fix(image): add missing ssa configuration (#2613)

JanssenProject · Oct 13, 2022 · b70b8b2 · b70b8b2
1 parent 9461fbc
commit b70b8b2
Show file tree

Hide file tree

Showing 4 changed files with 122 additions and 1 deletion.
diff --git a/docker-jans-persistence-loader/Dockerfile b/docker-jans-persistence-loader/Dockerfile
@@ -24,7 +24,7 @@ RUN python3 -m ensurepip \
 # =====================
 
 # janssenproject/jans SHA commit
-ENV JANS_SOURCE_VERSION=4fa83fcc3f298d91be3cb459bca52417aacd368e
+ENV JANS_SOURCE_VERSION=3f5effd7cff99688ad6c9deb5880e6c4de967cdc
 ARG JANS_SETUP_DIR=jans-linux-setup/jans_setup
 ARG JANS_SCRIPT_CATALOG_DIR=docs/script-catalog
 

diff --git a/docker-jans-persistence-loader/scripts/upgrade.py b/docker-jans-persistence-loader/scripts/upgrade.py
@@ -7,6 +7,7 @@
 
 from ldif import LDIFParser
 
+from jans.pycloudlib import get_manager
 from jans.pycloudlib.persistence import CouchbaseClient
 from jans.pycloudlib.persistence import LdapClient
 from jans.pycloudlib.persistence import SpannerClient
@@ -24,6 +25,8 @@
 
 Entry = namedtuple("Entry", ["id", "attrs"])
 
+manager = get_manager()
+
 
 #: ID of base entry
 JANS_BASE_DN = "o=jans"
@@ -193,6 +196,15 @@ def _transform_auth_dynamic_config(conf):
         ]
         should_update = True
 
+    if "ssaConfiguration" not in conf:
+        hostname = manager.config.get("hostname")
+        conf["ssaConfiguration"] = {
+            "ssaEndpoint": f"https://{hostname}/jans-auth/restv1/ssa",
+            "ssaSigningAlg": "RS256",
+            "ssaExpirationInDays": 30
+        }
+        should_update = True
+
     # return the conf and flag to determine whether it needs update or not
     return conf, should_update
 
@@ -430,6 +442,8 @@ def invoke(self):
             self.backend.update_misc()
 
         self.update_auth_dynamic_config()
+        self.update_auth_errors_config()
+        self.update_auth_static_config()
         self.update_attributes_entries()
         self.update_scripts_entries()
         self.update_admin_ui_config()
@@ -830,6 +844,64 @@ def update_api_dynamic_config(self):
             entry.attrs["jansRevision"] += 1
             self.backend.modify_entry(entry.id, entry.attrs, **kwargs)
 
+    def update_auth_errors_config(self):
+        # default to ldap persistence
+        kwargs = {}
+        id_ = JANS_AUTH_CONFIG_DN
+
+        if self.backend.type in ("sql", "spanner"):
+            kwargs = {"table_name": "jansAppConf"}
+            id_ = doc_id_from_dn(id_)
+        elif self.backend.type == "couchbase":
+            kwargs = {"bucket": os.environ.get("CN_COUCHBASE_BUCKET_PREFIX", "jans")}
+            id_ = id_from_dn(id_)
+
+        entry = self.backend.get_entry(id_, **kwargs)
+
+        if not entry:
+            return
+
+        if self.backend.type != "couchbase":
+            entry.attrs["jansConfErrors"] = json.loads(entry.attrs["jansConfErrors"])
+
+        conf, should_update = _transform_auth_errors_config(entry.attrs["jansConfErrors"])
+
+        if should_update:
+            if self.backend.type != "couchbase":
+                entry.attrs["jansConfErrors"] = json.dumps(conf)
+
+            entry.attrs["jansRevision"] += 1
+            self.backend.modify_entry(entry.id, entry.attrs, **kwargs)
+
+    def update_auth_static_config(self):
+        # default to ldap persistence
+        kwargs = {}
+        id_ = JANS_AUTH_CONFIG_DN
+
+        if self.backend.type in ("sql", "spanner"):
+            kwargs = {"table_name": "jansAppConf"}
+            id_ = doc_id_from_dn(id_)
+        elif self.backend.type == "couchbase":
+            kwargs = {"bucket": os.environ.get("CN_COUCHBASE_BUCKET_PREFIX", "jans")}
+            id_ = id_from_dn(id_)
+
+        entry = self.backend.get_entry(id_, **kwargs)
+
+        if not entry:
+            return
+
+        if self.backend.type != "couchbase":
+            entry.attrs["jansConfStatic"] = json.loads(entry.attrs["jansConfStatic"])
+
+        conf, should_update = _transform_auth_static_config(entry.attrs["jansConfStatic"])
+
+        if should_update:
+            if self.backend.type != "couchbase":
+                entry.attrs["jansConfStatic"] = json.dumps(conf)
+
+            entry.attrs["jansRevision"] += 1
+            self.backend.modify_entry(entry.id, entry.attrs, **kwargs)
+
 
 def _transform_api_dynamic_config(conf):
     should_update = False
@@ -861,3 +933,42 @@ def _transform_api_dynamic_config(conf):
         }
         should_update = True
     return conf, should_update
+
+
+def _transform_auth_errors_config(conf):
+    should_update = False
+
+    if "ssa" not in conf:
+        conf["ssa"] = [
+            {
+                "id": "invalid_request",
+                "description": "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed.",
+                "uri": None,
+            },
+            {
+                "id": "unauthorized_client",
+                "description": "The Client is not authorized to use this authentication flow.",
+                "uri": None,
+            },
+            {
+                "id": "invalid_client",
+                "description": "The Client is not authorized to use this authentication flow.",
+                "uri": None,
+            },
+            {
+                "id": "unknown_error",
+                "description": "Unknown or not found error.",
+                "uri": None,
+            },
+        ]
+        should_update = True
+    return conf, should_update
+
+
+def _transform_auth_static_config(conf):
+    should_update = False
+
+    if "ssa" not in conf["baseDn"]:
+        conf["baseDn"]["ssa"] = "ou=ssa,o=jans"
+        should_update = True
+    return conf, should_update
diff --git a/docker-jans-persistence-loader/templates/jans-auth/jans-auth-config.json b/docker-jans-persistence-loader/templates/jans-auth/jans-auth-config.json
@@ -450,6 +450,11 @@
     "cibaMaxExpirationTimeAllowedSec": 1800,
     "backchannelLoginHintClaims": ["inum", "uid", "mail"],
     "cibaEnabled": false,
+    "ssaConfiguration": {
+        "ssaEndpoint":"https://%(hostname)s/jans-auth/restv1/ssa",
+        "ssaSigningAlg": "RS256",
+        "ssaExpirationInDays": 30
+    },
     "cibaEndUserNotificationConfig": {
         "apiKey": "",
         "authDomain": "",

diff --git a/docker-jans-persistence-loader/templates/jans-auth/jans-auth-config.ob.json b/docker-jans-persistence-loader/templates/jans-auth/jans-auth-config.ob.json
@@ -353,6 +353,11 @@
     "cibaMaxExpirationTimeAllowedSec": 1800,
     "backchannelLoginHintClaims": ["inum", "uid", "mail"],
     "cibaEnabled": false,
+    "ssaConfiguration": {
+        "ssaEndpoint":"https://%(hostname)s/jans-auth/restv1/ssa",
+        "ssaSigningAlg": "RS256",
+        "ssaExpirationInDays": 30
+    },
     "cibaEndUserNotificationConfig": {
         "apiKey": "",
         "authDomain": "",