),
+        ("subjectIdentifiersPerClientSupported", ["mail", "uid"]),
+        ("agamaConfiguration", {
+            "enabled": True,
+            "templatesPath": "/ftl",
+            "scriptsPath": "/scripts",
+            "serializerType": "KRYO",
+            "maxItemsLoggedInCollections": 9,
+            "pageMismatchErrorPage": "mismatch.ftl",
+            "interruptionErrorPage": "timeout.ftl",
+            "crashErrorPage": "crash.ftl",
+            "finishedFlowPage": "finished.ftl",
+            "bridgeScriptPage": "agama.xhtml",
+            "defaultResponseHeaders": {
+                "Cache-Control": "max-age=0, no-store",
+            },
+        }),
+        ("authorizationChallengeEndpoint", f"https://{hostname}/jans-auth/restv1/authorization_challenge"),
+        ("archivedJwksUri", f"https://{hostname}/jans-auth/restv1/jwks/archived"),
+    ]:
+        if missing_key not in conf:
+            conf[missing_key] = value
+            should_update = True
 
     if "sessionIdEnabled" in conf:
         conf.pop("sessionIdEnabled")
@@ -73,29 +94,10 @@ def transform_auth_dynamic_config_hook(conf, manager):
         ]
         should_update = True
 
-    if "useHighestLevelScriptIfAcrScriptNotFound" not in conf:
-        conf["useHighestLevelScriptIfAcrScriptNotFound"] = False
-        should_update = True
-
     if "httpLoggingExcludePaths" not in conf:
         conf["httpLoggingExcludePaths"] = conf.pop("httpLoggingExludePaths", [])
         should_update = True
 
-    if "requestUriBlockList" not in conf:
-        conf["requestUriBlockList"] = [
-            "localhost",
-            "127.0.0.1",
-        ]
-        should_update = True
-
-    if "ssaConfiguration" not in conf:
-        conf["ssaConfiguration"] = {
-            "ssaEndpoint": f"https://{hostname}/jans-auth/restv1/ssa",
-            "ssaSigningAlg": "RS256",
-            "ssaExpirationInDays": 30
-        }
-        should_update = True
-
     if "ssaCustomAttributes" not in conf["ssaConfiguration"]:
         conf["ssaConfiguration"]["ssaCustomAttributes"] = []
         should_update = True
@@ -122,10 +124,6 @@ def transform_auth_dynamic_config_hook(conf, manager):
             conf[new_attr] = conf.pop(old_attr, None)
             should_update = True
 
-    if "blockWebviewAuthorizationEnabled" not in conf:
-        conf["blockWebviewAuthorizationEnabled"] = False
-        should_update = True
-
     if "dateFormatterPatterns" not in conf:
         # remove old config
         conf.pop("userInfoConfiguration", None)
@@ -149,28 +147,6 @@ def transform_auth_dynamic_config_hook(conf, manager):
         conf["personCustomObjectClassList"] = []
         should_update = True
 
-    if "subjectIdentifiersPerClientSupported" not in conf:
-        conf["subjectIdentifiersPerClientSupported"] = ["mail", "uid"]
-        should_update = True
-
-    if "agamaConfiguration" not in conf:
-        conf["agamaConfiguration"] = {
-            "enabled": False,
-            "templatesPath": "/ftl",
-            "scriptsPath": "/scripts",
-            "serializerType": "KRYO",
-            "maxItemsLoggedInCollections": 9,
-            "pageMismatchErrorPage": "mismatch.ftl",
-            "interruptionErrorPage": "timeout.ftl",
-            "crashErrorPage": "crash.ftl",
-            "finishedFlowPage": "finished.ftl",
-            "bridgeScriptPage": "agama.xhtml",
-            "defaultResponseHeaders": {
-                "Cache-Control": "max-age=0, no-store",
-            },
-        }
-        should_update = True
-
     if "interruptionTime" in conf["agamaConfiguration"]:
         conf["agamaConfiguration"].pop("interruptionTime", None)
         should_update = True
@@ -204,11 +180,6 @@ def transform_auth_dynamic_config_hook(conf, manager):
         conf["agamaConfiguration"]["rootDir"] = "/opt/jans/jetty/jans-auth/agama"
         should_update = True
 
-    # add authorizationChallengeEndpoint if missing
-    if "authorizationChallengeEndpoint" not in conf:
-        conf["authorizationChallengeEndpoint"] = f"https://{hostname}/jans-auth/restv1/authorization_challenge"
-        should_update = True
-
     # return the conf and flag to determine whether it needs update or not
     return conf, should_update
 

diff --git a/docker-jans-persistence-loader/scripts/upgrade.py b/docker-jans-persistence-loader/scripts/upgrade.py
@@ -888,9 +888,13 @@ def _transform_auth_errors_config(conf):
 def _transform_auth_static_config(conf):
     should_update = False
 
-    if "ssa" not in conf["baseDn"]:
-        conf["baseDn"]["ssa"] = "ou=ssa,o=jans"
-        should_update = True
+    for key, dn in [
+        ("ssa", "ou=ssa,o=jans"),
+        ("archivedJwks", "ou=archived_jwks,o=jans"),
+    ]:
+        if key not in conf["baseDn"]:
+            conf["baseDn"][key] = dn
+            should_update = True
     return conf, should_update