feat(docker-jans-configurator): allow user-defined salt (#3624)

docker-jans-configurator/README.md

@@ -72,34 +72,46 @@ The following commands are supported by the container:
 
 The load command can be used either to generate or restore config and secret for the cluster.
 
-#### Docker
+For fresh installation, generate the initial configuration and secret by creating `/path/to/host/volume/generate.json` similar to example below:
+```json
+{
+    "hostname": "demoexample.jans.io",
+    "country_code": "US",
+    "state": "TX",
+    "city": "Austin",
+    "admin_pw": "S3cr3t+pass",
+    "ldap_pw": "S3cr3t+pass",
+    "email": "s@jans.io",
+    "org_name": "Gluu Inc."
+}
+```
 
-1. To generate the initial configuration and secret, create `/path/to/host/volume/generate.json` similar to example below:
-
-    ```json
-    {
-        "hostname": "demoexample.jans.io",
-        "country_code": "US",
-        "state": "TX",
-        "city": "Austin",
-        "admin_pw": "S3cr3t+pass",
-        "ldap_pw": "S3cr3t+pass",
-        "email": "s@jans.io",
-        "org_name": "Gluu Inc."
-    }
-    ```
+**NOTE**: `generate.json` has optional attributes as seen below.
 
-    **NOTE**: `generate.json` has optional attributes to generate oxAuth signing and encryption keys based on specific algorithms.
+- `auth_sig_keys`: space-separated key algorithm for signing (default to `RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512`)
+- `auth_enc_keys`: space-separated key algorithm for encryption (default to `RSA1_5 RSA-OAEP`)
+- `optional_scopes`: list of scopes that will be used (supported scopes are `ldap`, `scim`, `fido2`, `couchbase`, `redis`, `sql`, `casa`; default to empty list)
+- `ldap_pw`: user's password to access LDAP database (only used if `optional_scopes` list contains `ldap` scope)
+- `sql_pw`: user's password to access SQL database (only used if `optional_scopes` list contains `sql` scope)
+- `couchbase_pw`: user's password to access Couchbase database (only used if `optional_scopes` list contains `couchbase` scope)
+- `couchbase_superuser_pw`: superusers password to access Couchbase database (only used if `optional_scopes` list contains `couchbase` scope)
+- `salt`: user-defined salt (24 characters length); if omitted, salt will be generated automatically
 
-    - `auth_sig_keys`: space-separated key algorithm for signing (default to `RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512`)
-    - `auth_enc_keys`: space-separated key algorithm for encryption (default to `RSA1_5 RSA-OAEP`)
-    - `optional_scopes`: list of scopes that will be used (supported scopes are `ldap`, `scim`, `fido2`, `couchbase`, `redis`, `sql`, `casa`; default to empty list)
-    - `ldap_pw`: user's password to access LDAP database (only used if `optional_scopes` list contains `ldap` scope)
-    - `sql_pw`: user's password to access SQL database (only used if `optional_scopes` list contains `sql` scope)
-    - `couchbase_pw`: user's password to access Couchbase database (only used if `optional_scopes` list contains `couchbase` scope)
-    - `couchbase_superuser_pw`: superusers password to access Couchbase database (only used if `optional_scopes` list contains `couchbase` scope)
+Example of generating `salt` value:
 
-2. Mount the volume into container:
+```
+# using shell script
+cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 24 | head -n 1
+# output: NFAG5g4R0NSkAZXHL8t2DScL
+
+# using python oneliner
+python -c 'import random, string; print("".join(random.choices(string.ascii_letters + string.digits, k=24)))'
+# ouput: HsPzqiPkRzNySWlOVui8Ilmw
+```
+
+#### Docker
+
+1. Mount the `generate.json` into container:
 
     ```sh
     docker run \
@@ -117,33 +129,13 @@ The load command can be used either to generate or restore config and secret for
 
 #### Kubernetes
 
-1. To generate the initial configuration and secret, create `/path/to/host/volume/generate.json` similar to example below:
-
-    ```json
-    {
-        "hostname": "demoexample.jans.io",
-        "country_code": "US",
-        "state": "TX",
-        "city": "Austin",
-        "admin_pw": "S3cr3t+pass",
-        "ldap_pw": "S3cr3t+pass",
-        "email": "s@gluu.local",
-        "org_name": "Gluu Inc."
-    }
-    ```
-
-    **NOTE**: `generate.json` has optional attributes to generate oxAuth signing and encryption keys based on specific algorithms.
-
-    - `auth_sig_keys`: space-separated key algorithm for signing (default to `RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512`)
-    - `auth_enc_keys`: space-separated key algorithm for encryption (default to `RSA1_5 RSA-OAEP`)
-
-2. Create config map `config-generate-params`
+1. Create config map `config-generate-params` to store the contents of `generate.json`
 
    ```sh
    kubectl create cm config-generate-params --from-file=generate.json
    ```
 
-3. Mount the configmap into container and apply the yaml:
+1. Mount the configmap into container and apply the yaml:
 
     ```yaml
     apiVersion: batch/v1

docker-jans-configurator/scripts/bootstrap.py

@@ -196,7 +196,10 @@ def get_secret(self, key, default=None):
         return self.ctx_manager.get_secret(key, default)
 
     def base_ctx(self):
-        self.set_secret("encoded_salt", partial(get_random_chars, 24))
+        if self.params["salt"]:
+            self.set_secret("encoded_salt", self.params["salt"])
+        else:
+            self.set_secret("encoded_salt", partial(get_random_chars, 24))
         self.set_config("orgName", self.params["org_name"])
         self.set_config("country_code", self.params["country_code"])
         self.set_config("state", self.params["state"])

docker-jans-configurator/scripts/parameter.py

@@ -81,6 +81,15 @@ class Meta:
 
     auth_enc_keys = Str(missing="")
 
+    salt = Str(
+        validate=[
+            Length(equal=24),
+            Predicate("isalnum", error="Only alphanumeric characters are allowed"),
+        ],
+        missing="",
+        default="",
+    )
+
     @validates("hostname")
     def validate_fqdn(self, value):
         fqdn = FQDN(value)